Watching Commodity Malware Get Sold to a Targeted Actor

Black Hat USA 2016

Presented by: Israel Barak
Date: Wednesday August 03, 2016
Time: 17:30 - 18:00
Location: Lagoon K

Detected breaches are often classified by security operations centers and incident response teams as either "targeted" or "untargeted." This quick classification of a breach as "untargeted," and the de-prioritization of its remediation that follows, often misses a re-classification and upgrade process that several attack groups have been conducting. As part of this process, assets compromised in broad, untargeted "commodity" malware campaigns are re-classified based on the organizational network they belong to, in order to determine their potential value on the market. The higher-value ones are upgraded and taken out of the "commodity" campaign to prepare them for sale to buyers planning a targeted attack. Organizations that overlook this often miss the opportunity to eliminate the threat before it escalates.

This session will cover the analysis of endpoint and network data captured during these re-classification operations, demonstrating the techniques and procedures used by some of the attack groups as they migrate compromised endpoints from the "commodity" threat platform to the valuable-target's platform. What measures can be taken to detect that a commodity threat is going through a migration process? How can this be leveraged to increase the efficiency of the incident response process?

Israel Barak

Israel Barak has nearly decades of cybersecurity experience, including spending nine years in the Israel Defense Forces where he specialized in developing cyberdefense systems. At Cybereason, he leads the incident response team. Israel has also co-founded two cybersecurity companies, Q.rity, an Israeli company that was acquired by CITI Venture Capital International, and Sentrix.
