Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Inside an active APT incident response

Brian Candlish (Telstra), Christian Teutenberg (Telstra)
11:20am–12:00pm Wednesday, November 1, 2017
Security analytics
Location: Beekman

Who is this presentation for?

  • Security analysts, researchers, and incident responders

Prerequisite knowledge

  • A basic understanding of incident response and threat research techniques (passive DNS, whois, etc.)

What you'll learn

  • Explore a security incident Telstra suffered as a result of an acquisition and the ongoing year of incident response that followed to evict the intruders

Description

In early 2015, during an acquisition by Telstra, Pacnet was breached. The company spent most of the year responding to a series of security incidents in the Pacnet network, which were linked together and believed to be targeted. Using examples from the Pacnet breach and follow-on waves, Brian Candlish and Christian Teutenberg explain how Telstra responded to the incidents and detail the visibility required to respond to a security incident that spans a global network. Along the way, they cover the combination of intelligence, hunting, and active defense required to address this problem, explore actor TTPs, and outline the tools and activity associated with this campaign. Expect to see pcap decodes, command-line activity, and actor typos.

Brian Candlish

Telstra

Brian Candlish is a security researcher at Telstra, Australia’s largest telecommunications company, where he spends his days and nights making the internet a safer place. His interests in information security include attack and detection techniques, intelligence, and active defense. He enjoys hunting adversaries on large corporate networks.

Christian Teutenberg

Telstra

Christian Teutenberg is a security researcher at Telstra, Australia’s largest telecommunications provider, where he specializes in hunting for evidence of breach with endpoint, network, and log data. He has over a decade of experience in information security, with a background focusing on intrusion detection, incident response, and computer forensics for the enterprise.