
In the world of threat intelligence, attribution can be one of the greatest challenges analysts and researchers face. When analyzing large intrusions that spread over years, with the possibility of multiple threat actors operating in the same environment, the task of attributing and separating one kill chain from another can be a daunting one. Some analysts might even be tempted to treat the multiple kill chains as part of a single larger attack, which can often lead to misattribution. Following the discovery of Hafnium attacks targeting Microsoft Exchange vulnerabilities, our team proactively hunted for various threat actors trying to leverage similar techniques in the wild. At the beginning of 2021, our team investigated multiple intrusions targeting the telecommunications industry in multiple countries. This investigation was the beginning of a thrilling journey that ultimately produced great insights and led us to re-examine our perspective on attribution. In our session, we will talk about the challenges that attribution poses for threat intelligence analysts, using a case study of a breach that involved not one, but three sophisticated nation-state APT groups, all suspected to be operating on behalf of Chinese state interests. In the first part of the session, we will share how we initially discovered an active breach that had remained undetected for years, dating back to 2017.
#CTISummit