Unraveling the Mind behind the APT: Analyzing the Role of Pretexting in CTI and Attribution
Speaker: Sanne Maasakkers
Black Hat USA 2024 Briefings

Contents
01 Introduction
02 Research concept
03 Analyzing content
04 Analyzing context
05 Results & demos
06 Conclusion & outlook

Introduction: Sanne
- Joined Mandiant Intelligence / Google Cloud in 2023 as Senior Analyst
- Previously worked in the Red Team / Research & Intel Fusion Team (Fox-IT) and the Fusion Centre (NCSC-NL), analyzing threats against The Netherlands
- Malware, and being creative with (actor/threat) data
- Coach of the European CTF team, creator of Hackchallenges
- EU lead at (DEFCON's) Adversary Village

Introduction: Threat groups
[Chart: share of threat groups (%) by initial infection vector: Exploit, Phishing, Prior Compromise, Stolen Credentials, Brute Force, Web Compromise, Server Compromise, Third-Party Compromise, Other, Phishing (Social Media), SIM Swap; the percentage values are not recoverable from the slide text]

Introduction: Threat groups
[Slides: diagram of UNC (uncategorized) threat-group clusters]

Introduction: Clustering
Emails are associated with a threat group mostly through various technical, tactical and strategical indicators, including:
- Technical: reuse of malware or code within malware attachments; reuse of infrastructure, including IP addresses, domains, and hosting providers.
- Tactical: consistent use of specific tactics in the infection chain; patterns in infrastructure.
- Strategical: common geographical and industry targeting.
- Behavioral

Introduction: Behavioral (spear phishing)

Research concept
This research focuses on the behavioral characteristics of APT phishing emails, including the pretext and email scenario, and their importance in linking (new) phishing campaigns to their authors. This includes both the content and context of the email.

Research concept: Example
Subject: software update
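The clustering slide lists the indicator classes an analyst weighs when linking an email to a threat group, and the research concept adds the behavioral class (pretext and email scenario). The following Python is an added example, not code from the talk or from Mandiant: it scores one email against constructed cluster profiles on all four classes and only asserts a link when the weighted score clears a threshold. Every cluster name, hash, domain, IP address, infection-chain stage, weight and sample email below is constructed for illustration; the weights and threshold are assumptions, not values from the slides.

```python
"""Added example, not from the talk: attribute a phishing email to a known
threat-group cluster by scoring indicator overlap in the classes the slides
list (technical, tactical, strategical) plus the behavioral class the
research adds (pretext and email scenario). All cluster names, hashes,
domains, IPs, weights and sample emails are constructed for illustration."""

# Constructed cluster profiles; a real CTI platform would supply these.
CLUSTERS = {
    "UNC-1001": {
        "hashes": {"sha256:CONSTRUCTED-HASH-A"},
        "infra": {"update-portal.example", "203.0.113.10"},
        "chain": ("lnk", "powershell", "dll-sideload"),
        "sectors": {"defense"},
        "countries": {"NL", "DE"},
        "pretexts": {"software update", "license renewal"},
    },
    "UNC-2002": {
        "hashes": {"sha256:CONSTRUCTED-HASH-B"},
        "infra": {"invoice-share.example", "198.51.100.7"},
        "chain": ("iso", "lnk", "msbuild"),
        "sectors": {"finance"},
        "countries": {"US"},
        "pretexts": {"overdue invoice", "payment confirmation"},
    },
}

# Assumed weights: a malware or infrastructure hit counts more than a
# targeting hit, because unrelated groups often share targeting.
WEIGHTS = {"technical": 3, "tactical": 2, "strategical": 1, "behavioral": 2}
THRESHOLD = 4  # assumed minimum weighted score before asserting a link


def indicator_matches(email, profile):
    """Count matches per indicator class between one email and one profile."""
    subject = email["subject"].lower()
    return {
        # Technical: shared attachment hashes or shared infrastructure.
        "technical": len(email["hashes"] & profile["hashes"])
        + len(email["infra"] & profile["infra"]),
        # Tactical: infection chain compared as an ordered sequence of stages.
        "tactical": int(tuple(email["chain"]) == profile["chain"]),
        # Strategical: same targeted sector and/or country.
        "strategical": int(email["sector"] in profile["sectors"])
        + int(email["country"] in profile["countries"]),
        # Behavioral: subject carries one of the cluster's known pretexts.
        "behavioral": sum(1 for p in profile["pretexts"] if p in subject),
    }


def weighted_score(matches):
    """Collapse per-class match counts into one weighted score."""
    return sum(WEIGHTS[k] * n for k, n in matches.items())


def attribute(email, clusters=CLUSTERS, threshold=THRESHOLD):
    """Return (cluster_name, score, matches) for the best-scoring cluster,
    or ("unattributed", score, matches) when no cluster clears the threshold."""
    best_name, best_score, best_matches = "unattributed", 0, {}
    for name, profile in clusters.items():
        matches = indicator_matches(email, profile)
        score = weighted_score(matches)
        if score > best_score:
            best_name, best_score, best_matches = name, score, matches
    if best_score < threshold:
        return "unattributed", best_score, best_matches
    return best_name, best_score, best_matches


# Constructed sample emails (fields already extracted from the message).
E1 = {"hashes": {"sha256:CONSTRUCTED-HASH-A"}, "infra": {"203.0.113.10"},
      "chain": ("lnk", "powershell", "dll-sideload"), "sector": "defense",
      "country": "NL", "subject": "Software Update required for your VPN client"}
E2 = {"hashes": {"sha256:CONSTRUCTED-HASH-NEW"}, "infra": {"198.51.100.7"},
      "chain": ("iso", "lnk", "msbuild"), "sector": "finance",
      "country": "US", "subject": "Overdue invoice #4471"}
E3 = {"hashes": {"sha256:CONSTRUCTED-HASH-C"}, "infra": {"files-drop.example"},
      "chain": ("docx", "macro"), "sector": "defense",
      "country": "DE", "subject": "Conference agenda"}

if __name__ == "__main__":
    for label, email in (("E1", E1), ("E2", E2), ("E3", E3)):
        name, score, matches = attribute(email)
        print(f"{label}: {name} score={score} matches={matches}")
```

E1 links to UNC-1001 on every class, E2 links to UNC-2002 through infrastructure, chain and pretext even though its attachment hash is new, and E3 stays unattributed because sector and country alone score below the threshold. The returned `matches` dictionary is the evidence an analyst would record alongside the verdict, so a link driven only by the behavioral class is visible as such rather than hidden inside a single number.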