Slide 1

THREAT ACTORS MAP: USAGE INSTRUCTIONS AND USE CASES

Link to the map: https://soc.gov.vn/apt

Slide 2

BASIC USAGE

Slide 3

1. Search for a country or a threat actor

Use the Search bar at the top of the map to find and select a particular country or threat actor. Note that indexing and loading the data may take some time. In the image below, the word "Vietnam" is searched. The map returns not only the country element "Vietnam" but also every element whose fields mention the word "Vietnam", so a plain search is a text match across all fields rather than an exact lookup of the element name.

Slide 5

2. Complex search

To perform a more complicated search over the elements in the map, click the Search bar and then click the rocket icon to open the Selector Builder.

Slide 6

For example, the image below shows a search for APT groups whose targets include at least Vietnam and the Financial sector (both conditions must hold).

Slide 7

3. Focus on elements

To focus on elements, select them, right-click, choose Focus, and then pick one of the options Selected, Direct, Indirect or Extended.

NOTE: the following shortcut keys are useful for selecting elements:

A: Select All
SHIFT + E: Select All Elements
SHIFT + C: Select All Connections
SHIFT + L: Select All Loops
SHIFT + CLICK: Toggle Selection

The full list of shortcut keys is at https://docs.kumu.io/guides/shortcuts.html

Slide 8

4. Customize the view of the map

To change the default view of the map, click the Settings button and use the Basic View Editor to adjust the characteristics of the view. You can also switch to the Advanced Editor for further customization. Kumu's own instructions on the view editors are in its documentation under "View Editors".

Slide 10

USE CASES

Slide 11

1. Display threat actor(s) that target one or more countries

At the top of the map there is a dropdown menu named Filter by targeted country, which displays the threat actors that target a specific country or a group of countries. This gives you a subset of threat actors, selected by the countries they target, that you can then focus on. The images below show how to use this filter.

Slide 12

Action: Filter and create a subset of threat actors targeting ASEAN and Vietnam

Slide 13

Action: Choose a threat actor to view its detailed information

Slide 14

2. Display threat actor(s) that target one or more sectors

This case works in the same way as the first one, but instead of Filter by targeted country, select the dropdown menu named Filter by targeted sector.

Slide 15

3. Display threat actor(s) that performed operations at a specific time

This case also works in the same way as the first one, but instead of Filter by targeted country, select the dropdown menu named Filter by operation dates. After choosing one or more operation dates, look at the Map Overview on the left side of the map and click the timestamp you want to see. The map then shows all operations of all groups that happened at that time.

Slide 16

Action: Select some operation dates

Slide 17

Action: Choose a specific time to see all operations

Slide 18

4. Search for threat actor(s) that have specific IOC(s)

The map contains three types of IOCs: URL, domain and IP address. Indicators are stored as text in the elements' fields, so check the form in which an indicator appears in the map before searching for it (the IP example in point ii below, for instance, carries its port). To search for a specific IOC, use one of the two methods below.

Slide 19

i. Basic search bar

The image below shows a search for the domain IOC "163-cn.org". Only "Patchwork" carries this indicator, so it is the only result.

Slide 21

ii. Complex search

To search over more than one type of IOC at once, use the Selector Builder described under 2. Complex search in Basic Usage. The example below searches for threat actors that carry all three of the following indicators: the domain IOC "officeproduces.com", the IP IOC "149.28.156.153:443" and the URL IOC "http://144.202.54.8".

Slide 22

Action: Build the selector

Slide 23

Outcome: "Mustang Panda" is the only result found by the map
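The country-and-sector search from the Selector Builder example in Basic Usage and the single- and multi-IOC searches of this use case can also be answered offline, which is convenient when the same question has to be asked repeatedly or from a script. The Python below is an added example and is not code from the soc.gov.vn/apt map or from Kumu. It assumes the map has been exported as a Kumu JSON blueprint (elements carrying an "attributes" dictionary) and assumes the attribute names "type", "targeted country", "targeted sector", "url", "domain" and "ip"; the real field names in the map may differ. The blueprint embedded in the script is constructed: the IOC-to-actor pairs are the ones this page reports (163-cn.org for Patchwork, the three indicators for Mustang Panda), while the countries, sectors and the "Example Group" actor are invented for the example. It also goes slightly beyond the map's exact text match by indexing a URL's host and an IP:port's bare address, so a search on "144.202.54.8" alone still finds the actor holding "http://144.202.54.8".

```python
# Offline version of the map's Selector Builder searches over a Kumu JSON export.
# Added example, not code from the soc.gov.vn/apt map or from Kumu. It assumes a
# Kumu JSON blueprint export and the attribute names used below (both assumptions).
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample blueprint. The IOC-to-actor pairs are the ones the page
# reports (163-cn.org -> Patchwork; the three indicators -> Mustang Panda); the
# countries, sectors and the "Example Group" element are invented for the example.
SAMPLE_BLUEPRINT = json.dumps({"elements": [
    {"attributes": {"label": "Vietnam", "type": "Country"}},
    {"attributes": {"label": "Patchwork", "type": "APT", "domain": ["163-cn.org"],
                    "targeted country": ["Vietnam", "Thailand"],
                    "targeted sector": "Government"}},
    {"attributes": {"label": "Mustang Panda", "type": "APT",
                    "targeted country": "Vietnam|Laos",
                    "targeted sector": ["Financial", "Government"],
                    "domain": ["officeproduces.com"], "ip": ["149.28.156.153:443"],
                    "url": ["http://144.202.54.8"]}},
    {"attributes": {"label": "Example Group", "type": "APT",
                    "targeted country": ["Thailand"], "targeted sector": ["Financial"],
                    "domain": ["example.test"], "ip": ["203.0.113.5"]}},
], "connections": []})

def load_blueprint(text):
    """Return the attribute dict of every element in a Kumu JSON blueprint."""
    return [e.get("attributes", {}) for e in json.loads(text).get("elements", [])]

def _as_list(value):
    """Multi-value fields may arrive as a JSON array or a pipe-delimited string."""
    if isinstance(value, str):
        return [v.strip() for v in value.split("|") if v.strip()]
    return list(value or [])

def _actors(elements):
    return [a for a in elements if a.get("type") == "APT"]

def actors_targeting(elements, countries=(), sectors=()):
    """Actors whose targets include every listed country AND every listed sector
    (the 'at least Vietnam and sector Financial' search); case-insensitive."""
    want_c = {c.casefold() for c in countries}
    want_s = {s.casefold() for s in sectors}
    hits = []
    for attrs in _actors(elements):
        have_c = {c.casefold() for c in _as_list(attrs.get("targeted country"))}
        have_s = {s.casefold() for s in _as_list(attrs.get("targeted sector"))}
        if want_c <= have_c and want_s <= have_s:
            hits.append(attrs["label"])
    return sorted(hits)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def normalize_ioc(raw):
    """Classify one indicator: (kind, canonical lower-case value, bare host or None).
    '149.28.156.153:443' is an IP that keeps its port; 'http://144.202.54.8' is a URL."""
    value = raw.strip().casefold()
    if "://" in value:
        return ("url", value.rstrip("/"), urlsplit(value).hostname)
    host = value if _is_ip(value) else value.rsplit(":", 1)[0]
    if _is_ip(host):
        return ("ip", value, host if host != value else None)
    return ("domain", value.removeprefix("www.").rstrip("."), None)

def ioc_index(elements):
    """Map each actor to the set of (kind, value) IOCs it carries; a URL's host and
    an IP:port's bare address are indexed too (broader than the map's exact match)."""
    index = {}
    for attrs in _actors(elements):
        iocs = set()
        for field in ("url", "domain", "ip"):  # the three IOC types in the map
            for raw in _as_list(attrs.get(field)):
                kind, value, host = normalize_ioc(raw)
                iocs.add((kind, value))
                if host:
                    iocs.add(("ip" if _is_ip(host) else "domain", host))
        index[attrs["label"]] = iocs
    return index

def actors_with_iocs(elements, iocs, require_all=True):
    """Actors carrying all (default) or any of the given indicators, which may mix
    URL, domain and IP forms, like the multi-IOC Selector Builder search."""
    wanted = {normalize_ioc(i)[:2] for i in iocs}
    match = all if require_all else any
    return sorted(label for label, have in ioc_index(elements).items()
                  if match(w in have for w in wanted))

ELEMENTS = load_blueprint(SAMPLE_BLUEPRINT)

if __name__ == "__main__":
    print(actors_targeting(ELEMENTS, countries=["Vietnam"], sectors=["Financial"]))
    print(actors_with_iocs(ELEMENTS, ["officeproduces.com", "149.28.156.153:443",
                                      "http://144.202.54.8"]))
```

Run the script directly to print the two searches, or replace SAMPLE_BLUEPRINT with the text of a real export. Searches are AND by default, so an actor must carry every indicator given (the "Mustang Panda" outcome above); pass require_all=False to get every actor matching at least one of them.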

Slide 24

5. Obtain the MITRE ATT&CK Navigator of attacking groups

Each country element contains a link to a MITRE ATT&CK Navigator view of the APT groups that target it. NOTE: only APT groups that appear in the MITRE ATT&CK database are included, so groups tracked on the map but absent from ATT&CK do not appear in that view.

Slide 25

MITRE ATT&CK Navigator link

Slide 26

MITRE ATT&CK Navigator