Detected breaches are often classified by security operations centers and incident response teams as either "targeted" or "untargeted." This quick classification of a breach as "untargeted," and the de-prioritization of remediation that follows, often overlooks a re-classification and upgrade process that several attack groups have been conducting. As part of this process, assets compromised in broad, untargeted "commodity" malware campaigns are re-classified according to the organizational network they belong to, in order to determine their potential value on the market. The higher-value assets are upgraded and taken out of the "commodity" campaign to prepare them for sale to buyers planning a targeted attack. Organizations that overlook this process often miss the opportunity to eliminate the threat before it escalates.
This session will cover the analysis of endpoint and network data captured during these re-classification operations, demonstrating the techniques and procedures some of the attack groups use as they migrate compromised endpoints from the "commodity" threat platform to the valuable-target platform. What measures can be taken to detect that a commodity threat is going through a migration process? How can this be leveraged to increase the efficiency of the incident response process?