King of the hill: nation-state counterintelligence for victim deconfliction

Friday 4 October 14:30 - 15:00, Green room

Juan Andres Guerrero-Saade (Chronicle)



Cyber situational awareness is the ultimate outcome of mature threat intelligence. Though we normally think of threat intelligence as a defender’s practice, extensive study of advanced cyberespionage operations reveals that attackers are engaged in a similar activity. Defenders apply threat intelligence insights to ensure that attackers don’t gain persistent access to their enterprise machines. Similarly, attackers monitor for the presence of other threat actors to ensure that they’re the sole owners of a given victim box. While allied organizations engage in a bureaucratic process of victim deconfliction, it turns out that adversarial organizations have turned to embedding anti-virus-like techniques into their malware in order to do the same. This paper will focus on in-the-wild examples of these techniques and provide a conceptual framework for understanding adversarial deconfliction and its ramifications.

 

Juan-Andres-Guerrero-Saade-web.jpg

Juan Andrés Guerrero-Saade

Juan Andrés is Research Tsar at Chronicle, tracking cyberespionage groups. Prior to joining Chronicle, he was Principal Security Researcher at Kaspersky's GReAT team, focusing on targeted attacks, and worked as Senior Cybersecurity and National Security Advisor to the Government of Ecuador. Juan Andrés comes from a background of specialized research in philosophical logic. His publications include 'The Ethics and Perils of APT Research: An Unexpected Transition Into Intelligence Brokerage', 'Wave your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks’, and 'Walking in your Enemy's Shadow: When Fourth-Party Collection Becomes Attribution Hell''

@juanandres_gs



Back to VB2019 Programme page

Other VB2019 papers

Domestic Kitten: an Iranian surveillance program

Aseel Kayal (Check Point)
Lotem Finkelstein (Check Point)

HELO, is that you? New challenges tracking Winnti activity

Stefano Ortolani (Lastline)
Jason Zhang (Lastline)

For reserve paper

Reserve speaker (TBA)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.