Can Ducks Teach Us how to Share: What hunting Qakbot and other threats teach us about CTI

Presented at CactusCon 11 (2023), Jan. 27, 2023, 10:30 p.m. (60 minutes).

Do current industry Threat Intelligence practices often leave you tired of chasing IoCs, only to find previously remediated victim servers and terminated cloud instances, leaving you feeling unprepared to face the threat you've just been informed of? What can hunting for Qakbot and other threats teach us about how we can improve our Cyber Threat Intelligence? Some threats evolve so quickly that attacks on our environments precede the intel and signatures needed to detect and prevent them. Our adversaries can leverage ephemeral or compromised infrastructure so effectively that by the time CTI contributors and vendors are able to aggregate, analyze, and disseminate actionable intelligence, the adversaries have moved on. Botnets comprised of Internet of Things appliances, enterprise servers, and personal computing devices host services available for rent on eCriminal marketplaces. Networks such as these, automation, affiliate programs, and other third-party eCriminal services empower the adversaries we face today. That doesn't mean Threat Intelligence Sharing is dead; however, perhaps the evolving toolset of our adversaries and their growing collaboration can be met with some adaptation of our own. Let's talk about how the Threat Hunting discipline has enabled a new level in the ongoing evolution of Threat Information Sharing. In this talk, we will examine some CTI-driven Threat Hunts for elusive and dangerous threats while considering the lessons they have to teach us about our Threat Intelligence Sharing.

Presenters:

  • Christian Taillon - Threat Response Engineer - Grand Canyon Education
    Christian contributes to Grand Canyon Education's IT Security team as a Threat Response Engineer. His efforts focus primarily on improving the Security team's operational tools and capabilities to efficiently detect and effectively respond to threats. This is done primarily through work relating to SIEM, EDR, NTA, and an evolving Threat Intelligence program. He enjoys contributing to the larger community via various Threat Intelligence content development efforts and open-source projects. He leads Threat Exchanges as a Global Watch Center Handler for ACTRA, where he also teaches for their Academy. He works as a Solutions Architect for the Cyber Resiliency Institute and contributes to SPORTS-ISAO as a member of the COTH team. When away from the keyboard, he enjoys camping, kayaking, and hiking with his wife.
