
Solving the issue of threat actor, activity group, campaign and operation #469

Open
adulau opened this issue Nov 3, 2019 · 2 comments
Labels
S: stale Status: stale. This issue has had no activity in a long time, it may not be relevant anymore T: enhancement Type: enhancement. This issue is not a bug, it improves an existing feature

Comments

@adulau
Member

adulau commented Nov 3, 2019

threat-actor-classification meta field

There is an old and persistent issue in the attribution world and basically no-one really agrees on this. So we decided to start a specific metadata `threat-actor-classification` on the threat-actor to define the various types per cluster entry:

  • operation:
    • A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives. from Wikipedia
    • In the context of MISP threat-actor name, it's a single specific operation.
  • campaign:
    • The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war. The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic. from Wikipedia
    • In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations.
  • threat-actor
    • In the context of MISP threat-actor-name, it's an agreed name by a set of organisations.
  • activity group
    • In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities.
  • unknown
    • In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group.

The meta field is an array to allow a specific threat-actor cluster to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).

It's a work in progress and subject to change.

Example

```json
[
  {
    "description": "In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10.  This multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.",
    "meta": {
      "refs": [
        "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
      ],
      "threat-actor-classification": [
        "operation"
      ]
    },
    "uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",
    "value": "Operation Soft Cell"
  },
  {
    "description": "We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.",
    "meta": {
      "refs": [
        "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/"
      ],
      "threat-actor-classification": [
        "operation"
      ]
    },
    "uuid": "75db4269-924b-4771-8f62-0de600a43634",
    "value": "Operation WizardOpium"
  }
]
```

Alternative type per vendor

Following input from various people, we will extend the meta field with the ability to scope it per vendor in addition to the default threat-actor-classification.

The model is the following: an `alt-` prefix is used to mention an alternative description of the same field. So if Kaspersky has a different view of the threat-actor-type, this can be expressed in the following way.

```
alt-threat-actor-classification-kaspersky
alt-<fieldname of the meta>-<vendornameinoneword>
```

A list of known vendors should be available to avoid ambiguity.
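To make the proposed data model concrete, here is an added validator for the `threat-actor-classification` field and its `alt-<fieldname>-<vendor>` variants. This is example code written for this thread, not code from the MISP galaxy project. The five classification values are the ones listed above; the vendor list (`KNOWN_VENDORS`), the sample cluster entries and their UUIDs are constructed for illustration, since the issue only says that a vendor list "should be available".

```python
"""Validator for the proposed threat-actor-classification meta field (added example)."""
import re
from typing import Dict, List

FIELD = "threat-actor-classification"

# Vocabulary proposed in the issue.
CLASSIFICATIONS = frozenset(
    {"operation", "campaign", "threat-actor", "activity group", "unknown"}
)

# Assumption: the issue asks for a list of known vendors but gives none.
KNOWN_VENDORS = frozenset({"kaspersky", "examplevendor"})

# alt-<fieldname of the meta>-<vendornameinoneword>: greedy field part,
# single lowercase word for the vendor at the end.
ALT_KEY = re.compile(r"^alt-(?P<field>.+)-(?P<vendor>[a-z0-9]+)$")


def validate_cluster(cluster: dict, vocab=CLASSIFICATIONS,
                     vendors=KNOWN_VENDORS) -> List[str]:
    """Return the problems found in one galaxy cluster entry (empty list if valid)."""
    name = cluster.get("value", "<unnamed>")
    meta = cluster.get("meta", {})
    problems: List[str] = []

    if FIELD not in meta:
        problems.append(f"{name}: missing {FIELD}")

    for key, val in meta.items():
        is_default = key == FIELD
        is_alt = key.startswith("alt-")
        if not (is_default or is_alt):
            continue  # refs and other meta keys are out of scope here

        if is_alt:
            m = ALT_KEY.match(key)
            if m is None:
                problems.append(f"{name}: malformed alt key {key!r}")
                continue
            if m.group("field") != FIELD:
                continue  # alt- form of some other meta field; not validated here
            if m.group("vendor") not in vendors:
                problems.append(f"{name}: unknown vendor {m.group('vendor')!r} in {key}")

        # The default field and its alt- variants are arrays, so that one
        # cluster can carry several (possibly conflicting) classifications.
        if not isinstance(val, list) or not val:
            problems.append(f"{name}: {key} must be a non-empty array")
            continue
        for v in val:
            if v not in vocab:
                problems.append(f"{name}: {key} has unknown classification {v!r}")
    return problems


def classification_views(cluster: dict) -> Dict[str, List[str]]:
    """Map each viewpoint ("default" or a vendor name) to its classification array."""
    views: Dict[str, List[str]] = {}
    for key, val in cluster.get("meta", {}).items():
        if not isinstance(val, list):
            continue
        if key == FIELD:
            views["default"] = list(val)
        else:
            m = ALT_KEY.match(key)
            if m and m.group("field") == FIELD:
                views[m.group("vendor")] = list(val)
    return views


def disagreements(cluster: dict) -> bool:
    """True when at least one vendor view differs from the default classification."""
    views = classification_views(cluster)
    default = set(views.get("default", []))
    return any(set(v) != default for k, v in views.items() if k != "default")


# Constructed sample entries (not real galaxy data); UUIDs are placeholders.
SAMPLE_OK = {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "value": "Example entry with a vendor disagreement",
    "meta": {
        "refs": ["https://example.invalid/report"],
        FIELD: ["operation"],
        "alt-" + FIELD + "-kaspersky": ["campaign"],
    },
}

SAMPLE_BAD = {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "value": "Broken entry",
    "meta": {
        FIELD: "operation",                                 # string, not an array
        "alt-" + FIELD + "-unknownvendor": ["operation"],   # vendor not in the list
        "alt-" + FIELD + "-kaspersky": ["ransomware crew"],  # value outside the vocabulary
    },
}

if __name__ == "__main__":
    for entry in (SAMPLE_OK, SAMPLE_BAD):
        print(entry["value"], validate_cluster(entry) or "OK",
              "disagreement:", disagreements(entry))
```

Running the block prints no problems for the first entry but flags it as a disagreement (default says `operation`, the vendor view says `campaign`), and reports three problems for the second entry. The vocabulary and vendor list are plain parameters, so a consumer can extend them if the field's definition changes.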

@adulau adulau added the T: enhancement Type: enhancement. This issue is not a bug, it improves an existing feature label Nov 3, 2019
@lapsedordinary

While I think the operation/campaign distinction makes sense for APT actors, for cybercrime they are often used the other way around: I would read a "ransomware operation" as a longer term use of a ransomware family by a single actor, and a "ransomware campaign" as a short term action part of that operation (e.g. a spam run).

@adulau
Member Author

adulau commented Nov 4, 2019

> While I think the operation/campaign distinction makes sense for APT actors, for cybercrime they are often used the other way around: I would read a "ransomware operation" as a longer term use of a ransomware family by a single actor, and a "ransomware campaign" as a short term action part of that operation (e.g. a spam run).

Thanks for the feedback. Good point, it's indeed an issue. It's difficult to solve per se. We had a discussion at the office about prefixing `cybercrime` to campaign and operation (`cybercrime-campaign` or `cybercrime-operation`) to clearly state that we use it in the scope of cybercrime compared to the default APT cases.

adulau added a commit that referenced this issue Jul 7, 2020
…ign only.

Based on #469

There is an old and persistent issue in the attribution world and basically no-one really agrees on this. So we decided to start a specific metadata `threat-actor-classification` on the threat-actor to define the various types per cluster entry:

- _operation_:
  - _A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives._ from Wikipedia
  - **In the context of MISP threat-actor name, it's a single specific operation.**
- _campaign_:
  - _The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war. The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic._ from Wikipedia
  - **In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations.**
- threat-actor
  - **In the context of MISP threat-actor-name, it's an agreed name by a set of organisations.**
- activity group
  - **In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities.**
- unknown
  - **In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group**

The meta field is an array to allow a specific threat-actor cluster to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).
@enjeck enjeck added the S: stale Status: stale. This issue has had no activity in a long time, it may not be relevant anymore label Nov 18, 2020
3 participants