MITRE ATT&CKcon 2.0: Raiders of the MITRE Framework - How to Build Your Own Threat Library; Valentina Palacin and Ruth Esmerelda Barbacil, Deloitte
The Archeologists
Raiding for The Holy Grail
The Myth of The Lost Ark
What Not To Expect
What To Expect
Puzzling The Pieces
Digging Through Ancient Data
Campaigns
Tools
Threat Actors
Distinguishing Friend from Foe
Reading The Book of Secrets
Escaping Data Rubble
Ruth Esmeralda Barbacil
Threat Library Team Lead
Deloitte Argentina
Valentina Palacin
Threat Library Team Sr. Analyst
Deloitte Argentina
What is a Threat Library?
Knowledge base for distilled and curated intelligence insights produced by CTI Research Teams & OSINT sources.
What Not To Expect
- It’s not a solution by itself.
- It’s not an indicator feed.
- It’s not fixed in time.
- It’s not a collection of all existing attacks.
- It’s not perfect.
What To Expect
- Normalized, cataloged and vetted information
- APT activity journal
- Key observables for specific threats
- Context for adversary emulation
- APT operation analysis and evolution through time
- All-in-One Accessible Information
- Overabundance of data
- Diverse formatting and distribution
- Lack of context
- Lack of indicators/evidence
- Lack of linked activity
- Partial information
- Uncatalogued information
- Disappearing sources
- Overlapping/misattribution
Campaigns
Basic Information
• Affected Regions/Countries/Industries
• Campaign Summary
Main Information
• Initial Access
• Tools
• Repercussions
Technical Analysis
• Campaign Evidence
Analysis, Attribution and Geolocation
• Analysis
• Attribution
• Geolocation Evidence
Tools
Basic Information
• Aliases
• Description
Behavioral Analysis
• Campaign
• Techniques (ATT&CK)
• Tactics (ATT&CK)
• Description
• Details
Indicators of Compromise
Related Threat Actors
Threat Actors
Basic Information
• Affected Regions/Countries/Industries
• Known Aliases
• Threat Actor Type
• Motivations
• Sophistication level
Relevant Information
Toolset
• Tool & Description
TTPs
• Tool
• Technique (ATT&CK)
• Tactic (ATT&CK)
• Technique Description
Campaigns
• Campaign date
• Campaign name
• Campaign description
• Campaign intended effect
• Confidence level
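The campaign, tool and threat-actor record fields listed above map naturally onto a small linked data model. The following is an added example (not code from the talk or from Deloitte's threat library) that turns those fields into records, validates ATT&CK technique IDs on entry, resolves tool names via aliases, and answers two questions a library like this exists for: which techniques an actor is known to use (the "context for adversary emulation" use), filtered by campaign confidence level, and which tools a campaign references that the library has not catalogued yet (the "uncatalogued information" problem). All records in `build_sample_library()` are constructed samples with placeholder actor and tool names; the technique IDs are real ATT&CK identifiers chosen for illustration.

```python
"""Threat-library data model built from the campaign / tool / threat-actor fields
above. Added example, not the talk's code; all records are constructed samples."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# ATT&CK technique (T1234) or sub-technique (T1234.001) identifier shape
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
CONFIDENCE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class TTP:
    """One row of a tool's TTP table: technique, tactic and what was observed."""
    technique: str   # ATT&CK technique ID
    tactic: str      # ATT&CK tactic name
    description: str

    def __post_init__(self) -> None:
        if not ATTACK_ID.match(self.technique):
            raise ValueError(f"not an ATT&CK technique ID: {self.technique!r}")


@dataclass
class Campaign:
    name: str
    date: str
    summary: str
    regions: List[str]
    industries: List[str]
    initial_access: str
    tools: List[str]            # tool names, resolved against the library
    confidence: str             # low / medium / high
    evidence: List[str] = field(default_factory=list)   # report titles or URLs


@dataclass
class Tool:
    name: str
    aliases: List[str]
    description: str
    ttps: List[TTP]
    iocs: List[str] = field(default_factory=list)


@dataclass
class ThreatActor:
    name: str
    aliases: List[str]
    actor_type: str
    motivations: List[str]
    sophistication: str
    campaigns: List[Campaign] = field(default_factory=list)


class ThreatLibrary:
    def __init__(self) -> None:
        self.tools: Dict[str, Tool] = {}
        self.actors: Dict[str, ThreatActor] = {}

    def add_tool(self, tool: Tool) -> None:
        # index by canonical name and aliases so campaign records may use either
        for name in [tool.name, *tool.aliases]:
            self.tools[name.lower()] = tool

    def add_actor(self, actor: ThreatActor) -> None:
        self.actors[actor.name.lower()] = actor

    def uncatalogued_tools(self, actor_name: str) -> Set[str]:
        """Tool names a campaign references but the library has no record for."""
        actor = self.actors[actor_name.lower()]
        return {t for c in actor.campaigns for t in c.tools if t.lower() not in self.tools}

    def technique_footprint(self, actor_name: str, min_confidence: str = "low") -> Dict[str, Set[str]]:
        """Tactic -> technique IDs the actor is known to use, derived from the tools
        of its campaigns at or above the given confidence level."""
        actor = self.actors[actor_name.lower()]
        footprint: Dict[str, Set[str]] = {}
        for camp in actor.campaigns:
            if CONFIDENCE[camp.confidence] < CONFIDENCE[min_confidence]:
                continue
            for tool_name in camp.tools:
                tool = self.tools.get(tool_name.lower())
                if tool is None:
                    continue   # surfaced by uncatalogued_tools() instead
                for ttp in tool.ttps:
                    footprint.setdefault(ttp.tactic, set()).add(ttp.technique)
        return footprint


def build_sample_library() -> ThreatLibrary:
    """Constructed sample records (placeholder actor and tool names)."""
    lib = ThreatLibrary()
    lib.add_tool(Tool("SampleLoader", ["SLoader"], "constructed first-stage loader",
                      [TTP("T1566.001", "Initial Access", "spearphishing attachment"),
                       TTP("T1059.001", "Execution", "PowerShell stager")],
                      ["sha256:placeholder-not-a-real-hash"]))
    lib.add_tool(Tool("SampleWiper", [], "constructed destructive payload",
                      [TTP("T1485", "Impact", "overwrites user documents")]))
    actor = ThreatActor("SAMPLE-ACTOR", ["Placeholder Bear"], "state-sponsored",
                        ["espionage"], "high")
    actor.campaigns.append(Campaign("Constructed Campaign A", "2019-03",
                                    "phishing wave against ministries", ["LATAM"],
                                    ["Government"], "spearphishing", ["SLoader"],
                                    "high", ["(constructed) vendor report"]))
    actor.campaigns.append(Campaign("Constructed Campaign B", "2019-08",
                                    "destructive follow-on, weakly attributed", ["LATAM"],
                                    ["Energy"], "unknown", ["SampleWiper", "UnknownRAT"],
                                    "low"))
    lib.add_actor(actor)
    return lib
```

Raising the confidence threshold drops the weakly attributed campaign and with it the Impact technique, which is the behaviour you want when the footprint feeds an emulation plan; the unresolved `UnknownRAT` name shows up separately so the gap is visible rather than silently ignored.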
Distinguishing Friend from Foe
- False flag campaigns
- Analyst bias
- Misattribution
- Misinterpretation of the observables
- Analyst lack of specific knowledge
- Overlapping Attributions
[Map: countries with Spanish as official language vs. countries which use that expression]
Reading The Book of Secrets
Rate your sources:
• Type
• Region visibility
• Reputation
• Availability of IOCs
But... overrule your own formula if necessary.
1. Read the source.
▪ Identify a paragraph describing a behavior.
2. Identify first which tactic it belongs to.
▪ Simplify the description in a sentence.
3. Identify the technique.
Create your own!
DEFENSE
EVASION
IMPACT
??????
ACon001 – Deny System Access
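The source-rating criteria and the three-step behavior-to-technique procedure above can be carried out in code so that the analyst's decisions are recorded rather than implicit. The following is an added example, not code from the talk: `rate_source` applies a weighted formula over the four criteria on the slide and lets an analyst overrule it only with a recorded reason; `map_behavior` takes the tactic the analyst has already identified (step 2) and the one-sentence simplified description, looks the technique up (step 3), and falls back to registering a custom technique in the `ACon` series when the framework has nothing that fits, as the `ACon001 – Deny System Access` example does. The criterion weights, the 0 to 3 scoring scale, the keyword lookup table and the treatment of `ACon` as a sequential prefix are this example's assumptions; the technique IDs in the table are real ATT&CK identifiers but the table is a tiny constructed subset.

```python
"""Source rating with analyst override, and tactic -> technique mapping with a
custom-technique registry. Added example; weights, scale, lookup table and the
sequential ACon prefix are assumptions, not the talk's own workflow."""
from typing import Dict, Optional, Tuple

# Criteria from the slide; each scored 0 (worst) to 3 (best). Weights are assumed.
WEIGHTS = {"type": 0.2, "region_visibility": 0.3, "reputation": 0.3, "iocs": 0.2}


def rate_source(scores: Dict[str, int], analyst_override: Optional[float] = None,
                reason: str = "") -> Tuple[float, str]:
    """Return (rating, provenance). The formula gives a 0-3 rating; an analyst may
    overrule it, but the override is only accepted together with a reason."""
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"unscored criteria: {sorted(missing)}")
    for k, v in scores.items():
        if not 0 <= v <= 3:
            raise ValueError(f"score for {k} must be 0-3, got {v}")
    if analyst_override is not None:
        if not reason:
            raise ValueError("an analyst override needs a recorded reason")
        return round(analyst_override, 2), f"analyst override: {reason}"
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 2), "formula"


# Constructed subset of (tactic, keyword) -> technique ID used for step 3.
TECHNIQUE_INDEX = {
    ("Defense Evasion", "obfuscat"): "T1027",
    ("Defense Evasion", "timestomp"): "T1070.006",
    ("Initial Access", "spearphish"): "T1566",
    ("Impact", "encrypt"): "T1486",
}


class CustomTechniques:
    """Registry for behaviors the framework does not cover. IDs follow the
    ACon001 pattern from the slide; treating it as sequential is an assumption."""

    def __init__(self, prefix: str = "ACon") -> None:
        self.prefix = prefix
        self.entries: Dict[str, Tuple[str, str]] = {}   # id -> (tactic, name)

    def register(self, tactic: str, name: str) -> str:
        # reuse an existing ID for the same tactic/name so the catalogue stays consistent
        for tid, (t, n) in self.entries.items():
            if t == tactic and n.lower() == name.lower():
                return tid
        tid = f"{self.prefix}{len(self.entries) + 1:03d}"
        self.entries[tid] = (tactic, name)
        return tid


def map_behavior(tactic: str, simplified: str, custom: CustomTechniques,
                 custom_name: Optional[str] = None) -> str:
    """Step 3: given the tactic identified in step 2 and the one-sentence behavior
    from step 1, return a technique ID, creating a custom one when none matches."""
    text = simplified.lower()
    for (t, keyword), tid in TECHNIQUE_INDEX.items():
        if t == tactic and keyword in text:
            return tid
    return custom.register(tactic, custom_name or simplified)
```

Keeping the override reason in the returned provenance string is the point of the design: when a source's rating is later questioned, the library shows whether the number came from the formula or from an analyst's judgment, and why.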
Escaping Data Rubble
- Choose a good technology to build on.
- Be prepared to evolve.
- Do not misunderstand the objectives.
- It’s not about collecting everything.
- Define good quality workflows.
- Choose your taxonomy and stick with it (STIX and ATT&CK).
- Think about how the information is going to be consumed.
- Define a good structure beforehand.
- Be consistent!!
Ruth Barbacil
@33root
Valentina Palacin
@fierytermite
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 

MITRE ATT&CKcon 2.0: Raiders of the MITRE Framework - How to Build Your Own Threat Library; Valentina Palacin and Ruth Esmerelda Barbacil, Deloitte

  • 13. Basic Information
    • Affected Regions/Countries/Industries
    • Campaign Summary
  Main Information
    • Initial Access
    • Tools
    • Repercussions
  Technical Analysis
    • Campaign Evidence
  Analysis, Attribution and Geolocation
    • Analysis
    • Attribution
    • Geolocation
  Evidence
  • 18. Basic Information
    • Aliases
    • Description
  Behavioral Analysis
    • Campaign
    • Techniques (ATT&CK)
    • Tactics (ATT&CK)
    • Description
    • Details
  Indicators of Compromise
  Related Threat Actors
  • 20. Basic Information
    • Affected Regions/Countries/Industries
    • Known Aliases
    • Threat Actor Type
    • Motivations
    • Sophistication level
  Relevant Information
  Toolset
    • Tool & Description
  TTPs
    • Tool
    • Technique (ATT&CK)
    • Tactic (ATT&CK)
    • Technique Description
  Campaigns
    • Campaign date
    • Campaign name
    • Campaign description
    • Campaign intended effect
    • Confidence level
  • 22.
    - False flag campaigns
    - Analyst bias
    - Misattribution
    - Misinterpretation of the observables
  • 24.
    - False flag campaigns
    - Analyst bias
    - Misattribution
    - Misinterpretation of the observables
    - Analyst lack of specific knowledge
  • 27. (map legend)
    Countries which use that expression
    Spanish as official language
  • 28.
    - False flag campaigns
    - Analyst bias
    - Misattribution
    - Misinterpretation of the observables
    - Analyst lack of specific knowledge
    - Overlapping Attributions
  • 30. Rate your sources:
    • Type
    • Region visibility
    • Reputation
    • Availability of IOCs
  But… overrule your own formula if necessary.
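The slide's four rating criteria, turned into a scoring formula that an analyst can overrule, as an added example (not the presenters' code). The 0-3 scale per criterion, the weights, the A/B/C tier thresholds and all source names and scores are assumptions; the point shown is that the override is recorded with a justification rather than silently replacing the computed tier.

```python
"""Source rating with a recorded analyst override (added example, not the
presenters' code). Criteria are the slide's; the 0-3 scale, the weights and the
tier thresholds are assumptions."""
from dataclasses import dataclass
from typing import Optional

WEIGHTS = {"type": 0.25, "region_visibility": 0.20, "reputation": 0.35,
           "ioc_availability": 0.20}            # assumed weights, sum to 1.0
MAX_SCORE = 3                                   # each criterion: 0 (worst) .. 3 (best)
TIERS = (("A", 0.75), ("B", 0.50), ("C", 0.0))  # assumed floors on the 0..1 score

@dataclass
class Source:
    name: str
    scores: dict                                # criterion -> 0..3
    override: Optional[tuple] = None            # (tier, justification) when overruled

def formula_score(src: Source) -> float:
    """Weighted score in 0..1; rejects missing or out-of-range criteria."""
    total = 0.0
    for crit, weight in WEIGHTS.items():
        value = src.scores[crit]                # KeyError if a criterion was skipped
        if not 0 <= value <= MAX_SCORE:
            raise ValueError(f"{src.name}: {crit}={value} outside 0..{MAX_SCORE}")
        total += weight * value / MAX_SCORE
    return round(total, 3)

def tier(src: Source) -> str:
    """The analyst's override wins; otherwise the formula decides the tier."""
    if src.override:
        return src.override[0]
    score = formula_score(src)
    return next(t for t, floor in TIERS if score >= floor)

def overrule(src: Source, new_tier: str, justification: str) -> Source:
    """Overrule the formula, but only with a known tier and a written reason."""
    if new_tier not in {t for t, _ in TIERS} or not justification.strip():
        raise ValueError("override needs a valid tier and a justification")
    src.override = (new_tier, justification)
    return src

def rank(sources: list) -> list:
    """Sources best first: by tier, then by formula score within the tier."""
    return sorted(((s.name, tier(s), formula_score(s)) for s in sources),
                  key=lambda row: (row[1], -row[2]))

def sample_sources() -> list:
    """Constructed sources; names and scores are illustrative only."""
    return [
        Source("VendorLabs report", {"type": 3, "region_visibility": 3,
                                    "reputation": 3, "ioc_availability": 3}),
        Source("National CERT advisory", {"type": 3, "region_visibility": 1,
                                         "reputation": 3, "ioc_availability": 1}),
        Source("Regional blog", {"type": 1, "region_visibility": 3,
                                 "reputation": 1, "ioc_availability": 0}),
    ]

def rate_sample() -> list:
    """Rank the samples after the analyst overrules the blog's formula tier."""
    sources = sample_sources()
    overrule(sources[2], "B", "only source with first-hand visibility in the region")
    return rank(sources)
```

The blog scores C on the formula because it has no IOCs and little reputation, yet it is the only source with visibility in the region; `overrule` lets the analyst lift it to B while keeping the justification next to the rating, so the override itself can be reviewed later.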
  • 31.
    1. Read the source.
       ▪ Identify a paragraph describing a behavior.
    2. Identify first which tactic it belongs to.
       ▪ Simplify the description in a sentence.
    3. Identify the technique.
  Create your own!
  • 35. ?????? ACon001 – Deny System Access
  • 37.
    - Choose a good technology to build on.
    - Be prepared to evolve.
    - Do not misunderstand the objectives.
    - It’s not about collecting everything.
    - Define good quality workflows.
  • 39.
    - Choose your taxonomy and stick with it.
      - STIX and ATT&CK
    - Think about how the information is going to be consumed.
    - Define a good structure beforehand.
    - Be consistent!!
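The record layouts from the Campaign, Tool and Threat Actor slides (13, 18 and 20), the tactic-then-technique mapping with a library-defined technique such as ACon001 (slides 31 and 35), and the "choose a taxonomy and be consistent" advice above, brought together in one small Python data model as an added example (not the presenters' code). The validator enforces one vocabulary (ATT&CK technique IDs and ATT&CK Enterprise tactic names) and checks that every tool, actor and campaign a record points at actually exists; the sample records, their dates, and the rule that library-defined techniques use an "ACon" prefix are assumptions.

```python
"""Threat-library data model with a consistency check (added example, not the
presenters' code). Fields follow the Campaign, Tool and Threat Actor slides;
sample records, dates and the "ACon" prefix rule are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import date

# One tactic vocabulary for every record: the ATT&CK Enterprise tactic names.
ATTACK_TACTICS = {
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact"}
# T1234 / T1234.001 are ATT&CK ids; ACon### marks a technique the library
# defines itself when ATT&CK has none (the prefix is an assumption).
TECHNIQUE_ID = re.compile(r"^(T\d{4}(\.\d{3})?|ACon\d{3})$")

@dataclass(frozen=True)
class TTP:
    tool: str
    technique: str    # e.g. "T1566.001" or "ACon001"
    tactic: str       # ATT&CK tactic name
    description: str

@dataclass
class Campaign:                 # Campaign record (slide 13)
    name: str
    date: date
    affected: list[str]         # regions / countries / industries
    initial_access: str         # technique id
    tools: list[str]
    confidence: str

@dataclass
class Tool:                     # Tool record (slide 18)
    name: str
    ttps: list[TTP]
    related_actors: list[str]

@dataclass
class ThreatActor:              # Threat Actor record (slide 20)
    name: str
    toolset: list[str]
    ttps: list[TTP]
    campaigns: list[str]

@dataclass
class ThreatLibrary:
    campaigns: dict[str, Campaign] = field(default_factory=dict)
    tools: dict[str, Tool] = field(default_factory=dict)
    actors: dict[str, ThreatActor] = field(default_factory=dict)

    def validate(self) -> list[str]:
        """List taxonomy and cross-reference problems; empty means consistent."""
        p: list[str] = []
        def ids_ok(owner: str, ttp: TTP) -> None:
            if not TECHNIQUE_ID.match(ttp.technique):
                p.append(f"{owner}: technique {ttp.technique!r} is not a T#### or ACon### id")
            if ttp.tactic not in ATTACK_TACTICS:
                p.append(f"{owner}: tactic {ttp.tactic!r} is not an ATT&CK tactic name")
        def refs_ok(owner: str, kind: str, names: list[str], table: dict) -> None:
            p.extend(f"{owner}: {kind} {n!r} has no record" for n in names if n not in table)
        for n, c in self.campaigns.items():
            if not TECHNIQUE_ID.match(c.initial_access):
                p.append(f"campaign {n}: initial access {c.initial_access!r} is not a technique id")
            refs_ok(f"campaign {n}", "tool", c.tools, self.tools)
        for n, t in self.tools.items():
            for ttp in t.ttps:
                ids_ok(f"tool {n}", ttp)
            refs_ok(f"tool {n}", "actor", t.related_actors, self.actors)
        for n, a in self.actors.items():
            for ttp in a.ttps:
                ids_ok(f"actor {n}", ttp)
            refs_ok(f"actor {n}", "tool", a.toolset + [x.tool for x in a.ttps], self.tools)
            refs_ok(f"actor {n}", "campaign", a.campaigns, self.campaigns)
        return p

    def timeline(self, actor: str) -> list[tuple[date, str, str]]:
        """The actor's campaigns in date order: its operations' evolution through time."""
        return sorted((self.campaigns[c].date, c, self.campaigns[c].initial_access)
                      for c in self.actors[actor].campaigns if c in self.campaigns)

def build_sample_library() -> ThreatLibrary:
    """A consistent, fully constructed sample library (all values illustrative)."""
    lib = ThreatLibrary()
    lib.tools["DropperX"] = Tool("DropperX", [TTP("DropperX", "T1204.002", "Execution",
                                 "Victim opens a malicious attachment")], ["ACTOR-SAMPLE"])
    lib.campaigns["OpSample-2018"] = Campaign("OpSample-2018", date(2018, 3, 1),
        ["Argentina", "Government"], "T1566.001", ["DropperX"], "medium")
    lib.campaigns["OpSample-2019"] = Campaign("OpSample-2019", date(2019, 7, 15),
        ["Brazil", "Finance"], "T1190", ["DropperX"], "high")
    lib.actors["ACTOR-SAMPLE"] = ThreatActor("ACTOR-SAMPLE", ["DropperX"],
        [TTP("DropperX", "T1566.001", "Initial Access", "Spearphishing attachment"),
         TTP("DropperX", "ACon001", "Impact", "Deny System Access (library-defined)")],
        ["OpSample-2018", "OpSample-2019"])
    return lib

def inconsistent_sample() -> list[str]:
    """The same library after one entry that ignores the taxonomy; returns the findings."""
    lib = build_sample_library()
    lib.actors["ACTOR-SAMPLE"].ttps.append(
        TTP("DropperX", "Spearphishing", "initial-access", "free-text id, lowercase tactic"))
    return lib.validate()
```

Running `validate()` before every commit to the library is what "be consistent" looks like in practice: a free-text technique name or a lowercase tactic is rejected at entry time instead of surfacing months later as an un-queryable record, and `timeline()` only works because every campaign an actor references is guaranteed to exist.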