MITRE ATT&CKcon 2.0: Raiders of the MITRE Framework - How to Build Your Own Threat Library; Valentina Palacin and Ruth Esmerelda Barbacil, Deloitte
Published in: Technology
  1. The Archeologists
     Raiding for The Holy Grail
     The Myth of The Lost Ark
     What Not To Expect
     What To Expect
     Puzzling The Pieces
     Digging Through Ancient Data
     Campaigns
     Tools
     Threat Actors
     Distinguishing Friend from Foe
     Reading The Book of Secrets
     Escaping Data Rubble
  2. Ruth Esmeralda Barbacil, Threat Library Team Lead, Deloitte Argentina
     Valentina Palacin, Threat Library Team Sr. Analyst, Deloitte Argentina
  3. What is a Threat Library?
     Knowledge Base for distilled and curated intelligence insights produced by CTI Research Teams & OSINT Sources.
  4. - It’s not a solution by itself.
     - It’s not an indicator feed.
     - It’s not fixed in time.
     - It’s not a collection of all existing attacks.
     - It’s not perfect.
  5. - Normalized, cataloged and vetted information
     - APT activity journal
     - Key observables for specific threats
     - Context for adversary emulation
     - APT operation analysis and evolution through time
     - All-in-One Accessible Information
  6. - Overabundance of data
     - Diverse formatting and distribution
     - Lack of context
     - Lack of indicators/evidence
     - Lack of linked activity
     - Partial information
     - Uncatalogued information
     - Disappearing sources
     - Overlapping/misattribution
  7. Basic Information
     • Affected Regions/Countries/Industries
     • Campaign Summary
     Main Information
     • Initial Access
     • Tools
     • Repercussions
     Technical Analysis
     • Campaign Evidence
     Analysis, Attribution and Geolocation
     • Analysis
     • Attribution
     • Geolocation Evidence
  8. Basic Information
     • Aliases
     • Description
     Behavioral Analysis
     • Campaign
     • Techniques (ATT&CK)
     • Tactics (ATT&CK)
     • Description
     • Details
     Indicators of Compromise
     Related Threat Actors
  9. Basic Information
     • Affected Regions/Countries/Industries
     • Known Aliases
     • Threat Actor Type
     • Motivations
     • Sophistication level
     Relevant Information
     Toolset
     • Tool & Description
     TTPs
     • Tool
     • Technique (ATT&CK)
     • Tactic (ATT&CK)
     • Technique Description
     Campaigns
     • Campaign date
     • Campaign name
     • Campaign description
     • Campaign intended effect
     • Confidence level
  10. - False flag campaigns
      - Analyst bias
      - Misattribution
      - Misinterpretation of the observables
  11. - False flag campaigns
      - Analyst bias
      - Misattribution
      - Misinterpretation of the observables
      - Analyst lack of specific knowledge
  12. Spanish as official language
  13. Countries which use that expression
      Spanish as official language
  14. - False flag campaigns
      - Analyst bias
      - Misattribution
      - Misinterpretation of the observables
      - Analyst lack of specific knowledge
      - Overlapping Attributions
  15. Rate your sources:
      • Type
      • Region visibility
      • Reputation
      • Availability of IOCs
      But... overrule your own formula if necessary.
  16. 1. Read the source.
         ▪ Identify a paragraph describing a behavior.
      2. Identify first which tactic it belongs to.
         ▪ Simplify the description in a sentence.
      3. Identify the technique.
      Create your own!
  17. DEFENSE EVASION
  18. IMPACT
  19. ?????? ACon001 – Deny System Access
  20. - Choose a good technology to build on.
      - Be prepared to evolve.
      - Do not misunderstand the objectives.
      - It’s not about collecting everything.
      - Define good quality workflows.
  21. - Choose your taxonomy and stick with it.
      - STIX and ATT&CK
      - Think about how the information is going to be consumed.
      - Define a good structure beforehand.
      - Be consistent!!
  22. Ruth Barbacil @33root
      Valentina Palacin @fierytermite
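Added example, not code from the talk or from Deloitte's library: a small Python model of the Threat Actor record on slide 9 (its TTPs and Campaigns tables), the ATT&CK-or-custom technique validation that slide 19's ACon001 and slide 21's "choose your taxonomy and stick with it" call for, and the source-rating formula of slide 15 with the analyst override it mentions. The weights, the 0-1 scales, the low/medium/high confidence scale, the sample tool name and the filing of ACon001 under Impact are all assumptions.

```python
import re
from dataclasses import dataclass

# ATT&CK Enterprise tactic names, used to validate the "Tactic (ATT&CK)" field.
ATTACK_TACTICS = {
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
}
# MITRE technique IDs look like T1566 or T1566.001 (sub-technique).
MITRE_TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
# Custom techniques of the library's own taxonomy. Slide 19 shows
# ACon001 - Deny System Access; filing it under Impact is an assumption.
CUSTOM_TECHNIQUES = {"ACon001": ("Deny System Access", "Impact")}


def validate_technique(technique_id: str) -> str:
    """Return 'attack' for a MITRE ID or 'custom' for a registered custom ID."""
    if MITRE_TECHNIQUE_RE.match(technique_id):
        return "attack"
    if technique_id in CUSTOM_TECHNIQUES:
        return "custom"
    raise ValueError(f"unknown technique id: {technique_id}")


@dataclass
class TTP:
    """One row of the Threat Actor 'TTPs' table (slide 9)."""
    tool: str
    technique_id: str
    tactic: str
    description: str  # the behaviour, simplified to one sentence (slide 16)

    def __post_init__(self) -> None:
        validate_technique(self.technique_id)
        if self.tactic not in ATTACK_TACTICS:
            raise ValueError(f"unknown tactic: {self.tactic}")
        custom = CUSTOM_TECHNIQUES.get(self.technique_id)
        if custom and custom[1] != self.tactic:  # keep the taxonomy consistent
            raise ValueError(f"{self.technique_id} belongs to {custom[1]}")


@dataclass
class Campaign:
    """One row of the 'Campaigns' table (slide 9)."""
    date: str
    name: str
    description: str
    intended_effect: str
    confidence_level: str  # low / medium / high; the scale is an assumption

    def __post_init__(self) -> None:
        if self.confidence_level not in {"low", "medium", "high"}:
            raise ValueError(f"bad confidence level: {self.confidence_level}")


def tactics_covered(ttps: list) -> set:
    """Tactic coverage of an actor profile: a quick completeness check."""
    return {t.tactic for t in ttps}


def rate_source(source_type: str, region_visibility: float, reputation: float,
                has_iocs: bool, override=None) -> float:
    """Score a source 0-10 from the four criteria on slide 15 (weights assumed;
    region_visibility and reputation are 0-1). An explicit analyst override
    wins, as the slide says: overrule your own formula if necessary."""
    if override is not None:
        return float(override)
    type_weight = {"vendor_research": 3.0, "cert": 3.0, "news": 1.0}.get(source_type, 0.0)
    score = type_weight + 2 * region_visibility + 3 * reputation + (2.0 if has_iocs else 0.0)
    return min(score, 10.0)
```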