In recent years, we have delivered many talks detailing threat actors, their operations, and their tools. How did we conduct such research and gather such intel? In this talk, we share 25 techniques for gathering threat intel and tracking actors (for example: undisclosed crimeware vulnerabilities, C&C misconfigurations, and underground marketplaces). We explain our use of these techniques through 30 real cases.
We will also uncover an underground marketplace that has over 1,400 registered attackers. Products for sale include webshells, SSH passwords, FTP passwords, email lists, and crimeware. We show how the crimeware they purchased contained vulnerabilities that allowed us to track them.