1.
The Archeologists
Raiding for The Holy Grail
The Myth of The Lost Ark
What Not To Expect
What To Expect
Puzzling The Pieces
Digging Through Ancient Data
Campaigns
Tools
Threat Actors
Distinguishing Friend from Foe
Reading The Book of Secrets
Escaping Data Rubble
$167

2.
Ruth Esmeralda Barbacil
Threat Library Team Lead
Deloitte Argentina
Valentina Palacin
Threat Library Team Sr. Analyst
Deloitte Argentina

3.
What is a
Threat Library?
Knowledge Base for distilled and
curated intelligence insights
produced by CTI Research Teams
& OSINT Sources.
$167

4.
- It’s not a solution by itself.
- It’s not an indicator feed.
- It’s not fixed in time.
- It’s not a collection of all existing attacks.
- It’s not perfect.

5.
- Normalized, cataloged and vetted information
- APT activity journal
- Key observables for specific threats
- Context for adversary emulation
- APT operation analysis and evolution through time
- All-in-One Accessible Information

6.
- Overabundance of data
- Diverse formatting and distribution
- Lack of context
- Lack of indicators/evidence
- Lack of linked activity
- Partial information
- Uncatalogued information
- Disappearing sources
- Overlapping/misattribution

7.
Basic Information
• Affected Regions/Countries/Industries
• Campaign Summary
Main Information
• Initial Access
• Tools
• Repercussions
Technical Analysis
• Campaign Evidence
Analysis, Attribution and Geolocation
• Analysis
• Attribution
• Geolocation Evidence

8.
Basic Information
• Aliases
• Description
Behavioral Analysis
• Campaign
• Techniques (ATT&CK)
• Tactics (ATT&CK)
• Description
• Details
Indicators of Compromise
Related Threat Actors

9.
Basic Information
• Affected
Regions/Countries/Industries
• Known Aliases
• Threat Actor Type
• Motivations
• Sophistication level
Relevant Information
Toolset
• Tool & Description
TTPs
• Tool
• Technique (ATT&CK)
• Tactic (ATT&CK)
• Technique Description
Campaigns
• Campaign date
• Campaign name
• Campaign description
• Campaign intended effect
• Confidence level

10.
- False flag campaigns
- Analyst bias
- Misattribution
- Misinterpretation of the observables

11.
- False flag campaigns
- Analyst bias
- Misattribution
- Misinterpretation of the observables
- Analyst lack of specific knowledge

12.
Spanish as official
language

13.
Countries which
use that expression
Spanish as official
language

14.
- False flag campaigns
- Analyst bias
- Misattribution
- Misinterpretation of the observables
- Analyst lack of specific knowledge
- Overlapping Attributions

15.
Rate your sources:
… overrule your own
formula if necessary.
• Type
• Region visibility
• Reputation
• Availability of IOCs
But...

16.
1. Read the source.
▪ Identify a paragraph describing a behavior.
2. Identify first which tactic it belongs to.
▪ Simplify the description in a sentence.
3. Identify the technique.
Create your own!

17.
DEFENSE
EVASION

18.
IMPACT

19.
??????
ACon001 – Deny System Access

20.
- Choose a good technology to build on.
- Be prepared to evolve.
- Do not misunderstand the objectives.
- It’s not about collecting everything.
- Define good quality workflows.

21.
- Choose your taxonomy and stick with it.
- STIX and ATT&CK
- Think about how the information is
going to be consumed.
- Define a good structure beforehand.
-Be consistent!!

22.
Ruth Barbacil
@33root
Valentina Palacin
@fierytermite

23.
• QianXin. APT-C-09 Reappeared as Conflict Intensified Between India and
Pakistan. www.ti.qianxin.com. Available at: https://ti.qianxin.com/blog/articles/apt-
c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/ [Accessed
September 2019]
• Cisco Talos. Adamitis Danny, Rascagneres Paul. Sea Turtle keeps on swimming, finds
new victims, DNS hijacking techniques. www.blog.talosintelligence.com. Available at:
https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html
[Accessed August 2019]
• Azpúrua, Andrés, Guerra, C. and Rivas, J. Phishing by Venezuelan government puts
activists and internet users at risk. vesinfiltro.com. Available
from https://vesinfiltro.com/noticias/Phishing_by_Venezuelan_government_targets
_activists/ [Accessed June 2019]

24.
• GReAT. DNS Manipulation in Venezuela in regards to the Humanitarian Aid
Campaign. securelist.com. Available from https://securelist.com/dns-manipulation-in-
venezuela/89592/ [Accessed June 2019]
• Mercer, Warren and Rascagneres, P. DNSpionage brings out the
Karkoff. blog.talosintelligence.com. Available
from https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-
karkoff.html [Accessed June 2019]
• Sherstobitoff Ryan. Threat Group APT28 Slips Office Malware into Doc Citing NYC
Terror Attack. https://securingtomorrow.mcafee.com. Available
at: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/apt28-threat-
group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/ [Accessed March
2019]

25.
• Palo Alto Networks Blog. 2018.Sofacy Continues Global Attacks and Wheels Out New
‘Cannon’ Trojan - Palo Alto Networks Blog. [ONLINE] Available
at:https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-
global-attacks-wheels-new-cannon-trojan/. [Accessed November 2018]
• Arbor Networks Threat Intelligence. 2018. LoJack Becomes a Double-Agent. Available
at: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/. [Accessed
November 2018]
• Cyberscoop. 2018. Russian hackers found the 'ultimate' hacking tool buried in the
supply chain of laptops - CyberScoop. Available
at: https://www.cyberscoop.com/lojack-computrace-fancy-bear-absolute-
kaspersky/. [Accessed November 2018].

26.
• Lee Bryan, Harbison Mike, and Falcone Robert. Sofacy Attacks Multiple Government
Entities. https://unit42.paloaltonetworks.com. Available
at: https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-
multiple-government-entities/ [Accessed March 2019]
• ThreatConnect Research Team. Fancy Bear Pens the Worst Blog Posts
Ever. https://threatconnect.com. Available at: https://threatconnect.com/fancy-bear-
leverages-blogspot/ [Accessed March 2019]
• Kovacs Eduard. Russian "Fancy Bear" Hackers Abuse Blogspot for
Phishing. https://www.securityweek.com. Available
at: https://www.securityweek.com/russian-fancy-bear-hackers-abuse-blogspot-
phishing [Accessed March 2019]

27.
• Smith, Lindsay and Read, B. APT28 Targets Hospitality Sector, Presents Threat to
Travelers. www.fireeye.com. Available at https://www.fireeye.com/blog/threat-
research/2017/08/apt28-targets-hospitality-sector.html [Accessed January 2019]
• Hacquebord, Feike. Update on Pawn Storm: New Targets and Politically Motivated
Campaigns. https://blog.trendmicro.com. Available
at: https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-
new-targets-politically-motivated-campaigns/ [Accessed March 2019]
• Cisco Talos. "Cyber Conflict" Decoy Document Used In Real Cyber
Conflict. https://blog.talosintelligence.com. Available
at: https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-
document.html [Accessed March 2019]

28.
• Palmer, Danny. Hackers are using a Flash flaw in fake document in this new spying
campaign. www.zdnet.com Available at: https://www.zdnet.com/article/hackers-are-
using-a-flash-flaw-in-fake-document-in-this-new-spying-campaign/ [Accessed January
2019]
• Palmer, Danny. Hackers race to use Flash exploit before vulnerable systems are
patched. www.zdnet.com Available at: https://www.zdnet.com/article/hackers-race-to-
use-flash-exploit-before-vulnerable-systems-are-patched/ [Accessed January 2019]
• Conference Agenda | Underwater Defence & Security. 2018. Conference Agenda |
Underwater Defence & Security. ww.underwater-defence-security.com Available
at: http://www.underwater-defence-security.com/conference-agenda.php. [Accessed
November 2018]

29.
• Netzpolitik. Digital Attack on German Parliament: Investigative Report on the
Hack of the Left Party Infrastructure in
Bundestag. https://netzpolitik.org. Available
at: https://netzpolitik.org/2015/digital-attack-on-german-parliament-
investigative-report-on-the-hack-of-the-left-party-infrastructure-in-
bundestag/ [Accessed March 2019]
• FireEye Labs. Operation RussianDoll: Adobe & Windows Zero-Day Exploits
Likely Leveraged by Russia's APT28 in Highly-Targeted
Attack. https://www.fireye.com. Available
at: https://www.fireeye.com/blog/threat-
research/2015/04/probable_apt28_useo.html [Accessed March 2019]

30.
• Trend Micro. From Espionage to Cyber Propaganda: Pawn Storm's Activities over the
Past Two Years. trendmicro.com Available
at: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/espionage-
cyber-propaganda-two-years-of-pawn-storm [Accessed January 2019]
• Sean Gallagher. Evidence suggests Russia behind hack of French president-
elect. arstechnica.com Available at https://arstechnica.com/information-
technology/2017/05/evidence-suggests-russia-behind-hack-of-french-presidential-
candidate/ [Accessed January 2019]
• Feike Hacquebord. Pawn Storm Targets German Christian Democratic
Union. blog.trendmicro.com Available at https://blog.trendmicro.com/trendlabs-
security-intelligence/pawn-storm-targets-german-christian-democratic-
union/. [Accessed January 2019]

31.
• Sean Baird, Nick Biacini. Gmail Worm Requiring You To Give It A Push And Apparently You
All Are Really Helpful. blog.talosintelligence.com Available
at: https://blog.talosintelligence.com/2017/05/google-oauth-phish.html [Accessed
January 2019]
• Graham Cluley. “Google Docs” Worm Ransacks Gmail Users’ Contact Lists – What You
Need to Know. tripwire.com Available at https://www.tripwire.com/state-of-
security/security-data-protection/google-docs-worm-ransacks-gmail-users-need-
know/ [Accessed January 2019]
• Thomas Brewster. A Massive Google Docs Phish Hits 1 Million Gmail Accounts -
UPDATED. forbes.com Available
at https://www.forbes.com/sites/thomasbrewster/2017/05/03/massive-google-gmail-
phish-many-victims/#22a27ce242a1 [Accesed January 2019]

32.
• Feike Hacquebord. Pawn Storm Abuses Open Authentication in Advanced Social
Engineering Attacks. blog.trendmicro.com Available
at https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-
authentication-advanced-social-engineering-
attacks/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-
MalwareBlog+%28Trendlabs+Security+Intelligence+BI [Accessed January 2019]
• FireEye, APT28: At the center of the storm. Russia strategically evolves its cyber
operations. Available
at: https://arintel.atlassian.net/wiki/download/attachments/189753/FireEye_APT28-
Center-of-Storm(01-11-
2017).pdf?version=1&modificationDate=1490291952562&cacheVersion=1&api=v2 [Acces
sed January 2019]

33.
• HackRead, World Anti-Doping Agency Site Hacked; Thousands of Accounts
Leaked. Available at: https://www.hackread.com/world-anti-doping-agency-site-
hacked/ [Accessed January 2019]
• U.S.. 2016. Exclusive: FBI probes hacking of Democratic congressional group |
Reuters. Available at: https://www.reuters.com/article/us-usa-cyber-democrats-
exclusive/exclusive-fbi-probes-hacking-of-democratic-congressional-group-
sources-idUSKCN1082Y7. [Accessed November 2018]
• netyksho_et_al_indictment.pdf | Department of Justice.
2018. netyksho_et_al_indictment.pdf | Department of Justice. Available
at: https://www.justice.gov/file/1080281/. [Accessed November 2018].

34.
• Alperovitch, Dmitri. Bears in the Midst: Intrusion into the Democratic National
Committee. www.crowdstrike.com/. Available
from https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-
committee/ [Accessed November 2018]
• The United States District Court for the District of Columbia. Case 1:18-cr-00215-ABJ -
INDICTMENT. www.justice.gov. Available
from https://www.justice.gov/file/1080281/download [Accessed November 2018]
• WADA. WADA Confirms Attack by Russian Cyber Espionage Group. https://www.wada-
ama.org. Available at: https://www.wada-ama.org/en/media/news/2016-09/wada-
confirms-attack-by-russian-cyber-espionage-group [Accessed March 2019]

35.
• Lee, Briand and Falcone, R. Sofacy Group’s Parallel
Attacks. researchcenter.paloaltonetworks.com. Available
from https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-
parallel-attacks/ [Accessed June 2018]
• ThreatConnect Research Team. Belling the BEAR. https://threatconnect.com.
Available at: https://threatconnect.com/russia-hacks-bellingcat-mh17-
investigation/ [Accessed March 2019]
• Falcone, Robert. Sofacy Uses DealersChoice to Target European Government
Agency. unit42.paloaltonetworks.com at: https://unit42.paloaltonetworks.com/u
nit42-sofacy-uses-dealerschoice-target-european-government-agency/ [Accessed
January 2019]

36.
• FireEye Labs. APT28: A Window into Russia's Cyber Espionage Operations?. Available
at: https://arintel.atlassian.net/wiki/download/attachments/209890/apt28.pdf?versi
on=1&modificationDate=1490317815345&cacheVersion=1&api=v2 [Accessed March
2019]
• Rafia Shaikh. Denmark Says Russia's APT28 "Very Likely" Hacked Defense Ministry
Emails. wccftech.com. Available at https://wccftech.com/denmark-russia-apt28-
hacked-defense/ [Accessed January 2019]
• The New York Times Company. Denmark Says ‘Key Elements’ of Russian Government
Hacked Defense Ministry. nytimes.com Available
at https://www.nytimes.com/2017/04/24/world/europe/russia-denmark-hacking-
cyberattack-defense-ministry.html?_r=2 [Accessed January 2019]

37.
• ESET Research. Sednit: What's going on with
Zebrocy. https://www.welivesecurity.com. Available
at: https://www.welivesecurity.com/2018/11/20/sednit-whats-going-
zebrocy/ [Accessed March 2019]
• Jasper Manuel and Joie Salvio. LockerGoga: Ransomware Targeting Critical
Infrastructure. fortinet.com. Available at https://www.fortinet.com/blog/threat-
research/lockergoga-ransomeware-targeting-critical-infrastructure.html [Accessed
Aug 2019]
• Threatrecon Team. SectorJ04 Group’s Increased Activity in
2019. threatrecon.nshc.net. Available
at https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-
in-2019/ [Accessed October 2019]

38.
• Counter Threat Unit Research Team. The Curious Case of Mia Ash: Fake Persona Lures
Middle Eastern Targets.twww.secureworks.com. Available
at https://www.secureworks.com/research/the-curious-case-of-mia-ash [Accessed
October 2019]
• Riley, Aaron and Feller, M. Phishing Campaigns are Manipulating the Windows
Control Panel Extension to Deliver Banking Trojans.tcofense.com. Available
at https://cofense.com/phishing-campaigns-manipulating-windows-control-panel-
extension-deliver-banking-trojans/ [Accessed October 2019]
• Accenture Security. Threat Campaign Likely Targeting NATO Members, Defense and
Military Outlets. https://www.accenture.com. Available
at: https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-
94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-
Defense-and-Military-Outlets.pdf [Accessed March 2019]

39.
• Malpedia. OilRig. malpedia.caad.fkie.fraunhofer.de. Available
at https://malpedia.caad.fkie.fraunhofer.de/actor/oilrig [Accessed October 2019]
• Kuhnert, Nils. OilRig. aptmap.netlify.com. Available
at https://aptmap.netlify.com/#OilRig [Accessed October 2019]
• Kuhnert, Nils. Chrysene. aptmap.netlify.com. Available
at https://aptmap.netlify.com/#CHRYSENE
• [Accessed October 2019]
• Mitre ATT&CK. APT28. https://attack.mitre.org/. Available
at: https://attack.mitre.org/groups/G0007/ [Accessed March 2019]

40.
• Alex Hern. Macron hackers linked to Russian-affiliated group behind US
attack. theguardian.com Available
at: https://www.theguardian.com/world/2017/may/08/macron-hackers-linked-to-russian-
affiliated-group-behind-us-attack [Accessed January 2019]
• Sherstobitoff Ryan. Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror
Attack. https://securingtomorrow.mcafee.com. Available
at: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/apt28-threat-group-
adopts-dde-technique-nyc-attack-theme-in-latest-campaign/ [Accessed March 2019]
• ThaiCERT. A Threat Actor Encyclopedia. www.thaicert.or.th. Available
at https://www.thaicert.or.th/downloads/files/A_Threat_Actor_Encyclopedia.pdf [Accesse
d October 2019]

41.
• ThreatConnect Research Team. A Song of Intel and
Fancy. https://www.threatconnect.com. Available
at: https://www.threatconnect.com/blog/using-fancy-bear-ssl-certificate-
information-to-identify-their-infrastructure/ [Accessed March 2019]
• Muncaster, Phil. APT28 Back in RussianDoll Attack Using Adobe, Windows
Flaws. https://www.infosecurity-
magazine.com.Available at: https://www.infosecurity-
magazine.com/news/apt28-back-russiandoll-attack/ [Accessed March 2019]