Intrusion set
- Updated Feb 1, 2024
- 1 minute read
- Washington DC
- Threat Intelligence
An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties. An Intrusion Set usually involves a single organization. Intrusion set applies for STIX 2.x.
An Intrusion Set may capture multiple Campaigns or other activities. These activities share attributes indicating a commonly known or unknown Threat Actor.
New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.
An Intrusion Set is the entire attack package and may be used over a long period in multiple Campaigns to achieve potentially multiple purposes.
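As an added example (not code from this page or from the STIX project), the following Python builds a STIX 2.1 Intrusion Set, two Campaigns attributed to it, and an optional Threat Actor, then checks the resulting bundle. It uses plain JSON-shaped dictionaries rather than the `stix2` library; every name, date and description is a constructed sample value, and the permitted targets of the `attributed-to` relationship follow the STIX 2.1 relationship tables for Campaign and Intrusion Set. Building the bundle with `actor_known=False` shows the point made above: the Campaigns stay attributed to the Intrusion Set even when no Threat Actor has been identified.

```python
"""Construct and sanity-check a STIX 2.1 Intrusion Set with attributed Campaigns.

Added example (not from the page or the STIX project): plain JSON, no stix2 library.
All names, dates and descriptions below are constructed sample values.
"""
import json
import re
import uuid

# Fixed timestamps keep the output deterministic; both are constructed values.
CREATED = "2024-02-01T00:00:00.000Z"
FIRST_SEEN = "2023-06-01T00:00:00.000Z"

# STIX 2.1 identifier form: <type>--<UUID>
ID_PATTERN = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Targets the STIX 2.1 spec permits for an "attributed-to" relationship from each source type.
ATTRIBUTED_TO_TARGETS = {
    "campaign": {"intrusion-set", "threat-actor"},
    "intrusion-set": {"threat-actor"},
}


def sdo(obj_type, **props):
    """Build a STIX object carrying the required common properties."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": CREATED, "modified": CREATED}
    obj.update(props)
    return obj


def attributed_to(source, target):
    """Relationship SRO asserting that `source` is attributed to `target`."""
    return sdo("relationship", relationship_type="attributed-to",
               source_ref=source["id"], target_ref=target["id"])


def build_bundle(actor_known=True):
    """Bundle with an Intrusion Set covering two Campaigns.

    With actor_known=False the Threat Actor and its relationship are omitted:
    the Campaigns remain attributed to the Intrusion Set even though the
    people behind it have not been identified.
    """
    intrusion_set = sdo("intrusion-set", name="Constructed Intrusion Set",
                        description="Shared tooling and infrastructure seen across campaigns (sample).",
                        first_seen=FIRST_SEEN, aliases=["SAMPLE-SET"],
                        primary_motivation="organizational-gain")
    campaigns = [sdo("campaign", name=f"Constructed Campaign {n}", first_seen=FIRST_SEEN)
                 for n in ("A", "B")]
    objects = [intrusion_set, *campaigns]
    objects += [attributed_to(c, intrusion_set) for c in campaigns]
    if actor_known:
        actor = sdo("threat-actor", name="Constructed Threat Actor",
                    threat_actor_types=["crime-syndicate"])
        objects += [actor, attributed_to(intrusion_set, actor)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    by_id = {o["id"]: o for o in bundle["objects"]}
    for obj in bundle["objects"]:
        oid, otype = obj.get("id", ""), obj.get("type", "")
        for prop in ("type", "spec_version", "id", "created", "modified"):
            if prop not in obj:
                problems.append(f"{oid or '?'}: missing {prop}")
        if not ID_PATTERN.match(oid) or not oid.startswith(otype + "--"):
            problems.append(f"{oid or '?'}: id does not match type")
        if otype == "relationship":
            src, tgt = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
            if src is None or tgt is None:
                problems.append(f"{oid}: dangling reference")
            elif obj["relationship_type"] == "attributed-to":
                allowed = ATTRIBUTED_TO_TARGETS.get(src["type"], set())
                if tgt["type"] not in allowed:
                    problems.append(f"{oid}: {src['type']} attributed-to {tgt['type']} not allowed")
    return problems


def campaigns_of(bundle, iset_id):
    """Names of Campaigns attributed to the given Intrusion Set, found by following the SROs."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return sorted(by_id[o["source_ref"]]["name"] for o in bundle["objects"]
                  if o["type"] == "relationship" and o["relationship_type"] == "attributed-to"
                  and o["target_ref"] == iset_id and by_id[o["source_ref"]]["type"] == "campaign")


def intrusion_set_id(bundle):
    """Id of the (single) Intrusion Set in the bundle."""
    return next(o["id"] for o in bundle["objects"] if o["type"] == "intrusion-set")


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
    print("campaigns:", campaigns_of(bundle, intrusion_set_id(bundle)))
```

The validator deliberately rejects an `attributed-to` relationship whose source is an Intrusion Set and whose target is a Campaign: attribution in STIX runs from the more specific activity to the broader grouping, so Campaigns point at the Intrusion Set, and the Intrusion Set points at a Threat Actor only once one is known.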
Related Content
- Attack modes and methods
Attack modes and methods, sometimes referred to as Tactics, Techniques, and Procedures (TTPs), are representations of how cyber adversaries behave. They characterize what these adversaries do and how they do it, in increasing levels of detail. Attack modes and methods apply for STIX 1.1.
- Indicators of compromise
Indicators of Compromise (IoC) are artifacts observed on a network or operating system that are likely to indicate an intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or domain names. IoC applies for STIX 1.1 and 2.x.
- Observables
Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks. Observables apply for STIX 1.1 and 2.x.
- Attack patterns
Attack patterns are a type of Tactics, Techniques, and Procedures (TTPs) that describe the methods adversaries use in attempting to compromise targets. Attack Patterns apply for STIX 2.x.
- Campaigns
A Campaign is a grouping of adversarial behaviors. These behaviors describe a set of malicious activities or attacks that occur over time against a specific set of targets. Campaigns apply for STIX 2.x.
- Course of actions
A course of action is an action taken either to prevent an attack or to respond to an attack that is in progress. Courses of action apply for STIX 2.x.
- Identities
Identities represent actual individuals, organizations, or groups (ACME, Inc.) and classes of individuals, systems, or groups (the finance sector). Identities apply for STIX 2.x.
- Infrastructure
The Infrastructure SDO represents a type of Tactics, Techniques, and Procedures (TTPs). It describes any systems, software services, and associated physical or virtual resources intended to support some purpose of an attack. Infrastructure applies for STIX 2.x.
- Locations
A Location represents a geographic location. Locations are primarily used to give context to other SDOs. Locations apply for STIX 2.x.
- Malware
Malware is a type of TTP that represents malicious code. It refers to a program that is covertly inserted into a system. Malware applies for STIX 2.x.
- Malware analysis
Malware Analysis captures the metadata and results of an analysis of a malware sample. Malware analysis applies for STIX 2.x.
- Observed data
Observed Data conveys information about cyber security-related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). Observed data applies for STIX 2.x.
- Threat actors
Threat Actors are individuals, groups, or organizations who act with malicious intent. Threat actors apply for STIX 2.x.
- Threat groupings
A Threat Grouping object explicitly asserts that the referenced STIX Objects have a shared context. Threat groupings apply for STIX 2.x.
- Marking definitions
The marking definitions object represents a specific marking.
- Threat notes
A Threat Note conveys informative text that provides additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects to which the Note relates. Threat notes apply for STIX 2.x.
- Threat opinions
An Opinion is an assessment of the accuracy of the information in a STIX Object produced by a different entity. Threat opinions apply for STIX 2.x.
- Threat reports
Threat Reports are collections of threat intelligence focused on one or more topics. Threat reports apply for STIX 2.x.
- Sightings
Sightings denote that an indicator or object was seen. The object may be malware, a tool, a threat actor, and so on.
- Tools
Tools are legitimate software that threat actors use to perform attacks. Tools apply for STIX 2.x.
- Vulnerabilities
A Vulnerability is a weakness or defect in a software or hardware component that attackers exploit. Vulnerabilities apply for STIX 2.x.
- Relationships
Use the relationship objects to link together two SDOs or STIX Cyber-observable Objects (SCOs) to describe how they relate to each other.
- STIX Visualizer
The STIX Visualizer visually represents the structure of a STIX object and its relationships.