This week we are joined by Dan Perez (@MrDanPerez) of FireEye’s Adversary Pursuit team. We discuss our experiences from last month’s congressional roundtable on artificial intelligence, provide insight into the analysis leading up to our report on TEMP.Periscope targeting Cambodian election operations, and break down several notable adversary methods observed during the past few weeks of responding to intrusions that matter.
Episode Recap and More Information
"State of the Hack Goes to Congress!": Cyber! Machine learning! Last month, Nick gathered his buzzwords and represented FireEye and the broader cyber security industry at a closed session with the U.S. House of Representatives Armed Services Committee. On this episode, we chat about the experience, as well as our own successes with machine learning (ML) and some cautionary observations about misunderstanding the technology. As Congress works on Department of Defense (DoD) machine learning application and prioritization, including policies that accelerate domestic growth in artificial intelligence (AI) and ML, FireEye continues to share ML tools and experiences with the community. These include a framework to identify obfuscated PowerShell scripts by @danielhbohannon, details on how we implemented security operations center (SOC) augmentation by @secbern and @awalinsopan, and our Natural Language Processing (NLP) solution for detecting malicious PowerShell by @vicfcs.
- Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
- Reverse Engineering the Analyst: Building Machine Learning Models for the SOC
- Malicious PowerShell Detection via Machine Learning
NOTE: As mentioned on this episode, we raised the need for H-1B visa reform and scholarship programs in data science and engineering with the subcommittee. Our ICE Data Science Team is a small, highly trained team and is currently hiring – see our Innovation & Custom Engineering careers.
"Behind the DADBOD": We get to know Dan Perez (@MrDanPerez), chatting with him about his background and his path from veteran Navy submariner to cyber security, and eventually to FireEye’s Adversary Pursuit team, where he tracks the groups that matter from the front lines of our investigations. We give an overview of this week’s TEMP.Periscope report, walking through Dan’s analysis of the threat activity cluster from initial lead to victim identification and eventually to a full understanding of this Chinese espionage group’s massive campaign targeting Cambodia ahead of the July 2018 elections. This is the second large campaign we’ve discussed this year, as we covered TEMP.Periscope’s targeting of maritime operations on episode 2 of State of the Hack. Dan also provides his insights on whether this represents a change for TEMP.Periscope, and who may be behind the keyboard. He also reveals that he is the mastermind behind the DADBOD malware naming.
- Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
- State of the Hack Episode 02’s original TEMP.Periscope segment
- Twitter thread by Ben Read from our Cyber Espionage team
"Threat Activity Round-up": We start the round-up segment discussing the so-called “#DFIR 0day” – also known as the Office365 Activities API – including what it is, who’s been using (and misusing) it, and why it was so interesting to the incident response community. We then recap several adversary methods that are trending in the wild, including Matt Nelson’s (enigma0x3) SettingContent-ms #DeepLink method and SensePost’s ruler being used by several targeted groups.
- Office365 Activities API discussion from Mandiant responder Josh Madeley
- FireEye studying attackers’ tinkering and weaponization of DeepLink
- Uptick in SensePost ruler Homepage shell & persistence usage in the wild
- Newly released “You’ve Got Mail!” Mandiant IR talk by Dan Caban and Muks Hirani
State of the Hack® is FireEye's monthly broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions. If you want to experience the magic, you can watch all State of the Hack episodes now. All episodes are also available as podcasts.