Mining Disputed Territories: Studying Attacker Signatures for Improved Situational Awareness

Presented at REcon 2019, June 30, 2019, 10 a.m. (60 minutes)

This talk will turn the defensive measures used by APT malware in-the-wild into actionable insights into previously unknown operations. Hunting on seemingly innocuous strands reveals a breadth of offensive activity that has gone unnoticed for the past decade.

Proactive defense is a matter of situational awareness. It involves hunting on what are sometimes anemic threads and deriving actionable context. Whenever defenders share information with the community, we jump on the opportunity to build off of each other’s work. Why not do the same with our attackers?

In recent years, we’ve become increasingly aware that defenders (conventionally defined) are not the only ones interested in cyber situational awareness. High-end malware families employ defensive measures to avoid operating on victim boxes already infected by ‘friends or foes’. The attackers are trying to avoid getting burned alongside another attacker’s noisier toolkit, conflicting with a friendly operation, or falling into more complex fourth-party collection dynamics that leave their intelligence collection operations vulnerable to piggybacking.

For us, studying attacker dynamics in-the-wild represents an opportunity to piggyback on the situational awareness of organizations positioned to view APT conflicts from an entirely different vantage point: the trenches of shared victimology. As defenders, we have an obvious remit to turn every possible insight into actionable defense so that the internet ecosystem as a whole is better defended.

This talk will explore insights into how attackers monitor one another, revealing the blind spots of previously unknown operations and actor dynamics, and expanding our defensive capabilities against our common foes.


Presenters:

  • Juan Andrés Guerrero-Saade
    Juan Andrés specializes in tracking advanced threat actors and elucidating concepts of digital espionage. He was formerly Principal Security Researcher with Kaspersky Lab's GReAT team. Before joining Kaspersky, he worked as Senior Cybersecurity and National Security Advisor for the Ecuadorian government. Juan Andrés comes from a background of specialized research in philosophical logic. His latest publications include 'The Ethics and Perils of APT Research: An Unexpected Transition Into Intelligence Brokerage', 'Wave your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks', and 'Walking in your enemy's shadow: when fourth-party collection becomes attribution hell'.
