#RSAC
SESSION ID: SP01-W11
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Matthew Olney
Manager, Threat Intelligence and Interdiction
Cisco Systems
@kpyke
WEAPONIZING INTELLIGENCE: INTERDICTION IN TODAY’S THREAT LANDSCAPE
Matthew Olney, Talos Threat Intelligence & Interdiction Group
WHO AM I?
Matthew Olney
Manager of Threat Intelligence and Interdiction
11 years with Sourcefire VRT and Cisco Talos
Prior to that, 10 years in network engineering and security
I’m on Twitter: @kpyke
THREAT INTEL
250+ full-time threat intel researchers
Millions of telemetry agents
4 global data centers
1100+ threat traps
100+ threat intelligence partners
1.5 million daily malware samples
600 billion daily email messages
16 billion daily web requests
20 billion threats blocked
Intel sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning
INTEL SHARING: TALOS INTEL BREAKDOWN
• Customer data sharing programs
• Provider coordination program
• Open source intel sharing
• 3rd party programs (MAPP)
• Industry sharing partnerships (ISACs)
500+ participants
WHAT IS INTERDICTION?
“Interdiction is a military term for the act of delaying, disrupting, or destroying enemy forces or supplies en route to the battle area.”
Threat Intelligence and Interdiction takes action:
• Outside the border of our customers’ networks
• To disrupt and degrade actor capability
• Using linguists, reverse engineers, incident responders, mathematicians, researchers and developers
• Working with law enforcement organizations (LEO), government and industry organizations, hosting providers and other intelligence partners
WE ARE SUCCESSFUL WITH FRIENDS — NOT TECHNOLOGY
Easy
• ISAC (Information Sharing and Analysis Center)
• Industry, National and Multinational CERTs
• Internet Service Providers
• Individual Researchers and Research Groups
• Industry Partners
• Competitors (Seriously)
Tricky
• Web Hosting Providers
Strategic
• Law Enforcement
• Military
• Government
“I apologize for being a black hole.”
– Undisclosed Government Agency
“It seems like they gave up after about 4 days of 2-3 orders a day. We have not seen any order attempts since 5/15. Thanks for the quick heads up, getting those C&C IPs into our netflow system stopped them cold.”
– Intelligence Partner, Angler Investigation
TRICKY: WEB HOSTING PROVIDERS
• Legal and economic barriers to cooperation
• Narrow profit margins
• Limited investment in abuse and security services
• But there are costs incurred by hosting malicious actors
  • LEO interactions
  • Abuse handling
  • Bandwidth, engineering, charge-backs
Let’s help each other
INTERDICTION CASE STUDY #1: SAMSAM & JBOSS
TWO CRITICAL JBOSS CVES
CVE-2007-1036
• “…JBoss does not restrict access to the console and web management interfaces…”
CVE-2010-0738
• “The JMX-Console web application … performs access control only for the GET and POST methods...”
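As an added detection example (not part of the talk), the following scans web access logs for the two weaknesses the slide quotes: a non-GET/POST request reaching the JMX console (the CVE-2010-0738 access-control gap) and a management interface answering 2xx to a source outside the management network (the CVE-2007-1036 exposure). The path list, the management network and the log lines are constructed for the example.

```python
"""Flag JBoss management-interface abuse in combined-format access logs.

Added example, not from the talk. Two rules derived from the CVE text on the slide:
  * CVE-2010-0738: the JMX-Console enforced its security constraint only for GET
    and POST, so any other verb reaching it is a bypass attempt.
  * CVE-2007-1036: console / web-management interfaces were reachable without
    authentication, so a 2xx served to a non-management source is an exposure.
The watched path prefixes, the management network and the sample log are all
constructed for this example (adjust to your deployment).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Management interfaces the two CVEs concern (assumed list).
MANAGEMENT_PREFIXES = ("/jmx-console", "/web-console", "/invoker")
# Methods for which the JMX-Console actually enforced access control.
ENFORCED_METHODS = {"GET", "POST"}
# Networks allowed to reach management interfaces (constructed).
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache/Tomcat combined-log prefix: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_management_path(path: str) -> bool:
    # Drop the query string and normalise case before matching.
    return path.split("?", 1)[0].lower().startswith(MANAGEMENT_PREFIXES)


def from_management_net(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def classify(entry: dict) -> Optional[Finding]:
    if not is_management_path(entry["path"]):
        return None
    if entry["method"] not in ENFORCED_METHODS:
        reason = "CVE-2010-0738 verb tampering: non-GET/POST request to management console"
    elif 200 <= entry["status"] < 300 and not from_management_net(entry["ip"]):
        reason = "CVE-2007-1036 exposure: management interface served 2xx to external source"
    else:
        return None
    return Finding(entry["ip"], entry["method"], entry["path"], entry["status"], reason)


def scan_log(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '10.0.4.7 - - [12/Mar/2016:09:14:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 4213',
    '203.0.113.9 - - [12/Mar/2016:09:15:10 +0000] "GET /jmx-console/ HTTP/1.1" 401 0',
    '203.0.113.9 - - [12/Mar/2016:09:15:11 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 0',
    '198.51.100.4 - - [12/Mar/2016:09:20:33 +0000] "POST /invoker/ HTTP/1.1" 200 1024',
    '198.51.100.4 - - [12/Mar/2016:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip:15} {f.method:5} {f.status} {f.path}  <- {f.reason}")
```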
JEXBOSS
“João Filho Matos Figueiredo, what did you do?”
– João’s mother, probably
SAMSAM
• Telemetry indicates December 2015 start date
• Network-wide ransomware attack
• Ransom paid via Bitcoin
• Seen in many verticals, but best known for activity in healthcare
• Uses ‘Jexboss’
• Multiple Cisco IR engagements
• Strong LEO interest
Ransom: 0.7-1.5 BTC per workstation; 22 BTC total for all keys
TALOS RESPONSE (MARCH)
Preliminary blog post:
• Samsam: The Doctor Will See You, After He Pays The Ransom
Research: How bad is this JBoss problem?
• Full IPv4 scan found roughly 3.2M IP addresses that behaved in a way suggesting they were vulnerable JBoss servers
Express mild concern on social media:
EMAIL OF THE YEAR: CISCO IR SHARES CRITICAL INTEL
Forensic timeline developed by Cisco IR
Day X
• JexBoss invocation & JBossAss backdoor installation
X+47 days
• File upload installed on web server
X+49 days
• Full webshell installed and CSVDE executed – Active Directory dump
X+73 days
• tunnel.jsp installed allowing IP tunnel
• Elevated privileged user connects via RDP
• Recon with Hyena
• Likely first use of admin credential
X+74 days
• Samsam encryption operation begins
“ACTIONABLE”
• There is a window between shell installation and file encryption
• I dramatically fail at math and also manage to underestimate the capabilities and determination of my team. They finished it over the weekend and had the results waiting for me Monday morning.
STATUS CHECK
2104 shells / 1575 unique IPs / 88 countries
http://<Jboss IP address>/status
http://<Jboss IP address>/status&full=true
2,176 uniquely-named shells
Almost 2000 notifications
• Intel partners
• Sales staff
• 20 Talos researchers
• 2 weeks
Samples gathered
• IR specialists on site
• Sample exchange with Follett and intel partners
New actors tracked
• JBoss status pages
• JBoss honeypots
Tracking compromised servers
NEW DATA FROM CISCO IR
• IR received a SAMSAM engagement from an unmarked IP address
  • Could be SSL on 443
  • Or, fairly often, on port 8080
• Run the same play
  • 2^32 scan for all 443 and 8080 ports displaying vulnerable JBOSS behavior
  • Scan potentially vulnerable hosts for known backdoors
JBOSS – THE SAGA CONTINUES
2,104 new targets
625 new backdoor IPs
• Notified servers not 100% remediated
• Actors continue to attack JBOSS servers
• Working with LEO
WHAT IS FLOKI BOT?
Floki Bot Strikes: Talos, Flashpoint and FIRST
FIRST – FIRST-PLUGIN.US
Function Identification and Recovery Signature Tool (IDA Pro plugin)
Streamline code research:
• Prevent duplication of effort
• Reduce analysis time
• Detect code reuse between malware families
Open beta: 133 users, 187,988 functions annotated
FIRST SYSTEM OVERVIEW
Check for Metadata
56 6A 0C 6A 01 E8 64 AB 00 00
Add Function Metadata
Name / Prototype / Comment
Update Function Metadata
With the most recent version
sub_401000
--------------------------------------------------
56 6a 0c 6a 01 e8 64 ab 00 00 8b f0 8b 44 24 10 89
46 04 8b 44 24 14 89 46 08 a1 08 b4 47 00 85 c0 59
59 74 12 83 3d 00 b4 47 00 00 75 09 ff 35 0c b4 47
00 ff d0 59 a1 04 b4 47 00 85 c0 74 04 89 30 eb 06
89 35 00 b4 47 00 89 35 04 b4 47 00 83 26 00 5e c3
HOW THE PLUGIN WORKS
Check for a function
or many at once
Plug-in sends the server the opcodes,
architecture, and APIs called by function
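The check / add / update flow of the system overview and the opcodes-plus-architecture-plus-APIs lookup described under "how the plugin works", as an added example: this is not FIRST's own code, wire protocol or hashing scheme (all assumed here). The function bytes are the sub_401000 dump from the slide; the API names, the image address range and the address-masking heuristic are constructed for the example.

```python
"""FIRST-style function metadata lookup (added example, not FIRST's code).

Derives a lookup key from a function's opcodes, architecture and called APIs,
then checks / adds / updates its Name, Prototype and Comment on a server;
an in-memory dict stands in for the server. The opcode bytes are the
sub_401000 dump from the slide (32-bit x86). The API list, the image range
and the masking heuristic are constructed assumptions, not FIRST's scheme.
"""
import hashlib
import struct
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

SUB_401000 = bytes.fromhex(
    "56 6a 0c 6a 01 e8 64 ab 00 00 8b f0 8b 44 24 10 89 "
    "46 04 8b 44 24 14 89 46 08 a1 08 b4 47 00 85 c0 59 "
    "59 74 12 83 3d 00 b4 47 00 00 75 09 ff 35 0c b4 47 "
    "00 ff d0 59 a1 04 b4 47 00 85 c0 74 04 89 30 eb 06 "
    "89 35 00 b4 47 00 89 35 04 b4 47 00 83 26 00 5e c3"
)
# Assumed image bounds of the sample: dwords in this range are treated as
# absolute addresses, which shift between builds and must not feed the hash.
IMAGE_RANGE = (0x00400000, 0x00480000)


def normalize(code: bytes, image_range=IMAGE_RANGE) -> bytes:
    """Zero the bytes that vary between builds/relocations so the same function
    body hashes identically: the rel32 operand after call/jmp (E8/E9) and any
    little-endian dword that falls inside the image (heuristic, no disassembly)."""
    out = bytearray(code)
    i = 0
    while i < len(out):
        if out[i] in (0xE8, 0xE9) and i + 5 <= len(out):
            out[i + 1:i + 5] = b"\0\0\0\0"
            i += 5
            continue
        if i + 4 <= len(out):
            val = struct.unpack_from("<I", out, i)[0]
            if image_range[0] <= val < image_range[1]:
                out[i:i + 4] = b"\0\0\0\0"
                i += 4
                continue
        i += 1
    return bytes(out)


def fingerprint(code: bytes, arch: str, apis: List[str]) -> str:
    """Key = SHA-256 over architecture, normalized opcodes and the sorted set of
    called APIs, i.e. the three inputs the slide says the plug-in sends."""
    h = hashlib.sha256()
    h.update(arch.encode() + b"\0")
    h.update(normalize(code))
    for api in sorted(set(apis)):
        h.update(b"|" + api.encode())
    return h.hexdigest()


@dataclass(frozen=True)
class Metadata:
    name: str
    prototype: str
    comment: str
    version: int = 1


class MetadataStore:
    """Stand-in for the FIRST server: check, add and update by fingerprint."""

    def __init__(self) -> None:
        self._db: Dict[str, Metadata] = {}

    def check(self, fp: str) -> Optional[Metadata]:
        return self._db.get(fp)

    def add(self, fp: str, md: Metadata) -> Metadata:
        if fp in self._db:
            raise KeyError("metadata already exists; use update()")
        self._db[fp] = md
        return md

    def update(self, fp: str, **changes: str) -> Metadata:
        # Every update is a new version; clients fetch the most recent one.
        current = self._db[fp]
        self._db[fp] = replace(current, version=current.version + 1, **changes)
        return self._db[fp]


# A relocated build of the same function (constructed): the call target and the
# global addresses differ, the logic does not, so the fingerprint must match.
SUB_401000_RELOCATED = (
    SUB_401000.replace(b"\x64\xab\x00\x00", b"\x10\xab\x00\x00")
    .replace(b"\xb4\x47\x00", b"\xc4\x47\x00")
)
APIS = ["GetProcessHeap", "HeapAlloc"]  # constructed placeholder, not the real callees


def demo() -> Metadata:
    store = MetadataStore()
    fp = fingerprint(SUB_401000, "x86", APIS)
    if store.check(fp) is None:                        # 1. check for metadata
        store.add(fp, Metadata("init_ctx", "void *__cdecl init_ctx(int, int)",
                               "allocates and links a context struct"))  # 2. add
    fp2 = fingerprint(SUB_401000_RELOCATED, "x86", APIS)
    assert store.check(fp2) is not None                # relocated build still hits
    return store.update(fp2, comment="also seen in a later build")  # 3. update


if __name__ == "__main__":
    print(demo())
```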
BEFORE AND AFTER FIRST
USING FIRST TO ANALYZE FLOKI BOT
TOR SUPPORT
COLLABORATION WITH FLASHPOINT
CUSTOMER SERVICE IS IMPORTANT
TAKEAWAYS
WHAT SHOULD YOU DO?
• There is more to defense than just what happens on your network
• Demand that your information security operation spend time building relationships with peers
• Demand that your security software supports customized detection
  • Snort rules
  • ClamAV signatures
  • IP and domain blacklisting
  • Arbitrary IOC tracking and blacklisting
• Ensure you have the visibility and policies necessary to share critical information with your partners before you reach out for help
• Maneuver yourself in advance into a position that allows for flexibility and speed when a crisis occurs
Q&A
talosintelligence.com
@talossecurity
@kpyke
INTELLIGENCE COMMUNITIES
Project Aspis – collaboration between Talos and host providers
• Talos provides expertise and resources to identify major threat actors
• Providers potentially save significant costs in fraudulent charges
• Talos gains real-world insight into threats on a global scale, helping us improve detection and prevention and making the internet safer for everyone
CRETE – collaboration between Talos and participating customers
• Talos provides a Firepower NGIPS sensor to deploy inside the customer network
• Talos gathers data about real-world network threats and security issues
• Customers receive leading-edge intel to protect their network
AEGIS – information exchange between Talos and participating members of the security industry
• Open to partners, customers, and members of the security industry
• Collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Weaponizing Intelligence: Interdiction in Today’s Threat Landscape

  • 1. SESSION ID: #RSAC. Weaponizing Intelligence: Interdiction in Today’s Threat Landscape (SP01-W11). Matthew Olney, Manager, Threat Intelligence and Interdiction, Cisco Systems, @kpyke
  • 2. WEAPONIZING INTELLIGENCE: INTERDICTION IN TODAY’S THREAT LANDSCAPE. Matthew Olney, Talos Threat Intelligence & Interdiction Group
  • 3. WHO AM I?
    Matthew Olney, Manager of Threat Intelligence and Interdiction
    11 years with Sourcefire VRT and Cisco Talos
    Prior to that 10 years in network engineering and security
    I’m on Twitter: @kpyke
  • 4. TALOS INTEL BREAKDOWN
    THREAT INTEL: 250+ full-time threat intel researchers; millions of telemetry agents; 4 global data centers; 1100+ threat traps; 100+ threat intelligence partners; 1.5 million daily malware samples; 600 billion daily email messages; 16 billion daily web requests; 20 billion threats blocked; honeypots; open source communities; vulnerability discovery (internal); product telemetry; internet-wide scanning
    INTEL SHARING: customer data sharing programs; provider coordination program; open source intel sharing; 3rd party programs (MAPP); industry sharing partnerships (ISACs); 500+ participants
  • 5. WHAT IS INTERDICTION?
    “Interdiction is a military term for the act of delaying, disrupting, or destroying enemy forces or supplies en route to the battle area.”
    Threat Intelligence and Interdiction takes action:
    • Outside the border of our customer’s networks
    • To disrupt and degrade actor capability
    • Using linguists, reverse engineers, incident responders, mathematicians, researchers and developers
    • Working with law enforcement organizations (LEO), government and industry organizations, hosting providers and other intelligence partners
  • 6. WE ARE SUCCESSFUL WITH FRIENDS — NOT TECHNOLOGY
    Easy:
    • ISAC (Information Sharing and Analysis Center)
    • Industry, National and Multinational CERTs
    • Internet Service Providers
    • Individual Researchers and Research Groups
    • Industry Partners
    • Competitors (Seriously)
    Tricky:
    • Web Hosting Providers
    Strategic:
    • Law Enforcement
    • Military
    • Government
    “I apologize for being a black hole.” – Undisclosed Government Agency
  • 7. TRICKY: WEB HOSTING PROVIDERS
    “It seems like they gave up after about 4 days of 2-3 orders a day. We have not seen any order attempts since 5/15. Thanks for the quick heads up, getting those C&C IPs into our netflow system stopped them cold.” – Intelligence Partner, Angler Investigation
    • Legal and economic barriers to cooperation
    • Narrow profit margins
    • Limited investment in abuse and security services
    • But there are costs incurred by hosting malicious actors
    • LEO interactions
    • Abuse handling
    • Bandwidth, engineering, charge-backs
    Let’s help each other
  • 8. INTERDICTION CASE STUDY #1: SAMSAM & JBOSS
  • 9. TWO CRITICAL JBOSS CVES
    CVE-2007-1036: “…JBoss does not restrict access to the console and web management interfaces…”
    CVE-2010-0738: “The JMX-Console web application … performs access control only for the GET and POST methods...”
  • 10. JEXBOSS
    “João Filho Matos Figueiredo, what did you do?” – João’s mother, probably
  • 11. SAMSAM
    • Telemetry indicates December 2015 start date
    • Network-wide ransomware attack
    • Ransom paid via Bitcoin
    • Seen in many verticals, but best known for activity in healthcare
    • Uses ‘Jexboss’
    • Multiple Cisco IR engagements
    • Strong LEO interest
    0.7-1.5 BTC per workstation; 22 BTC total for all keys
  • 12. TALOS RESPONSE (MARCH)
    Preliminary blog post: Samsam: The Doctor Will See You, After He Pays The Ransom
    Research: How bad is this JBoss problem? A full IPv4 scan found roughly 3.2M IP addresses that behaved in a way suggesting they were vulnerable JBoss servers
    Express mild concern on social media
  • 13. EMAIL OF THE YEAR: CISCO IR SHARES CRITICAL INTEL
    Forensic timeline developed by Cisco IR:
    • Day X: JexBoss invocation & JBossAss backdoor installation
    • X+47 days: File upload installed on web server
    • X+49 days: Full webshell installed and CSVDE executed – Active Directory dump
    • X+73 days: tunnel.jsp installed allowing IP tunnel; elevated privileged user connects via RDP; recon with Hyena; likely first use of admin credential
    • X+74 days: Samsam encryption operation begins
  • 14. “ACTIONABLE”
    • There is a window between shell installation and file encryption
    • I dramatically fail at math and also manage to underestimate the capabilities and determination of my team. They finished it over the weekend and had the results waiting for me Monday morning.
  • 19. STATUS CHECK
    Almost 2000 notifications
    • Intel partners
    • Sales staff
    • 20 Talos researchers
    • 2 weeks
    Samples gathered
    • IR specialists on site
    • Sample exchange with Follett and intel partners
    New actors tracked
    • JBoss status pages
    • JBoss honeypots
    Tracking compromised servers
  • 20. NEW DATA FROM CISCO IR
    • IR received a SAMSAM engagement from an unmarked IP address
    • Could be SSL on 443
    • Or, fairly often, on port 8080
    • Run the same play
    • 2^32 scan for all 443 and 8080 ports displaying vulnerable JBOSS behavior
    • Scan potentially vulnerable hosts for known backdoors
  • 22. JBOSS – THE SAGA CONTINUES
    • Notified servers not 100% remediated
    • Actors continue to attack JBOSS servers
    • Working with LEO
  • 23. Floki Bot Strikes: Talos, Flashpoint and FIRST
  • 25. IDA Pro FIRST – FIRST-PLUGIN.US
    Function Identification and Recovery Signature Tool
    Streamline code research:
    • Prevent duplication of effort
    • Reduce analysis time
    • Detect code reuse between malware families
    Open beta: 133 users, 187,988 functions annotated
  • 26. FIRST SYSTEM OVERVIEW (IDA Pro FIRST)
    • Check for metadata (function bytes: 56 6A 0C 6A 01 E8 64 AB 00 00)
    • Add function metadata: name / prototype / comment
    • Update function metadata with the most recent version
  • 27. HOW THE PLUGIN WORKS
    sub_401000
    --------------------------------------------------
    56 6a 0c 6a 01 e8 64 ab 00 00 8b f0 8b 44 24 10 89 46 04 8b 44 24 14 89 46 08 a1 08 b4 47 00 85 c0 59 59 74 12 83 3d 00 b4 47 00 00 75 09 ff 35 0c b4 47 00 ff d0 59 a1 04 b4 47 00 85 c0 74 04 89 30 eb 06 89 35 00 b4 47 00 89 35 04 b4 47 00 83 26 00 5e c3
    • Check for a function or many at once
    • Plug-in sends the server the opcodes, architecture, and APIs called by the function
  • 29. USING FIRST TO ANALYZE FLOKI BOT
  • 32. CUSTOMER SERVICE IS IMPORTANT
  • 34. WHAT SHOULD YOU DO?
    • There is more to defense than just what happens on your network
    • Demand that your information security operation spend time building relationships with peers
    • Demand that your security software supports customized detection
      • Snort rules
      • ClamAV signatures
      • IP and domain blacklisting
      • Arbitrary IOC tracking and blacklisting
    • Ensure you have the visibility and policies necessary to share critical information with your partners before you reach out for help
    • Maneuver yourself in advance into a position that allows for flexibility and speed when a crisis occurs
  • 35. Q&A
  • 37. INTELLIGENCE COMMUNITIES
    Project Aspis – collaboration between Talos and host providers
    • Talos provides expertise and resources to identify major threat actors
    • Providers potentially save significant costs in fraudulent charges
    • Talos gains real world insight into threats on a global scale, helping us improve detection and prevention, making the internet safer for everyone
    CRETE – collaboration between Talos and participating customers
    • Talos provides a FirePower NGIPS sensor to deploy inside the customer network
    • Talos gathers data about real world network threats and security issues
    • Customers receive leading-edge intel to protect their network
    AEGIS – information exchange between Talos and participating members of the security industry
    • Open to partners, customers, and members of the security industry
    • Collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats
  • 38. #RSAC
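An added example, not from the talk, of the kind of customized detection slide 34 asks for, run over web-server access-log lines: it flags the two JBoss CVE conditions quoted on slide 9 (console reachable at all; a non-GET/POST verb that still succeeds) and the backdoor artifacts in the Cisco IR timeline on slide 13, which is the window slide 14 says exists before encryption starts. The log format, file names and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/Tomcat style access-log line (constructed format, not from the talk).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
MGMT_PREFIXES = ("/jmx-console", "/web-console", "/invoker/")  # slide 9 interfaces
BACKDOOR_MARKERS = ("jbossass", "tunnel.jsp")  # slide 13 artifacts; constructed names

def classify(line):
    """Return (severity, message) findings for one access-log line; [] if benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, path, status = m["method"], m["path"].lower(), m["status"]
    findings = []
    if status.startswith("2") and path.startswith(MGMT_PREFIXES):
        if method in ("GET", "POST"):
            # Console reachable at all: the CVE-2007-1036 condition.
            findings.append(("medium", f"management interface served to {method} {path}"))
        else:
            # A verb other than GET/POST that still succeeds is the CVE-2010-0738
            # access-control bypass pattern.
            findings.append(("high", f"non-GET/POST {method} to {path} succeeded"))
    if status.startswith("2") and any(t in path for t in BACKDOOR_MARKERS):
        findings.append(("critical", f"backdoor artifact requested: {path}"))
    return findings

def triage(lines):
    """Group findings by source IP and keep the highest severity seen per host."""
    order = {"medium": 1, "high": 2, "critical": 3}
    per_ip = defaultdict(lambda: {"max": None, "findings": []})
    for line in lines:
        for sev, msg in classify(line):
            entry = per_ip[LOG_RE.match(line)["ip"]]
            entry["findings"].append(msg)
            if entry["max"] is None or order[sev] > order[entry["max"]]:
                entry["max"] = sev
    return dict(per_ip)

# Constructed sample log, not from the talk: a benign hit, a blocked console
# probe, a HEAD bypass, and two backdoor requests from the same host.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.5 - - [01/Mar/2016:10:01:10 +0000] "GET /jmx-console/ HTTP/1.1" 403 0',
    '198.51.100.5 - - [01/Mar/2016:10:01:11 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 0',
    '198.51.100.5 - - [01/Mar/2016:10:05:42 +0000] "POST /jbossass/jbossass.jsp HTTP/1.1" 200 88',
    '198.51.100.5 - - [02/Mar/2016:09:30:00 +0000] "GET /tunnel.jsp HTTP/1.1" 200 1024',
]
```

Running `triage(SAMPLE_LOG)` leaves the benign host out entirely and rates 198.51.100.5 critical, with the HEAD bypass recorded days before the tunnel.jsp request.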
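An added illustration of the flow on slides 26 and 27, written for this page and not FIRST's own code or wire protocol: a lookup key built from the three things the plug-in is said to send (architecture, opcodes, called APIs), with address-dependent operands masked so the function on slide 27 matches the same code in a differently linked build, plus the check / add / update-to-newest exchange against a toy server. The relocation offsets, the API name, the annotation fields and the server interface are assumptions.

```python
import hashlib

# Function bytes exactly as printed on slide 27 (sub_401000).
SLIDE_BYTES = bytes.fromhex(
    "56 6a 0c 6a 01 e8 64 ab 00 00 8b f0 8b 44 24 10 89 46 04 8b 44 24 14 89 46 08"
    " a1 08 b4 47 00 85 c0 59 59 74 12 83 3d 00 b4 47 00 00 75 09 ff 35 0c b4 47 00"
    " ff d0 59 a1 04 b4 47 00 85 c0 74 04 89 30 eb 06 89 35 00 b4 47 00 89 35 04 b4"
    " 47 00 83 26 00 5e c3")
# Offsets of the rel32 call target and the six absolute data addresses above; a
# real plug-in gets these from the disassembler, here they were read off by hand.
SLIDE_RELOCS = (6, 27, 39, 48, 56, 70, 76)
SLIDE_APIS = ("malloc",)  # assumed for illustration; the slide does not name the callee

def normalize(opcodes, reloc_offsets):
    """Zero address-dependent operands so the same code hashes alike in every build."""
    buf = bytearray(opcodes)
    for off in reloc_offsets:
        buf[off:off + 4] = b"\0\0\0\0"
    return bytes(buf)

def fingerprint(arch, opcodes, apis, reloc_offsets=()):
    """Hypothetical lookup key over the three things slide 27 says the plug-in sends."""
    key = (arch.encode() + b"|" + normalize(opcodes, reloc_offsets)
           + b"|" + ",".join(sorted(apis)).encode())
    return hashlib.sha256(key).hexdigest()

class MetadataServer:
    """Toy stand-in for the FIRST server: every annotation version kept per key."""
    def __init__(self):
        self.store = {}
    def check(self, fp):
        """Slide 26 'Check for Metadata': newest annotation for fp, or None."""
        versions = self.store.get(fp)
        return max(versions, key=lambda v: v["ts"]) if versions else None
    def add(self, fp, name, prototype, comment, ts):
        """Slide 26 'Add Function Metadata' (name / prototype / comment)."""
        self.store.setdefault(fp, []).append(
            {"name": name, "prototype": prototype, "comment": comment, "ts": ts})

def sync(server, fp, local):
    """Client step for slide 26's 'update with the most recent version'; ts is epoch seconds."""
    remote = server.check(fp)
    if remote is None or (local and local["ts"] > remote["ts"]):
        if local is None:
            return "unknown", None
        server.add(fp, local["name"], local["prototype"], local["comment"], local["ts"])
        return "pushed", local
    if local and local["ts"] == remote["ts"]:
        return "up-to-date", local
    return "pulled", remote
```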