APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets. Or there may be no documentation at all, requiring you to create the design documents yourself. For designers or architects: assign the risk mitigation to the development team so that it is considered while the application is being built. Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People's Liberation Army's (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. threat methodologies) to evolve the infrastructure, operational services/capabilities and overall security posture. Microsoft maintains an internal process for tracking these in-development activity clusters (now Storm-###) for reference across our hunting teams. OCTAVE focuses on assessing organizational risks and does not address technological risks. Moafee is a threat group that appears to operate from the Guangdong Province of China. Assume the attacker has a zero-day, because he does. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. We believe this new approach, along with the new icon system shown in some of the examples above, makes it even easier to identify and remember Microsoft's threat actors. 
We know defenders benefit from context and actionable insight; they need to understand what threat actor is behind an attack and how they can take steps to mitigate the issue. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Some groups have multiple names associated with similar activities because various organizations track similar activities under different names. Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. In addition to the above terminologies, it is important to be familiar with the key threat modeling principles defined in the Threat Modeling Manifesto project. APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. Each cell of the matrix is divided into four parts, one for each action of CRUD (creating, reading, updating, and deleting). To prevent threats from taking advantage of system flaws, administrators can use threat-modeling methods to inform defensive measures. Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Persona non Grata (PnG) focuses on the motivations and skills of human attackers. Threat actors are motivated by a multitude of factors, depending on a particular actor's relationship. Chimera is a suspected China-based threat group that has been active since at least 2018, targeting the semiconductor industry in Taiwan as well as data from the airline industry. 
Shevchenko, N., 2018: Threat Modeling: 12 Available Methods. This new naming approach does not in any way change who the threat actors are that we are tracking, or our current analysis behind the names. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university. Analysts track these clusters using various analytic methodologies and terms such as threat groups, activity groups, and threat actors. As of 2023 it is under active development. APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. A threat actor is any insider or external attacker that could affect data security. A variety of factors can affect the likelihood of a threat being carried out, including how difficult the threat is to implement and how rewarding it would be to the attacker. How do intent and capability relate to assessing threat? The intrusion into healthcare company Anthem has been attributed to Deep Panda. However, if the threat is relatively easy to accomplish, or if the attacker would gain valuable information from which they could profit, the likelihood may be higher. April 19, 2023 update: We have published a JSON file mapping old threat actor names to their new names in the updated taxonomy, summarized here: https://aka.ms/threatactors. Threat can be evaluated as a combination of Intent and Capability. Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries. ThreatActors are characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior. 
It aims to address a few pressing issues with threat modeling for cyber-physical systems that have complex interdependencies among their components. Expressed as a quasi-mathematical model, the relationship is: Threat Perception = Estimated Capability x Estimated Intent. They develop. If you don't want to draw your DFD manually, there are several tools available: the OWASP Threat Dragon project is a cross-platform tool that runs on Linux, macOS and Windows 10. APT10 (threat actor, 2018): APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009. Provides analysts and executives with a graphical representation of threat actors' intentions and capabilities to carry out attacks. When building your cyber security capability, understanding your adversaries is essential. The group uses custom malware as well as "living off the land" techniques. Impact is a measure of the potential damage caused by a particular threat. Highly skilled and comprehensively trained. Preventions are controls that may completely prevent a particular attack from being possible. Before starting the threat modeling process, it is important to identify the business objectives of the applications you are assessing, and to identify security and compliance requirements that may be necessary due to business or government regulation. BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US since at least 2013. A trust boundary (in the context of threat modeling) is a location on the data flow diagram where data changes its level of trust. Those principles are considered throughout the following steps in this cheat sheet. See the Resources section. Microsoft also developed a similar method called DREAD, which is also a mnemonic (damage potential, reproducibility, exploitability, affected users, discoverability) with a different approach to assessing threats. 
The following subsections show the details of the 4+1 approach and how it could help in the threat modeling process: create a logical map of the Target of Evaluation. The group uses stolen data exfiltrated from victims to extort organizations. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing. APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. Impact and damage can take a variety of forms. 
Patchwork has been seen targeting industries related to diplomatic and government agencies. Identify the trust boundaries of the system, application, module or ecosystem that you want to start with. The information provided does not represent all possible technique use by Groups, but rather a subset that is available solely through open source reporting. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name. CVSS was developed by NIST and is maintained by the Forum of Incident Response and Security Teams (FIRST) with support and contributions from the CVSS Special Interest Group. By 2014, Ajax Security Team had transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies. 
Use means, motive, and opportunity to understand the threats posed by attackers. Some methods focus specifically on risk or privacy concerns. The cyber threat landscape is a complex mix of adversaries, vulnerabilities, and emerging capabilities. We see this lone-actor threat manifested both within homegrown violent. LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. This group has been active since at least 2009. This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. Copyright 2021 - CheatSheets Series Team - This work is licensed under a Creative Commons Attribution 3.0 Unported License. The threat modeling steps of that cheat sheet are: consider data in transit and data at rest; present your DFD in the context of MVC; define application user roles and trust levels; highlight authorization per user role over the DFD; map threat agents to application entry points; define the impact and probability for each threat; agree on risk mitigation with risk owners and stakeholders; select appropriate controls to mitigate the risk; test risk treatment to verify remediation; reduce risk in the risk log for verified treated risk. Use this query on Microsoft Sentinel, Microsoft 365 Defender, Azure Data Explorer, and other products that support Kusto Query Language (KQL) to get information about a threat actor using the old name, new name, or industry name: Use this query on Microsoft Sentinel to look up TI indicators that have been tagged with a threat actor name to get the new name. Attack trees were initially applied as a stand-alone method and have since been combined with other methods and frameworks. Evilnum is a financially motivated threat group that has been active since at least 2018. To ease the transition from old names to new names, we developed a reference guide at https://aka.ms/threatactors. 
Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. Read the SEI White Paper, Threat Modeling: A Summary of Available Methods, on which this post is based. Indrik Spider started with the Dridex banking Trojan, and by 2017 they had begun running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Integrated into Microsoft 365 Defender, Intel Profiles are updated daily and put the wealth of information tracked by the Microsoft Threat Intelligence community about threat actors and their tools and techniques directly into the hands of security operations professionals so that they can investigate, analyze, and hunt for threats. All developers, software and system designers, and architects should strive to include threat modeling in their software development life cycle. LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets. Intent and Capability both comprise other elements, as illustrated below. In a structured sense, ThreatActors consist of a characterization of identity, suspected motivation, suspected intended. FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. Each icon uniquely represents a family name and, where it makes sense, will accompany the threat actor names as a visual aid. 
For the assessor, this is the last step in the assessment process. The attractiveness thereof depends on the objective that the threat actor pursues in this particular campaign, the match of this objective to the organization (e.g., a hacktivist group might be more interested in attacking a pharmaceutical enterprise) and the threat actor's commitment to reaching these objectives. Where possible, add assets to the identified information flows. Figure 1: Threat Actor Motivation and Capability Heat Map. Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA's 3rd General Staff Department (GSD). The challenge, though,. Our threat research has grown to track more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and hundreds of others. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia. Significant level of funding and/or resources. IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014. The analyst builds a requirement model by enumerating and understanding the system's actors, assets, intended actions, and rules. It looks at threat modeling from a risk-management and defensive perspective. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors. Identify infrastructure vulnerability. Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. 
Deep Panda also appears to be known as Black Vine, based on the attribution of both group names to the Anthem intrusion. For example, if your company's website were defaced, this could damage your company's reputation, which may in turn cause a loss of business because your users lose confidence. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps. Applying these concepts bridges the gap between these segmented functional domains and enables a robust, agile and proactive set of cyber security capabilities. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute, which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). Very skilled and trained in the use of tactics and techniques. APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.