One Article Review

Home - The article:
Source AlienVault Blog
Identifier 461917
Publication date 2018-01-30 13:40:00 (viewed: 2018-01-30 13:40:00)
Title OTX Trends Part 3 - Threat Actors
Text By Javvad Malik and Chris Doman

This is the third of a three-part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and Part 2 addressed malware. This part discusses threat actors and the patterns we have detected with OTX.

Which threat actors should I be most concerned about?

Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore, below we have limited ourselves to some very high-level trends for particular threat actors, many of which may not be relevant to your organisation.

Which threat actors are most active?

The following graph describes the number of vendor reports for each threat actor over the past two years, by quarter. For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy.

Caveats

There are a number of caveats to consider here. One newsworthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”: for example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It is also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017.

The global targeted threat landscape

There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily?

Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that would not be an apples-to-apples comparison. Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but they can provide some rough insights:

A rough chart of the activity and capability of notable threat actors in the last year

Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared in their existing formation following very public reporting. It seems unlikely that groups which likely employ thousands of people, such as those, have disappeared completely. The lack of reporting is more likely the result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”.

A review of the most reported on threat actors

The threat actor referenced i
Sent Yes
Tags
Stories APT 38 APT 28 APT 10 APT 3 APT 1 APT 34
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of a previous one.