Thursday 25 September 09:00 - 09:30, Red room
Navin Thomas, Renzon Cruz & Cuong Dinh (Palo Alto Networks)
In this presentation we'll cover an incident response case where Unit 42 discovered a threat actor testing an EDR bypass tool using the Bring Your Own Vulnerable Driver (BYOVD) technique. The adversary's attempt to bypass EDR gave Unit 42 access to their rogue system, revealing their tools, tactics and identity, thus offering critical insights into their operations.
The investigation focused on understanding the various files and tools that were obtained from the rogue VM. Using the information gained from this part of the analysis, Unit 42 performed searches on underground forums such as XSS and Exploit, and conducted OSINT (open-source intelligence) analysis to capture the identity of the adversary in question.
The three key areas are as follows:
Navin Thomas
Navin Thomas is a threat researcher at Unit 42, Palo Alto Networks, with over eight years of experience in cybersecurity. He has provided threat intelligence support to a wide array of incident response cases by analysing attacker TTPs and infrastructure and providing insights into various cybercriminal operations. Driven by a passion for efficiency, Navin is also dedicated to building tools and automations that enhance threat intelligence gathering and analysis. Navin began his journey in cybersecurity working at FireEye, focusing on Endpoint Detection Engineering. He then went on to pursue his Master's degree in information security at Carnegie Mellon University, before specializing in threat intelligence.
Renzon Cruz
Renzon Cruz is a technical director of incident response at Unit 42 by Palo Alto Networks. In his role, he assists clients worldwide in responding to targeted cyber attacks, including ransomware, network intrusions, and APTs. Previously, Renzon served as a security consultant for a national cybersecurity agency in the Middle East, helping safeguard the entire country's infrastructure. He is also an analyst and contributor to The DFIR Report, a collaborative group that publishes in-depth reports on cyber intrusions, and Xintra Labs, where he contributes by simulating APT scenarios and transforming them into training labs for knowledge sharing. He also loves speaking at conferences, having presented at DEFCON, BSides London/Qatar, Deep Intel Vienna, NorthSec Montreal, HackCon2024 Norway, and RootCon PH, to name a few.
Cuong Dinh
Cuong Dinh is a principal consultant at Unit 42, Palo Alto Networks, where he brings over a decade of IT and cybersecurity experience. His expertise extends beyond ransomware incidents to include broader incident response, threat intelligence, and digital forensics. He has worked with Fortune 500 companies, assisting them in investigating and recovering from sophisticated cyber attacks and helping clients minimize the financial and operational impact. Before his consulting career, Cuong helped build cybersecurity programs that secure environments for organizations in various industries. His work in the financial sector included investigating fraud that led to criminal arrests. He holds a Master's degree in information systems and nearly a dozen industry certifications.