Profile

Seth Lacy

Lead Information Security Engineer at Lumen

Seth is a Lead Information Security Engineer at Lumen’s Black Lotus Labs. In this role Seth focuses on leveraging Lumen’s unique internet-wide NetFlow telemetry to detect and disrupt malicious cyber activity at scale to deliver a fundamentally cleaner internet. Some of Seth’s primary research areas focus on the automation of adversary infrastructure discovery and the opportunities to leverage heuristics and machine learning to surface insights that enable the disruption of malicious activity early in the cyber kill chain.

Seth has maintained an enduring interest in cyber defense encompassing all forms of critical infrastructure, and prior to Black Lotus Labs he focused on industrial cyber security, most recently at Dragos. Outside of work, Seth is an avid reader, gardener, and backcountry skier.

All Sessions

Day 2
May 10, 2024
3:10 pm

Full Circle: Revisiting SideCopy from the Network Infrastructure Perspective

10 May
Time: 3:10 pm - 3:40 pm
Location:
Speaker: Seth Lacy

While we are all focused on hunting the cutting-edge techniques deployed by top-tier adversaries, many “second-tier” adversaries continue grinding away in the shadows with more limited attention from the larger security community. While not always as sophisticated in their operations, many of these adversaries remain highly motivated – compensating for their lack of sophistication with clever and often resourceful approaches to their operations.

This talk focuses on one such adversary, SideCopy, and how a serendipitous re-encounter with a curious, previously unattributed malware sample serves as a reminder that these adversaries are also worth checking up on from time to time. This talk will discuss the current state of SideCopy’s network infrastructure derived through the lens of NetFlow analysis, techniques for pivoting through NetFlow data and combining it with other data sources to develop a more comprehensive picture of multiple tiers of adversary infrastructure, and the increasing relevance of data science techniques for triaging and visualizing these large data sets.

Attendees should walk away from this presentation with a solid grasp of the current state of SideCopy network infrastructure, a better understanding of NetFlow as a telemetry source, analytical approaches to extract unique insights out of NetFlow which may not be available from other sources, and a framework for how to think about adversary operations beyond the first tier of victim-facing infrastructure.