
Clarifying Threat Intelligence Concepts: Threat Actors vs. Intrusion Sets

Oct 29, 2024

In Cybersecurity and Threat Intelligence, we often use two terms that cause confusion: Threat Actors and Intrusion Sets. While these concepts are related and sometimes used interchangeably in casual discussions, they represent distinct entities in formal threat modeling frameworks like STIX (Structured Threat Information eXpression) and in our case OpenCTI. This article aims to clarify the differences between these two concepts and provide guidance on their appropriate use in threat intelligence.

It’s important to note that this article explores the boundary between these two concepts. This is not an absolute truth and is open to debate. The aim is to give users the keys to choosing how to model their data.


Defining the Terms

Threat Actors

A Threat Actor represents a physical entity or group of attackers behind malicious activities. These actors can be individuals or organizations, such as state entities or private companies. They coordinate and execute attacks. A Threat Actor might be responsible for orchestrating one or more Intrusion Sets.

Examples of Threat Actors:

  • GRU (Russian military intelligence),
  • NSA (U.S. National Security Agency),
  • NSO Group.

Intrusion Sets

An Intrusion Set refers to a grouping of consistent malicious activities, based on shared tactics, techniques, and objectives. It may be seen as the digital fingerprint of a hacker group and attributed to a specific Threat Actor. It’s a useful concept when the attacker’s identity is unclear but their actions follow recognizable patterns.

Examples of Intrusion Sets:

  • APT28 (also known as Fancy Bear),
  • Lazarus Group,
  • Mustang Panda.

Key Differences

[Figure: Threat Actors vs Intrusion Sets: Key Differences]

Gray Area

Certain entities may straddle the line between distinct classifications, making it challenging to decide how best to categorize them. Here are two examples of cases where the modeling can be debated.

Ransomware group

One example of this ambiguity is with ransomware groups.

Theoretically, given that ransomware groups often openly claim their activities and showcase them on their own websites, they could be categorized as Threat Actors based on the four criteria discussed in the “Key Differences” section. However, due to their nature and their often ambiguous internal structure, potential affiliations, and branching, they could also be categorized as Intrusion Sets.

In practice, the consensus leans towards modeling these groups as Intrusion Sets. Following this consensus streamlines reporting and analysis.

Black hat hackers

Another example arises with black hat hackers, where classification depends on the specific context.

If the hacker in question is a known or “doxed” individual, they can be categorized as a Threat Actor Individual. However, if the focus is on a forum user or an anonymous hacker, the same debate as with ransomware groups resurfaces. Unlike ransomware groups, where most sources consistently classify them as Intrusion Sets, there is more flexibility here in representation. Depending on the available data, analysts have the freedom to choose how they categorize such actors, but it is crucial to maintain consistency to avoid duplicated entities in your data.

Proposed Concrete Criterion: The Naming Convention

One possible concrete criterion for distinguishing a Threat Actor from an Intrusion Set could focus on the clarity and consensus around its definition. For instance, a Threat Actor may be more clearly defined if intelligence providers (e.g., Mandiant, CrowdStrike, Microsoft) consistently track the entity under the same name. In such cases, the providers agree on both the entity’s boundaries and the attribution of its attacks globally, signaling that the entity is well-understood and recognized across the intelligence community.

Conversely, if different names are used for the same entity, despite a general agreement in the CTI community that they represent the same group, it may indicate that the boundaries of the group are still unclear, leading to differing interpretations. This lack of clarity would support classifying the entity as an Intrusion Set, where the perimeter is less defined, and attribution may vary.

This proposed criterion is an angle of reflection for decision-making on classification. However, it remains open to interpretation and debate.

Other criteria can be put forward. For example, one member of the community, Coleman Kane (aka ckane), has proposed an additional/alternative criterion, suggesting that Threat Actors could be defined as entities that operate across multiple domains, not limited to just cyber activities (you can find it below under “To Go Further”).

Practical Application in Cyber Threat Intelligence (CTI)

When working with these concepts in CTI platforms like OpenCTI:

  1. Use Threat Actor for:
    • Known state entities (e.g., GRU, PLA units),
    • Well-defined organizations or groups.
  2. Use Intrusion Set for:
    • Groups of activities with similar characteristics (e.g., APT41, Lazarus),
    • Campaigns where the exact perpetrator is not confirmed.
  3. Relationship modeling:
    • Create relationships like: APT28 (Intrusion Set) -> Attributed to -> GRU (Threat Actor)
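The relationship in step 3, expressed as STIX 2.1 objects. This is an added example, not code from the article or from OpenCTI: it builds a Threat Actor (GRU), an Intrusion Set (APT28, alias Fancy Bear) and an `attributed-to` relationship between them using only the Python standard library, and it shows the alias lookup that keeps a second ingest of “Fancy Bear” from creating the duplicate entities the “Black hat hackers” section warns about. The identifiers are generated at run time, and `ALLOWED_RELATIONSHIPS` is assumed to cover only the object pairs this example needs, not the full STIX relationship matrix.

```python
"""Model an Intrusion Set attributed to a Threat Actor as STIX 2.1 objects.

Added example (not from the article or OpenCTI). Standard library only.
Entity names come from the article; identifiers are fresh UUIDv4 values.
"""
import json
import uuid
from datetime import datetime, timezone

# Assumption: a deliberately small subset of the relationship types that the
# STIX 2.1 specification defines between these object types.
ALLOWED_RELATIONSHIPS = {
    ("intrusion-set", "attributed-to", "threat-actor"),
    ("campaign", "attributed-to", "intrusion-set"),
    ("campaign", "attributed-to", "threat-actor"),
}


def _now() -> str:
    """STIX timestamp: UTC, millisecond precision, trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_sdo(sdo_type: str, name: str, aliases=None) -> dict:
    """Build a minimal STIX 2.1 domain object (threat-actor, intrusion-set, ...)."""
    ts = _now()
    obj = {
        "type": sdo_type,
        "spec_version": "2.1",
        "id": f"{sdo_type}--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
    }
    if aliases:
        obj["aliases"] = list(aliases)
    return obj


def make_relationship(source: dict, rel_type: str, target: dict) -> dict:
    """Create a relationship object, refusing pairs not in ALLOWED_RELATIONSHIPS."""
    key = (source["type"], rel_type, target["type"])
    if key not in ALLOWED_RELATIONSHIPS:
        raise ValueError(
            f"{source['type']} --{rel_type}--> {target['type']} is not allowed"
        )
    ts = _now()
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "relationship_type": rel_type,
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def find_existing(objects, sdo_type: str, name: str):
    """Return the object of sdo_type whose name or alias matches (case-insensitive).

    Looking this up before creating an entity is what prevents the same group
    from being stored twice under two vendor names.
    """
    needle = name.casefold()
    for obj in objects:
        if obj.get("type") != sdo_type:
            continue
        candidates = [obj.get("name", "")] + obj.get("aliases", [])
        if needle in (c.casefold() for c in candidates):
            return obj
    return None


def get_or_create(objects, sdo_type: str, name: str, aliases=None) -> dict:
    """Reuse an existing entity when the name is already known, else create it."""
    existing = find_existing(objects, sdo_type, name)
    if existing is not None:
        return existing
    obj = make_sdo(sdo_type, name, aliases)
    objects.append(obj)
    return obj


def build_bundle() -> dict:
    """APT28 (Intrusion Set) -> attributed-to -> GRU (Threat Actor), as a bundle."""
    objects = []
    gru = get_or_create(objects, "threat-actor", "GRU")
    apt28 = get_or_create(objects, "intrusion-set", "APT28", aliases=["Fancy Bear"])
    # A second report names "fancy bear": the alias lookup returns the existing
    # APT28 object, so no duplicate Intrusion Set is created.
    again = get_or_create(objects, "intrusion-set", "fancy bear")
    assert again is apt28
    objects.append(make_relationship(apt28, "attributed-to", gru))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

The bundle printed by `build_bundle()` contains exactly three objects; when the understanding of an Intrusion Set evolves and a Threat Actor is later identified, only a new `attributed-to` relationship needs to be added, the Intrusion Set object itself stays as it is.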
[Figure: Knowledge View: Threat Actors vs. Intrusion Sets in OpenCTI]

Challenges and Considerations

  • Evolving understanding: As more information becomes available, an Intrusion Set might later be linked to a specific Threat Actor.
  • Community consensus: The CTI community may not always agree on attributions or categorizations.
  • Naming discrepancies: Different security firms may use proprietary names for the same Intrusion Set, indicating some uncertainty in its exact scope.

Conclusion

Understanding the distinction between Threat Actors and Intrusion Sets is crucial for accurate threat modeling and intelligence sharing. While Threat Actors represent the “who” behind cyber attacks, Intrusion Sets focus on the “what” and “how” of observed malicious activities. By correctly applying these concepts, CTI analysts can more effectively track, analyze, and respond to cyber threats.

It’s important to remember that threat intelligence is a dynamic field, where our understanding of threat entities often evolves over time. Categorizations may need to be adjusted as new information comes to light, making flexibility in approach essential. Maintaining clear distinctions between Threat Actors and Intrusion Sets, while acknowledging their interconnected nature, enables CTI analysts to create more comprehensive and accurate threat models. Regular review and refinement of these models, based on the latest intelligence and best practices, will help organizations stay ahead in the ever-changing landscape of cyber threats.

To Go Further
