Campaign — Coordinated Malicious Activity Conducted Over Time
A Campaign is a coordinated series of malicious activities conducted by a threat actor to achieve strategic objectives. This SECMONS glossary entry explains how campaigns are structured, how they are tracked, and why campaign analysis is central to cybersecurity intelligence.
What Is a Campaign? 🧠
In cybersecurity, a Campaign refers to a coordinated set of malicious activities conducted over time by a threat actor to achieve specific objectives.
A campaign is not a single incident.
It may include:
- Multiple intrusion attempts
- Repeated targeting of specific sectors
- Reuse of infrastructure
- Consistent TTP patterns
- Long-term persistence within victim networks
Campaign analysis connects technical artifacts to strategic intent.
Campaign vs Single Incident 🔄
| Concept | Scope |
|---|---|
| Incident | A single compromise event |
| Breach | Confirmed unauthorized data exposure |
| Campaign | Series of related malicious operations |
| Threat Actor | Entity conducting campaign |
An organization may experience one incident that is part of a broader campaign affecting multiple victims.
Campaign tracking is commonly documented under:
How Campaigns Are Identified 🔎
Security researchers correlate:
- Shared infrastructure (domains, IPs)
- Malware families
- Command and Control patterns
- Reused code fragments
- Similar phishing lures
- Common exploit chains
These correlations often rely on:
- [Indicators of Compromise](/glossary/indicators-of-compromise/)
- [Tactics, Techniques, and Procedures](/glossary/tactics-techniques-procedures/)
- Behavioral analysis rather than isolated evidence
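The correlation described above can be made concrete. The following is an added example, not code from the SECMONS glossary: it takes a handful of constructed incident records (fictional domains, documentation-range IPs, invented malware family names) and clusters them into candidate campaigns using union-find over pairwise links. Two incidents are linked when they share infrastructure or a malware family, or when their observed ATT&CK technique sets overlap by at least `MIN_TTP_OVERLAP` techniques (the threshold of 3 is an assumption, chosen so that a single shared technique is not treated as evidence of a campaign). The summary per cluster shows what campaign tracking adds over incident handling: sectors hit, duration, and the TTPs common to every incident in the cluster.

```python
"""Cluster incident reports into candidate campaigns by shared indicators.

Added example (not part of the SECMONS glossary entry). Incident records
and indicator values below are constructed for illustration. Two incidents
are linked when they share an infrastructure indicator (domain or IP), a
malware family, or at least MIN_TTP_OVERLAP ATT&CK techniques. A single
shared technique is weak evidence on its own, so the TTP rule needs a
stronger overlap before it links two incidents.
"""
from dataclasses import dataclass, field
from datetime import date
from itertools import combinations

MIN_TTP_OVERLAP = 3  # assumption: shared techniques needed for a behavioural link


@dataclass
class Incident:
    incident_id: str
    sector: str
    first_seen: date
    infrastructure: set = field(default_factory=set)  # domains / IPs
    malware: set = field(default_factory=set)          # family names
    ttps: set = field(default_factory=set)             # ATT&CK technique IDs


def link_reason(a: Incident, b: Incident):
    """Return why two incidents are linked, or None if they are not."""
    shared_infra = a.infrastructure & b.infrastructure
    if shared_infra:
        return f"shared infrastructure {sorted(shared_infra)}"
    shared_malware = a.malware & b.malware
    if shared_malware:
        return f"shared malware family {sorted(shared_malware)}"
    shared_ttps = a.ttps & b.ttps
    if len(shared_ttps) >= MIN_TTP_OVERLAP:
        return f"{len(shared_ttps)} shared TTPs {sorted(shared_ttps)}"
    return None


def cluster_campaigns(incidents):
    """Group incidents into campaigns via union-find over pairwise links."""
    parent = {i.incident_id: i.incident_id for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    links = []
    for a, b in combinations(incidents, 2):
        reason = link_reason(a, b)
        if reason:
            links.append((a.incident_id, b.incident_id, reason))
            parent[find(a.incident_id)] = find(b.incident_id)

    clusters = {}
    for inc in incidents:
        clusters.setdefault(find(inc.incident_id), []).append(inc)
    return list(clusters.values()), links


def summarize(cluster):
    """Describe a candidate campaign: incidents, sectors, duration, common TTPs."""
    dates = [i.first_seen for i in cluster]
    common_ttps = set.intersection(*(i.ttps for i in cluster))
    return {
        "incidents": sorted(i.incident_id for i in cluster),
        "sectors": sorted({i.sector for i in cluster}),
        "span_days": (max(dates) - min(dates)).days,
        "common_ttps": sorted(common_ttps),
    }


# Constructed sample incidents: fictional indicators, documentation-range IPs.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "energy", date(2023, 1, 10),
             {"update-cdn.example", "203.0.113.10"}, {"FamilyA"},
             {"T1566.001", "T1059.001", "T1547.001", "T1021.002"}),
    Incident("INC-002", "energy", date(2023, 4, 2),
             {"203.0.113.10"}, {"FamilyA"},
             {"T1566.001", "T1059.001", "T1547.001"}),
    Incident("INC-003", "finance", date(2023, 9, 18),
             {"portal-login.example"}, set(),
             {"T1566.001", "T1059.001", "T1547.001", "T1486"}),
    Incident("INC-004", "retail", date(2023, 6, 5),
             {"198.51.100.7"}, {"FamilyB"},
             {"T1190", "T1505.003"}),
]

if __name__ == "__main__":
    clusters, links = cluster_campaigns(SAMPLE_INCIDENTS)
    for a, b, reason in links:
        print(f"{a} <-> {b}: {reason}")
    for cluster in clusters:
        print(summarize(cluster))
```

Running it links INC-001 and INC-002 through the shared IP and pulls INC-003 in through three shared techniques despite it using different infrastructure and no recovered malware sample, while INC-004 stays a standalone incident. The resulting cluster spans two sectors and 251 days, which is the kind of cross-victim, long-duration picture that no single incident report shows.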
Typical Campaign Lifecycle 🎯
Campaigns often follow a structured progression:
- Reconnaissance and targeting
- Initial access via techniques such as [phishing](/glossary/phishing/)
- Privilege escalation and [lateral movement](/glossary/lateral-movement/)
- Establishment of [persistence](/glossary/persistence/)
- Long-term surveillance or data theft
- Impact stage (e.g., ransomware or disruption)
Campaigns may persist for months or even years.
Campaign Attribution 🔬
Attribution attempts to link a campaign to a specific [threat actor](/glossary/threat-actor/).
However, attribution can be:
- Partial
- Probabilistic
- Based on infrastructure overlap
- Influenced by deception or false flags
Campaign names are often assigned by security vendors or intelligence groups.
Why Campaign Tracking Matters 🛡️
Understanding campaigns allows defenders to:
- Identify patterns across incidents
- Anticipate follow-on activity
- Harden targeted systems
- Share intelligence across sectors
- Improve threat modeling
Campaign analysis often informs prioritization under [vulnerability management](/glossary/vulnerability-management/) and the risk assessments described in [Risk vs Exposure](/glossary/risk-vs-exposure/).
Campaign vs Exploit Chain 🔄
| Concept | Focus |
|---|---|
| Exploit Chain | Technical sequence of vulnerabilities |
| Campaign | Operational series of coordinated activities |
| TTP | Behavioral pattern |
| IOC | Observable artifact |
Exploit chains describe technical execution.
Campaigns describe operational strategy.
Why SECMONS Treats Campaigns as Core Intelligence Units 📌
Campaigns provide context beyond isolated vulnerabilities or malware samples.
They connect behavior, infrastructure, and intent — transforming raw technical data into actionable intelligence.
Campaign analysis is central to understanding real-world adversary operations.
Authoritative References 📎
- MITRE ATT&CK Campaign Tracking Documentation
- CISA Threat Campaign Reports