6. Todo a SIEM
Numbers and facts
@martixx
Source: CSIS
“China is a determined, well-resourced and persistent cyber adversary”
“...the Chinese government and some Chinese companies will use any means, legal or illegal, to acquire technology”
27. Leaks
O.P.M.
July 2014
First data exfiltration scripts
• Background investigation databases
• 18,000,000 copies of Standard Form 86
• 5,600,000 fingerprints
31. Heavy hits (Chinese style)
Advanced Persistent Threat
2nd Bureau of the 3rd Department of the People's Liberation Army (PLA) General Staff Department (GSD)
Unit 61398 (MUCD) APT1
总参三部二局
部队
32. Heavy hits (Chinese style)
Source: Mandiant
A.K.A.:
• Putter Panda
• The Comment Group - Comment Crew - Comment Panda
• Byzantine Candor
• Shanghai Group
Note that Putter Panda is CrowdStrike's name for a different PLA unit (61486), which MITRE ATT&CK tracks separately as G0024; the remaining names are aliases of APT1 (G0006).
57. CAPEC
CAPEC:
• Focus on application security
• Enumerates exploits against vulnerable systems
• Includes social engineering / supply chain
• Associated with Common Weakness Enumeration (CWE)
ATT&CK:
• Focus on network defense
• Based on threat intelligence and red team research
• Provides contextual understanding of malicious behavior
• Supports testing and analysis of defense options
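The practical link between the two lists above is the cross-reference: a scanner reports a CWE, CAPEC enumerates the attack patterns that exploit it, and CAPEC's taxonomy mappings point at the ATT&CK techniques to watch for in the SIEM. The following is an added example, not code from the deck or from MITRE; it parses a constructed XML excerpt shaped like the CAPEC v3 feed (element and attribute names are assumed to follow the published schema at capec.mitre.org/data/xml) and builds the CWE → CAPEC → ATT&CK pivot. A CWE with no ATT&CK mapping comes back as an empty list, which is exactly the application-security vs. network-defense scope difference the slide describes.

```python
"""Pivot from CWE weaknesses to CAPEC attack patterns to ATT&CK techniques.

Added example. CAPEC_SAMPLE is a CONSTRUCTED excerpt shaped like the CAPEC v3 XML
feed; it is not the real catalog. Element names (Attack_Pattern, Related_Weakness,
Taxonomy_Mapping/Entry_ID) are assumed to match the published schema; to use the
real feed, pass its contents to load_patterns().
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# CAPEC v3 namespace (assumption: matches the schema used by capec_latest.xml).
NS = {"c": "http://capec.mitre.org/capec-3"}

CAPEC_SAMPLE = """<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3" Version="3.9">
  <Attack_Patterns>
    <Attack_Pattern ID="66" Name="SQL Injection" Abstraction="Standard" Status="Draft">
      <Related_Weaknesses>
        <Related_Weakness CWE_ID="89"/>
        <Related_Weakness CWE_ID="1286"/>
      </Related_Weaknesses>
    </Attack_Pattern>
    <Attack_Pattern ID="163" Name="Spear Phishing" Abstraction="Detailed" Status="Draft">
      <Related_Weaknesses>
        <Related_Weakness CWE_ID="451"/>
      </Related_Weaknesses>
      <Taxonomy_Mappings>
        <Taxonomy_Mapping Taxonomy_Name="ATTACK">
          <Entry_ID>1566.001</Entry_ID>
          <Entry_Name>Phishing: Spearphishing Attachment</Entry_Name>
        </Taxonomy_Mapping>
        <Taxonomy_Mapping Taxonomy_Name="ATTACK">
          <Entry_ID>1566.002</Entry_ID>
          <Entry_Name>Phishing: Spearphishing Link</Entry_Name>
        </Taxonomy_Mapping>
      </Taxonomy_Mappings>
    </Attack_Pattern>
    <Attack_Pattern ID="437" Name="Supply Chain" Abstraction="Meta" Status="Draft">
      <Related_Weaknesses>
        <Related_Weakness CWE_ID="1357"/>
      </Related_Weaknesses>
      <Taxonomy_Mappings>
        <Taxonomy_Mapping Taxonomy_Name="ATTACK">
          <Entry_ID>1195</Entry_ID>
          <Entry_Name>Supply Chain Compromise</Entry_Name>
        </Taxonomy_Mapping>
      </Taxonomy_Mappings>
    </Attack_Pattern>
  </Attack_Patterns>
</Attack_Pattern_Catalog>
"""


def load_patterns(xml_text):
    """Parse CAPEC XML into {capec_id: {"name", "cwes", "attack"}}.

    xml.etree is fine for a trusted local copy of the catalog; for XML that comes
    from an untrusted source use defusedxml to avoid entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    patterns = {}
    for ap in root.iterfind(".//c:Attack_Pattern", NS):
        cwes = sorted(int(rw.get("CWE_ID")) for rw in ap.iterfind(".//c:Related_Weakness", NS))
        techniques = []
        for tm in ap.iterfind(".//c:Taxonomy_Mapping", NS):
            if tm.get("Taxonomy_Name") != "ATTACK":
                continue  # CAPEC also carries WASC/OWASP mappings; keep only ATT&CK
            entry = tm.findtext("c:Entry_ID", namespaces=NS)
            if entry:
                techniques.append("T" + entry.strip())  # CAPEC stores "1566.001", ATT&CK writes "T1566.001"
        patterns[int(ap.get("ID"))] = {"name": ap.get("Name"), "cwes": cwes, "attack": sorted(techniques)}
    return patterns


def index_by_cwe(patterns):
    """Invert the catalog: CWE id -> sorted list of CAPEC ids that exploit it."""
    idx = defaultdict(list)
    for capec_id, p in patterns.items():
        for cwe in p["cwes"]:
            idx[cwe].append(capec_id)
    return {cwe: sorted(ids) for cwe, ids in idx.items()}


def techniques_for_cwe(patterns, cwe_id):
    """ATT&CK technique ids to hunt for in the SIEM when a scanner reports cwe_id.

    Sorted and de-duplicated; empty when CAPEC maps the weakness to no technique,
    which is common for pure application-layer bugs that ATT&CK's network-defense
    focus does not cover.
    """
    techs = set()
    for capec_id in index_by_cwe(patterns).get(cwe_id, []):
        techs.update(patterns[capec_id]["attack"])
    return sorted(techs)


PATTERNS = load_patterns(CAPEC_SAMPLE)

if __name__ == "__main__":
    for cwe in (89, 451, 1357):
        print(f"CWE-{cwe}: CAPEC {index_by_cwe(PATTERNS).get(cwe, [])} -> ATT&CK {techniques_for_cwe(PATTERNS, cwe)}")
```

With the real catalog the same three functions give you, for each CWE in a vulnerability report, the list of technique ids to tag your detection rules with; the ids are the ones the deck's later link to attack.mitre.org/groups resolves to group-by-group.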
58. Link is not just the blond guy from Zelda
https://es.theepochtimes.com/china-estuvo-involucrada-en-la-cuarta-parte-de-los-ciberataques-mas-relevantes-del-ano-pasado-dice-informe_528503.html
https://fas.org/sgp/crs/row/IN10376.pdf
https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents
https://csis-prod.s3.amazonaws.com/s3fs-public/publication/190904_Lewis_ChinaTechTransfer_WEB_v2_1.pdf
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://www.ccn-cert.cni.es/pdf/3767-ccn-cert-ia-13-19-ciberamenazas-y-tendencias-resumen-ejecutivo-2019/file.html
https://en.wikipedia.org/wiki/Motives_for_spying
https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
https://www.fedsmith.com/2018/09/21/bolton-confirms-china-behind-opm-data-breaches/
https://www.justice.gov/opa/press-release/file/1246891/download
https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
https://elpais.com/tecnologia/2020/02/17/actualidad/1581897525_009258.html
https://elpais.com/internacional/2017/09/08/actualidad/1504822977_221786.html
https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
https://krebsonsecurity.com/2020/02/u-s-charges-4-chinese-military-officers-in-2017-equifax-hack/
https://www.wired.com/story/equifax-hack-china/
https://www.forbes.com/sites/thomasbrewster/2017/09/14/equifax-hack-the-result-of-patched-vulnerability/#29eba3605cda
https://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/
https://www.wired.com/2013/02/chinese-army-linked-to-hacks/
https://www.nytimes.com/2015/09/24/world/asia/hackers-took-fingerprints-of-5-6-million-us-workers-government-says.html
https://www.nytimes.com/2015/06/11/world/asia/hackers-may-have-obtained-names-of-chinese-with-ties-to-us-government.html?_r=0
https://securityboulevard.com/2020/02/equifax-hacked-by-china-israeli-voter-registry-exposed-how-the-cia-owned-encryption/
https://www.wsj.com/articles/hackers-entered-equifax-systems-in-march-1505943617
https://en.wikipedia.org/wiki/Anthem_medical_data_breach
https://www.govexec.com/management/2014/09/opm-terminates-controversial-background-check-contractor/93680/
https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/
https://www.opm.gov/news/releases/2015/07/opm-announces-steps-to-protect-federal-workers-and-others-from-cyber-threats/
https://threatconnect.com/news/february-27-the-hill-security-firm-all-roads-lead-to-china-in-anthem-breach/
https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf
https://malpedia.caad.fkie.fraunhofer.de/actor/emissary_panda
https://unaaldia.hispasec.com/2017/03/vulnerabilidad-critica-en-apache-struts.html
https://www.keensoft.es/cve-2017-5638-vulnerabilidad-struts-permite-la-ejecucion-codigo-remoto/
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
https://www.cvedetails.com/cve/CVE-2017-5638/
https://attack.mitre.org/groups/
https://attack.mitre.org/groups/G0006/
https://www.cytomicmodel.com/es/news/ttp-ventajas-en-ciberinteligencia/
https://dirigentesdigital.com/mercados/europa/700-millones-de-multa-a-equifax-por-una-filtracion-masiva-de-datos-de-usuarios-CC1334163
https://www.usnews.com/news/best-countries/articles/2019-02-01/china-and-russia-biggest-cyber-offenders-since-2006-report-shows
https://elpais.com/tecnologia/2017/09/08/actualidad/1504856601_125518.html
https://elpais.com/internacional/2020/02/10/actualidad/1581352912_665482.html
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
http://www.cyberseer.net/wp-content/uploads/2018/11/Cyberseer-UK-Sec-Show-From-IOC-to-TTP-How-Attack-Chains-Have-Evolved.pdf
https://latam.kaspersky.com/blog/que-es-apt/761/
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
https://capec.mitre.org/data/index.html
64. Thank you very much!!
Questions, requests and complaints:
@martixx
Marta.lopez.pardal@Gmail.com