Tracking Elusive Cybercriminals Through Domain Analysis
Malachi Walker of DomainTools on How Scattered Spider Adapts Despite Arrests
Scattered Spider, a notorious cyberthreat group, has continued its operations despite a series of high-profile arrests. These arrests have not weakened the group but have instead prompted it to adopt new tactics, such as using different domain name patterns to target new employees who may not be familiar with company security protocols.
The group's decentralized structure, in which members operate independently, contributes to its resilience, said Malachi Walker, security adviser at DomainTools. This structure, he said, allows the group to continue its activities even when some members have been apprehended.
Walker advised analyzing domain registrations and IP addresses of threat actor groups to help uncover connections between various campaigns and enhance law enforcement's ability to track and disrupt cybercriminals.
"Once we have one domain name that we know about, we can know when this domain was spun up. That narrows our window of when we were compromised, and it can give us a lot more room to work in resolving and remediating the event," Walker said. "We can also see whether this one domain is connected to any other domains, and if they are and we see the shared infrastructure, we can - in our own internal firewalls - create blocking rules for all of the associated domains so they can't hit us back. We can learn about their infrastructure."
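The pivot Walker describes, sketched as an added example (not code from DomainTools or from the interview): starting from one known domain, it follows shared IP addresses and name servers to related domains, reports the creation dates that bound the compromise window, and lists the domains to block. All records, domain names and the `SHARED_INFRA` set are constructed for illustration.

```python
from collections import deque
from datetime import date

# Constructed sample registration/resolution records (not real indicators).
RECORDS = [
    {"domain": "corp-sso-help.example", "created": date(2024, 7, 2), "ip": "192.0.2.10", "ns": "ns1.bulk-dns.example"},
    {"domain": "corp-onboarding.example", "created": date(2024, 7, 9), "ip": "192.0.2.10", "ns": "ns1.parked.example"},
    {"domain": "corp-hr-portal.example", "created": date(2024, 6, 25), "ip": "198.51.100.7", "ns": "ns1.parked.example"},
    {"domain": "unrelated-shop.example", "created": date(2019, 3, 1), "ip": "203.0.113.50", "ns": "ns1.bulk-dns.example"},
]

# Assumption: infrastructure shared by many unrelated customers.
# Pivoting on it would link unrelated domains and cause over-blocking.
SHARED_INFRA = {"ns1.bulk-dns.example"}

def pivot(seed, records, shared=SHARED_INFRA):
    """Return every domain reachable from seed via a shared IP or name server."""
    by_attr, attrs = {}, {}
    for r in records:
        usable = [v for v in (r["ip"], r["ns"]) if v not in shared]
        attrs[r["domain"]] = usable
        for value in usable:
            by_attr.setdefault(value, set()).add(r["domain"])
    seen, queue = {seed}, deque([seed])
    while queue:  # breadth-first walk over shared infrastructure
        for value in attrs.get(queue.popleft(), []):
            for neighbour in by_attr[value] - seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen

def exposure_window_start(seed, records):
    """The seed's creation date is the earliest it could have been used."""
    return next(r["created"] for r in records if r["domain"] == seed)

def earliest_cluster_activity(cluster, records):
    """Oldest creation date in the cluster: when this infrastructure first appeared."""
    return min(r["created"] for r in records if r["domain"] in cluster)

def blocklist(cluster):
    """Sorted domain list, ready to feed into firewall or DNS blocking rules."""
    return sorted(cluster)

if __name__ == "__main__":
    cluster = pivot("corp-sso-help.example", RECORDS)
    print("seed created:", exposure_window_start("corp-sso-help.example", RECORDS))
    print("cluster first seen:", earliest_cluster_activity(cluster, RECORDS))
    print("block:", blocklist(cluster))
```

Passing `shared=set()` shows the over-linking failure mode: the unrelated domain on the bulk name server is pulled into the cluster and would be blocked.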
In this video interview with Information Security Media Group at DEF CON 2024, Walker also discussed:
- The decentralized operations of Scattered Spider;
- The importance of having a domain activity timeline;
- The need for proactive threat detection and incident response.
Walker develops cybersecurity communications and content related to the DomainTools product line and produces high-quality documentation on Domain Name System monitoring. He previously worked as a senior marketing associate at FTI Consulting.