Espionage campaigns performed by Advanced Persistent Threat (APT) groups against government entities are a critical issue, because state secrets, if disclosed, would damage national security or international cooperation. Nowadays, security companies can gain insights into espionage operations by offering incident response services that allow governments and large organizations to take a closer look at what is going on in their networks, thus discovering espionage operations and emerging threats. This in turn allows security companies to analyze these incidents on a deeper level and share some of their insights with the public in order to provide a better understanding of the current threat landscape. Although this makes espionage operations more visible, proving that a particular threat actor or nation-state is behind an attack is still difficult. Much research in recent years has focused on the analysis of malware used in APT attacks by extracting Indicators of Compromise (IoC) such as hash values, IP addresses, network and host artifacts, and the tools used during the attack. This approach leaves a gap in understanding the operational nature of a malicious operation and the limitations of an attacker, which makes it difficult to detect and respond to the adversaries’ behavior instead of their tools. The effort an adversary needs to invest in order to reinvent their behaviors, that is, their Tactics, Techniques and Procedures (TTPs), is much larger than the effort needed to change IoCs. Moreover, the motivation of a threat group can be determined by analyzing their TTPs, which in turn allows estimating the likelihood that an organization will be targeted by this particular group.
In this research, strategic threat intelligence is used to investigate the tactical nature of selected APT groups. This form of threat intelligence comprises human observations, analysis and conclusions drawn from a given data set. The data set used in this research is compiled from many different sources, including news stories and reports from security researchers and security organizations that document data breaches and incidents. However, the data set used in this analysis is extremely limited, because not all compromises of a specific APT group are discovered, not all of the discovered compromises are reported, and not all the facts of any specific compromise are uncovered. Another key issue that complicates this field of research is the lack of standardization in reporting and analyzing TTPs. Moreover, because attribution is difficult, some facts released in reports about certain APT groups may be misleading or even incorrect.
Because most of the publicly available information is fragmented, limited and inconsistent in nature, the analysis provided in this research presents only a general perspective on the TTPs used by the selected Advanced Persistent Threat groups. In order to enhance the proposed model, additional study and information are required. However, despite this limited coverage, the purpose of this research is to establish a new way of analyzing sophisticated attacks by eliminating the limitations of the IoC-based approach. In this way, the efficiency comes from analyzing the attacker’s methodology rather than specific tools and artifacts, which can be easily altered.