I feel like the way some CTI research is done is fundamentally flawed sometimes. A lot of the time people treat each clue at face value. I think it's better to reserve judgment sometimes before confidently saying this or this must be X.
"Where is the sample submitted from? UK? The victim must be from the UK then!" whilst ignoring the possibility that the victim might have a VPN on since they're so prevalent these days, or even the possibility that the actor was the one who submitted it in the first place.
You can deduce and come to the conclusion that UK is a possible targeted country by checking if there has been a healthy stream of samples coming from the country, but at the same time who's to say a TA isn't poisoning the sample pool by submitting fake samples from the proposed country?
Similar things can be said about malware family attribution as well - a lot of the time CTI researchers use code overlap as a strong argument for relating one TA to the other, but who's to say someone didn't just read an OSINT report and decide "hey, that'd be a fun thing to implement in my loader", and/or use the same RAT while they're at it?
Idk just food for thought when I'm just lying in bed thinking about things
=> More information about this toot | View the thread | More toots from still@infosec.exchange