SANS DFIR Summit 2022

Speaker: Abi Waddell

Little attention is given to tracking the perpetrators of cyberattacks in the world of forensics. DFIR teams can usually attempt to answer the question of what an attacker did, how they did it and when, but rarely who has done something. Fortunately, there are some methods of answering this question using opensource intelligence – methods which have been used successfully to trace the location and identity of threat actors in recent years. Attendees will learn how to get OSINT leading to the identification of a threat actor, based on real life examples, techniques and demos of new free tools including:

• Revealing deleted parts of screenshots and PDF files
• Discerning fake social media accounts
• Finding IP addresses belonging to VPN services likely to be used by cyber criminals
• Results of original research of thousands of leaked accounts, into identifying gender, age and predicted passwords in use, from the chosen usernames and passwords.
• Uncovering identities from pseudonyms
• Using account leaks, search engine analytics, maps, social media, images and more, to hunt threat actors.

This talk will show how focusing more on finding the source of cyber breaches will reduce attacks in the long run and how OSINT can be harnessed legally to discover the identity of cyber criminals. Key takeaways:

Techniques and tools to find the identity of a threat actor based on real life examples, how focusing more on finding the source of cyber breaches will reduce these attacks in the long run and the types of OSINT and how it can be harnessed legally to discover the identity of threat actors.

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE