S1E06: Black Hat USA 2018 Edition

“FIN7”: It’s a matter of “when, not if” for organizations and
breaches, and the same goes for criminals and getting caught. The U.S.
District Attorney’s Office for the Western District of Washington
recently unsealed indictments and announced the arrests of three
leaders in a criminal organization we have tracked since 2015 as FIN7.
Referred to by many vendors as “Carbanak Group” (although we don’t
attribute all usage of the CARBANAK backdoor with the group), FIN7 is
well-known for the technical innovation, social engineering ingenuity,
and other creativity that has fueled their success. We open up this
episode by talking about all things FIN7, including their tools, their
tactics, techniques and procedures (TTPs), and some of the ways FIN7
activity changed following arrests made as far back as January.

• On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global
Criminal Operation
• To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for
Persistence
• FIN7 Evolution and the Phishing LNK
• FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC
Filings
• Tracking a Cyber Crime Group: FIN7 at a Glance

“Special Guest Katie Nickels (@likethecoins)”: Katie Nickels attended
a liberal arts school and intended to get into journalism, but instead
she took on a researcher role and the rest is history. Now Katie is
the Lead Cyber Security Engineer at MITRE. MITRE is a not-for-profit
that operates federally funded research and development centers
(FFRDC) responsible for R&D that helps the U.S. government. Katie
specializes in cyber threat intelligence and how it can improve
network defenses. Part of that involves applying threat intelligence
to ATT&CK, a knowledge base of real-world attacker tactics, techniques
and procedures (TTPs) that is used to assist analysts. Very cool
stuff! During our chat, Katie talked about how her team processes new
intel as it’s made public (she said she was really excited about our
latest FIN7 blog post – thanks Katie!), and about a new ATT&CK
philosophy paper MITRE recently released that describes the
collaborative process of incorporating new TTPs. We also talked about
PRE-ATT&CK, which focuses on what threat actors do to prepare for an
attack, such as reconnaissance and weaponizing.

“Special Guest Matt Graeber (@mattifestation)”: Early in Matt
Graeber’s professional life he was a rock climbing instructor, but
then he joined the Navy and that decision kicked off his journey into
the wonderful world of InfoSec. Matt is now a security Researcher at
SpecterOps, a company that provides adversary-focused solutions to
help organizations better defend themselves against the types of
attacks we see every day. At SpecterOps, Matt specializes in reverse
engineering and advancement of attacker tradecraft and detection.
Prior to SpecterOps, Matt did a stint with FireEye on a team that
would go on to become our FLARE unit, so of course we took a moment to
go down memory lane. Some of the other topics we covered include
PowerShell, Matt’s “Subverting Sysmon” Black Hat USA 2018 talk, and
the things that Matt will do in the name of a good cause.

“Special Guest Sean Metcalf (@Pyrotek)”: Sean Metcalf is a trailblazer
in the InfoSec field who is most well-known for his expertise in
Active Directory security. He’s given talks on the topic at several
security conferences, including Black Hat USA, DEF CON, DerbyCon and
BSides. Fun fact about Sean: he is one of roughly 100 Microsoft
Certified Masters (MCMs) in Directory Services in the world. Active
Directory security plays a huge part in his current role as Founder
and Chief Technology Officer of Trimarc Security. Trimarc is a company
that protects organizations primarily through the security of Active
Director