Gary,
A couple questions/comments:
The campaign definition is dependent on the term incident. Is it necessary for an incident (which would not need to be represented in STIX or shared) to have occurred in order for there to be a campaign? I had always thought of Campaigns as “related activity performed by one or more threat actors/groups”, but I’m not a threat analyst (and never have been). Does my definition align/overlap with yours, or are there key differences?
I’m still fuzzy on Intrusion Set. Is intrusion set effectively an “unknown” Threat Actor? Intrusion Set and Campaign share a lot of the same concepts (e.g., both relate a set of incidents, indicators, tools, infrastructure or TTPs).
And I think a lot of the Intrusion Set sentences make sense if you swap in “Campaign” for “Intrusion Set”. For instance:
Threat actors could move from supporting one Campaign, to supporting another, or they may support multiple Campaigns. A Campaign is usually tracked over a long period of time. While sometimes a Campaign goes silent, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying levels of fidelity on attributing a Campaign back to Threat Actors.
My apologies if I missed a key point in all of this – I’m trying to better my understanding.
Thank you.
-Mark
P.S. Pats will beat the Jets 4 Christmas :)
On 5/23/16, 1:26 PM, "cti@lists.oasis-open.org on behalf of Katz, Gary CTR DC3/DCCI" <cti@lists.oasis-open.org on behalf of Gary.Katz.ctr@dc3.mil> wrote:
>During some of the previous discussions, individuals had asked for definitions on Campaigns, Intrusion Sets and Threat Actors. The below definitions were put together to help with the discussions. I put together these definitions/examples and ran them by Paul Patrick to get some concurrence, but if individuals do not agree, I would be interested in understanding where there is disagreement.
>
>Hope it helps the discussion,
> -Gary
>
>
>Campaign: A campaign is a set of incidents that occur over a specific time period that relate to each other by shared indicators, tools, infrastructure or TTPs which indicate that they were performed by the same Intrusion Set/Threat Actor and/or have a shared objective. Some SOCs will associate incidents to a campaign if: a new incident shares observables that are relatively unique and difficult to change from 2 or more phases of the kill chain with observables from incidents already associated with that campaign.
>
>An Intrusion Set relates a set of incidents, indicators, tools, infrastructure or TTPs that are grouped together to show a believed attribution back to an entity. For example, a set of Incidents may share a set of TTPs. The Threat Actors behind the attack may not be known, but the activity can be grouped together and new activity can be attributed to that Intrusion Set. Threat actors could move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. An Intrusion Set is usually tracked over a long period of time. While sometimes an Intrusion Set goes silent, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying levels of fidelity on attributing an Intrusion Set back to Threat Actors. The analysts may be able to only attribute it back to a nation-state, perhaps back to an organization within that nation-state, or perhaps back to the individuals within that organization.
>
>Threat Actor: Threat Actors are the individuals or organizations related to a set of incidents, indicators, tools, infrastructure or TTPs. There can be multiple Threat Actors associated to the same thing. For example, Threat Actor 1, a malware author, may provide malware to an attack which is used by Threat Actor 2 to perform the attack. Both Threat Actors work for the same organization, which would also be represented using the Threat Actor object. An analyst may wish to map out the organization and the individual members, how they interact and any overlaps they have supporting multiple organizations. The analyst may want to capture the infrastructure used by those threat actors, their tools, or motivations, etc.
>
>Examples:
> // Campaign Example
> {
>   "type": "campaign",
>   "title": "Jets4Christmas",
>   "description": "shared TTP of malicious Christmas messages",
>   "motive": "Political",
>   "objective": "Access documents pertaining to jet engine designs",
>   "id": "campaign--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
>   "created_time": "2015-12-06T20:07:09Z",
>   "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff"
> }
>
> // Intrusion Set Example
> {
>   "type": "intrusion-set",
>   "id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
>   "title": "Bobcat Breakin",
>   "description": "Incidents usually feature a shared TTP of a bobcat being released within the building containing network access, scaring users to leave their computers without locking them first. Still determining where the threat actors are getting the bobcats.",
>   "sophistication": "Unique"
> }
>
> // Threat Actor Example
> {
>   "type": "threat-actor",
>   "id": "threat-actor--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
>   "title": "Norway Nasjonal Sikkerhetsmyndighet",
>   "description": "Norway National Security Authority",
>   "motivation": "Usually focused on capturing intelligence about meatball recipes devised by their neighboring country",
>   "sophistication": "High, perfect meatballs are of utmost importance"
> }
>
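The SOC association rule in Gary's Campaign definition ("a new incident shares observables that are relatively unique and difficult to change from 2 or more phases of the kill chain with observables from incidents already associated with that campaign") as a small runnable model. This is an added example, not code from the thread or from STIX; the incident records, kill-chain phase names, observable values and the `hard_to_change` flag are all constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_SHARED_PHASES = 2  # "2 or more phases of the kill chain" in the definition


@dataclass(frozen=True)
class Observable:
    phase: str            # kill-chain phase the observable belongs to
    value: str            # the observable itself (mutex, cert fingerprint, IP, ...)
    hard_to_change: bool  # analyst's call: "relatively unique and difficult to change"


@dataclass
class Incident:
    incident_id: str
    observables: frozenset


@dataclass
class Campaign:
    title: str
    incidents: list = field(default_factory=list)


def shared_hard_observables(campaign, incident):
    """Hard-to-change observables of `incident` already seen in the campaign."""
    seen = {o for inc in campaign.incidents for o in inc.observables if o.hard_to_change}
    return {o for o in incident.observables if o.hard_to_change and o in seen}


def should_associate(campaign, incident):
    """The overlap must span at least MIN_SHARED_PHASES distinct kill-chain phases."""
    phases = {o.phase for o in shared_hard_observables(campaign, incident)}
    return len(phases) >= MIN_SHARED_PHASES


def triage(campaign, candidates):
    """Attach qualifying incidents to the campaign; return {incident_id: decision}."""
    decisions = {}
    for inc in candidates:
        decisions[inc.incident_id] = should_associate(campaign, inc)
        if decisions[inc.incident_id]:
            campaign.incidents.append(inc)  # later candidates are matched against it too
    return decisions


# Constructed sample data (not real indicators): one seed incident plus three to triage.
MUTEX = Observable("installation", "Global\\JetEngine_v2", True)
CERT = Observable("c2", "sha1:PLACEHOLDER-CERT-FINGERPRINT", True)
SENDER_IP = Observable("delivery", "203.0.113.7", False)  # cheap to rotate, so ignored
SEED = Incident("inc-0", frozenset({MUTEX, CERT, SENDER_IP}))
CANDIDATES = [
    Incident("inc-1", frozenset({MUTEX, CERT})),       # two hard phases shared -> join
    Incident("inc-2", frozenset({MUTEX, SENDER_IP})),  # only one hard phase -> no
    Incident("inc-3", frozenset({Observable("c2", "sha1:OTHER-PLACEHOLDER", True)})),
]


def run_demo():
    campaign = Campaign("Jets4Christmas", [SEED])
    return triage(campaign, CANDIDATES)
```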