Presented at ShmooCon XV (2019)
Jan. 19, 2019, 11 a.m.
WhiteRabbit is an open-source security research tool built on top of BlockSci, a blockchain analysis and exploration framework. In this presentation we will show how to leverage Bitcoin addresses associated with known ransomware campaigns and track payments made to these addresses. Our goal is to provide a tool that can act as another intelligence collection system for SOC analysts, threat hunters, malware researchers, and other defenders by leveraging Bitcoin public ledger data. This intelligence collection system allows analysts to track the activity of known ransomware and assess the impact of these campaigns by looking directly at the amount of payments received. Furthermore, as cryptocurrencies continue gaining traction in public markets and criminal networks, we will demonstrate why Bitcoin wallet and other cryptocurrency addresses should be added as indicators of compromise (IOCs) to the “Pyramid of Pain.”
Nicolas (@NKseib) is the Lead Data Scientist at TruSTAR Technology, a cyber intelligence platform built to accelerate enterprise security investigations. He leads the company’s data science initiatives and roadmap. He is always thinking of ways to leverage analytics and machine learning to design features that improve the operational efficiency of security teams. Before joining TruSTAR, Nicolas received his M.S. and Ph.D. in Mechanical Engineering from Stanford University, specializing in Flow Physics and Computational Engineering.
Olivia Thet (@thet_threat) is a Fullstack Software Engineer at TruSTAR Technology, an intelligence platform that helps organizations leverage multiple sources of threat intelligence and fuse them with historical event data to prioritize and enrich investigations. Olivia oversees TruSTAR’s Enclave knowledge management architecture, and she’s passionate about helping teams collaborate better. Before joining TruSTAR, Olivia received her B.A. in Applied Mathematics and Computer Science from UC Berkeley.