In an effort to be more social as folks migrate from birdsite to Mastodon, here's my first post.

Something that I have been running into lately is the decision to take action on adversary infrastructure or to let it ride and monitor for new intelligence. Personally, I try to keep the actor from gaining any more new victims if I can help it.

When faced with the opportunity to impact the actor's infrastructure what do you choose?

- Take Action: 50%
- Let It Ride: 50%
@dadpunk It is very, very hard to answer that without any sort of background on what infrastructure we are talking about. When it comes to Tier 1 distro, I am a firm believer in "burn it all down" in most cases. When it comes to C2 or T2 or higher, this is something that requires some surveillance and thought. E.g., if it switches often and you can't get much out of it, burn it. If it is novel or static, report it to LEA to see if it helps their investigation, or keep it within a tight-knit group actively working on it if valuable intel is being gained. If it is compromised and lower-tier facing, report it to hosters/abuse. These are some examples of what I go through when thinking about these types of things. It varies, obviously, by adversary or malware, etc. Very hard to just do one or the other always. My first approach is to surveil and understand what you have, and then decide to act. 😀

@jroosen Ya, these are all good points. It's another one of those "it depends" questions. In most cases the context of this decision is something like Cobalt Strike C2 or other more static infrastructure, and not the tiered networks used by some of the bigger commodity malware variants. I do think interacting with law enforcement is unlikely for most people, though.

The reason I ask is because I think both sides have value, and it's really a question of what motivates you: understanding or impacting the actor.

@dadpunk Yes, it is very much an "it depends" in my opinion, hehe. Interesting to think about, though, and thanks for posting. Now that I know your intentions and scope, voting.