
Let me tell you, this is not a technical session; this is kind of a hard-walking session. Let's start with an ice-breaking session, why not? OK, here it goes. Imagine you're working on a project, and this project involves so many tasks, and each member of your team calls each task differently: P01, Mission Impossible, Hungry Dog. Now I want you to sit next to the person beside you, make a group with the one person next to you, and tell them whether you have had the same experience and what type of challenges you faced. I'll give you two minutes: in the first minute the right-hand person shares, and in the second minute the other person shares. Did you get the point? Yes? OK, are we ready? Yes? Crack on with it. Find the person. How are you?

Just here, so it still picks stuff up, but not as well as if you're in front. OK, I'll try, because I need to walk. I know there is a guy who will track you if you can; it makes life easier for the crew. Sure, thank you. OK, now swap, now swap: the other person shares whether he or she has had the same experience and what type of challenges you might face. Crack on with it.

What would happen if you named each task differently? OK, because we are running out of time, let's crack on. OK, anyone who wants to volunteer and say what challenges you would face if you named the same task differently? Any idea? You think you know what you're talking about; you all think you know what you're talking about, but actually it's miscommunication. So your conversation is like women and men: you're saying yes, but the woman hears no, something like that, so it never happens. So miscommunication is one of the things, and also you lose track of it, because last time your partner said yes and meant really yes, but this time says no or "I'm not sure". So it's challenging, isn't it?

So pick a number; that's your ticket to the zoo. No, I'm joking. Any idea what this number means to you? Any insights, or any APT groups? Can you name any of them, from which country, or by name? Yes, one is Unit 61398 from Shanghai, China. OK, cool, but that's the ticket to the zoo.

So yes, the first slide I show you is the numeric way they name the APTs. Anyone who doesn't know what an APT is? OK, APT is all about the name: Advanced Persistent Threat. They are professional people, mainly hired by governments; they are not hobbyists in a storage room trying to prove their skills. They are professional people, they have a specific mission, they use different tactics and techniques, and sometimes they use custom malware to do something. They are persistent because they do it over and over, and somehow we couldn't find it out, so they are quite sneaky. Some of these animals might be familiar if you have read any intelligence report: you may have heard about Charming Kitten, you might have heard of Cozy Bear from Russia. But we do have others as well: we have Kimsuky; if you don't know Kimsuky, I only just found it out as an APT, and that's from North Korea. We just had on the news Russia, China, North Korea, and we have other countries that are involved with APTs as well. And why these names, like Lynx, I don't know? The main thing is trying to associate it somehow with the country, but let's find out more.

When we talk about APTs, people want to know who they are, what they do, and how we can spot them. Technically an APT is a marriage between activism and people who are trying to do things a different way. When we talk about APTs, for example from Russia, they are less sophisticated compared to China and less noisy compared to the Iranian ones. What does that mean? They use different techniques and tactics. For example, Iranian APTs usually use social engineering techniques, like Telegram, Facebook or LinkedIn, going through, for example, the recruiting system. Or China: they have a proper nation, they have a proper plan, they use different ways like USB, or they even use the supply chain or zero-day vulnerabilities to do that attack. For Russia, the recent conflict between Ukraine and Russia has made them more active, but they have already been active since 2008 with APT44. What do they do? Why are APTs interested in a country? You might not hear it on the news. Why am I doing this? How do I know? Because I'm not a friend of the GCHQ people. No, I'm not pointing at any countries; I'm just doing research on APTs and it's quite interesting.

Back to the question: why are APTs interested in governments? Because it's a cheap operation. They don't need to hire people as soldiers, or have tanks or high-quality missiles to send to a different country; let the conflict happen, Hamas and Israel, or in the Middle East, or Russia and Ukraine, and they use a cheap operation, which is cyber war and cyber attack. That's why, if you notice in this map, the majority of attacks are targeting governments. We have a US election soon, so we are expecting a lot of APT attacks as well. But is it only governments? Is it China attacking America because of the sanctions, or North Korea because of the sanctions? No, they are targeting all sorts of companies; the majority of them may be energy companies or big organizations, even research. If you notice, this is a recent statistic: as you see, North Korea is going quite high, which is obvious because of the sanctions, and they are trying to collect money through crypto.

But what is the characteristic of an APT? They try to avoid any type of tool: EDR, IPS, IDS, name it. They try to evade the system in a way that makes them hard to see; that is the challenging part of all the research, in terms of false positives and false negatives. So they evade the system in a way that they are quite comfortable in the network; they sit in the network. And a fun fact: APT1 was in the system for more than four years and ten months. Who are they? For the first time, FireEye named the APT. As you notice, we have four nations that are quite active: Iran, Russia, North Korea and China. I don't point at any of them, but they are quite active compared to the others. But if you notice here, for example, APT41, which is called Double Dragon, is from China, and if you notice it's still active, from 2012. So something's wrong.
I show you this number, and brilliantly some of you spotted it. Yes, they are APTs, but look at them. I just wanted to show you APT12: how many names it has. And APT18, interestingly. You can count all of these: these are all names. So next time when you read a report, you are trying to solve a puzzle: is it really APT1? Is it some Panda? Is it Cozy Bear? What are they? Why do we need so many names for them? Why don't we have a standard?

So I did some research and I found out we have different categories of names for them. They use the names of animals, as I invited you to the zoo; they use numerics; so many things. It's not exactly the project I asked you to work on, with P01, Mission Impossible and Hungry Dog; they do it a different way, but why do you really need it? Oh, if you know me, you know that I'm a dinosaur lover. I just wanted to quickly tell you: imagine if dinosaur researchers named each dinosaur differently. Could we really know whether this is a T-Rex or a Troodon? No, they couldn't find it out. But they have a naming standard, a naming system, for the stars or for the dinosaurs. So I use this one and I try to figure out: can I spot that APT1 is really APT1, or maybe it's APT23, or maybe the APT is unknown? Who said this is from China? Maybe America really likes to blame them; we don't know.

So one of the ways, one of the projects I'm working on, is that I try to create the bones from the opcodes of the APT. So technically, from the sample of the APT and from its opcodes, I create the bones, because if you're a dinosaur lover you know that from the bones and the tail they can find which family a bone belongs to; for example, this one is a T-Rex. So, having said that, currently I'm working on a project called Troodon. Why Troodon? Big eyes, big brain, and it's vegetarian. I like this dinosaur. This project is trying, first of all, to ask why we have different types of naming systems. Could it be easier, as a malware analyst, as a researcher, or as someone enthusiastic who reads threat intelligence reports, to know that this is APT1 and not another name? Could it make our life easier? Because in the first discussion we had, we said we miscommunicate. So imagine you are in an incident response group: you might be dealing with the same APT, but you have four flags. How much easier does your life become if you know you're dealing with one type of threat and this is just a different name?

So how can we do that? In the current project I'm working on, I'm going to use different types of APT, and I don't want to confuse you; maybe you're not familiar with machine learning. This type of project uses unsupervised learning and explainable AI, using probabilities to say, for example, that this sample is 60 percent related to APT20 and 40 percent related to APT41. You might say, what's the point? First of all, I question the naming system: who said this is really APT1? It might not be APT1. And secondly, why don't we have a standard in cyber security, like for stars, like for dinosaurs? It would make our life easier when we provide reports and record history. Because if you have a company and I come to you and say, oh, we are facing an attack, it's APT-something or Cozy Bear, you have no idea what it is, and then next time I come up with blah blah. It doesn't make sense to me. Talk to me in a way that I can make sense of.

So if you're interested in this project: as I carry on through these different phases, I try to figure out whether we can separate the different clusters of APTs and families of APTs in a way that makes our life easier, not only to enhance our tools like EDR and IPS, but also so that we have a better way of giving reports to people.

Well, who am I? As you know, I'm a dinosaur lover. I'm currently working on two projects. One project is finding out the different families of APTs with the usage of explainable AI, with one university in the UK and another university in Australia; yes, I'm going to see the koala and pat the spider. And I'm also working on another project with Manchester University and the Arm company: we are trying to find out whether we can enhance fuzzing tools for finding vulnerabilities with the usage of AI. OK, you might say that you're crazy, working on two projects which at first sight are not related to each other. I'm going to say no: when we talk about finding vulnerabilities, we are talking about zero-day vulnerabilities, we talk about weaknesses of the applications and weaknesses of the fuzzing tools, which Russia and China use to penetrate systems. So if you're interested in any of these projects, please contact me and follow me on LinkedIn to know about the dinosaur, I mean the APT.

So, any questions? By the way, that's another naming system, if you can see it: Blind Eagle, APT-C-36. How did they come up with this? And please, next time when you read any intelligence report from FireEye, Mandiant, CrowdStrike, and if you go to the MITRE platform, just look at them and say to yourself: do we need all these different types of names? Thank you.
Any questions?

Audience: So one of your points is having a system ...

Speaker: Absolutely, feel free, no problem. Yes.

Audience: The other one: the machine learning project you're working on, one of the aims is to get better accuracy in identifying which attacks are coming from which APT?

Speaker: Yes.

Audience: I disagree with it. I think it's very difficult, because you're up against research teams, and often they will want to specifically mislead people into thinking it's someone else. So if you publish your research and say this is the system I designed to better identify APTs, the APTs are going to read that research, use it, and exploit what you're doing to make it look like they're coming from somewhere else. There is inevitably going to be ambiguity about where these are coming from and who they are; it's very, very difficult to have a 100% guarantee.

Speaker: I totally agree with you, but we know that this is cat and mouse and we are chasing each other. I know it's probabilistic; it's going to do that in a niche way, and this type of project in its second year is going into some collaboration. But mainly what we are trying to do is enhance the intrusion prevention system, to just increase the probability and reduce the false positives. Exactly. Thank you, thanks.