2023-10-07 –, Track 2
This talk is about leveraging open source intelligence to track and detect rapidly-changing initial execution techniques used by adversaries. You’ll learn about TA570 and TA577, two threat groups that continuously research, test, and implement new ways to download and run malicious payloads on victim endpoints. One of their favorite payloads is Qbot (aka Qakbot), a fast-moving trojan that can lead to ransomware. Detecting evil execution early can reduce or eliminate the risk of follow-on activity, but frequent changes to Qbot downloaders makes early detection more difficult for defenders. Fortunately there are analysts and researchers dedicated to tracking such changes and sharing them with the security community almost as quickly as they happen.
You will leave the talk understanding how you can use open source intelligence to help you track changes adversaries make to their initial execution techniques, like in the example above. You’ll be given specific resources you can use to stay up-to-date as threats continue to change and develop. You’ll also be armed with detection opportunities to help detect loaders delivering malware like Qbot. Newcomers to cybersecurity will learn about techniques prevalent in today’s threat landscape. More experienced analysts will go home with up-to-date behavioral and atomic indicators for initial execution detection.
Stef is an Intelligence Analyst at Red Canary. Prior to joining Red Canary, she was a consultant at Mandiant, specializing in digital forensics and incident response. She graduated from the Augusta University School of Computer and Cyber Sciences in the fall of 2019. Before Stef started her career in cybersecurity she earned a master’s degree in Clinical Psychology. She loves finding new ways to integrate psychology and cybersecurity in her research, writing, and conference presentations. If she's not at her computer she's probably hiking, camping, or crafting.