Understanding Threat Actors

Berk Dusunur
4 min readFeb 23, 2022


Hello everyone. I am excited to publish my second article of 2022, ‘Understanding Threat Actors’.

This post is about the threats, working techniques, tools and methods that threat actors use. Almost every threat intelligence analyst accepts this rule:

Try to understand Threat Actors, so you can fight against them!

That means you need a knowledge base covering threat methods, threat tools, threat motivations and threat working techniques. This post will help you understand threats and protect your information technology systems against cyber threats and attacks.

I would like to start by describing threats through Advanced Persistent Threat (APT) groups.

Advanced Persistent Threat (APT)

APTs are among the most critical threats to information technology systems. APT groups target industrial systems, government systems and critical infrastructure. Once inside, they may stay in the target's internal network for years, persistently extracting data from it.

Detecting APT Group in Internal Network

We know that APT groups do not target a system only once: they extract data persistently, so we must monitor the internal network continuously. We can detect the threat by monitoring the endpoints and the network traffic inside the internal network.

To steal data, the attackers need a Command and Control (C&C) server, either inside your internal network or on an external network such as a remote server they control. They also need a protocol for the infected endpoints and the C&C server to talk to each other. C&C channels are usually grouped by generation:

  • IRC (Internet Relay Chat) protocol-based — 1st generation.
  • P2P (Peer to Peer) protocol-based — 2nd generation.
  • HTTPS (Hypertext Transfer Protocol Secure) protocol-based — 3rd generation.

Let's discuss the example case below.

There is an internal network of 20 endpoints joined to Active Directory, and one of the endpoints is talking to a remote server located outside your country over a P2P protocol.

SIEM tools usually filter traffic by protocol, so you can detect this kind of threat quickly. But it is not always that easy. Sometimes attackers place the C&C server inside the internal network, so you should also check internal traffic: which endpoint is talking to which other network device, and which protocol they use while talking.

The other method is stealing data over HTTPS. HTTPS is one of the most common protocols: almost all your endpoints use it during the working day to visit websites or internal web applications. This is one way APT groups stay anonymous inside your internal network, because their traffic blends in with normal browsing. Detecting this method is hard for a SIEM tool or a security officer, but not impossible.

Check your endpoints' working hours, for example 9:00 AM to 5:00 PM. If you see HTTPS or other protocol traffic between 5:00 PM and 9:00 AM, there are two possible reasons:

1-) The endpoint's user is working a night shift.

If not…

2-) The endpoint is infected and the machine is talking to a C&C server.

So you should check your employees' activity against time. One security analyst detected an APT group this way: “One of our employees was on vacation, and during the vacation his endpoint sent traffic to a remote address (the C&C server).”
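The checks described above (an endpoint talking to an external host over an unexpected protocol such as P2P, and an endpoint sending traffic outside working hours while its user is not on night shift) can be run over an egress log export. The script below is an added example written for this post, not the author's code or any SIEM product's logic. It goes one step beyond the text and also looks for beaconing: a C&C implant typically calls home on a timer, so the gaps between connections to one external host cluster around a single value even when a few unrelated connections are mixed in. The log format, the sample records, the 09:00-17:00 work window, the night-shift list, the expected-protocol set and the tolerance values are all assumptions made for the example.

```python
"""Off-hours, unexpected-protocol and beaconing checks over endpoint egress logs.

Added example for this post, not the author's own code.  The log format, the
work window, the night-shift list and the tuning values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample egress log (proxy/firewall export), one record per line:
# <ISO timestamp> <endpoint> <user> <destination IP> <destination port> <protocol>
SAMPLE_LOG = """\
2022-02-21T10:03:11 WS-07 alice 203.0.113.10 443 https
2022-02-21T22:30:02 WS-07 alice 203.0.113.10 443 https
2022-02-21T23:30:01 WS-07 alice 203.0.113.10 443 https
2022-02-22T00:30:03 WS-07 alice 203.0.113.10 443 https
2022-02-22T01:30:02 WS-07 alice 203.0.113.10 443 https
2022-02-21T23:15:44 WS-12 bob 198.51.100.5 443 https
2022-02-21T14:20:09 WS-03 carol 192.0.2.77 6881 p2p
2022-02-21T15:05:17 WS-03 carol 10.0.0.5 445 smb
"""

WORK_START, WORK_END = time(9, 0), time(17, 0)
NIGHT_SHIFT = {"bob"}                       # assumption: users approved to work at night
EXPECTED_EGRESS = {"https", "http", "dns"}  # assumption: protocols endpoints normally use outbound
# RFC 1918 ranges listed explicitly; ipaddress.is_private would also match documentation nets.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Turn the whitespace-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, dst, port, proto = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                        "dst": dst, "port": int(port), "proto": proto})
    return records


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def off_hours(records):
    """External connections outside the work window from users not on night shift."""
    hits = []
    for r in records:
        if is_internal(r["dst"]) or r["user"] in NIGHT_SHIFT:
            continue
        if not (WORK_START <= r["ts"].time() < WORK_END):
            hits.append((r["host"], r["user"], r["ts"].isoformat(), r["dst"]))
    return hits


def unexpected_protocol(records):
    """External connections over a protocol endpoints are not expected to use (e.g. P2P)."""
    return [(r["host"], r["dst"], r["port"], r["proto"]) for r in records
            if not is_internal(r["dst"]) and r["proto"] not in EXPECTED_EGRESS]


def beacons(records, min_intervals=3, tolerance=0.10, min_fraction=0.75):
    """Endpoint/destination pairs contacted at a near-constant interval.

    Uses the median gap so that a few unrelated connections do not hide the
    timer.  Real implants add jitter, so widen tolerance/min_fraction in production.
    """
    by_pair = defaultdict(list)
    for r in records:
        if not is_internal(r["dst"]):
            by_pair[(r["host"], r["dst"])].append(r["ts"])
    hits = []
    for (host, dst), times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:
            continue
        mid = median(gaps)
        regular = sum(abs(g - mid) <= tolerance * mid for g in gaps)
        if regular / len(gaps) >= min_fraction:
            hits.append((host, dst, round(mid)))
    return hits


def analyse(text):
    records = parse_log(text)
    return {"off_hours": off_hours(records),
            "unexpected_protocol": unexpected_protocol(records),
            "beacons": beacons(records)}


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(name)
        for h in hits:
            print("  ", h)
```

On the sample log, WS-07 is reported twice: four of its connections fall between 5:00 PM and 9:00 AM, and the gaps between its visits to 203.0.113.10 sit at roughly one hour, which is what a timed implant looks like. bob's night-time connection is suppressed by the night-shift list, and carol's P2P connection during the day is caught by the protocol check instead. In a real deployment the night-shift and expected-protocol lists come from HR and the proxy policy, not from constants in the script.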

Methods Most Used by APT Groups

APT groups use many online tools to map your attack surface, your technologies and your environments. Make sure you know which systems are accessible from external networks and which are not up to date.

Always scan your environments to detect new open ports and changed system versions, and to know what your attack surface is.

Some of the tools APT groups use to map your environment:

  • Shodan
  • URLScan
  • BuiltWith
  • WayBack Machine
  • NetCraft
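The scanning advice above only pays off if you compare each scan with the previous one; a port that was closed last month and is open today is exactly what an attacker's Shodan query will find first. The script below is an added example written for this post, not the author's code or part of Nmap. It parses two scans in Nmap's XML output layout and reports new hosts, newly opened ports, closed ports and changed service versions. The two XML documents are constructed by hand for the example, and the hosts, ports and versions in them are invented.

```python
"""Diff two Nmap XML scans to spot attack-surface changes.

Added example for this post, not the author's code.  The two scan documents
are constructed in Nmap's XML layout with invented hosts and versions.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="198.51.100.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="198.51.100.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.20.1"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty" version="9.4.30"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="198.51.100.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap(xml_text):
    """Return {ip: {(proto, port): (service, product, version)}} for open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not attack surface
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            open_ports[key] = tuple(svc.get(a) if svc is not None else None
                                    for a in ("name", "product", "version"))
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_scans(baseline, current):
    """Compare two parse_nmap() results and list what changed."""
    report = {"new_hosts": [], "missing_hosts": [], "new_ports": [],
              "closed_ports": [], "changed_services": []}
    for ip, ports in current.items():
        if ip not in baseline:
            report["new_hosts"].append(ip)
            report["new_ports"].extend((ip, *k, ports[k]) for k in sorted(ports))
            continue
        base = baseline[ip]
        for k in sorted(set(ports) - set(base)):
            report["new_ports"].append((ip, *k, ports[k]))
        for k in sorted(set(base) - set(ports)):
            report["closed_ports"].append((ip, *k))
        for k in sorted(set(base) & set(ports)):
            if base[k] != ports[k]:  # version drift: patched, or replaced by something else
                report["changed_services"].append((ip, *k, base[k], ports[k]))
    report["missing_hosts"] = sorted(ip for ip in baseline if ip not in current)
    return report


def compare_xml(baseline_xml, current_xml):
    return diff_scans(parse_nmap(baseline_xml), parse_nmap(current_xml))


if __name__ == "__main__":
    for section, items in compare_xml(BASELINE_XML, CURRENT_XML).items():
        print(section)
        for item in items:
            print("  ", item)
```

On the constructed scans this reports a new host exposing RDP (3389/tcp), 8080/tcp on the existing host flipping from closed to open with a Jetty banner, and nginx moving from 1.18.0 to 1.20.1. Nmap's own `ndiff` does the same comparison for real scans; the value of doing it yourself is that the report can be fed to the SIEM as an event rather than read by a person.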

The other critical issue is phishing e-mails.

Phishing E-Mails

Phishing is used by APT attackers to get unauthorized access to your internal network. When you receive a phishing e-mail, scan the hashes of the message and its attachments with your SIEM or other protection solutions. Run phishing attack exercises with your employees.

If you receive a phishing e-mail, never click the links, never execute the attached files and take no other action on it. Report it to your incident response team.

0Day Vulnerabilities

0Day vulnerabilities are another method APT groups use to get unauthorized access to your internal network. There are two ways to find a 0Day vulnerability:

  • Review source code with your Red Team and find vulnerabilities that have not been detected yet.
  • Follow Exploit-DB or other platforms that publish 0Day vulnerabilities.

I shared 0Day vulnerabilities on Exploit-DB when I was focused on source code analysis. When I found a 0Day vulnerability, I reported it to the vendor and waited for the patch. A couple of weeks after the patch and the new version were released, I shared the vulnerability on exploit-db.com.

Those are my ethical rules. I just want to be sure that all clients have updated to the new, non-vulnerable version.

Conclusion…

I wrote about threat actors and their attack methods. I would like to share a couple of links for protecting against APT groups; subscribe to their e-mail lists and stay up to date.

And never lose your motivation. Yes, threat actors are everywhere… so are those who fight against them!

My next blog post will be about detecting APT attacks with Splunk.

Thank you for reading, follow me on Twitter
