
Techniques listed on the campaign are not present on the related group #62

@rothdebian

I am trying to identify a campaign group based on the techniques used in the campaign. In my mind, all techniques used in a campaign should be in the group that runs it. On the website, this information appears this way (each technique on a campaign is present in the group that runs it).

But when I try to do this from the STIX file information, there are a lot of techniques on the campaigns that are not associated with the group, for example:
OilRig Group (intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d)
There are 76 techniques listed as used by the group.
But on the Juicy Mix campaign (campaign--7ab2f1a1-26af-4204-ad84-d640fde391da) that OilRig conducted, there are five techniques:
 1. T1074.001: Local Data Staging
 2. T1132.001: Standard Encoding
 3. T1217: Browser Information Discovery
 4. T1518: Software Discovery
 5. T1584.004: Compromise Infrastructure: Server

that are not listed among the 76 techniques used by the group.

To summarize: the correspondence occurs in all campaigns on the website, but not in every campaign in the STIX file (enterprise-attack.json).

Is it worth listing all these inconsistencies, or are they not important?
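One way to enumerate the discrepancy described in this issue across a whole bundle, as an added example that is not part of the original post or the project's code. It assumes campaigns link to groups through `attributed-to` relationships and to techniques through `uses` relationships; the sample bundle, its IDs and names, and the helper names are constructed for illustration.

```python
from collections import defaultdict

def _rel(kind, src, dst, **extra):
    return {"type": "relationship", "relationship_type": kind,
            "source_ref": src, "target_ref": dst, **extra}

def _tech(stix_id, ext_id):
    return {"type": "attack-pattern", "id": stix_id, "external_references": [
        {"source_name": "mitre-attack", "external_id": ext_id}]}

# Constructed miniature bundle: placeholder IDs and names, not real ATT&CK objects.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group"},
    {"type": "campaign", "id": "campaign--c1", "name": "Example Campaign"},
    _tech("attack-pattern--a1", "T0001"),
    _tech("attack-pattern--a2", "T0002"),
    _rel("attributed-to", "campaign--c1", "intrusion-set--g1"),
    _rel("uses", "intrusion-set--g1", "attack-pattern--a1"),
    _rel("uses", "intrusion-set--g1", "attack-pattern--a2", revoked=True),
    _rel("uses", "campaign--c1", "attack-pattern--a1"),
    _rel("uses", "campaign--c1", "attack-pattern--a2"),
]}

def attack_id(obj):
    """ATT&CK ID from the mitre-attack external reference (STIX id as fallback)."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), obj["id"])

def campaign_only_techniques(bundle):
    """Map (group name, campaign name) -> technique IDs the campaign uses
    that have no direct 'uses' relationship from the attributed group."""
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    uses, attributed = defaultdict(set), []
    for o in bundle["objects"]:
        # Skip non-relationships and relationships marked revoked or deprecated.
        if o["type"] != "relationship" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        kind, src, dst = o["relationship_type"], o["source_ref"], o["target_ref"]
        if kind == "uses" and dst.startswith("attack-pattern--"):
            uses[src].add(dst)
        elif kind == "attributed-to" and src.startswith("campaign--"):
            attributed.append((src, dst))
    gaps = {}
    for camp, group in attributed:
        missing = uses[camp] - uses[group]
        if missing and camp in objs and group in objs:
            key = (objs[group]["name"], objs[camp]["name"])
            gaps[key] = sorted(attack_id(objs[t]) for t in missing if t in objs)
    return gaps

if __name__ == "__main__":
    print(campaign_only_techniques(SAMPLE_BUNDLE))
```

To run it against the real data, pass the parsed enterprise-attack.json (loaded with `json.load`) in place of `SAMPLE_BUNDLE`.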
