"Knowing the Enemy"- Creating a Cyber Threat Actor Attribution Program

BSidesDC 2016

Presented by: Jack Johnson
Date: Sunday October 23, 2016
Time: 13:30 - 14:20
Location: Grand South
Track: Track 1

My presentation will focus on Social Engineering attacks and the steps needed to create a Cyber Threat Attribution program and the various areas of consideration.

This will include identification of data sources, collection and storage of key artifacts into a data base, analyzing the data to identify clusters of related data points and finally tying this all together to create Threat Actor Attribution profiles.

The talking points of my presentation will be:

• Where to start
  • Understanding your Cyber Threat Landscape
  • Capturing and classifying your attacks
• Internal Data Sources
  • Weblogs
  • User submissions
  • SPAM Filters
• External Data Sources
  • Open Source Intelligence Feeds
  • NGOs
  • Vendors
• Collecting Artifacts
  • E-mail messages
  • URLs
  • File Attachments
  • Binaries
• Conducting Analysis
  • Meta-data
  • Unique Identifiers
  • Network Artifacts
  • Hours of Operation
  • Methods of Operation
  • Attack Patterns
• Clustering data
  • Patterns
  • Related Data Points
  • Key Points of Interest
• Attribution
  • Behaviors
  • Habits
  • Investigative tools
  • Identification

Jack Johnson

Jack Johnson Manager of the MarkMonitor Security Operations Center (SOC) has over 20 years of experience in the Enterprise Systems Engineering and Security space. Jack is a recognized subject matter expert in Cyber Security and Enterprise level System Administration and Security best practices. He is currently working on multiple projects developing new and improved Phishing and Malware detection, analysis and mitigation systems.