Detecting Blue Team Research Through Targeted Ads

Presented at DEF CON 26 (2018), Aug. 11, 2018, 1:30 p.m. (20 minutes)

When my implant gets discovered how will I know? Did the implant stop responding for some benign reason or is the IR team responding? With any luck they'll upload the sample somewhere public so I can find it, but what if I can find out if they start looking for specific bread crumbles in public data sources? At some point without any internal data all blue teams turn to OSINT which puts their searches within view of the advertising industry. In this talk I will detail how I was able to use online advertising to detect when a blue team is hot on my trail.

Presenters:

• 0x200b - Hacker
  I'm just a Security researcher who's always using tools in unintended ways. I'm a defender by trade, I work on understating the adversary then designing the mitigations based on what I've learned. Currently I work at the intersection of healthcare and the cloud, designing systems that make it harder for the adversary to operate.

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#0x200b
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - 0x200b - Detecting Blue Team Research Through Targeted Ads.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - 0x200b - Detecting Blue Team Research Through Targeted Ads.srt (subtitles)
• https://www.youtube.com/watch?v=wlKqyuefE1E

Similar Presentations:

• May Contain Hackers (MCH2022) / How to sneak past the Blue Team of your nightmares
• Diana Initiative 2020 Virtual / No Mom, I’m not a Hacker
• BruCON 0x0A (2018) / Mirror on the wall: using blue team techniques in red team ops