
BSidesSF 2026 - Threat Chords: Tuning into Persistent Patterns in... (Karthika, Samhita Vempatti)

BSidesSF · 43:48 · 28 views · Published 2026-05 · Watch on YouTube ↗
About this talk
Threat Chords: Tuning into Persistent Patterns in Adversary Behavior
Karthika, Samhita Vempatti
What if threat intel wasn’t just noise? This session helps defenders tune into the recurring “chords” attackers play—like domain quirks and infrastructure habits—shifting the focus from chasing IOCs to understanding the infrastructure and TTPs that persist across campaigns.
https://bsidessf2026.sched.com/event/14b38f2d1f69a9167f34cbf71c3e24bf
Transcript [en]

I would like to welcome Gartika and Samita who are cyber security researchers at Adobe. They are here to talk to you today about threat chords tuning into persistent patterns in adversary behavior. Kartika, take it away. >> Thank you. Uh welcome everyone. So today we are here to talk about thread cords tuning into persistent patterns in adversary behavior. We've really leaned into the besides musical theme, but if you're not a music nerd like me, just the one thing that you need to know is chords are a combination of notes. Uh if you play a chord in multiple instruments, it kind of sounds similar. And what we are trying to go for here is that adversary behaviors uh they may

change a lot of tools and indicators, but the patterns remain and that's what we are calling chords. So uh I'm Karthika and joining me today is my colleague Samita. We are both uh threat researchers at Adobe and we are primarily focused on thread actor profiling and adversary tracking. Uh let's jump into it. So today's set list is going to be uh we'll set the stage. This is a beginner level talk. So we're going to kind of go through the basics first. We'll talk about why threat intelligence exists. After that we'll talk about the problem that we are kind of addressing today which is chasing the nodes why indicators fail. Then we'll talk about patterns in

practice. We'll actually talk about some real world attacks, break it down and talk about why we need to trace the patterns and not the notes. Uh and in the end we want everybody to take away some something. So we'll try to uh see how you can make threat intelligence part of your band and how you can apply it in your environment. Awesome. Let's get straight into it. So, threat intelligence, how did it come into existence? Threat intelligence did not start in socks. It was not the security operations center where threat intelligence came into existence. It started way back on battlefields and back rooms. The image that you see here is from an intelligence bulletin uh from

March 1945. So, it predates us a lot a long time ago. Intelligence was born in military and national security operations and it was designed to understand the opponent's intentions and capabilities. The core question that kind of drove intelligence back then is the same core question that drives cyber threat intelligence today and that is what is the enemy going to do next? Let's see how this has evolved from the battlefields to back doors. Then intelligence was primarily human intelligence and signal intelligence. Think of it as agents, informants or intercepted communications. At that time, campaigns were long. They were slow. Think of it as wars. And the opponents were generally nation states or like regional territories. And the

questions were, hey, when is the enemy going to come and you know uh attack our territory. Now things have changed. Intelligence primarily comes from logs and telemetry. The opponents are not generally always nation states, but criminal groups. This can also include teenagers who are able to social engineer Fortune 500 companies through just a help desk call. More on that coming. And the campaigns are not slow anymore. From initial access to data expiltration, this can happen within hours. And again, the attack attack surface has changed. It's no longer physical territories. It can be a cloud identity provider. The thing to note here is that the instruments have changed, but again the mission remains the same to predict what the enemy is

going to do next. We've seen the evolution. Let's now talk about what cyber threat intelligence is and what's the modern spycraft. At a very high level, you can think about threat intelligence with two fundamental layers. First is data. This is that the raw logs, the telemetry, the feeds that we receive, everything that your SIM ingests today. This may tell you that something has happened. This is often always like has a lot of noise and is something that is high volume. Uh to actually make sense of it, you really need context, which is the second core layer. This is where the analysis happens. This is where you kind of see what's the behavior. Is this activity

normal? what is the intent behind this data doing this particular thing. Only when you combine data and context is where you'll get actionable intelligence. This is where you actually make a decision. Uh it can be as simple as a detection rule that has resulted from this data and context. Or it can also be a prioritization strategy. You may say something that hey based on this data in this context we should prioritize this thread category for the next 90 days in our organization. or this will be some other highle strategic decisions as well. The one thing that I would like you to take away from this slide is that data tells you what happens but context tells you what it

means and both of them are really important for intelligence. Now we've understood what intelligence is. Let's kind of talk about what is the problem with today's CTI models. And just to be clear, CTI is cyber threat intelligence. So we'll talk about what, how, and why of IOC's. But before we do that, let's make sure that everybody in this room is speaking the same language. IOC is a word that you'll hear again and again. It's an indicator of compromise. It's think of it as a detectable artifact, an IP, hash, domain, something of an evidence that something has occurred. TTPs is tactics, techniques, and procedures. This is how the adversary operates the behavioral patterns. Threat actor can be a group or

an entity conducting activity, often rebranded or renamed. We'll talk more about that as well. And infrastructure here is servers, domains, hosting, staging systems, the backbone that enables thread actors to actually conduct their campaigns. Indicators are artifacts, TTPs, and infrastructure are behavior. Now, let's look at the traditional CTI model. If we have folks here who are part of the CTI teams, I want you to kind of as I go through this model, see if you've also seen the same pattern within your organization. The first stage typically is collecting feeds. CTI teams collect feeds from commercial sources, open feed sources. They are coming from vendor reports, some ITIS. All of these feeds are then enriched. This enrichment, think of it as like

adding some kind of metadata based on passing it through virus total, shortens, stuff like that. Once we have these enriched feeds, the next step often is to share this intelligence with our stakeholder teams. Think of it as sharing it with a detection team or a sock or even product teams in some cases. And the action that often leads after sharing these indicators is blocking these indicators. So the detection engineering team, sock teams, they go ahead and block these indicators the moment they know that this has been used by some attacker. This cycle repeats. Most of these CTI programs revolve around this model. And to be completely clear, I'm not saying that this model has no value. This definitely

does. But the structural problem here is that all of this is heavily reliant on indicators. Now let's move on to the next uh next part. These indicators are designed to burn. On your slide here are two images. Let's start with the one on the left. This is the IOC life cycle. This is pretty much similar to what we saw in the CTI model, but we'll go and make it specific to one particular indicator. Here we're taking an example of a domain. So from an attacker's perspective, the domain is created by them when they are trying to launch a campaign. They use the domain in a in a in a campaign and often times a defender

is able to detect and share it. Once this is getting once this gets shared with the community, the community will go ahead and block the indicator. The attacker will know this and they will replace it. This is something that the attackers budget for. They are know they know that these indicators will get shared and they will they will get uh rotated by them. On the right is pyramid of pain. For folks who are not aware of this, this is one of the core fundamental frameworks of cyber threat intelligence. And this kind of talks about the cost that the attackers need to uh take for changing any of these indicators in case this gets shared in

the outside community. So let's go bottom up. So hash values and IP addresses. If you look at these, the attacker does not have to incur a lot of cost or spend a lot of money to change these if they get shared publicly. It's very easy for them. Domain names again pretty much easy. probably they need to register a new domain but now there are a lot of automations available for a domain registration there is some amount of work but it's fairly simple now as you move up the pyramid things get hard network and host artifacts think of this as you know how a particular malware is going to get delivered these may cause disruptions in an attacker's you know

workflow if the if these details are coming out similarly tools think of it as like particular RMM tools particular exploit frameworks that the attackers are using. The more of these details that get shared, the attacker really needs to do some background work to kind of change and pivot their uh their campaign. On the apex of this is TTPs. This is what the behavioral method uh behavioral uh methodology of an adver adversary. This kind of talks about the muscle memory that the attackers kind of base their whole campaign on. The moment defenders like us kind of start targeting TTPs, start detecting that, start talking about that more, that's when we uh the attackers really need to

change their campaigns and uh and make it less deductible for them to kind of uh be successful. This is the point that we want to drive forward that it's not the IOC's, it's not the bottom part of the pyramid that we need to focus on. But the reality is a lot of our CTI programs today are botnheavy. We have really complex intelligence uh indicator platforms, IOC management systems, some things that enrich these indicators, but all of them are primarily focused on atomic indicators. We need to let go of these notes and go chase the chords. We have seen a lot of this theory. Now, let's talk about what it what it is in the actual real world.

We will today break down two campaigns to show you the real arrive scenarios where these uh you know chasing the notes would not be as helpful as chasing the chords. First we would like to talk about a global thread actor ecosystem something that's more high-profile. Maybe a lot of you here have heard about them. And then we'll go and talk about more of a smaller campaign called info steeler a particular info steeler campaign which has not been covered by the press at large but it's also equally technically fascinating and also kind of follows the same format. As we go through both of these campaigns the one thing that I would like all of you to think about is what is persisting

through these stages. What is changing? What is persisting? what would make sense for us to focus on. Let's jump right in. So the first scenario and the first uh case study that we want to look at is of scattered spider and shiny hunters. These are two big cyber criminal groups. Both have different origins but very similar operational playbooks. Scattered spyor is also tracked by multiple other names like an 3944, octoest. They are a financially motivated intrusion cluster and they are specifically known for their social engineering campaigns. They are really uh sophisticated in their social engineering attempts and we'll talk more about that as well and they are known to target large enterprises and SAS platforms.

Another group that we have here is shiny hunters. They are also of uh they are known for their data theft and extortion campaigns and they're uh they are also uh known for targeting large scale breach uh disclosures. They are known for their pay and leak model where they uh have these websites unlock dark webs where they say that hey these companies data we have them in our uh database if you don't pay we will leak them. And if folks are following the news, they have been uh known for like uh attempt uh known for accepting breaches of some companies even till last uh last week. The reason that we're talking about both of them together is

that now looks like both of these groups are have joined hands and are working together. Uh and the one thing that we really want to drive uh through this particular campaign is that labels may change. we should not really focus on you know the specific uh actor labels but focus more on their operational playbooks. If you look more from the operational playbook perspective you will cover more much more thread actors than if you go and focus on particular thread actors. Some notable incidents here are just for you to be aware of how active these thread actors are and how long they've been operating. uh MGM resorts breach in 2023 and Caesar's entertainment breach as well was in 2023. Then what followed

was a snowflake customer data theft and then Salesforce campaign. And as I said, we all we've had multiple even happen this year. Now to go into more technical details, I will walk you through the attack chain of a typical attack chain of this particular group. And as I go through each of these phase, we'll also talk about you know what is something that is persisting in in the next few slides. So in a typical attack uh graph for this particular threat group, it starts with recon. Scattered spider is specifically known for doing extensive OENT on their target employees and their target uh companies. They will go ahead and look at LinkedIn, look at the name of the

person, what's the title, what is who is their manager, what are their direct reports. also tap into databases which have SSN details of of these employees and collect all of these to go on to the next uh phase which is the identity access. This particular phase of of the uh intrusion graph is extremely relevant especially today. This is where these thread actors conduct an uh social engineering call and do a wishing campaign to uh impersonate the target employee uh and call the help desk of these companies. They do this and in often cases it has been documented that just knowing the name uh the you know the manager that they report to the position that they

have is good enough to pass the authentication check. In the MGM breach, it is documented that it just took a 10-minute breach uh this call u help desk call to breach and have an $100 million incident. This particular layer is again more active today and more relevant today because shiny hunters and scattered spider have confirmed the use of AI to to conduct this particular phase. They are using AI for voice cloning and in some cases deep fake for video verification as well. So this this phase is like uh something that's extremely relevant today and something that we all should be uh aware of. Once they are able to successfully social engineer this particular company they the next

particular step is targeting their identity provider which of late has been octa. What they do here is they en enroll a new device within Octa and that this particular phase is not really talking about a particular malware or an exploit but just a valid authentication token which is indistinguish indistinguishable from an real employee login. This is where they evade detection. Following this is an SSO session. Every application that is federated within Octa your IDP is now accessible to that particular thactor. SAS control plane is then uh you know is exploited. Octa has this feature of app self assignment. If the employee that they were breaching has access to certain apps now the uh now the threat actor also has this.

Following this they go ahead and do data access and exfiltration and that is then published in uh in these dark web websites. If you look at this whole intrusions, there's not a single step that will stand out in terms of detections. A helpless call from an employee is normal. An MFA reset also probably normal. A new device getting enrolled by a legitimate employee is also normal. So maybe all of these individual steps may not really trigger an alert. But when you look at the sequence, that's when you kind of observe what's really going on. This intrusion does not really rely on a particular malware. Let's dig deep into the actual chords of this particular intrusion graph. This is

the identity compromise chord. The first chord that uh is most consistently used by this uh scattered spider and shiny hunters group in every campaign. I kind of walked you through it. It's a typical wishing or help desk social engineering that leads to a password reset or an MFA transfer which then leads to SSO compromise. Scattered spider has played this exact sequence against MGM, Caesars, Octar, Twilio, Markx and Spencer and even this year. So this campaign, this particular attack pattern has been used across years. The tools have changed, the employees and the targets have changed, but the work and the playbook remains the same. Similarly, the infrastructure code here we have fishing domain templates target/SSO.com octal login target company.com. These

are the templates that these threat actors have seen to be used across years. If you monitor the domain, you may miss it. But if you see the metadata across all of these domains, which will also be something that will be covered in the next campaign, you will be able to detect this. They're also known to have network anonymization using MalvadVPN or uh you know uh residential proxies. All of these are tools that they specifically choose because they mimic legitimate traffic. Operational infrastructure does the same thing. So it's really important here to understand that the categories persist even when the domains and IPs rotate. The last particular chord here is the behavioral chord. This is the SAS

behavior. This is the exact phase where the attackers actually get value from their particular attack. Privilege expansion here happens through SAS permissions. It's not the traditional lateral movement of moving from server to server. It is exploiting the permission that the targeted employee already had. So here the the thing to note is that the lateral movement occurs through SAS permissions and not networks. This is why this particular chord notations are something that we really need to focus on. As a summary, these are the things that you can see. Every uh time a defender publishes a scattered spider domain, the attacker registers a new one. Every time an IP gets burnt, the attacker then rotates it. But the identity workflow,

the OENT of the employee, the going ahead with social engineering, all of these do not change. This has not changed in the last four years because it works. Because changing it is expensive. human layer of identity verification is consistently the weakest link regardless of what endpoint uh tools you have deployed. So the mind mindset shift that we are asking for is move from is this IP on your block list block list but rather does this sequence of action actually match a known pattern you've we've been trained to kind of react to individual indicators look at individual notes but all we asking is kind of go to uh check for chords this would be something that Samita will also

talk about in the next uh campaign which is as I said more of a lowprofile campaign but equally technically Fascinating. Passing it on to you Samita. >> Uh awesome. Uh thank you Kartika. So moving on to um uh moving on to a kind of like another campaign that flew a bit under the radar if it of course it was reported uh by uh some vendors and they definitely talked about it but not as much as like the previous campaigns that Kartika was talking about. So quick introduction to what the Amos info info stealer is. uh this has been in circulation uh since April 2023 and uh this threat actors have definitely realized that uh enterprises have uh

begun or employees have begun choosing Apple devices now more than ever and they've also noticed that it's an underdefended target and then they've al and and they have decided to target that and kind of have an info stealer for Mac OS specifically and this follows the typical uh info stealer pattern steals keychain passwords browser credentials and crypto wallets and system files. Uh earlier it was pretty much a smash and grab kind of campaign but now it is evolving to have persistence in the in the host machine and that's what's uh changed over the years. Uh so kind of to set the stage for what this campaign uh was and what was what was the research that came out uh that

was public uh the research for uh this was public around early December around December 9th of last year. Uh so what was happening was there there was a group of threat actors that basically bought out ad spaces for any Mac OS related issue. So for example, if I went and searched for my USB was not working or my sound was not working in Mac OS. Uh they they had sponsored ads in Google searches that would lead them to AI chats. So uh think like claude now it's also evolving to cloud but it started off with like chat GPT and gro chats uh that displayed this exact page. So here what happens is the user is instructed

to copy this particular command onto their uh terminal and run it. So at that stage what exactly happens is it it downloads the first stage of the malware from the first endpoint and then it goes on to do some checking uh and then it also goes on to download the Amos inforce dealer. Um so quickly looking at the domain that was reported in this research right uh the first domain this was the first domain that was reported. uh and then we'll also talk about how we kind of went about discovering the other domains in the process. So the first domain had this resource the first term script if you will uh at this clean GPT uh endpoint and this is a

simple script just prompts the user for their password uh checks if it's running in a VM machine and then goes goes on to download the second stage which is basically the Amos info stealer. Um so kind of like I was very curious like what what more details about this domain can I learn? So I did a quick look up on like URL scan and then I also looked into the TLS issuers. So a couple of things uh a couple of things to kind of make note here. Uh the end points that were that were consistently reported had some pattern uh and then the cleaner one update of course and they they surprisingly have cleaner two update and

they also have a hidden files endpoint uh that we will talk about uh shortly. uh but just kind of pivoting to the TLS the TLS uh issuer that they used was WE1 uh which is basically a Google uh Google services uh TLS issuer a pretty common one so moving on so I was curious I just wanted to understand if the first domain that the research talked about is it still active are are they still distributing it because by the time I had seen this research and by the time they they had reported it it it had already been a couple of months so I was curious and I just reached out to this particular clean GPT endpoint

uh on uh on that uh basically the clean GPT endpoint and then I did notice something strange. So when the article reported it, it said that the second stage of the malware was on the same domain but here what I saw was a completely different domain but the same endpoint and a couple of things uh that that I was really curious about was of course just because this domain is in this particular uh script it does it mean that is it still active? Is it is it part of the campaign? Uh is this their backup domain? So these are the questions that I wanted to answer. So I again did the same thing. I I I looked

at looked up what are the what are the endpoints this domain could have and then I also looked at what are the TLS issuers and voila like exactly they use the same uh the the TLS issuers were same and it also had that clean GPT endpoint that we did not see from the first uh in our in our script. So I was curious. So a couple of things that we also uh saw uh and I also did a quick reshout of the clean GPT endpoint and I also saw the similar pattern as was reported publicly. It has that uh second stage of malware on cleaner one update. So pretty so this is pretty consistent with what was reported publicly but now

we have a new domain. Um and we have now we've moved on to the second domain. So now I and I was curious like now we have the first domain and then we have the second one and what about the hidden files that we saw that hidden files endpoints that we all already saw we haven't kind of explored that part right so I was like what if I reached out to this particular endpoint uh on the new domain that we discovered are the threat actors kind of using a consistent pattern to deploy do they have kind of scripts that they have deployed and uh here is where it gets really interesting so yes they do have the they did have

the first stage of the script where uh they just download it and again they're just checking uh checking for you know they're just prompting for the system password and then uh they're also kind of pulling the second stage of the malware. But what was interesting was the the the second stage of the malware didn't follow the pattern as the first uh as the one that was publicly reported. But here they have a completely new domain and they also have it on a completely new endpoint which was not the cleaner one update uh that we saw. And another thing to kind of call out here is that just by changing the domain, they've also changed our uh

change the hash completely. And this also kind of ties back to the pyramid of pain and how how low of a pain this it is for the attackers to just change the hash. Kind of moving on right now, we've we've from the publicly report reported data, we've had the first one and then we found out about the second one and then now we also found out another new domain. And then are there more? Does it still is there more that we can find out about this? Uh but just like quickly kind of taking a step back to see and trying to again confirm if this domain indeed follows those kind of infrastructural patterns. We do see that

it has the WE1 as a TLS issuer, the Google uh services uh uh TLS issuer and then it also has these endpoints which are very similar to the ones that are publicly reported. kind of also one other thing that we can probably deduce from this is there are couple of there is a fixed ad space that the threat actors have decided to buy uh fixing camera issues fixing USB issues uh and they're also probably using reusing their same server scripts across the domains so that also shows us how uh how how this is kind of like low pain for them to keep changing domains but they have uh they have strong TLS issuer preferences here and what if now this is

whatever we found out was just from like infrastructure that was lying around for a bit. But what if I actually went and searched for fixing the issue myself and that's exactly what I did. Uh and this here I specifically searched for my USB drive was not working and mine is a Mac OS uh Mac OS system. And that's where uh that's where I saw this Medium article and that Medium article kind of led me to an official looking support page. Again, not not at all hard for attackers to generate in this day of AI. Um and but but surprisingly this payload here is was completely different from the one that was reported publicly. Uh which

also shows that attackers are also evolving. Uh just a closer look here. So the the string that was there uh in the payload that was that that the basically the page claimed uh that you know would fix your problem was basically heavily offiscated code. Uh so it was hex encoded and then gunzip compressed. So they did start noticing that you know simple base 64 enc uh encoding wasn't working for them anymore and their domains are being tracked. So they tried something a little more complex and they and in the hope that it won't be tracked. And this by the way is a slightly more active campaign right now. And you can also see how the domain uh

the TLS issuers uh they have a strong preference for Google services mainly because it's cheap it's throwaway uh and E7 and W E1 happen to be the same intermed intermediary CAS so what do we see here right so uh yeah so what do we see here the domains changed so but what kind of remained uh on a in a larger picture was that the fixed pages and the copypaste methodology remained the same that TLS provided preferences remained the same and uh the endpoint naming conventions that they chose they chose remain same throughout the domains even in the latest campaigns. So kind of this kind of kind all ties back together to kind of talk about like how the

attackers don't go behind or it's very or least painful for them to change like IPs domains and things like that but kind of changing TLS issuers or TLS preferences are harder for them. uh and what happens when everyone blocks the same IPs. Attackers are just going to pivot in in a flash. Uh and then now moving on to the last section of our presentation is how do you make threat intelligence part of your band or part of your uh practice. So the first one is how do you kind of extract threat intelligence through research? Uh and then we we just have like a fourstep uh process. The first one is prioritization. Uh and of course

this may seem a little obvious but it's just that when when you're in a threat intelligence team all this gets really overwhelming. There's lot of threat intel but what matters to your organization and what you are tracking and that that's what gives you what that's what drives value the most. So identify those subset of risks that that you think are really important to your organization and then map your map those risks back to your industry and then business context. So the context is king here. Uh so that could be fishing, it could be info steelers, it could be uh persistent campaigns, whatever you think that is poses the biggest threat to your organization. And the second one is time

boxed research. So I want to focus on the time boxed part because research is uh it's it kind of it kind of treads in a way where uh it can get get into a zone where you're you know rabbit holeing into this trying to find a specific answer and then you spent a lot of time but it's really important to know to keep it really time boxed uh so that you're able to extract meaningful value and then you're also able to explore alternate hypothesis and the third one is analyze. So here you want to uncover uh patterns in the data that you uh that you have decided to research on. uh and uh and also here in this

particular uh phase you also want to focus on any detection gaps any coverage blind spots and sometimes you might not even have the logging uh for you might not even have the log source or you you've discovered that oh god we don't even log this particular thing to even find any pattern right that's also a really meaningful uh outcome from your result and report uh here is the goal is uh just to kind of land on something concrete something.

Okay, there it is. Oh, no. Okay. >> No. >> Um, yeah. So basically the goal is to land your work on something more concrete. Another really important point is: don't assume that you will be the one picking up the research later. Account for the fact that someone else could pick up your research, and they need something to work off of. So document your research as thoroughly as you can; that will go a long way. I think it's a bit zoomed in. >> Yeah, that's okay. >> Okay.

Then, how to adopt threat intelligence as a way of thinking. We've been in this space for some time now, and what we've realized drives value is contextual analysis: trying to understand the attacker behavior, but also what that means to your organization, and identifying the relevant data sources, or log sources if you will. That could mean anything. It's also important to call out here that not every log source has meaningful value, so you also want to do the research on what gives you the most value and what doesn't. The third one is stakeholder prioritization. We've heard talks today about executive reporting for threat intel and about other teams that consume threat intel. Try to understand what the consumers of your threat intel product ask for. It gets easier to deliver value when you understand what they need and what exactly drives value for them. And extracting threat intelligence from logs: once you prioritize the logs, you're also able to extract meaningful intelligence from them.

Pivoting to the other part, what is sustainable and what scales well, or amplifies the value of the first few points that I spoke about: formal CTI processes. If you have structure and repeatability, it takes the practice a long way. Threat intelligence feeds, of course, but it's very important to choose the ones that have the most context. And also collaboration and sharing. This is another key thing: if you're able to collaborate with industry partners or industry peers, you get to know about current campaigns right when they're happening, rather than more than three months later when it comes out in somebody's research.

I just wanted to leave everyone in the room with a little

bit of what you can take back from this talk. If you're just building systems and you're not in a security or threat intelligence team, then maybe find out if your organization has one. Because threat intelligence is deeply embedded into the security practice, it's hard for people outside the security organization to know that such a team exists. Do connect with them and educate yourself about them. Also identify identity attacks: they are the starting point to entry into any organization, so you'd want to focus on that specifically. And if you know of any log sources that you have access to that might deliver value to security, surface that to the security team if they are not already aware of it.

If you're already in the security team, or already part of the SOC, where do you start? Start with identity abuse, mainly because it sits in the perimeter, and now more than ever employees have become targets for nation-state actors and even smaller actors with less budget. So you'd want to start there. And then, as Karthika mentioned, we also want to focus on detecting sequences rather than atomic alerts. So maybe group together logs from various sources and try to see the bigger picture. This is definitely time-consuming, but that's what drives more value. And focus on data movement; just looking at a couple of different sources will help you drive value there.

With that, hopefully we have convinced you, after 40 minutes of talking, not to chase the notes but to start hearing the chords, because patterns and preferences of threat actors always outlive the atomic indicators. We do acknowledge that it's always a challenge, but we want to send people off with the message that hearing the chords is what will accelerate us being able to find threat actor activity sooner. With that, we come to the end of this presentation, and those are our LinkedIn QR codes. If anyone wants to connect with us, or chat with us about anything similar you're doing in your organization, we'd love to hear about that. Thank you so much.

>> Thank you very much, Karthika and Samita. As a reminder, we are doing questions through Slido this year. You can access that at bsidessf.org/qna. We have a few questions already, so I'll go ahead and get started.

Actors will orient TTPs or activities around capability strengths and their organization topology. How does this apply to the chords concept? >> I agree. It's not always that the topology, as the question mentions, is going to be exactly applicable to every company at the same point, but if you look at threat actors in general (there was also a talk before this about Salt Typhoon) the overall structure remains the same. So the chords here are more about the individual layers that you can look at: the identity layer, the infrastructure layer. It may not always directly replicate for every company or every organization in the same manner, but that's the pattern that we are asking everybody to detect. It's a challenge; I'm not saying it's an easy thing to do, but that's where the chord terminology comes into play. And just to add on to that: even the SOC having awareness that such a chord exists will help them analyze and alert better, because when they're looking at one-off IOCs like IPs and domains, they're looking at geographical relevance and ASN, but when you tell them that in this particular campaign this is the particular TLS issuer that has been seen, it'll probably ring a bell for them. And hopefully you're also able to document it in a way that they're able to consume better. That also helps your SOC analysts.

>> Thank you. All right. Have you seen indicators of actors creating websites in clear text that poison LLM training knowledge to generate malicious instructions? >> Okay, that was a complicated question. So if I'm understanding it correctly, clear-text websites which in the background use LLMs, is that to deliver malicious payloads? >> I think the question is more like creating websites that LLMs then train on, and it forces the LLM to give bad information because that's what it's been trained on. Whoever asked that question, did I get it right?

>> Sweet. Thank you. I have not seen that particularly happen, but given the company that we're coming from, Adobe, which is a fairly big tech company, we have seen a lot of Adobe-related fake websites where people are delivering malicious payloads and also using AI lures to get customers onto those websites. Whether in the background that's what they're using for training is not something that I'm aware of. >> Yeah, I think this is talking about the LLM poisoning attack, if I'm understanding this correctly. Yes, there are certain one-off cases where we do see LLM poisoning, but I don't think this is happening at a mass scale where they're intentionally trying to poison, and that's not their goal. At least the way I see it, and again this is just my opinion, nothing set in stone, the main thing I see is that these large LLMs train on massive amounts of data, and they also have the budget to account for these cases, so there's definitely some kind of filtering happening. But if you're talking about custom models training on something really specific, like if I were to train a custom model specifically for macOS support, then yes, I would see influence there. But I wouldn't say something like GPT or Claude is getting poisoned already.

>> All right. This process seems incredibly slow. What is the realistic improvement in my security program? What kind of tools can be used to speed up this process? >> AI. Yeah, that's actually something that I didn't mention: we're also looking to scale up this process. We do acknowledge that it's a really slow process, but it goes back to my point about prioritization, right? If your

organization is not already protected against infostealers, this time is definitely worth it, as is informing your analysts that this is the threat that we see today, or this is the pivot that we see, because a couple of the pivots that we talked about were not even public, but it was valuable for the analysts to know about them. But to answer their question, trying to automate this process through AI and agentic workflows is something that we are looking into internally as well.

>> Thank you. This is a fairly specific question. We saw that the second attacker group always has two certificates from different CAs around the same time. Why do you think they're doing this? >> So this is what even I've been curious about. I think it's a couple of things. At least the last domain that I talked about had a legitimate website, so my hunch here is that they are compromising these domains or websites to begin with and then also going and registering these certificates. But that's research that's still underway, so that's why I did not talk about it too much. But two is also for backup. Threat actors tend to do that, mainly because they know that if there is specifically the WE1, they're moving away from that, and they're also focusing more on the E7 and the E8, even though it's from the same intermediate CA; they're basically trying to move away from that. >> And just a quick add-on to that: we are also seeing that not only in these smaller criminal groups but also in nation states, where they are relying on one or two of these resources and maintaining that across patterns. If folks attended the Salt Typhoon talk, that was also one of the things that they suggested. So yeah, it is something that I think is reliable for us, from the defender's point of view, to look at and detect, and pass on to our stakeholder teams as well.

>> Thank you. I think we have time for one more question from the audience. If anyone has one, raise your hand. All right. Well, if you do have more questions, I will ask you to find our presenters outside. Karthika and Samita, thank you again so much for your time here, and we look forward to seeing the rest of you at the rest of the convention. Thank you.
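The speakers' closing recommendation, detecting sequences of events across log sources rather than firing on atomic alerts, together with their advice to start with identity abuse and data movement, can be shown with a small correlator. The Python below is an added example written for this page; it is not code from the talk, from the speakers, or from Adobe. The two log sources, the per-user ASN baseline, the 1 GB bulk-download threshold, the one-hour window and every event in the sample data are constructed assumptions for the demonstration.

```python
"""Sequence detection over multi-source logs: an added example, not from the talk.

Three atomic signals that a SOC might already alert on individually are chained
into one ordered sequence per user: a login from an ASN outside the user's
baseline, a new MFA method being enrolled, and a bulk download. Only the whole
chain, inside a time window, raises an alert. All data below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed per-user ASN baseline; in practice built from weeks of IdP history.
BASELINE_ASN = {"alice": {"AS64500"}, "bob": {"AS64500", "AS64501"}}

# Constructed sample events from two hypothetical sources: an IdP audit log
# ("idp") and a file-storage audit log ("storage").
SAMPLE_EVENTS = [
    # alice: unseen ASN, new MFA method, bulk download inside one hour (the chord)
    {"ts": "2026-03-02T08:01:10Z", "source": "idp", "user": "alice",
     "event": "login_success", "asn": "AS64501"},
    {"ts": "2026-03-02T08:04:32Z", "source": "idp", "user": "alice",
     "event": "mfa_method_added", "method": "totp"},
    {"ts": "2026-03-02T08:40:05Z", "source": "storage", "user": "alice",
     "event": "download", "bytes": 3_200_000_000},
    # bob: same notes, but the login ASN is in his baseline and the download is days later
    {"ts": "2026-03-01T09:00:00Z", "source": "idp", "user": "bob",
     "event": "login_success", "asn": "AS64501"},
    {"ts": "2026-03-01T09:02:00Z", "source": "idp", "user": "bob",
     "event": "mfa_method_added", "method": "totp"},
    {"ts": "2026-03-03T11:00:00Z", "source": "storage", "user": "bob",
     "event": "download", "bytes": 4_000_000_000},
    # carol: a bulk download with no identity anomaly before it
    {"ts": "2026-03-02T10:00:00Z", "source": "storage", "user": "carol",
     "event": "download", "bytes": 5_000_000_000},
]

BULK_BYTES = 1_000_000_000            # assumed threshold for "bulk" data movement
WINDOW = timedelta(hours=1)           # assumed window for the whole sequence
SEQUENCE = ("login_new_asn", "mfa_method_added", "bulk_download")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signal(ev):
    """Map one raw event to a sequence signal, or None if it is uninteresting."""
    if ev["source"] == "idp" and ev["event"] == "login_success":
        if ev["asn"] not in BASELINE_ASN.get(ev["user"], set()):
            return "login_new_asn"
    elif ev["source"] == "idp" and ev["event"] == "mfa_method_added":
        return "mfa_method_added"
    elif ev["source"] == "storage" and ev["event"] == "download":
        if ev["bytes"] >= BULK_BYTES:
            return "bulk_download"
    return None


def atomic_hits(events):
    """What a SOC sees with per-rule alerting: every signal fires on its own."""
    return Counter(sig for sig in map(signal, events) if sig)


def _match_from(sigs, start, sequence, window):
    """Walk forward from sigs[start], collecting the sequence in order within window."""
    t0 = sigs[start][0]
    chain, need = [sigs[start][2]], 1
    for ts, sig, ev in sigs[start + 1:]:
        if ts - t0 > window:
            return None
        if sig == sequence[need]:
            chain.append(ev)
            need += 1
            if need == len(sequence):
                return chain
    return None


def detect_sequences(events, sequence=SEQUENCE, window=WINDOW):
    """Return one alert per user whose signals occur in `sequence` order within `window`."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        sig = signal(ev)
        if sig:
            per_user[ev["user"]].append((parse_ts(ev["ts"]), sig, ev))
    alerts = []
    for user, sigs in per_user.items():
        for start, (t0, sig, _) in enumerate(sigs):
            if sig != sequence[0]:
                continue
            chain = _match_from(sigs, start, sequence, window)
            if chain:
                alerts.append({"user": user, "first_seen": t0.isoformat(), "events": chain})
                break
    return alerts


if __name__ == "__main__":
    print("atomic alerts:", dict(atomic_hits(SAMPLE_EVENTS)))
    for alert in detect_sequences(SAMPLE_EVENTS):
        print(f"sequence alert for {alert['user']} starting {alert['first_seen']}:")
        for ev in alert["events"]:
            print("   ", ev["ts"], ev["source"], ev["event"])
```

On this constructed data the per-rule view produces six alerts, three of them bulk downloads by bob and carol with nothing suspicious around them, while the sequence view fires once, for alice, and carries the three contributing events from both sources in the alert. The ordered-match-within-window logic is deliberately the simplest form; a production pipeline would keep partial matches as state across batches and derive the ASN baseline from history rather than a hard-coded table.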
