October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Deriving actionable intelligence from spoofed domain registrations

Kyle Ehmke (ThreatConnect)
1:15pm–1:55pm Wednesday, 11/02/2016
Security in context (security datasci)
Location: Trianon Ballroom Level: Beginner
Average rating: ***..
(3.33, 3 ratings)

What you'll learn

  • Learn to use knowledge of domain spoofing practices to potentially discover targeted APT activity or proactively identify indicators that attackers may use against you

Description

For many of the notable APT breaches over the last two years, domains that spoofed or typosquatted legitimate ones belonging to the target were an essential part of the adversaries’ attacks. Notably, Chinese APT actors have leveraged such domains to breach healthcare and government organizations, ultimately compromising personal information for millions of individuals. A Russian APT has also used these types of domains recently to steal and ultimately leak documents from the Democratic political party. An organization can use knowledge of these practices to potentially discover targeted APT activity or proactively identify indicators that attackers may use against them.

This presentation will expand on information identified in our research on the Anthem and DNC hacks, and show how an organization can leverage threat intelligence in conjunction with domain registration data to further bolster their defensive efforts. More specifically, ThreatConnect intelligence researchers will detail the process by which they identified potential Chinese APT activity against the pharmaceutical sector using registration information for spoofed and typosquatted domains.

Kyle Ehmke

ThreatConnect

Kyle Ehmke is a threat intelligence researcher with ThreatConnect. Kyle has seven years of experience as a cyber intelligence analyst in the intelligence community and within the healthcare sector. Kyle has followed a wide range of cyberthreats ranging from extremists in the Middle East to, more recently, those specifically affecting the healthcare and pharmaceutical sector. He is currently ThreatConnect’s main contributor for the medical and healthcare community, where he focuses on providing healthcare-specific threat intelligence that can facilitate members’ defensive efforts.