Contribute set of threat intelligence experiments #3

Open
wants to merge 1 commit into
base: main
5 changes: 5 additions & 0 deletions experiments/RAG/Threat-Intelligence/ETDA-Groups/.gitignore
@@ -0,0 +1,5 @@
.env
embeddings/embeddings.pkl
.ipynb_checkpoints
db/db.pkl
chroma_db
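Review bot: `embeddings/embeddings.pkl` and `db/db.pkl` show the notebooks persist their state as Python pickles, and unpickling a file runs whatever code it contains, so the notebooks should only load pickles they wrote themselves and the README should say so; ignoring `.env` is the right call for keeping API keys out of the repository. Two smaller points: ignore the `embeddings/` and `db/` directories as a whole rather than single file names, so a differently named dump is not committed by accident, and write `chroma_db/` with a trailing slash to make explicit that it is a directory.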
11 changes: 11 additions & 0 deletions experiments/RAG/Threat-Intelligence/ETDA-Groups/README.md
@@ -0,0 +1,11 @@
# RAG: ETDA Threat Actor Encyclopedia Experiments
This Retrieval Augmented Generation (RAG) experiment explores proof-of-concepts to integrate generative AI with threat intelligence. It contains various Jupyter Notebooks that explore the different topics. Every notebook is documented and has various improvement ideas. The ultimate goal is to support analysts in understanding and assessing threat actors.

## Threat Actor RAG Experiment
This experiment explores how less controlled threat actor information sources perform for RAG use cases compared to using ATT&CK. It scrapes documents listed in the [ETDA Threat Actor Encyclopedia](https://apt.etda.or.th/cgi-bin/aptgroups.cgi). This database contains over 450 threat actors and provides various hyperlinks to reports about operations and information about these threat actors. See "threat-actor-knowledge-builder.ipynb" and "threat-actor-QA.ipynb" for the experiment.

## Report Summarizer Experiment
The scraped reports vary in quality, length, and consistency. By summarizing them through an LLM we can iron out some of these issues. The summaries can also provide additional input for experimentation with multi vector retrievers. This notebook describes how to loop over the reports and create summaries for reports where we can.

## Threat Actor Assessment
Organizations want to prioritize their resources through threat intelligence. By assessing threat actors for their threat level to your organization you can look at their TTPs to learn and prepare for. However, threat actor assessment can take a lot of effort through manual work, especially when kept up to date. It is also difficult to be consistent on the analysis through time and different analysts. Generative AI could support this process by assessing reports through some model. By leveraging the [threat box model](https://klrgrz.medium.com/quantifying-threat-actors-with-threat-box-e6b641109b11) this notebook experiments with assessing threat actors through LLMs.
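Review bot: the "Report Summarizer Experiment" and "Threat Actor Assessment" sections both say "this notebook" without naming a file, while the first section points the reader to "threat-actor-knowledge-builder.ipynb" and "threat-actor-QA.ipynb"; add the notebook filenames for the other two experiments so they can be found. Because the summarizer feeds scraped third-party report text straight into an LLM, the README should also note that this text is untrusted input (instructions embedded in a scraped page can steer the summary) and that summaries need a sanity check before they are used as retriever input or for the threat box assessment.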

@@ -0,0 +1,62 @@
# Threat actor: 8220 Gang

**UUID**: 8384088d-a679-47bb-bff5-957830937ae3

**First seen**: 2017

**Source last modified**: 2024-01-16

## Threat actor aliases

8220 Gang (Talos), 8220 Mining Group (Talos)

## Description

(Trend Micro) 8220 Gang (also known as “8220 Mining Group,” derived from their use of port 8220 for command and control or C&C communications exchange) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities, and misconfigured Docker containers to deploy cryptocurrency miners in both Linux and Microsoft Windows hosts. The group was documented to have used Tsunami malware, XMRIG cryptominer, masscan, and spirit, among other tools in their campaigns.

## Sponsor type and motivation

**Sponsor**:

**Motivation**: Financial gain


## Country of origin

China

## Observed attacked sectors where victims operate in



## Observed attacked countries where victims operate in



## Observed usage of tools



## Reported hacking operations

2021-05: 8220 Gangs Recent use of Custom Miner and Botnet
https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/

2022-07: 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts
https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/

2022-10: 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/

2022-11: 8220 Gang Continues to Evolve With Each New Campaign
https://sysdig.com/blog/8220-gang-continues-to-evolve/

2023-05: 8220 Gang Evolves With New Strategies
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html

## Reported counter operations against threat actor





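Review bot: five sections of this generated document are empty ("Sponsor", both "Observed attacked ..." sections, "Observed usage of tools" and "Reported counter operations against threat actor"), yet the description itself names Tsunami, XMRIG and masscan; when the ETDA entry has no structured data for a field the builder should either drop the heading or emit an explicit "none listed in source" line, otherwise the empty headings are chunked and embedded as noise and the QA notebook may answer that no tools are known for this actor. The run of blank lines at the end of the file suggests the template joins optional sections with separators even when they are absent; strip those in the builder. It would also help retrieval to record the ETDA source URL for the entry next to the UUID so answers can cite it.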