Global Speaking Events

I am an experienced conference speaker, delivering complex technical content in an easy-to-comprehend way. I love to tell a compelling story about the research I've done. Check out where I've been and where to find me next!

Upcoming Conferences

Intro to Android Reverse Engineering: Tear Through Apps Like A Pro

DEF CON Training - Las Vegas, United States - August 12-13, 2024

This introductory Android reverse engineering course is meant for students who are looking for a hands-on, lab-intensive class to expand their RE skills to Android. This course aims to introduce people to the world of Android reversing. It will be a mostly hands-on experience with just enough theory to provide the student a solid base upon which to build their reversing skills. We will cover the basics of Android, APK structure, DEX file internals and how this can be exploited in order to decompile and deobfuscate malware. The hands-on exercises provided use fresh malware samples that represent what those...

An Uninvited House Guest: How PROXYLIB Overstayed its Welcome on Android Devices

Insomni'hack - Lausanne, Switzerland - April 25, 2024

Cybercriminal threat actors sell access to residential proxy networks to other threat actors who are looking to hide malicious behavior behind residential IPs, including credential stuffing attacks, password spraying or large-scale ad fraud. In May 2023, we identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB after the common library in each of the apps. Researchers at IAS identified this malicious behavior in a single free VPN application — Oko VPN — on Google’s Play Store, and projected that the operators earned $2...

Past Conferences

One SMALI Step for Man, One Giant Leap for Researchers

FIRST TC - Amsterdam, Netherlands - March 5, 2024

With more and more people using their phones as their primary device, the prevalence of mobile malware has skyrocketed. People nowadays store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high-level threat landscape down to the nitty-gritty of every specific actor, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This is what this workshop wants to deliver: taking people from zero to hero in order to give them a more thorough understanding of the Android malware landscape.

Started from the Bottom, Now We’re Here: The Evolution of ESXi Ransomware

SEC-T - Stockholm, Sweden - September 13, 2023

Ransomware targeting Linux/ESXi has existed since 2015, but since then has gained popularity and become more sophisticated; what was once a niche tool was later adopted by groups focused on “Big Game Hunting” and later became a key piece of ransomware threat actors’ toolkits. Ransomware targeting ESXi has become substantially more popular, and is now used by high-profile groups such as ALPHV, BlackBasta, Royal and LockBit. The shift towards ESXi stems from the virtualization of entire organizations’ infrastructure, with minimal defensive capabilities available. As a result, this provides more incentive for a threat actor looking to extort the organization into...

Till There Was Unix: Defending ESXi Against Ransomware Attacks

FIRST Conference - Montreal, Canada - June 9, 2023

Over the past 18 months, ransomware targeting ESXi has become substantially more popular, with several high-profile groups such as ALPHV, BlackBasta, Hive, and LockBit developing their own lockers. The shift towards ESXi stems from the virtualization of entire organizations' infrastructure, with minimal defensive capabilities available. As a result, this provides more incentive for a threat actor looking to extort the organization into paying the ransom. Our talk will provide a technical discussion and overview of the specific TTPs ransomware operators employ to target ESXi systems prior to dropping ransomware. We will also discuss techniques we can use to detect and defend...

Maturing Threat Hunting Capabilities Leveraging Threat Intelligence

HammerCon - Laurel, Maryland - May 18, 2023

Abstract coming soon!

Harder, Better, Faster, Locker: Ransomware Groups Flex On Defenders

FIRST Technical Colloquium - Amsterdam, Netherlands - April 18, 2023

Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also...

Turn and Face the Strange: Ch-Ch-Changes In Ransomware Techniques

Insomni'hack - Lausanne, Switzerland - March 23, 2023

Everyone makes mistakes - including threat actors who deploy ransomware. Sometimes, “technical innovation” on the locker goes sideways and makes it easier to track or reverse engineer, or a false flag operation doesn’t quite pin enough blame on the intended party. We will highlight some interesting examples of ransomware techniques, such as PLAY’s usage of ROP, LockBit’s acquisition of BlackMatter code, ALPHV’s Morph obfuscation tool, and the myriad of threat actors who use custom-designed crypto or hard-coded, cryptographically insecure keys, and the opportunities they presented for us as defenders to signature and detect their malicious behavior. We will present technical...

Turn and Face the Strange: Ch-Ch-Changes in Ransomware Techniques

Disobey - Helsinki, Finland - February 18, 2023

Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also...

Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew

GreHack - Grenoble, France - November 18, 2022

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew

GRRcon - Michigan, United States - October 13, 2022

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

Pop, Log, And Drop It: Credential Access to Ransomware

Recorded Future Predict - Virginia, United States - October 5, 2022

Ransomware remains a looming threat to organizations in nearly every industry, and we see the specific groups themselves frequently evolve their tools, disband, rebrand and reemerge. Outside of all this change, what remains consistent is the need for ransomware threat actors to gain initial access to organizations in order to conduct these attacks, and largely, the key methods in which they do so. Infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces are key sources of initial access for these actors. Other attack vectors,...

It’s Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK

FIRST Conference - Dublin, Ireland - June 28, 2022

Many organizations ask: 'Where do I start, and where do I go next' when prioritizing behavior-based detections. We often hear 'use threat intelligence!', but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then...

Malware Wars: DarkSide Strikes Back as BlackMatter

REcon - Montreal, Canada - June 4, 2022

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

Malware Wars: DarkSide Strikes Back as BlackMatter

BSides Charm City - Maryland, United States - April 28, 2022

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

Malware Wars: DarkSide Strikes Back as BlackMatter

FIRST Technical Colloquium - Amsterdam, Netherlands - April 13, 2022

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

It’s Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK

ATT&CKCON 3.0 - Virginia, United States - March 29, 2022

Many organizations ask: 'Where do I start, and where do I go next' when prioritizing behavior-based detections. We often hear 'use threat intelligence!', but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then...

Detecting Cobalt Strike Across the Enterprise

Recorded Future Predict - Virtual - October 13, 2021

Cobalt Strike is a commercial post-exploitation tool designed to aid penetration testers and red team operators in conducting authorized intrusions. Despite its original goal, since its release in 2012, Cobalt Strike has gained widespread popularity among state-sponsored threat actors and financially motivated threat actors. Using adversarial emulation to recreate scenarios of the tool’s use, Insikt Group analyzed Cobalt Strike to identify detection opportunities from the earliest stages of its use across the enterprise. Come hear from the team behind the research in a panel discussion on taking a multifaceted approach to combat the use of Cobalt Strike by threat actors...

Egregor Awakens: Taking a Tour Of A Threat Actor’s New Digs

BSides Dublin 2021 - Virtual

Egregor ransomware made its debut in September 2020 and has since been used against several organizations across many industries while also employing anti-analysis techniques that complicate reverse engineering and in some cases, make it impossible. With connections to the threat actors behind Maze and Qakbot at the infrastructure, technical and contextual levels, Egregor presents a fascinating case study of how a ransomware threat actor morphs their operations. This talk will cover what we know about the threat actors behind Egregor, including a technical deep dive on the ransomware and discussion of TTP overlaps with other related ransomware threat actors. We...

Egregor Awakens: Taking a Tour Of A Threat Actor’s New Digs

BSides Tampa 2021 - Virtual

Egregor ransomware made its debut in September 2020 and has since been used against several organizations across many industries while also employing anti-analysis techniques that complicate reverse engineering and in some cases, make it impossible. With connections to the threat actors behind Maze and Qakbot at the infrastructure, technical and contextual levels, Egregor presents a fascinating case study of how a ransomware threat actor morphs their operations. This talk will cover what we know about the threat actors behind Egregor, including a technical deep dive on the ransomware and discussion of TTP overlaps with other related ransomware threat actors. We...

Dump Me If You Can: Malware Hide and Seek with Obfuscation

BSides Kobenhavn - Virtual - September 18, 2020

When a new piece of malware is discovered, some of the first questions an incident responder asks are: What does it do? What command and control infrastructure is involved? What is the impact on my organization? How can I detect it using commonly used tools? With the rise in the use of code obfuscation by malware authors, answering these questions becomes significantly more complicated: taking apart sophisticated malware that employs obfuscation is often more time- and resource-intensive and can require a more skilled analyst. In this talk, we will provide current, real-world examples of malware employing obfuscation techniques and...