Technology Deathmatch: The arms race is on
Sean M. Bodmer, CEH, CISSP, NCIA
Chief Researcher, Counter-Exploitation Intelligence
CounterTack
Who is this tool? Sean M. Bodmer, CISSP, CEH, NCIA
• Arrested @ 16 years of age for hacking NASA and 3 other .gov networks
• Yes, it did put a damper on my life for a few years
• >50% of my time spent in non-gov't based clandestine cyber operations
• 2012 – Helped US entities seize and recuperate > $6M USD
Brief Bio
• Over 16 years in IT systems security
• Over 10 years in intelligence and counter-intelligence operations
• Lectured at numerous industry conferences
• Co-authored 2 books w/ McGraw-Hill (writing 2 more)
• Quoted and named in > 400 magazines, newspapers, radio, and TV news
CounterTack, Inc.
• Focused on in-progress detection and attribution of threats
• Develops and deploys custom high-interaction honeypots
• Provides customers tailored threat intelligence services
Knowledge Bridge Intelligence, Inc
• US IO subject matter expert
04/10/2023 3
There is more than one
Distribution/Delivery (MAS)
• Specialized distribution network
• Attracts and infects victims
• Global & targeted content delivery
• Delivery through spam/drive-by/USB/etc.
• Offers 24x7 support
Author(s)
• Original malware creator(s)
• Offer malware "off-the-rack" or custom built
• May offer DIY construction kits
• Money-back guarantee if detected
• 24x7 support
Leader
• Individual or criminal team
• Maintains and controls order
• Holds admin credentials
Operator
• Operates a section
• Issues commands
• May be the leader
Resilience/Recovery (MAS)
• Provides C&C resilience services
• Anti-takedown network construction
• Bullet-proof domain hosting
• Fast-flux DNS services
• Offers 24x7 support
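The fast-flux DNS service listed under Resilience/Recovery leaves a footprint a defender can score: a C&C domain that rotates through many addresses on many unrelated networks with very short TTLs. The following is an added example, not code from the slides or from CounterTack; the passive-DNS style log lines, the domain names, the RFC 5737 documentation-range IP addresses and the thresholds (max TTL 300 s, at least 5 distinct IPs, at least 3 distinct /24 prefixes) are constructed assumptions for illustration.

```python
"""Fast-flux DNS triage heuristic over passive-DNS style records.

Added example, not code from the slides or from CounterTack. The log lines,
domain names, IP addresses (RFC 5737 documentation ranges) and thresholds are
constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed passive-DNS style records: "<timestamp> <domain> <rtype> <ttl> <answer>".
# cdn.example-static.net behaves like ordinary hosting; upd.example-flux.biz
# rotates through many addresses on many networks with short TTLs.
SAMPLE_LOG = """\
2012-06-01T00:00:00 cdn.example-static.net A 3600 203.0.113.10
2012-06-01T01:00:00 cdn.example-static.net A 3600 203.0.113.10
2012-06-01T02:00:00 cdn.example-static.net A 3600 203.0.113.11
2012-06-01T00:00:00 upd.example-flux.biz NS 3600 ns1.example-flux.biz
2012-06-01T00:00:00 upd.example-flux.biz A 180 198.51.100.7
2012-06-01T00:03:00 upd.example-flux.biz A 180 192.0.2.44
2012-06-01T00:06:00 upd.example-flux.biz A 120 203.0.113.200
2012-06-01T00:09:00 upd.example-flux.biz A 180 198.51.100.90
2012-06-01T00:12:00 upd.example-flux.biz A 60 192.0.2.130
2012-06-01T00:15:00 upd.example-flux.biz A 180 203.0.113.5
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: datetime
    domain: str
    ttl: int
    answer: str


@dataclass(frozen=True)
class FluxScore:
    domain: str
    distinct_ips: int       # distinct A-record answers observed
    distinct_prefixes: int  # distinct /24 prefixes (stand-in for "distinct networks")
    min_ttl: int            # lowest TTL served
    window_hours: float     # time between first and last observation
    flagged: bool


def parse_records(text):
    """Parse the space-separated records above, keeping only A records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, rtype, ttl, answer = line.split()
        if rtype != "A":
            continue  # only A records carry the IP churn this heuristic scores
        records.append(DnsRecord(datetime.fromisoformat(ts),
                                 domain.lower().rstrip("."), int(ttl), answer))
    return records


def prefix24(ip):
    """First three octets of an IPv4 address; a cheap offline proxy for network diversity."""
    return ".".join(ip.split(".")[:3])


def score_domains(records, max_ttl=300, min_ips=5, min_prefixes=3):
    """Score each domain; the thresholds are assumed starting points, not published values."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec.domain].append(rec)
    scores = {}
    for domain, recs in by_domain.items():
        ips = {r.answer for r in recs}
        prefixes = {prefix24(ip) for ip in ips}
        min_ttl = min(r.ttl for r in recs)
        span = max(r.ts for r in recs) - min(r.ts for r in recs)
        # Require all three signals together: address churn, short TTL, spread across networks.
        flagged = len(ips) >= min_ips and min_ttl <= max_ttl and len(prefixes) >= min_prefixes
        scores[domain] = FluxScore(domain, len(ips), len(prefixes), min_ttl,
                                   span.total_seconds() / 3600, flagged)
    return scores


def flagged_domains(text):
    """Domains in the log that trip the heuristic, sorted."""
    return sorted(d for d, s in score_domains(parse_records(text)).items() if s.flagged)


if __name__ == "__main__":
    for s in score_domains(parse_records(SAMPLE_LOG)).values():
        print(f"{s.domain:26} ips={s.distinct_ips} prefixes={s.distinct_prefixes} "
              f"min_ttl={s.min_ttl} window={s.window_hours:.2f}h flagged={s.flagged}")
```

Treat the output as a triage signal, not a verdict: CDNs and round-robin load balancers also serve short TTLs and many addresses, which is why the heuristic insists on network spread as well, and in production the /24 proxy should be replaced by ASN or registrant data so that a bullet-proof hoster's contiguous ranges and a legitimate provider's anycast ranges are told apart.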
Cloud as a Service Model
• YES, criminals are mirroring our e-biz models
[Diagram: stacked "Malware As A Service" layers feeding the Host/End-point; labels: Malware As A Service, Host/End-point, The Arbitrary Icon]
THIS DOES NOT MEAN YOU ARE SAFE !!!
Today's Problem Set
• Almost all discoveries are post-mortem
  – Next day or countless days later
• Generally, through laborious manual analysis
• Easily detectable over time
  – Static defenses can be identified by skilled adversaries
• Difficult to use
  – Heavily dependent on human expertise
  – Staging and maintaining honeynets
  – Manual reporting and analysis
  – Manual correlation between data sources
Let’s Look @ Something
• What can one find when p0wning bad-actors?
Carberp Source Code Leak