It was ~2 weeks ago when Costin Raiu wrote an article on “Where are all the ‘A’s in APT?”. In this article, Costin focused on what is regarded as sophisticated in observed APT attacks as well as how future detected sophisticated attacks will look like:
This is a great blog post from Digital Shadows . Their team has gone through Mueller GRU indictment and mapped the mentioned capabilities to ATT&CK framework TTPs (accompanied with mitigation advice per TTP).
Blue teams should learn from this type of analysis:
During the past years, there has been a lot of public reporting on APT activity of group with Russia and China nexus. However, it has been observed that more and more countries have developed such advanced capabilities and their activity is captured and reported by the vendors and mainstream media.
FireEye’s list of sophisticated actors and naming conventions looks like this:
ENISA has released the first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of TIP users, developers, vendors and the security research community.
The study channels its efforts into identifying some of the key opportunities and limitations of existing platforms and solutions, since information exchange formats and tools remain central items on the agenda of the cybersecurity community in general, and particularly of incident responders.
CrySyS Lab has provided a great document on its analysis on NSA’s perspective on the APT landscape. The analysis is based on Shadow Brokers leak (“Lost in Translation” leak) and most specifically on the module called “Territorial Dispute“. The purpose of this module is to detect presence of competing state intelligence services. NSA wanted to secure its operations, avoid any conflict between “Five Eyes” group as well as get intelligence on the targets of the competing state intelligence services.
See below some interesting points related to the analysis done by CrySyS Lab:
I recently came across an interesting research paper from University of Innsbruck. The title of the parer is “Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives“.
According to the abstract of the paper: “In the last couple of years, organizations have demonstrated an increased willingness to exchange information and knowledge regarding vulnerabilities, threats, incidents and mitigation strategies in order to collectively protect against today’s sophisticated cyber attacks. As a reaction to this trend, software vendors started to create offerings that facilitate this exchange and appear under the umbrella term “Threat Intelligence Sharing Platforms”. To which extent these platforms provide the needed means for exchange and information sharing remains unclear as they lack a common definition, innovation in this area is mostly driven by vendors and empirical research is rare. To close this gap, we examine the state-of-the-art software vendor landscape of these platforms, identify gaps and present arising research perspectives. Therefore, we conducted a systematic study of 22 threat intelligence sharing platforms and compared them. We derived 8 key findings and discuss how existing gaps should be addressed by future research.”
The authors conduct their research by exploring the capabilities of the following 22 Threat Intelligence Platforms: