Bohemia Ballroom 07 Dec 2017 16:00 - 16:30

Effective cooperation between governments, industry/private sector and law enforcement agencies/data protection authorities is an essential element in fighting cybercrime. Cybersecurity researchers do not always build relationships with counterparts outside of the cybersecurity research community; however, it can be essential to work in a cross-functional team to combat sophisticated threats.

This talk describes our investigation last year into rogue hosting activity in the Netherlands using various threat intelligence techniques such as large-scale network data mining, OSINT research, and on-the-ground HUMINT investigative work. Bulletproof hosting providers, a critical part of cybercrime operations, are used to carry out ransomware, phishing, and other attacks. They offer customers reliable infrastructure protected by the complex laws of cyberspace and are able to avoid takedown attempts by law enforcement by leveraging the anonymity of the internet.

We describe the ‘recipe’ that criminal hosting providers often use to enable their operations, and we highlight key threat intelligence best practices that any cybersecurity threat researcher should follow, including:

  • The value in investigating higher-level tactics, techniques, and procedures (TTPs) and threat actors as opposed to indicators of specific toxic content
  • The possibilities for enriching data through open source material
  • The broad community of people that may be necessary to bring together in order to address a cyber threat

Cisco Umbrella (OpenDNS)
Head of Security Research
Security Links
Independent Researcher

