
Solving the issue of threat actor, activity group, campaign and operation

Open adulau opened this issue 6 years ago • 2 comments

threat-actor-classification meta field

There is an old and persistent issue in the attribution world and basically no-one really agrees on this. So we decided to start a specific metadata threat-actor-classification on the threat-actor to define the various types per cluster entry:

  • operation:
    • A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives. (from Wikipedia)
    • In the context of MISP threat-actor name, it's a single specific operation.
  • campaign:
    • The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war. The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic. (from Wikipedia)
    • In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations.
  • threat-actor:
    • In the context of MISP threat-actor-name, it's an agreed name by a set of organisations.
  • activity group:
    • In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities.
  • unknown:
    • In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group.

The meta field is an array to allow a specific cluster of threat-actor to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).

It's a work in progress and subject to change.

Example

```json
[
  {
    "description": "In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10.  This multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.",
    "meta": {
      "refs": [
        "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
      ],
      "threat-actor-classification": [
        "operation"
      ]
    },
    "uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",
    "value": "Operation Soft Cell"
  },
  {
    "description": "We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.",
    "meta": {
      "refs": [
        "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/"
      ],
      "threat-actor-classification": [
        "operation"
      ]
    },
    "uuid": "75db4269-924b-4771-8f62-0de600a43634",
    "value": "Operation WizardOpium"
  }
]
```

Alternative type per vendor

Following input from various people, we will extend the meta field with the ability to scope it per vendor in addition to the default threat-actor-classification.

The model is the following: an alt- prefix is used to mention an alternative description of the same field. So if Kaspersky has a different view of the threat-actor-type, this can be expressed in the following way.

alt-threat-actor-classification-kaspersky

Pattern: alt-<fieldname of the meta>-<vendornameinoneword>

A list of known vendors should be available to avoid ambiguity.

adulau avatar Nov 03 '19 15:11 adulau
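An added example (not misp-galaxy's own code) that reads cluster entries carrying this meta field, validates the values against the list above, and surfaces where a vendor's alt-threat-actor-classification-<vendor> view differs from the default. The vendor names other than kaspersky, the known-vendor list and the two extra clusters are constructed for the demonstration.

```python
import json

# Allowed classification values, as listed in the issue body.
CLASSIFICATIONS = {"operation", "campaign", "threat-actor", "activity group", "unknown"}
FIELD = "threat-actor-classification"
ALT_PREFIX = "alt-" + FIELD + "-"
# Vendor list for the alt- suffix; constructed here ("kaspersky" is named in the issue).
KNOWN_VENDORS = {"kaspersky", "vendora"}

# Constructed sample: the Soft Cell entry from the issue plus two made-up clusters
# (placeholder UUIDs); the second carries a vendor alternative, the third is malformed.
SAMPLE = json.loads("""[
  {"uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d", "value": "Operation Soft Cell",
   "meta": {"threat-actor-classification": ["operation"]}},
  {"uuid": "00000000-0000-0000-0000-000000000001", "value": "Example Group",
   "meta": {"threat-actor-classification": ["threat-actor", "activity group"],
            "alt-threat-actor-classification-vendora": ["campaign"]}},
  {"uuid": "00000000-0000-0000-0000-000000000002", "value": "Bad Entry",
   "meta": {"threat-actor-classification": "operation",
            "alt-threat-actor-classification-vendorb": ["ransomware"]}}
]""")

def views(cluster):
    """Map 'default' and each vendor name to that source's classification value."""
    out = {}
    for key, value in cluster.get("meta", {}).items():
        if key == FIELD:
            out["default"] = value
        elif key.startswith(ALT_PREFIX):
            out[key[len(ALT_PREFIX):]] = value
    return out

def validate(cluster):
    """Return a list of problems: missing default, unknown vendor, non-array, bad type."""
    v = views(cluster)
    problems = [] if "default" in v else ["missing " + FIELD]
    for source, value in v.items():
        if source != "default" and source not in KNOWN_VENDORS:
            problems.append(f"{source}: vendor not in known list")
        if not isinstance(value, list):
            problems.append(f"{source}: must be an array, got {type(value).__name__}")
            continue
        problems += [f"{source}: unknown type {t!r}" for t in value if t not in CLASSIFICATIONS]
    return problems

def disagreements(cluster):
    """Vendors whose alternative view differs from the default set of types."""
    v = views(cluster)
    base = set(v["default"]) if isinstance(v.get("default"), list) else set()
    return sorted(s for s, val in v.items()
                  if s != "default" and isinstance(val, list) and set(val) != base)
```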

While I think the operation/campaign distinction makes sense for APT actors, for cybercrime they are often used the other way around: I would read a "ransomware operation" as a longer term use of a ransomware family by a single actor, and a "ransomware campaign" as a short term action part of that operation (e.g. a spam run).

lapsedordinary avatar Nov 04 '19 09:11 lapsedordinary

> While I think the operation/campaign distinction makes sense for APT actors, for cybercrime they are often used the other way around: I would read a "ransomware operation" as a longer term use of a ransomware family by a single actor, and a "ransomware campaign" as a short term action part of that operation (e.g. a spam run).

Thanks for the feedback. Good point, it's indeed an issue. It's difficult to solve per se. We had a discussion at the office about prefixing cybercrime to campaign and operation (cybercrime-campaign or cybercrime-operation) to clearly state that we use it in the scope of cybercrime compared to the default APT cases.

adulau avatar Nov 04 '19 10:11 adulau