Threat actor

A threat actor identifies an adversary who is motivated to damage a targeted victim, usually for personal gain.

A threat actor is an adversary who is motivated to damage an individual, a group, an entity or an organization. Threat actors can be individuals, groups, or organizations; they can be nation-sponsored or nation-state actors; they can be external to the targeted victims, or they can be insider threats. The motivation that drives them ranges from economic, political, ideological, to revenge and bragging. The benefits they gain from attacking a targeted victim vary from financial, to reputation damage, to intellectual property theft, and so on.

You can associate threat actors to TTPs and campaigns to understand how they plan and organize their attacks to the targeted victims. Indicators can help you track them, and relate them to observables and sightings. For example, an email address, an IP address, or a domain name associated with a real person’s identity.

Create a threat actor by selecting:

• In the side navigation bar + Create > Threat actor.

Or:

• (Requires Beta: Intelligence creation on the graph)

  In the top navigation bar of a graph, select + and then Threat actor to create a draft entity.

• Double-click to open the newly created draft entity to edit it.

Then, Configure this entity.

Configure

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General

Field	EIQ JSON field	Description
Name*	data.title	Descriptive title for this entity. See Titles and aliases.
Analysis	data.description	Long description.
Types*	data.types[]	One or more threat actor types. See Threat actor types
Confidence*	data.confidence	Confidence in the accuracy and trustworthiness of the information contained by this entity. Analogous to ConfidenceType. Possible values from Enumerated values: High Medium low.

Observables

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field	EIQ JSON field	Description
Type*	extracts[].kind	See Observable types
Link name*	See Observable link names	See Observable link names
Values(s)*	extracts[].value	Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.
Maliciousness*	See Observable maliciousness	See Observable maliciousness

Characteristics

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available for threat actors:

• Characteristics: Intent

• Characteristics: Identity

Characteristics: Intent

Set additional properties for this threat actor. Analogous to multiple properties under the ThreatActorType.

Field	EIQ JSON field	Description
Motivations	data.motivations[]	Analogous to MotivationVocab-1.1.
Sophistication	data.sophistication[]	Analogous to ThreatActorSophisticationVocab-1.0.
Intended effects	data.intended_effects[]	See Intended effects.
Planning and operational support	data.planning_and_operational_support[]	Analogous to PlanningAndOperationalSupportVocab-1.0.1.

Characteristics: Identity

Identity object to identify this threat actor with. Analogous to IdentityType.

Field	EIQ JSON field	Description
Name	data.identity.name	Name to identify this threat actor with. Creates a name observable when this entity is published.
Specification	data.identity.specification_xml	Add details to describe this threat actor’s identity. See Identity: Specification.

Identity: Specification

Add one or more items to Specification to flesh out the identity being described. Content here is used to construct the XML content in the specification_xml field in EIQ JSON. Analogous to STIXCIQIdentity3.0Type as used in IdentityType/ CIQIdentity3.0InstanceType/ CIQ 3.0 Specifications.

Field	Description
Account	Describes a bank account or similar. Available fields: Account type*: Set an account type. Free text field. Account status*: Set an account status. Free text field. Account specification: Add one or more account specifications. For each account specification, set these fields: Type*: One of the following options: Account ID Issuing authority Account type Account branch Issuing country name Value*: Set a value for this account specification.
Person	Add one or more properties describing a person. Type*: Select one of these options: Preceding title Title First name Middle name Last name Other name Alias name Generation identifier Degree Value*: Enter a value for this Type.
Organization	Add one or more properties describing an organization. Type*: Select one of these options: Name only Type only (i.e. “Inc”) Full name Value*: Enter a value for this Type.
Electronic address	Add one or more electronic addresses for this targeted victim. Type*: Select an electronic address type. Value*: Enter the full electronic address.

Each item added to the Specification section creates an observable with the corresponding type:

Specification field	Resulting observable type(s)
Account	bank-account
Person	person
Organization	organization
Electronic address	email domain handle

Relations

Add relationships to this entity by selecting + Relationship.

1. From the drop-down menu select the option corresponding to the relationship you want to create:

   • Observed TTPs

   • Associated campaigns

   • Associated actors

   • Campaign Attributions

   • Incident Attributed threat actors

   • Report Threat actors

   • Sighting Threat actor

2. After selecting an option, the Search an entity dialog appears. Select one or more entities to relate to the current entity.

   Note

   You can narrow down the displayed entities by entering a search query, or by using the filter .

3. Select Select to add the selected entities as relations.

Once a relationship is added to this entity, you can:

• Assign MITRE ATT&CK IDs by selecting + under the MITRE ATT&CK IDs column.

• Set a Relationship type

  • Enter a custom relationship type by typing in the empty field and pressing ENTER to save.

  • Select one of these options:

    • Indicates malware

    • Is associated campaign to

    • I don’t know

    • Could be anything

Meta

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field	EIQ JSON field	Description
Estimated threat start time	meta.estimated_threat_start_time	Estimated start of threat. See Time values.
Estimated threat end time	meta.estimated_threat_end_time	Estimated end of threat. See Time values.
Estimated observed time	meta.estimated_observed_time	Estimated time threat was observed. See Time values.
Half-life	meta.half_life	See Half-life. Select one of these options: Use default value: When selected, half-life for this entity is set to 720 days. Override value: Set a custom value for half-life, in number of days.
Tags	meta.tags[] and meta.taxonomy_paths[]	See tags and taxonomies.
Source*	sources[]	Select one source.
Source reliability	meta.source_reliability	See source reliability. Options: Inherit from source: This entity inherits source reliability from Source. Custom override: Set a source reliability value for just this entity.

Information source

Field	EIQ JSON field	Description
Description	data.information_source.description	Description of information source.
Identity	data.information_source.identity	Name of this information source
Roles	data.information_source.roles[]	One or more information source roles. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
References	data.information_source.references[]	One or more URLs.

Data marking

Descriptive metadata for entity.

Field	EIQ JSON field	Description
TLP	meta.tlp_color	Set a TLP color for this entity.
Terms of use	data.handling[].marking_structures[]	Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.
Simple	data.handling[].marking_structures[]	Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow

Use options here to apply workflow options to this entity.

Field	Description
Add to dataset	Select this option to add this entity to one or more datasets on Publish.
Manually enrich	Run one or more enrichers on this entity on Publish.

Save and publish

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More and then one of these options:

• Publish and new: Publish this entity, and start creating a new entity.

• Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More and then one of these options:

• Publish and new: Save this entity as a draft, and start creating a new entity.

• Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.

Appendix

Threat actor types

List of possible threat actor types. Analogous to ThreatActorTypeVocab-1.0.

Possible values:

• Cyber Espionage Operations

• Hacker

• Hacker - White hat

• Hacker - Gray hat

• Hacker - Black hat

• Hacktivist

• State Actor / Agency

• eCrime Actor - Credential Theft Botnet Operator

• eCrime Actor - Credential Theft Botnet Service

• eCrime Actor - Malware Developer

• eCrime Actor - Money Laundering Network

• eCrime Actor - Organized Crime Actor

• eCrime Actor - Spam Service

• eCrime Actor - Traffic Service

• eCrime Actor - Underground Call Service

• Insider Threat

• Disgruntled Customer / User