This talk turns the defensive measures used by APT malware in the wild into actionable insights into previously unknown operations. Hunting on seemingly innocuous threads reveals a breadth of offensive activity that has gone unnoticed for the past decade.
Proactive defense is a matter of situational awareness. It involves hunting on what are sometimes anemic threads and deriving actionable context from them. Whenever defenders share information with the community, we jump on the opportunity to build on each other’s work. Why not do the same with our attackers?
In recent years, we’ve become increasingly aware that defenders (conventionally defined) are not the only ones interested in cyber situational awareness. High-end malware families employ defensive measures to avoid operating on victim boxes already infected by ‘friends or foes’. The attackers are trying to avoid getting burned alongside another attacker’s noisier toolkit, colliding with a friendly operation, or, more subtly, fourth-party collection dynamics, in which one actor harvests what another has already stolen, leaving their own intelligence collection operations vulnerable to piggybacking.
For us, studying attacker dynamics in the wild is an opportunity to piggyback on the situational awareness of organizations positioned to view APT conflicts from an entirely different vantage point: the trenches of shared victimology. As defenders, we have an obvious remit to turn every such insight into actionable defense, so that the internet ecosystem as a whole is better protected.
This talk will explore how attackers monitor one another, shedding light on our blind spots (previously unknown operations and actor dynamics) and expanding our defensive capabilities against our common foes.