© 2019 AT&T Intellectual Property. AT&T, Globe logo, and DIRECTV are registered trademarks and service marks of
AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners.
Do you trust your
threat intelligence?
Black Hat 2019
Christopher Doman, Principal Information Security Engineer, AT&T Alien Labs - @chrisdoman
Attackers are watching
• A blog post was published September 2017 on how to track APT28
• Immediately, the group was harder to follow
“ . . . a [blog] post
burning the few tracking
methods we have, likely
for PR over substance”
@safronsec, 2018
Some groups
disappear quickly
Some disappear more slowly
APT1 report released
February 18, 2013
Old infrastructure New infrastructure
See “M-Trends 2014”, FireEye for more information
66.79.165.154
208.44.242.107
Did group members continue in other groups?
See “APT1 & putter panda: collaboration or a shared contractor?”, PwC / @tlansec for more information
Barkiofork / APT1 Matchaldru / Putter Panda
hgcurtain.com
Or digital quartermasters?
See "A Detailed Examination of the Siesta Campaign", FireEye March 2014 for more information
Poison Ivy / APT1 Poison Ivy / APT10
Shared Icon
fb080cef60846...
PDF
“The mysterious return of years-old malware” in 2018?
Malware author known as "feng_911" (2006-09-22), Babyface Backdoor
http://read.pudn.com/downloads62/sourcecode/hack/trojan/215589/SRC/Client/ClientDlg.cpp__.htm
Some like attention
Some don’t like attention
Attackers watch platforms too
So, can you trust sharing partners?
Example sharing platform: VirusTotal
User uploads sample of new malware to VirusTotal > Vendor A writes signature for new malware > If Vendor B doesn’t detect the malware, they get a hint to write a new signature
Theoretical attack demonstrated
Create benign binaries and write own signatures > Submit to VirusTotal > The binaries are initially detected by just your engine > Over 20 vendors then start detecting as malicious too
See “On the way to better testing” by Kaspersky
Sophisticated attack seen in the wild
Take multiple versions of benign binaries > Insert “known bad fragments” into benign binaries > Submit to VirusTotal > Watch false positives cascade
Non-sharing vendors kicked out of VirusTotal
“There are a number of endpoint products that use
VirusTotal to determine if a file is malicious.
Without any contribution to the community.
Without giving anything in return.”
Alex Eckelberry, 2016
A. Eckelberry (2017-05-04), "A BOMB JUST DROPPED IN ENDPOINT SECURITY… AND I’M NOT SURE ANYONE NOTICED"
Retrieved from http://blog.eckelberry.com/a-bomb-just-dropped-in-endpoint-security-and-im-not-sure-anyone-noticed/
Should you share attack code?
Hidden Tear, should it have been shared?
Open source ransomware shared for "educational use"
v1
Hidden Tear, should it have been shared?
Author retrieves victims’ files using a backdoor
13-year-old removes the backdoor
Blackmailed into taking down code
“I’m sorry. I failed this time.”
Now . . .
v2 v3
Can your SOC trust open source information?
Don’t trust everything you read online
“First Law of Thermodynamics”, Wikipedia
Retrieved from https://en.wikipedia.org/wiki/First_law_of_thermodynamics
Creative Commons Attribution-ShareAlike
Whitelists
Whitelists / warning lists
Cisco Umbrella, misp-warninglists
DIY IPv4 whitelists
Domain Whitelist IPv4 /24
Future threat intelligence sharing
Building a domain oracle using
AI machine learning xgboost
Automated indicator generation
Malware sample > Domains from sandbox > Domain Oracle
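As an added example (not code from the talk or from AT&T Alien Labs), the pipeline sketched on the “DIY IPv4 whitelists” and “Automated indicator generation” slides can be tied together: domains and IPs observed in a sandbox run are checked against a domain warning list and against /24 networks derived from a known-good domain list before anything is shared as an indicator. All domains, IP addresses and list contents below are constructed sample data, not the real Cisco Umbrella or misp-warninglists feeds.

```python
"""Added example, not from the talk: triage of sandbox-observed domains and
IPs against a domain warning list and a DIY IPv4 /24 whitelist before they
are shared as indicators. Every domain, IP and list below is constructed
sample data; the real Cisco Umbrella and misp-warninglists feeds are not used."""
from dataclasses import dataclass, field
import ipaddress

# Constructed stand-in for a warning list of popular/benign domains.
WARNING_LIST_DOMAINS = {
    "example.com",
    "update.example-cdn.net",
    "time.example-ntp.org",
}

# Constructed "known good" resolutions: the domain whitelist is turned into
# IPv4 /24 networks, which is the DIY approach the slides sketch.
KNOWN_GOOD_RESOLUTIONS = {
    "example.com": ["203.0.113.10", "203.0.113.11"],
    "update.example-cdn.net": ["198.51.100.7"],
}


@dataclass
class Observation:
    domain: str
    resolved_ip: str


@dataclass
class Triage:
    indicators: list = field(default_factory=list)  # safe to share
    suppressed: list = field(default_factory=list)  # (observation, reason)


def in_warning_list(fqdn: str, warning_domains: set) -> bool:
    """True if the FQDN or any parent label chain (down to the registrable
    domain) is on the warning list, so subdomains of listed sites match."""
    labels = fqdn.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in warning_domains
               for i in range(len(labels) - 1))


def build_slash24_whitelist(resolutions: dict) -> set:
    """Expand each known-good IPv4 address to its /24 network."""
    return {
        ipaddress.ip_network(f"{ip}/24", strict=False)
        for ips in resolutions.values()
        for ip in ips
    }


def in_whitelisted_net(ip: str, nets: set) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(observations, warning_domains, good_nets) -> Triage:
    """Suppress observations that hit either list, recording why, so an
    analyst can still review them; the rest become shareable indicators."""
    result = Triage()
    for obs in observations:
        if in_warning_list(obs.domain, warning_domains):
            result.suppressed.append((obs, "domain on warning list"))
        elif in_whitelisted_net(obs.resolved_ip, good_nets):
            # A /24 is coarse: shared hosting next to a good IP is hidden too,
            # which is exactly why manual verification stays in the loop.
            result.suppressed.append((obs, "ip in whitelisted /24"))
        else:
            result.indicators.append(obs)
    return result


def run_sample() -> Triage:
    """Constructed sandbox output for one hypothetical sample."""
    observed = [
        Observation("example.com", "203.0.113.10"),
        Observation("cdn7.update.example-cdn.net", "198.51.100.9"),
        Observation("api.example-shared-host.test", "203.0.113.200"),
        Observation("login-verify.example-bad.test", "192.0.2.55"),
        Observation("c2.example-evil.test", "192.0.2.66"),
    ]
    nets = build_slash24_whitelist(KNOWN_GOOD_RESOLUTIONS)
    return triage(observed, WARNING_LIST_DOMAINS, nets)


if __name__ == "__main__":
    t = run_sample()
    for obs in t.indicators:
        print(f"SHARE    {obs.domain} {obs.resolved_ip}")
    for obs, reason in t.suppressed:
        print(f"SUPPRESS {obs.domain} {obs.resolved_ip} ({reason})")
```

The suppressed list keeps the reason for each drop so the “manual verification is still needed” step from the summary has something to review, including the shared-hosting case a /24 whitelist hides.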
Automated indicator pivots?
New types of sharing — JA3
See “JA3 Fingerprints”, https://sslbl.abuse.ch/ja3-fingerprints/ for more information
New types of sharing — Sigma
See “Sigma”, https://github.com/Neo23x0/sigma/ for more information
New types of sharing - OsQuery
In summary . . .
Share how to detect,
but be careful sharing how to track
Trust your sharing partners,
but verify their data
Lots of room for automation,
but manual verification is still needed
Blackhat - Do you trust your Threat Intelligence
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Blackhat - Do you trust your Threat Intelligence

  • 1. © 2019 AT&T Intellectual Property. AT&T, Globe logo, and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners. Do you trust your threat intelligence? Black Hat 2019. Christopher Doman, Principal Information Security Engineer, AT&T Alien Labs - @chrisdoman
  • 2. Attackers are watching. A blog post was published September 2017 on how to track APT28. Immediately, the group was harder to follow. “. . . a [blog] post burning the few tracking methods we have, likely for PR over substance” - @safronsec, 2018
  • 3. Some groups disappear quickly
  • 4. Some disappear more slowly. APT1 report released February 18, 2013. Old infrastructure and new infrastructure (66.79.165.154, 208.44.242.107). See “M-Trends 2014”, FireEye, for more information.
  • 5. Did group members continue in other groups? Barkiofork / APT1 and Matchaldru / Putter Panda (hgcurtain.com). See “APT1 & Putter Panda: collaboration or a shared contractor?”, PwC / @tlansec, for more information.
  • 6. Or digital quartermasters? Poison Ivy / APT1 and Poison Ivy / APT10: shared icon, fb080cef60846... PDF. See "A Detailed Examination of the Siesta Campaign", FireEye, March 2014, for more information.
  • 7. “The mysterious return of years-old malware” in 2018? Malware author known as "feng_911" (2006-09-22), Babyface Backdoor. http://read.pudn.com/downloads62/sourcecode/hack/trojan/215589/SRC/Client/ClientDlg.cpp__.htm
  • 8. Some like attention
  • 9. Some don’t like attention
  • 10. Attackers watch platforms too
  • 11. So, can you trust sharing partners?
  • 12. Example sharing platform: VirusTotal. User uploads sample of new malware to VirusTotal > Vendor A writes signature for new malware > If Vendor B doesn’t detect the malware, they get a hint to write a new signature.
  • 13. Theoretical attack demonstrated. Create benign binaries and write own signatures > Submit to VirusTotal > The binaries are initially detected by just your engine > Over 20 vendors then start detecting as malicious too. See “On the way to better testing” by Kaspersky.
  • 14. Sophisticated attack seen in the wild. Take multiple versions of benign binaries > Insert “known bad fragments” into benign binaries > Submit to VirusTotal > Watch false positives cascade.
  • 15. Non-sharing vendors kicked out of VirusTotal. “There are a number of endpoint products that use VirusTotal to determine if a file is malicious. Without any contribution to the community. Without giving anything in return.” Alex Eckelberry, 2016. A. Eckelberry (2017-05-04), "A BOMB JUST DROPPED IN ENDPOINT SECURITY… AND I’M NOT SURE ANYONE NOTICED". Retrieved from http://blog.eckelberry.com/a-bomb-just-dropped-in-endpoint-security-and-im-not-sure-anyone-noticed/
  • 16. Should you share attack code?
  • 17. Hidden Tear, should it have been shared? v1: Open source ransomware shared for "educational use".
  • 18. Hidden Tear, should it have been shared? v2: Author retrieves victims’ files using a backdoor. v3: 13-year-old removes the backdoor. Now . . . Blackmailed into taking down code: “I’m sorry. I failed this time.”
  • 19. Can your SOC trust open source information?
  • 20. Don’t trust everything you read online. “First Law of Thermodynamics”, Wikipedia. Retrieved from https://en.wikipedia.org/wiki/First_law_of_thermodynamics (Creative Commons Attribution-ShareAlike).
  • 21. Whitelists
  • 22. Whitelists / warning lists: Cisco Umbrella, misp-warninglists
  • 23. DIY IPv4 whitelists: Domain whitelist > IPv4 /24
  • 24. Future threat intelligence sharing
  • 25. Building a domain oracle using AI / machine learning / xgboost
  • 26. Automated indicator generation: Malware sample > Domains from sandbox > Domain oracle
  • 27. Automated indicator pivots?
  • 28. New types of sharing — JA3. See “JA3 Fingerprints”, https://sslbl.abuse.ch/ja3-fingerprints/ for more information.
  • 29. New types of sharing — Sigma. See “Sigma”, https://github.com/Neo23x0/sigma/ for more information.
  • 30. New types of sharing - osquery
  • 31. In summary . . . Share how to detect, but be careful sharing how to track. Trust your sharing partners, but verify their data. Lots of room for automation, but manual verification is still needed.
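The "Domain whitelist > IPv4 /24" and "Domains from sandbox > Domain oracle" slides describe a pipeline but show no code. The block below is an added example, not the speaker's or AT&T Alien Labs' code: it expands a constructed domain whitelist into /24 warning-list ranges and filters constructed sandbox output against both, standing in for the domain oracle. The domains, addresses and function names are all assumptions for illustration.

```python
"""Filter sandbox-observed network indicators against a DIY warning list.
Added example (not from the talk): a domain whitelist is expanded into IPv4 /24
ranges (the "Domain whitelist > IPv4 /24" idea), and sandbox output is checked
against both before anything is promoted to an indicator. All data constructed.
"""
import ipaddress

# Constructed whitelist: benign domains a sandbox commonly contacts, and the
# addresses they resolved to (normally from DNS; hard-coded here to run offline).
WHITELIST_DOMAINS = {"microsoft.com", "windowsupdate.com", "example.org"}
RESOLVED = {
    "microsoft.com": ["203.0.113.10", "203.0.113.20"],
    "windowsupdate.com": ["198.51.100.5"],
    "example.org": ["192.0.2.77"],
}

def whitelist_networks(resolved, prefix=24):
    """Collapse every whitelisted address into its /24 (the DIY IPv4 whitelist)."""
    nets = set()
    for addrs in resolved.values():
        for a in addrs:
            nets.add(ipaddress.ip_network(f"{a}/{prefix}", strict=False))
    return nets

def domain_whitelisted(domain, whitelist=WHITELIST_DOMAINS):
    """True if domain equals, or is a subdomain of, a whitelisted domain (never a bare TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels) - 1))

def filter_sandbox_indicators(observed, nets):
    """Keep only sandbox-observed domains/IPs that are not on the warning list."""
    keep = []
    for ind in observed:
        try:
            addr = ipaddress.ip_address(ind)
        except ValueError:  # not an IP address, so treat it as a domain
            if not domain_whitelisted(ind):
                keep.append(ind)
            continue
        if not any(addr in n for n in nets):
            keep.append(ind)
    return keep

# Constructed sandbox output: a whitelisted subdomain, a /24 neighbour of a
# whitelisted host (dropped too: /24 aggregation is deliberately coarse), a
# whitelisted IP, and two candidates that survive for an analyst to review.
SANDBOX_OBSERVED = ["crl.microsoft.com", "203.0.113.99", "c2-example.invalid",
                    "198.51.100.5", "198.18.0.44"]

if __name__ == "__main__":
    print(filter_sandbox_indicators(SANDBOX_OBSERVED, whitelist_networks(RESOLVED)))
```

The /24 neighbour case is the caveat of this approach: a coarse whitelist also hides hostile infrastructure that shares a range with something benign, which is why the talk still calls for manual verification.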
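The "New types of sharing — JA3" slide only names the fingerprint. As an added example (not code from the talk or from the JA3 project), this computes a JA3 fingerprint from the fields of a TLS ClientHello, which is the value that shared lists such as the sslbl.abuse.ch feed key on; the ClientHello field values are constructed, and the GREASE handling shows why two connections from the same client still yield one fingerprint.

```python
"""Compute a JA3 fingerprint from the fields of a TLS ClientHello.
Added example, not code from the talk or the JA3 project: the JA3 string is
"version,ciphers,extensions,curves,point_formats" (decimal values joined by '-')
with GREASE values removed, and the fingerprint is its MD5. Sample data constructed.
"""
import hashlib

# GREASE values (RFC 8701) that clients insert at random; JA3 ignores them so the
# fingerprint is stable across connections from the same client.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _field(values):
    """Drop GREASE values and join the rest as decimal strings separated by '-'."""
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the comma-separated JA3 string; an absent list yields an empty field."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])

def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The shareable fingerprint: MD5 hex digest of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()

# Constructed ClientHello: TLS 1.2 (0x0303 = 771), five cipher suites, and the
# server_name (0), supported_groups (10) and ec_point_formats (11) extensions among others.
HELLO = dict(version=771, ciphers=[0x1301, 0x1302, 0xc02b, 0xc02f, 0x009c],
             extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13],
             curves=[29, 23, 24], point_formats=[0])

# The same client on another connection, with GREASE values inserted by the browser;
# a correct implementation yields the identical fingerprint.
HELLO_GREASE = dict(HELLO, ciphers=[0x2a2a] + HELLO["ciphers"],
                    extensions=[0x5a5a] + HELLO["extensions"],
                    curves=[0xdada] + HELLO["curves"])

if __name__ == "__main__":
    print(ja3_string(**HELLO))
    print(ja3_hash(**HELLO), ja3_hash(**HELLO_GREASE))
```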