All too often, we hear about the ways in which APT actors and criminals are adding to and enhancing their cyber arsenal. In an effort to fight back and support our on-going intelligence collection capabilities, the Context Threat Intelligence team worked with our in-house developers to create a tool that would not only parse sophisticated adversary malware command and control, but replay the RDP sessions buried within to reveal a fly-on-the-wall view of operator activities.
This talk will briefly cover the motivations and technical challenges of the project, and dig deep into the positive outcomes for both the victim and for our own intelligence relating to adversary TTPs. We will discuss the challenges of detecting encrypted malware command and control at the periphery of the network and ways in which we have leveraged knowledge of attacker TTPs in order to track movement throughout the enterprise.
Mark Graham (Magpie), Head of Threat Intelligence, Context Information Security leads the Context Threat Intelligence team, supporting internal products and services, as well as providing both strategic guidance and tactical, actionable intelligence to its clients.
Mark's duties include reverse engineering of sophisticated malware, development of signatures and bespoke systems to assist in the detection of malware across network and host domains, analysis of proprietary communications protocols and conducting investigations to attribute Threat Actor activity.
Eric Thompson is the IT Threat Strategist for RSA. Formerly, Thompson led Capital One's customer-facing digital security strategy and roadmap team, responsible for managing the enterprise-level process and controls, protecting customers' assets and privacy. Thompson is an active thought leader and visionary, partnering on security efforts across the financial industry for years in cross-functional working groups, such as the eFraud Global Forum and FS-ISAC.