Building on the initial research you did on your APT group last week, for this week’s discussion, I want you to familiarize yourself with the Lockheed Martin “Cyber Kill Chain” (https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain) and then identify your APT group’s tools, techniques, and procedures (TTPs) for the Exploitation, Installation, and Command and Control phases.

1) What Indicators of Compromise (IOCs) would suggest that this adversary is present on a network?

2) What techniques or tools are they using to evade detection by host-based detection products? What techniques or tools are they using to evade network-based detection?

3) Assuming you work in an affected company’s incident response/network defense team, what steps would you take to remediate and mitigate the threat? Note: posting that you would improve security awareness/education training does NOT remediate against an on-going operation and as such, I won’t provide credit if I see this answer posted. Ditto with a posting that says use vendor X’s product (Falcon View, etc.).

4) How would you present the case to your management that the APT group is on the network and would it matter to the company whether the threat was coming from a suspect state-sponsored actor? If so/not, explain.

My expectation for this post is that you will use multiple APT reports to identify such indicators, so I’ll expect to see references from multiple cyber security vendors’ reporting in your citations. Note that the same group could be called something different by a different cyber security vendor, so I’ll provide you with this Google Group page as a starting point to help you identify other names for your APT actors: https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml
Write a response/comment to this discussion board
APT 26 is a group that has been known under the names Turbine Panda, Hippo Team, and JerseyMikes among many other names. The group utilizes tools such as Cobalt Strike, Derusbi, and Mivast to attack various sectors such as the defense and financial sectors. For the exploitation phase, APT 26 attacks the supply chain of the targets such as a hosting service. This is considered a strategic web compromise which will help the group gain access to the target’s site. During the command and control phase they will get access to the data of the target through a data breach.
Some indicators of compromise for this group are errors with the hosting sites as well as unusual network traffic. In order to combat this, someone should be checking the network traffic and keeping tabs on whatever hosting sites are being utilized by the company.
The group uses the stolen credentials to get inside data and information and attacks hosting sites as well as their direct target. Through the usage of many different malware families such as PlugX, Winnti, and Cobalt, the group is able to hide their information and breach their target’s defenses.
Due to the group’s method of attacks, I believe that if any hosting sites are being used, they must be as secure as possible and prepared for attacks from the APT 26 group. Additionally, due to the group’s history of stealing credentials, we must make sure that our organization is promptly following the principle of least privilege so that if the group attains credentials, they cannot mess with the system too much.
To present the case, I would mention any errors with a hosting service that we are using. Additionally, unusual activity and traffic to our website could be an indicator that APT 26 is currently targeting our organization. Depending on the types of malware present in our system, we would be able to determine if the malware has anything in common with APT 26 and if there are similarities, we could assume that the attacks are being carried out by APT 26. If the attacks are sophisticated with a multitude of tools, we can say that the group is sponsored by a state.