John Jarocki

Tracking the Cyber Space Ghost from Oast to Oast

According to nearly every cybersecurity blog post, living off the land (LotL) techniques are currently very popular. This talk will challenge the assumption that using them amounts to hiding in the noise of normal activity. In fact, the unique patterns caused by the idiosyncratic way each actor uses common tools, combined with their lack of perfect knowledge about how those tools work (and the unobvious signals they produce), can actually make it easier to fingerprint and track them.

Specifically, we are going to cover a use case that dives deep into the use of Out-of-Band Application Security Testing (OAST) tools for blind vulnerability testing. Our research will show how to detangle the not-so-covert signals from OAST tool use into fingerprints, timing patterns, and infrastructure tracking. It is popularly said that defenders have to stop every attempt, but attackers only have to succeed once. Let’s flip that logic on its head and make the new catchphrase: “Defenders only have to find one clue… to eventually find you.”


John Jarocki is a Distinguished Member of Technical Staff at Sandia National Laboratories, where he chases shiny squirrels from incident response, to cyber threat intel, to analytic research and development. His alignment is chaotic orthogonal thinker, and his current focus is leveling up the blue team against operational technology and edge device threats.

John has a BA in Computer Science from UT Austin and a Masters of Information Security Engineering from the SANS Technology Institute.
