Campaigns
Security teams may struggle with understanding their threat landscape and determining what activity to focus on, especially when faced with a myriad of emerging threats. To better assist these teams, the Threat Campaign feature in Google Threat Intelligence gives security professionals visibility into active campaigns affecting their industries, regions, and peers.
This feature provides a campaign-centric view and lets you easily pivot across all accompanying intelligence. Campaigns help you better prioritize mitigation and response actions in preparation for the next attack with a high degree of confidence. Data is updated daily as analysts get new campaign details, so you get access to Google Threat Intelligence’s knowledge in near real-time.
Campaign Creation
Google TI analyzes emerging threat data directly from client engagements and from open source or other collection methods when assessing a campaign's viability for a Threat Campaign profile. Considerations for campaign creation include the following:
- Who is the threat actor, what are their motivations, and how impactful are their operations on targeted organizations? For example, an espionage actor targeting Ministries of Foreign Affairs or a fast-paced extortion operator does not equate to automated drive-by adware or infostealer campaigns.
- What level of insight into the campaign do we have? Can we confirm that multiple organizations have been targeted? Do we have a sufficient amount of shareable, actionable data that we can disseminate to our clients?
- Is the targeting broad enough that the targeted organizations could not be discerned based on the data we have available to share?
We take the sensitivity of this data very seriously and make every effort to restrict the unintended release of sensitive, client-attributable data into the Threat Campaign profile.
Campaign List
All active campaigns appear in full in the Campaign List. You can search or filter on the results and open a specific campaign to access its more granular details. Campaigns are automatically updated as analysts tag events.
You can use various filters to pare down the list:
- Creation Date
- Last Modification Date
- Origin
- Source Region
- Targeted Region
- Targeted Industry
- Associated Malware
- Associated Tools
Campaign card
Each campaign is shown in the list as a card with the following information:
- Campaign title
- Update date: Date when the campaign card was last updated with any new associated report, malware family, targeted region, etc.
- Owner: Creator of the campaign card.
- Campaign ID
- Last activity: Date when the campaign card was last updated with any new associated report, malware family, targeted region, etc.
- Description: Short summary of the Campaign
- Targeted Industries
- Targeted Regions
- Associated Actors
- Associated Malware
- IoCs: number of IoCs related to this Campaign
- Telemetry graph on IoC activity
Each Campaign card has a checkbox to its left. When one or more cards are selected, two options are enabled in the top right corner:
Follow Campaigns
In the Campaigns tab, click Follow for any Campaign to monitor changes to the selected Campaigns over time, such as new activity, associations or IoCs.
To add a Campaign to a Threat Profile, open the card details and use the Follow button there; it gives you the option to choose which profile to add it to.
Run TTP analysis
You are redirected to the TTP Analysis tab, where a MITRE ATT&CK matrix is populated with the TTPs of the selected campaign(s) so you can explore them in detail.
Actions available for TTPs:
- Hovering over the ID of a Technique or Tactic shows a brief description of it and a link to open its details on the MITRE site.
- Clicking the name of a Technique or Tactic redirects you to an Intelligence search filtered on that specific Technique (example: attack_technique:T1129).
- Clicking the matches tag in the bottom right corner of a Technique redirects you to the list of the current Campaign's IoCs that match this Technique.
Campaign details
Click the name of any Campaign card to view its details, and navigate its tabs for specific data:
- Summary: This tab displays the same comprehensive summary of the Campaign as seen in the quick view. It also includes an Overview block with information such as Targeted Regions and Industries and the dates of the campaign's activity. The following blocks form a dashboard with a timeline of the Campaign's most relevant activity, and summarized information on Associated Actors, Malware, Tools & Vulnerabilities, an Associations timeline, the Telemetry Graph and the Activity board.
- Associations: This tab provides a list of the various associations with this Campaign. It includes associated Malware, Toolkits, Threat Actors and Vulnerabilities. Various filter options let you customize your view.
- IOCs: This tab includes a table with all known Indicators attributed to this Campaign, such as specific IP addresses, URLs, domains, and hashes.
- Rules: This tab shows detection rules for this Campaign's IoCs. There are YARA, Sigma and IDS rules, and they can be crowdsourced or curated. These rules can be downloaded for use in threat hunt efforts or other workflows involving third-party security tools outside the Google Threat Intelligence platform.
- TTPs: This tab shows the Tactics, Techniques, and Procedures (TTPs) observed to be associated with this Campaign. It contains two sub-tabs:
- Threat Actor Actions: shows the events observed by Google Threat Intelligence analysts in a timeline and as a detailed list.
- MITRE ATT&CK: shows the MITRE ATT&CK matrix with all associated TTPs; they can be downloaded by clicking Download TTPs in the Actions drop-down.
- Community: This tab provides a dedicated space for community discussion: comments posted by the community with observations on the Campaign.
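As an added example (not part of this documentation and not Google Threat Intelligence code), the following Python script shows how a campaign's indicators, once taken from the IOCs tab, can be run over local log lines in a threat hunt of the kind the Rules and IOCs tabs are meant to feed. Everything in it is constructed for the example: the indicator records and their `{"type", "value"}` shape are an assumed generic format, not the platform's export schema; the IP, domain, URL and file hash are not real indicators; and the proxy, DNS and EDR log lines are made up.

```python
"""Hunt constructed log lines for a campaign's constructed IoC list.

Added example, not Google Threat Intelligence code. The IoC record shape
({"type": ..., "value": ...}) is an assumption, not the platform's schema.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse, urlunparse

# Constructed sample bytes; their SHA-256 stands in for a file indicator.
SAMPLE_FILE = b"constructed loader sample for the example, not real malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()

# Constructed IoC export for a hypothetical campaign. Mixed case is
# deliberate: the index below normalizes it.
CAMPAIGN_IOCS = [
    {"type": "ip_address", "value": "203.0.113.77"},
    {"type": "domain", "value": "Update-Checker.example"},
    {"type": "url", "value": "http://CDN.example.net/static/loader.bin"},
    {"type": "file", "value": SAMPLE_SHA256.upper()},
]

# Constructed proxy / DNS / EDR log lines to hunt through.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.77 "
    "url=http://cdn.example.net/static/loader.bin",
    "2024-05-01T10:00:07Z dns client=10.0.0.9 "
    "query=mail.update-checker.example type=A",
    f"2024-05-01T10:01:12Z edr host=ws-17 file=C:\\Users\\Public\\loader.bin "
    f"sha256={SAMPLE_SHA256}",
    "2024-05-01T10:02:00Z proxy src=10.0.0.5 dst=198.51.100.2 "
    "url=https://www.example.org/",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_RE = re.compile(r"\b(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})\b")


def normalize_url(url):
    """Lower-case scheme and host, keep path and query, drop the fragment."""
    p = urlparse(url)
    return urlunparse((p.scheme.lower(), p.netloc.lower(), p.path or "/",
                       "", p.query, ""))


def build_ioc_index(records):
    """Group indicators by type with the same normalization the scan uses."""
    index = {"ip_address": set(), "domain": set(), "url": set(), "file": set()}
    for rec in records:
        kind, value = rec["type"], rec["value"].strip()
        if kind == "ip_address":
            index[kind].add(str(ipaddress.ip_address(value)))
        elif kind == "domain":
            index[kind].add(value.lower().rstrip("."))
        elif kind == "url":
            index[kind].add(normalize_url(value))
        elif kind == "file":
            index[kind].add(value.lower())
    return index


def domain_hits(host, indicators):
    """A host matches a domain indicator when equal to it or a subdomain of it."""
    return [d for d in indicators if host == d or host.endswith("." + d)]


def hunt(lines, records):
    """Return one match dict per (line, indicator) pair found in the logs."""
    index = build_ioc_index(records)
    matches = []
    for n, line in enumerate(lines):
        lowered = line.lower()
        for ip in IP_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(ip))
            except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not
                continue
            if ip in index["ip_address"]:
                matches.append({"line": n, "type": "ip_address",
                                "indicator": ip, "observed": ip})
        for url in URL_RE.findall(line):
            norm = normalize_url(url)
            if norm in index["url"]:
                matches.append({"line": n, "type": "url",
                                "indicator": norm, "observed": url})
        for host in DOMAIN_RE.findall(lowered):
            for ind in domain_hits(host, index["domain"]):
                matches.append({"line": n, "type": "domain",
                                "indicator": ind, "observed": host})
        for digest in HASH_RE.findall(lowered):
            if digest in index["file"]:
                matches.append({"line": n, "type": "file",
                                "indicator": digest, "observed": digest})
    return matches


if __name__ == "__main__":
    for m in hunt(LOG_LINES, CAMPAIGN_IOCS):
        print(f"line {m['line']}: {m['type']} {m['observed']} -> {m['indicator']}")
```

The domain check matches subdomains of an indicator on purpose, since a DNS log usually records a host under the listed domain rather than the apex itself; URL and hash indicators are matched exactly after normalization, so a case difference in the export does not hide a hit.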