
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers, and organizers.

All right, thanks to BSides DC for having us. Thank you guys for spending some time with us today. We're from the DoD Cyber Crime Center, and we'll go ahead and dive into this presentation about cyber threat intelligence and APTs. This is meant to be entry level, so if this is your primary field, we're not going to be on the expert side of this. This is meant to be an approachable presentation for people who primarily are not cyber threat intelligence analysts or do not have a lot of experience in advanced persistent threats. So that's sort of our agenda that we're going to try and fit in today, which we normally don't have too much problem with.

We actually work in the DoD DIB Collaborative Information Sharing Environment, and yes, that's a DoD acronym that contains acronyms. I apologize for that; I was not consulted in the naming of the organization that we're with. That's one of the mission directorates that's housed at DC3. So what we're going to do is a real quick overview, just because some people have not heard of DC3. Man, we've got a lot of feedback. Can we turn the mics down a little bit, whoever's in charge of that? All right, great, thanks. Sorry, I must be a really loud talker.

All right, so DC3 is one of seven federal cyber centers. They have a lot of different missions, including forensics analysis, cyber investigation training, technical solutions. There's a lot of analysis and operations in terms of law enforcement and counterintelligence support, obviously cyber security or else it would be odd that we're here today, document and media exploitation support for the counterterrorism mission and operations, and then really our particular role there within DCISE that we focus on: we're the single repository for cleared defense contractor cyber reporting of incidents about their unclassified networks. We also operate a 12-year-long voluntary cyber sharing program with cleared defense contractors. We have about 655 cleared defense contractors that are in our voluntary sharing program, so they share threat information with us and amongst themselves, and we share government-furnished products and information back to them as well.

So we're about a 500-person agency overall at DC3. I'm going to go through these pretty quickly, and again, if you guys have questions later, we'll be available. I brought the cavalry: my boss is here today, if you have questions for her, or criticisms. So we have the Cyber Training Academy. A lot of people in DoD and law enforcement and counterintelligence or Cyber Command are pretty familiar with our training academy. It's one of the original directorates back when DC3 was founded in 1998. We have a Technical Solutions and Development Directorate, that's our TSD. That's basically our in-house DevSecOps unit. They actually have some malware parsers available on GitHub if you're really curious. They make a lot of in-house tools for us as well. Our newest directorate is the Vulnerability Disclosure Program. You may have heard of Hack the Pentagon and a bunch of other initiatives that DoD has had, so they grew out of some of those initiatives. They've been stood up for about three years now, and they work with white-hat hackers about vulnerabilities on the defense networks. We have a particular analytic group that is made up not only of cyber security professionals but also linguists, so they're very unusual animals, very hard to find. They do a lot of really in-depth cyber analytic work in the cyber threat intelligence world. We have our forensics lab, one of the other original directorates back in 1998 from DC3, so they do a lot of really high-end, specialized forensics analysis. They work with damaged media, cell phone encryption issues, plane recovery types of efforts, and a lot of really specialized, unique things that other forensics labs couldn't potentially handle. And then we're down here: our particular directorate is the DIB Collaboration, where we provide analytical threat products mostly focused on advanced persistent threats. So, really, a little bit more about our role, and then we're really going to get into the meat of this. Again, I've covered
some of this a little bit. We're working with over 650 cleared defense contractors in this voluntary sharing program. There's some guidance up there; we're not going to worry about that today. There's a voluntary program, and there's also some mandatory reporting requirements: if a CDC has a really bad day, it may send us in some mandatory reports as well. And really our core team, going back to 2007-2008 when DCISE was formed, is to provide advanced persistent threat analysis on threats that we know are targeting the defense industrial base. So that's really our core area of focus and expertise within DCISE. The cleared defense contractors that partner with us can also get free, no-cost forensics analysis. They can submit that in to us and we work with our forensics lab. We actually have some newer automated tools as well to get some initial triage out. If somebody maybe just wants some YARA signatures, or maybe they don't even know if it is malware or not yet, we can push that out pretty quickly, automated, or they can get full forensics. We've published many cyber reports, some short-turnaround things that we try to get back out to a customer within 72 hours, and some longer 30-day written analytic reports. And of course we deal with IOCs as well, and we've shared many IOCs.

So, DCISE operations. We'll touch on this just a little bit, and again, our analytic products are focused on advanced persistent threats, and we're really focused on, you know, what intrusion vector was used, is this something we've seen before, are these repeated TTPs, are these repeated tactics, techniques, and procedures, and what sort of level of analysis can we provide back to that cleared defense contractor partner. So we have some very quick-turnaround products. Again, if somebody reports something in to us, we try to provide some contextual analysis within 72 hours so that they have an immediate response, and then depending on what is reported, we can do a whole host of other more in-depth analysis, either based on that singular incident, or maybe multiple partners have reported something in and then we can start to see that across the sector a little bit, into some of our longer-term reporting like our TAR or our CTAR. These will be multi-page reports. The TAR could delve into one particular APT; the CTAR might really go down into the weeds about a particular malware that a known APT is supposed to use. And then our TIP is really where we're giving government-furnished indicators to the cleared defense contractors. So we not only encourage their sharing of their own information, we are a conduit for multiple US government and DoD agencies to get indicators and information back out to the defense industrial base.

And we have a number of different services. Our customers can get all of our reports on a particular network. We have a lot of conferences; we have a biannual two-day conference up to the classified level. A lot of things we do are unclassified. We have regional engagements where we go out to the geographically dispersed areas to meet our partners and talk to them. We can have really in-depth analyst-to-analyst meetings if they have a concern about something they've seen on their network and they want to know if we've seen that, if that's been reported somewhere else. We can also go in and try to explain what the cyber threat is to their C-suite or executive-level personnel, and we have about 12 different product lines altogether.

So we're really going to kick this off now. That's a little bit about who we are, and we're actually near BWI, so we're not really too far away if you have cause to visit us. We're really going to dive now into the cyber threat intelligence portion of this. So if this is new to you guys, hopefully you'll have a much better idea of what this is and what advanced persistent threats are at the end of the day. And I always like to start this talk with: what is cyber threat intelligence? We get that question a lot, and this sort of ties in to other talks I've given about what a cyber
security professional is. Cyber security in and of itself is a really broad field with a lot of narrow specializations, right, and we are one of those very narrow specializations. We bring a lot of different skill sets into the type of person that will excel as an analyst in the cyber threat intel world. So this is just sort of my scoping slide, so we all know where we're at within this whole array of other types of jobs you might have in IT or cyber security.

So why I like to talk to this slide about what is cyber threat intelligence: I think it falls into two broader categories. I think there's a lot of operational or non-human-analyzed information or data. So I think all of these automatic detection algorithms, ML-enhanced automated operations, that's data. A lot of us come from an intelligence background, so to me that may provide some level of information and data, but to me it becomes intelligence, and up here I use the term strategic intelligence, once a human analyst has done some sort of cognitive analysis on the data that has been produced automatically. All right, we need to understand what might the risks be that that particular organization has concerns about, for where that analyst resides. It's really hard to automate that. I would say currently it's impossible to automate that. What are our priority intelligence requirements, or what are the concerns that my leadership has that they want me to be analyzing? Pretty hard to put that into any sort of SIEM that I've seen yet. So there's a lot of mechanisms out there to help you whittle down, maybe focus on some of the data, but I believe intelligence in the form of cyber threat intelligence will be after a human has put their eyes on it and done that human cognitive analysis on all of the information.

Really, at the core of this, when you say cyber threat intelligence, to me I think you're talking about tactics, techniques, and procedures that cyber threat actors use, and to me that's the core of where our day-to-day focus is really at: what TTPs are known actors using, regardless of actor set, regardless of sector you might work in. So we might have somebody concerned about financial criminal actors. Well, they have specific TTPs which might be different than Russian nation-state-sponsored APTs, which might be different than another set of attacker-specific APTs' TTPs. Too many acronyms.

Well, just to go back to that, we're also not trying to discount operational intelligence at all. We understand that that's very important. We are providing intelligence to our partners maybe because they just don't have the time. You know, that's one of the biggest things when it comes to intelligence, and we're going to speak to that later: it takes a very specific skill set to do that. So operational intelligence might be what you can afford or what your people do, so I don't want to discount that at all, because that's what a lot of companies currently have in place.

Right, that's a great point, Ronnie, because a lot of smaller organizations, government entities, smaller private companies, nonprofits, school systems, you're not going to have cyber threat intelligence personnel. I mean, maybe some of the larger schools might, but for the most part this is a pretty specialized field, and you may have some people in your SOC that do some of this, and they may not call this cyber threat intelligence, but a lot of organizations probably will not have a team of cyber threat intelligence professionals working for them. And nowadays a lot of people are subscribing or paying for this as a commercial service, as a matter of fact.

So I know you've been here for a long time and you still don't know what cyber threat intelligence is. Hopefully by the end of this presentation you'll be able to have a better idea. So if I had to whittle this down, right, it's the analysis based on all of the information I have, and it's that enrichment of the data so that I can understand the TTPs of threat actors, so I can understand perhaps what the TTPs were, what the TTPs are, and then make some predictive analysis about where maybe the TTPs are
going to go that I need to be worried about. And to me that's the core when we talk about cyber threat intelligence; that would be my definition of it. And if you ask about three cyber threat intelligence personnel what that is, you'll probably get about 12 answers. And in my mind, because of my experience where I work, a lot of this really has to do with the more sophisticated nation-state actors or advanced persistent threats, although it doesn't always have to, as I've pointed out. So, you want to?

Yes, so there's a lot of different backgrounds to end up going into cyber threat intel, because it's not really something that a lot of colleges have focused on for a while. How many people have their cyber threat intelligence degree? Right, yeah. So a lot of people will come in from just a bunch of various different backgrounds. We've seen it where somebody's like, "I'm the cyber threat intel person for this," and we ask, "How did you get into that?" "Well, I'm the only guy that could connect the printer." So, you know, it's just varied backgrounds. That's my kind of learning, yeah. People kind of learn as they go. I come from a network defense background in the Army. As he mentioned, you know, a lot of people end up coming from intelligence backgrounds. So you can get into it; I mean, you see all the different things we have up there. People want to get into this field, and again, it's a very specialized niche of an already specialized field.

Yeah, and while this talk doesn't dive into that a lot, I'm happy to talk about how you get into this field offline as well, so if you have those sorts of questions you can definitely hit me up after the talk. But I know people in this field with all of those backgrounds. One of my mentors at a consulting company was an EMT, and now he is a SANS instructor and has since left to start his own cyber OSINT business, right? So people find their way into cyber threat intelligence analysis like a lot of other cyber security fields. There is no one particular path necessarily, and I think the diversity is really important as well, because we really need that human analysis. So the fact that there is a lot of diversity and that people are coming from a lot of diverse backgrounds, in my opinion, is really helpful when we are trying to analyze, in some cases, actions that human adversaries or human criminal elements are taking.

So we're really going to start to dive into sort of one of the core fundamental meats of this presentation, and I touched on this a little bit earlier when I said not everybody's going to have a cyber threat intelligence team. So what am I really trying to convey with that message? It's that you have to have some of the basics first. If you don't have an architecture that's defendable, if you don't have an architecture where you know what's on your network, if you don't have policies and you don't have multi-factor authentication, right, there are some underlying cyber security concepts that your organization probably should focus on first as a foundation, because we might be able to apply some risk-based analysis about what types of threats your organization might face, but that may not be really helpful if you're not patching your systems, right? So there's this, like, blue: do you have a defensible architecture, or are you meeting core cyber security principles and cyber security hygiene? Is that documented? Are there SOPs about it? Do you have an incident response plan? Right, so that's step one; that's architecture.

And then you sort of move up into, well, if you're at that point, let's get into a passive defense. Let's ensure whatever SOC or NOC analysts we do have are not just entirely reactive to alerts that come in. Let's make sure that they know things they should be researching if there are lulls. You know, there's not a lot of lulls in SOCs and NOCs, but what are some things that might be more priority? Have we done any risk-based analysis on the types of threats that might affect us? Are we a global operation? Well, if we're not a global operation, what sorts of IP addresses might we expect or not expect to see on our network? So this is where you're starting to get a little bit more proactive, but probably still on a defensive, like a purely defensive, side.

And then you can get into the next level, the reactive defense or active defense. So again, not every organization is going to have the budget or manpower to move all the way up this chart, and that's fine. We understand that, and I think you would want to have some understanding of where you would want to be on this chart as well. But active defense means now perhaps I've done some risk analysis. I know which threats are likely to target the industry or sector that my organization is in, so I can prioritize my analysis or OSINT collection about the threats that are most likely to target me. I understand what my management or risk team think are really critical, or I understand, you know, for our organization there are certain perhaps segmented areas of our network that need to have more defenses than others, so I might more proactively ensure that those areas of the network are defended, something along those lines.

So then you really get to where intelligence, or cyber threat intelligence, can help your network. So at this point you should be informing that cyber threat intelligence that your team does in-house, or that you subscribe to, or you get from various government programs. They can start to inform, right: we might now have a really good understanding of how the threat landscape is changing, or which TTPs the adversaries that we're concerned about, based on our analysis, what they're doing and where we think they might go and how they continue to change. And then there'll be very few organizations that get all the way to active hunting, right? Very few, probably, commercial organizations, as you have to scale in size and funding to get all the way to where we now are, with intelligence, actively hunting in our network for those threats that we're missing at our perimeter defense, if such a thing exists, which is another talk we could have later. So now we're more proactively looking for hashes, TTPs, heuristics, right? What are the anomalous things that are happening on the network that make me question whether that anomalous thing should be happening, but it's not being flagged anywhere? And is that anomalous activity repetitive? Have I seen that before? Does it match any known foreign actor TTPs that perhaps I know target my sector? And maybe I will go see if there are additional anomalies like that across my network that would be concerning, right? So this is a much more proactive level of active hunting or active defense on your network.

Yes, so how many of you are
familiar with the phrase "don't be a one-pizza target"? Okay. So what this gets into is how long it actually takes an adversary to get into your network. All right, so is it just going to take them a pizza and an energy drink and they're in? You know, "this server hasn't been patched since 2012." Yes. So you'll notice as we go up the scale we're getting up to more pizzas and more energy drinks, but something I want you to notice is this is finite, right? There's never a number of pizzas and energy drinks that you'll be able to get to that will keep them from getting in, if they want to get in. So that's the idea: you're just trying to make it so hard that, if I'm being blunt, they'll just move to the next person, right? That's really what you're trying to do. Now, you may be in a sector where they're like, "Nope, I'm coming." It's like, okay, you know, that's fine. But for the majority of them out there, you can make it so hard that they'll just move to someone else, and that's really what you're trying to do going up the sliding scale: making it hard, right?

I mean, just like in the real world, physical security: well, if you have locked your car door and your car has an alarm and you've parked in a well-lit area, right, I'm not going to say your car is never going to be stolen, but it's less likely than if I forgot to lock my car in that sketchy parking lot behind the 7-Eleven where there's no lights, right? So there's no such thing as guaranteed cyber security in any of this. There are still advanced persistent threats that, if you are a particular target, right, they may just have to take a lot longer time to breach a network, but we can increase the scale to the adversary; we can increase their time and make it harder for them.

And now we're really going to dive super deep into the kill chain and explain it really competently. We're not doing that now? No.

Okay, how many of you have ever seen the movie Ocean's Eleven? Okay, so this movie actually lines up pretty well with the cyber kill chain. So the first step right there is recon, so we need reconnaissance, right? So if you remember Ocean's Eleven, where do they start? Reconnaissance of the bank vault. So that's what they're going to go out and find: we need the blueprints. So it's the same thing, right? If an APT is doing recon on you, it may be something as simple as just scanning your network; it may be just, you know, looking up on your website to see if email addresses are readily available. "We list all the VPs' email addresses on the website." Oh, there you go. So now all of a sudden we have emails that, you know, we can craft these spear-phishing emails to. You know, we have a person. So there's, and really, I always say when I explain this, there's really two forms of reconnaissance that we don't often talk about. There's the technical reconnaissance, there's the scanning of your network, and there's also sort of the non-technical reconnaissance, depending on if you are a target of a very sophisticated threat actor. Do your technical guys operate blogs where they post questions about things on your network and throw up screenshots of logs? Because that happens probably more frequently than our leadership would like to know that that happens, right? So there's that whole reconnaissance side from an open source intelligence, or OSINT, perspective as well. We may be making it really easy for the adversary to understand things about our organization that perhaps we might not want them to know. And let's not forget good old-fashioned dumpster diving. I have a story about that that I can tell later.

So our next step is weaponization. So in this particular scene in Ocean's Eleven, if you remember, he is trying to convince Benedict to get his briefcase into the vault. So that's really what it encapsulates, right? He is just setting the stage. So weaponization: you've already done the recon, so you've scanned the network, you've seen it, now weaponization, you have to find out how to use that. You know, I'm sure a lot of us have heard of Metasploit. You know, you're going to Metasploit and you're packaging something together. Maybe you go to Shodan and find something that you can use. So that's weaponization. Yeah, so this is informed in large part by the technical or open source reconnaissance activities previously.

So then we have our next step of delivery. So that is taking that payload and actually delivering it. Now, you know, I know a lot of times we think of the phishing email. The delivery can be anything; well, not anything, it can't be anything, but you know, we're looking at email, we're looking at, you know, maybe somebody has put something on a USB stick and just dropped it in a parking lot, maybe there's been a URL that has been set up, you know, to where people can go there and enter credentials. You know, delivery can be anything. In this particular case, delivery is they are delivering that briefcase to the vault, actually, right? And so when we're trying to explain this to non-technical people, I think a lot of people are more familiar with phishing emails. Again, there's lots of different ways that delivery can happen, right? Site redirections, clickjacking, you know, a vendor-compromised laptop in an air-gapped nuclear facility in a Middle Eastern country. There's all sorts of, man, there's just all sorts of delivery examples. USBs in the parking lot apparently still work as well, which is scary enough. So there's lots of different forms of delivering the weaponized payload to the victim, to the intended victim network.

So we move from delivery into exploitation. So if you remember this scene, they're exploiting the security guard's ability to do his job. You know, so they're making this scene, he can't do his job; they're literally exploiting his position. So if we're going with the phishing example, the exploit is I've crafted this email so well that you don't know that it's a
phishing email, and the exploit is that I've caused you to click on that, or I've caused you to open the Word document or the PDF that's attached to it, or I've caused you to go to the website and enter your credentials into this place. That's the exploit, and it most often comes down to exploiting a person. Most often, not all the time. Yeah, so it could be exploiting a person, right? There are very, very sophisticated phishing emails that are out there depending on the threat actor, you know, that could be informed by the reconnaissance phase. There's examples where legitimate documents are downloaded from the victim's network and repackaged with malware. So I mean, it was a legitimate PDF, or it was a legitimate, you know, PowerPoint, which now has a malicious macro in it. And there's also the technical exploitation side of this as well. You know, it could be malware that we know works against these vulnerabilities that you haven't patched; it could be, you know, much more sophisticated versions of malware. Not everything is a zero-day nowadays; that would be a particular example. You know, there's a lot of different technical examples of how we might exploit, you know, the vulnerability that we've discovered, whether it's the people vulnerability or whether it's the technical vulnerability. This is the stage in the kill chain where that is essentially executed.

So we move to the next step, which is installation. And as you can see here, they're literally pushing, I'm using "literally" loosely, I'm sorry, they are pushing the briefcase into the vault. So they have the successful exploitation and now he is moving that in. So along with what the name suggests, installation: they've already clicked on the link, or they've clicked on the Word document that you sent, the PDF that you sent, and now the malware is installing on the system, right? And this is fairly self-explanatory, but depending on the motivations of the threat actor, which you may or may not be able to determine based on your cyber threat intelligence analysis, right, there could be an initial installation, and then if they're trying to maintain persistence there could be multiple other installations as well. And also what we see at this stage now is not only are they trying to install malware, they may just be using tools on your network as well. So sometimes you could consider perhaps that they're operating on this stage a little bit. In a lot of cases, you know, this might be where they're downloading, you know, a packer and a compression and an extraction tool if they're just trying to steal data. This maybe is happening on this stage, but that first initial installation of malware is really what we're talking about at this phase of the kill chain.

And then we move into command and control. So this is, you know, they've installed, and now we get to the place where it's communicating with their infrastructure. Now in this particular one, they're setting up things to where they can see the vault from inside, but if you know the movie, you know this happens way before the actual install of the briefcase into the vault, and that's why we have it here, because I want you to know: we are explaining it in linear order, but it doesn't have to happen in that order. A lot of these steps could be skipped. If you don't have very good security, there's stuff they can skip; all of this, maybe. There's, you know, we have it all the time where CVEs get released, you know, common vulnerability exploits, right? So these get released and they'll just do a scan, you know, and I say "they," you know, they'll just do a scan, find out what has that CVE, and just go for it. They really didn't even have to do any recon on you at all. You know, well, I guess they did; they did a Shodan search. That was good. Anyway. So yeah, that was the example of showing that beforehand, here's to show you how easy it can be if we just don't follow basic hygiene.

And command and control, like most things in cyber security from the adversary perspective, gets more sophisticated depending on the threat actor that you're interested in. Their application methods for command and control have gotten much better than, you know, five years ago. You know, you used to be able to take a SANS class and they would teach you, let's look for some, you know, repetitious beaconing every 20 minutes or something. So that may still happen with some malware, but there are much more obfuscated, much more asymmetric ways that the command and control can be done. So the adversary continues to get technically more proficient in the ways that they will do all aspects of this, to include command and control.

Then we move to the final step in the cyber kill chain, which is actions on objective. So in this particular case it's the exfiltration of money from the vault, something around 120-something million dollars, and you know, Ocean's Eleven, there were 11 of them, right? So it's a pretty good size of money. But actions on objective, you know, if we're talking in the cyber world, can be anything from exfiltration of data; it could be just establishing persistence on the network; it could be moving to other machines that were really the target. You know, they'll gain a foothold wherever they can, and once they're there they'll move wherever they need to go. All right, a lot of people who have a military intelligence background will use "delay, destroy, deny, degrade," those sort of terms, at this stage as well. If the adversary is at this stage in the kill chain, where you're completely evicted, the actions on objective can be whatever that adversary wants to do, right? Are they just going to burn infrastructure and cause you to have a bad day? Are they trying to exfiltrate data? Are they trying to prove a point for diplomatic reasons? Are they going to try to obfuscate their presence and remain there for a really long period of time because it's a long-term espionage campaign? But whatever happens at this stage, no one knows the adversary's there, and basically they can do whatever they want until they are discovered. All right, that's the point we're at if we're describing an adversary intrusion into a
victim Network at this point so that's the kill chain if you have questions about that you can let us know so this okay so we know we need apt analysis we need some cyber threat people we need defensible infrastructure we should be proactive all right great got it no you also should have some sort of priority intelligence requirements right so even if you are a private organization you might not call them intelligence requirements you can call them whatever you wish to call them based on your board or your risk personnel and your senior management but there should be some idea of what are the priorities that your intelligence your CTI analysts should be focusing on
so this can be informed by risk analysis could be informed by doing some initial research into the types of threats that are known to operate against your organization your company your agency and then we we might start to prioritize what we look at because there are way too many just advanced persistent threat actors for you to tell someone analyze advanced persistent threat actors there are probably dormant or active about a hundred and thirty six in open source that you could read about so you know that's my best guess there's a spreadsheet on Google because if you haven't prioritized this then you might have some really good analysts but they might be going down rabbit holes because
they're just kind of free to analyze whatever they're interested in or you know whatever the leader of the day comes down and says I read this on the news what are we susceptible to that no but you might have to do a lot of research to get to that answer so there should still be zatia of what your intelligence your cyber threat intelligence personnel are doing whether you have a big team or a smaller team they really need guidance in priorities yeah a little elementary way to deal with it that I tell children a lot whenever we're talking to you know trying to guide them up in the cyber threat Intel is if your company makes
rubber ducks, then don't spend money trying to stop the APT that's trying to take wooden boats. Yeah, you're focused on the wrong threat actor. Yeah.

All right, how many people are familiar with Bianco's pyramid of pain? Okay, there's a few out there. All right, so it's kind of the reason we have, you know, that pyramid and then the sliding scale of pain, because this kind of serves two purposes. Hash values. All right, if we're gonna block hash values, we mean malware hashes, just to be clear, so malware hashes. I hope everyone out there is familiar with what a hash is. Okay, I'm just gonna move on like everyone is with me. All right, so blocking hashes or detecting hashes on a network is pretty trivial; by that I mean it's pretty easy to do. All right, IP addresses: detecting IP addresses on your network and, like I said, easy, pretty easy to do; you can detect them, you can block them, set an alert, whatever. Domain names: simple, very easy for us to implement. Network and host artifacts, all right, so this is where it starts getting a little more, you know, as you know, we have it up there as annoying. Is everyone familiar with what network and host artifacts are? No? Okay, so host artifacts are, if malware is installed on your system, host artifacts is what it's leaving there. So a lot of times when you install malware on a system it creates a registry key; well, there's a host artifact, it's that registry key, it's the stuff that we're going to look for. Network artifacts, same thing: it's behavior on the network that we're looking at when there's suspicious behavior. So looking for that stuff is a little tougher; you know, you have to have people that know what they're doing, but it's possible. Tools, you know, implementing, you looking for tools that adversaries are using on your network, well now that's gonna be even harder. You know, what do you look for? You know, are you looking for, you know, maybe there's a bug, you know, that every time they send a phishing email it comes from this particular mailer? You know, what exactly are you looking for? So, you know, as we talked about with cyber threat intel, you have to have people looking for this, so, you know, it becomes challenging. TTPs, the highest point of the pyramid, now that's tough, because, you know, everything that's in there all encompasses the TTPs of the adversary, right? So it's going to be just even tougher to look for.

Now the other half of this pyramid is that sliding scale of the adversary. So you're looking for and blocking hash values; I'm not going to say that you shouldn't be doing that, but it's trivial for the adversary, because all they've got to do is, let's say they sent it in a Word document: open the Word document, throw an A at the very end, save it, and now it's a completely different hash. So they can get past that pretty easily. IP addresses, you know, they can just get a new IP address, and now all the IPs that you're blocking, it just doesn't matter. I'm not going to say not to do it, because, you know, better safe than sorry, right? It's like having antivirus on your system: you want it; just because it's not catching everything doesn't mean it's not useful. Domain names, all right, they can just go out and get more domain names, so again, don't not do it. Some adversaries, sometimes more than that, yes, some adversaries are out there, because the more you're doing to disrupt this stuff as we're going up the scale, you know, you notice a trend: as we go up the scale you're making it harder for them. You know, as you start detecting network and host artifacts of what they're doing on your network, well now it's annoying, because now they have to go possibly find more malware to use against you, because you're detecting the artifacts that they're using already. So now they can't establish that persistence, or they can't get what they're trying to get, because you're detecting it. Same thing with the tools: as you start recognizing tools on the network, well now they have to go find new tools. Well, some of these APTs aren't even developing their own tools; they're going out and purchasing from other places. You know, maybe they don't have the technical sophistication to make these tools. That's why you're making it challenging for them: you're forcing them to spend money. Goes back to that "don't be a one-pizza target"; you're trying to make it challenging enough for them. And the TTPs, the last thing, is you start detecting TTPs of the adversary; well now they have to go change TTPs, and I don't think a lot of people appreciate how difficult that is. You know, have you ever, in your organization, when they implement a change (I'm sorry to throw a lot of organizations under the bus), but when they try to implement a change, how difficult is that? It is very difficult. Well, a lot of adversaries out there work like an organization. These are human people doing jobs. Human people, yeah, human people, it has to be said. So yeah, so these are humans doing jobs; like, this is the work that they do. You know, gone are the days of us saying, you know, people in the basements; I mean, these are professionals doing this for a living, at least some of them are professionals. So when we talk about
APTs, I will often use this scale to describe APTs, and I don't know whether this is good or not, but I always go back to the Olympics: like, every single person at the Olympics is amazing; they're not even all close to actually being medal contenders, right? All right, that's my analogy for APTs. All of them have some skill, right? All of them are not me running Nmap and Kali and Metasploit, and, you know, from my house, right? When we talk about an advanced persistent threat actor, there's a certain level of sophistication, organization, probably funding and backing, that pretty much all of the advanced persistent threat groups have. All right, and we can quibble whether any criminal elements count as APTs later; we can have that discussion later if you buy me a beer. But all of the APTs are sophisticated, but they're not all gold medal contenders. Well, here's two of them that are medal contenders pretty much continually. All right, so you have APT28, which is known by a whole bunch of other names, mostly Sofacy and Fancy Bear, and there's APT29, sort of their sister or cousin APT, which is also known as CosmicDuke or Cozy Bear. So both are suspected to be associated with Russia in some capacity, so both of them have funding and nation-state resources from a large country. All right, but they are still human people.

So APT28, for example: it was noticed by researchers that the malware that this organization tends to use, right, was compiled between very certain government working hours, which just happened to align with the times in Moscow/St. Petersburg. Hmm, imagine that. And then there's going to be somebody in the back who's like, "Well, they could have done that on purpose just so you could think it was them," and if you are from a counterintelligence field and had that argument, that's fine, but at some point people don't think through every single thing they're doing for a deception. Yes, I'm not going to say deception may not exist, but sometimes paranoia runs a bit far. So I thought that was really interesting, because even though they are one of the more sophisticated threat actors, right, people still make mistakes; they have habits; these habits may form some of the TTPs that that group becomes associated with. They used to rely on and be known for zero-day vulnerabilities. They're not the only APT set that was known for that, but a lot of APT sets, including APT28, APT29, etc., read all of the open source articles that you and I read about them as well, which is weird if you think about it. So we also kind of help them evolve sometimes, to some degree. So many of the APTs are like, "Well, if they know that when they see this malware it's me, maybe I should use malware that anyone can use." Great, and that's what a lot of the APTs have done, when it works. And why does it work? Because you have unpatched servers from 2006. So why would they need zero-day and custom-made malware when I need you to patch Apache Struts, please, right? So yes, they can be behind VPNFilter malware and NotPetya, but they may not always need that level of sophistication in their intrusion vector if it's not warranted.

And APT29 is also, right, a suspected Russian-backed group. What I like about APT29 is sort of how thorough and how quiet they tend to be; that's really their claim to fame. They are really good about obfuscation and encryption to make the detection very difficult once you are a victim, and they basically also patched their own malware. So, I mean, we have trouble getting people to patch our perimeter security devices, and we have APTs which are, you know, so dedicated that they'll update their malware. So yes, I would consider them to be gold medal contenders, if you will, in the APT spectrum, and there's a lot of information about both of these two advanced persistent threat actors available. But however, just keep in mind, if you have cyber threat intelligence personnel and you're thinking, like, at an organizational level, you should probably have some idea if you are in an industry
that would be targeted by any particular APT. Like I said, there's probably 130 that you could potentially research, so we're just giving you a couple of examples. It doesn't mean that all of you should go to your boss, like, "Oh my god, we need to protect them against APT28," right? You may not be in an industry that is particularly known to be targeted by that particular APT.

And then there's at least one example of a Chinese-associated APT; there are many others. This goes by a number of different names: Deep Panda, APT19, Shell Crew, Pink Panther. So this APT is also known to target a lot of different industries, so this may be one that, if you're not familiar with, regardless of industry, you might want to know a little bit more about. All right, whether it's, you know, government, defense, financial, telecommunications, those are pretty broad industry bases. Some people and organizations will say that, you know, they are behind the Anthem hack; some will also say they're behind the OPM hack; some people might disagree. I tend to believe the OSINT reports that tie them to those. They also have been known to attack healthcare, aerospace and energy sectors, just to ensure that they've covered, you know, multiple very broad industries. And they have their own TTPs as well, so they don't operate exactly the same as some of the Russian-named APT sets do.

So, and I want to try to get through the next couple slides so we could take some questions. So I really like this term, intelligence-driven network defense. Not every organization, company, industry, sector that you might work in will get to this level, but I kind of think that phrase is sort of like, that's the elite level that some organizations will be able to be at, where we have sort of the budget, buy-in, billets, people, risk factor understood, that we now use cyber threat intelligence to drive SOC operations, to inform threat hunting, to be more proactive in how we think about cyber network defense. Bless you. So that's the real quick overview, so I want to kind of open it up for questions, and then if this runs long, you know, we'll be outside if you want to talk to us or have questions, or I brought brochures as well. Thank you.

[Applause]
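The compile-time observation the speakers make about APT28 (malware built during hours that line up with a Moscow workday), as an added example that is not from the talk or from DC3: it parses the TimeDateStamp out of a PE (Windows executable) header and measures what share of a sample set was built during a 9-to-6 weekday in a candidate time zone. The PE headers and build dates are constructed for the demonstration, and Moscow (UTC+3) and US Eastern (UTC-4, summer) are assumed as fixed offsets.

```python
"""Cluster PE compile timestamps against a candidate time zone's working hours.
Added example (not from the talk); PE blobs and dates below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

MOSCOW = timezone(timedelta(hours=3))       # assumption: fixed UTC+3, no DST
US_EASTERN = timezone(timedelta(hours=-4))  # assumption: June, so EDT (UTC-4)


def pe_compile_time(blob: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as an aware UTC datetime."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)  # offset of the "PE\0\0" signature
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # After the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", blob, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def in_working_hours(ts: datetime, tz, start=9, end=18) -> bool:
    """True if ts falls on a Monday-to-Friday between start and end o'clock in tz."""
    local = ts.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end


def working_hours_ratio(blobs, tz) -> float:
    """Fraction of the samples compiled during business hours in the candidate zone."""
    hits = sum(in_working_hours(pe_compile_time(b), tz) for b in blobs)
    return hits / len(blobs)


def make_pe(built_at: datetime) -> bytes:
    """Build a minimal constructed PE header (DOS stub + COFF header) with this stamp."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, int(built_at.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample set: three weekday builds in Moscow office hours, one Saturday build.
SAMPLES = [make_pe(datetime(2015, 6, 16, 11, 0, tzinfo=MOSCOW)),
           make_pe(datetime(2015, 6, 17, 15, 30, tzinfo=MOSCOW)),
           make_pe(datetime(2015, 6, 18, 9, 5, tzinfo=MOSCOW)),
           make_pe(datetime(2015, 6, 20, 13, 0, tzinfo=MOSCOW))]

if __name__ == "__main__":
    for name, tz in (("Moscow UTC+3", MOSCOW), ("US Eastern UTC-4", US_EASTERN)):
        print(f"{name}: {working_hours_ratio(SAMPLES, tz):.0%} of builds in office hours")
```

The same four stamps score 75% in the Moscow zone and 0% in US Eastern, which is the kind of skew the researchers in the talk were pointing at; on real samples you would also have to discount build systems that zero or forge the stamp.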