As part of the F5 Office of the CTO, the Advanced Threat Research Center of Excellence (ATRCoE) is focused on uncovering the secrets of the most pervasive threats plaguing the Internet. Complementing F5 Labs' emphasis on threat intelligence, ATRCoE conducts advanced threat research to present outside-in views of cybersecurity risks. This research is then analyzed to produce compelling thought leadership and insights in the field of cybersecurity.
Led by Dr. Aditya Sood, this new group has already uncovered advanced threats and released research through multiple publications, such as Virus Bulletin, Elsevier magazines, and BlackHat Arsenal, and at industry-leading security conferences such as Texas Cyber Summit, BSides Berlin, Hack-in-Paris, Secure 360, Virus Bulletin, and others. Some notable pieces are presented below:
- Collector-Stealer: Russian-Origin Information Stealer
- Dissecting AZORult C&C panel
- The Covid-19 Threat Landscape
- Enfilade Tool: Detecting Ransomware Infections in MongoDB
- Detecting DGA (Domain Generation Algorithm) Attacks Using ML/AI
- Cryptojacking: Compromised Kubernetes Clusters Using NVIDIA Drivers
- Compromising IoT C&C Panels for Unearthing Infections
The team is composed of threat researchers and development engineers:
- Amit Nagal is a principal data scientist at F5. He has more than 15 years of experience in machine learning and analytics. He holds a Ph.D. degree in developmental science from MGS university. In the past, he has worked at Verizon and JPMorgan Chase.
- Bharathasimha Reddy Devarapally is a software engineer at F5. He received his bachelor's degree in computer science from the National Institute of Technology, Warangal (India), in 2020. He has been actively working on threat research at F5.
- Ruthvik Reddy Sankepally is a software engineer at F5. He graduated with a B.E. degree in computer science from BITS Pilani Hyderabad.
How the team uncovers threats
The ATRCoE team focuses on the strategic, operational, tactical, and analytical aspects of a threat. By understanding the business risks and impact of advanced threats, they decide on the threat research topic. They then dissect those threats to identify their TTPs (Tactics, Techniques, and Procedures), KSAs (Knowledge, Skills, and Abilities), and AILs (Attack Infrastructure and Launchpads). With this context, and by studying the prevailing work, the team forms the basis of its research and decides on the best approach to tackle it. The approach can be defensive, offensive, or hybrid. The techniques employed may be proactive, reactive, or a combination of both. They share threat intelligence by building open-source tools and publishing research at various security portals and conferences.
How threats get the attention of the ATRCoE
Research topics are chosen using an in-house developed TRIG (Threat Research and Intelligence Generation) framework. Research is selected based on its relevance to ongoing advanced threats on the Internet. Highly severe and heavily publicized advanced threats, including zero-day vulnerabilities, command primary attention because of their urgency and their impact on F5's product offerings. For example, ATRCoE has analyzed advanced threats such as AZORult, Collector-stealer, and Blackguard that are specifically used by nation-state adversaries.
Additionally, ATRCoE invests effort in applying ML/AI to cybersecurity challenges. For example, the team analyzes large sets of DNS (Domain Name System) and HTTP (Hypertext Transfer Protocol) logs stored in a structured format within F5's Security Data Warehouse, then explores the data to find interesting threat artifacts and trends in the threat landscape in order to understand the current challenges. Examples include the team's published work on phishing sites that used Covid-19 themes and Project Astra's DGA detection research.
Tools employed for ATRCoE research
The team practices a hybrid approach in which a wide variety of tools are used for analysis, automation, and intelligence, including in-house custom scripts; open-source tools such as Nmap, Masscan, Wireshark, tshark, Bro, Radare2/Cutter, Ghidra, and Python; and enterprise tools such as the Burp proxy.
Because of the nature of this kind of research, it's difficult to predict when new content will be published, but you can anticipate seeing more from this group soon.