
B-Sides DC, thank you for coming. I'd like to introduce our next presenters, Ronnie Obenhaus and John Storer to talk about cyber threat intelligence and APT 101.
All right, thanks to B-Sides DC for having us. Thank you guys for spending some time with us today. We're from the DoD Cyber Crime Center, and we'll go ahead and dive into this presentation about cyber threat intelligence and APTs. This is meant to be entry level, so if this is like your primary field, we're not gonna be on the expert side of this. This is meant to be an approachable presentation for people who primarily are not cyber threat intelligence analysts or do not have a lot of experience in advanced persistent threats. So that's sort of our agenda that we're gonna try and fit in today, which we normally don't have too much problem with. We actually work in the DoD-DIB Collaborative Information Sharing Environment, and yes, that's a DoD acronym that contains acronyms. I apologize for that. I was not consulted in the naming of the organization that we're with. And that's one of the mission directorates that's housed at DC3. So we're gonna do a real quick overview, just because some people have not heard of DC3. Man, we've got a lot of feedback. Can we turn the mics down a little bit? Whoever's in charge of that? All right, great. Thanks, sorry, I must be a really loud talker. All right, so DC3 is one of seven federal cyber centers. They have a lot of different missions, including forensics analysis, cyber investigation training, technical solutions. There's a lot of analysis and
operations in terms of law enforcement and counterintelligence support, obviously cybersecurity, or else it would be odd that we're here today. Document and media exploitation, support for counterterrorism mission and operations. And then really, our particular role there within DCISE that we focus on is we're the single repository for cleared defense contractor cyber reporting incidents about their unclassified networks. We also operate a 12-year-long voluntary cyber sharing program with cleared defense contractors. We have about 655 cleared defense contractors that are in our voluntary sharing program. So they share threat information with us and amongst themselves and we share government-furnished products and information back to them as well. So we're about a 500-person agency overall at DC3. I'm gonna go through these
pretty quickly and again if you guys will have questions later, we'll be available. I brought the cavalry, my boss is here today if you have questions for her then or criticisms. So we have the Cyber Training Academy. A lot of people in DoD and law enforcement and counterintelligence or Cyber Command are pretty familiar with our training academy. It's one of the original directorates back when DC3 was founded in 1998. We have a Technical Solutions and Development Directorate, that's our TSD, that's basically our in-house DevSecOps unit. They actually have some malware parsers available on GitHub if you're really curious. They make a lot of in-house tools for us as well. Our newest directorate is the Vulnerability Disclosure Program. You may have heard of like Hack the Pentagon and a bunch of other initiatives that DoD has had. So they grew out of some of those initiatives. They've been stood up for about three years now and they work with white hat hackers about vulnerabilities on the defense networks. We have a particular analytic group that is composed not only of cybersecurity professionals but also linguists. So they're very unusual animals, very hard to find. They do a lot of really in-depth cyber analytic work in the cyber threat intelligence world. We have our forensics lab, one of the other original directorates back in 1998 from DC3. So they do a lot of really sort of high-end specialized forensics analysis. They work with damaged media,
cell phone encryption issues, plane recovery types of efforts and a lot of really specialized and unique things that other forensics labs couldn't potentially handle. And then we're down here, our particular directorate is the DIB Collaboration where we provide analytical threat products mostly focused on advanced persistent threats. So really a little bit more about our role and then we're really going to get into the meat of this again. I've covered some of this a little bit. We're working with over 650 cleared defense contractors in this voluntary sharing program. There's some guidance up there. We're not going to worry about that today. There's a voluntary program. There's also some mandatory reporting requirements. If the CDC has a particularly bad day, they may send us in some mandatory reports as well. And really, our core team, going back to 2007, 2008, when DCISE was formed, is to provide advanced persistent threat analysis on threats that we know are targeting the defense industrial base. So that's really our core area of focus and expertise within DCISE. The cleared defense contractors that partner with us can also get free, no-cost forensics analysis. They can submit that in to us and we work with our forensics lab. We actually have some newer automated tools as well to get some initial triage out. If somebody maybe just wants like some YARA signatures or maybe they don't even know if it is malware or not yet, we can push that out pretty quickly automated or they can
get full forensics. We've published many cyber reports, some short-term turnaround things, and we try to get back out to a customer within 72 hours, and some longer 30-day written analytic reports. And of course, we deal with IOCs as well, and we've shared many IOCs. So DCISE operations, so we'll touch on this just a little bit. Again, our analytic products are focused on advanced persistent threats. And we're really focused on what intrusion vector was used, is this something we've seen before, are these repeated TTPs, are these repeated tactics, techniques, and procedures, and what sort of level of analysis can we provide back to that cleared defense contractor partner. So we have some very quick turnaround products. Again, if somebody reports something into us, we try to provide some contextual analysis within 72 hours so that they have an immediate response. And then depending on what is reported, we can do a whole host of other more in-depth analysis either based on that singular incident or maybe multiple partners have reported something in and then we can start to see that across the sector a little bit into some of our longer-term reporting like our TAR or our CTAR. These will be multi-page reports. The TAR could delve into one particular APT. A TAR might really go down into the weeds about a particular malware that an APT is supposed to use. And then our tip is really where we're giving government-furnished indicators back to the cleared defense contractors.
So we not only encourage their sharing of their own information, we are a conduit for multiple US government and DoD agencies to get indicators and information back out to the defense industrial base. And we have a number of different services. Our customers can get all of our reports on a particular network. We have a lot of conferences. We have a biannual two-day conference up to the classified level. A lot of things we do are unclassified. We have regional engagements where we go out to the geographically dispersed areas to meet our partners and talk to them. We can have really in-depth analyst-to-analyst meetings if they have a concern about something they've seen on their network and they wanna know if we've seen that, if that's been reported somewhere else. We can also go in and try to explain what cyber threat is to their C-suite or executive-level personnel. And we have about 12 different product lines altogether.
So we're really gonna kick this off now. So that's a little bit about who we are. And we're actually near BWI, so we're not really too far away if you have cause to visit us. We're really gonna dive now into the cyber threat intelligence portion of this. So if this is new to you guys, hopefully you'll have a much better idea of what this is and what advanced persistent threats are at the end of the day. And I always like to start this talk with: what is cyber threat intelligence? We get that question a lot. And this sort of ties into other talks I've given about what is cybersecurity. Cybersecurity in and of itself is a
really broad field with a lot of narrow specializations. And we are one of those very narrow specializations. We bring a lot of different skill sets into the type of person that will excel as an analyst in the cyber threat intel world. So this is just sort of my scoping slide so we all know where we're at within this whole array of other types of jobs you might have in IT or cybersecurity. So, I like to talk to this slide about what is cyber threat intelligence and I think it falls into two broader categories. I think there's a lot of operational or non-humanized, non-human analyzed information or data. So I think all of these automatic detection algorithms, ML,
enhanced automated operations, that's data. So a lot of us come from an intelligence background. So to me, that may provide some level of information and data, but to me it becomes intelligence, and up here I use the term strategic intelligence, once a human analyst has done some sort of cognitive analysis on the data that has been produced automatically, we need to understand what might the risks be that that particular organization has concerns about for where that analyst resides. It's really hard to automate that. I would say currently it's impossible to automate that. What are our priority intelligence requirements or what are the concerns that my leadership has that they want me to be analyzing on? Pretty hard to put
that into any sort of SIEM that I've seen yet. So there's a lot of mechanisms out there to help you whittle down, maybe focus on some of the data, but I believe intelligence in the form of cyber threat intelligence will be after a human has put their eyes on it and done that human cognitive analysis on all of the information. Really at the core of this, when you say cyber threat intelligence to me, I think you're talking about tactics, techniques and procedures that cyber threat actors use. And to me that's the core of where our day-to-day focus is really at. What TTPs are known actors using, regardless of actor set, regardless of sector you might work in. So we might have somebody concerned about financial
criminal actors. Well, they have specific TTPs, which might be different than Russian nation state sponsored APTs, which might be different than another set of attacker specific APTs, TTPs. Too many acronyms. Well, just to go back to that, we're also not trying to discount operational intelligence at all. We understand that that's very important. We are providing intelligence to our partners, maybe because they just don't have the time. That's one of the biggest things when it comes to intelligence, and we're going to speak to that later, is it takes a very specific skill set to do that. So operational intelligence might be what you can afford or what your people do. So I don't want to discount that at all because that's what a lot of companies
are currently having played. Right. That's a great point, Ronnie, because a lot of smaller organizations, government entities, smaller private companies, non-profits, school systems, you're not going to have cyber threat intelligence personnel. Maybe some of the larger schools might, but for the most part, this is a pretty specialized field, and you may have some people in your SOC that do some of this, and they may not call this cyber threat intelligence. But a lot of organizations probably will not have a team of cyber threat intelligence professionals working for them. And nowadays a lot of people are subscribing or paying for this as a commercial service as a matter of fact. So I know you've been here for a long time and you still don't
know what cyber threat intelligence is. Hopefully by the end of this presentation you'll be able to have a better idea. So if I had to whittle this down, right, it's the analysis based on all of the information I have, and it's that enrichment of the data so that I can understand the TTPs of threat actors. So I can understand perhaps what the TTPs were, what the TTPs are, and then make some predictive analysis about where maybe the TTPs are gonna go that I need to be worried about. And to me, that's the core when we talk about cyber threat intelligence. That would be my definition of it. And if you ask about three cyber threat
intelligence personnel what that is, you'll probably get about 12 answers. And in my mind, because of my experience where I work, a lot of this really has to do with the more sophisticated nation state actors or advanced persistent threats. Although it doesn't always have to, as I pointed out. So you wanna? Yeah, so there's a lot of different backgrounds that end up going into cyber threat intel because it's not really something that a lot of colleges have focused on for a long time. How many people have their cyber threat intelligence degree? Right. Yeah, so a lot of people will come in from just a bunch of various different backgrounds. We've seen it where somebody's like, I'm the cyber threat intel person for this, and we ask, well, how did
you get into that? Well, I'm the only guy that could connect the printer. So, you know, it's just varied backgrounds. People kind of learn as they go. I come from a network defense background in the Army. As he mentioned, a lot of people end up coming from intelligence backgrounds. So you can get into it. I mean, you see all the different things we have up there. People want to get into this field and again, it's a very specialized niche of an already specialized field. Yeah, and while this talk doesn't dive into that a lot, I'm happy to talk about how you get into this field offline as well. So if you have those sorts of questions, you can definitely hit me up after the talk. But
I know people in this field with all of those backgrounds. One of my mentors at a consulting company was an EMT, and now he is a SANS instructor and has since left to start his own cyber OSINT business. So people find their way into cyber threat intelligence analysis like a lot of other cybersecurity fields. There is no one particular path necessarily. And I think the diversity is really important as well because we really need that human analysis. So the fact that there is a lot of diversity and that people are coming from a lot of diverse backgrounds, in my opinion, is really helpful when we are trying to analyze, in some cases, actions that
human adversaries or human criminal elements are taking. So we're really gonna start to dive into sort of like one of the core fundamental meats of this presentation. And I touched on this a little bit earlier when I said not everybody's gonna have a cyber threat intelligence team. So what am I really trying to convey with that message? Is that you have to have some of the basics first. If you don't have an architecture that's defendable, if you don't have an architecture where you know what's on your network, if you don't have policies and you don't have multi-factor authentication, there are some underlying cybersecurity concepts that your organization probably should focus on first as a foundation because we might be able to apply some risk based analysis about what types
of threats might your organization face, but that may not be really helpful if you're not patching your systems. Right, so there's this, like, blue, like, do you have a defensible architecture? Are you meeting, like, core cybersecurity principles and cybersecurity hygiene? Is that documented, or are there SOPs about it? Do you have an incident response plan? Right, so that's step one, that's architecture. And then you sort of move up into like, well, if you're at that point, let's get into a passive defense. Let's ensure whatever SOC or NOC analysts we do have are not just entirely reactive to alerts that come in. Let's make sure that they know things they should be researching if there are lulls, you know, there's not a lot of lulls in
SOCs and NOCs, but what are some things that might be more priority? Have we done any risk-based analysis on the types of threats that might affect us? Are we a global operation? Well if we're not a global operation, what sorts of IP addresses might we expect or not expect to see on our network? So this is where you're starting to get a little bit more proactive, but probably still on a defense, like a purely defensive side. And then you can get into the next level, the reactive defense or active defense. So again, not every organization is gonna have the budget or manpower to move all the way up this chart and that's fine. We understand that and I think you would want to have some understanding of where you
would want to be on this chart as well. But active defense means now perhaps I've done some risk analysis. I know which threats are likely to target the industry or sector that my organization is in so I can prioritize my analysis or OSINT collection about the threats that are most likely to target me. I understand what my management or risk team think are really critical. I understand, you know, for our organization, there's certain, perhaps, segmented areas of our network that need to have more defenses than others. So I might more proactively ensure that those areas of the network are defended. Something along those lines. So then, you really get to where intelligence or cyber threat intelligence can help your network. So at this point you should be informing that cyber threat intelligence that your team does in house or that you're subscribed to or you get from various government programs. They can start to inform, right? We might now have a really good understanding of how the threat landscape is changing or which TTPs the adversaries that we're concerned about, based on our analysis, what they're doing and where we think they might go and how they continue to change. And then there'll be very few organizations that get all the way to active hunting, right? Very few probably commercial organizations, as you have to have scale and size and funding to get all the way that we now are, with intelligence, actively hunting in our
network for those threats that we're missing at our perimeter defense if such a thing exists, which is another talk we could have later. So now we're more proactively looking for hashes, TTPs, heuristics, right? What are the anomalous things that are happening on the network that make me question whether that anomalous thing should be happening, but it's not being flagged anywhere. And is that anomalous activity repetitive? Have I seen that before? Does it match any known threat actor TTPs that perhaps I know target my sector? And maybe I will go see if there are additional anomalies like that across my network that would be concerning. So this is a much more proactive level of active hunting or active defense on your network. So how
many of you are familiar with the phrase, don't be a one-pizza target? Okay, so what this gets into is how long it actually takes an adversary to get into your network. So is it just gonna take them a pizza and an energy drink and then they're in? You know, it starts at the very beginning. Oh look, I ran nmap. Look, this server hasn't been patched since 2012. Yeah, so you'll notice as we go up to scale, we're getting up to more pizzas and more energy drinks. But something I want you to notice is this is finite, right? There's never an amount of pizzas and energy drinks that you'll be able to get to that won't keep them from getting in if they want to get in.
So that's the idea. You're just trying to make it so hard that if I'm being blunt, they'll just move to the next person. That's really what you're trying to do. Now, you may be in a sector where they're like, nope, I'm coming. It's like, okay, that's fine, but for the majority of them out there, you can make it so hard that they'll just move to someone else. And that's really what you're trying to do going up this sliding scale is making it hard. Right, I mean just like in the real world physical security, well if you have locked your car door and your car has an alarm and you park in a well lit area,
right, I'm not gonna say your car is never gonna be stolen, but it's less likely than I forgot to lock my car in that sketchy parking lot behind the 7-Eleven where there's no lights, right? So there's no such thing as guaranteed cybersecurity in any of this. There are still advanced persistent threats that if you are a particular target, they may just have to take a lot longer time to breach a network. But we can increase the scale to the adversary. We can increase their time and make it harder for one of them. And now we're really gonna dive super deep into the kill chain and explain it a really complicated, we're not doing that? No, no. So how many of you have ever seen the movie Ocean's
Eleven? Okay, so this movie actually lines up pretty well with the cyber kill chain. So first step right there is recon. So we need reconnaissance, right? So if you remember Ocean's 11, where do they start? Reconnaissance of the bank vault, so that's what they're gonna go out and find. We need the blueprints. So it's the same thing, right? If an APT is doing recon for you, it may be something as simple as just scanning your network. It may be just
looking up on your website to see if email addresses are readily available. We list all the VP's email addresses on the website. Boom, there you go. So now all of a sudden we have emails that we can craft these spear phishing emails to. We have a person. So there's Recon. And really, I always say, when I explain this, there's really two forms of reconnaissance that we don't often talk about. There's the technical reconnaissance. There's the scanning of your network. There's also sort of the non-technical reconnaissance depending on if you are a target of a very sophisticated threat actor. Do your technical guys operate blogs where they post questions about things on your network and throw
up screenshots of blogs? Because that happens probably more frequently than our leadership would like to know that that happens. So there's that whole reconnaissance side from an open source intelligence or OSINT perspective as well of we may be making it really easy for the adversary to understand things about our organization that perhaps we might not want them to know. And let's not forget good old-fashioned dumpster diving. I have a story about that that I can tell later. So our next step is weaponization. So in this particular scene in Ocean's 11, if you remember, he is trying to convince Benedict to get his briefcase into the vault. So that's really what it encapsulates, right? He is just setting the stage. So with weaponization, you've already done the recon. So you've scanned the network, you've seen it. Now weaponization, you have to find out how to use that. I'm sure a lot of us have heard of Metasploit. You're going to Metasploit and you're packaging something together. Maybe you go to Shodan and find something that you can use. So that's weaponization. Yeah, so this is informed a lot in large part by the technical or open source reconnaissance activities previously. So then we have our next step of delivery. So that is taking that payload and that's actually delivering it. Now, I know a lot of times we think of the phishing email. The delivery can be anything. Well, not anything. But we're looking at email, we're looking at maybe
somebody has put something on a USB stick and just dropped it in a parking lot. Maybe there's been a URL that has been set up to where people can go there and enter credentials. Delivery can be anything. In this particular case, delivery is that. They are delivering that briefcase to the vault. Right, and so when we're trying to explain this to non-technical people, I think a lot of people are more familiar with phishing emails. But again, there's lots of different ways that delivery can happen, right? Site redirections, click-jacking, you know, vendor-compromised laptop in an air-gapped nuclear facility in a Middle Eastern country. There's all sorts of, I mean, just, there's all sorts of delivery examples. USBs in the
parking lot apparently still work as well, which is scary enough. So there's lots of different forms of delivering the weaponized payload to the intended victim network. So we move from delivery into exploitation. So if you remember this scene, they're exploiting that security guard's ability to do his job. So they're making this scene, he can't do his job, they're literally exploiting his position. So if we're going to go for the phishing example, the exploit is, I've crafted this email so well that you don't know that it's a phishing email, and the exploit is that I've caused you to click on that. Or I've caused you to open the Word document or the PDF that's attached to it. Or I've caused you to go to the website
and enter your credentials into this place. That's the exploit. And it most often comes into exploiting a person. Most often, not all the time. Yeah, so it could be exploiting a person, right? There are very, very sophisticated phishing emails that are out there depending on the threat actor. That could be informed by the reconnaissance phase. There's examples where legitimate documents are downloaded from the victim's network and repackaged with malware. So I mean, it was a legitimate PDF, or it was a legitimate PowerPoint, which now has a malicious macro in it. And there's also the technical exploitation side of this as well. It could be malware that we know works against these vulnerabilities that you haven't patched. It could be much more sophisticated versions of malware. Not everything is
a zero day nowadays. That would be a particular example. There's a lot of different technical examples of how we might exploit the vulnerability that we've discovered, whether it's the people vulnerability or whether it's the technical vulnerability. This is the stage in the kill chain where that is essentially executed. So we move to the next step, which is installation. And as you can see here, they're literally pushing, I'm using literally a lot, I'm sorry. They are pushing the briefcase into the vault. So they have the successful exploitation and now he is moving that in. So along with what the name suggests, installation, they've already clicked on the link or they've clicked on the Word document that you sent, PDF that you sent, and now the malware is installing
on the system. Right, and this is fairly self-explanatory, but depending on the motivations of the threat actor, which you may or may not be able to determine based on your cyber threat intelligence analysis, right, there could be an initial installation, and then if they're trying to maintain persistence, there could be multiple other installations as well. And also what we see at this stage now is not only are they trying to install malware, they may just be using tools on your network as well. So sometimes you could consider perhaps that as operating on this stage a little bit. In a lot of cases, this might be where they're downloading a packer and a compression and an extraction tool if they're just trying to steal data. This maybe is
happening on this stage, but that first initial installation of malware is really what we're talking about at this phase of the kill chain. And then we move into command and control. So this is, they've installed and now we get to
the place where it's communicating with their infrastructure now. In this particular one, they're setting up things to where they can see the vault from inside. But if you know the movie, you know this happens way before the actual install of the briefcase into the vault. And that's why we have it here, because I want you to know it doesn't happen that we are explaining it in linear order, but it doesn't have to happen in that order. A lot of these steps could be skipped if you don't have very good security, their stuff, they can skip all of this. Maybe there's, we have it all the time where CVEs get released, common vulnerability exploits, right? So these get released and they'll just do a scan, and I say they, they'll just do a scan, find out what has that CVE and just go for it. They really didn't even have to do any recon on you at all. Well, I guess they did, they did a show that it's good, anyway. So that was the example of showing that beforehand is to show you how easy it can be if we just don't follow basic hygiene.
to get to that answer. So there should still be prioritization of what your intelligence, your cyber threat intelligence personnel are doing, whether you have a big team or a smaller team, they really need guidance and priorities. Yeah, a little elementary way to deal with it that I tell children a lot whenever we're talking, you know, trying to guide them up into cyber threat intel, is if your company makes rubber ducks, don't spend money trying to stop the APT that's trying to take wooden ducks.
Yeah, you're focused on the local threat actor. All right, how many people are familiar with Bianco's Pyramid of Pain? There's a few out there. All right, so it's kind of the reason we have that main pyramid and then the sliding scale up top is because this kind of serves two purposes. Hash values, all right. If we're gonna block hash value, malware hashes. Yeah, so malware hashes. I hope everyone out there is familiar with what a hash is. Okay, I'm just gonna move on. All right, so blocking hashes or detecting hashes on a network is pretty trivial. By that I mean it's pretty easy to do, right? IP addresses, detecting IP addresses on your network. Like I said, easy. Pretty easy to do. You can detect them, you can block them, set alerts, whatever. Domain names, simple. Very easy for us to implement. Network and host artifacts. All right, so this is where it starts getting a little more, you know, we have that there as annoying. Is everyone familiar with what network and host artifacts are? Okay, so host artifacts are, if malware is installed on your system, host artifacts is what it's leaving there. So a lot of times when you install malware on a system it creates a registry key. Well, there's a host artifact, it's that registry key. It's the stuff that we're going to look for. Network artifacts, same thing. It's behavior on the network that we're looking at when there's suspicious behavior. So looking for that
stuff, a little tougher. You have to have people that know what they're doing. But it's possible. Tools, implementing, looking for tools. What do you look for? Are you looking for, maybe there's a bug that every time they send a phishing email, it comes from this particular mailer. What exactly are you looking for? So as we talk about cyber threat intel, you have to have people looking for this. So it becomes challenging. TTPs, the highest point of the pyramid. Now that's tough because everything that's in there all encompasses the TTPs of the adversary. So it's gonna be just even tougher to look for. Now, the other half of this pyramid is that sliding scale of the adversary. So you're looking and blocking hash values. I'm not gonna say that you shouldn't be doing that, but it's trivial for the adversary. Because all they have
to do is, let's say they sit in a Word document. They just open the Word document, throw an A at the very end, save it, and now it's a completely different hash. So they can get past that pretty easily. IP address. They can just get a new IP address. Now all of a sudden all the IPs that you're blocking, it just doesn't matter. I'm not going to say not to do it because better safe than sorry. It's like having an antivirus on your system. You want it, just because it's not catching everything doesn't mean it's not useful. Domain names. They can just go out and get more domain names.
Again, do not do it. Some adversaries aren't that there because the more you're doing to disrupt this stuff, as we're going up the scale, you know it's a trend, as we go up the scale, you're making it harder for them. As you start detecting network and host artifacts of what they're doing on your network, well now it's annoying because now they have to go possibly find more malware. to use against you because you're detecting the artifacts that they're using already. So now they can't establish that persistence where they can't get what they're trying to get because you're detecting it. Same thing with the tools. As you start recognizing tools on the network, well now they
have to go find new tools. Well some of these APTs aren't even developing their own tools. They're going out and purchasing from other places. Maybe they don't have the technical sophistication to make these tools. That's why you're making it challenging for them. You're forcing them to spend money. don't be a one-piece of target. You're trying to make it challenging enough for them. TTPs, the last thing, is you start detecting TTPs of the adversary, well now they have to go change the TTPs. And I don't think a lot of people appreciate how difficult that is. Have you ever, in your organization, when they implement a change, I'm sorry to throw a lot of organizations on the bus, but when they try to implement a change, how difficult is that? It
is very difficult. A lot of adversaries out there work like an organization. These are human people doing jobs. Human people.
So these are humans doing jobs. This is the work that they do. Gone are the days of us staying people in the basement. These are professionals doing this for a living. At least some of them are professionals. So when we talk about APTs, I will often use a scale to describe APTs. And I don't know whether this is good or not, but I always go back to the Olympics. Like every single person at the Olympics is amazing. They're not even all close to actually being medal contenders, right? All right? That's my analogy for APTs. All of them have some scale, right? All of them are not me running Nmap and Kali and Metasploit from my house. When we talk about an advanced persistent threat actor, there's a certain level of sophistication, organization, probably funding and backing that pretty much all of the advanced persistent threat groups have. And we can quibble whether any criminal elements count as APTs later, we can have that discussion later in by the year. But all of the APTs are sophisticated, but they're not gold medal contenders.

Well, here's two of them that are medal contenders pretty much continually. So you have APT28, which is known by a whole bunch of other names, mostly Sofacy and Fancy Bear. And APT29 is sort of their sister or cousin APT, which is also known as CozyDuke or Cozy Bear. Both are suspected to be associated with Russia in some capacity, so both of them have funding and nation-state resources from a large country. But they are still human people. So, APT28, for example, it was noticed by researchers that the malware that this organization tends to use was compiled between very certain government working hours, which just happened to align with the times in Moscow and St. Petersburg. Hmm, imagine that. And then there's going to be somebody in the back who's like, well, they could have done that on purpose just so you could think it was them. And if you are from a counterintelligence field and have that argument, that's fine. But at some point, people don't think through every single thing they're doing for deception. Yes, I'm not going to say deception may not exist. Sometimes paranoia runs a bit far. So I thought that was really interesting, because even though they are one of the more sophisticated threat actors, people still make mistakes. They have habits. These habits may form some of the TTPs that that group becomes associated with. They used to rely on and be known for zero-day vulnerabilities. They're not the only APT set that was known for that. But a lot of APT sets, including APT28, APT29, continue to evolve.
Right? So they also, the adversary, these APTs, read all of the open source articles that you and I read about them as well, which is weird if you think about it. So we also kind of help them evolve sometimes to some degree. So many of the APTs are like, well, they know that when they see this malware, it's me. Maybe I should use malware that anyone can use. Great. And that's what a lot of the APTs have done when it works. And why does it work? Because you have unpatched servers from 2006. So why would they need zero-day custom-made malware when I need you to patch Apache Struts, please? So yes, they can be behind VPNFilter malware and not patch you, but they may not always need that level of sophistication in their intrusion vector if it's not warranted.

And APT29 is also, right, a suspected Russian-backed group. What I like about APT29 is sort of how thorough and how quiet they tend to be. That's really their claim to fame. They are really good about obfuscation and encryption to make the detection very difficult once you are a victim. And they basically also patch their own malware. So, I mean, we have trouble getting people to patch our perimeter security devices, and if we have APTs which are so dedicated that they'll update their malware. So yes, I would consider them to be gold medal contenders, if you will, in the APT spectrum. And there's a lot of information about both of these two advanced persistent threat actors available. But however, just keep in mind, if you have cyber threat intelligence personnel and you're thinking like at an organizational level, you should probably have some idea if you are in an industry that would be targeted by any particular APT. Like I said, there's probably 130 that you could potentially research. So we're just giving you a couple of examples. It doesn't mean that all of you should go to your boss and go, oh my god, we need to protect against APT28. You may not be in an industry that is particularly known to be targeted by that particular APT.
And then there is, at least one example, I mean a Chinese-associated APT, there are many others. This goes by a number of different names, so Deep Panda, APT19, Shell Crew, Pink Panther. So this also, this APT is also known to target a lot of different industries, so this may be one that, if you're not familiar with it, regardless of industry, you might want to know a little bit more about. Whether it's government, defense, financial, telecommunications, those are pretty broad industry bases. Some people in organizations will say that they are behind the Anthem hack. Some will also say they're behind the OPM hack. Some people might disagree, but I tend to believe the OSINT reports that tie into those. They also have the notes with that healthcare, aerospace, and energy sectors, just to ensure that they've covered multiple very broad industries. And they have their own TTPs as well. So they don't operate exactly the same as the Russian APT sets do.
And I want to try to get through the next couple slides so we can take some questions. So I really like this term intelligence-driven network defense. Not every organization, company, industry sector that you might work in will get to this level. But I kind of think that phrase is sort of like, that's the elite level that some organizations will be able to be at. Where we have sort of the budget, buy-in, billets, people, risk factor understood, that we now use cyber threat intelligence to drive SOC operations, to inform threat hunting, to be more proactive in how we think about cyber network defense. Bless you. So that's the real quick overview. So I wanna kinda open it up for questions and then if this runs long, we'll be outside if you wanna talk to us or have questions, or I put up brochures as well.

Thank you.
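The sliding scale the speakers walk through above (hash, IP, domain, host artifact, tool), as an added example that is not part of the talk or of DC3's own tooling: a small Python matcher with indicators at five pyramid-of-pain levels. It models the cheap changes described (append a byte to the document, swap IP and domain) and shows that only the host artifact and tool indicators still fire afterwards. Every value in it (document bytes, addresses, registry key, mailer header) is constructed for the example.

```python
"""Pyramid of pain: which indicator levels survive a trivial adversary change (constructed example)."""
import hashlib
from dataclasses import dataclass

# Constructed sample values only: no real malware, infrastructure or indicators.
ORIGINAL_DOC = b"constructed sample document bytes, not real malware\n"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"  # constructed persistence key
INDICATORS = {
    "hash": {hashlib.sha256(ORIGINAL_DOC).hexdigest()},
    "ip": {"203.0.113.10"},                       # RFC 5737 documentation range
    "domain": {"update-check.example"},
    "host_artifact": {RUN_KEY},                   # the registry key the malware leaves behind
    "tool": {"X-Mailer: ConstructedMailer/1.0"},  # the phishing kit's tell-tale header
}


@dataclass(frozen=True)
class Observation:
    """What a defender sees for one intrusion attempt."""
    document: bytes
    c2_ip: str
    c2_domain: str
    registry_keys: frozenset
    mailer_header: str


def match_levels(obs, indicators=INDICATORS):
    """Per pyramid level, does any known indicator fire on this observation?"""
    return {
        "hash": hashlib.sha256(obs.document).hexdigest() in indicators["hash"],
        "ip": obs.c2_ip in indicators["ip"],
        "domain": obs.c2_domain in indicators["domain"],
        "host_artifact": bool(obs.registry_keys & indicators["host_artifact"]),
        "tool": obs.mailer_header in indicators["tool"],
    }


def trivial_rework(obs):
    """The cheap changes the talk describes: append one byte, new IP, new domain.
    Persistence and phishing tooling stay the same; changing those costs real effort."""
    return Observation(obs.document + b"A", "203.0.113.77", "sync-status.example",
                       obs.registry_keys, obs.mailer_header)


def surviving_levels(obs):
    """Pyramid levels that still detect the intrusion after the trivial rework."""
    return [level for level, hit in match_levels(trivial_rework(obs)).items() if hit]


FIRST_SIGHTING = Observation(ORIGINAL_DOC, "203.0.113.10", "update-check.example",
                             frozenset({RUN_KEY}), "X-Mailer: ConstructedMailer/1.0")

if __name__ == "__main__":
    print("first sighting:", match_levels(FIRST_SIGHTING))
    print("after rework:", surviving_levels(FIRST_SIGHTING))  # ['host_artifact', 'tool']
```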