DEF CON , Events , Security Operations

Tracking Elusive Cybercriminals Through Domain Analysis

Malachi Walker of DomainTools on How Scattered Spider Adapts Despite Arrests
Malachi Walker, security adviser, DomainTools

Scattered Spider, a notorious cyberthreat group, has continued its operations despite a series of high-profile arrests. These arrests have not weakened the group but have instead prompted it to adopt new tactics, such as using different domain name patterns to target new employees who may not be familiar with company security protocols.

See Also: Corelight's Brian Dye on NDR's Role in Defeating Ransomware

The group's decentralized structure, in which members operate independently, contributes to its resilience, said Malachi Walker, security adviser at DomainTools. This structure, he said, allows the group to continue its activities even when some members have been apprehended.

Walker advised analyzing domain registrations and IP addresses of threat actor groups to help uncover connections between various campaigns and enhance law enforcement's ability to track and disrupt cybercriminals.

"Once we have one domain name that we know about, we can know when this domain was spun up. That narrows our window of when we were compromised, and it can give us a lot more room to work in resolving and remediating the event," Walker said. "We can also see whether this one domain is connected to any other domains, and if they are and we see the shared infrastructure, we can - in our own internal firewalls - create blocking rules for all of the associated domains so they can't hit us back. We can learn about their infrastructure."

In this video interview with Information Security Media Group at DEF CON 2024, Walker also discussed:

  • The decentralized operations of Scattered Spider;
  • The importance of having a domain activity timeline;
  • The need for proactive threat detection and incident response.

Walker develops cybersecurity communications and content related to the DomainTools product line and produces high-quality documentation on Domain Name System monitoring. He previously worked as a senior marketing associate at FTI Consulting.


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.