correlating-threat-campaigns

# Correlating Threat Campaigns ## When to Use Use this skill when: - Multiple unrelated-appearing incidents share IOCs (same C2 IP, same malware hash, similar TTPs) - An ISAC partner shares indicators from an incident that match your own historical events - Building a campaign report linking adversary activity over weeks or months to a single operation **Do not use** this skill to force correlation based on weak signals — false campaign attribution misleads defenders and wastes resources on incorrect threat models. ## Prerequisites - TIP or SIEM with historical indicator and event data (90+ days recommended) - MISP correlation engine enabled with event sharing configured - Graph analysis tool (Maltego, Neo4j, or OpenCTI) for relationship visualization - Reference to MITRE ATT&CK intrusion set and campaign objects for structuring output ## Workflow ### Step 1: Collect and Normalize Events Gather all candidate events for correlation from: - Internal SIEM (raw events, alert history) - TIP (historical indicators and events) - ISAC sharing (partner-submitted events in MISP or TAXII) - Commercial intelligence (Recorded Future, Mandiant, CrowdStrike reports) Normalize all events to STIX 2.1 schema with consistent timestamp (UTC), indicator types, and confidence scores. Ensure all indicators have source attribution and collection date. ### Step 2: Identify Correlation Pivot Points Apply systematic pivot analysis across four dimensions: **Infrastructure pivots**: - Same IP...