SANS Cyber Threat Intelligence Summit 2023
Conference: Practical CTI Analysis Over 2022 ITW Linux Implants: Extending Detection Over Blind Spots
Date: January 30th, 2023
The Linux ecosystem remains underplayed. Cybercriminals and TA threat actors have continuously invested in tooling, from ransomware to persistent backdoors with infostealer capabilities. As an industry, we have developed great technologies for hunting, detection, and response on Windows, while visibility on Linux is minimal. So the question is: how can CTI lessen the risk on Linux? Using the Cyber Kill Chain and the Diamond Model of Intrusion Analysis, we built our detection and correlation for the latest Linux campaigns. We also extracted similarities between distinct threat actors through practical in-the-wild 2022 attacks on Linux, and we created a mapping based on commonly shared TTPs for different Linux threat actors. Our presentation will share different framework deliverables to detect the most recent 2022 cybercrime and TA threat actors' implants. In addition, we will also share detection rules for the families covered in our talk.
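The abstract describes deriving a mapping of TTPs shared across distinct Linux threat actors and using it to prioritise detection. The following Python is an added illustration of that idea, not code from the talk or from the linked repository: the family names and their technique sets are constructed assumptions (the technique identifiers follow the MITRE ATT&CK numbering scheme, but the attributions are invented for the example), and the pairwise-overlap and coverage-ranking functions are a generic way to find which techniques a single detection rule would cover across the most families.

```python
from itertools import combinations

# Constructed sample data: Linux implant families mapped to ATT&CK-style
# technique IDs. These attributions are illustrative assumptions, NOT the
# attribution data presented in the talk.
FAMILY_TTPS = {
    "family_a": {"T1059.004", "T1543.002", "T1070.004", "T1071.001"},
    "family_b": {"T1059.004", "T1053.003", "T1070.004", "T1071.001", "T1573.001"},
    "family_c": {"T1059.004", "T1543.002", "T1552.001", "T1071.001"},
}


def shared_ttps(a, b, ttps=FAMILY_TTPS):
    """Techniques used by both family a and family b."""
    return ttps[a] & ttps[b]


def jaccard(a, b, ttps=FAMILY_TTPS):
    """Jaccard similarity of two families' technique sets (0.0 .. 1.0)."""
    union = ttps[a] | ttps[b]
    if not union:
        return 0.0
    return len(ttps[a] & ttps[b]) / len(union)


def pairwise_overlap(ttps=FAMILY_TTPS):
    """All family pairs, most similar first, with the techniques they share."""
    rows = []
    for a, b in combinations(sorted(ttps), 2):
        rows.append((a, b, jaccard(a, b, ttps), sorted(shared_ttps(a, b, ttps))))
    # Sort by descending similarity, then by name for a stable order.
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def coverage_priority(ttps=FAMILY_TTPS):
    """Techniques ranked by how many families use them.

    A rule written for a technique near the top of this list covers the most
    families at once, which is where a detection engineer with limited Linux
    visibility gets the best return on effort.
    """
    counts = {}
    for techniques in ttps.values():
        for t in techniques:
            counts[t] = counts.get(t, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Pairwise overlap (family, family, jaccard, shared techniques):")
    for a, b, score, shared in pairwise_overlap():
        print(f"  {a} <-> {b}: {score:.2f} {shared}")
    print("Detection coverage priority (technique, number of families):")
    for technique, n in coverage_priority():
        print(f"  {technique}: {n}")
```

Swapping the constructed dictionary for a real family-to-technique mapping is the only change needed to reuse the ranking: the output then reads as a prioritised list of which shared techniques to write Linux detections for first.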
Slides: Presentation slides
Other resources shared during the presentation: https://github.com/blackberry/threat-research-and-intelligence/tree/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023