Blake Butler
Unveiling Hidden Infrastructure: Tracking Threats via SSH Public Keys
This presentation delves into an advanced technique leveraging SSH public keys for tracking and correlating malicious activities across disparate systems. SSH keys, typically employed for secure remote access, inadvertently leave identifiable fingerprints across networks. By systematically analyzing these keys, security professionals can uncover linked infrastructure operated by threat actors. Our methodology involves collecting SSH public keys from known criminal infrastructure, code repositories and open-source intelligence (OSINT) enabling targeted identification of systems associated with actors of interest and supporting cybercriminal operations.
We will cover the technical aspects of SSH key fingerprinting, mass internet scanning, and data collection strategies associated with this technique. We will also explore case studies where SSH key analysis successfully exposed criminal networks, highlighting the efficacy of this approach in real-world scenarios. Attendees will gain insights into the tools and techniques for implementing SSH key tracking in their security operations, the challenges encountered, and the best practices for maximizing the accuracy and impact of this method. By unveiling the hidden connections within malicious infrastructure, this approach empowers cybersecurity professionals to further identify and covertly disrupt criminal operations at scale.
Blake Butler is an Emerging Threat Researcher and the Head of Fraud Threat Intelligence in PayPal’s Global Investigations organization. A premier investigator and subject-matter expert on fraud, money laundering, Open-Source Intelligence (OSINT), and offensive techniques, he holds numerous patents and has multiple publications in the security and anti-fraud field. Over the past decade at PayPal, his expertise has significantly contributed to complex investigations and takedowns.
Blake is also an international speaker, having presented at prestigious events such as the Microsoft Digital Crime Consortium (DCC), Underground Economy (UE), Anti-Phishers Working Group (APWG), Slam Spam (NCFTA), Regional Internet Security Event (RISE), and CactusCon. Additionally, he developed the Intelligence Capture the Flag (iCTF) event at DEFCON, designed to teach individuals how to conduct digital investigations with an emphasis on adversarial attribution.