scoutTHREAT - Creating a Threat Actor Object
Written by Benjamin Dewey
Updated over a week ago

1. To add a Threat Actor Object, navigate to Intelligence, then click on Threat Actor.

2. If any exist, a list of Threat Actor objects will load with the item Name, Type, date Created and Modified.

3. Click on Create New on the top right side of the page.

4. Enter a Name and Description for your Threat Actor object profile.

The HTML editor above the text area enables more control of layout, either by using the default options in the layout bar or enabling the Source Code editor, as shown below.

5. On the right panel of the page, select the Confidence level you have about this Threat Actor. Choose a number from 1 to 10, 1 being the highest level.

6. Then, select the Threat Actor Type from the drop-down menu (e.g., hacker, competitor, nation-state, etc.).

7. Click on the empty field under Aliases to add alternative names used to identify this Threat Actor. Type the name of the alias then click on Create.

8. Next, you can choose from the drop-down menu the level of Sophistication the Threat Actor has when it comes to the skill, specific knowledge, special training, or expertise to perform an attack.

9. A Threat Actor can play many Roles such as agent, author, etc. Choose from the drop-down the role your Threat Actor object generally plays.

10. Next, choose the Threat Actor's Resource Level from the drop-down menu. This can include the organizational level at which this Threat Actor typically works, which in turn determines the resources available they can use in an attack.

11. Under Primary motivation, you can select the primary reason, motivation, or purpose behind this Threat Actor. The motivation is why the Threat Actor wishes to achieve the goal (what they are trying to achieve). For example, a Threat Actor with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism.

12. You can also add the Threat Actor's Secondary motivation. This property specifies the secondary reasons, motivations, or purposes behind this Threat Actor.

13. Next, you can select the Threat Actor's possible Personal motivations. This can include notoriety, revenge, coercion, personal-gain, and others.

14. It is optional to add dates for when the Campaign was First seen and Last seen. To add dates, click on Select Date fields to choose from the calendar.

15. Click on the + in the center of the page to save the information.

16. Next, you can choose to add a Note to provide further context or analysis about the object, as well as an Opinion to assess the accuracy of the intelligence data.

For steps on adding Notes and Opinions, see Adding Notes to Objects and Adding Opinions to Objects.

17. After saving, you will have the option to add Relationships and External References to the object.

18. To add a new Relationship, click on +Add.

19. A new window will display for adding a new relationship, you will see the following:

  • Source will display the current object which is the name of the object.
    You can select from the Relationship type drop-down menu the type of relationship the object has to the Target.

  • Depending on the Relationship type you select, a Target can be an Identity Object or another Intelligence Object. To add a target, type its name in the Target field.

    NOTE: A Target must already be in the system for it to appear in the field.

  • Depending on the object, you can the swap the Source and Target names by clicking on Swap & Target.

  • Under Description you can add details about the Relationship shared with the object you are creating. Click Add when you are done.

20. Newly added relationships will be listed under Relationships.

21. You can also add already existing External References to an Indicator Object.

  • Click on +Add.

  • A new window will display with a drop-down list of External References you can select from. Choose the name of the External Reference you want then click Add.

    NOTE: You can add one or more External References to an object.

22. Newly added references will be listed under External References.

23. Several icons will appear at the top of the page:

#1. This icon is for deactivating the object profile.

#2. This icon is for sharing the object on TICE.

#3. This icon is for sharing the Threat Actor profile to AILA.

#4. This icon is for editing the object profile information.

Related Content

Did this answer your question?