SOCMINT – Hunting Threats In Social Media Networks
Date: 15th Oct – Tuesday
Time: 10:30-11:30
Location: Ballroom B
In the era of social networks, social media is an important lever for distributing messages. There is massive attention on online social media manipulation because of fake news. But is social media only about fake news? Can any other useful information be seen there? What will happen if we apply threat hunting methods to analyse social media messages? Can we make such hunting useful to the InfoSec domain? This session will discuss uses and misuses of social media from the point of view of a threat intelligence analyst.
This presentation shares techniques for how an organization can build an effective threat intelligence and SOCMINT collection program by monitoring social media. Many things are worth looking at on social media, from threat actors maintaining social bots to promote content, to malware samples using social media as a hidden communication channel. Through our research we have built a set of tools to look for anomalies in social media traffic to detect these kinds of abnormal behaviour. But it is not only malicious content we look for on social media. We also want to see how social media can be used as a “situational awareness” tool by ingesting information about disclosed vulnerabilities, ongoing exploitation campaigns and more. Whether we discuss weaponization of recent CVEs or disclosure of new n-day vulnerabilities, we want to know what stage threat actors are at now, how long it takes to weaponize a particular CVE, and what threats this activity brings to particular critical infrastructures and geographical regions. We have built tools to visualize, process and automatically aggregate this kind of information.
The presentation is illustrated with a number of demonstrations and detailed case studies showing our discoveries, including correlation of recent attacks and activities in social media, and practical approaches for estimating the most important Twitter accounts and threads related to InfoSec events in a particular period of time. It also covers examples of malware campaigns where social media has been used as a part of malware infrastructure.