All right, so what exactly is a campaign? One easy way to think about this is as a bunch of different incidents, with a bunch of different threat actors taking some actions in a coordinated way. As I talked about a little bit earlier in the module, it's sometimes difficult to distinguish single incidents, which may be isolated, versus those incidents which tend to be grouped together. One of the ways to get closer to answering that question is, of course, to use tools like Maltego or ThreatConnect or PassiveTotal. These are all great ways to group things together, look for the patterns, see what relationships there might be. And then it should become more clear that you're actually looking at a campaign, because you've got things in common between the threat actors, between the domains that they register, between email addresses, things in common with IP addresses and other associated IDs.
So the tactics, techniques and procedures of different threat actors could also be used as clues to determine if you're dealing with a campaign. This is something we'll talk about a little bit later when we discuss attribution. But the basic idea, then, is to look for commonality between the different pieces of evidence that are discovered, to see if there is something that links them together.
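As an added example (not part of the lecture, and not any vendor's tool), here is the "look for commonality" idea in code: incidents are linked whenever they share an indicator value of the same type, and the linked groups become candidate campaigns. The incident records, domains, addresses and IPs are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample incidents (not real data): each record carries the
# indicators observed during that incident, keyed by indicator type.
INCIDENTS = {
    "INC-001": {"domain": {"login-portal.example"},
                "email": {"ops@mailer.example"}, "ip": {"203.0.113.10"}},
    "INC-002": {"domain": {"login-portal.example", "update-cdn.example"},
                "email": set(), "ip": {"203.0.113.11"}},
    "INC-003": {"domain": set(),
                "email": {"ops@mailer.example"}, "ip": {"198.51.100.7"}},
    "INC-004": {"domain": {"invoice-review.example"},
                "email": {"billing@mailer.example"}, "ip": {"198.51.100.99"}},
    "INC-005": {"domain": set(), "email": set(), "ip": {"198.51.100.99"}},
}


def group_by_shared_indicators(incidents):
    """Union-find over incidents: two incidents land in the same group when
    they share at least one indicator value of the same type.  Returns the
    groups (sorted, deterministic) and, for every linked pair, the shared
    indicators that justify the link, so an analyst can review each one."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps trees shallow
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Invert the data: (type, value) -> incidents in which it was seen.
    seen = defaultdict(list)
    for name, indicators in incidents.items():
        for kind, values in indicators.items():
            for value in values:
                seen[(kind, value)].append(name)

    links = defaultdict(set)
    for (kind, value), names in seen.items():
        for other in names[1:]:
            union(names[0], other)
            links[frozenset((names[0], other))].add(f"{kind}:{value}")

    groups = defaultdict(set)
    for name in incidents:
        groups[find(name)].add(name)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0]), dict(links)


def candidate_campaigns(incidents, min_size=2):
    """Groups of at least min_size incidents are worth naming and tracking as a
    candidate campaign; singletons stay isolated incidents for now."""
    groups, links = group_by_shared_indicators(incidents)
    return [g for g in groups if len(g) >= min_size], links


if __name__ == "__main__":
    campaigns, why = candidate_campaigns(INCIDENTS)
    for members in campaigns:
        print("candidate campaign:", ", ".join(members))
    for pair, shared in why.items():
        print("  linked", " <-> ".join(sorted(pair)), "via", ", ".join(sorted(shared)))
```

The returned `links` map is the part an analyst actually reviews: a single shared indicator of low specificity (a popular hosting IP, a shared mail provider) will happily join unrelated incidents, so in practice you weight indicator types or require more than one shared indicator before you treat a group as a campaign.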
What about key indicators? These could be a lot of different things that are going to be maybe on a case-by-case basis in a lot of circumstances, but it's still something to consider: what kind of metrics are important to doing an investigation, especially when you haven't determined yet if you're dealing with a campaign or isolated incidents. Some of the indicators could have to do with when something happened, the order of events. Try to look for patterns in the events that lead up to some kind of a compromise. These could provide little clues as to how a particular threat actor is operating. Their modus operandi is certainly something to try to get a handle on.
In order to better connect a potential threat actor with their activity, campaigns should be named. The convention for naming campaigns, of course, is gonna vary from one organization to another, but a unique name is certainly something needed in order to keep the information separate. You don't want to have any confusion about which campaign is actually being discussed or investigated because names are too similar or, you know, names that are identical in the worst-case scenario.
Trying to help identify whether new incidents are part of an existing campaign that's being studied can also be a little bit tricky. Some incidents may turn out to be related after further investigation. Type of activity is also important. If the existing campaign is dealing with ransomware, for instance, like we were just looking at some of the artifacts for WannaCry, then other ransomware-related incidents and activities could also be investigated in the hopes that there's a connection between some new action and an existing campaign that's already
All right, so now let's think a little bit about how you communicate some of the information about a campaign. One really nice tool is a heat map, and we saw this when we were looking a little bit earlier at the ThreatConnect tool, and that was a very straightforward way to represent different values of data in an easily
You can use colors, as we see here, not only different-colored boxes to represent different information but also different-sized boxes. Sometimes this is done with circles: different-colored circles, different sizes indicate whatever parameters the designer wishes. Maybe a larger square means more activity, a smaller square might mean less activity. That's a pretty typical way to do this. This heat map could also be done using a map. There are endless ways to tinker with this basic idea. The trick is, of course, to find a method that works for your particular situation and is hopefully acceptable to the people that are consuming the intelligence.
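As an added example (not from the lecture or from ThreatConnect), here is the heat map idea reduced to its two encodings: the size of a cell's bar stands for how much activity there was, and its shade stands for the color scale. The actor names and tactic labels are constructed sample data, and the count table it builds is the same actor-by-tactic summary you would hand to a charting library.

```python
from collections import Counter

# Constructed sample observations (not real data): one (actor, tactic) pair
# per incident in which that actor was seen using that tactic.
OBSERVATIONS = [
    ("actor-A", "phishing"), ("actor-A", "phishing"), ("actor-A", "phishing"),
    ("actor-A", "credential-theft"),
    ("actor-B", "phishing"), ("actor-B", "ransomware"), ("actor-B", "ransomware"),
    ("actor-C", "ransomware"),
]

# Shade characters from least to most activity; stands in for a colour scale.
SHADES = " ░▒▓█"


def build_matrix(observations):
    """Count incidents per (actor, tactic) cell; rows and columns are sorted so
    the rendering is stable from one report to the next."""
    counts = Counter(observations)
    actors = sorted({a for a, _ in observations})
    tactics = sorted({t for _, t in observations})
    return actors, tactics, counts


def shade(count, max_count):
    """Map a cell count onto a shade: 0 stays blank, anything else gets at
    least the lightest shade, the busiest cell gets the darkest."""
    if count == 0 or max_count == 0:
        return SHADES[0]
    level = round(count / max_count * (len(SHADES) - 1))
    return SHADES[max(1, level)]


def render_heat_map(observations):
    """Text heat map: each cell is a bar whose length is the count (the
    'bigger box' idea) drawn in a shade for intensity (the 'colour' idea)."""
    actors, tactics, counts = build_matrix(observations)
    max_count = max(counts.values(), default=0)
    # Column wide enough for the longest bar plus count, or the label itself.
    cell_width = max(max_count + 3, max(len(t) for t in tactics)) + 1
    label_width = max(len(a) for a in actors) + 2
    header = " " * label_width + "".join(t.ljust(cell_width) for t in tactics)
    rows = [header]
    for actor in actors:
        cells = []
        for tactic in tactics:
            n = counts.get((actor, tactic), 0)
            bar = (shade(n, max_count) * n).ljust(max_count)
            cells.append(f"{bar} {n:>2}".ljust(cell_width))
        rows.append(actor.ljust(label_width) + "".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_heat_map(OBSERVATIONS))
```

The shade is bucketed relative to the busiest cell, so the same count reads differently in a quiet month and a busy one; if consumers compare reports over time, fix `max_count` to a standing ceiling instead of recomputing it per report.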
As with any kind of communication, it's very important to design any reporting or any kind of a lecture or presentation so that it best suits the audience for which it's intended. If you're sharing this information with technical people, then you have a little bit more leeway as far as the terminology you can use and the concepts you can present. If a technical discussion is being shared with people who are a little bit more business-oriented, then you have to keep that in mind by choosing appropriate language and appropriate examples to convey some of the more difficult-to-understand concepts.
Using templates is not a bad idea, and as I talked about a little bit earlier, having a consistent, repeatable approach to reporting and otherwise any other kind of communications is a really great goal. The consumers of the intelligence will also appreciate having a consistent look and feel when they're looking at a report or some other write-up of evidence or a campaign.
And then, lastly, we want to also think about being concise. It's very important to think about having a summary, or like an executive summary, for certain bits of information, and then the reader can decide whether or not to go to another section of the report for more detailed explanations. But having some high-level descriptions or even bullet points is not a bad way to get the reader started and give them the choice to dig deeper if they want. Instead of just presenting all of the detailed information right at the beginning of a report, it's better to be able to kind of drill down a little bit as needed, when more information is needed.
Okay, well, thank you for watching module two. Stay tuned for module three.