Infrastructure Tracking with Passive Monitoring and Active Probing presented at Shmoocon 2015

by Dhia Mahjoub and Anthony Kasza

Summary: Threat intelligence is crucial in our industry to proactively monitor for attacks, detect active breaches, and analyze incidents post-mortem. Intelligence is created by researching, tracking, and interpreting attacker movements, with a focus on preemptively countering malicious campaigns as soon as they emerge. In this talk, we will describe the tools and methodologies we use in-house to provide context on evil at Internet scale. We will also present concrete use cases on how to leverage threat intelligence, both open source and proprietary, to track Internet threats and pivot around specific indicators to further the investigative effort. Our use case of choice will be the new Zeus GameOver variant that re-emerged in the summer of 2014 and which we have been tracking for several months. The various aspects of campaign tracking include command and control infrastructure, preferred hosting providers, domain registration practices, and compromised client behaviors.
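The pivoting the abstract describes (from a seed indicator out to related C2 domains, their hosting providers and their registration data) can be illustrated with an added example; this is not code from the talk or its authors. It expands one seed domain over constructed passive-DNS resolutions and WHOIS-style registrant records, then groups the resulting IPs by ASN and hosting provider. All domains, addresses, ASNs and e-mail addresses below are made-up placeholders. The example also carries the caveat a practitioner needs: an IP or registrant that many domains share (shared hosting, a privacy-proxy contact) is recorded but not pivoted through, because expanding it drags unrelated sites into the campaign.

```python
"""Indicator pivoting over constructed passive-DNS and registrant data (illustrative only)."""
from collections import defaultdict, deque

# Constructed sample passive-DNS records (domain, ip, first_seen). Not real observations.
PASSIVE_DNS = [
    ("update-svc.example", "203.0.113.10", "2014-07-12"),
    ("cdn-node.example", "203.0.113.10", "2014-07-15"),
    ("cdn-node.example", "198.51.100.7", "2014-08-02"),
    ("stats-relay.example", "198.51.100.7", "2014-08-03"),
    ("stats-relay.example", "192.0.2.50", "2014-08-20"),
    # 192.0.2.50 is a crowded shared-hosting address: pivoting through it would be noise.
    ("shop1.example", "192.0.2.50", "2013-02-01"),
    ("shop2.example", "192.0.2.50", "2013-02-01"),
    ("shop3.example", "192.0.2.50", "2013-03-10"),
    ("shop4.example", "192.0.2.50", "2013-04-22"),
    ("unrelated.example", "192.0.2.200", "2014-05-01"),
]

# Constructed IP -> (ASN, hosting provider) mapping, e.g. from a BGP/whois lookup.
IP_ASN = {
    "203.0.113.10": ("AS64496", "HosterA"),
    "198.51.100.7": ("AS64496", "HosterA"),
    "192.0.2.50": ("AS64498", "SharedHoster"),
    "192.0.2.200": ("AS64497", "HosterB"),
}

# Constructed domain -> registrant e-mail mapping (WHOIS-style data).
REGISTRANT = {
    "update-svc.example": "reg1@mail.example",
    "cdn-node.example": "reg1@mail.example",
    "stats-relay.example": "reg2@mail.example",
    "unrelated.example": "reg2@mail.example",
    "shop1.example": "hostmaster@sharedhoster.example",
    "shop2.example": "hostmaster@sharedhoster.example",
    "shop3.example": "hostmaster@sharedhoster.example",
    "shop4.example": "hostmaster@sharedhoster.example",
}


def build_graph(passive_dns, registrant):
    """Undirected graph with domain<->ip edges (resolutions) and domain<->email edges (registration)."""
    adj = defaultdict(set)
    for domain, ip, _first_seen in passive_dns:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    for domain, email in registrant.items():
        adj[("domain", domain)].add(("email", email))
        adj[("email", email)].add(("domain", domain))
    return adj


def pivot(seed_domain, passive_dns=PASSIVE_DNS, registrant=REGISTRANT,
          max_shared=4, max_depth=8):
    """Breadth-first expansion from a seed domain.

    max_shared: an IP or registrant linked to more than this many domains is
                treated as shared infrastructure; it is reported but not expanded.
    max_depth:  hop limit counted in graph nodes (two hops = one domain-to-domain pivot).
    """
    adj = build_graph(passive_dns, registrant)
    start = ("domain", seed_domain)
    seen = {start}
    crowded = set()
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        kind, _value = node
        if kind in ("ip", "email") and len(adj[node]) > max_shared:
            crowded.add(node)          # keep the indicator, refuse the pivot
            continue
        if depth >= max_depth:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    result = {"domains": set(), "ips": set(), "emails": set(), "crowded": crowded}
    for kind, value in seen:
        result[kind + "s"].add(value)
    return result


def hosting_summary(ips, ip_asn=IP_ASN):
    """Group pivoted IPs by (ASN, provider) to surface the campaign's preferred hosters."""
    by_asn = defaultdict(set)
    for ip in ips:
        by_asn[ip_asn.get(ip, ("unknown", "unknown"))].add(ip)
    return dict(by_asn)


if __name__ == "__main__":
    found = pivot("update-svc.example")
    print("domains:", sorted(found["domains"]))
    print("crowded (not expanded):", sorted(found["crowded"]))
    for (asn, provider), addrs in hosting_summary(found["ips"]).items():
        print(asn, provider, sorted(addrs))
```

With the default threshold the seed reaches three further domains through shared IPs and a shared registrant, while the four shop sites behind the crowded address stay out; raising max_shared lets them bleed in, which is the usual way an infrastructure pivot goes wrong.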