Silas Cutler
Unveiling Hidden Infrastructure: Tracking Threats via SSH Public Keys
The burgeoning landscape of cyber threats necessitates sophisticated methods to track and dismantle criminal infrastructure. This presentation delves into an advanced technique leveraging SSH public keys for tracking and correlating malicious activities across disparate systems. SSH keys, typically employed for secure remote access, inadvertently leave identifiable fingerprints across networks. By systematically analyzing these keys, security professionals can uncover linked infrastructure operated by threat actors. Our methodology involves collecting SSH public keys from known criminal infrastructure, code repositories, and open-source intelligence (OSINT), enabling targeted identification of systems associated with actors of interest and supporting cybercriminal operations.
This presentation will cover the technical aspects of SSH key fingerprinting, mass internet scanning, and data collection strategies associated with this technique. We will explore case studies where SSH key analysis successfully exposed criminal networks, highlighting the efficacy of this approach in real-world scenarios. Attendees will gain insights into the tools and techniques for implementing SSH key tracking in their security operations, the challenges encountered, and the best practices for maximizing the accuracy and impact of this method. By unveiling the hidden connections within malicious infrastructure, this approach empowers cybersecurity professionals to further identify and covertly disrupt criminal operations at scale.
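The correlation step described above can be sketched as follows. This is an added example, not code from the talk or from the speaker's tooling: it assumes collected keys arrive as `host keytype base64` lines (the format `ssh-keyscan` prints), computes the OpenSSH-style SHA256 fingerprint of each key blob, and reports keys seen on more than one host. The addresses are documentation ranges and the key blobs are constructed.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(blob_b64):
    """Algorithm name stored as the first length-prefixed string in the blob."""
    blob = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def correlate(lines):
    """Map fingerprint -> sorted hosts, keeping only keys seen on 2+ hosts."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        host, ktype, b64 = parts[:3]
        try:
            # Skip records whose declared type disagrees with the blob itself.
            if blob_key_type(b64) != ktype:
                continue
        except (ValueError, struct.error, UnicodeDecodeError):
            continue  # malformed base64 or truncated blob
        seen[fingerprint(b64)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def _sample_blob(fill):
    """Constructed ssh-ed25519 wire blob: name string + 32 filler key bytes."""
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

KEY_A, KEY_B = _sample_blob(0x41), _sample_blob(0x42)
SAMPLE = [  # constructed scan records, not real hosts or keys
    f"192.0.2.10 ssh-ed25519 {KEY_A}",
    f"198.51.100.7 ssh-ed25519 {KEY_A}",
    f"203.0.113.5 ssh-ed25519 {KEY_B}",
    f"203.0.113.9 ssh-rsa {KEY_A}",  # declared type mismatch, skipped
    "# comment line",
]

if __name__ == "__main__":
    for fp, hosts in correlate(SAMPLE).items():
        print(fp, hosts)
```

A shared host key is a lead, not proof of common operation: cloned VM images and default appliance keys also produce matches, so results need corroboration before attribution.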
Silas Cutler is a security researcher with more than a decade of experience tracking threat actors and developing methods for pursuit. Silas currently runs the Internet scanning service OnlyScans and the public malware repository MalShare. Before launching OnlyScans, he worked as Resident Hacker for Stairwell, Reverse Engineering Lead for Google Chronicle, and as a Senior Security Researcher on CrowdStrike’s Intelligence team.
Since 2021, he has played an active role in advancing the Ransomware Task Force’s initiatives for fostering collaboration between the public and private sectors.