Converging Behaviors Across Threat Actors By Joe Slowik (2023)

  • Published: 2 Oct 2024
  • visit 2023.swisscybe... & www.swisscyber... for more information
    The following summary was machine generated from the RUclips transcript and then reviewed by human eyes. If you spot any errors, please comment below.
    Summary
    Presenter: Joe Slowik
    Title: Converging Behaviors Across Threat Actors
    Category: SCS2023
    Subcategory: Regular
    Video: • Converging Behaviors A...
    Length: 29:32
    Content: Joe Slowik discusses the increasing convergence of behaviors among various threat actors, making attribution and defense more challenging. He explores how adversaries use common tools and techniques to achieve their objectives efficiently, leading to a need for defenders to focus on behavioral analysis and anomaly detection rather than relying on traditional indicators.
    Keywords:
    - Threat actors
    - Convergence
    - Attribution
    - Cyber defense
    - Behavioral analysis
    Ideas
    - Adversaries are increasingly using common tools and techniques, making it difficult to distinguish between different threat actors.
    - There is a trend toward specialization and division of labor among threat actors, with roles such as initial access brokers and ransomware affiliates.
    - Defenders need to adopt behavior-centric detection methods to effectively identify malicious activities.
    - The reliance on common tools by adversaries necessitates a shift in defensive strategies and policies to focus on anomaly detection and understanding normal behavior patterns.
    - Custom tools are still used, but mainly for niche applications like operational technology intrusions and specialized attacks.
    Quotes
    - "Adversaries seek to achieve objectives, yet precisely how those objectives are achieved is largely immaterial."
    - "We see the tools of the trade coalesce around certain common features like Mimikatz."
    - "Adversaries converge on tradecraft because it works."
    - "Identifying the malicious use of benign tools is difficult, and we haven’t gotten there yet, but we need to because this is where adversaries are now living."
    Facts
    - Specialization and division of labor among threat actors are becoming more common.
    - Tools like Mimikatz, Cobalt Strike, and PsExec are frequently used by various adversaries.
    - Custom tools are primarily used in niche applications and specialized attacks.
    - Behavioral convergence makes attribution more challenging as threat actors adopt similar techniques.
    Resources
    - *Mimikatz* (Tool): Used for credential dumping, commonly employed by various threat actors for post-exploitation activities.
    - *Cobalt Strike* (Tool): A post-exploitation framework widely used for command and control, even in high-profile intrusions like the SolarWinds attack.
    - *Sysinternals PsExec* (Tool): A legitimate tool frequently used by adversaries for remote execution within victim environments.
    Recommendations
    - Shift focus from traditional indicators to behavior-centric detection methods to identify anomalies in execution patterns.
    - Enhance policies and best practices to address the challenge of adversaries blending in with legitimate IT operations.
    - Invest in continuous training and updating of defense strategies to keep pace with evolving threat actor techniques and tools.
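    The recommendation above (indicator-centric versus behavior-centric detection) in a small worked form. This is an added example, not code from the talk or its summary: every host, user, event and hash string is constructed sample data, and the hash values are placeholders rather than real file hashes. It learns which parent/child process pairs are normal from a baseline window, then runs two detectors over a later day's events: a hash blocklist, which catches a known-bad file launched normally but not a benign tool used abnormally, and a baseline comparison, which catches the abnormal use of benign tools (cmd.exe started by the service control manager, PowerShell started by a document editor) but not a known-bad file launched in a normal-looking way.

```python
"""Indicator-centric versus behavior-centric detection on process-creation events.

Added example, not code from the talk. All hosts, users, hashes and events below
are constructed sample data; the hash strings are placeholders, not real hashes.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as an EDR or Sysmon-style sensor would log it."""
    host: str
    user: str
    parent: str   # image name of the parent process
    child: str    # image name of the new process
    sha256: str   # constructed placeholder standing in for the child's file hash


# Constructed baseline: routine workstation activity observed over a quiet week.
BASELINE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws-01", "alice", "explorer.exe", "outlook.exe", "h-outlook"),
    ProcessEvent("ws-02", "bob", "explorer.exe", "outlook.exe", "h-outlook"),
    ProcessEvent("ws-01", "alice", "explorer.exe", "winword.exe", "h-winword"),
    ProcessEvent("ws-02", "bob", "explorer.exe", "winword.exe", "h-winword"),
    ProcessEvent("ws-03", "carol", "explorer.exe", "cmd.exe", "h-cmd"),
    ProcessEvent("ws-03", "carol", "explorer.exe", "cmd.exe", "h-cmd"),
    ProcessEvent("ws-01", "alice", "services.exe", "svchost.exe", "h-svchost"),
    ProcessEvent("ws-02", "bob", "services.exe", "svchost.exe", "h-svchost"),
    ProcessEvent("ws-03", "carol", "services.exe", "svchost.exe", "h-svchost"),
]

# Constructed events from a later day: routine activity plus three that are not.
TODAY_EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws-01", "alice", "explorer.exe", "outlook.exe", "h-outlook"),
    ProcessEvent("ws-02", "bob", "services.exe", "svchost.exe", "h-svchost"),
    # Known-bad file hash, launched the way a document normally is: behaviorally unremarkable.
    ProcessEvent("ws-02", "bob", "explorer.exe", "winword.exe", "h-known-bad"),
    # Legitimate cmd.exe (benign hash) started by the service control manager on a
    # workstation: the footprint remote service-execution tooling leaves behind.
    ProcessEvent("ws-01", "alice", "services.exe", "cmd.exe", "h-cmd"),
    # Legitimate PowerShell (benign hash) spawned by a document editor: a benign tool
    # used in a way no host in the baseline ever used it.
    ProcessEvent("ws-03", "carol", "winword.exe", "powershell.exe", "h-powershell"),
]

# Constructed blocklist standing in for a conventional hash-based indicator feed.
KNOWN_BAD_HASHES: Set[str] = {"h-known-bad"}


def build_baseline(events: Iterable[ProcessEvent], min_count: int = 2) -> Set[Tuple[str, str]]:
    """Learn which (parent, child) pairs are normal.

    A pair must have been seen at least min_count times, so that one odd execution
    inside the learning window does not silently become "normal".
    """
    counts = Counter((e.parent, e.child) for e in events)
    return {pair for pair, n in counts.items() if n >= min_count}


def indicator_detect(events: Iterable[ProcessEvent], bad_hashes: Set[str]) -> List[ProcessEvent]:
    """Indicator-centric: flag events whose file hash is on the blocklist."""
    return [e for e in events if e.sha256 in bad_hashes]


def behavior_detect(events: Iterable[ProcessEvent],
                    baseline: Set[Tuple[str, str]]) -> List[ProcessEvent]:
    """Behavior-centric: flag executions whose parent/child relationship is outside the
    baseline, whether the child is a known-bad file or a legitimate system tool."""
    return [e for e in events if (e.parent, e.child) not in baseline]


def triage(events: List[ProcessEvent], bad_hashes: Set[str],
           baseline: Set[Tuple[str, str]]) -> Dict[ProcessEvent, List[str]]:
    """Map each flagged event to the detection methods that caught it."""
    flagged: Dict[ProcessEvent, List[str]] = {}
    for e in indicator_detect(events, bad_hashes):
        flagged.setdefault(e, []).append("indicator")
    for e in behavior_detect(events, baseline):
        flagged.setdefault(e, []).append("behavior")
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for event, methods in triage(TODAY_EVENTS, KNOWN_BAD_HASHES, base).items():
        print(f"{event.host} {event.user}: {event.parent} -> {event.child} "
              f"(hash {event.sha256}) flagged by {', '.join(methods)}")
```

Run as a script it prints three flagged events, one caught only by the hash blocklist and two caught only by the baseline comparison. The point of keeping both detectors is that they miss different things: the blocklist has nothing to say about a signed, unmodified cmd.exe, while the baseline has nothing to say about a trojanized file launched from the usual parent. The `min_count` threshold is the practical knob: too low and a previous intrusion in the learning window teaches the detector that the adversary's pattern is normal, too high and genuine but rare admin activity turns into a stream of false positives.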
  • Science
