Meet the Minds behind F5’s Advanced Threat Research Center of Excellence (ATRCoE)

As part of the F5 Office of the CTO, the Advanced Threat Research Center of Excellence is focused on uncovering the secrets of the most pervasive threats plaguing the Internet. Complementing F5 Labs' emphasis on threat intelligence, ATRCoE conducts advanced threat research to present outside-in views about cybersecurity risks. This research is then analyzed to produce compelling thought leadership and insights in the field of cybersecurity.

Led by Dr. Aditya Sood, this new group has already uncovered advanced threats and released research at multiple publications such as Virus Bulletin, Elsevier Magazines, BlackHat Arsenal, and industry-leading security conferences such as Texas Cyber Summit, BSides Berlin, Hack-in-Paris, Secure 360, Virus Bulletin and others. Some notable pieces are presented below:

• Collector-Stealer: Russian-Origin Information Stealer
• Dissecting AZORult C&C panel
• The Covid-19 Threat Landscape
• Enfilade Tool: Detecting Ransomware Infections in MongoDB
• Detecting DGA (Domain Generation Algorithm) Attacks Using ML/AI
• Cryptojacking: Compromised Kubernetes Clusters Using NVIDIA Drivers
• Compromising IoT C&C Panels for Unearthing Infections

The team is comprised of threat researchers and development engineers:

1. Amit Nagal is a principal data scientist at F5. He has more than 15 years of experience in machine learning and analytics. He holds a Ph.D. degree in developmental science from MGS university. In the past, he has worked at Verizon and JPMorgan Chase.  
2. Bharathasimha Reddy Devarapally is a software engineer at F5. He received his bachelor's degree in computer science from the National Institute of Technology, Warangal (India), in 2020. He has been actively working on threat research at F5. 
3. Ruthvik Reddy Sankepally is a software engineer at F5. He graduated with a B.E. degree in computer science from BITS Pilani Hyderabad.

How the team uncovers threats

The ATRCoE team focuses on the strategic, operational, tactical, and analytical aspects of a threat. By understanding the business risks and impact of the advanced threats, they decide on the threat research topic. Then, they dissect those threats to find their TTPs (Techniques, Tactics, and Procedures), KSAs (Knowledge, Skills, and Abilities), and AILs (Attack Infrastructure and Launchpads). With this context and by studying the prevailing work, the team forms the base of their research and decides on the best approach to tackle it. The approach can be defensive, offensive, or hybrid. The techniques employed may be proactive, reactive, or a combination of both. They share threat intelligence by building opensource tools and publishing research at various security portals and conferences.

How threats get the attention of the ATRCoE

The method of choosing research topics is based on an in-house developed TRIG (Threat Research and Intelligence Generation) framework. The research is selected based on relevance to ongoing advanced threats on the Internet. Highly severe and heavily publicized advanced threats including zero-day vulnerabilities command primary attention due to the urgency and impact on F5’s product offerings. For example, ATRCoE analyzed advanced threats such as AZORult, Collector-stealer, Blackguard, etc. specifically used by nation-state adversaries.

Additionally, ATRCoE invests efforts towards the use of ML/AI to handle cybersecurity challenges. For example: analyzing large sets of DNS (Domain Name Server) and HTTP (Hypertext Transfer Protocol) logs in a structured format within F5’s Security Data Warehouse, then exploring the data to find interesting threat artifacts and trends in the threat landscape to understand the current challenges. Examples include the team’s published work on Phishing sites that used Covid-19 themes and Project Astra’s DGA detection research.

Tools employed for ATRCoE research

The team practices a hybrid-approach in which a wide variety of tools are utilized for analysis, automation, and intelligence, including in-house design custom scripts, opensource tools, such as nmap, masscan, wireshark, tshark, bro, Radare2/Cutter, Ghidra, python, etc. and enterprise tools such as Burp proxy.
_____

Because of the nature of this kind of research, it's difficult to predict when new content will be published, but you can anticipate seeing more from this group soon.