
Cyware Threat Intelligence eXchange

Fill Intrusion Set Details

An Intrusion Set refers to a collection of adversarial behaviours and resources believed to be orchestrated by a single entity or organization. It represents a broader grouping of activities, potentially including multiple campaigns, all tied together by shared characteristics that point to a common, known, or unknown threat actor. An Intrusion Set allows analysts to attribute new malicious activities even when the exact actors behind the attacks remain unidentified. Threat actors may shift between supporting different Intrusion Sets or contribute to multiple sets simultaneously.

Unlike a Campaign, which is a series of attacks aimed at specific targets over a defined period to achieve a particular objective, an Intrusion Set encompasses the broader strategy and resources used across multiple campaigns. This strategic approach can span long periods and pursue various goals.

Even when an Intrusion Set appears inactive or changes focus, it is often challenging to determine whether it has truly ended. The attribution of an Intrusion Set to specific threat actors can vary in certainty, sometimes linking only to a nation-state or an organization within it.

The Intrusion Set component contains the following sections:

  • Basic Details

  • Common Fields

  • Custom Attributes

  • External References

Basic Details

| Field Name | Required | Description |
| --- | --- | --- |
| Name | Mandatory | Specify the name of the intrusion set. |
| Description | Optional | Specify additional information about the intrusion set, such as its purpose and key characteristics. |
| First Seen | Optional | The time when this Intrusion Set was first observed. This property serves as a summary of data from sightings and other related information, which may or may not be available in STIX. If new sightings are received that predate the first seen timestamp, the object may be updated to reflect this new data. |
| Last Seen | Optional | The time when this Intrusion Set was last observed. This property serves as a summary of data from sightings and other relevant information, which may or may not be available in STIX. If new sightings are received that occur after the last seen timestamp, the object may be updated to incorporate this new data. This value must be greater than or equal to the timestamp in the first seen property. |
| Resource Level | Optional | The organizational level at which the Intrusion Set typically operates, which influences the resources available to it for conducting attacks. |
| Goal(s) | Optional | The high-level objectives of this Intrusion Set, outlining its intentions. For instance, it may be driven by personal gain, with the specific goal of stealing credit card numbers. To achieve this, it might carry out particular campaigns with detailed objectives, such as compromising point-of-sale systems at a large retailer. |
| Primary Motivation | Optional | The main reason or purpose driving this Intrusion Set. This motivation explains why the Intrusion Set aims to achieve its goals. For example, an Intrusion Set with the goal of disrupting the finance sector in a country might be motivated by an ideological hatred of capitalism. |
| Secondary Motivation | Optional | The secondary reasons or purposes behind this Intrusion Set. These motivations can be equal to or closely aligned with the primary motivation, providing additional context without replacing or amplifying it. The order of these motivations holds no significance. |
| Aliases | Optional | Alternative names used to refer to this Intrusion Set. |
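As an added example (not part of the CTIX documentation or product code), the following Python builds an Intrusion Set in STIX 2.1 JSON shape, enforces the rule that Last Seen must be greater than or equal to First Seen, and widens the observation window when a sighting arrives before First Seen or after Last Seen, as the two field descriptions above say the object may be updated. The mapping of the CTIX form fields to STIX 2.1 property names (first_seen, last_seen, goals, resource_level, primary_motivation, secondary_motivations, aliases) is my assumption, and the sample name and timestamps are constructed.

```python
import json
import uuid
from datetime import datetime, timezone

def stix_ts(dt: datetime) -> str:
    """Render an aware datetime as a STIX 2.1 timestamp (UTC, millisecond precision)."""
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")

def parse_ts(s: str) -> datetime:
    """Inverse of stix_ts: parse a STIX 2.1 timestamp back into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def new_intrusion_set(name: str, first_seen: datetime, last_seen: datetime, **optional) -> dict:
    """Build an intrusion-set object; rejects a window whose Last Seen precedes First Seen."""
    if last_seen < first_seen:
        raise ValueError("last_seen must be greater than or equal to first_seen")
    now = stix_ts(datetime.now(timezone.utc))
    obj = {
        "type": "intrusion-set",
        "spec_version": "2.1",
        "id": f"intrusion-set--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "first_seen": stix_ts(first_seen),
        "last_seen": stix_ts(last_seen),
    }
    # Assumed optional STIX properties (aliases, goals, resource_level, ...); empty ones are omitted.
    obj.update({k: v for k, v in optional.items() if v})
    return obj

def record_sighting(obj: dict, observed_at: datetime) -> bool:
    """Widen first_seen/last_seen if the sighting lies outside the window; True when updated."""
    changed = False
    if observed_at < parse_ts(obj["first_seen"]):
        obj["first_seen"] = stix_ts(observed_at)
        changed = True
    if observed_at > parse_ts(obj["last_seen"]):
        obj["last_seen"] = stix_ts(observed_at)
        changed = True
    if changed:
        obj["modified"] = stix_ts(datetime.now(timezone.utc))
    return changed

if __name__ == "__main__":
    # Constructed sample: a financially motivated set first tracked in early 2023.
    iset = new_intrusion_set("Example Carding Crew", parse_ts("2023-01-10T00:00:00.000Z"),
                             parse_ts("2023-06-01T00:00:00.000Z"), aliases=["ECC"],
                             goals=["steal credit card numbers"], primary_motivation="personal-gain")
    record_sighting(iset, parse_ts("2022-12-01T00:00:00.000Z"))  # earlier sighting moves first_seen back
    print(json.dumps(iset, indent=2))
```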

Common Fields

| Field Name | Description |
| --- | --- |
| Tags | Specify the tags for the intrusion set. |
| TLP | Specify the TLP of the intrusion set, such as RED, AMBER, GREEN, WHITE, and NONE. |
| Confidence | Specify the confidence score for the intrusion set. |
| Custom Scores | This field allows for the assignment of scores to threat data objects based on factors that influence the lifecycle of indicators of compromise (IOCs), such as relevance, severity, and risk. Custom scores aid analysts in prioritizing their analysis, guiding actions, and facilitating the sharing of threat intelligence. |
| Created by Reference | Specify the entity that created the CTIX object. |
| Revoked | Select this option to mark the component as revoked or invalid. |

Custom Attributes

| Field Name | Description |
| --- | --- |
| Add Custom Attribute | Specify additional information that helps improve the threat intelligence details. CTIX displays custom attributes created in Administration > Custom Entities Management. You can create multiple custom attributes for the intrusion set. |

External References

| Field Name | Description |
| --- | --- |
| Source Name | Enter a source name. |
| Description | Enter a description. |
| External ID | Enter an external ID. |
| URL | Enter the URL of the external reference. |
| Hash Type | Select the hash type. |
| Hash Value | Enter the hash value. |