Attack patterns
- UpdatedJul 31, 2025
- 1 minute read
- Zurich
- Threat Intelligence
Attack patterns are a type of Tactics, Techniques, and Procedures (TTPs) that describe the methods that adversaries attempt to compromise targets. Attack Patterns apply for STIX 2.x.
Attack patterns are used to help categorize attacks. They generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed.
For example, spear phishing is a common type of attack where an attacker sends a carefully crafted email message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns are more specific, such as spear phishing by a particular threat actor (example - that the target won a contest) can also be an Attack pattern.
Related Content
- Attack modes and methods
Attack modes and methods, sometimes referred to as Tactics, Techniques, and Procedures (TTPs), are representations of how cyber adversaries behave. They characterize what these adversaries do and how they do it, in increasing levels of detail. Attack modes and methods apply for STIX 1.1.
- Indicators of compromise
Indicators of Compromise (IoC) are artifacts observed on a network or operating system that are likely to indicate an intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or domain names. IoC applies for STIX 1.1 and 2.x.
- Observables
Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks. Observables apply for STIX 1.1 and 2.x.
- Campaigns
A Campaign is a grouping of adversarial behaviors. These behaviors describe a set of malicious activities or attacks that occur over time against a specific set of targets. Campaigns apply for STIX 2.x.
- Course of actions
A course of action is an action taken either to prevent an attack or to respond to an attack that is in progress. Course of actions apply for STIX 2.x.
- Identities
Identities represent actual individuals, organizations, or groups (ACME, Inc.) and classes of individuals, systems, or groups (the finance sector). Identities apply for STIX 2.x.
- Infrastructure
The Infrastructure SDO represents a type of Tactics, Techniques, and Procedures (TTPs). They describe any systems, software services, and any associated physical or virtual resources intended to support some purpose of an attack. Infrastructure applies for STIX 2.x.
- Intrusion set
An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties. An Intrusion Set usually involves a single organization. Intrusion set applies for STIX 2.x.
- Locations
A Location represents a geographic location. Locations are primarily used to give context to other SDOs. Locations apply for STIX 2.x.
- Malware
Malware is a type of TTP that represents malicious code. It refers to a program that is covertly inserted into a system. Malware applies for STIX 2.x.
- Malware analysis
Malware Analysis captures the metadata and results of a malware. Malware analysis applies for STIX 2.x.
- Observed data
Observed Data conveys information about cyber security-related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). Observed data applies for STIX 2.x.
- Threat actors
Threat Actors are individuals, groups, or organizations who act with malicious intent. Threat actors applies for STIX 2.x.
- Threat groupings
A Threat Groupings object explicitly asserts that the referenced STIX Objects have a shared context. Threat groupings applies for STIX 2.x.
- Marking definitions
The marking definitions object represents a specific marking.
- Threat notes
A Threat Note conveys informative text to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Threat notes applies for STIX 2.x.
- Threat opinions
An Opinion is an assessment of the accuracy of the information in a STIX Object produced by a different entity. Threat opinions apply for STIX 2.x.
- Threat reports
Threat Reports are collections of threat intelligence focused on one or more topics. Threat reports apply for STIX 2.x.
- Sightings
Sightings denote that an indicator or object was seen. Objects may be a malware, tool, threat actor, and so on.
- Tools
Tools are legitimate software that are used by threat actors to perform attacks. Tools apply for STIX 2.x.
- Vulnerabilities
A Vulnerability is a weakness or defect in a software or hardware component that attackers exploit. Vulnerabilities apply for STIX 2.x.
- Relationships
Use the relationship objects to link together two SDOs or STIX Cyber-observable Objects (SCOs) to describe how they relate to each other.
- STIX Visualizer
The STIX Visualizer visually represents the structure of the STIX object and its relationship.