
Tracking North Korean Threat Actor Infrastructure

BSides London · 2025 · 42:38 · 159 views · Published 2026-03
About this talk
Will Thomas from Team Cymru explains how netflow analysis and internet telemetry can track North Korean state-sponsored threat actors exploiting remote work infrastructure. The talk covers netflow fundamentals, ASN routing, VPN pivot points, and the threat posed by North Korean operatives embedded in Western software development companies—highlighting supply-chain risks and practical defensive mitigations.
Transcript [en]

Thanks very much. Before we get started, anyone here travel over from North Korea today? Hands up. One or two at the back. Yeah, thanks for coming. So I'm here to talk about everyone's favorite nation-state and cyber-criminal combination threat actor, and I'm here from Team Cymru to talk about how we track their infrastructure, which is the perspective we're focused on.

A little bit about me. I recently joined Team Cymru in April as a senior threat intelligence adviser. I've got over nine years' experience in cyber security, working at various organizations, at CTI vendors or as a defender inside a large enterprise corporate CTI team. I'm also a co-author of a SANS cyber crime intelligence course, and the co-founder of Curated Intelligence, which is a trust group of about 200 CTI analysts from around the world. I also do quite a lot in Bournemouth: I'm the lead organizer of Bournemouth 2600 and BSides Bournemouth, which hopefully a couple of you will attend next year, and some of you attended this year. I had good times at BSides, and I just want to say how thankful I am for the movement. It's great to be back here. I spoke last year and I'm really glad they accepted me to come and speak again at this one.

If this is your first BSides, I recommend attending some of the others around the country: you've got Cheltenham, Bristol, Basingstoke, our own one in Bournemouth, Exeter, and BSides Cymru as well in Wales, which is relevant for the next slide. So, Team Cymru, if anyone's not heard of us: you may be a little bit confused, like, is it a Welsh company? No, actually American. We're not the Welsh government, we're not the Welsh rugby team either, and for any Americans in the room, it's not pronounced Team Camry like a Toyota Camry, it's Team Cymru. It was created and founded by Rabbi Rob Thomas almost 25 years ago.

Team Cymru is for the community. If you've not heard of the company before, we've done various events around the world. Underground Economy is our biggest one, about 600 attendees, a four-day CTI conference where we talk about law enforcement operations and tracking cyber criminals, and it's the type of research I'm talking about today, all day long for four days in a row. We actually sponsor up to 30 conferences a year, so if anyone has their own conference that they're running and is interested in hearing about what we do, what the company does and how we can work together, then please speak to me afterwards. Team Cymru also has loads of different free community services, like the Malware Hash Registry, IP to ASN, the Unwanted Traffic Removal Service, and the Bogon reference list as well. So please check those out. I have a QR code at the end of the talk that you can scan, and there are all sorts of free goodies there for you to get your hands on. The other interesting thing about Team Cymru is that we've worked with various law enforcement agencies. We helped majorly with Operation Endgame, taking down malware botnets to stop ransomware campaigns, and we also helped with Operation Serengeti with Interpol, to stop cyber crime originating from Africa.

So what does Team Cymru actually have? For you to understand how I was able to do this research, I thought it important to give you context about how this is even possible, because it may seem kind of unusual, and not many other CTI companies in the world can actually do this type of work. The way Team Cymru works is that we have over 300 billion netflow samples every single day going into our platform, and then you can search IP-to-IP communications. But we also enrich the data with things like open ports data, X.509 certificates, JARM fingerprints and WHOIS information, so you can understand what the source IP is and what the destination IP is. And then we tag things as well, so as you'll see throughout the talk, I'll tag things as a VPN or some sort of cloud server or something like that. In the product there are over 2,000 different unique tags.

So what actually is netflow? I like to explain netflow like it's the postal service. You can see the recipient of the letter and the sender as well, but you can't see the contents of the letter. That's basically the IP-to-IP communication. But what we do is called sampled netflow, so we only see one out of every 3,000 to 10,000 packets. We can only tell you that there has been a communication, but we can't reconstruct packets or decrypt anything. Basically it's one in every 3,000. We can only tell you things like the source, the sender, the port, the client port, the server port, the TCP flags, bytes, packets, all that sort of stuff. But we can't tell you exactly how many communications there have actually been, just that there was some communication and when it happened. This is really useful when you're tracking command and control servers, because you can find the administrators logging in and configuring this stuff, but then you can also identify the victims as well.

So what can't you do? What's the important thing to remember when talking about sampled netflow? Basically, we can't help you identify all of the victims. We just give you some idea of who's been targeted by a command and control server or by malicious infrastructure. We do not record all connections; as I mentioned, it's sampled. And it's basically a collaborative effort from network providers around the world. We work with over 800 ISPs from around the world, and they share their data with us, which allows us to analyze it and track command and control and malicious communications. So we don't have complete visibility of the entire internet, but we have pretty good visibility, and it's pretty much the best you can get of this type of data.

So why is it valuable? Here's an example of a case study of something we worked on with a Dutch DFIR firm, an incident response firm called NVISO. We managed to track 1,500 VShell servers, which is a sort of Chinese-language offensive security tool used by a variety of threat actors, around 1,500 of those. Then we identified the victims of those C2 servers, and we were working with NVISO to notify those victims that an incident had happened. So you can kind of get an idea of the power of the data that we have, and how we can track and stop malicious threat actors in near real time.

So where does the netflow come from? As I mentioned, it comes from data sharing agreements with ISPs. We help the ISPs monitor their own networks; we give them the ability to detect and stop bad IPs and remove them from their networks, actively helping the internet become a safer place. And we do this through strict non-disclosure agreements, so I can't say who any of them are.

So, tracking North Korea. A bit more context about this threat actor. Maybe some of you are surprised that North Korea has offensive security operations, but they absolutely do. Over the last 10 years or so, they've been prolific. One of the major attacks that caught headlines over 10 years ago was the Sony Pictures data destruction attack. They managed to destroy and wipe all of Sony's corporate servers and the Sony Pictures Entertainment organization, and then they dumped all the data online. Then they progressed on to the Bangladesh bank heist, where they tried to steal a billion dollars. Shout out to Geoff White, who did an amazing podcast on the Lazarus heist; definitely recommend checking that out. WannaCry was then released after that, and then they got into launching cryptocurrency-based attacks, stealing the private keys of various hot wallets held by exchanges, draining all of the cryptocurrency, sending it back to themselves, and then laundering it through a vast money laundering network. It's kind of just progressively gotten bigger and bigger and more daring. And this year they actually did their largest ever heist, where they stole over $1.5 billion in cryptocurrency from the Bybit exchange. And what do you do with all that cryptocurrency? You spend it on a tricked-out lab for your cyber warriors. There's the glorious leader there with his henchmen.

This also gives you a good understanding of the org chart of the different operations inside North Korea, the different APT groups and what departments they align with. Shout out to DTEX for coming up with this very detailed and awesome chart that explains the configuration of these groups. But the one that I want to focus on today is something called the DPRK IT workers. These are remote workers who get hired at companies and go undercover, and it's probably one of the largest campaigns that they've run to date.

So, the DPRK IT workers. Remote working culture: I imagine half the room here probably works from home, as most of us do in cyber security. I've worked from home for the last five years. It basically exploded during the pandemic, and as a result people figured out that you can take up multiple jobs, because you're not in a team meeting 24/7, so you can actually go and work various jobs from around the world, all in different locations. This spawned an infamous subreddit called r/overemployed, where people were giving each other tips about how to set up these configurations: what systems to buy, what services to rent to be able to run these jobs. They would discuss things like, if you have two meetings, what do you do? Well, you join from different laptops and then you have a headphone in each ear. Stuff like that. It was quite funny. And I think the North Koreans were lurking on this subreddit, because they kind of figured out: oh, it's easy, you could just get two or three jobs per person and make thousands, tens of thousands of dollars a month. And this is where they were born.

Some of them have already been deanonymized, and this is not something that I've discovered on my own; there's so much research behind this. The FBI has put multiple North Korea-based threat actors on their cyber most wanted list, and you've got a lot of things like sanctions and unsealed charges explaining how they managed to figure out where they were from and who they are. So it's a massive problem.

So, the typical target profile. The interesting thing to consider about these DPRK IT workers is the fact that they're applying for jobs at Fortune 1000 companies: people are doing software development, they need IT outsourcing. But they're also working at the IT contractors and software contractors as well, who have much less strict vetting requirements to be able to get a job at these organizations. So essentially you could be outsourcing some project to another company that develops code for you for a very specific project, and then they subcontract, essentially, these North Koreans who apply and get a job there, but now you've essentially let them have access to your code and systems. So there's no hacking involved. They've just applied and got the job. And this actually leads to examples where, once they have that privileged access, they can then steal the private keys to be able to exfiltrate the cryptocurrency, taking the cryptocurrency from the hot wallet and sending it back to themselves, after they've done maybe a few months' work and got the money for that. They gain enough trust to be granted access to specific repos, and then they seize the opportunity and weigh it up: is it worth it to work there longer and get other IT workers hired, or can we just steal it and move on to the next target?

From studying these campaigns, there's been a lot of research put out, as I mentioned; in the QR code at the end you can see the reference list. But basically, from going through all of these reports, I built something called the DPRK IT worker kill chain, where they start with creating accounts. They apply for jobs on sites like LinkedIn and Upwork and Indeed, pretty much all the job recruiting sites that have developers and IT administrators. They will apply, and then they will use things like AI to bypass the coding tests or questions that you ask them. They're constantly using LLMs to generate those answers and appear like they're normal, well-speaking English speakers. And then they're also using a semi-complex system to anonymously connect into those networks and to remain undetected. They use all sorts of different pieces of hardware, so that when you ship them a corporate laptop they can connect to it and you can't tell that they're actually working from North Korea, which I'll explain much more deeply later. And then once inside, they'll do the work, they'll actually code things and administrate systems so that they get paid, but then they can do more nefarious things.

So here's an example of some interview videos that I came across, where companies have actually gone on Zoom and recorded someone who they suspect to be a North Korean. And then I think Kraken took it one step further and started trolling them and asking them Who Wants to Be a Millionaire questions. They're quite funny videos. And then people took it a little bit further and created the Certified North Korean Systems Professional. So it's going a bit viral.

But one of the things I want to focus on is why this is such a big problem: you have let them into your network. You've let them have access to your systems, and they have elevated, privileged access to those systems. Once they're in, they can collect all the data, they can send all the code back to the regime, and they can then work on things themselves. Remember, North Korea is a very isolated, sanctioned, embargoed country. No one trades with them openly; I think China and Russia are their only real link to the outside world. So they have to develop a lot of that stuff internally, and through this they can steal the code, write their own software, write their own hardware, all that sort of stuff. So it's a multi-beneficial campaign for them. And once they've got that data, they'll exfiltrate it and then they can extort that organization as well. They can say, if you don't pay a ransom in cryptocurrency, then we're going to publicly release it. Or maybe they delete that data and ransom it back to you to get it back. There are all sorts of different angles they can take here. I've discussed cryptocurrency theft quite a bit as well. But that last point is probably the one that scares me the most: the software supply chain attacks, where they can maliciously plant backdoors into legitimate software using signed code-signing certificates and spread via update servers. We've already seen how effective these types of attacks can be with things like SolarWinds and NotPetya. Some of the worst large-scale cyber crime and cyber espionage campaigns have started with a software supply chain attack. So the fact that there are thousands of North Koreans working with privileged access to legitimate software that we all use is kind of scary to me. And although it wasn't directly tied to a North Korean IT worker per se, they have a lot of experience of doing this themselves. I mentioned SolarWinds, but that was attributed to the Russian SVR, and NotPetya was attributed to the GRU. But they have done their own software supply chain attacks as well. They've done a double software supply chain attack, in fact, where they infected 3CX, which then pushed a malicious backdoor onto X_Trader systems, and then sprung off from there and got into the target organizations. So it's getting to be a pretty complex ecosystem of threat actors.

So how are we able to deanonymize and identify some of these North Koreans? There's a large body of work. A lot of CTI companies have access to infostealer logs. I saw in the vendor hall downstairs you have Flare; they have a lot of these infostealer logs. You can go and talk to them and ask them about it after this if you want. But essentially, loads of different CTI companies have these infostealer logs, and from these logs you can find things like browser autofill data, addresses, phone numbers, email addresses, what software is installed on these systems. And then they can search through and say: ah, what's an endpoint in Japan which has these developer tools on it, that has accounts on these job websites, is basically applying for all sorts of things, and is connecting from a VPN as well? You can piece these together to find all the systems that have been self-infected by the North Koreans. The other funny thing to consider here is the fact that the North Koreans are so isolated, and so inexperienced in the general internet, that they're downloading all sorts of free software and cracked games and all that sort of stuff, not realizing that they contain malware.

Another example of some of that research goes into deanonymizing these campaigns. Two companies, Yanbian Silverstar and Volasys Silver Star, one in China, one in Russia, were actually sanctioned for having basically an army of these DPRK workers, and 14 of them were named in an unsealed indictment by the Department of Justice. At the end of the day, it's such a prolific campaign; it's been tracked at least over the last six years. Some people go even further back, maybe the last 10 years, or even further for some organizations who say they have evidence of this going on. And the Department of Justice said that the schemes they've tracked have already generated at least $88 million. That's just what we know about; it could be 10 times higher.

So, coming back to what Team Cymru does and how we work: I had to give you the context before I could explain the research that we do. We focus on the technology side of it. So we focus on them using virtualized infrastructure: VPNs, Astrill VPN, IPRoyal, Oculus Proxy. They use mouse jigglers as well to stay online within certain time zones. They use artificial intelligence. And they also use all these different remote monitoring and management tools.
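The two artefacts this talk hands to defenders are the small set of North Korean CIDRs and the daily-changing list of VPN exit nodes that the telemetry ties back to them. The script below is an added example, not code from the talk or from Team Cymru, of hunting a careers-site access log against both. Everything in it is constructed: RFC 5737 documentation ranges stand in for the real DPRK prefixes (take those from BGP or WHOIS, not from a slide), the VPN exit list is a made-up stand-in for the dated "list one", and the log lines are invented. The list is keyed by date, so an exit node that was on yesterday's list does not match today's traffic unless it is on today's list too.

```python
"""Hunt a careers-site access log for DPRK-origin and suspect-VPN-exit clients.

Added example; not the talk's or Team Cymru's code. All ranges, IPs and log
lines below are constructed placeholders.
"""
import ipaddress
import re
from datetime import date

# Placeholder for the North Korean CIDRs (documentation ranges, RFC 5737).
DPRK_CIDRS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]

# Stand-in for the daily "list one": VPN exit IPs seen talking to DPRK space,
# keyed by the day the observation is valid for. Constructed values.
SUSPECT_VPN_EXITS = {
    date(2025, 6, 1): {"203.0.113.10", "203.0.113.11"},
    date(2025, 6, 2): {"203.0.113.11", "203.0.113.57"},
}

MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}

# Combined log format: client ip, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})'
)


def classify(ip_str, day):
    """Return why a client IP deserves a look on the given day, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # not an IP at all; nothing to match
    if any(ip in net for net in DPRK_CIDRS):
        return "dprk-cidr"          # direct hit on North Korean space (rare, but cheap to check)
    if ip_str in SUSPECT_VPN_EXITS.get(day, set()):
        return "suspect-vpn-exit"   # VPN node tied to DPRK space on that day
    return None


def hunt(lines):
    """Parse combined-format lines and return the events worth triaging."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue  # unparseable line; skip rather than guess
        day = date(int(m["year"]), MONTHS[m["mon"]], int(m["day"]))
        reason = classify(m["ip"], day)
        if reason:
            hits.append({"ip": m["ip"], "day": day.isoformat(), "reason": reason, "request": m["req"]})
    return hits


# Constructed sample log. Line 3 is the same VPN exit as line 1 but on a day it
# was not on the list, so it must not match; line 5 is just outside the /25.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2025:09:14:22 +0000] "POST /careers/apply HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2025:09:20:05 +0000] "GET /careers/ HTTP/1.1" 200 2048',
    '203.0.113.10 - - [02/Jun/2025:11:02:41 +0000] "POST /careers/apply HTTP/1.1" 200 512',
    '203.0.113.57 - - [02/Jun/2025:11:05:00 +0000] "GET /login HTTP/1.1" 302 0',
    '198.51.100.200 - - [02/Jun/2025:12:00:00 +0000] "GET / HTTP/1.1" 200 100',
    'this is not a log line',
    '192.0.2.44 - - [02/Jun/2025:12:30:00 +0000] "GET /careers/ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f'{hit["day"]} {hit["ip"]:<16} {hit["reason"]:<17} {hit["request"]}')
```

Direct hits on the DPRK CIDRs will be rare, for the reason the talk gives (they reach the internet through peers and VPNs), but the check costs nothing. The VPN-exit match is the one that needs a fresh feed every day; matching today's log against last week's list produces both false positives and misses.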

So if we can see the telemetry, the internet telemetry of IP-to-IP communications, and if we can see one IP communicating with these types of services and link it back to the North Korean ASN, we have a pretty good idea that it's probably them. So again, coming back to this idea of them working for these US companies: if you work for a US company, they're generally going to ship you a laptop to work from. But you can't really ship a laptop to North Korea very easily. So they decide to put them in these addresses, which we call facilitator addresses, and these facilitators have dozens of laptops installed. They kind of just prop them up and leave them turned on, and then the threat actors can come in and log in remotely to those. Pretty straightforward when you think about it. Late last year or earlier this year, there was a woman based in Arizona who had dozens of these laptops, and she was sentenced to something like 10 years in jail for creating fake identities, harboring these laptops, getting money and helping these North Koreans. Whether she realized they were North Korean or not is hard to say, but she was definitely conducting fraud. And that leads me on to something quite funny: you go on Reddit and sometimes you'll see people saying, "Someone's trying to pay me $100 a month just to put a laptop in my bedroom and connect it to my Wi-Fi. Seems like a pretty good deal," not realizing that it's likely the regime. They're reaching out to vulnerable people in many cases; sometimes you'll see students and such talking about this as well. They're preying on people to get these laptops installed, and it's not just Reddit; you see them on other websites where they're offering just sort of cheap work.

So the start of our investigation at Team Cymru is the fact that North Korea only has four CIDRs, so it's only about a thousand IPs on their ASN. It's not really that much, and anyone can monitor this. You could even block these connections if you really wanted to, but the chances of them connecting directly from these IPs to your network are very low, because they peer with the rest of the internet. So in this example I've taken the BGP routing of the peer ASNs. You can see that North Korea's ASN peers with one called Senbong and one called Trans Telecom, TTK. These are the two peer ASNs that they use to connect to the rest of the internet. You can see that it goes from North Korea to Senbong to China Unicom and then to the rest of the internet backbone, the tier one ISPs. Same with TTK, which can also connect to the rest of the internet. So that's how they're able to get out; they're not necessarily connecting directly from their ASN to your corporate gateway. And then where are these cables and how does it work? Researchers from South Korea and international bodies have focused very heavily on North Korean internet monitoring, and it's quite interesting, because there is a literal bridge called the Russia-Korea Friendship Bridge, a fiber optic cable runs along that, and that's how they get to the rest of the internet.

So here's what Team Cymru can do: we can see all of the North Korean IPs that have connected to Astrill VPN nodes. Astrill VPN is a VPN brand, I think it's a China-based VPN company, that is basically the North Koreans' favorite. If we monitor all of those thousand or so IPs from North Korea and look at what they're connecting to on the rest of the internet, a lot of it is Astrill VPN. It's their most favored VPN brand. So this is one list: from North Korea to the Astrill VPN nodes, which of those North Korean IPs have communicated with Astrill VPN nodes. And now we can see which of those Astrill VPN nodes have communicated with a North Korean IP. So this would be list one for you to go and threat hunt with, detect on, block, all that sort of stuff. But it changes every single day, so you kind of have to have that real-time infrastructure tracking to be able to understand this and have an up-to-date list. Working backwards from that list, we can actually see the connections to web services: job hunting websites, Upwork, WeTransfer, Workday. These are all services that they are known to use to conduct their operations, and we can work backwards from that list to go from North Korea to the service. This is just a small, simple diagram of how that works: you've got the DPRK ASN IPs, you've got the Astrill VPN IPs, and then you've got the web services. So through Team Cymru, from our monitoring of IP-to-IP communications, you can see the full chain and you can monitor those.

Here's an example of diving into our data a little bit more. You can see one IP from the Senbong ASN, so one of the ASNs that peers with North Korea. You can see that communicating with an Astrill VPN IP, and then you can see that Astrill VPN IP communicating with one of Upwork's IPs. So we have evidence here of this going on, just from monitoring internet traffic. The interesting thing to consider is that we can also see what ports and protocols these are coming in on. I believe it's 443, so it's just general internet browsing traffic, HTTPS. And we can also line it up via the dates as well. So if they communicated on this specific date at this specific time, then we can understand the path from North Korea to Upwork via Astrill VPN. And here's another example. We can see an Astrill VPN IP communicating with the North Korean ASN, and then that same Astrill VPN IP communicating with Workday. So you can kind of rinse and repeat this process and turn it into what we call playbooks. We have built a North Korean internet playbook to help our customers use this to track their infrastructure on a day-to-day basis.

Then if we actually zoom in and look at that Workday IP, it's pretty interesting, because you can see some very big companies who have their Workday instances hosted on that IP. You can see things like Nvidia, CrowdStrike, Equifax, Verizon, the Washington Post. The trouble with this, in one way, is the fact that Workday uses so many different customer instances on one IP. That's just a sampling; I think there are about a thousand other subdomains on there. So we can't really know exactly which North Korean threat actor applied for a job at which organization. But if you are one of these companies, you should go and threat hunt for that Astrill VPN node, because they are applying for jobs at your companies.

And this is where things get a little bit more complicated. Instead of the web service being the final destination here, we're looking from the North Korean IP going to the Astrill VPN IP, and the Astrill VPN IP going to a PiKVM. PiKVM is interesting because it's basically a keyboard, video and mouse system that allows you to remotely control a laptop using physical hardware. So remember, thinking back to the laptop farms, you see one of those laptops propped up. You plug a PiKVM into that, and then your connection just looks like it's coming from a US residential IP rather than from an Astrill VPN IP, or rather than from a North Korean IP. But then again, because of the way that we track the netflow data, we could tag this PiKVM as being linked to suspected North Korean traffic. And we can also see here that the communication was over this specific port number; I think it's triple-24. And then in our open port scan data, we can see that it's tagged as RTSP, or Real-Time Streaming Protocol, which makes sense if they're controlling a laptop remotely.

And here's another interesting artifact that we came across as we were studying the internet traffic coming from North Korean ranges: we saw communications to something called Hangrove VPN. If we actually go to their website on the Wayback Machine, we can see that it was software developed by North Korean software developers. It's like one of these in-house tools that they use to connect to the rest of the internet, and it's got a pretty obvious fingerprint when you scan for these. And then we looked, and there were only five of these IPs when we looked for them. Three of them were on North Korea's ASN and two of them were on TTK, Trans Telecom. And then we again did the netflow analysis from one of these IPs, and we saw them communicating with a residential IP in Singapore, which again is another interesting lead for us to go and understand what sort of activity is going on: why are the North Koreans remoting into this residential IP in Singapore?

The other interesting thing to consider is that when we actually looked at those TTK IPs, we saw two of those IPs had the net name Kpost-net 2. And to us, we believe that's likely related to these CIDRs having been specifically allocated to North Korea to use via TTK. So there is collaboration there between Russia and North Korea to allow them to have access to the internet. Right? So again, we take that entire range of all those IPs with the Kpost net name on TTK, and then we actually go and identify other IPs that we have tagged as things like PiKVMs and AnyDesk IPs, all the sorts of tools that the North Koreans love to use. And we see again evidence of them communicating with these proxy laptop farms, with these other systems that they have control over remotely. So they are able to branch out and communicate with the rest of the internet; it's just through these proxy networks. But if you don't have the ability to track the netflow traffic, you can't know that it's related to North Korea.

Again, another example of some more netflow traffic analysis that Team Cymru's research team was able to do: we were able to see those TTK IPs communicating with websites posing as job-related, fake recruiting websites. So there's another campaign that the North Koreans have been attributed to, where they're distributing malware such as BeaverTail and InvisibleFerret, funny names for malware. But we were able to identify those same ranges communicating with those types of sites, to identify some potential overlaps here between the IT workers and those same malicious malware campaigns coming out of the same ranges, which makes sense, because they only have a limited amount of internet space they can really come out of. And if you're like us, and we're kind of spawn camping their CIDRs, then it's quite easy to spot this stuff. And then the other interesting thing is that one of the domains that we saw communications to was actually seized by the FBI. So all sorts of other researchers are working on this as well, and some of them have worked to get some of that infrastructure taken down by the authorities. As we were monitoring it, we saw this seizure banner pop up and saw the FBI getting involved, which is quite fun. The other interesting thing is that one of those jump servers had been communicating with things like Telegram and Dropbox, which again are the similar types of tools that the IT workers love to use as well.

So that kind of brings me to the end of my talk so far. The main conclusion to take away from this is that North Korea has a very limited amount of internet space it can really come out of. Obviously you can track the IPs from those North Korean CIDRs, and you can track the IPs of Astrill VPN, but without Team Cymru you can't know which are the ones that are being controlled by North Korea at any one time. So through this, you can understand how you can track hostile nation-state threat actors with our data. You can understand their TTPs, what C2 servers they're communicating from, how they're running their campaigns, and then the overlaps as well between different campaigns. So if anyone has any information on North Korean threat actors, there's up to $5 million being given away by the US Department of State and their Rewards for Justice program. So if you do come across any interesting infostealer logs in your travels, then feel free to tip off the feds.

So, something to think about, something to leave you with, kind of a scary thought that I think about, is the fact that North Korea is known for these destructive attacks as well. So they're very financially motivated, stealing cryptocurrency, but there are the DoS attacks against government websites; the DarkSeoul wiper attack, which is one I don't think is talked about enough, a very interesting wiper attack that again used one of these software supply chain updates, via a South Korean antivirus software, to deliver a wiper; and then the Sony Pictures wiper as well, which took down all of their corporate servers. And then WannaCry was released pretty much broken, so it just destroyed any system that it encrypted. And the fact that they have these North Koreans at these companies having access to software that we all use and rely on is a pretty scary thought. And it's

something that as an industry, as a cyber security industry, we should be telling the rest of technology, IT, software development, whoever, networking about this threat so that they can, you know, uh fix up their hiring processes and things. Um, maybe have someone come in in person to verify who they are. Uh, instead of hiring a North Korean. And that's pretty much my talk. I'll leave a QR code up. [applause]

[applause] I think we've got time for a couple of questions.

>> I'm aware that ISPs are starting to deploy deep packet inspection software on their endpoints. I was wondering if your team will at some point get access to that and how you expect that will impact your work.
>> Sorry, can you hold the mic up?
>> Yeah. Sorry. So I know that ISPs are starting to deploy deep packet inspection on their endpoints, at least in the UK and Australia and likely elsewhere that I've not heard of. I was wondering if your organization will get access to that at some point and how you expect that will impact your work.
>> Well, as I mentioned, we only take sampled netflow traffic. So, one in every 3,000 to 10,000 packets. So we don't do deep packet inspection and get the full packets and things.
>> I was just thinking maybe it'll give you summaries or something like that, right? But yeah, fair enough.
>> Yeah.
>> So, do you need to comply with legislation from all the different countries? Well, you must comply with legislation from all the different countries. And that presumably means you don't have any packet sampling from a whole bunch of countries [snorts] like Russia and China and North Korea.
>> Sorry, again, it's...
>> Sorry. You presumably comply with legislation for specific countries to get that data. So presumably there are big areas of the world like China and Russia that you don't get any sampled data from.
>> Yeah, exactly. Team Cymru is an American company. So if anyone's friendly with America, it's easier for us. If anyone is someone America's hostile to, then they're not necessarily going to cooperate with us. So yeah, we do have like a visibility bias. It's not global, every single country, right? So yeah, that's basically how it works.
>> Yeah. I've never won. Yeah. [snorts] [sighs] Regarding visibility, I was wondering how much more difficult your netflow analysis and life gets when people use multi-hops in their VPNs.
>> Yeah. VPNs is a question we get a lot. Essentially, a lot of VPNs have millions of traffic because they're so used by all the different users. So that does make it harder for us. Things like the Tor network, where it bounces around loads of different nodes. Due to our visibility, we are not going to be able to see every single route of every single thing, and we only get one out of 3,000 packets, remember, at the end of the day. So it's not deep packet inspection. It's not the ability to deanonymize VPN users. We can only really use it to track malicious communications and identify those victims. Question down here. [snorts]
>> Thanks. One of the things I was thinking of as you were doing the talk was about inviting them in, if they're successful at interview, to come and collect their laptop. Are there any other practical mitigations that you could suggest? Because [snorts] to me that's probably going to be one of the most robust measures, considering they can't leave their jurisdiction.
>> Yeah, exactly. There's a lot of practical advice and things out there as well. I recommend, yes, if you do hire someone remotely, try and have them come to a local office at least once before you hire them, just to verify who they are. You ask for their IDs and things. But you know, from a global organization network, to threat hunt for these things in case one of your outsourced software providers isn't doing that, then you can only really rely on things like network telemetry or endpoint-based telemetry. So there's a whole load of EDR vendors out there that can help you with the endpoint stuff. Team Cymru is probably one of the few vendors that can really help you with the internet network telemetry-based stuff. Yeah, at the end of the day it comes down to having good HR vetting processes a lot of the time. But then with all this outsourcing, you know, there's some companies that will even have policies written in place where they have to review everyone that they hire. They install EDR agents on every endpoint they give out to these contractors. But enforcing that across an entire global organization is really hard. And that's where, as long as you're collecting some telemetry and some IP-related activity, you can use us to enrich that. Yep. Question down here.
>> Hi, thank you for the talk. I guess on one of the slides you had some information on some domains and stuff. Like, I guess, did you ever reach a point where you could actually report it to domain providers? Do you know which domain provider is massively being used by these North Korean threat actors? Like, is there any pushback from them? I guess...
>> From the VPN providers?
>> From the domain providers.
>> From the domain providers.
>> Yeah, for like the registrars?
>> Yes.
>> Well, it's again a big debate around how much KYC, know your customer, requests and vetting do you want to do with your customers. VPS providers and domain providers don't always really have that very strong KYC, and that's why the threat actors love going to them and using them, and that's why we're constantly battling it every day, and it's job security for us [snorts] at the end of the day. Unless there's some law that forces them to verify every single customer, then they're always going to abuse it.

>> Any more questions? Yeah, one down here.
>> All done. IPv4 and IPv6 obviously being huge spaces, and all these ports, and when you factor in multi-hopping, how long do you see, or what's the rotation time for a route before it dies and then you have to basically republish, like these are the threats this week? Like, what's your turnaround like?
>> Yeah, so actually monitoring the net communication, so we get netflow data every 10 minutes. And then we can use that to update those lists. So like from the North Korean IPs to the Astrill VPN IPs, you could run a scheduled API call against our data to grab that as frequently as you want. But then it is a query-based system. So you couldn't run millions of queries, or hundreds of thousands of queries, in any one go. So there are limits to this, but it's a capability that no one else can really offer. Yeah. Oh, one down here. [laughter]
>> I was just going to ask, how do you provide the data feeds?
>> The data is provided via platform.
>> Yep.
>> And then we also have three different platforms, and then we also have a feed of C2 servers, suspicious IPs and then just general context tags as well. So it's a platform and then feeds as well.
>> Okay. So it's all API driven. Can we get like BGP connections or something like that to take a feed of IPs?
>> Yeah, we do have BGP-related routing netflow data as well. Yeah.
>> Yeah. Yeah. [clears throat]
>> Another question here. [snorts]
>> Hi there. Great talk. That was a lot before. Just a clarification on the contractor component. Is it mainly you're seeing an impersonating contractor being first party to the business, or are you seeing [snorts] a third-party supplier or fourth-party supplier being compromised and then from that causing a wider spread infection vector?
>> Both things can happen. So one company can outsource a specific project to a software developer and then they subcontract it just to bring individuals in to work on it. But then you could also have just a general software provider for all sorts of different companies get compromised, and they work on all sorts of projects simultaneously. Yeah, it can happen both ways, and I've even seen them going as far as to become recruiters now themselves and recruit people in to do their work. [laughter] Yeah, it's getting very complex. I think that's it for questions. Any... oh yeah, one more.
>> Hey, how's it going? So I don't know how to phrase this correctly, so where you've got your netflow traffic coming in and you've got the connections coming from North Korea to your Astrill VPN hop or proxy, how do you measure the confidence of the originating connection via the VPN to the target endpoint, in the sense that it's obfuscated via the VPN hop, in the sense of multiple clients connecting to that VPN hop? If you're doing a one-to-one, how are you tracking that relation and the confidence that that originated to that destination?
>> Yeah, you would have to do that on a sort of granular timing-based analysis. So you'd have to see if they connected from North Korea to that Astrill VPN IP and then to that web service, it'd all be in a very similar time frame. That's pretty much how we do it.
>> Sorry, down to the...
>> Yeah, down to the second. Yeah. Yeah.
>> Hi, I was just wondering about the one in 3,000. How was that number reached? Was that a business decision, a technical limitation on storage or data flow, or is it from the ISPs? And have you done any work about how much you might be missing with that sort of sample size?
>> Yeah, it's a combination between how the netflow protocol works from Cisco, because these things come from Cisco devices at ISPs and stuff, as well as other sorts of devices, jFlow, sFlow and things. And it's also up to the data sharing provider how much they want to give us. But it's also a data storage issue as well. If you've got 100 GB per second links, we can't take all of that and store that, right? So our data goes back 90 days. And then, yeah, it's about 250 to 300 billion a day, and then anything past that we just kind of drop because it's not really as useful anymore. Yeah.
>> And unfortunately that is us. We have used up the entire Q&A time there. Please join me in giving a massive round of applause for Will.
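The timing-based pivot correlation Will describes in the Q&A (a flow from a watched range into a VPN egress IP, followed within a short window by a flow from that same VPN IP to some target), together with the 1-in-3,000 sampling caveat, as an added worked example. This is not code from the talk or from Team Cymru's platform; the netflow records and the watchlists are constructed, and the TEST-NET documentation prefixes (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) stand in for real DPRK-allocated and VPN address space. The `window_s` and the linear confidence score are assumptions for illustration.

```python
"""Timing-based pivot correlation over sampled netflow (constructed example)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed watchlists (assumption): TEST-NET ranges stand in for real
# DPRK-allocated prefixes and for VPN egress IPs that a tracker has tagged.
WATCHED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # stands in for DPRK CIDRs
VPN_EGRESS = {"198.51.100.10", "198.51.100.11"}              # stands in for tagged VPN IPs
SAMPLE_RATE = 3000  # one packet kept per 3,000, as stated in the Q&A


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    packets: int  # sampled packet count as exported by the collector


def estimate_packets(flow: Flow, rate: int = SAMPLE_RATE) -> int:
    """Scale a sampled count back up to an estimated true packet count."""
    return flow.packets * rate


def in_watched(ip: str) -> bool:
    """True if the address falls inside any watched prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_PREFIXES)


def correlate_pivots(flows, window_s=60):
    """Return (inbound, outbound, lag_seconds) triples.

    inbound:  a flow from a watched prefix into a VPN egress IP
    outbound: a later flow from that same VPN egress IP to a non-watched host,
              no more than window_s seconds after the inbound flow.
    A VPN egress flow with no preceding watched inbound flow is NOT attributed:
    many unrelated users share the same egress IP.
    """
    inbound = sorted((f for f in flows if in_watched(f.src) and f.dst in VPN_EGRESS),
                     key=lambda f: f.ts)
    outbound = [f for f in flows if f.src in VPN_EGRESS and not in_watched(f.dst)]
    hits = []
    for i in inbound:
        for o in outbound:
            if o.src != i.dst:
                continue  # different egress IP, not the same pivot
            lag = (o.ts - i.ts).total_seconds()
            if 0 <= lag <= window_s:
                hits.append((i, o, lag))
    return hits


def confidence(lag_s, window_s=60):
    """Linear score (assumption): 1.0 at zero lag, 0.0 at the window edge."""
    return max(0.0, 1.0 - lag_s / window_s)


def parse_flows(lines):
    """Parse constructed CSV records: ts,src,dst,dport,sampled_packets."""
    out = []
    for line in lines:
        ts, src, dst, dport, pkts = line.split(",")
        out.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(pkts)))
    return out


# Constructed sample records. Row 3 is a VPN egress flow with no watched
# inbound flow before it; row 4 is an egress flow 5 minutes after the inbound
# flow, outside the window. Neither should be attributed.
SAMPLE_FLOWS = """\
2025-06-01T10:00:00,203.0.113.7,198.51.100.10,443,2
2025-06-01T10:00:12,198.51.100.10,192.0.2.50,443,3
2025-06-01T10:00:40,198.51.100.11,192.0.2.60,22,1
2025-06-01T10:05:00,198.51.100.10,192.0.2.70,443,1
2025-06-01T10:07:30,203.0.113.8,198.51.100.11,443,1
2025-06-01T10:07:45,198.51.100.11,192.0.2.80,22,2""".splitlines()


def report(lines=SAMPLE_FLOWS, window_s=60):
    """Return (watched_src, target_dst, lag_s, confidence) per correlated pivot."""
    hits = correlate_pivots(parse_flows(lines), window_s)
    return [(i.src, o.dst, lag, round(confidence(lag, window_s), 2)) for i, o, lag in hits]


if __name__ == "__main__":
    for src, dst, lag, score in report():
        print(f"{src} -> VPN -> {dst} lag={lag:.0f}s confidence={score}")
```

With the constructed records this yields two correlated pivots (lags of 12 s and 15 s) and correctly ignores the egress flows that have no watched inbound flow within the window, which is the many-users-per-VPN-IP problem raised in the Q&A. Because each record is a 1-in-3,000 sample, `estimate_packets` is only an order-of-magnitude estimate, and short sessions can be missed entirely; a real deployment would widen `window_s` to compensate and treat the score as a triage hint, not proof.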