Follow the Clues: Everyday is lazarus.day
Contents
Follow the Clues
Everyday is lazarus.day
2025-01-21
JeongGak Lyu @lazarusholic
The Evolving Threat Landscape
Financial Gain
Political or Social Agendas
Cybercriminals
Hacktivists
State-Sponsored Threat Actors
Political Influence and Espionage
DPRK State-Sponsored Threat Actors
Cyber Threat Intelligence Essentials
CTI Lifecycle
The Pyramid of Pain
Data
Information
Intelligence
https://www.gartner.com/document-reader/document/4056399
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Threat Detection & Threat Hunting
Reactive Approach
Focus on Known Threats
Detecting Evil
Proactive Approach
Targets Unknown Threats
Searching for Evil
Threat Detection
Threat Hunting
Rely on CTI & IOCs
Mitigating Threats
Inside a CTI Report
Each Item can be a Clue
CTI Report Collections & Platforms
• DocIntel https://docintel.org/
• ioc[.]one https://ioc.one/
• Malpedia https://malpedia.caad.fkie.fraunhofer.de/
• ORKL https://orkl.eu/
• Threat Intelligence Reports https://mthcht.github.io/ThreatIntel-Reports/
• Vx Underground https://vx-underground.org/
IOC Pivoting / Enrichment
IOC Pivoting with OSINT
Introduction to lazarus.day
[Screenshot of the lazarus.day dashboard: counters for Reports, Incidents and Actors (values shown: 2,470; 187; 187) and actor tags BlueNoroff, Konni, FamousChollima, Andariel, DPRK, Lazarus, Kimsuky, ScarCruft]
Everyday is lazarus.day
cryptocopedia[.]com
Strategies for Enhanced Threat Intelligence
CTI Lifecycle
Set Clear Goals!
Automation, Automation, Automation!
Adopt Generative AI!
Tools to Spark Ideas
• Harpoon https://github.com/Te-k/harpoon
• IntelOwl https://intelowlproject.github.io/
• Censeye https://github.com/Censys-Research/censeye
• SecAI https://secai.ai/
• TI Mindmap https://github.com/format81/TI-Mindmap-GPT
Conclusion
Following the Clues is an Endless Journey
CTI Capability Maturity Model
Requires Patience, Expertise and Investment
Maximize the Use of OSINT
Evaluate Your CTI Capability Maturity
[Radar chart of CTI-CMM domains on a 0-100 scale: Program, Asset, Threat, Architecture, Risk, Workforce, Access, Fraud, Situation, Third-Parties, Response]
https://cti-cmm.org/
Q&A
@lazarusholic
https://lazarus.day
Background Images: Unsplash Marek Piwnicki