Profile

Greg Lesnewich

Senior Threat Researcher at Proofpoint

Greg Lesnewich is a Senior Threat Researcher at Proofpoint, focused on identifying, tracking, detecting, and disrupting malicious activity linked to North Korea and Russia. Greg has a background in threat intelligence, incident response, and managed detection, previously working at Recorded Future, Leidos, and NCFTA, with experience in developing methods of tracking espionage and state-sponsored activity. Greg enjoys the topics of weird forensic artifacts, measuring malware similarity, YARA, and infrastructure tracking.

All Sessions

Day 1
May 9, 2024
10:40 am

Like Their Malware? You'll Love Their Phish

9 May
Time: 10:40 am - 11:10 am
Location: 
Speaker:  Greg Lesnewich

In the threat research and intelligence space, practitioners are familiar with pivoting across files, network traffic, and infrastructure to track their actors and discover new variants of evil. Many of those same principles can be used even further upstream, in the initial access phase, where actors very often leave behind fingerprints and patterns to enable clustering. This talk will explore how tracking these artifacts in email campaigns enables high fidelity detection of state-aligned actors, and will provide a behind-the-scenes look at how some of the best known threat actors leave behind a plethora of goodies for those who know where to look. This presentation will include the leakage of operator location, evidence of poorly-configured automation, common toolmarks left in email bodies or headers, and distinct threat actor naming conventions, and will present previously unpublished phishing and malware campaigns. Examples of examined actors will include TA421 (APT29), TA422 (APT28), TA427 (Kimsuky), TA453 (Charming Kitten) and multiple unnamed activity sets.
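As an added illustration of the header-artifact clustering the abstract describes (example code, not from the talk or from Proofpoint), the script below fingerprints constructed sample messages on four of the toolmark families named above: the operator time zone leaked by the Date header, the automation toolmark in X-Mailer, the shape of the Message-ID, and a subject naming convention. All sender domains, values and messages are made up; the header names are standard.

```python
"""Cluster emails by header toolmarks (added example; sample data is constructed)."""
from collections import defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime
import re

# Constructed sample messages: two from one hypothetical campaign, one unrelated.
SAMPLES = [
    "From: Help Desk <it@example-corp.invalid>\nTo: a@victim.invalid\n"
    "Subject: [Secure Doc] Q1 report.pdf\nDate: Mon, 06 May 2024 09:12:44 +0900\n"
    "Message-ID: <20240506091244.1a2b@mailer.example-corp.invalid>\n"
    "X-Mailer: PHPMailer 6.8.0\n\nPlease review the attached.\n",
    "From: Help Desk <support@example-org.invalid>\nTo: b@victim.invalid\n"
    "Subject: [Secure Doc] Invoice 7731.pdf\nDate: Tue, 07 May 2024 14:03:10 +0900\n"
    "Message-ID: <20240507140310.9f8e@mailer.example-org.invalid>\n"
    "X-Mailer: PHPMailer 6.8.0\n\nPlease review the attached.\n",
    "From: Newsletter <news@legit.invalid>\nTo: c@victim.invalid\n"
    "Subject: May updates\nDate: Tue, 07 May 2024 08:00:00 +0000\n"
    "Message-ID: <abc123@legit.invalid>\n\nHello\n",
]

def fingerprint(raw):
    """Return a tuple of header toolmarks that tend to persist across a campaign."""
    msg = message_from_string(raw)
    # Operator time zone: the UTC offset in Date survives even when the text is localised.
    offset = parsedate_to_datetime(msg["Date"]).utcoffset()
    tz_hours = offset.total_seconds() / 3600 if offset is not None else None
    # Automation toolmark: sending library and version, if the tool advertises itself.
    mailer = (msg.get("X-Mailer") or "").strip() or None
    # Message-ID shape: replace hex/digit characters so only the generator's format remains.
    local_part = (msg.get("Message-ID") or "").strip().strip("<>").split("@")[0]
    mid_shape = re.sub(r"[0-9a-f]", "X", local_part)
    # Naming convention: a bracketed subject prefix reused across lures.
    m = re.match(r"^\[[^\]]+\]", msg.get("Subject", ""))
    subject_tag = m.group(0) if m else None
    return (tz_hours, mailer, mid_shape, subject_tag)

def cluster(raws):
    """Group raw messages by shared fingerprint; returns {fingerprint: [From headers]}."""
    groups = defaultdict(list)
    for raw in raws:
        groups[fingerprint(raw)].append(message_from_string(raw)["From"])
    return dict(groups)

if __name__ == "__main__":
    for key, senders in cluster(SAMPLES).items():
        print(key, "->", senders)
```

In practice each feature is weighted and combined with body and infrastructure pivots rather than used as an exact-match key as here.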