MISP/misp-playbooks

Actor profiling

cudeso opened this issue · 2 comments

The title of the playbook

Actor profiling

Purpose of the playbook

This playbook uses the MITRE Intrusion Set (Groups) as an input to query all MISP events that have a specific group attached. The group is defined by the analyst running the playbook. The playbook then returns a chronological list of all those events with context information and summarises the attributes found in these events. The playbook then summarises the other TTPs (software, technique) that were found (TTP, number of occurrences) in the MISP events. The playbook also lists all the CVE attributes found in these events. The result of the playbook is a profile of an actor based on the MISP events in a local instance. The results are stored in the playbook and sent to Mattermost or Slack or as an alert in TheHive or DFIR-IRIS (to be discussed for implementation). An extension to the playbook is an interaction with OpenCTI (to be discussed).

External resources used by this playbook

MITRE, Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)

Target audience

CTI

Briefly list the execution steps or workflow

No response
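The profiling steps described in the purpose section, as an added sketch that is not part of the original issue or the playbook's own code. It works offline on constructed events in MISP's event JSON layout, assumes the group and TTPs are attached as event-level MITRE galaxy tags, and uses a hypothetical `profile_actor` helper; CVE values are placeholders.

```python
from collections import Counter

# Tag prefixes of the MISP MITRE ATT&CK galaxies (group, technique, software).
GROUP_PREFIX = "misp-galaxy:mitre-intrusion-set="
TTP_PREFIXES = ("misp-galaxy:mitre-attack-pattern=",
                "misp-galaxy:mitre-malware=",
                "misp-galaxy:mitre-tool=")

def make_event(eid, date, info, tags, attrs):
    """Build a constructed event in MISP's event JSON layout."""
    return {"Event": {"id": eid, "date": date, "info": info,
                      "Tag": [{"name": t} for t in tags],
                      "Attribute": [{"type": t, "value": v} for t, v in attrs]}}

# Constructed sample data, not taken from any real MISP instance.
APT29 = GROUP_PREFIX + '"APT29 - G0016"'
PHISH = 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'
SAMPLE = [
    make_event("1", "2023-09-01", "Constructed event A", [APT29, PHISH],
               [("ip-dst", "192.0.2.10"), ("vulnerability", "CVE-0000-0001")]),
    make_event("2", "2023-05-10", "Constructed event B",
               [APT29, PHISH, 'misp-galaxy:mitre-tool="Mimikatz - S0002"'],
               [("domain", "bad.example"), ("vulnerability", "CVE-0000-0002")]),
    make_event("3", "2023-07-01", "Constructed event C",
               [GROUP_PREFIX + '"APT28 - G0007"'],
               [("vulnerability", "CVE-0000-0003")]),
]

def profile_actor(events, group):
    """Profile one intrusion set from a list of MISP event dicts."""
    wanted = f'{GROUP_PREFIX}"{group}"'
    names = lambda ev: [t["name"] for t in ev.get("Tag", [])]
    hits = [e["Event"] for e in events if wanted in names(e["Event"])]
    hits.sort(key=lambda ev: ev["date"])  # ISO dates sort chronologically
    attr_types, ttps, cves = Counter(), Counter(), set()
    for ev in hits:
        for tag in names(ev):
            if tag.startswith(TTP_PREFIXES):  # other TTPs seen with the group
                ttps[tag.split("=", 1)[1].strip('"')] += 1
        for attr in ev.get("Attribute", []):
            attr_types[attr["type"]] += 1
            if attr["type"] == "vulnerability":  # MISP type that holds CVE ids
                cves.add(attr["value"])
    return {"timeline": [(ev["date"], ev["id"], ev["info"]) for ev in hits],
            "attribute_types": dict(attr_types),
            "ttps": ttps.most_common(),
            "cves": sorted(cves)}

if __name__ == "__main__":
    print(profile_actor(SAMPLE, "APT29 - G0016"))
```

Against a live instance the event list would come from a tag search rather than `SAMPLE`, and attribute-level galaxy tags would need the same treatment as the event-level ones handled here.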

cudeso commented

Fixed by 63ad3e7