UN session about the modern ICT threat landscape.
The session aimed to introduce recent threats targeting UN agencies and some recommendations to improve the detection, investigation and understanding of these threats and their goals.
2. Who am I?
Hacker and cracker of the nineties, turned to good before major disasters…
I am currently Principal Advisory Consultant for the RSA Incident Response team.
Prior to joining RSA I worked in several big IT corporations such as Digital, HP and Cisco.
I led IR teams engaged against cybercriminals and sophisticated attackers.
3. Agenda
Introduction to modern ICT Threat landscape
APT Attacks and cases
Reasons to be concerned
What to do
What to avoid
Detailed review of most threatening actors
Recommendations
4. Back then…
Richard Pryce
Albert Gonzalez
"Captain Crunch"
John Draper
Jeanson James Ancheta
“Phiber Optik”
Mark Abene
Kevin Poulsen
5. Now…
Map of Lazarus Group targets (countries shown): Mexico, Brazil, Turkey, Saudi Arabia, Iran, India, Bangladesh, Russia, China, Taiwan, Republic of Korea, Malaysia, Indonesia, Vietnam, US.
Lazarus Group is a malicious adversary responsible for crippling ICT attacks and cyberespionage campaigns targeting the financial, media and manufacturing sectors.
6. … and more...
Map of the Carbanak gang's area of activities (countries shown): US, Brazil, Canada, Morocco, Spain, Iceland, UK, France, Switzerland, Italy, Germany, Norway, Czech Republic, Poland, Bulgaria, Ukraine, Russia, Pakistan, India, Nepal, China, Hong Kong, Taiwan, Australia, Qatar, UAE.
Carbanak is a sophisticated cybercriminal gang targeting the financial sector worldwide.
7. What has changed?
Interconnected environments: nearly 3 billion people (40%) have access to the Internet!
Collective nervous system: our lives now depend on many devices.
Technology is transforming how we interact and live with each other.
8. What has changed?
Different types of players, from traditional cybercriminals to hacktivists to sophisticated fraudsters to cyber espionage groups.
Varied actions, from ransomware to spear-phishing to drive-by download.
New tools used to perform attacks.
Data has become the end goal, user trust the means and malware the tool.
Sophisticated tools: modern malware is able to disable antivirus and intrusion prevention mechanisms.
The threat landscape
9. Type of attacks
Cybercrime: identity theft, money theft, phishing, bullying, cyber stalking, theft of personal or company data, ransomware, cryptominers.
Cyberwarfare: cyber espionage, cyber attacks, propaganda, infiltration support, targeted DDoS.
10. APT Attacks
Targeted against «strategic» users to gain access to key assets.
Can do much damage long before an organization knows that it has been hit!
69% of victims learn from a third party that they have been compromised.
Focus on the weakest links of your defense chain, targeting specific system vulnerabilities and specific people.
11. Recent attacks
Map (countries shown): France, the Netherlands, Switzerland, Germany, Ukraine, Russia.
Olympic Destroyer (probably an APT28 attack): on February 9, shortly before the Pyeongchang opening ceremonies, televisions at the main press centre, wi-fi at the Olympic Stadium and the official website were taken down.
Hackers used the so-called “Olympic Destroyer”, a strain of malware that allowed the attackers to wipe files and make systems inoperable.
Initially, experts blamed North Korea for the attack; later, intelligence officers attributed the cyber attack to Russia.
12. Recent attacks
Epic Turla, also known as the Uroburos APT group.
Turla is a Russian cyber espionage APT active since at least 2007.
It targets government organizations and private businesses.
The list of known victims is long and includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.
Recently ESET revealed that Epic Turla breached Germany’s Federal Foreign Office, siphoning data for almost the whole of 2017.
Map (countries shown): US, UK, Germany, Italy, Syria, Iraq, Azerbaijan, Turkmenistan, Kazakhstan, Tunisia, Venezuela, Brazil, Paraguay, Pakistan, Iran, Qatar, Kuwait, Saudi Arabia, Uzbekistan, Kyrgyzstan, Tajikistan, Afghanistan.
13. Case study – Tracking dissidents
In 2012 the Axiom APT group targeted an international non-governmental organization that conducts research and advocacy on human rights.
The attack aimed to collect data on Tibetan and Chinese dissidents living abroad¹.
The attack started against a web server, exploiting a ColdFusion vulnerability, and proceeded internally by stealing user and administrator accounts.
¹ https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
Attack diagram (steps 1 to 3): ColdFusion exploit against the target web server; stolen admin accounts; bulletproof servers (China).
14. Case study – Tracking dissidents
Leveraging the stolen accounts and implanting GhostRat and Derusbi malware, the attacker sneaked into the environment and collected information related to Tibetan, Chinese and Uyghur dissidents.
Attack diagram (steps 4 to 8, via bulletproof servers in China).
It was the transfer of the stolen data that alerted the victim.
My team was able to track the entire attack, blocking the data hemorrhage.
15. Another case – a UN breach
In May 2017 selected individuals of the United Nations Committee investigating violations of sanctions on North Korea (UN 1718 Committee) received a zip file with a plausible-sounding email from a “known” source.
The email was written with a highly personalized message, which shows the hackers had very detailed insight into the panel’s structure and working methods.
Attack diagram (steps 1 to 3; nodes: exploited email server, somewhere in North Korea, public VPN servers, victim).
16. Another case – a UN breach
The victims opened the malicious attachment, activating a sophisticated Trojan.
A few hours later, the attacker moved laterally to the internal Committee database, where a significant amount of evidence and documents were stored.
The attacker showed interest in both Committee staff credentials and the data stored in the database, probably counting on the harvested credentials to perform additional actions.
Attack diagram (steps 4 to 6; nodes: somewhere in North Korea, public VPN servers, victim, UN Committee database).
The attack lasted a week and was identified by reviewing access to the database during non-business hours. It was attributed to North Korea’s main spy agency (Unit 180), known as “Lazarus Group” or APT37.
19. Here are a few reasons...
A number of governments are interested in evaluating in advance the actions planned by UN missions in several key areas such as:
Yemen
Syria
Central Africa
Sudan
A number of organizations and corporations are interested in anticipating actions aimed at supporting local farmers and redeveloping territories in Africa, by purchasing these territories from local farmers before they receive UN support.
A number of governments are interested in being able to create fake documentation under the UN insignia, to simplify the job of their undercover agents or to give their fake identities the chance to travel on diplomatic visas.
20. Biggest threat? Targeted Attacks
While cyber frauds target every type of organization and can be fought with traditional technology and resources, targeted attacks are the biggest threat to any modern public or private organization.
While APTs may use the same techniques as traditional attacks, such as drive-by download and spear phishing, they differ from common infections because they target strategic users to gain undetected access to key assets.
APTs can do insidious damage long before an organization knows that it has been hit.
The attribution of an APT attack is mainly based on the uniqueness of the tools each APT group uses.
22. As an organization….
A mixed approach based on technology and human knowledge.
Modern antispam, host intrusion prevention systems and firewalls.
Incident Response capabilities to ensure a proper reaction.
Incident Response tools to empower IR personnel.
Training on how to spot cyber attacks.
As an individual…
Keep yourself informed about ICT risks.
Avoid disseminating sensitive information about yourself and your work.
Avoid clicking on links or attachments sent through untrusted channels.
Avoid using insecure channels while working.
Don’t try to solve a potential infection alone, but escalate the issue to dedicated staff.
25. What to do – how to react
Protecting against APT attacks is a major concern in the field of cybersecurity.
APTs can evade traditional detection, causing tremendous damage to organizations.
Compared with traditional cyberattacks, APTs exhibit two distinctive characteristics:
a) The attacker behind an APT is a well-resourced and well-organized group, with the goal of stealing as much sensitive data as possible from a specific organization.
b) Based on meticulous reconnaissance, the attacker launches a preliminary advanced social engineering attack on a few target users to gain footholds in the organization, and then gains access to critical information stealthily and slowly.
To date, the detection of APTs is far from mature.
Consequently, the key to successfully responding to an APT attack is to ensure all internal staff are aware of the risks and act accordingly in any “suspicious” or clearly malicious situation.
26. What to do…
Again… don’t panic.
Follow the rules and procedures for these cases.
Don’t turn off your computer.
Don’t modify your credentials.
Escalate the problem to the proper, dedicated staff.
Use a separate channel to communicate the problem internally (by phone or from a different computer).
Inform your manager.
Don’t use the potentially breached computer until dedicated staff have investigated it and cleared it of any compromise.
31. Recommended behavior
Reduce the risk of being targeted by advanced actors by avoiding publishing information related to your job and private information about your life.
Avoid pointing your browser to malicious or untrusted websites.
Avoid trusting unknown “third parties” through chats, IMs and other media when at work and using corporate assets.
Avoid clicking on any link or potential content not inspected by your company antivirus and antispam.
Don’t use cracked software.
Don’t install programs collected from untrusted sources on p2p networks.
DON’T USE THE SAME PASSWORD IN MULTIPLE CONTEXTS AND PUBLIC SERVICES.
33. Naikon (APT30)
Naikon is a state-sponsored gang able to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets.
It has carried out attacks in a number of Asian countries, as well as against the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).
To get into target networks, Naikon relies on email as the attack vector and studies its victims through social engineering techniques and social media.
Data collection, prior to an attack, includes a significant set of private or public data related to the most “interesting” targets.
Naikon’s initial attacks use decoy content built around local topics of interest for the victims and showing.
The adversary showed remarkable capabilities to adapt its initial attack strategy to the most effective way to breach in, keeping the user's trust as the main initial objective of the infection.
34. Naikon attack strategy
The attacker studies the target to ensure the success of its initial spear-phishing, preparing appropriate content and distributing it to specific, selected victims in the targeted organization. Once the infection succeeds, the attacker moves laterally and extends its control over the victim organization using commonly available tools such as psexec, procdump and other Microsoft sysadmin tools.
Only for specific tasks does it use a custom backdoor based on the HDoor family.
Much of Naikon’s spear-phish and decoy documents match highly-charged geopolitical events.
The consistent list of military, economic, and political targets clearly illustrates the actor’s areas of interest.
The name “Naikon” was derived from the User-Agent string “NOKIAN95” found in the beacons of the second-stage backdoor.
35. Emissary Panda (APT 27)
Also known as TG-3390, it is a hacking group of Chinese origin which targets selected organizations related to education, energy and technology.
In the past, Emissary Panda has used many ways to target its victims, the most notable being the exploits from the Hacking Team leak.
Usually, Emissary Panda malware is either the well-known ‘PlugX’ or the ‘HttpBrowser’ RAT, tools with clear Chinese origins whose usage is limited to Chinese APTs.
Typical APT 27 attacks are based on an initial compromise of victim servers, used as a trampoline to move laterally or to execute spear-phishing attacks against internal users, sending messages via trusted systems (the exploited servers already inside the victim perimeter).
To compromise web servers, Emissary Panda leverages zero-day exploits and webshells¹.
¹ Webshells are malicious code written in PHP, ASPX or other common web-based languages and extensions.
36. Emissary Panda and webshells
Below is shown a typical first-stage attack of APT 27 targeting a public web server and implanting a webshell.
The reported webshell is called “China Chopper”. It is a simple backdoor composed of two key modules:
the webshell client binary;
the text-based webshell payload (server component).
The China Chopper client communicates over TCP using HTTP/HTTPS POST requests to the server component.
The webshell is very small and powerful, allowing the attacker to use it as a real Trojan.
The server component includes a significant set of options allowing terminal access and file system management.
APT 27 seems to stick with the China Chopper webshell more than any other APT group.
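Two detections that follow from the traffic descriptions above, as an added example that is not part of the presentation: the China Chopper server component is driven purely by HTTP POST bodies, so a script path that is only ever POSTed to, never fetched with GET and never carrying a Referer, stands out in an access log; and the Naikon second-stage beacon is recognisable by its “NOKIAN95” User-Agent. The log lines, hosts and paths are constructed samples in Combined Log Format.

```python
"""Added example (not from the presentation): two detections over a web-server
access log, written from the defender's side.
  1. China Chopper style webshell traffic: a script path that is only ever
     POSTed to, never fetched with GET and never carrying a Referer.
  2. The Naikon second-stage beacon, recognisable by its "NOKIAN95" User-Agent.
The log lines below are constructed samples in Combined Log Format."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:09:01:10 +0000] "GET /index.aspx HTTP/1.1" 200 5120 "https://portal.example.test/" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2018:09:01:12 +0000] "GET /news.aspx HTTP/1.1" 200 4210 "https://portal.example.test/index.aspx" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2018:09:05:30 +0000] "POST /images/up.aspx HTTP/1.1" 200 310 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2018:09:05:44 +0000] "POST /images/up.aspx HTTP/1.1" 200 1988 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2018:09:06:02 +0000] "POST /images/up.aspx HTTP/1.1" 200 77 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Mar/2018:09:07:00 +0000] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example.test/login.aspx" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2018:09:07:01 +0000] "GET /login.aspx HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
10.0.0.21 - - [12/Mar/2018:09:09:15 +0000] "GET /update/check.php HTTP/1.1" 200 64 "-" "NOKIAN95"
this line is deliberately malformed and must be skipped by the parser
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_webshell_candidates(entries, min_posts=3):
    """Paths that are only ever POSTed to and never carry a Referer.

    A legitimate form such as /login.aspx is also fetched with GET and usually
    arrives with a Referer, so it drops out; a one-line webshell script that is
    driven purely by POST bodies does not.
    """
    methods = defaultdict(set)
    referers = defaultdict(set)
    posts = defaultdict(int)
    for e in entries:
        methods[e["path"]].add(e["method"])
        referers[e["path"]].add(e["referer"])
        if e["method"] == "POST":
            posts[e["path"]] += 1
    return sorted(
        p for p in posts
        if methods[p] == {"POST"} and referers[p] <= {"-"} and posts[p] >= min_posts)

# User-Agent strings known from the beacons described in the slides.
BEACON_USER_AGENTS = {"NOKIAN95"}

def find_beacon_user_agents(entries):
    """Return (src, path, ua) tuples whose User-Agent matches a known beacon."""
    return [(e["src"], e["path"], e["ua"])
            for e in entries if e["ua"] in BEACON_USER_AGENTS]

def run(text=SAMPLE_LOG):
    entries = list(parse_log(text))
    return {"webshell_paths": find_webshell_candidates(entries),
            "beacons": find_beacon_user_agents(entries)}

if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

Raise `min_posts` on a busy server to keep single stray POSTs out of the candidate list; the POST-only check is what distinguishes the webshell from ordinary forms.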
37. APT27 attack strategy
Attack flow diagram: scan and fingerprint web services → exploit vulnerable services → implant webshell → dump credentials and attempt lateral movements → scan networks → implant backdoor on interesting targets → collect data → move data to controlled machines → exfiltrate data. If this fails: forge messages → send messages to selected victims including malicious content or links.
The group steals intellectual property through its custom backdoors: PlugX and the HttpBrowser RAT.
After the initial compromise, the adversary leverages typical scanners like nbtscan or the scanline network scanner to identify additional targets and to prepare its lateral movements through the network.
38. APT 27 latest trend
In recent days, a growing number of security researchers have reported a new infection campaign attributed to APT27 with a number of peculiar characteristics, as reported by Bitdefender:
https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/
In particular, the infection campaign, named “Pzchao”, is based on highly targeted spam messages, but more interestingly, at a certain stage of the attack the attacker deployed cryptominers (Monero) on a number of systems after the traditional exfiltration stage.
The reason behind the adoption of such noisy software is still under scrutiny.
The same actions have been reported in recent attacks against UN agencies as well. We studied some of these cases involving UN environments this year.
39. APT 28
APT28, also known as “Fancy Bear”, “Sofacy Group” or “Sednit”, is a cyber espionage group associated with the Russian military intelligence agency GRU.
In 2018, an indictment¹ by the United States Special Counsel identified Fancy Bear as two GRU units known as Unit 26165 and Unit 74455.
Fancy Bear's methods are consistent with the capabilities of state actors.
The group targets government, military, and security organizations, such as those of Caucasian countries and NATO-aligned states.
Fancy Bear is responsible for cyber attacks on the German parliament, the French television station TV5Monde, the White House, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.
The group promotes the political interests of the Russian government by helping favored foreign political candidates win elections.
¹ See source: https://www.justice.gov/file/1080281/download
40. APT 28 compromise strategy
APT 28 attack strategies leverage a set of specialized malware.
The attack is multistage.
In the first stage, the adversary attempts to infect less protected targets, such as non-IT personnel and roaming systems.
During the second stage the attacker tends to maintain persistence by implementing backdoors.
The third stage is reached only if the attackers need to escalate control over strategic systems such as:
Points of Contact: systems that could be used to access the environment from outside (a typical Point of Contact is a laptop or a VPN concentrator).
Strategic Systems: hosts holding interesting data or that could be used as a jumpbox to other network segments (a typical Strategic System is an Active Directory server or a jumpbox).
41. First Stage attack
The “first stage” targets are chosen with extreme care.
The malware used in this phase is a dropper with basic info-stealing capabilities (named Coreshell).
The malcode has the option to extract information such as accounts or other similar data and to upload the stolen information to an external C2 server.
From the C2 the attacker can command the malware to “evolve”, by downloading and executing the second stage: the backdoor.
Note: Coreshell is the evolution of the Sourface dropper (the latter was used until early 2015).
Once the infected machine communicates with the external C2, the attacker is aware of the infected system, its users and any additional interesting data.
The attacker can expand control over the victim or leave it, moving on to other targets.
Usually, at this stage, the less interesting victims are cleared of any malware.
The attacker prefers to keep control over just a handful of interesting systems to lower the risk of being caught.
42. Second stage
The second stage involves a backdoor: “Eviltoss”.
The backdoor serves as the preferred point of entrance to the target environment.
The Eviltoss infection is limited to a small subset of the initially infected hosts.
The backdoor shares a number of commonalities with Coreshell.
The communication mechanism is protected with the same algorithm.
Eviltoss is usually packed (encrypted) and has a set of hardcoded configuration shared with Coreshell.
Eviltoss is extremely functional for persistence in a target system.
The setup of Eviltoss is carried out via download and execution through the C2 or additional dropzones.
Once Eviltoss is active, the attacker can access the victim’s filesystem and steal any type of data.
He can also activate a shell to directly execute additional commands.
Eviltoss allows the attacker to move laterally to other systems, further extending the magnitude of the attack and the exposure of the environment.
43. APT 28 attack strategy
Usually, it takes weeks or months for APT 28 attacks to escalate from stage 2 to stage 3.
APT 28 usually starts monitoring the controlled hosts and moves “laterally” before even considering further enhancement of its control.
Once the attacker has the “big picture” of “how the environment works”, it may decide to implement a tailored implant against strategic hosts.
The implant is a highly customized Trojan named Chopstick that is configured to work only in the targeted environment.
The implant is used only when persistence must be guaranteed at all costs or if the victim is a highly interesting target.
APT 28 has a version of this implant tailored to work on mobile devices such as iOS systems (X-Agent malware).
44. Third Stage
Sometimes, APT 28 is forced to evolve its attack to stage 3 in order to access air-gapped environments, as in the case of the Italian Navy¹.
In these cases, the attacker collects data and credentials related to the target system and then implants the Trojan (named “Chopstick” or “X-Agent”).
Compared to Eviltoss, the Trojan is far more complex, to the point that the samples worked only if we replicated the exact same conditions of the original victim or after reversing the malware code and patching it.
Chopstick allows the attacker to gain full control of the infected system and it can also include specific features such as “activation” only under specific conditions or replication in specific cases.
All this is included in the Chopstick configuration file, bundled with the malware.
Chopstick uses C2 servers, but can also work without direct contact with them for long periods of time.
APT28 passes from Eviltoss to Chopstick only on systems that are key to the economy of its attack.
APT28 tends to implement strong encryption and strong anti-reverse-engineering measures in every variant of Chopstick.
45. APT29
APT29, also known as Cozy Bear, is a Russian black hat group associated with Russian intelligence.
The Dutch AIVD deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR)¹.
Cybersecurity firm CrowdStrike suggested that it may be associated with either the Russian Federal Security Service (FSB) or the SVR.
Cozy Bear had been compromising diplomatic organizations and governments since at least 2010.
Cozy Bear is behind the 'HAMMERTOSS' remote access tool, which uses commonly visited websites like Twitter and GitHub to relay command data.
¹ See source: https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/
46. APT 29 First Stage attack
As seen in APT 28 attacks, the first stage is executed against a small number of selected targets belonging to the victim infrastructure.
The targets are usually chosen with extreme care.
The attackers carefully avoid infecting IT or security related personnel.
Usually, at this stage the malware used is a common dropper aimed at detonating the Hammertoss backdoor.
The spear phishing hits the victim with emails containing malicious attachments or links to malicious websites aimed at compromising the victim's browser via web access (“drive-by download”).
The Hammertoss backdoor is dropped and installed via exploits of Office applications or via “drive-by download” through browser vulnerabilities.
At this point the attacker can enhance control by moving to a second stage for a handful of interesting hosts.
The remaining machines are cleared of any malware or artifact in order to avoid DFIR analysis and lower the chance of finding the original “patient zero”.
Once infected, the backdoor communicates with the external C2 via Twitter or other HTTP/HTTPS based applications.
All communications are encrypted with basic encryption.
47. APT 29 Second Stage
The upgrade commands were published via Twitter accounts (in our case).
The upgrade forced the infected system to download plugins as encrypted images (using steganography).
The encrypted data included instructions to execute commands via PowerShell, to execute a file, or to save a file and execute it.
In several cases, the PowerShell commands directed HAMMERTOSS to upload data from the victim to cloud storage services using login credentials received via Twitter.
APT29 tends to avoid long persistence in the victim environment.
In a relatively high number of cases, once the data had been exfiltrated, the attacker completely abandoned persistence in the target environment.
Through the Twitter channel, the attacker sent commands by publishing them on his account.
Each infected host was managed separately (using separate Twitter channels).
Once the malware is upgraded, the attacker can access the victim’s filesystem and steal any type of data. He can also activate command shells to directly execute several tasks.
Once the interesting data was collected, APT 29 cleared all involved systems using secure removal techniques.
The malware can process the commands, decrypt the content from the image and execute the extracted content.
Hammertoss allowed the attacker to access the system and control the target, supporting the setup of other malicious tools and lateral movement to other systems in the environment.
48. APT 29 characteristics
APT29 mainly uses the Hammertoss malware.
The group's work hours seem to align with the UTC+3 time zone, which contains cities such as Moscow and St. Petersburg.
The group appeared to cease operations on Russian holidays.
The group showed discipline and consistency in clearing the tracks of its attack after reaching its goal.
APT29 almost always uses anti-forensic techniques, and monitors victim remediation efforts in order to subvert them.
The group appears to use almost solely compromised servers for CnC to enhance the security of its operations, and maintains a rapid development cycle for its malware by quickly modifying tools to undermine detection.
The group targets a wide set of different types of targets such as political parties, security companies, and military and political institutions worldwide.
The approach, the malware used and the way APT 29 acts in infected networks show similarities with advanced cybercriminal groups such as Carbanak.
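Two of the time-based observations in this deck rest on the same analysis, and this added example (not the presenter's tooling) implements both: the UN 1718 Committee breach was spotted by reviewing database access during non-business hours, and the UTC+3 working-hours pattern is what supports the APT29 attribution above. The audit-log lines and activity timestamps are constructed samples; the business-hours window and the candidate offsets are assumptions.

```python
"""Added example (not from the presentation) covering two of its points:
  1. the UN 1718 Committee breach was spotted by reviewing database access
     during non-business hours;
  2. APT29's activity aligns with UTC+3 working hours.
Both use one helper that converts UTC events to a candidate local time.
All log lines and timestamps are constructed samples."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed audit-log lines: "<ISO-8601 UTC timestamp> <user> <action>".
DB_AUDIT_LOG = """\
2017-05-15T09:12:04Z analyst1 SELECT
2017-05-15T14:48:31Z analyst2 SELECT
2017-05-16T02:17:55Z analyst2 SELECT
2017-05-16T02:19:10Z analyst2 EXPORT
2017-05-20T11:02:00Z analyst1 SELECT
2017-05-17T17:59:59Z analyst3 SELECT
not a log line
"""

def parse_audit_log(text):
    """Return (utc_datetime, user, action) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts.replace(tzinfo=timezone.utc), parts[1], parts[2]))
    return events

def to_local(ts_utc, offset_hours):
    """Shift a UTC timestamp into a fixed-offset local zone (e.g. 3 for UTC+3)."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))

def off_hours_events(events, offset_hours, start_hour=8, end_hour=18):
    """Events that fall on a weekend or outside [start_hour, end_hour) local time.

    Run over a database audit trail, this is the check that exposed the
    week-long UN Committee intrusion described in the slides.
    """
    flagged = []
    for ts, user, action in events:
        local = to_local(ts, offset_hours)
        if local.weekday() >= 5 or not (start_hour <= local.hour < end_hour):
            flagged.append((local.isoformat(), user, action))
    return flagged

# Constructed attacker activity (UTC): C2 check-ins, file timestamps, commits.
_UTC_TIMES = ["06:05", "07:40", "08:30", "10:15", "11:40",
              "13:20", "14:55", "06:50", "12:05", "14:30"]
ACTOR_ACTIVITY_UTC = [datetime(2018, 3, 12, int(h), int(m), tzinfo=timezone.utc)
                      for h, m in (t.split(":") for t in _UTC_TIMES)]

def hour_histogram(timestamps, offset_hours):
    """Number of events per local hour of day under the given offset."""
    return Counter(to_local(t, offset_hours).hour for t in timestamps)

def best_fit_offsets(timestamps, candidates=range(-12, 15), work=(9, 18)):
    """Offsets under which the largest share of events fall in working hours.

    Returns (share, [offsets]); several offsets tie when the sample is small,
    so this is supporting evidence for attribution, never proof by itself.
    """
    shares = {}
    for off in candidates:
        hist = hour_histogram(timestamps, off)
        in_work = sum(n for hour, n in hist.items() if work[0] <= hour < work[1])
        shares[off] = in_work / len(timestamps) if timestamps else 0.0
    best = max(shares.values())
    return best, sorted(off for off, share in shares.items() if share == best)

if __name__ == "__main__":
    for row in off_hours_events(parse_audit_log(DB_AUDIT_LOG), 0):
        print("off-hours access:", row)
    print("best-fit UTC offset(s):", best_fit_offsets(ACTOR_ACTIVITY_UTC))
```

A holiday calendar for the candidate zone can be added as a second filter in the same way the weekend check is done here; the slides note that APT29 ceased operations on Russian holidays.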
49. APT 37
APT 37, also known as Reaper, is a group carrying out attacks on behalf of the North Korean government, as its malware artifacts and targets are aligned with North Korean state interests.
The group's operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware.
Prevalent targets of APT 37 are South Korea, Japan, Vietnam and the Middle East, in various industry verticals including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
Recently, APT 37 was involved in cyber-espionage against UN agencies.
Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately are typical attack vectors and strategies adopted by the adversary.
The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
50. APT 37
APT37 employs a suite of malware for initial intrusion and exfiltration.
Its malware is characterized by a focus on stealing information from victims, with many tools set up to automatically exfiltrate data of interest.
Along with custom malware, APT37 has access to destructive malware.
In April 2017, it targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware.
RUHAPPY can overwrite a machine's Master Boot Record (MBR), causing the system to fail to boot into preconfigured partitions.
It is possible that APT 37’s distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service (DDoS) attacks, or for other activity such as financially motivated campaigns or disruptive operations. Disruptive and destructive cyber threat activity, including the use of wiper malware, public leaks of proprietary materials by false hacktivist personas, DDoS attacks and electronic warfare tactics such as GPS signal jamming, is consistent with past behavior by other North Korean actors.
51. Organization recommendations
Effective defense against these attackers can be ensured only through Incident Response (IR) capabilities.
Ideally, organizations empowered by IR should balance people, process and technology.
Solid incident responders with solid technology but no well-designed, validated and established processes and procedures will leave an organization less than optimally defended.
An effective IR-enabled agency requires all three dimensions (people, process, technology) to work well and improve together.
It is important to create lightweight policies, plans, and procedures related to incident response, with management buy-in, to effectively protect the environment against cyber security attacks.
In addition, the IR team must adopt a methodology to investigate attacks.
52. How to investigate APT attacks
The matter is discussed frequently among subject matter experts.
Several approaches have been evaluated.
The most effective, based on public works and research, is arranged around a mix of technologies and skills.
Diagram: ensure complete network visibility; ensure system and log visibility; analyze malicious artifacts to extract IOCs (network, system and log indicators); classification and attribution; incident surface; triage planned from a tailored set of strategic actions.
53. The investigative methodology we use is based on Actionable IOCs (AIOCs).
To build AIOCs, we employ a systematic approach that relies on the synergy of network and host visibility with log and malware analysis, in order to identify key indicators that can be formalized and stored in an organized knowledge base for rapid reuse during subsequent investigations.
The knowledge base aggregates the Actionable IOCs (otherwise they remain atomic indicators) to build actor attack profiles that can be quickly applied to investigations, in order to streamline response efforts and give non-circumstantial evidence towards attribution of malicious actors.
Succeeding in rapid attribution during the early stages of an incident investigation can significantly lower the time required to scope the presence of the attacker and to prepare a proper mitigation strategy to expel the adversary in the proper fashion.
Our investigation
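A minimal Actionable-IOC knowledge base in the spirit of slides 53 to 55, as an added example and not the presenter's own tooling: atomic indicators get a type, a weight and the source that formalized them, are grouped into actor attack profiles, and are matched against what a new incident shows to give a ranked, explainable attribution. Actor and tool names come from the slides; the hash values, weights and the observed incident are constructed.

```python
"""Added example (not the presenter's tooling): a minimal Actionable-IOC
knowledge base in the spirit of slides 53-55. Atomic indicators are formalized
with a type, a weight (how specific to the actor they are) and the source that
formalized them, grouped into actor attack profiles, and matched against what a
new incident shows to give a ranked, explainable attribution. Actor names and
tool names come from the slides; hash values and weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AIOC:
    kind: str      # "hash", "domain", "user_agent", "tool", "ttp"
    value: str
    weight: float  # 1.0 = unique to this actor, 0.1 = commodity tooling
    source: str    # lab analysis, peer review, vendor report ...

@dataclass
class ActorProfile:
    name: str
    indicators: set = field(default_factory=set)

class KnowledgeBase:
    def __init__(self):
        self.profiles = {}
        self._index = defaultdict(list)  # (kind, value) -> [(actor, AIOC)]

    def add(self, actor, aioc):
        self.profiles.setdefault(actor, ActorProfile(actor)).indicators.add(aioc)
        self._index[(aioc.kind, aioc.value.lower())].append((actor, aioc))

    def shared(self):
        """Indicators seen in more than one profile: still atomic, not actionable
        on their own (psexec is used by Naikon and APT27 alike)."""
        return sorted(key for key, hits in self._index.items()
                      if len({actor for actor, _ in hits}) > 1)

    def attribute(self, observed):
        """observed: iterable of (kind, value) from the current incident.
        Returns [(actor, score, evidence)] sorted by descending score."""
        scores, evidence = defaultdict(float), defaultdict(list)
        for kind, value in observed:
            for actor, aioc in self._index.get((kind, value.lower()), []):
                scores[actor] += aioc.weight
                evidence[actor].append(f"{kind}={value} [{aioc.source}]")
        ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
        return [(actor, round(score, 2), evidence[actor]) for actor, score in ranked]

def build_sample_kb():
    """Constructed profiles; weights and the hash are placeholders, not real IOCs."""
    kb = KnowledgeBase()
    for actor, kind, value, weight, src in [
        ("Naikon", "tool", "psexec", 0.1, "lab analysis"),
        ("Naikon", "tool", "procdump", 0.1, "lab analysis"),
        ("Naikon", "tool", "HDoor", 0.9, "peer review"),
        ("Naikon", "user_agent", "NOKIAN95", 0.8, "lab analysis"),
        ("Naikon", "hash", "PLACEHOLDER_SHA256_NAIKON_1", 1.0, "lab analysis"),
        ("APT27", "tool", "psexec", 0.1, "lab analysis"),
        ("APT27", "tool", "nbtscan", 0.2, "lab analysis"),
        ("APT27", "tool", "China Chopper", 0.5, "peer review"),
        ("APT27", "tool", "PlugX", 0.7, "vendor report"),
        ("APT27", "tool", "HttpBrowser", 0.8, "peer review"),
        ("APT28", "tool", "Coreshell", 0.8, "lab analysis"),
        ("APT28", "tool", "Eviltoss", 0.9, "lab analysis"),
        ("APT28", "tool", "Chopstick", 0.9, "peer review"),
    ]:
        kb.add(actor, AIOC(kind, value, weight, src))
    return kb

# Constructed findings from a hypothetical incident.
SAMPLE_OBSERVED = [("tool", "psexec"), ("tool", "procdump"),
                   ("user_agent", "NOKIAN95"), ("tool", "hdoor")]

if __name__ == "__main__":
    kb = build_sample_kb()
    print("shared (atomic) indicators:", kb.shared())
    for actor, score, why in kb.attribute(SAMPLE_OBSERVED):
        print(f"{actor}: {score} <- {why}")
```

The evidence list returned with each score is what makes the attribution non-circumstantial: every point traces back to a formalized indicator and the source that formalized it.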
54. IoCs from the analysis
• In our approach, malware analysis is a key element in generating reliable IOCs, because it is the moment when the artifacts discovered in the compromised systems can “talk” to the analyst and present the indicators needed to measure the extent and the goal of the actual attack.
• There are several IOCs that can be extracted from a good malware analysis process, and I am not assuming this necessarily means reverse engineering the malware.
• Even a simple Yara rule that allows analysts to perform a file sweep on an entire segment of a network, or an entire enterprise, could be enough.
• The most important aspect in transforming atomic IOCs into Actionable IOCs is the formalization process, made through comparison with the consolidated KB, lab analyses and peer review.
• An important support for the formalization of AIOCs is the “retrohunting” feature offered by VirusTotal.
55. Actionable IOCs are an answer to the need for solid indicators to support the investigation, attribution and triage of incidents generated by malicious actors.
The adoption of this methodology can positively impact investigation and triage, but also improves knowledge of the tools and strategies adopted by the adversaries.
The formalization process behind it can facilitate the exchange of information and indicators without the risk of unintentional leakage of sensitive information and, in short, strengthen the proactive and reactive capabilities of any organization.
Conclusion