Underground markets have developed a niche for buying and selling access to compromised network systems and other network assets. In this presentation we cover the life cycle of a compromised network asset using examples from our honeypots and monitoring systems. We demonstrate which exploitation techniques attackers frequently use to gain an initial foothold on systems, how they move laterally through compromised networks, and how they sell access to the acquired resources. We show how the compromised resources are monetized while the attacker waits for a higher bidder for these assets. Finally, using a case study, we demonstrate what happens when an asset is sold to the highest bidder, and who is interested in taking over your network and extorting your organization for ransom. In other scenarios, your data, or even your network access and trust relationships, may turn out to be a valuable asset for the attackers. We examine these cases and discuss attacker techniques in supply-chain attack scenarios.
We further examine these cases from the defender's point of view and identify the potential red flags that incident response teams should take into account when monitoring network security or responding to security incidents. We explain how to understand and attribute attacker actions and intentions, and how to predict the attacker's potential next steps. We believe this experience is invaluable to network security analysts.
The presentation material is based on analysis of our own data and features unique views on attacker exploitation techniques.
Vladimir Kropotov is a researcher with the Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Fyodor Yarochkin is a researcher at Trend Micro, an incident investigation volunteer at Academia Sinica, and a Ph.D. candidate at EE, National Taiwan University. He is an early Snort developer, an open source evangelist, and a “happy” programmer. Prior to that, Fyodor's professional experience included over eight years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.