Vietnam NCSC Threat Actors Map Using Instruction

Transcript

1. THREAT ACTORS MAP USING INSTRUCTION AND USE CASES Link to

   the map: https://soc.gov.vn/apt

2. BASIC USAGE

3. 1. Search for a country or a threat actor Use

   the Search bar located at the top of the map to search and select any particular country or threat actor that you are looking for. Please note that it may take some time to thoroughly index and load the data. For instance, the word Vietnam is searched in the image below. The map will not only specifically give back the result of the country "Vietnam" but also any element that has information relating to the word "Vietnam" inside it.
4. None

5. 2. Complex search If you want to perform a more

   complicated search on the elements contained in the map, click the Search bar and then click the rocket icon to enter the Selector Builder.

6. For example, a search on APT groups that target at

   least Vietnam and sector Financial is shown below.

7. 3. Focus on elements You can focus on elements by

   selecting them, right click, choose Focus, and then select either the option Selected or Direct or Indirect or Extended. NOTE: Below are some shortcut keys that you may want to use to select elements. A: Select All SHIFT + E: Select All Elements SHIFT + C: Select All Connections SHIFT + L: Select All Loops SHIFT + CLICK: Toggle Selection Details of shortcut keys can be found in this link: https://docs.kumu.io/guides/shortcuts.html

8. 4. Customize the view of the map To edit the

   default view of the map, click the Settings button and use the Basic View Editor to change characteristics of the view. You can also Switch to Advanced Editor to perform further view customizations. You can read the Kumu's instruction on View Editors by following this link: View Editors
9. None

10. USE CASES

11. 1. Display threat actor(s) that target one or more than

    one countries At the top of map, you can see a dropdown menu named Filter by targeted country which can help you display threat actors that target a specific country or a group of countries. By doing this, you can create a subset of targeted countries which can be focused on. An example of how to use this filter is shown in images below.

12. Action: Filter and create a subset of threat actors targeting

    ASEAN and Vietnam

13. Action: Choose a threat actor to view its detailed information

14. 2. Display threat actor(s) that target one or more than

    one sector This case is implemented in a similar way to the first case but instead of choosing Filter by target country, select the dropdown menu named Filter by targeted sector.

15. 3. Display threat actor(s) that performed operations at a specicific

    time This case is implemented in a similar way to the first case but instead of choosing Filter by target country, select the dropdown menu named Filter by operation dates. After choosing one or more than one operation dates, you can look at the Map Overview on the left side of the map and click on the timestamp that you want to see. It will show you all operations of all groups that happened at that time.

16. Action: Select some operation dates

17. Action: Choose a specific time to see all operations

18. 4. Search for threat actor(s) that have specific IOC(s) This

    map contains three types of IOCs: URL, domain and IP address. If you want to search for a specific IOC, you can perform this action in the ways as specified below.

19. i. Basic search bar An example showing the search on

    the domain IOC "163-cn.org" is performed in the below image. We can see that only "Patchwork" has this piece of information and is the only result.
20. None

21. ii. Complex search If you want to perform a more

    complicated on more than one types of IOCs, you can use the Selector Builder as specified in point 2. Complex search of Basic Usage. An example of searching threat actors encompassing domain IOC "officeproduces.com", IP IOC "149.28.156.153:443" and URL IOC "http://144.202.54.8" is demonstrated below.

22. Action: Build the selector

23. Outcome: "Mustang Panda" is the only result found by the

    map

24. 5. Obtain the MITRE ATT&CK Navigator of attacking groups Each

    country contains a link leading to the MITRE ATT&CK Navigator of APT groups targeting it. NOTE: Only APT groups appearing in MITRE ATT&CK database are contained.

25. MITRE ATT&CK Navigator link

26. MITRE ATT&CK Navigator