Campaign — Coordinated Malicious Activity Conducted Over Time
A Campaign is a coordinated series of malicious activities conducted by a threat actor to achieve strategic objectives. This SECMONS glossary entry explains how campaigns are structured, how they are tracked, and why campaign analysis is central to cybersecurity intelligence.
What Is a Campaign?
In cybersecurity, a Campaign refers to a coordinated set of malicious activities conducted over time by a threat actor to achieve specific objectives.
A campaign is not a single incident.
It may include:
- Multiple intrusion attempts
- Repeated targeting of specific sectors
- Reuse of infrastructure
- Consistent TTP patterns
- Long-term persistence within victim networks
Campaign analysis connects technical artifacts to strategic intent.
Campaign vs Single Incident
| Concept | Scope |
|---|---|
| Incident | A single compromise event |
| Breach | Confirmed unauthorized data exposure |
| Campaign | Series of related malicious operations |
| Threat Actor | Entity conducting the campaign |
An organization may experience one incident that is part of a broader campaign affecting multiple victims.
Campaign tracking is commonly documented under:
How Campaigns Are Identified
Security researchers correlate:
- Shared infrastructure (domains, IPs)
- Malware families
- Command and Control patterns
- Reused code fragments
- Similar phishing lures
- Common exploit chains
These correlations often rely on:
- Indicators of compromise (/glossary/indicators-of-compromise/)
- Tactics, techniques, and procedures (/glossary/tactics-techniques-procedures/)
- Behavioral analysis rather than isolated evidence
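The correlation described above can be sketched as a clustering step. This is an added example, not SECMONS code: the incident records, field names, and the `min_types` threshold are constructed for illustration, and TTPs are assumed to be recorded as MITRE ATT&CK technique IDs. Incidents are linked only when they overlap in at least two artifact types, so one shared IP address does not merge unrelated activity.

```python
from itertools import combinations

# Constructed incident records; every value is invented for illustration.
INCIDENTS = {
    "INC-1": {"domain": {"update-cdn.example"}, "ip": {"203.0.113.10"},
              "malware_family": {"FamilyA"}, "ttp": {"T1566.001", "T1021.001"}},
    "INC-2": {"domain": {"update-cdn.example"}, "ip": {"203.0.113.44"},
              "malware_family": {"FamilyA"}, "ttp": {"T1566.001"}},
    "INC-3": {"domain": {"files.example.net"}, "ip": {"203.0.113.44"},
              "malware_family": {"FamilyA"}, "ttp": {"T1566.001", "T1053.005"}},
    "INC-4": {"domain": {"portal.example.org"}, "ip": {"198.51.100.7"},
              "malware_family": {"FamilyB"}, "ttp": {"T1566.001"}},
    "INC-5": {"domain": {"cdn.example.com"}, "ip": {"203.0.113.10"},  # shared hosting only
              "malware_family": {"FamilyC"}, "ttp": {"T1190"}},
}


def shared_types(a, b):
    """Return the artifact types in which two incidents share at least one value."""
    return {t for t in a.keys() & b.keys() if a[t] & b[t]}


def cluster_campaigns(incidents, min_types=2):
    """Group incidents into candidate campaigns (transitive links, union-find).

    Two incidents are linked only if they overlap in at least `min_types`
    distinct artifact types; one shared IP or one common technique is not enough.
    """
    parent = {i: i for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(incidents, 2):
        if len(shared_types(incidents[a], incidents[b])) >= min_types:
            parent[find(a)] = find(b)

    groups = {}
    for i in incidents:
        groups.setdefault(find(i), set()).add(i)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for n, members in enumerate(cluster_campaigns(INCIDENTS), 1):
        print(f"candidate campaign {n}: {members}")
```

Lowering `min_types` to 1 collapses all five constructed incidents into one cluster, because a common phishing technique and a shared hosting IP are then enough to link them.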
Typical Campaign Lifecycle
Campaigns often follow a structured progression:
- Reconnaissance and targeting
- Initial Access via techniques such as phishing (/glossary/phishing/)
- Privilege escalation and lateral movement (/glossary/lateral-movement/)
- Establishment of persistence (/glossary/persistence/)
- Long-term surveillance or data theft
- Impact stage (e.g., ransomware or disruption)
Campaigns may persist for months or even years.
Campaign Attribution
Attribution attempts to link a campaign to a specific threat actor (/glossary/threat-actor/).
However, attribution can be:
- Partial
- Probabilistic
- Based on infrastructure overlap
- Influenced by deception or false flags
Campaign names are often assigned by security vendors or intelligence groups.
Why Campaign Tracking Matters
Understanding campaigns allows defenders to:
- Identify patterns across incidents
- Anticipate follow-on activity
- Harden targeted systems
- Share intelligence across sectors
- Improve threat modeling
Campaign analysis often informs prioritization under vulnerability management (/glossary/vulnerability-management/) and the risk assessments described in risk vs. exposure (/glossary/risk-vs-exposure/).
Campaign vs Exploit Chain
| Concept | Focus |
|---|---|
| Exploit Chain | Technical sequence of vulnerabilities |
| Campaign | Operational series of coordinated activities |
| TTP | Behavioral pattern |
| IOC | Observable artifact |
Exploit chains describe technical execution.
Campaigns describe operational strategy.
Why SECMONS Treats Campaigns as Core Intelligence Units
Campaigns provide context beyond isolated vulnerabilities or malware samples.
They connect behavior, infrastructure, and intent — transforming raw technical data into actionable intelligence.
Campaign analysis is central to understanding real-world adversary operations.