Welcome
29 September | 2pm BST | 9am ET
Keynote
Roundtable – Understanding and Defending Against the Ransomware Threat
BREAK
The Venerable Drive-By Download in 2022
The Ransomware Ecosystem: Operators, Affiliates & Access Brokers
The Humanity
The Path to TI Enlightenment
Info Stealers – A Growing Corporate Threat
DarkTortilla: A Malware Research Case Study
Design Decisions Around Structured Threat Intelligence
Getting Loaded, with BRONZE PRESIDENT
BREAK
Ukraine: What Have We Learned About Russian Cyber Capabilities?
Who’s At My Door? Chinese Threat Group Tradecraft and the Trend Towards Blending in with Ransomware Precursor Activity
COBALT MIRAGE: Blurring the Line Between Espionage and Cybercrime
BREAK
Identity Abuse In Azure AD
Visualizing the Threat through Tactic Graphs
Intelligence and Response – Bolstering Synergy
Closing
09:00
10:15
09:25
09:50
10:25
10:55
11:20
11:41
11:27
11:34
11:52
11:59
12:06
12:13
12:38
13:03
13:15
13:40
14:00
14:20
09:05
Barry Hensley
Senior Vice President, Chief Threat Intel Officer
Matt Hartman
Deputy Executive Assistant Director for Cybersecurity, DHS and CISA
Don Smith
Vice President, Threat Research
Keith Jarvis
Senior Security Researcher, Threat Research
Tim Mitchell
Senior Security Researcher, Threat Research
Frank Hackett
Security Researcher, Threat Research
Rebecca Taylor
Threat Intelligence Knowledge Manager, Threat Research
John Mancuso
Security Researcher, Threat Research
Rob Pantazopoulos
Senior Security Researcher, Threat Research
Eric Jenko
Security Researcher, Threat Research
Mark Osborn
Security Researcher, Threat Research
Tony Adams
Senior Security Researcher, Threat Research
Dr. Nestori Syynimaa
Senior Principal Security Researcher, Detection Research
TJ Nelson
Director, Detection Research
Archana Yasas
Principal Consultant, Incident Response
Wendy Thomas
President & CEO
Marc Burnard
Senior Security Researcher, Threat Research
Rafe Pilling
Principal Researcher, Threat Research
Ryan Cobb
Principal Researcher, Detection Research
Roundtable – Understanding and Defending Against the Ransomware Threat
Network defenders often look at ‘dwell time’ – the time between an adversary gaining access and achieving their objectives – as a key metric in understanding threat and risk. Based on Secureworks' direct observations through incident response engagements, the average dwell time for post-intrusion ransomware attacks has remained fairly constant this year compared to last, at four and a half days in 2022 compared to five in 2021. What that means is that, on average, an organization has almost a whole working week to detect and contain an intrusion before the lights go out. Understanding how ransomware operators act once inside a network is the key to exploiting this ‘detection window’. In this session, Vice President of Threat Research Don Smith will lead a roundtable discussion looking at how best we can prepare for and defend against the pervasive threat of ransomware.
The Venerable Drive-By Download in 2022
The early to mid-2010s were a markedly dangerous time to browse the web due to the proliferation of browser and plugin exploits. Concerted efforts by browser vendors to reduce attack surfaces and the near elimination of third-party plugins brought the salad days of exploit kits largely to a close. Through it all, the social-engineering-powered drive-by download lingered as a persistent threat to unwary web visitors. Keith Jarvis, CTU technical lead for cybercrime research, investigates the state of the drive-by download in 2022, where it maintains its place amongst malspam, scan-and-exploit, and credential theft as a preferred infection vector for malware. We demonstrate that drive-by downloads are not limited to unwanted browser extensions and tech support scams but, through threats like SocGholish, GootLoader, DarkTortilla, and others, are a major entry point for destructive ransomware and sophisticated threat actors.
The Ransomware Ecosystem: Operators, Affiliates & Access Brokers
When ransomware-as-a-service (RaaS) was introduced to the cybercrime landscape in the mid-2010s, it significantly lowered the bar to entry for cybercriminals. As a result, the scale of ransomware operations expanded, allowing cybercrime groups and their affiliates to exploit more networks resulting in higher revenue. Expertise also improved as each element of the process became specialised, making ransomware the formidable threat it is today.
In this session, Senior Security Researcher and intel analysis lead for cybercrime Tim Mitchell will discuss why understanding and tracking the TTPs of everyone involved in ransomware operations is important, regardless of the variant. He’ll also outline why the attribution of precursor activity is important, and how accurately doing so can inform our customers and better protect them from ransomware.
The Humanity
In this session Security Researcher Frank Hackett will sample various threads showcasing the human aspect of the darkweb. He'll also take a look at typical advertisements from foreign threat actors. In this short talk, Frank aims to provide a greater appreciation of the diverse (and sometimes peculiar) threat actors monitored by the CTU's darkweb researchers.
The Path to TI Enlightenment
Threat Intelligence (TI) is evidence-based knowledge used to inform an organisation of the threat landscape and subsequently allow them to better prepare for, prevent and detect threats which could impact their ability to perform. Organisations who leverage Secureworks services are tapped into our wealth of TI and researcher analysis, which is used on a day-to-day basis to protect and equip our own teams and customers. Secureworks use a selection of different tools and processes to ensure TI is searchable, accessible and trustworthy. Join our lightning talk with Rebecca Taylor and get a glimpse of the path Secureworks take to ingest, process and manage their intelligence, as well as takeaways on how to enlighten those around you with the latest and greatest TI insights.
Info Stealers – A Growing Corporate Threat
Information stealers are nothing new but are sometimes viewed as nuisances to corporate environments rather than legitimate threats. These malware families often seem more of a threat to individual users, focusing on siphoning cryptocurrency wallets and gaming passwords instead of sensitive corporate data.
This session will provide a brief overview of some of the major information stealers currently available for sale or for free, how they work, and why organizations should care.
DarkTortilla: A Malware Research Case Study
This presentation by Senior Security Researcher and malware research lead Rob Pantazopoulos offers insight into how malware research is performed at Secureworks, using the recently reported DarkTortilla crypter as a case study.
Design Decisions Around Structured Threat Intelligence
Structuring threat intelligence data is difficult. Striking a balance between human and machine readability can be a struggle, especially when the data comes from multiple sources in a wide variety of formats. In this lightning talk, Security Researcher Eric Jenko will discuss how seemingly simple objects like files introduce challenges to data modeling, and share some insights for others to bear in mind when processing threat intelligence or building their own structured threat intelligence systems.
Getting Loaded, with BRONZE PRESIDENT
This technical session by Chinese APT expert and malware engineer Mark Osborn will take a deep dive into one threat group’s use of shellcodes and loaders. We look at the evolution of the threat group's tradecraft in getting payload files executed on target hosts. Starting from a review of DLL search order hijacks and the resulting shellcodes, we look at some of the tactics that have enabled this threat group to prosper.
Ukraine: What Have We Learned About Russian Cyber Capabilities?
For decades, Russian hostile state actors have employed a range of cyber capabilities to achieve their tactical objectives and strategic goals. They have been brought to bear in a variety of operations against political, economic, and military targets. They have been used to harass or snoop on perceived enemies abroad, to disrupt national critical infrastructure, and even to influence foreign presidential elections. The current military invasion into Ukraine has provided the most recent view into Russia's digital arsenal. But how have Russia’s capabilities evolved? And what can network defenders do to best protect their organizations from Russian APTs? Based on an analysis of recent campaigns, Russian thematic lead Tony Adams will use this session to review some of the latest tools and methods used by Russia’s main threat groups and ways to counter them.
Who’s At My Door? Chinese Threat Group Tradecraft and the Trend Towards Blending in with Ransomware Precursor Activity
Over the past year, CTU researchers have observed multiple incidents that have been attributed (with varying degrees of confidence) to Chinese threat groups motivated by either espionage or intellectual property theft. This session will run through a selection of these incidents to demonstrate the range in tradecraft and level of operational security among Chinese threat groups. At one end of this is the trend towards adopting tools and techniques that blend in with ransomware precursor activity. Senior Security Researcher and China thematic lead Marc Burnard will explore the challenges this poses in terms of attribution, tracking, and detection for security researchers and network defenders.
COBALT MIRAGE: Blurring the Line Between Espionage and Cybercrime
What does it mean when a state-sponsored APT group also conducts opportunistic ransomware attacks on a global scale? Since 2020, COBALT MIRAGE has been at the centre of that question, attacking organisations from America to Australia and across the Middle East. In this talk, CTU Principal Security Researcher Rafe Pilling will disclose the results of 18 months of research on an Iranian APT group that has been prolific in its attacks but often fails to capitalise on its early success, in multiple cases getting edged out by Russian-speaking ransomware groups. We’ll explore their tools and tactics and reveal opsec mistakes that hint at the people behind this activity.
Identity Abuse in Azure AD
For many organizations, moving to the cloud provides scale and reduces complexity, but it also provides opportunities for adversaries. Cloud services present new and different security challenges, and these need to be understood and addressed because threat actors are actively exploring how to leverage these technologies against the organizations that use them. In this session, CTU researchers will describe their work exploring technologies like Azure Active Directory and how the abuse of identity is likely to become the key contested space as adversaries and network defenders move their conflict to the cloud.
Visualizing the Threat through Tactic Graphs
In a world where SOCs are overwhelmed with event volume, analysts can't differentiate between user behavior and abuser behavior. As a result, it is more important now than ever to evolve how we look at modern threats. This talk by CTU Director TJ Nelson will discuss how using graphs to map threat behavior can help analysts understand the threats they face. In addition, we will talk about the advantages of visualizing threat behavior versus relying solely on atomic alerts. Finally, through practical examples, we will discuss our solution to this problem via Taegis Tactic Graphs.
Intelligence and Response – Bolstering Synergy
Threat actors are continually evolving their attacks, and keeping up is an infinite game. Operating in silos can only get us so far – defending against constantly evolving tactics requires fortification of our abilities by enhancing the feedback loop. How do Threat Intelligence and Incident Response work hand in hand to defeat the latest and greatest attacks?