Fernando Tomlinson is a Principal Digital Forensics and Incident Response Consultant with Mandiant. Before joining Mandiant and retiring from the U.S. Army as a Chief Warrant Officer 4, he was the Senior Technical Advisor at U.S. Army Cyber Command for forensics, malware analysis, and all defensive actions within the U.S. Army. He was also previously the Technical Director of a Cyber Operations Center and has led multi-level Digital Forensics and Incident Response (DFIR) and threat hunting teams. Additionally, he is a collegiate cybersecurity Adjunct Professor who enjoys contributing to the community through his blog at https://cyberfibers.com and his projects at https://github.com/wiredpulse.
Many organizations are employing technology to help lessen the burden on helpdesk personnel. In some cases, that technology is the vector that enables advanced actors to gain a foothold in a network. In other cases, actors install the technology themselves to enable command and control. In both cases, the organization is generally unaware that an actor is running rampant in its network. This talk will dive into firsthand tactics from an advanced actor as they took advantage of helpdesk and IT software on their way to owning the domain and critical assets within a few hours of gaining initial access. We will also highlight actionable detection mechanisms that an organization can employ to reduce its chances of being the next victim.