The Good, the Bad, and The Not So Bad: Tracking Threat Operators with Our Threat Research Team - Willis McDonald, Threat Research Manager, Core Security
How do you separate the good from the bad actors? Put on your white hat as we go on an adventure to separate the wheat from the chaff; or the good from the bad and not so bad. Join us for a chance to learn from our Threat Research team and how they track and expose threat operators and build that intelligence into Network Insight. Not only that, but discover the different ways our Threat Research team is able to apply their findings. This will be an insightful session for anyone interested in learning more about a day in the life of a threat researcher.
2. AGENDA
• Threat Research
• Threat Actors and Attribution
• Carbanak Gang / FIN7
• Getting Started with Threat Research
• Q&A
3. LEARN MORE
Willis McDonald
Threat Research Manager, Core Security
4. About Me
Threat Research Manager at Core Security
Past:
• 20 years of experience in security and administration
• Offensive operations with Federal LE and Intelligence Community
• Forensic investigations for Federal LE and the Intelligence Community
• Red team and blue team for government and financial institutions
9. Why Attribution?
PREVENT BREACHES: Know How to Stop Them
KNOW YOUR ADVERSARY: Know What They’re After When They Target You
RESPOND WITH INTELLIGENCE: Know How to Respond When They Get In and Reduce Dwell Time
13. Carbanak Gang
Timeline:
• 2013 Carbanak Appears: First samples of Carbanak malware discovered
• 2014 Carbanak Reported: $1Bn stolen from banking industry
• 2015 Hospitality Targeted: Hotel industry POS attacks
• 2016 Retail Targeted: Carbanak appears in retail card processors
• 2017 Restaurant Chains: Large restaurant chains targeted with new malware
BadEyeballWreckers
14. Carbanak Gang
2016-2017 Activities
• 2016-2017 Carbanak targets restaurant chains
• 2017-04-25 Chipotle reports breach
• Others targeted for POS systems
• Utilized DNSMESSENGER backdoor to evade detection
• 2017-02-13 Alerts from Network Insight devices point to suspicious DNS activity, later identified as Carbanak’s exfil over DNS
15. Carbanak Gang
DNSMESSENGER
• 2017-02-27 A single client in a customer network queries a domain 2787 times in an hour with extremely long query lengths
• Query Format:
  • [a-z]{3,4}.[a-f0-9]{57}.[a-f0-9]{56,57}.[a-f0-9]{8,10}.[0-9]{5,8}.<domain>
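The two signals on this slide, a fixed label format and an abnormal per-client query volume with very long names, can be turned into a simple log-based detector. The following is an added example written for this page, not code from the talk or from Network Insight; it assumes a BIND-style query log line format, a placeholder domain c2.example in place of the real one (the slides do not name it), and arbitrary thresholds. The sample log is constructed in code to mirror the slide's 2787-queries-in-an-hour observation.

```python
"""Flag DNS-tunnel style activity: label-format signature plus per-client hourly volume.

Added example for this page, not the presentation's own code. Log format,
domain and thresholds are assumptions; the sample log is constructed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Assumption: placeholder for the exfil domain, which the slides do not name.
EXFIL_DOMAIN = "c2.example"

# Query format from the slide, with dots escaped and anchored to the domain.
TUNNEL_RE = re.compile(
    r"^[a-z]{3,4}\.[a-f0-9]{57}\.[a-f0-9]{56,57}\.[a-f0-9]{8,10}\.[0-9]{5,8}\."
    + re.escape(EXFIL_DOMAIN)
    + r"\.?$"
)

# Assumed log layout: "<date> <time> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "client": m["client"],
        "qname": m["qname"],
        "qtype": m["qtype"],
    }


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def registered_domain(qname):
    """Last two labels of the name (assumption: adequate for the constructed sample)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyze(lines, long_threshold=100, volume_threshold=1000):
    """Return signature hits and (client, domain, hour) buckets dominated by long queries."""
    signature_hits = []
    counts = defaultdict(int)       # (client, domain, hour) -> all queries
    long_counts = defaultdict(int)  # (client, domain, hour) -> queries >= long_threshold chars
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], registered_domain(rec["qname"]), hour_bucket(rec["ts"]))
        counts[key] += 1
        if len(rec["qname"]) >= long_threshold:
            long_counts[key] += 1
        if TUNNEL_RE.match(rec["qname"]):
            signature_hits.append((rec["client"], rec["qname"]))
    volume_alerts = [
        {"client": c, "domain": d, "hour": h.isoformat(),
         "queries": n, "long_queries": long_counts[(c, d, h)]}
        for (c, d, h), n in counts.items()
        # volume over threshold and a majority of the names are unusually long
        if n >= volume_threshold and long_counts[(c, d, h)] * 2 >= n
    ]
    return {"signature_hits": signature_hits, "volume_alerts": volume_alerts}


def build_sample_log(n_tunnel=2787, client="10.1.2.3"):
    """Constructed log: one host sends n_tunnel tunnel-format queries in one hour, plus benign noise."""
    lines = []
    for i in range(n_tunnel):
        h = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()      # 64 lowercase hex chars
        h2 = hashlib.sha256(f"chunk-{i}-b".encode()).hexdigest()
        qname = f"data.{h[:57]}.{h2[:57]}.{h[:8]}.{10000 + i}.{EXFIL_DOMAIN}"
        sec = i % 3600
        ts = f"2017-02-27 14:{sec // 60:02d}:{sec % 60:02d}"
        lines.append(f"{ts} client {client}#53211: query: {qname} IN TXT")
    for i in range(20):
        lines.append(f"2017-02-27 14:{i:02d}:05 client 10.1.2.4#40001: query: www.example.com IN A")
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print(len(report["signature_hits"]), "signature hits")
    for alert in report["volume_alerts"]:
        print(alert)
```

The format regex is the high-confidence signal because it encodes the operator's exact encoding scheme; the volume rule is the generic one and is what would fire on a tunnel whose label layout is not yet known. As the later "Problems" slide notes, long or odd-looking names alone are not proof of malice, so the volume alert is a lead for an analyst to pull the queried data and confirm, not a verdict.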
16. Carbanak Gang
DNSMESSENGER
• 2016-02-27: First records of malicious activity identified on 2017-02-27 using the same format for file transfer over DNS.
• 2017-03-02: Security vendors started alerting users to this same activity after obtaining the malicious files.
17. Getting Started
Data
• Passive DNS
• Internal Threat Intelligence
  • Bridging IT, Security and IA
• External Threat Intelligence
  • We sell ourselves!
  • There are other great TI subscriptions also
• OSINT
  • It’s free but time consuming
18. Getting Started
Tools
• Paterva Maltego
  • A picture is worth a thousand words
  • Analyst’s Notebook is great also
• IDA Pro
  • Great for analyzing binaries but there’s a steep learning curve
• Scripting Languages
  • Pick a few to get the job done
• Yara
• People
  • People are tools
20. Problems
The internet is a strange place
Things that look strange are not always malicious. Legitimate applications employ evasion techniques to bypass filtering.