

DISCARDED: Tales From the Threat Research Trenches
Proofpoint
DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED
Episodes

Oct 17, 2023 • 34min
Decoding the Malware Maze: Insights From a Threat Researcher
Oh the days when spam was the only concern for email security!
Our guest today is Chris Wakelin, a Senior Threat Researcher at Proofpoint. He recounts the era when email attachments were plain text, and the concept of malicious URLs had yet to become prevalent. Chris was a pioneer in implementing email security measures and recalls introducing SpamAssassin, an early open-source program for spam detection, at his university.
Chris emphasized his belief in not shipping emails into a black hole (where emails are never seen by humans and no error is returned to the sender), and instead directing them to spam folders or rejecting them at the gateway. He stressed the importance of precision in cybersecurity, a lesson learned from his mathematical background.
TIMESTAMPS
[5:00] First Spam Filtering Implementation
[6:00] SpamAssassin
[12:15] Differences between static/dynamic detections and various signatures
[14:00] Running the Sandbox
[19:00] Naming New Malware
[23:50] Best Practices
Resources mentioned:
LCG Kit Blog
TA558 Blog
ET Open Rule Set
For more information, check out our website.

Oct 4, 2023 • 29min
Obfuscated: Online Threats and the Visually Impaired
Billions of dollars in losses is bad enough. But when a friend loses $1,000 on a platform he trusted, online fraud gets personal.
In this podcast episode, we dive deep into the world of online fraud with the personal account of Tim Utzig, a Senior Associate Analyst at Anser and a friend of host Selena Larson. Utzig, who is blind, lost $1,000 in an online scam. His story highlights the difficulties and risks of being a person with a disability in an online world that enables cyber crime and often neglects accessibility.
Timothy Kromphardt, an email fraud researcher at Proofpoint, used his expertise tracking scams and engaging directly with threat actors to help Utzig recover. He explains the complexities of cyber crime investigations and the roadblocks to bringing scammers to justice.
TIMESTAMPS
[1:00] Twitter scam story
[6:00] Viewing images with a screen reader
[8:45] Scam Busting
[12:30] Cautions to scam busting
[17:40] Unraveling the Twitter scam follow up
[20:20] Involvement of the police force & government
[26:35] Protection techniques for people with disabilities
[27:20] Key characteristics of fraud
Resources mentioned:
https://www.wired.com/story/twitter-laptop-scam-hunters/

Sep 22, 2023 • 31min
DISCARDED: Live with John Hultquist!
Live from New York City, it’s your Discarded podcast team at Protect 2023! Joining Selena Larson is our special guest, John Hultquist, Chief Analyst at Mandiant, now part of Google Cloud.
They discuss various cybersecurity threats and activities of nation-states like Russia, China, and North Korea. China stands out as it hasn't executed significant destructive cyberattacks like its peers. Most of China's cyber activity involves intellectual property theft, targeting dissidents, and espionage. However, there's growing concern about their interest in critical infrastructure, particularly in times of geopolitical tension. Russia, on the other hand, has a history of destructive and disruptive attacks, such as those seen in the Middle East and South Korea.
They also discuss the role of threat intelligence and information sharing in combating cyber threats, emphasizing the importance of responsible government involvement in providing leads to the cybersecurity community.
Of course, the influence of AI in cyber threat creation is also covered, particularly in generating fake media and content.
[4:00] China sets themselves apart
[8:00] Concerns about cyber enabled kinetic impacts
[14:00] Thoughts about Russia and Ukraine
[20:00] Techniques that analysts would find helpful
[24:00] Target anticipations for 2024
Resources mentioned:
https://www.mandiant.com/resources/blog/threat-actors-generative-ai-limited
https://www.cyberwarcon.com/
https://www.goodreads.com/en/book/show/41436213
https://www.reuters.com/article/us-france-election-macron-cyber-idUSKBN17Q200
https://www.helpnetsecurity.com/2015/07/08/sophisticated-successful-morpho-apt-group-is-after-corporate-data/
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
https://podcast.silverado.org/episodes/how-russian-intelligence-operatives-have-attacked-ukraine-in-cyberspace-interview-with-ukrainian-security-service

Sep 5, 2023 • 29min
From Rio to Madrid: Unmasking the Brazilian Banking Malware Wave
Regardless of location, it’s important to understand what is happening in the global threat landscape because we are a global economy. What affects one region may affect one closer to home. Part of the reason Brazil has become a recent hotbed is that its online population is expanding rapidly. Today’s guest, Jared Peck (Senior Threat Researcher at Proofpoint), dives deeper into his knowledge of this region and breaks down its unusual characteristics.
[3:30] The threat landscape in Brazil
[5:20] Brazilian banking malware being financially motivated
[9:10] Credential theft in Brazil
[13:30] Identifying threat actor clusters
[17:00] Types of Brazilian campaigns
[21:00] Diversity of malware leaders

Aug 22, 2023 • 37min
Everything Comes Back in Style: How Old TTPs are Re-emerging in China's E-Crime Ecosystem
Just like a forensic scientist, the job of a threat analyst is to search for digital fingerprints. The key is to have a starting reference point, and then be able to see what is off from there.
Our guest today is Bryan Campbell, a Staff Threat Analyst at Proofpoint. He breaks down what is happening on the China cybercrime threat landscape, as well as the importance of staying aware of past trends. Join us as we also discuss:
[7:09] The Renaissance of Chinese malware in email data
[12:05] Chinese themed malware and malware families
[13:55] The campaigns delivering this type of malware
[20:00] How the China cybercrime landscape has changed
[25:04] Expectations for the future
[28:32] LLMs being used for these circumstances

Aug 8, 2023 • 46min
It Works on My Machine: Why and How Engineering Skills Matter in Threat Research
Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint, and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share. They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.
Join us as we also discuss:
[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.
[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.

Jul 25, 2023 • 36min
An Apple a Day Won't Keep Iranian APT Away: How TA453 Targets Macs
What is new with Iranian actor TA453, and what is happening with their attack chains? To answer these questions, today’s guest is Joshua Miller, a Senior Threat Researcher on the APT team at Proofpoint. Since his last visit, Joshua has published new research on TA453, highlighting new malware and social engineering techniques, which can be found here.
Join us as we discuss the following:
[1:25] What’s new with threat actor TA453
[2:35] Multi Persona Impersonation
[6:25] Use case of LNKs in the attack chain
[8:10] Use of free cloud services
[11:15] Attacking different operating systems
[16:15] Convoluted attack chains
[27:40] Collaborating with researchers, like Dropbox

Jul 11, 2023 • 43min
Threats and Risks in the Global South
When researching cyber threats, there is a bias towards the West and most of Europe. But what about the global majority?
Today’s guest is Martijn Grooten, a Digital Security Threat Analyst with Internews. With 16 years of experience in cybersecurity, he has recently focused on the impact of security for at-risk groups and people. Join us as we discuss the following:
Outdated ideas of security for the general public
Common trends geographically
The distinction of threats between devices
Resources:
Martijn’s BotConf talk: https://youtu.be/CcqOy6WdUjw
Martijn on social media: Twitter, Mastodon, LinkedIn

Jun 27, 2023 • 37min
Weird & Wacky Researcher Summer: The Artifacts & Detections Edition
It's shaping up to be a weird and wacky summer for threat researchers.
While it’s been quieter on the front end, there are still many stories to share with some weird and wacky incidents. This episode also includes a fun, dramatized read of an email tactic. Join us as we discuss the following:
Where the team identifies on the Cyber Alignment Chart
Use of celebrity names within email lures
Recent PDF antics
Updates about activity from current threat actors

Jun 14, 2023 • 44min
It's Summertime: What’s the E-crime Vibe?
Who’s quiet and who’s making noise? What’s the backchannel chatter over at Proofpoint?
Proofpoint threat researchers Joe Wise and Pim Trouerbach join this week’s episode to discuss the e-crime vibe for the first half of 2023. Join us as we discuss the following:
Emotet’s activity, or lack thereof
Chaotic vibes from IcedID
TA570 and TA577 setting trends


