DragonFly like a intrustion set

[sebdraven]

I think there is a mistake here https://github.com/mitre/cti/blob/272ce2cd52a7ca4820775e7278a7af1395b44d94/ATTACK/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json about DragonFly is a threat actor and no intrusion set if i read the documentation here https://stixproject.github.io/stix2.0/stixdocs/stix-v2.0-wd02.pdf.

[Bojak4616]

Hey @sebdraven, I just removed those documents since they shouldn't have been hosted there. You can get the latest documents on our new site here: https://oasis-open.github.io/cti-documentation/resources.html

[johnwunder]

Good question, @sebdraven. You can see the definition of groups in ATT&CK here: https://attack.mitre.org/wiki/Groups. Based on the definition "related intrusion activity that are tracked by a common name in the security community" we felt that intrusion set was a better mapping than threat actor. That applies to Dragonfly but also the other groups referenced in ATT&CK.