Profile

Michael Raggi

Principal Analyst at Mandiant Google Cloud

Michael August Raggi is a Principal Analyst at Mandiant Google Cloud. Previously, he worked as a Cyber Intelligence Analyst at BAE Systems and as a Staff Threat Research Engineer at Proofpoint. Michael's past publications have focused on APT targeting of the US critical infrastructure sector, recent operations conducted during the Russia-Ukraine conflict, and the repeated targeting of Tibetan dissidents by threat actors aligned with the Chinese state. His primary focus is tracking APT adversaries in the APAC region and developing analyst tools to automate the detection of top-tier threat actors.

All Sessions

Day 2
May 10, 2024
9:50 am

Understanding the ORBs: PRC Actors, Obfuscation Networks, and the Coming IOC Extinction

10 May
Time: 9:50 am - 10:20 am
Location: 
Speaker: Michael Raggi

In this landscape of extinction, precision is next to Godliness - Samuel Beckett

Since 2020, Chinese espionage operations have fundamentally changed. Gone are the days of actor-registered infrastructure and command-and-control reuse. A new practice of "Operational Relay Box" (ORB) networks has arisen to obfuscate CNE network traffic through a Tor-like network of registered VPS space and compromised end-of-life home routers.

This presentation will:

  • Demonstrate the ways ORBs have made blocking network IOCs extinct.
  • Provide a four-quadrant signature and detection approach (Censys, YARA, Netflow, active scanning) that will allow defenders and threat hunters to pivot through these complex networks.
  • Define a scalable, universal anatomy for talking about ORB networks and map signature types to these components.
  • Use an active ORB network leveraged by the PLA and MSS to provide real-world examples of what these ORB networks look like in practice.
  • And finally, shift the world view of network defenders from IOC blocking to detecting the ephemeral infrastructure networks leveraged by multiple malicious APT actors.