Vietnam NCSC Threat Actors Map Using Instruction

Vietnam NCSC Threat Actors Map Using Instruction

This presentation will show you how to use the Threat Actors Map created by Vietnam National Cyber Security Center.

Link to the map: https://soc.gov.vn/apt

35e0df23d7ed5bf6c37dce3551bc5c18?s=128

Thang Nguyen

August 12, 2020
Tweet

Transcript

  1. THREAT ACTORS MAP USING INSTRUCTION AND USE CASES Link to

    the map: https://soc.gov.vn/apt
  2. BASIC USAGE

  3. 1. Search for a country or a threat actor Use

    the Search bar located at the top of the map to search and select any particular country or threat actor that you are looking for. Please note that it may take some time to thoroughly index and load the data. For instance, the word Vietnam is searched in the image below. The map will not only specifically give back the result of the country "Vietnam" but also any element that has information relating to the word "Vietnam" inside it.
  4. None
  5. 2. Complex search If you want to perform a more

    complicated search on the elements contained in the map, click the Search bar and then click the rocket icon to enter the Selector Builder.
  6. For example, a search on APT groups that target at

    least Vietnam and sector Financial is shown below.
  7. 3. Focus on elements You can focus on elements by

    selecting them, right click, choose Focus, and then select either the option Selected or Direct or Indirect or Extended. NOTE: Below are some shortcut keys that you may want to use to select elements. A: Select All SHIFT + E: Select All Elements SHIFT + C: Select All Connections SHIFT + L: Select All Loops SHIFT + CLICK: Toggle Selection Details of shortcut keys can be found in this link: https://docs.kumu.io/guides/shortcuts.html
  8. 4. Customize the view of the map To edit the

    default view of the map, click the Settings button and use the Basic View Editor to change characteristics of the view. You can also Switch to Advanced Editor to perform further view customizations. You can read the Kumu's instruction on View Editors by following this link: View Editors
  9. None
  10. USE CASES

  11. 1. Display threat actor(s) that target one or more than

    one countries At the top of map, you can see a dropdown menu named Filter by targeted country which can help you display threat actors that target a specific country or a group of countries. By doing this, you can create a subset of targeted countries which can be focused on. An example of how to use this filter is shown in images below.
  12. Action: Filter and create a subset of threat actors targeting

    ASEAN and Vietnam
  13. Action: Choose a threat actor to view its detailed information

  14. 2. Display threat actor(s) that target one or more than

    one sector This case is implemented in a similar way to the first case but instead of choosing Filter by target country, select the dropdown menu named Filter by targeted sector.
  15. 3. Display threat actor(s) that performed operations at a specicific

    time This case is implemented in a similar way to the first case but instead of choosing Filter by target country, select the dropdown menu named Filter by operation dates. After choosing one or more than one operation dates, you can look at the Map Overview on the left side of the map and click on the timestamp that you want to see. It will show you all operations of all groups that happened at that time.
  16. Action: Select some operation dates

  17. Action: Choose a specific time to see all operations

  18. 4. Search for threat actor(s) that have specific IOC(s) This

    map contains three types of IOCs: URL, domain and IP address. If you want to search for a specific IOC, you can perform this action in the ways as specified below.
  19. i. Basic search bar An example showing the search on

    the domain IOC "163-cn.org" is performed in the below image. We can see that only "Patchwork" has this piece of information and is the only result.
  20. None
  21. ii. Complex search If you want to perform a more

    complicated on more than one types of IOCs, you can use the Selector Builder as specified in point 2. Complex search of Basic Usage. An example of searching threat actors encompassing domain IOC "officeproduces.com", IP IOC "149.28.156.153:443" and URL IOC "http://144.202.54.8" is demonstrated below.
  22. Action: Build the selector

  23. Outcome: "Mustang Panda" is the only result found by the

    map
  24. 5. Obtain the MITRE ATT&CK Navigator of attacking groups Each

    country contains a link leading to the MITRE ATT&CK Navigator of APT groups targeting it. NOTE: Only APT groups appearing in MITRE ATT&CK database are contained.
  25. MITRE ATT&CK Navigator link

  26. MITRE ATT&CK Navigator