Introduction to Campaigns

What is a Campaign?

  • A campaign is a series of incidents that occur over a specific time period and are related by shared indicators, tools, infrastructure, or TTPs (Tactics, Techniques, and Procedures).

  • These incidents are performed by the same threat actors or have a shared objective.

Starting a Campaign Analysis

  • Identify Trends: Look for patterns in intrusions over time.

  • Keep Detailed Reports: Maintain detailed incident reports, including indicators, as they can be useful for future analysis.

  • Use External Intelligence: Collect intelligence from multiple sources like ISACs, ISAOs, vendors, and resources.

Key Indicators

  • Consistent indicators across intrusions help identify whether the trend targets a specific sector, country, or organization.

  • Compare key indicators and TTPs to identify adversaries.

Techniques for Campaign Analysis

  • ACH (Analysis of Competing Hypotheses): Use campaign hypotheses in place of general hypotheses, and identify candidate campaigns to test for correlations.

  • Cyber Kill Chain and Diamond Model: Use these models to correlate intrusions based on key indicators.

  • Other Techniques: Data analysis, temporal analysis, visual analysis, and heatmap analysis.
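
An added example (not part of the original notes) of ACH applied to campaigns as described above: each candidate campaign is a hypothesis, and a new intrusion's indicators, grouped by Cyber Kill Chain phase, are rated against each one. The campaign names, the indicators, and the rule that an indicator a campaign has not used counts as inconsistent are assumptions made for illustration.

```python
# Constructed sample data: indicators per Cyber Kill Chain phase for two
# hypothetical candidate campaigns and one new, unattributed intrusion.
CAMPAIGNS = {
    "CAMPAIGN-A": {"delivery": {"spearphish-pdf"},
                   "exploitation": {"macro-dropper"},
                   "c2": {"203.0.113.10", "uri:/news/update.php"}},
    "CAMPAIGN-B": {"delivery": {"watering-hole"},
                   "exploitation": {"browser-exploit"},
                   "c2": {"198.51.100.7", "uri:/news/update.php"}},
}
INTRUSION = {"delivery": {"spearphish-pdf"},
             "exploitation": {"macro-dropper"},
             "c2": {"203.0.113.10", "uri:/api/v2"}}

def ach_matrix(intrusion, campaigns):
    """Rate every observed indicator against every campaign hypothesis.
    C = consistent (campaign has used it), I = inconsistent (campaign has
    known indicators for that phase, but not this one), N = no data."""
    matrix = {}
    for phase, observed in intrusion.items():
        for indicator in sorted(observed):
            row = {}
            for name, profile in campaigns.items():
                known = profile.get(phase)
                row[name] = "N" if not known else "C" if indicator in known else "I"
            matrix[(phase, indicator)] = row
    return matrix

def diagnostic(matrix):
    """Drop evidence rated the same for all hypotheses: it cannot separate them."""
    return {k: row for k, row in matrix.items() if len(set(row.values())) > 1}

def rank(matrix, campaigns):
    """ACH prefers the hypothesis with the least inconsistent evidence."""
    scores = {n: sum(row[n] == "I" for row in matrix.values()) for n in campaigns}
    return sorted(scores.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    m = ach_matrix(INTRUSION, CAMPAIGNS)
    for (phase, indicator), row in m.items():
        print(f"{phase:13}{indicator:22}{row}")
    print("all evidence:       ", rank(m, CAMPAIGNS))
    print("diagnostic evidence:", rank(diagnostic(m), CAMPAIGNS))
```

The previously unseen C2 URI is inconsistent with both campaigns, so it is dropped as non-diagnostic before ranking; it is still worth recording in the incident report as a possible new indicator.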

Importance of Campaign Analysis

  • Helps anticipate future intrusions.

  • Even unsuccessful intrusions are useful as adversaries may try them again.
