What is an advanced persistent threat (APT)? Definition, list, examples and management best practices


An advanced persistent threat (APT) is defined as a sophisticated, multi-staged cyberattack whereby an intruder establishes and maintains an undetected presence within an organization’s network over an extended period of time. 

The target may be a government or a private organization and the purpose may be to extract information for theft or to cause other harm. An APT may be launched against one entity’s systems to gain access to another high-value target. Both private criminals and state actors are known to carry out APTs. 

The groups of threat actors that pose these APTs are carefully tracked by multiple organizations. Security firm CrowdStrike tracks over 170 APT groups, and reports having observed a nearly 45% increase in interactive intrusion campaigns from 2020 to 2021. While (financial) e-crime is still the most common motive identified, nation-state espionage actions are growing more rapidly and are now a strong second in frequency.

An APT is comprised of three main stages:

  1. Network infiltration
  2. The expansion of the attacker’s presence
  3. The extraction of amassed data (or, in some cases, the launch of sabotage within the system)

Because the threat is designed to both avoid detection and reach very sensitive information or processes, each of these stages may involve multiple steps and be patiently conducted over an extended period of time. Successful breaches may operate undetected over years; but some actions, such as jumping from a third-party provider to the ultimate target or executing a financial exfiltration, may be done very rapidly.

APTs are known for using misdirection to avoid correct, direct attribution of their work. To throw off investigators, an APT group acting for one country might embed language from another country within its code. Investigating firms may have close relationships with a government’s intelligence agencies, leading some to question the objectivity of their findings. But especially with widespread attacks, consensus may be found.

Perhaps the best-known recent APT is the SolarWinds Sunburst attack that was discovered in 2020 but remained problematic well into 2021. The U.S. Government Accountability Office (GAO) provides a timeline of its discovery and the private and public sector response. Another recently discovered APT is Aquatic Panda, which is believed to be a Chinese group. As listed in MITRE’s ATT&CK database, it is believed to have been active since at least May 2020, conducting both intelligence collection and industrial espionage primarily in technology and telecom markets and the government sector.

The tactics, techniques and procedures (TTPs) of APTs are regularly updated in response to constantly evolving environments and countermeasures. Trellix’s Head of Threat Intelligence reports, “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors.”

As Gartner analyst Ruggero Contu has noted, “The pandemic accelerated hybrid work and the shift to the cloud, challenging the CISO to secure an increasingly distributed enterprise. The modern CISO needs to focus on an expanding attack surface created by digital transformation initiatives such as cloud adoption, IT/OT-IoT convergence, remote working, and third-party infrastructure integration.”

Threat actors employ continuous and often complex hacking techniques. They typically perform a thorough analysis of a company, review its leadership team, profile its users and obtain other in-depth details about what it takes to run the business. Based on this assessment, attackers attempt to install one or more backdoors so that they can gain access to an environment without being detected.

The lifecycle of an advanced persistent threat

Lockheed Martin’s cyber kill chain framework serves as a helpful reference for the lifecycle of advanced persistent threats. The process consists of seven steps, beginning with reconnaissance. 

The basic cyber kill chain model steps are the following:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objective
  8. Monetization: This eighth step has been added by some to the original model.

Attackers will analyze the leadership team, they will analyze the type of business, and they will understand exactly what type of target it is. As the attack evolves from reconnaissance to weaponization, attackers will determine the most efficient method for exploiting vulnerabilities. 

The attacker may exploit vulnerabilities in systems and cloud services, or they may exploit employees through phishing-style attacks. Having selected the approach or approaches that they wish to take, they will deliver malware or exploit vulnerabilities that will allow them access to the environment. An attacker will then install a remote-access Trojan or a backdoor mechanism to maintain persistent access to the system. 

It is common for a command-and-control system to be set up where the environment sends out heartbeats to an external server or service so that the attacker may execute or download malicious files to the environment, or exfiltrate data out of the environment.
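The heartbeat pattern described above is one of the few C2 traits a defender can measure without knowing the malware involved: implants tend to check in at near-constant intervals. The following is an added example, not code from the original article; the log format, host names and thresholds are assumptions, and the sample log is constructed. It groups outbound connections by source and destination and flags pairs whose gaps between connections are unusually regular.

```python
"""Flag (source, destination) pairs whose connection timing looks like a heartbeat."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (assumed format): timestamp, internal host,
# destination, bytes sent.
SAMPLE_LOG = """\
2022-11-01T09:00:00 ws-014 cdn-sync.example.net 412
2022-11-01T09:01:10 ws-022 intranet.example.com 1830
2022-11-01T09:02:45 ws-022 intranet.example.com 920
2022-11-01T09:05:02 ws-014 cdn-sync.example.net 412
2022-11-01T09:07:30 ws-014 mail.example.com 5400
2022-11-01T09:09:58 ws-014 cdn-sync.example.net 412
2022-11-01T09:15:01 ws-014 cdn-sync.example.net 412
2022-11-01T09:17:30 ws-022 intranet.example.com 2210
2022-11-01T09:18:05 ws-022 intranet.example.com 640
2022-11-01T09:20:00 ws-014 cdn-sync.example.net 412
2022-11-01T09:24:59 ws-014 cdn-sync.example.net 412
2022-11-01T09:26:40 ws-014 mail.example.com 3100
2022-11-01T09:30:03 ws-014 cdn-sync.example.net 412
2022-11-01T09:35:00 ws-014 cdn-sync.example.net 412
2022-11-01T09:41:00 ws-022 intranet.example.com 1500
2022-11-01T09:43:20 ws-022 intranet.example.com 770
2022-11-01T10:02:15 ws-014 mail.example.com 4800
2022-11-01T10:30:00 ws-022 intranet.example.com 990
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_events=6, max_cv=0.10):
    """Return pairs whose inter-connection gaps have a low coefficient of variation.

    cv = stddev(gaps) / mean(gaps). Human-driven traffic is bursty (cv near or
    above 1); a timer-driven check-in stays close to 0 even with a little jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), rows in by_pair.items():
        if len(rows) < min_events:
            continue  # too few samples to say anything about regularity
        rows.sort()
        stamps = [ts for ts, _ in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps, nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(rows),
                "mean_gap_s": avg,
                "cv": cv,
                "bytes_out": sum(size for _, size in rows),
            })
    # Most regular first: those are the strongest heartbeat candidates.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"every ~{f['mean_gap_s']:.0f}s (cv={f['cv']:.3f}), "
              f"{f['bytes_out']} bytes out")
```

A hit is a lead for triage, not a verdict: software updaters and monitoring agents also poll on timers, so known-good destinations need an allowlist, and implants that add heavy jitter will need a looser threshold or a longer observation window.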

This is a useful model, but cyber-attackers have adapted to it. They sometimes skip steps or combine several of them into one action to reduce the time needed to infiltrate and infect. As part of the process, bad actors will develop customized tools (or acquire them on the dark web) to attack a specific organization or type of organization. 

In some cases, cybercriminals have become deft at covering their tracks. By remaining undetected, they have the opportunity to use back doors over and over for additional raids.

As well as there being a lifecycle for one advanced persistent threat, there is also the lifecycle of the attackers to consider. Carric Dooley, managing director of incident response at Cerberus Sentinel, notes that the groups tend to evolve as well as come and go over time.

He gives the example of DarkSide, which became DarkMatter, and has now spun off into the BlackCat criminal group.

 “They evolve their approach, [their] tooling, how they define and select targets, and business models based on staying ahead of the good guys using ‘what works today’,” he said. “Some take a break after making a pile of cash and some retire or let the heat from law enforcement die down.”  

Thus, some APT groups remain active over the long term. Others that have been dormant for many years suddenly get back into business. But it is hard for the defending organizations or nations to accurately categorize who or what is attacking them. Apart from the obfuscation techniques delivered by nation-state-sponsored actors, it may be that APT groups perceived as different are actually one entity, but the individuals that compose them and their malware tools are changing and evolving.

List of key threats

By their nature, new advanced persistent threats based on novel techniques are commonly operating without yet having been detected. Moreover, especially challenging attacks may still be perpetrated on organizations long after they were initially identified (e.g. SolarWinds). 

However, new common trends and patterns are regularly recognized and replicated until the means are found to render them ineffective. Kaspersky, a Russian internet security firm, has identified the following major trends in APTs:

  • The private sector supporting an influx of new APT players: Commercially available products such as the Israeli firm NSO Group’s Pegasus software, which is marketed to government agencies for its zero-click surveillance capabilities, are expected to find their way into an increasing number of APTs.
  • Mobile devices exposed to wide, sophisticated attacks: Apple’s new Lockdown Mode for its iOS 16 iPhone software update is intended to address the exploitation of NSO Group’s spyware that was discovered in 2021, but its phones still join Android and other mobile products as prime targets of APTs.
  • More supply-chain attacks: As exemplified by SolarWinds, supply chain attacks should continue to provide an especially fruitful approach to reaching high-value government and private targets.
  • Continued exploitation of work-from-home (WFH): With the rise of WFH arrangements since 2020, threat actors will continue to exploit employees’ remote systems until those systems are sufficiently hardened to discourage exploitation.
  • Increase in APT intrusions in the Middle East, Turkey and Africa (META) region, especially in Africa: With a deteriorating global geopolitical situation, espionage is rising where relevant systems and communications are most vulnerable.
  • Explosion of attacks against cloud security and outsourced services: With the trend toward using an initial breach via a third-party system to reach an ultimate target, cloud and outsourcing services are more often being challenged.
  • The return of low-level attacks: With the increased use of Secure Boot closing down more straightforward options, attackers are returning to rootkits as an alternative path into systems. 
  • States clarify their acceptable cyber-offense practices: With national governments increasingly both targets and perpetrators of cyber intrusions, they are increasingly formalizing their positions as to what they officially consider to be acceptable.

10 examples of advanced persistent threat groups

APTs can’t be thought of in the same way as the latest strain of malware. They should be considered to be threat groups that use a variety of different techniques. Once an APT gains success, it tends to operate for quite some time. Here are some examples from MITRE’s database: 

  1. APT29: Thought to be connected to Russia’s Foreign Intelligence Service (SVR). It has been around since at least 2008. Targets have included governments, political parties, think tanks and industrial/commercial entities in Europe, North America, Asia and the Middle East. Sometimes called Cozy Bear, CloudLook, Grizzly Steppe, Minidionis and Yttrium.
  2. APT38: Also known as Lazarus Group, Gods Apostles, Gods Disciples, Guardians of Peace, ZINC, Whois Team and Hidden Cobra. It tends to target Bitcoin exchanges, cryptocurrency, and most famously Sony Corp. Believed to be North Korean in origin.
  3. APT28: Also known as Fancy Bear, Sofacy and Sednit. This group has gained notoriety for attacking political groups, particularly in the U.S., but also in Germany and Ukraine.
  4. APT27: Also known as LuckyMouse, Emissary Panda and Iron Tiger. Successes have included aerospace, education and government targets around the world. Thought to be based in China.
  5. REvil: Also known as Sodinokibi, Sodin Targets, GandCrab, Oracle and Golden Gardens. It gained prominence a few years back via REvil ransomware attacks.
  6. Evil Corp: Also known as Indrik Spider. This group specializes in the financial, government and healthcare sectors. The BitPaymer ransomware, for example, paralyzed IT systems around the U.S. The group originated in Russia and has been the subject of investigation and sanctions by the U.S. Justice Department.
  7. APT1: Also known as Comment Crew, Byzantine Hades, Comment Panda and Shanghai Group. Operating out of China, it targets aerospace, chemical, construction, education, energy, engineering, entertainment, financial and IT around the world.
  8. APT12: Also known as Numbered Panda, Calc Team and Crimson Iron. It primarily goes after East Asian targets but has enjoyed success against media outlets including the New York Times.
  9. APT33: Also known as Elfin and Magnallium. It obtains support from the government of Iran and focuses on the aerospace and energy sectors in Saudi Arabia, South Korea and the U.S.
  10. APT32: Also known as OceanLotus, Ocean Buffalo and SeaLotus. Primary targets have been in Australia and Asia including the breach of Toyota. The group is based in Vietnam.

10 best practices for advanced persistent threat identification and management 

It is inherently difficult to identify APTs. They are designed to be stealthy, facilitated by the development and illicit traffic in zero-day exploits. By definition, zero-day exploits cannot be directly detected. However, attacks tend to follow certain patterns, pursuing predictable targets such as administrative credentials and privileged data repositories representing critical enterprise assets. Here are 10 tips and best practices for avoiding and identifying APT intrusion:  

  1. Threat modeling and instrumentation: “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls,” according to Igor Volovich, vice president of compliance for Qmulos. “Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.”

  2. Stay vigilant: Pay attention to security analyst and security community postings that keep track of APT groups. They look for related activities that indicate the actions of threat groups, activity groups and threat actors, as well as signs of activities such as new intrusion sets and cyber-campaigns. Organizations can gain intelligence from these sources and use it to analyze their own assets to see if they overlap with any known group motivations or attack methods. They can then take appropriate action to safeguard their organizations.

  3. Baseline: In order to detect anomalous behavior in the environment and thereby spot the tell-tale signs of the presence of APTs, it is important to know your own environment and establish a common baseline. By referring to this baseline, it becomes easier to spot odd traffic patterns and unusual behavior.

  4. Use your tools: It may be possible to identify APTs using existing security tools such as endpoint protection, network intrusion prevention systems, firewalls and email protections. Additionally, consistent vulnerability management and the use of observability tools along with quarterly audits can be helpful in deterring an advanced persistent threat. With full log visibility from multiple layers of security technology, it may be possible to isolate actions associated with known malicious traffic.

  5. Threat Intelligence: Data from security tools and information on potentially anomalous traffic should be reviewed against threat intelligence sources. Threat feeds can help organizations clearly articulate the threat and what it can potentially mean to the affected organization. Such tools can assist a management team in understanding who might have attacked them and what their motives might have been.

  6. Expect an attack: Advanced persistent threats are generally associated with state-sponsored cyberattacks. But public and private sector organizations have also been hit. Financial and tech companies are considered at greater risk, but these days no one should assume they will never receive such an attack, even SMBs. “Any organization that stores or transmits sensitive personal data can be a target,” says Lou Fiorello, vice president and general manager of security products at ServiceNow. “It stems, in part, from the rise of commodity malware: We are seeing some crime groups gaining large amounts of wealth from their nefarious activities that enable them to purchase and exploit zero-day vulnerabilities.”

  7. Focus on intent: Volovich recommends that organizations adopt controls capable of detecting malicious activity based on intent rather than a specific technique as a strategic direction that enterprises should pursue in thwarting APTs. This can be looked upon as an outcomes-based risk management strategy that informs tactical decisions about tool portfolios and investment priorities, as well as architecture and design direction for critical applications and workflows.

  8. Compliance: As part of ongoing compliance initiatives, organizations should establish a solid foundation of security controls aligned to a common framework such as NIST 800-53 or ISO 27001. Map current and planned technology investments to the chosen framework’s control objectives to identify any gaps to be filled or mitigated.

  9. Know your tools and frameworks: Some organizations go to great lengths to comply with every line item in one security or compliance framework or another. However, this can take on the color of achieving compliance for its own sake (which may be required in some industries). Various compliance and security frameworks should serve as useful guides as well as models for consistent management of risk, but they are not the ultimate objective of a program that will stop APTs in their tracks. Focus on assessing and improving the maturity of the controls and tools themselves and your overall capacity for managing risk.

Vendors and service providers tasked with helping organizations respond to an incident know this well: The victims are often guilty of not even covering security program hygiene at a basic level. Some have little or no detection and response capability, so they miss obvious signs of APT activity. This boils down to implementing standards, frameworks and tools superficially. These organizations did not take the extra steps of ensuring that IT and security personnel become skilled (and certified) in their use.

“Having a tool isn’t the same as knowing how to use it and achieving mastery,” Dooley observes. “I can go buy a combo table saw, router and lathe, but with no experience, what do you think my furniture will look like?” 

  10. Simple fundamentals: There are so many security systems out there, and so many new ones appearing every month, that it is easy to lose track of the fundamentals. Despite all the complexity and sophistication behind the APT, malicious actors often make their initial forays using the simplest attack vectors. They use all manner of phishing techniques to trick users into installing applications or letting them into systems. Two actions that should now be regarded as essential are security awareness training of all employees to guard against social engineering, and two-factor authentication.

“A key component of reducing risk is training your users on how to identify and respond to phishing attempts,” offers Brad Wolf, senior vice president, IT operations at NeoSystems. “A password alone is insufficient to protect yourself against today’s threat landscape; enable two-factor authentication if you haven’t done so yet.”
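To make the baseline practice (item 3 above) concrete, here is an added example that is not part of the original article: it builds a per-host baseline of daily outbound traffic and flags hosts that depart from it. The host names, the megabyte figures and the 3.5 threshold are assumptions, and all data is constructed. It uses the median and the median absolute deviation (MAD) so that one earlier spike in the history does not stretch the baseline and hide the next one.

```python
"""Per-host outbound-traffic baseline using median and MAD (robust z-score)."""
from statistics import median

# Constructed history: outbound megabytes per day for the last 14 days.
HISTORY_MB = {
    "db-01":  [220, 240, 210, 235, 225, 230, 215, 245, 228, 232, 219, 238, 226, 231],
    "ws-014": [120, 135, 110, 140, 125, 130, 118, 122, 138, 127, 133, 115, 129, 124],
}

# Constructed observations for the day under review.
TODAY_MB = {"db-01": 5400, "ws-014": 130, "ws-099": 50}


def build_baseline(history, min_days=7):
    """Return {host: (median, mad)} for hosts with enough history."""
    baseline = {}
    for host, days in history.items():
        if len(days) < min_days:
            continue  # not enough data to call anything "normal" yet
        med = median(days)
        mad = median([abs(x - med) for x in days])
        baseline[host] = (med, mad)
    return baseline


def score(baseline, today, threshold=3.5):
    """Return alerts as (host, reason, robust_z) tuples, sorted by host."""
    alerts = []
    for host, value in sorted(today.items()):
        if host not in baseline:
            # A host the baseline has never seen is itself worth a look.
            alerts.append((host, "no baseline", None))
            continue
        med, mad = baseline[host]
        # A MAD of 0 means the history was constant; use a small floor so the
        # division is defined and tiny wobbles do not alert.
        spread = mad if mad > 0 else max(0.01 * med, 1.0)
        # 0.6745 scales MAD so the score is comparable to a standard z-score.
        z = 0.6745 * (value - med) / spread
        if abs(z) > threshold:
            alerts.append((host, "deviates from baseline", round(z, 1)))
    return alerts


if __name__ == "__main__":
    for host, reason, z in score(build_baseline(HISTORY_MB), TODAY_MB):
        print(host, reason, "" if z is None else f"z={z}")
```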


China bots flood Twitter with porn spam to drown protest news


China bots flood Twitter with porn spam to drown out protest messages

Widespread protests erupted in China this weekend, marking “the largest opposition demonstration against the ruling Communist Party in decades,” AP News reports. Many protesters attempted to live-document the events to raise awareness and show solidarity on Twitter. The demonstrations were so strong that the Chinese authorities actually appeared to relent, appeasing some of the protesters’ demands by easing the tight lockdown restrictions that had sparked the protests.

This could have been a moment that showed that under Elon Musk, Twitter is still a relevant source for breaking news, still a place for free speech demonstrations to reach the masses, and therefore still the only place to track escalating protests like this. Instead, The Washington Post reported that a barrage of “useless tweets” effectively buried live footage of protests. This prevented users from easily following protest messages, while Twitter appeared to do nothing to stop what researchers called an apparent Chinese influence operation.

For hours, those tweets dropped Chinese city names where protests took place in posts mostly promoting pornography and adult escort services. And it worked, preventing users trying to search city names in Chinese from easily seeing updates on the protests. Researchers told the Post that the tweets were posted by a number of Chinese-language accounts that haven’t been used in months or even years. The tweets appeared early Sunday, shortly after protesters began calling for the resignation of Communist Party leaders.

Examples of tweets can be seen here.

Researchers quickly took note of the alleged Chinese influence operation very early on Sunday. Some took to Twitter directly. Eventually, an outside researcher was able to reach a current Twitter employee who confirmed that Twitter was working to resolve the issue. However, experts told the Post that Twitter’s solution appeared to only reduce the problem, not solve it entirely. Alex Stamos, director of the Stanford Internet Observatory, told the Post his team continued to study the scope and impact of the operation.

Stamos did not immediately respond to Ars’ request for comment. Twitter reportedly does not have a communications team.

A former Twitter employee told The Post that what Stamos’ team observed was a common tactic used by authoritarian regimes to restrict access to news. Normally, Twitter’s anti-propaganda team would have manually deleted the accounts, the former employee said. But like many other teams hit by Twitter layoffs and resignations, this team has been severely reduced.

“All China influence operations and analysts at Twitter have all resigned,” the former Twitter staffer told The Post.

Verification of automatic content removal is increasing

In reducing content moderation teams, Musk appears to be relying primarily on automated content removal to detect violations that previous employees had manually monitored. It has become an issue that extends beyond China. Also this weekend, French regulators said they had become dubious that Twitter was capably stopping the spread of misinformation, and the New Zealand government had to step in and contact Twitter directly when Twitter failed to identify banned footage of the Christchurch terrorist attack.

A spokesman for New Zealand Prime Minister Jacinda Ardern told The Guardian that “Twitter’s automated reporting feature did not identify the content as harmful.” Apparently, the entire Twitter team that New Zealand wanted to work with to block such extremism-related content was fired.

Now Ardern’s office says “only time will tell” if Twitter is truly committed to removing harmful content, and other governments around the world seem to agree. Just today, French communications regulator Arcom told Reuters that “Twitter has demonstrated a lack of transparency in its fight against misinformation” by releasing a report that specifically notes how “inaccurate” the company has been about how its automated tools combat misinformation.

According to European Union data verified by AP, Twitter had already become lazy about removing hate speech and misinformation over the past year, even before Musk took over. But it’s Musk who must face up to governments scrambling to ensure Twitter’s content moderation actually works to prevent extremism and disinformation campaigns from spreading online and causing real harm.

By mid-2023, Musk will feel more pressure to respond to concerns from countries in the EU, which will soon enact stricter rules to protect online safety. If he doesn’t, he risks fines of up to 6 percent of Twitter’s global revenue, AP reports.

Right now, however, Musk is basically doing the opposite of what online security experts want, according to the AP. While Musk is granting “amnesty” to suspended Twitter accounts, experts told AP they predict misinformation and hate speech will only increase on the platform.

Those experts included members of Twitter’s Trust and Safety Council, who confirmed that the group has not met since Musk acquired it and appears unsure if a scheduled meeting for mid-December will take place. So far, Musk seems to favor Twitter polls over trusting expert opinion when making decisions about restoring suspended accounts. One council member, University of Virginia cyber civil rights expert Danielle Citron, told the AP that “the whole point of the permanent suspension is that these people were so bad, they were bad for business.”

Ars couldn’t immediately reach Citron for comment, but she told AP that — like rumors Twitter could crack at any moment — Musk’s amnesty for suspended accounts is another “disaster to come.”


BlockFi Files for Bankruptcy as FTX Fallout Spreads


BlockFi, a cryptocurrency lender catering to ordinary investors craving a slice of crypto-mania, filed for bankruptcy Monday, brought down by its financial connections to FTX, the embattled exchange whose recent demise has shaken the crypto industry to the core.

Based in Jersey City, NJ, BlockFi marketed primarily to retail investors, offering them cryptocurrency-backed loans and accounts paying high interest on crypto deposits in minutes with no credit checks. Last year, the lender said it had more than 450,000 retail customers.

On Monday, BlockFi, which was founded in 2017, filed for Chapter 11 protection in New Jersey. Its implosion is the latest example of an industry on shaky foundations, with companies so intertwined that a single wobble can unleash financial chaos.

BlockFi isn’t the first crypto lender to file for bankruptcy. In July, two of its competitors, Celsius Network and Voyager Digital, collapsed within a week. They struggled to find their feet after a spring market panic when the value of many high-profile cryptocurrencies plummeted. Bitcoin alone fell 20 percent in a week.

BlockFi had faltered ever since. In June, to stabilize itself, the lender struck a deal with FTX, which was then seen as a safety net given the exchange’s credibility and dominance in the crypto industry. FTX agreed to provide the company with a $400 million line of credit, essentially a loan that BlockFi can draw on as needed.

Announcing the funding, BlockFi CEO Zac Prince said it would “give access to capital that further strengthens our balance sheet.” The deal also gave FTX an option to buy BlockFi.

BlockFi then borrowed $275 million from a subsidiary of FTX, according to its bankruptcy filings. This financial entanglement meant that when FTX plummeted and was forced to file for bankruptcy amid revelations of corporate missteps and suspicious management, BlockFi also began to struggle.

A few days after the stock market crash, BlockFi told clients they were unable to withdraw their deposits because the company had “significant exposure” to FTX, including additional funds the company had hoped to receive under the agreement and other assets held on the FTX platform.

In its Monday filing, BlockFi said it had about $257 million in cash on hand to support its business through bankruptcy. The company said in court filings it had more than 100,000 creditors and $10 billion in assets and liabilities. It also said it would significantly reduce costs, including labor costs. Last year it employed 850 people.

BlockFi also said it will focus on collecting all obligations to the company, including those from FTX. However, it warned of delays in recovering assets from FTX amid the exchange’s bankruptcy.

John J. Ray III, FTX’s new chief executive officer, who previously ran Enron during its bankruptcy, has called corporate dysfunction at FTX “unprecedented.” Legal experts say it could take years to wind down and recover assets.

Regulators had already scrutinized BlockFi. In February, the Securities and Exchange Commission obtained a $100 million settlement with the company’s credit department for offering loans without registering them as securities and for not registering as an investment company. The SEC also found that BlockFi made false and misleading statements about the level of risk in its loan portfolio and its lending operations.

BlockFi still owes the SEC $30 million according to its bankruptcy filing, making the country’s top securities cop its fourth-largest creditor. It owes $275 million to West Realm Shires, the parent company of US exchange FTX and BlockFi’s second-largest creditor. Its largest creditor is the Ankura Trust Company, which specializes in administering loans to distressed companies, at around US$729 million.

“BlockFi has worked from the beginning to positively shape the cryptocurrency industry and move the sector forward,” said Mark Renzi of Berkeley Research Group, a financial advisor to the company. “BlockFi looks forward to a transparent process that achieves the best outcome for all customers and other stakeholders.”

BlockFi’s other bankruptcy advisors include law firm Haynes and Boone, investment bank Moelis & Company and strategic advisor C Street Advisory Group.


The 10 best games of 2022, according to Time


Editorial opinion: Another year is almost in the record books, and that’s reason enough for Time to share its top 10 video games of 2022. These kinds of lists usually disappoint, but it seems the release got it right for the most part this time.

Teenage Mutant Ninja Turtles: Shredder’s Revenge came in 10th place. It is a co-op brawler from Dotemu featuring side-scrolling action, a pixelated art style and voice acting from the original cartoon actors. Shredder’s Revenge launched digitally on most major platforms, and Limited Run did a Collector’s Edition that should be delivered in early 2023.

Lego Star Wars: The Skywalker Saga and Resident Evil Village: Shadows of Rose take 9th and 8th place respectively. Lego and Star Wars are two of the hottest brands out there, and the newly launched Resident Evil DLC adds even more content to an already great game.

Martial arts game Sifu is Time’s seventh favorite game, just behind The Last of Us Part 1. The former released in February for PS4, PS5 and Windows (and earlier this month for Switch) and puts players in control of the child of a martial arts school master who seeks revenge for her father’s death. The Last of Us needs no introduction – Part 1 is a remake of the original 2013 game, improving the overall formula for the PS5.

Cat simulator Stray took fifth place, but it’s more than just performing basic cat activities. The game challenges players to use their skills to survive their environment, solve puzzles and unravel mysteries.

Fourth-place finisher Elden Ring got off to a flying start, selling over 12 million copies in less than a month (and over 17.5 million in October). Interactive horror drama The Quarry, the spiritual successor to Until Dawn, took third place after its launch in mid-2022. I’m a bit surprised it finished ahead of some of the other heavyweights on the list, but maybe it’s worthy.

Horizon: Forbidden West and God of War: Ragnarok took second and first, and neither feels out of place here. Horizon Forbidden West currently has a Metacritic Score of 88 and God of War: Ragnarok is ranked even higher at 94.

Here is a brief summary of the Time list:

  • 10. TMNT: Shredder’s Revenge
  • 9. Lego Star Wars: The Skywalker Saga
  • 8. Resident Evil Village: Shadow of the Rose
  • 7. Sifu
  • 6. The Last of Us Part 1
  • 5. Stray
  • 4. Elden Ring
  • 3. The Quarry
  • 2. Horizon Forbidden West
  • 1. God of War: Ragnarok

Do you think Time has mostly got it right? Are there any glaring omissions? Do let us know your thoughts in the comment section below.