Defining Campaigns vs Threat Actors

In STIX terminology, an individual or group involved in malicious cyber activity is called a Threat Actor. A set of activity (Incidents) carried out by Threat Actors using specific techniques (TTPs) for some particular purpose is called a Campaign. Such activity might, for example, be aimed at stealing financial information from banking customers or at targeting a particular business sector.

When data is collected on various related intrusion attempts (Incidents), it may not initially include enough information to characterize attribution of the actor causing them. In this case, for cross-incident analysis of the “who” and “why”, the preferred method is to begin by defining a Campaign for that activity with a placeholder Threat Actor identity until additional information comes to light. As more information becomes available for characterizing the responsible actors, the Threat Actor placeholder can be incrementally fleshed out.

As an example, if domains used in an intrusion are owned and registered by a single persona, the persona may be added to the Threat Actor placeholder but possibly given “Low” Confidence for attribution in relation to the incident. If the persona is known through other means to be used by a professional intrusion team, the placeholder could be related to that larger group and the associated Confidence would likely go up. Occasionally it is possible to fingerprint an actor by the customizations made in their tools (such as language choice or debug information), which would further flesh out characterization of the Threat Actor placeholder and increase Confidence in the actor being involved.

Once the Threat Actor placeholder reaches a level of characterization that makes it relevant outside the restricted context of its enclosing Campaign (this is largely a subjective decision), it can be split out into a separate entity and replaced with a reference to it within the Campaign. This allows that actor to be associated with other Incidents or TTPs.

When data is collected on related activity that already includes information characterizing those responsible, or when an actor is known but cannot be linked to existing activity, the actor can be defined directly as a Threat Actor, with the Identity or other characterizing information filled out with things like handles, location, known tools and network infrastructure. If those markers are observed in a new Incident or correlated with historical data, the Actor can be related to it according to its Confidence rating.
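The following is an added example, not code from the page or from the STIX project, that models the lifecycle just described using only the Python standard library: a Campaign is first built with an embedded placeholder Threat Actor; once the actor is characterized (here by a constructed registrant persona placed under its Identity), it is split out as a top-level Threat_Actor, the Campaign keeps an idref to it together with a Confidence value from the HighMediumLowVocab, and a consumer resolves the idrefs. The namespace URIs are the STIX 1.x ones; the ids, titles and persona string are constructed sample values.

```python
"""Placeholder Threat Actor lifecycle in STIX 1.x XML (added example, stdlib only)."""
import uuid
import xml.etree.ElementTree as ET

# STIX 1.x namespaces used by CampaignType / ThreatActorType documents.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "campaign": "http://stix.mitre.org/Campaign-1",
    "ta": "http://stix.mitre.org/ThreatActor-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation tag for a prefixed STIX element or attribute."""
    return "{%s}%s" % (NS[prefix], local)


XSI_TYPE = q("xsi", "type")


def new_package(campaign_title, actor_title):
    """Stage 1: a Campaign whose Attribution embeds a placeholder Threat Actor."""
    pkg = ET.Element(q("stix", "STIX_Package"))
    # stixVocabs is only referenced inside xsi:type values, so declare it explicitly.
    pkg.set("xmlns:stixVocabs", NS["stixVocabs"])
    camps = ET.SubElement(pkg, q("stix", "Campaigns"))
    camp = ET.SubElement(camps, q("stix", "Campaign"),
                         {"id": "example:campaign-%s" % uuid.uuid4(),  # constructed id
                          XSI_TYPE: "campaign:CampaignType"})
    ET.SubElement(camp, q("campaign", "Title")).text = campaign_title
    attribution = ET.SubElement(camp, q("campaign", "Attribution"))
    attributed = ET.SubElement(attribution, q("campaign", "Attributed_Threat_Actor"))
    actor = ET.SubElement(attributed, q("stixCommon", "Threat_Actor"),
                          {"id": "example:threatactor-%s" % uuid.uuid4(),  # constructed id
                           XSI_TYPE: "ta:ThreatActorType"})
    ET.SubElement(actor, q("ta", "Title")).text = actor_title
    return pkg


def promote_actor(pkg, confidence="Low", persona=None):
    """Stage 2: split the placeholder out as a top-level Threat_Actor, leave an
    idref in the Campaign and record the attribution Confidence."""
    attributed = pkg.find("stix:Campaigns/stix:Campaign/campaign:Attribution/"
                          "campaign:Attributed_Threat_Actor", NS)
    embedded = attributed.find("stixCommon:Threat_Actor", NS)
    actor_id = embedded.get("id")
    # Threat_Actors follows Campaigns in the STIX_Package content model.
    actors = pkg.find("stix:Threat_Actors", NS)
    if actors is None:
        actors = ET.SubElement(pkg, q("stix", "Threat_Actors"))
    standalone = ET.SubElement(actors, q("stix", "Threat_Actor"),
                               {"id": actor_id, XSI_TYPE: "ta:ThreatActorType"})
    for child in list(embedded):           # carry over Title etc.
        standalone.append(child)
    if persona:                            # characterizing information goes under Identity
        identity = ET.SubElement(standalone, q("ta", "Identity"))
        ET.SubElement(identity, q("stixCommon", "Name")).text = persona
    # Replace the embedded actor with a reference; in GenericRelationshipType
    # Confidence precedes the referenced entity.
    attributed.remove(embedded)
    conf = ET.SubElement(attributed, q("stixCommon", "Confidence"))
    ET.SubElement(conf, q("stixCommon", "Value"),
                  {XSI_TYPE: "stixVocabs:HighMediumLowVocab-1.0"}).text = confidence
    ET.SubElement(attributed, q("stixCommon", "Threat_Actor"), {"idref": actor_id})
    return actor_id


def resolve_attribution(pkg):
    """Stage 3 (consumer): follow idrefs from each Campaign to the actor it names.
    Returns (campaign title, actor title, confidence) tuples; embedded
    placeholders without a Confidence element report 'n/a'."""
    actors = {a.get("id"): a
              for a in pkg.findall("stix:Threat_Actors/stix:Threat_Actor", NS)}
    results = []
    for camp in pkg.findall("stix:Campaigns/stix:Campaign", NS):
        title = camp.findtext("campaign:Title", namespaces=NS)
        for rel in camp.findall("campaign:Attribution/campaign:Attributed_Threat_Actor", NS):
            ref = rel.find("stixCommon:Threat_Actor", NS)
            actor = actors[ref.get("idref")] if ref.get("idref") else ref
            conf = rel.findtext("stixCommon:Confidence/stixCommon:Value",
                                default="n/a", namespaces=NS)
            results.append((title, actor.findtext("ta:Title", namespaces=NS), conf))
    return results


def to_xml(pkg):
    return ET.tostring(pkg, encoding="unicode")


def roundtrip(pkg):
    """Serialize and re-parse, as a separate consumer would see the document."""
    return ET.fromstring(to_xml(pkg))


def standalone_actor_ids(pkg):
    return [a.get("id") for a in pkg.findall("stix:Threat_Actors/stix:Threat_Actor", NS)]


if __name__ == "__main__":
    p = new_package("Compromise of ATM Machines", "People behind the intrusion")
    print(resolve_attribution(p))
    promote_actor(p, confidence="Low", persona="domain registrant persona (constructed)")
    print(resolve_attribution(roundtrip(p)))
    print(to_xml(p))
```

The consumer deliberately handles both forms, an embedded actor and an idref, because a feed will contain Campaigns at both stages of the lifecycle; a consumer that only follows idrefs would silently drop placeholder attributions.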

It is tempting to name a given Campaign or Threat Actor after the malware involved, or to name a Campaign after the apparent group involved; however, these methods are not very precise and are prone to naming conflicts between information sources. Imagine a situation where one organization declares that the “Netcat” malware had targeted their network, or that the “Poison Ivy” actors were involved in a given intrusion.

Overall, a Campaign is some time-bounded set of activity that uses particular techniques against a set of targets, while a Threat Actor is the entity performing such behavior.

Data model

We use the CampaignType to render the campaign and ThreatActorType for the actor.

In this case, a Campaign has an identified ThreatActor and constrained victim targeting. Since the actor was likely involved in other incidents, it may be related to other campaigns as well.

The example below shows a VERY simple initial Campaign defined to correlate a specific set of activity (three referenced Incidents) with a particular victim targeting profile believed to be carried out by the same unknown actor (characterized initially by a placeholder Threat Actor entry).

Implementation

<stix:Campaign id="example:Campaign-e5268b6e-4931-42f1-b379-87f48eb41b1e" timestamp="2014-08-08T15:50:10.983728+00:00" 
        xsi:type='campaign:CampaignType' version="1.2">
    <campaign:Title>Compromise of ATM Machines</campaign:Title>
    <campaign:Related_TTPs>
        <campaign:Related_TTP>
            <stixCommon:TTP id="example:ttp-2d1c6ab3-5e4e-48ac-a32b-f0c01c2836a8" timestamp="2014-08-08T15:50:10.983464+00:00" 
                    xsi:type='ttp:TTPType' version="1.2">
                <ttp:Title>Victim Targeting: Customer PII and Financial Data</ttp:Title>
                <ttp:Victim_Targeting>
                    <ttp:Targeted_Information xsi:type="stixVocabs:InformationTypeVocab-1.0">Information Assets - Financial Data</ttp:Targeted_Information>
                </ttp:Victim_Targeting>
            </stixCommon:TTP>
        </campaign:Related_TTP>
    </campaign:Related_TTPs>
    <campaign:Related_Incidents>
        <campaign:Related_Incident>
            <stixCommon:Incident idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"/>
        </campaign:Related_Incident>
        <campaign:Related_Incident>
            <stixCommon:Incident idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"/>
        </campaign:Related_Incident>
        <campaign:Related_Incident>
            <stixCommon:Incident idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"/>
        </campaign:Related_Incident>
    </campaign:Related_Incidents>
    <campaign:Attribution>
        <campaign:Attributed_Threat_Actor>
            <stixCommon:Threat_Actor id="example:threatactor-56f3f0db-b5d5-431c-ae56-c18f02caf500" 
                    timestamp="2014-08-08T15:50:10.983629+00:00" xsi:type='ta:ThreatActorType' version="1.2">
                <ta:Title>People behind the intrusion</ta:Title>
            </stixCommon:Threat_Actor>
        </campaign:Attributed_Threat_Actor>
    </campaign:Attribution>
</stix:Campaign>
# python-stix imports needed by this producer script
from stix.core import STIXPackage
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.ttp import TTP, VictimTargeting
from stix.incident import Incident

# Victim targeting TTP: what the activity in this campaign is after
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

# Placeholder Threat Actor, embedded in the campaign's Attribution until it is
# characterized well enough to be split out as its own entity
actor = ThreatActor()
actor.title = "People behind the intrusion"
attrib = Attribution()
attrib.append(actor)

c = Campaign()
c.attribution = []
c.attribution.append(attrib)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)

# The three incidents are referenced by id rather than embedded
c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))

pkg = STIXPackage()
pkg.add_campaign(c)

print(pkg.to_xml(encoding=None))
from stix.core import STIXPackage

# Parse the package produced above; the file name is an assumed placeholder
pkg = STIXPackage.from_xml("campaign-v-actors.xml")

for camp in pkg.campaigns:
    print("== CAMPAIGN ==")
    print("Campaign Name: " + str(camp.title))

    # Related_TTPs holds RelatedTTP wrappers; the TTP itself is under .item
    for tactic in camp.related_ttps:
        print("TTP: " + tactic.item.title)

    # Each Attribution is a list of attributed actors; read the first one
    for attrib in camp.attribution:
        print("Actor: " + attrib[0].item.title)

    # Related incidents are references, so only the idref is available here
    for rel in camp.related_incidents:
        print("Related Incident ID: " + str(rel.item.idref))

Full XML | Python Producer | Python Consumer

Further Reading

See the full documentation for the relevant types for further information that may be provided: