

DISCARDED: Tales From the Threat Research Trenches
Proofpoint
DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters who want to learn more about threat behaviors and attack patterns. In each episode you'll hear real-world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.

Welcome to DISCARDED
Episodes

Aug 9, 2022 • 30min
The Art of Threat Detection Engineering
In this episode, Konstantin Klinger, Senior Security Research Engineer at Proofpoint, joins the show to chat about his role on the threat research team, which focuses on DDX (Detonation, Detection, and Extraction). You won't want to miss his breakdown of the Pyramid of Pain (which ranks indicator types by how costly they are for an adversary to change, from hashes at the bottom to TTPs at the top) and how to use it for threat detection engineering.

Join us as we discuss:
- Real-life examples of complex, multi-step attack chains and how they can be detected
- Using the Pyramid of Pain for threat detection engineering
- How to write detections for geofencing
- The benefits of incorporating automated MITRE ATT&CK detections into your sandbox

Resources:
https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook
https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Jul 26, 2022 • 31min
APT Attribution: Trials and Tribulations From the Field
In this episode, Joshua Miller and Zydeca Cass, Senior Threat Researchers at Proofpoint, join the show to discuss attribution, specifically APT actor attribution. Joshua and Zydeca dive into their experiences of attribution successes and failures, sharing tales of threat actors impersonating Russian opposition leaders and an Iranian kidnapping plot in New York. As Crista says, the good, the bad and the ugly.

Join us as we discuss:
- Understanding the difference between the two types of attribution
- How attribution is used in e-crime versus state-aligned investigations
- Stories from Josh and Zydeca of threat actors they are tracking based in Russia and Iran

Check out these resources we mentioned:
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-kidnapping-conspiracy-charges-against-iranian

Jul 12, 2022 • 35min
The Dark Side of Cryptocurrency
In this episode, Jared Peck, Senior Threat Researcher at Proofpoint, explains cryptocurrency and how bad actors are causing trouble with these new decentralized, pseudonymous currencies.

Join us as we discuss:
- Credential harvesting and phishing
- Malicious campaigns and extortion
- Digital money laundering

Resources:
https://www.proofpoint.com/us/blog/threat-insight/how-cyber-criminals-target-cryptocurrency
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.proofpoint.com/us/podcasts/threat-digest#113131
https://www.proofpoint.com/us/blog/threat-insight/advance-fee-fraud-emergence-elaborate-crypto-schemes

Jun 21, 2022 • 33min
A Day in the Life of a Threat Researcher: Emerging Threats Edition
Tony Robinson, Threat Researcher, joins the podcast to share his expertise as a member of the Emerging Threats team at Proofpoint. Tony gives us an inside look into a day in his life as he and his teammates discover new strains of malware, respond to major vulnerabilities, and ensure that customers are protected. He also shares his advice for those interested in a career in threat research.

Join us as we discuss:
- How the Emerging Threats team at Proofpoint affects customers' daily lives
- Using detection rule sets to find new strains of malware
- Working with the open source security community to write new rules and stay up to date on the developing threat landscape
- The difference between rules that detect threat behaviors and rules that match indicators of compromise

Check out these resources we mentioned:
https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
https://twitter.com/da_667/status/1512255056573255693
https://twitter.com/da_667/status/1503876806478385168

Jun 7, 2022 • 30min
The Buzz on Bumblebee Malware
Float like a butterfly. Sting like Bumblebee malware.

In this episode, Kelsey Merriman, Threat Research Analyst, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, share their insights from their research into the new malware downloader called Bumblebee. You won't want to miss their breakdown of Bumblebee's unique characteristics and their predictions of how its features will develop over time.

Join us as we discuss:
- The difference between tracking crimeware and tracking APT activity
- How threat actors are using Bumblebee
- The exit of BazaLoader malware and its connection to Bumblebee

Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/isnt-optimus-primes-bumblebee-its-still-transforming
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti

May 24, 2022 • 32min
Social Engineering: How Threat Actors Manipulate Their Targets
Threat actors always take the path of least resistance to their payday. But it's a mistake to think they aren't willing to put in the work to get a human to hand-feed them.

Their attempts to manipulate their targets into taking action are called social engineering. What role do people play in cybersecurity?

In this episode, Daniel Blackford, Threat Researcher at Proofpoint, explains how bad actors capitalize on our humanity to attack us.

Join us as we discuss:
- What lies beneath 95% of cyber attacks
- The two factors that reduce people's sensitivity to threats
- When social engineering content might be waiting for you

Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steal
https://www.bankinfosecurity.com/kansas-man-faces-federal-charges-over-water-treatment-hack-a-16328
https://twitter.com/selenalarson/status/1224674562882834432

May 10, 2022 • 39min
Paying Attention to BEC: The Most Costly Threat by Individual Losses
When asked which threat causes the largest individual losses, most people assume ransomware.

The real answer, however, is business email compromise (BEC). So why aren't more companies talking about it?

In this episode, Tim Kromphardt and Jake G. explain BEC and why organizations need to start paying more attention.

Join us as we discuss:
- The definition of BEC and why companies pay so little attention to it
- Using Supernova to defend against email attacks
- Reporting on employment fraud

Check out these resources we mentioned:
BEC Taxonomy: https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
Supernova: https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-launches-industrys-first-cloud-native-information-protection-and
IC3 Report: https://www.ic3.gov/
TOAD blog post: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
Railroad theft: https://www.cnn.com/2022/01/14/economy/la-freight-railroad-theft/index.html

Apr 26, 2022 • 36min
Web Bugs & the Tubthumping Tactics of Chinese Threat Actor TA416
Chinese threat actor TA416, otherwise known as Mustang Panda, has been active for a long time, and every time they get knocked down, they get up again.

In this episode, Michael Raggi, Senior Threat Researcher, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, give us an overview of TA416, the "Tubthumping" villains of the threat landscape.

Join us as we discuss:
- The evolving tactics of TA416
- PlugX malware and control flow flattening
- Tips for dealing with emerging threats

Check out these resources we mentioned:
Michael's Twitter: https://twitter.com/aRtAGGI/status/1501030779480125441
https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/
Tubthumping by Chumbawamba

Apr 12, 2022 • 28min
Defending Against Cyber Criminals: Emotet’s Resurrection & Conti’s Implosion
Cybercriminals. They're just like us. With the Russia-Ukraine conflict, Conti found itself at odds with internal team members over the issue, eventually leading to self-destruction.

Which raises the question: are these organizations as impenetrable as we thought?

In this episode, we hear from Andrew Northern, Senior Threat Researcher at Proofpoint, about the resurrection of the Emotet malware, the Conti implosion, and advice for cyber defenders.

Join us as we discuss:
- The journey leading to Emotet's return
- The importance of the Conti group leaks
- What defenders should be thinking about when facing cyber threats

Check out these resources we mentioned:
Andrew's Twitter: https://mobile.twitter.com/ex_raritas
https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf
https://www.wired.com/story/conti-ransomware-russia/
https://www.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html

Mar 29, 2022 • 23min
Threat Actor TA2541: The Latest Tricks & Patterns
How are threat actors like Olympic snowboard halfpipe athletes?

When their good tricks get stolen by competitors, they add new ones to their repertoire.

In this episode, we hear from Joe Wise, Threat Researcher at Proofpoint, about the latest tricks from TA2541 (and why it's so fun to research that group).

Join us as we discuss:
- Changes that TA2541 has made over time
- Their current strategies and patterns
- Snowboarding, Home Alone, and what makes TA2541 unique

Check out this resource we mentioned:
Charting TA2541's Flight | Proofpoint US


