Tracking Down the Cyber Criminals: Revealing Malicious Infrastructures with Umbrella
- Chris Bilodeau
- Thursday, June 18th, 12:30pm - 1:15pm
Time Zone: US - Eastern
Cyber criminals are exploiting the Internet to build agile and resilient infrastructures. The Internet is open, and the information needed to expose these infrastructures is publicly available; the challenge is making sense of that fragmented data. Connecting the dots by analyzing data (DNS queries, BGP anomalies, ASN reputation, network prefix/IP fluctuations) allows us to map out where malicious infrastructure is hosted and where attacks are staged. This gives defenders the upper hand by letting them pivot through the criminal infrastructure.
This session will explain how some of the Cisco Umbrella classifiers work and provide examples of threats that have been detected using this technology. First we focus on the detection models that can be built and applied (such as co-occurrences, NLPRank, Spike Detectors, Malvertising-clustering), and how these can expose malicious infrastructures and APTs. The next part provides a practical use case on how this innovative approach can be used to pivot through attackers' infrastructure and protect organizations from advanced threats. Examples include crypto phishing and crypto jacking. Finally, we will show some of this analysis visualized in 3D.
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Lunch & Learn: Short presentations given during the lunch break.
Monday, June 15
Session | Speaker | Time | Type |
---|---|---|---|
Cybersecurity: Why Asset Management Matters | Andrew Senko | Monday, June 15th, 12:30pm - 1:15pm | Lunch and Learn |
Leverage DNS OSINT at Scale | Taylor Wilkes-Pierce | Monday, June 15th, 12:30pm - 1:15pm | Lunch and Learn |
ISC Handler Series: SANS@MIC - Arcane web and mobile application vulnerabilities | Bojan Zdrnja | Monday, June 15th, 3:30pm - 4:30pm | SANS@Night |
ISC Handler Series: SANS@MIC - A walk through logs hell | Xavier Mertens | Monday, June 15th, 8:30pm - 9:30pm | SANS@Night |
Tuesday, June 16
Session | Speaker | Time | Type |
---|---|---|---|
Does Your Web Browser Need a Stunt Double? | Rajiv Raghunarayan | Tuesday, June 16th, 12:30pm - 1:15pm | Lunch and Learn |
Wednesday, June 17
Session | Speaker | Time | Type |
---|---|---|---|
How Implementing SOAR Improves Efficiency In Your Organization | Jay Spann | Wednesday, June 17th, 12:30pm - 1:15pm | Lunch and Learn |
Proactive Threat Hunting with SOAR | Alex Valdivia | Wednesday, June 17th, 12:30pm - 1:15pm | Lunch and Learn |
ISC Handler Series: SANS@MIC - Catch and release: phishing techniques for the good guys | Jan Kopriva | Wednesday, June 17th, 3:30pm - 4:30pm | SANS@Night |
ISC Handler Series: SANS@MIC - Maldocs: a bit of blue, a bit of red | Didier Stevens | Wednesday, June 17th, 8:30pm - 9:30pm | SANS@Night |
Thursday, June 18
Session | Speaker | Time | Type |
---|---|---|---|
Effortlessly Immunize Software - Rapidly Inoculate Compiled Code Against Software Memory Vulnerabilities | Doug Britton | Thursday, June 18th, 12:30pm - 1:15pm | Lunch and Learn |
Expert Playbooks for Non-Expert Use | Alex Kirk | Thursday, June 18th, 12:30pm - 1:15pm | Lunch and Learn |
Tracking Down the Cyber Criminals: Revealing Malicious Infrastructures with Umbrella | Chris Bilodeau | Thursday, June 18th, 12:30pm - 1:15pm | Lunch and Learn |