Azeria Labs
  • ARM Assembly
    • Part 1: Introduction to ARM Assembly
    • Part 2: ARM Data Types and Registers
    • Part 3: ARM Instruction Set
    • Part 4: Memory Instructions: LDR/STR
    • Part 5: Load and Store Multiple
    • Part 6: Conditional Execution and Branching
    • Part 7: Stack and Functions
    • Assembly Basics Cheatsheet
  • Online Assembler
  • Exploitation
    • Writing ARM Shellcode
    • TCP Bind Shell in Assembly (ARM 32-bit)
    • TCP Reverse Shell in Assembly (ARM 32-bit)
    • Process Memory and Memory Corruption
    • Stack Overflows (Arm32)
    • Return Oriented Programming (Arm32)
    • Stack Overflow Challenges
    • Process Continuation Shellcode
    • Glibc Heap – malloc
    • Glibc Heap – free, bins, tcache
    • Part 1: Heap Exploit Development
    • Part 2: Heap Overflows and the iOS Kernel
    • Part 3: Grooming the iOS Kernel Heap
  • Lab Environment
    • ARM Lab VM 1.0
    • ARM Lab VM 2.0
    • Debugging with GDB and GEF
    • Emulate Raspberry Pi with QEMU
    • Running Arm Binaries on x86 with QEMU-User
    • Emulating Arm Firmware
  • TrustZone Research
    • TEEs and Arm TrustZone
    • Trustonic’s Kinibi TEE
  • Self-Improvement
    • Deep Work & The 30-Hour Method
    • Paradox of Choice
    • The Process of Mastering a Skill
  • About
Introduction

Espionage campaigns performed by Advanced Persistent Threat (APT) groups against government entities are a critical issue, because state secrets, if disclosed, would damage national security or international cooperation. Nowadays, security companies gain insight into espionage operations by offering incident response services that allow governments and large organizations to take a closer look at what is going on in their networks, thus discovering espionage operations and emerging threats. This in turn allows security companies to analyze these incidents on a deeper level and share some of their insights with the public in order to provide a better understanding of the current threat landscape. Although this makes espionage operations more visible, proving that a particular threat actor or nation-state is behind an attack is still difficult. Much research in recent years has focused on analysis of the malware used in APT attacks by extracting Indicators of Compromise (IoCs) such as hash values, IP addresses, network and host artifacts, and the tools used during the attack. This approach leaves a gap in understanding the operational nature of a malicious operation and the limitations of an attacker, which makes it difficult to detect and respond to the adversaries' behavior rather than their tools. The effort an adversary needs to invest in order to reinvent their behaviors is much larger than the effort needed to change IoCs. Moreover, the motivation of a threat group can be determined by analyzing their TTPs, which allows an organization to estimate the likelihood of being targeted by this particular group.

In this research, strategic threat intelligence is used to investigate the tactical nature of chosen APT groups. This form of threat intelligence is classified as human observations, analysis and conclusions drawn from a given data set. The data set used in this research is compiled from many different sources, including news stories and reports from security researchers and security organizations that document data breaches and incidents. However, the data set used in this analysis is extremely limited: not all compromises of a specific APT group are discovered, not all of the discovered compromises are reported, and not all the facts of any specific compromise are uncovered. Another key issue that complicates this field of research is the lack of standardization in reporting and analyzing TTPs. Moreover, because attribution is difficult, some facts released in reports about certain APT groups may be misleading or even incorrect.

Because most of the publicly available information is fragmented, limited and inconsistent in its nature, the analysis provided in this research presents only a general perspective on the TTPs used by the chosen Advanced Persistent Threat groups. In order to enhance the proposed model, additional study and information is required. However, despite this limited coverage, this research aims to establish a new way of analyzing sophisticated attacks by eliminating the limitations of the IoC-based approach. In this way, the efficiency comes from the analysis of the attacker's methodology rather than of specific tools and artifacts, which can be easily altered.

Real world examples

Two real-world examples were selected to illustrate how TTPs are used by different APT groups. APT28, believed to have Russian origins, and APT30, a Chinese-speaking threat actor, were chosen because of their differing mentalities. These groups are analyzed in parallel in order to show that the same step in the APT life-cycle can be performed in multiple ways.

Stages of an APT attack

Reconnaissance

Describes how attackers prepare for their campaign. This step mainly consists of information gathering through OSINT, passive and active fingerprinting, etc.

Initial Compromise

The step where the initial foothold is established. The most common approaches include spear-phishing, watering hole attacks or direct exploitation.

Persistence

Persistence is deployed to maintain access to compromised systems. Common techniques rely on file system and registry changes.

Command & Control

Communication between the infected system and the attacker is controlled via a central server. Some techniques involve cloud-based services.

Privilege Escalation

Allows stealthier persistence and effective credential harvesting. Achieved by abusing an insecure configuration or by attacking the system via a zero-day vulnerability.

Lateral Movement

Propagation across the target infrastructure by abusing collected credentials or exploiting unpatched systems. Facilitates asset discovery.

Asset Discovery

The stage where attackers try to discover valuable information. Performed by searching files, gaining access to specific systems, etc.

Data Exfiltration

Describes the exfiltration of sensitive data collected during the campaign. Outlines the techniques used to copy files to the attacker's server.

Intro

  • Introduction
  • Advanced Persistent Threats (APTs)
  • Tactics, Techniques, and Procedures (TTPs)
  • IOCs vs. TTPs
  • Intro to APT28 & APT30

Stages of APT

  • Reconnaissance
  • Initial Compromise
  • Persistence
  • Command and Control
  • Privilege Escalation
  • Lateral Movement
  • Asset Discovery
  • Data Exfiltration

© 2017-2022 Azeria Labs™ | All Rights Reserved.