S1E03: Hunting Targeted Attackers @ Scale, Live-ish from RSA

In episode 3, we were joined by Alex Lanstein (@alex_lanstein) - one of the first employees at FireEye who hunts through product telemetry data to identify new targeted campaigns. During the RSA conference, and with so many others referencing breaches and hunting from the periphery, we thought it would be good to chat about primary source data from our on-going APT and FIN attack investigations and how to identify anomalies the way Alex does.

We live streamed this episode from the RSA Conference 2018 expo floor. In an unforeseen twist of events, the sheer number of cyber threat maps on the conference floor degraded the bandwidth and video quality. We re-recorded the episode the next day from an undisclosed location with a better connection.

“Community Protection: Southeast Asian Campaign”: We discuss our on-going Community Protection Event (CPE), in which we’ve pulled together teams from across the company to identify and protect against a suspected Chinese attack group using new methods to compromise Southeast Asian entities. We explore how the activity was found, from the custom passwords required to decrypt the phishing documents to the unique PowerShell-laden shortcut (.LNK) builder that was last seen in the APT29 campaign around the 2016 U.S. election.

“APT19 and RepeaTTPs”: We chat about APT19 resuming its targeting of law firms this month using many of the exact same techniques described in our 2017 blog post on the activity. Alex shares some insight into interesting APT19 phishing lure choices. • 2017 TTPs: https://www.fireeye.com/blog/threat-r...

“RO-BORAT Kazakhstani Attribution”: #ThreatIntel attribution can be difficult, but not always. We chat about the level of rigor we applied when analyzing some recent activity that we attributed to Kazakhstan. Very nice! • Related reading: https://www.eff.org/press/releases/ma...

“What’s M-Trending”: We close out the show with a round-robin discussion of evolving attacker methods and what we found most interesting in our M-Trends 2018 report, released in April, which compiled technical intelligence and #DFIR breach data from our 500+ Mandiant investigations in 2017. • https://www.fireeye.com/content/dam/c...

State of the Hack is FireEye’s monthly live broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions. You can catch it live each month on FireEye's Twitter account: https://twitter.com/fireeye

About the Podcast

State of the Hack is FireEye’s monthly series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.