Josh Thomas edited this page May 13, 2015 · 2 revisions

An Actor in CRITs can mean one of two things: a single individual, or an organized group of individuals.

CRITs lets you track Actors and attribute metadata to them. You can map out complex organizations by connecting Actors with Relationships. For example:

  • Create an Actor with a name of "Evil Organization".
  • Create an Actor with a name of "Evil Actor".
  • Use the Relationships feature to note that "Evil Actor" is contained within "Evil Organization".

In most cases metadata will be associated with several Actors contained within an organization, and that same metadata may also need to be associated with the organization itself. To allow this, metadata is kept separate from the Actor so that each association can be made individually. For a given Actor you can define:

  • Name
    • The name your organization refers to this Actor by.
  • Aliases
    • Names other organizations have given that Actor.
  • Description
    • A description of the Actor.
  • Intended Effects
    • The effects the Actor intends to achieve when attacking organizations.
  • Motivations
    • The motivations behind the Actor's attacks.
  • Sophistication
    • The level of sophistication an Actor has shown.
  • Threat Types
    • The types of threats that Actor poses to an organization.

The latter four are based on STIX controlled vocabularies, so you cannot add values to them. You can, however, use the Control Panel to enable or disable their use.

Actor Identifiers

There is one more kind of attribution you can make for Actors, called "Actor Identifiers". These are values you might come across during intel or malware analysis that tip you off to the presence or activity of an Actor.

An Actor Identifier is added to CRITs as an entirely separate entity and does not have to be attributed to an Actor. Until you have enough confidence that an identifier actually belongs to a specific Actor, it can remain in the system unattributed, giving you an organized way to store and reference these values.

Each Actor Identifier requires an Identifier Type. This provides context to the Identifier. An example might be:

  • Identifier Type: URL Post Parameter
  • Identifier: "foo=bar"

By itself, foo=bar is not very useful, but knowing that it appears as a parameter in a POST gives it much greater context: anyone who wants to hunt for it can now tune their network sensors and tools to look for it in the right place. Identifier Types are customizable and can be altered through the CRITs interface in the same way as other menu options.

When you are ready to attribute that Identifier to an Actor, go to the Actor Details page and make the attribution there; you can assign it a confidence level at the same time.
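The following is an added example, not CRITs code, showing what "the type gives the value context" means in practice for a sensor: a small matcher that checks typed Actor Identifiers (the "URL Post Parameter" type from the example above, plus a hypothetical custom "User-Agent" type) against HTTP request records, carrying the optional Actor attribution and confidence along with each hit. The identifier set, the request records and the hostnames in them are all constructed for the example.

```python
# Added example (not CRITs code): matching typed Actor Identifiers against
# HTTP request records, to show why the Identifier Type matters.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl


@dataclass(frozen=True)
class ActorIdentifier:
    id_type: str                      # context for the value, e.g. "URL Post Parameter"
    value: str                        # the raw identifier, e.g. "foo=bar"
    actor: Optional[str] = None       # None until attributed to an Actor
    confidence: Optional[str] = None  # assigned together with the attribution


# Constructed identifier set. "URL Post Parameter" is the type from the page;
# "User-Agent" is a hypothetical custom type added through the Control Panel.
IDENTIFIERS: List[ActorIdentifier] = [
    ActorIdentifier("URL Post Parameter", "foo=bar", actor="Evil Actor", confidence="medium"),
    ActorIdentifier("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0)"),  # still unattributed
]

# A request record: (method, url, headers, body). All constructed sample data.
Request = Tuple[str, str, Dict[str, str], str]

REQUESTS: List[Request] = [
    ("POST", "http://198.51.100.7/gate.php", {"User-Agent": "curl/7.58.0"}, "id=42&foo=bar"),
    ("GET", "http://198.51.100.7/gate.php?foo=bar", {"User-Agent": "curl/7.58.0"}, ""),
    ("POST", "http://198.51.100.7/up.php",
     {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}, "xfoo=bar"),
]


def _post_param_match(request: Request, value: str) -> bool:
    """True only when `value` is a whole key=value pair in a POST body.

    The same string in a GET query string, or as a substring of a longer
    parameter ("xfoo=bar", "foo=barbaz"), is not this identifier.
    """
    method, _url, _headers, body = request
    if method != "POST":
        return False
    want_key, _, want_val = value.partition("=")
    return any(k == want_key and v == want_val
               for k, v in parse_qsl(body, keep_blank_values=True))


def _user_agent_match(request: Request, value: str) -> bool:
    """Exact match on the User-Agent header (hypothetical custom type)."""
    return request[2].get("User-Agent") == value


# Dispatch table: each Identifier Type decides how its values are compared.
MATCHERS = {
    "URL Post Parameter": _post_param_match,
    "User-Agent": _user_agent_match,
}


def match_request(request: Request, identifiers: List[ActorIdentifier]) -> List[ActorIdentifier]:
    """Return the identifiers that fire on a single request."""
    hits = []
    for ident in identifiers:
        matcher = MATCHERS.get(ident.id_type)
        if matcher is not None and matcher(request, ident.value):
            hits.append(ident)
    return hits


def scan(requests: List[Request],
         identifiers: List[ActorIdentifier]) -> List[Tuple[int, str, str, Optional[str], Optional[str]]]:
    """(request index, type, value, actor, confidence) for every hit."""
    out = []
    for i, req in enumerate(requests):
        for ident in match_request(req, identifiers):
            out.append((i, ident.id_type, ident.value, ident.actor, ident.confidence))
    return out


if __name__ == "__main__":
    for hit in scan(REQUESTS, IDENTIFIERS):
        print(hit)
```

Run as written, only the first request fires on the "URL Post Parameter" identifier (and carries the "Evil Actor" attribution with medium confidence); the GET carrying foo=bar in its query string and the POST carrying xfoo=bar do not, which is exactly the precision a naive substring search would lose. The third request fires on the unattributed User-Agent identifier, so the hit is reported with no actor and no confidence.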

Identifiers are very similar to Indicators, insofar as most Identifier values would also make useful Indicators. Indicators, however, lack the context an Identifier Type provides and have much broader use cases than Actor attribution alone. There will be times when you add the same value both as an Indicator and as an Actor Identifier, and that is quite alright.
