My key takeaways
Anomali
- it takes up to 200+ days on average before a breach is detected
- one challenge in many SOCs is finding the relevant information in a growing "data lake"; this is where tooling is needed
- WannaCry example: blocking the kill-switch domain as suspicious would have helped the worm spread; getting information about the purpose of this domain as fast as possible was mission critical
- cross-combining information from different sources and perspectives may increase the amount of data, but it also makes the necessary data available to detect threats and breaches earlier
RISKIQ
- Skimmers collect credit card data online, like their real-life equivalents on ATMs
- A common way to place them is injecting JavaScript into third-party scripts that are not self-hosted but imported into websites
- loading assets from third-party websites on critical pages like a checkout page is a big no-no
- A fully functioning skimmer can be bought on the dark web under a shared-revenue model, so the entry barrier for criminals is very low
- A lot of (especially smaller) websites are still infected
Crowdstrike
- In 2019 Crowdstrike identified 35,000 potential intrusions; in Q1 and Q2 2020 already 41,000
- Most of them are conducted by cybercrime organisations, followed by nation-state actors
- Panda, Bear, Kitten, Chollima, Tiger and Buffalo are Crowdstrike's code names for APT groups
Env
- Provided by Anomali
- Supported by
- Presenters:
- Frank Lange (Anomali)
- Fabian Libeau (RISKIQ)
- Jörg Schauff (Crowdstrike)