This document discusses the rise of malware as a service and the business models that cybercriminals use. It notes that cybercriminals are mirroring legitimate business models by offering malware creation, distribution, leadership, and resilience services. Customers can get custom or off-the-shelf malware, distribution networks, command and control resilience, and 24/7 support. This document warns that these criminal models pose serious threats and are difficult for defenders to detect and disrupt in a timely manner.
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean Bodmer
1. Technology Deathmatch
The arms race is on
Sean M. Bodmer, CEH, CISSP, NCIA
Chief Researcher
Counter-Exploitation Intelligence
CounterTack
2. Who is this tool?
Sean M. Bodmer, CISSP, CEH, NCIA
Arrested @16 years of age for hacking NASA and 3 other .gov networks
Yes, it did put a damper on my life for a few years
>50% of my time spent in non-gov’t based clandestine cyber operations
2012 – Helped US Entities seize and recuperate > $6M USD
Brief Bio
Over 16 Years in IT Systems Security
Over 10 Years in Intelligence and Counter-Intelligence Operations
Lectured at numerous Industry Conferences
Co-Authored 2 Books w/McGraw-Hill (writing 2 more)
Quoted and named in > 400 magazines, newspapers, radio, and TV news reports
CounterTack, Inc.
Focused on in-progress detection and attribution of threats
Develops and deploys custom high-interaction honeypots
Provides customers tailored Threat Intelligence Services
Knowledge Bridge Intelligence, Inc
US IO Subject Matter Expert
4. There is more than one
Author(s)
• Original malware creator(s)
• Offer malware “off-the-rack” or custom built
• May offer DIY construction kits
• Money-back guarantee if detected
• 24x7 support
Distribution/Delivery (MAS)
• Specialized distribution network
• Attracts and infects victims
• Global & targeted content delivery
• Delivery through Spam/drive-by/USB/etc.
• Offers 24x7 support
Leader
• Individual or criminal team
• Maintains and controls order
• Holds admin credentials
Operator
• Operates a section
• Issues commands
• May be the leader
Resilience/Recovery (MAS)
• Provides C&C resilience services
• Anti-takedown network construction
• Bullet-proof domain hosting
• Fast-flux DNS services
• Offers 24x7 Support
7. Cloud as a Service Model
• YES, criminals are mirroring our e-biz models
17. Today’s Problem Set
• Almost all discoveries are post-mortem
– Next day or countless days later
• Generally, through laborious manual analysis
• Easily detectable over time
– Static defenses can be identified by skilled adversaries
• Difficult to use
– Heavily dependent on human expertise
– Staging and maintaining honeynets
– Manual reporting and analysis
– Manual correlation between data sources
19. Let’s Look @ Something
• What can one find when p0wning bad-actors?
Carberp Source Code Leak