As part of the F5 Office of the CTO, the Advanced Threat Research Center of Excellence is focused on uncovering the secrets of the most pervasive threats plaguing the Internet. Complementing F5 Labs' emphasis on threat intelligence, ATRCoE conducts advanced threat research to present outside-in views about cybersecurity risks. This research is then analyzed to produce compelling thought leadership and insights in the field of cybersecurity.
Led by Dr. Aditya Sood, this new group has already uncovered advanced threats and published research in venues such as Virus Bulletin, Elsevier magazines, Black Hat Arsenal, and industry-leading security conferences such as Texas Cyber Summit, BSides Berlin, Hack in Paris, Secure 360, Virus Bulletin, and others. Some notable pieces are presented below:
The team is made up of threat researchers and development engineers:
The ATRCoE team focuses on the strategic, operational, tactical, and analytical aspects of a threat. They choose a threat research topic by first understanding the business risks and impact of the advanced threats in question. Then they dissect those threats to identify their TTPs (Tactics, Techniques, and Procedures), KSAs (Knowledge, Skills, and Abilities), and AILs (Attack Infrastructure and Launchpads). With this context, and by studying the prevailing work, the team forms the basis of their research and decides on the best approach to tackle it. The approach can be defensive, offensive, or hybrid, and the techniques employed may be proactive, reactive, or a combination of both. They share threat intelligence by building open-source tools and publishing research at various security portals and conferences.
Research topics are chosen using an in-house TRIG (Threat Research and Intelligence Generation) framework. Topics are selected based on relevance to ongoing advanced threats on the Internet. Highly severe and heavily publicized advanced threats, including zero-day vulnerabilities, command primary attention because of their urgency and impact on F5's product offerings. For example, ATRCoE analyzed advanced threats such as AZORult, Collector-stealer, and Blackguard, which are specifically used by nation-state adversaries.
Additionally, ATRCoE invests effort in applying ML/AI to cybersecurity challenges. For example, the team analyzes large sets of DNS (Domain Name System) and HTTP (Hypertext Transfer Protocol) logs stored in a structured format within F5's Security Data Warehouse, then explores that data to find interesting threat artifacts and trends in the threat landscape and to understand the current challenges. Examples include the team's published work on phishing sites that used COVID-19 themes and Project Astra's DGA detection research.
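To make the DNS-log exploration concrete, here is an added example (not F5's, ATRCoE's or Project Astra's code) that scans constructed DNS query log lines and flags registrable labels with DGA-like traits: high character entropy, few vowels, embedded digits and long labels. The log format (`<timestamp> <client-ip> <qname> <qtype>`), the feature thresholds and the per-client summary are all assumptions chosen for illustration; a production detector would use a public-suffix list and tuned or learned thresholds rather than these fixed cut-offs.

```python
"""Added example: heuristic DGA-like domain flagging over DNS query logs.
Teaching illustration only; log format and thresholds are assumed, not
taken from any F5 or Project Astra implementation."""
import math
from collections import Counter

# Constructed sample DNS log; assumed format: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 www.example.com A
2024-01-01T10:00:01Z 10.0.0.5 mail.example.org A
2024-01-01T10:00:02Z 10.0.0.9 xk3q9vz7tplm2d.com A
2024-01-01T10:00:03Z 10.0.0.9 q8wz1ntg4kpl0vxb.net A
2024-01-01T10:00:04Z 10.0.0.7 cdn.static-assets.com A
"""

VOWELS = set("aeiou")


def parse_dns_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def registrable_label(qname):
    """Return the label directly left of the TLD (naive: no public-suffix list,
    so 'example.co.uk' would yield 'co'; sufficient for this illustration)."""
    labels = [l for l in qname.split(".") if l]
    if len(labels) < 2:
        return labels[0] if labels else ""
    return labels[-2]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def label_features(label):
    """Compute the four lexical features the heuristic relies on."""
    letters = [ch for ch in label if ch.isalpha()]
    digits = [ch for ch in label if ch.isdigit()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": len(digits) / len(label) if label else 0.0,
        "length": len(label),
    }


def dga_score(label):
    """Count how many DGA-like traits the label shows (0..4).
    Thresholds are illustrative assumptions, not tuned values."""
    f = label_features(label)
    score = 0
    score += f["entropy"] >= 3.5      # near-uniform character distribution
    score += f["vowel_ratio"] < 0.25  # unpronounceable
    score += f["digit_ratio"] > 0.15  # digits mixed into the label
    score += f["length"] >= 12        # long generated labels
    return int(score)


def flag_suspicious(records, min_score=3):
    """Return query names whose registrable label scores at or above min_score."""
    return [r["qname"] for r in records
            if dga_score(registrable_label(r["qname"])) >= min_score]


def suspicious_by_client(records, min_score=3):
    """Count flagged lookups per client: a simple trend/triage view."""
    counts = Counter()
    for r in records:
        if dga_score(registrable_label(r["qname"])) >= min_score:
            counts[r["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for q in flag_suspicious(recs):
        print("DGA-like:", q, label_features(registrable_label(q)))
    print("per client:", suspicious_by_client(recs))
```

Run as a script, the block reports the two constructed random-looking labels and attributes both to client 10.0.0.9, while the legitimate-looking names, including the long hyphenated `static-assets` label, stay below the score cut-off; that is the kind of per-client trend view the paragraph describes, reduced to a toy.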
The team practices a hybrid approach in which a wide variety of tools are used for analysis, automation, and intelligence, including custom scripts designed in-house; open-source tools such as Nmap, masscan, Wireshark, tshark, Bro, Radare2/Cutter, Ghidra, and Python; and enterprise tools such as Burp Proxy.
Because of the nature of this kind of research, it's difficult to predict when new content will be published, but you can anticipate seeing more from this group soon.