Resources: Published reports on how real threat actors operate

Reading published threat reports is a great way to learn how real threat actors operate. The industry is getting better about producing reports that include some degree or mapping of “replay-able” techniques to practically test detections, however, there is still room for improvement.

The reports provide detailed steps on real threat actor activity:

• DFIR Report

   https://thedfirreport.com

• APT Groups and Operations https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085

• ORKL

  https://orkl.eu/sources

• People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

  https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

• Mandiant M-Trends 2023

  https://mandiant.widen.net/s/dlzgn6w26n/m-trends-2023

• BianLian Ransomware Group

  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

Review and monitor these resources for tactics, techniques and procedures. 😃 Test those techniques within your environment to validate your getting the telemetry coverage required.