Elliot Parsons
Elliot is a cyber threat intelligence consultant at AmeXio. He is from New Zealand with a background in Financial Services, Technology Services and Government organisations. His expertise is in threat intelligence, threat hunting, reverse engineering, malware analysis, and incident response.
Sessions
Something we hear constantly as defenders is that attacks scale, implying that defences do not. While it is undeniable an attacker can take a 0-day and exploit thousands or millions of hosts, we can also turn the tables as defenders and scale our efforts. In this talk I will show you how you can take a phishing attempt and turn it into a major pain in the ass for an attacker.
Many SOCs invest in powerful Risk- and AI-based tools to generate and classify their alerts, to "clear out the noise" and pinpoint actual "value" in the massive amount of data they collect. It is no secret that nowadays we collect far more data in the SIEM than we would ever have thought possible decades ago, most of which has no real operational relevance. Some even say "SOC is dead" because this model isn't humanly bearable. Some also offer flashy magic wands that may solve all these issues in a painless plug-and-play way, while at the same time magically reducing cost (or not).
What's the solution, then? Agentic AI? Data lakes? Cloud-first? All valuable solutions, but there is something we can also do upstream: on top of trying to clean a dirty river, reduce the pollution at its source.
This approach also mitigates a lesser-known yet very serious risk: unknown unknowns in data collection. In the same way that alert fatigue is correlated with False Positive figures and ratios, most cybersecurity departments focus on the unsustainability of telemetry volumes and forget about False Negatives, that is, the useful logs you should be collecting but don't know you don't have. Caring for your car's longevity and performance also means not assuming any fuel will do and hoping for the best.
Our solution: Governance and Data Quality. It is no coincidence that NIST recently added this as a new pillar in its CSF. The "Identify" pillar gives you "informed" decisions, but it is "Govern" that adds the "deliberate" element: what to collect, why, and whether it is enough. Having no logging data-compliance framework, or having one that doesn't take business values into account (e.g. BIA, crown jewels, investments), ultimately results in building Security Monitoring on sand, or in focusing on scopes so narrow that only security benefits from them; this fuels the "working in silos" approach and goes against the "holistic observability" and "management buy-in" elements.
The as-a-service model has become ubiquitous across the cybercrime ecosystem. Previously dominated by tight-knit, exclusive groups, cybercrime is now a distributed international marketplace of service providers and consumers. As a result, it is more resilient than ever, with the gaps left by law enforcement takedowns quickly filled by the next opportunistic teenager. However, to operate effectively in this anonymous distributed economy, threat actors need to build a reputation to gain trust. Does this give us an opportunity?
In this presentation I will discuss the importance of trust in the cybercrime ecosystem and walk through a real-world investigation involving a prominent phishing-as-a-service (PhaaS) provider. The case study illustrates that trust and OpSec do not mix, exposing threat actors to identification. Attendees will leave with additional insight into the cybercrime ecosystem, hacker culture, and some nifty OSINT tricks.