mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Threat Actor Object vs. Intrusion Set Object? #64

Closed HamptonJ closed 5 years ago

HamptonJ commented 5 years ago

In reading through the STIX specification, it seems like Threat Actor fits the description of a MITRE ATT&CK Group better than Intrusion Set does, yet none of the Groups are expressed as Threat Actors in the STIX json output. We were curious about what the thought process was to decide not to use Threat Actor.

isaisabel commented 5 years ago

Hi @HamptonJ,

The STIX documentation defines threat-actors as "individuals, groups or organizations" and intrusion-sets as "grouped sets of adversarial behaviors or resources with common properties orchestrated by a single threat actor."

We chose intrusion-sets because we feel the grouping of techniques (behaviors) on our ATT&CK Group pages is closest to that definition. However, as we explain on our Groups page, analysts track clusters of activities using various analytic methodologies and terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. For the purposes of the Group pages, the MITRE ATT&CK team uses the term Group to refer to any of the above designations for a cluster of adversary activity.
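To make the distinction concrete, here is an added example (not code from the mitre/cti repository or its maintainers) that walks a small STIX 2.0 bundle shaped the way this repository models a Group: an intrusion-set linked by "uses" relationships to attack-pattern objects, each carrying an ATT&CK external reference. All ids, names and the G####/T#### external ids in the sample are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample bundle in the STIX 2.0 shape mitre/cti uses: an ATT&CK
# Group is an intrusion-set that "uses" attack-patterns (techniques).
# All ids, names and G####/T#### external ids here are placeholders.
STAMP = "2019-01-01T00:00:00.000Z"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "intrusion-set", "created": STAMP, "modified": STAMP,
         "id": "intrusion-set--00000000-0000-4000-8000-0000000000a1",
         "name": "Example Group",
         "external_references": [{"source_name": "mitre-attack",
                                  "external_id": "G9999"}]},
        {"type": "attack-pattern", "created": STAMP, "modified": STAMP,
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000b1",
         "name": "Example Technique",
         "external_references": [{"source_name": "mitre-attack",
                                  "external_id": "T9999"}]},
        {"type": "relationship", "created": STAMP, "modified": STAMP,
         "id": "relationship--00000000-0000-4000-8000-0000000000c1",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-0000000000a1",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000b1"},
    ],
})


def attack_id(obj):
    """ATT&CK external id (G####/T####) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def group_techniques(bundle_json):
    """Map each intrusion-set's ATT&CK id to the technique ids it 'uses'.

    Only intrusion-set -> attack-pattern edges count; a threat-actor object,
    if one were present, would not be treated as a Group.
    """
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    used = defaultdict(set)
    for rel in objs.values():
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        src, dst = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if src and dst and (src["type"], dst["type"]) == ("intrusion-set", "attack-pattern"):
            used[attack_id(src)].add(attack_id(dst))
    return {g: sorted(t) for g, t in used.items()}
```

Running `group_techniques(SAMPLE_BUNDLE)` yields `{"G9999": ["T9999"]}`, which is exactly the "grouping of techniques" the Group pages present; the same walk over the real enterprise-attack bundle resolves each Group to its technique list.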