Getting ahead of the bad guys with Internet Scanning data.

Detecting adversaries ahead of time is the holy grail to any defender. In this presentation we propose the usage of internet scanning services as a hunting ground of adversaries. Services like Shodan and BinaryEdge provide a great source of adversarial indicators, allowing defenders to get ahead of the risk. While this is not possible all the time many defenders try to get ahead by collecting information from several sources, some open some through private feeds. In this presentation we will demonstrate how these services can be used to find unknown adversarial infrastructure. We will illustrate how this can be done hunting for ip addresses serving payloads that match the MZ header. This allows the identification of attack framework hosting sites serving executable payloads directly, Metasploit is a good example of such frameworks. The technique does not end with the MZ header, other patterns can be searched which contribute to a better mapping of the Internet threat landscape. The presentation will continue to explain how this data can be processed in order to be transformed into something useful for defenders and threat researchers.

During our research we also found different results, from funny stuff without any harm to powershell scripts or even source to be compiled locally.

This method has been used to triage logs on incident response cases where we wanted to see if CobalStrike had been used. By supplying a list of recent CS servers delivering payloads we were able to identify the initial attack vector and corresponding patient zero of that incident. The presentation will finish with the presentation of other use cases, for this kind of data analysis.