Title: (Intermediate) Low Value Indicators For High Value Decisions
Description:
We will present how the Abuse Operations team uses collections of indicators to fingerprint and track adversaries on one of the largest pure-play remote-code-execution-as-a-service platforms on the Internet: Heroku. We can detect when they change tactics, we can spot the number of people involved, and we can misdirect them to the point that they become even easier to track!
We hope the ideas presented here will help your day-to-day routine as well as provide a solid model to guide future decisions from architecture to automation.
Introduction
Allan and Spencer
Heroku - A PaaS that's basically RCEaaS
We keep customers from doing bad things on, to, and from the platform
Adversaries
Adversary classification and evolution - skids to apex threat actors
Establishing intent to differentiate good from bad actors.
Definitions
"Abuse" - misuse, malice, crime
Indicators, TTPs, Fingerprints
Slang: splash, pivot, etc.
Methodology
Hunting - environment and tools (and lack of)
Leveraging the home field advantage
Determining intent with constellation of indicators
Detecting adversary changes when pressure is applied - from TTP shifts to spotting multiple actors from a campaign
Leading the adversary - limit their available choices
Examples of frustrating specific actors/campaigns
Cryptocurrency mining
Phishing
Blackhat SEO
Takeaways
Break spirits, not code!
Identify all sources of indicators - internal and external TI
All low value indicators are equal until they are not.
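The outline above does not show how a "constellation" of individually weak indicators becomes a fingerprint, or how a change in one of them shows up when pressure is applied. The following is an added example written for this page, not code from the talk or from Heroku; the field names, the account IDs and every event value are constructed sample data, and the threshold of three accounts is an arbitrary assumption. It buckets account events by the combination of low-value fields, reports combinations shared by enough distinct accounts to look like a campaign, and then flags pairs of campaign fingerprints that differ in exactly one field, which is what a single blocked indicator (here an email domain) looks like once the actor swaps it out.

```python
"""Fingerprint abuse campaigns from collections of low-value indicators.

Added example, not the talk's own tooling. Any one field below is shared
with thousands of legitimate customers; the combination is what repeats.
All events are constructed sample data.
"""
from collections import defaultdict

# Low-value fields (assumed names) that together form the fingerprint.
FIELDS = ("user_agent", "buildpack", "region", "email_domain", "signup_hour")


def _ev(account, ua, bp, region, domain, hour):
    """Build one constructed account-creation event."""
    return {"account": account, "user_agent": ua, "buildpack": bp,
            "region": region, "email_domain": domain, "signup_hour": hour}


SAMPLE_EVENTS = [  # constructed
    # Campaign: four throwaway accounts with an identical low-value profile.
    _ev("acct-101", "heroku-cli/7.42.0", "heroku/nodejs", "us", "mailbox.example", 3),
    _ev("acct-102", "heroku-cli/7.42.0", "heroku/nodejs", "us", "mailbox.example", 3),
    _ev("acct-103", "heroku-cli/7.42.0", "heroku/nodejs", "us", "mailbox.example", 3),
    _ev("acct-104", "heroku-cli/7.42.0", "heroku/nodejs", "us", "mailbox.example", 3),
    # Same actor after mailbox.example is blocked: exactly one field moved.
    _ev("acct-105", "heroku-cli/7.42.0", "heroku/nodejs", "us", "inbox.example", 3),
    _ev("acct-106", "heroku-cli/7.42.0", "heroku/nodejs", "us", "inbox.example", 3),
    _ev("acct-107", "heroku-cli/7.42.0", "heroku/nodejs", "us", "inbox.example", 3),
    # Ordinary customers: each fingerprint is unique.
    _ev("acct-201", "heroku-cli/7.42.0", "heroku/python", "eu", "corp.example", 14),
    _ev("acct-202", "Mozilla/5.0", "heroku/nodejs", "us", "gmail.example", 9),
    _ev("acct-203", "heroku-cli/7.40.0", "heroku/ruby", "us", "corp.example", 11),
    # Two accounts that coincidentally match: below the campaign threshold.
    _ev("acct-301", "Mozilla/5.0", "heroku/nodejs", "us", "gmail.example", 9),
]


def fingerprint(event):
    """Combine several individually weak fields into one tuple."""
    return tuple(event[f] for f in FIELDS)


def cluster(events):
    """Map each fingerprint to the set of distinct accounts that show it."""
    groups = defaultdict(set)
    for e in events:
        groups[fingerprint(e)].add(e["account"])
    return groups


def campaigns(events, min_accounts=3):
    """Fingerprints shared by at least min_accounts distinct accounts.

    The threshold is an assumption; tune it against your own base rate.
    """
    return {fp: accts for fp, accts in cluster(events).items()
            if len(accts) >= min_accounts}


def hamming(a, b):
    """Number of fingerprint positions that differ."""
    return sum(x != y for x, y in zip(a, b))


def ttp_shifts(campaign_map):
    """Pairs of campaign fingerprints that differ in exactly one field.

    Returns (fingerprint_a, fingerprint_b, changed_field). A distance of one
    is the signature of an actor replacing a single blocked indicator while
    keeping the rest of their tooling and routine unchanged.
    """
    fps = list(campaign_map)
    shifts = []
    for i, a in enumerate(fps):
        for b in fps[i + 1:]:
            if hamming(a, b) == 1:
                changed = next(FIELDS[k] for k in range(len(FIELDS)) if a[k] != b[k])
                shifts.append((a, b, changed))
    return shifts


if __name__ == "__main__":
    found = campaigns(SAMPLE_EVENTS)
    for fp, accts in found.items():
        print(f"{len(accts)} accounts share {dict(zip(FIELDS, fp))}")
    for a, b, field in ttp_shifts(found):
        print(f"shift in {field!r}: {dict(zip(FIELDS, a))[field]} -> {dict(zip(FIELDS, b))[field]}")
```

Lowering `min_accounts` to 2 pulls the coincidental pair (acct-202 and acct-301) into the campaign set, which is the practical meaning of "all low value indicators are equal until they are not": the same tuple is noise at one threshold and a lead at another, so the threshold should be set from the platform's own base rate of accidental matches rather than guessed.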
Speaker(s): Allan Stojanovic, Spencer Cureton
Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-08 11:30 (11:30 AM) PDT (UTC -07:00)
Event ends: 2020-08-08 12:00 (12:00 PM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-03T00:12 (UTC).
