We can't stop here! This is bot country!

Every day the Internet is scanned and probed by a quarter of a million IP addresses. Some of this traffic is benign, but most (around 60%) is malicious. High-profile names like Mirai and EternalBlue receive most of the media attention, but they’re the “devil you know”. What I find more fascinating are the ports and services which are inexplicably “interesting” and the networks looking for them.

In this talk, I’ll dive into:

  • The tools I use to monitor automated scans
  • Patterns I’ve observed over the last 18 months
  • Which networks are the most aggressive and their targets of choice
  • How organizations can leverage my hunting tactics to better defend & respond to threats in their own environments

This is important because even today, in 2019, the significant vectors for compromise are poor network security hygiene, missing patches, weak access control, and weak or nonexistent authentication. While zero-day exploits receive most of the media attention, most networks are compromised through completely avoidable security mistakes.

I’ll demonstrate the strategies I use to fingerprint and identify at-risk VMs in Azure which have proven effective when hunting risk against an attack surface of 2.8 million Internet-exposed IP addresses. The same methodologies can be applied by anyone with an Internet footprint and are a critical part of responding to new vulnerabilities, attack campaigns and finding compromised hosts in your environment. The techniques are environment-agnostic, effective across all cloud providers and don’t require anything more than accounts with a few OSINT providers.
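The abstract does not detail the speaker's own tooling, so the following is an added illustration of the general workflow it describes: correlate what the cloud control plane says you own with what an external scan or OSINT provider can see, and turn the differences into routable findings. Every IP, host name, owner and banner below is constructed for the example, the provider-export record shape is assumed, and the list of "should never face the Internet" ports is an editorial choice rather than anything from the talk.

```python
"""Attack-surface triage over externally observed scan data.

Added example, not the speaker's code: correlates a cloud asset
inventory with service observations of the kind an OSINT/scan provider
exports, and flags hosts that (a) expose services that should not face
the Internet, (b) match a banner pattern supplied when a new advisory
lands, or (c) are visible from outside but absent from the inventory.
All records below are constructed.
"""
import re
from dataclasses import dataclass

# Services that almost never belong on a public interface; the text is
# what goes in the ticket. Assumption: this list is an editorial choice.
RISKY_PORTS = {
    21: "FTP (cleartext credentials)",
    23: "Telnet (cleartext, brute-force target)",
    445: "SMB exposed to the Internet",
    3389: "RDP exposed to the Internet",
    5900: "VNC exposed to the Internet",
    6379: "Redis (commonly unauthenticated)",
    27017: "MongoDB (commonly unauthenticated)",
}

# Constructed inventory: what the cloud control plane says we own.
INVENTORY = [
    {"ip": "203.0.113.10", "name": "web-prod-01", "owner": "web-team"},
    {"ip": "203.0.113.11", "name": "build-agent-03", "owner": "ci-team"},
    {"ip": "203.0.113.12", "name": "legacy-fileshare", "owner": "it-ops"},
]

# Constructed scan observations in an assumed provider-export-like shape.
OBSERVATIONS = [
    {"ip": "203.0.113.10", "port": 443, "banner": "nginx/1.24.0"},
    {"ip": "203.0.113.10", "port": 22, "banner": "SSH-2.0-OpenSSH_9.6"},
    {"ip": "203.0.113.11", "port": 3389, "banner": "RDP"},
    {"ip": "203.0.113.12", "port": 445, "banner": "SMB 1.0"},
    {"ip": "203.0.113.12", "port": 23, "banner": "Welcome to FileShare telnetd"},
    {"ip": "203.0.113.99", "port": 6379, "banner": "-ERR wrong number of arguments"},
]


@dataclass
class Finding:
    ip: str
    port: int
    reason: str
    owner: str  # "UNKNOWN" when the host is not in the inventory


def triage(inventory, observations, banner_patterns=()):
    """Return findings sorted by IP, port and reason.

    banner_patterns: regexes for products named in a fresh advisory; an
    empty tuple means only the RISKY_PORTS and shadow-asset checks run.
    """
    owners = {h["ip"]: h["owner"] for h in inventory}
    compiled = [re.compile(p, re.IGNORECASE) for p in banner_patterns]
    findings = []
    seen_unknown = set()  # report each shadow host once, not once per port
    for obs in observations:
        owner = owners.get(obs["ip"], "UNKNOWN")
        if owner == "UNKNOWN" and obs["ip"] not in seen_unknown:
            seen_unknown.add(obs["ip"])
            findings.append(Finding(obs["ip"], obs["port"],
                                    "host reachable from the Internet but absent from inventory",
                                    owner))
        if obs["port"] in RISKY_PORTS:
            findings.append(Finding(obs["ip"], obs["port"], RISKY_PORTS[obs["port"]], owner))
        for pat in compiled:
            if pat.search(obs.get("banner", "")):
                findings.append(Finding(obs["ip"], obs["port"],
                                        f"banner matches advisory pattern {pat.pattern!r}",
                                        owner))
    return sorted(findings, key=lambda f: (f.ip, f.port, f.reason))


def by_owner(findings):
    """Group findings by owning team so each group becomes a routable ticket."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.owner, []).append(f)
    return grouped


if __name__ == "__main__":
    # Responding to a hypothetical advisory about SMBv1: pass its banner pattern.
    for owner, items in by_owner(triage(INVENTORY, OBSERVATIONS, (r"SMB 1\.0",))).items():
        print(owner)
        for f in items:
            print(f"  {f.ip}:{f.port}  {f.reason}")
```

The two checks that usually pay off first are the cheap ones: a host the scan data sees but the inventory does not is a response priority regardless of what it runs, and the banner-pattern hook is what lets the same script answer "are we exposed to this?" on the day a new advisory appears, without re-scanning anything yourself.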

About the Speaker