The (f)utility of indicators

Thursday 1 October 14:30 - 15:00, Red room

Gabriela Nicolao (Deloitte)
Brenden Conrad (Deloitte)



Are indicators enough to deal with threats? After conducting an in-depth investigation of the cyber espionage group known as Machete, we obtained a unique insight into the evolution of the malware, the tactics, objectives and, ultimately, the nation-state responsible for these campaigns.

Our findings have several implications in terms of the general threats posed by nation-state-affiliated groups. First, they clearly demonstrate that many countries – far beyond the 'elite' cyber actors prominently focused upon – possess a capability to conduct campaigns relatively undetected over the course of almost a decade. Secondly, they are able to accomplish this in large part because the adversary understands the limitations of traditional security controls which place undue emphasis on the 'indicators' as the basis of detection rather than observables applicable only for investigative purposes.

As a result, Deloitte developed a new analytic method called the 'Core Component' functional model which identifies the consistent tactics, techniques, and procedures (TTPs) leveraged by Machete by rigorously mapping 100+ samples over a 10-year period to the MITRE ATT&CK framework. In this talk we will describe this method and how it was developed.

 

Gabriela-Nicolao-web.jpg

Gabriela Nicolao

Gabriela has a degree in information systems engineering from the Universidad Tecnológica Nacional (UTN) and a postgraduate degree in cryptography and teleinformatics security specialization from Escuela Superior Técnica of Facultad del Ejercito in Argentina. She works at Deloitte in the cyber threat intelligence area. Her tasks include malware analysis, network traffic analysis, incident response and indicators of compromise (IoC) hunting. She has six years of experience in the security field. She is also a teacher at UTN.

 
VB2020-generic-silhouette.jpg

Brenden Conrad

Brenden is a security researcher and former government analyst who specializes in novel approaches to cybersecurity. Research areas have included economic models for underground criminal activity, advanced persistent threat tracking, bulletproof hosts and DNS hijacking, and the evolution of adversary tactics.


Back to VB2020 Programme page

Other VB2020 papers

TBA

TBA

Unveiling the CryptoMimic

Hajime Takai (NTT Security)

Shogo Hayashi (NTT Security)

Rintaro Koike (NTT Security)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.