Advanced Threat Research Methodologies: Unraveling a Triple-APT Intrusion

About Us
Lior Rochberger, Principal Threat Researcher. Lior is a principal threat researcher at Palo Alto Networks, focusing on threat hunting, malware analysis and tracking nation-state APTs.
Tom Fakterman, Senior Threat Researcher. Tom is a senior threat researcher at Palo Alto Networks. On his day to day, Tom focuses on threat hunting, malware research, and threat intelligence.

Agenda
1 Background
2 The Challenges
3 Clustering Methodology
4 Threat Actor Activity + Attribution Methodology
5 Intelligence-Driven Hunting
6 Key Takeaways

Background

The Challenges
Data challenge: Where to begin? How to go over all the data?
Multiple kill chains: Where does one kill chain end and another begin?
Single vs. multiple threat actors: A single threat actor or multiple threat actors in the network?

Clustering Methodology
Clustering dimensions: Tools & Techniques, Kill Chain, Infrastructure
(Diagram: activity grouped into Cluster A, Cluster B and Cluster C)
Cluster A suspect? Cluster B suspect? Cluster C suspect?

Cluster A
ESET's Remote Administrator (signed & verified)
Unknown malware
Abusing existing antivirus software: Trend Micro (signed & verified)

Identifying the Mysterious Backdoor: ToneShell Backdoor
Three DLL components working in tandem
Known Mustang Panda backdoor (AKA Stately Taurus)
Main capabilities: executing commands, file system interaction, downloading & uploading files, keylogging, screen capturing

ShadowPad Backdoor
Popular among Chinese threat actors since at least 2015
Considered to be the successor of PlugX
DLL side-loading into a legitimate component of Bitdefender

Highly Targeted and Intelligence-Driven Operation
Successful login attempts
Assignments of sensitive privileges to new login sessions
(Screenshot: redacted user name of target individual)
Find hostnames of interest
Compromise machines
Gather names of individuals who