Session

Converging Behaviors Across Threat Actors

Historically, threat intelligence analysts viewed adversaries as having particular, specific "fingerprints" or operational tendencies in cyber operations. While this perspective worked in the past, the subsequent evolution in adversary tradecraft and operational security has muddled matters significantly.

At present, adversaries coalesce around a common set of behaviours or tradecraft: credential phishing or exploitation of unpatched vulnerabilities, credential capture and re-use, and leveraging one of several post-exploitation frameworks, most notably Cobalt Strike. On the one hand, this makes threat intelligence and attribution significantly harder given the great convergence of tradecraft. On the other hand, defenders have the benefit of operating against a common set of techniques and behaviours when securing networks and evicting adversaries.

In this presentation, we will explore the convergence of cyber operations, its implications for threat analysis and intelligence, and what this means for network defenders in a concrete fashion.

About the speaker

Joe Slowik

Threat Intelligence Manager at Huntress
Joe Slowik has over 15 years of experience across multiple domains in information and cybersecurity. Currently, Joe leads threat intelligence, hunting, and detection engineering operations for Huntress, while also teaching classes in threat intelligence, threat hunting, and ICS security through his company Paralus. Previously, Joe has led detection and intelligence operations at Gigamon, performed extensive security research and analysis at DomainTools and Dragos, and led the incident response team at Los Alamos National Laboratory. Joe started his information security and cyber operations career in the US Navy, where he participated in defensive and offensive operations.
Copyright © 2025 Swiss Cyber Storm