Uncovering and Visualizing Malicious Infrastructure - SANS Threat Hunting Summit 2018

How much information about a threat can you find using a single IP address, domain name, or indicator of compromise (IOC)? What additional threats can you identify when looking at attacker and victim infrastructure? To discover and analyze the infrastructure behind large-scale malware activity, we’ll look at known indicators from popular botnets spreading such threats as Locky, Globeimposter, and Trickbot. We will highlight co-occurring malicious activities observed on the infrastructure of popular botnets, and demonstrate practical techniques to find threats, analyze botnet and malware infrastructure in order to identify actor and victim infrastructure, and show how to pivot to discover additional IOCs using such techniques as passive DNS and OSINT. Finally, we will demonstrate how visualizing known IOCs helps to better understand the connections between infrastructure, threats, victims, and malicious actors.
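The passive-DNS pivot the abstract describes, as an added example that is not part of the talk or its materials: starting from one seed indicator, walk domain-to-IP-to-domain links, restrict the walk to observations inside a time window so stale resolutions do not create false links, and stop expanding IPs that host too many domains (shared hosting). All domains, IPs and dates below are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS records (domain, ip, first_seen, last_seen);
# sample data for this example, not indicators from the talk.
PDNS = [
    ("payload-a.example", "198.51.100.10", date(2018, 3, 1), date(2018, 3, 9)),
    ("payload-b.example", "198.51.100.10", date(2018, 3, 4), date(2018, 3, 12)),
    ("old-site.example", "198.51.100.10", date(2016, 1, 1), date(2016, 2, 1)),
    ("payload-b.example", "203.0.113.7", date(2018, 3, 10), date(2018, 3, 20)),
    ("c2-c.example", "203.0.113.7", date(2018, 3, 11), date(2018, 3, 25)),
    ("cdn.example", "203.0.113.7", date(2018, 3, 1), date(2018, 3, 31)),
]

def build_index(records):
    """Bipartite adjacency: domain -> {ip} and ip -> {domain}."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip, _, _ in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip

def pivot(records, seed, window, max_hops=2, max_fanout=20):
    """Breadth-first pivot from a seed domain or IP through pDNS.

    Only records whose observation interval overlaps `window` are used
    (stale resolutions produce false links). An IP resolving more than
    `max_fanout` domains is kept as a finding but not expanded, since
    shared hosting would pull in unrelated domains. Returns
    {indicator: hop distance}, seed excluded.
    """
    first, last = window
    active = [r for r in records if r[2] <= last and r[3] >= first]
    by_domain, by_ip = build_index(active)
    found, frontier = {seed: 0}, [seed]
    for hop in range(1, max_hops + 1):
        nxt = []
        for node in frontier:
            if node in by_ip and len(by_ip[node]) > max_fanout:
                continue  # noisy shared IP: do not expand
            for n in by_domain.get(node, set()) | by_ip.get(node, set()):
                if n not in found:
                    found[n] = hop
                    nxt.append(n)
        frontier = nxt
    del found[seed]
    return found
```

The returned hop distances are what a graph visualization of the pivot would draw as edge depth from the seed; tightening `max_fanout` is the usual way to keep co-hosted CDN or parking infrastructure from flooding the graph.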

Josh has worked in security for 14 years. He’s been a threat analyst at NASA and also helped to build the Security Operations Center at Mandiant. His professional interests involve network, computer, and data security.

Andrea worked as a sysadmin for 12 years and has worked with Hewlett Packard and the city of Danville, CA. She began working with OpenDNS in 2015 and has worked tirelessly to make the Internet a safer place.
Comments

At the end: pretty cool to correlate DNS occurrence over a timeline, looks like Emotet and Hancitor could be related. Would be interesting to see more data over a longer time period.

Ichinin