A Practical Case of Threat Intelligence - From IoC to Unraveling an Attacker Infrastructure 

SANS Digital Forensics and Incident Response

SANS Cyber Threat Intelligence Summit 2023
Luna Moth: A Practical Case of Threat Intelligence - From IoC to Unraveling an Attacker Infrastructure
Oren Biderman, Senior Incident Response & Threat Hunting Expert, Sygnia
Noam Lifshitz, Incident Response Team Leader, Sygnia
Pivoting, or being able to move between indicators of compromise and up David Bianco's Pyramid of Pain to uncover the threat actor's tactics, techniques and procedures (TTPs), is a common practice in cyber threat intelligence (CTI) operations. However, it is sometimes regarded more as a black art than a science. In this talk we will discuss a threat group dubbed "Luna Moth" that leverages call-back phishing techniques, as a case study to walk you through the process of leveraging indicators of compromise identified while responding to several security breaches to uncover the threat actor's infrastructure. The talk will include:
1. An overview of several breaches we investigated, focusing on the attacker's modus operandi.
2. A breakdown of two techniques which were used to pivot between IOCs to uncover and track the threat actor infrastructure.
3. An example of employing automation to continuously monitor the threat actor's infrastructure.
View upcoming Summits: www.sans.org/u/DuS
Download the presentation slides (SANS account required) at www.sans.org/u...

Published: 29 Sep 2024

Comments: 2
@the-baker, 1 year ago
That's very interesting. Thank you very much.
@dewardvide, 7 months ago
Eye opening. Thank You!