BSides London 2025

Tracking North Korean Threat Actor Infrastructure
2025-12-13 , Track 3

This talk will discuss how Team Cymru can track North Korean threat actor infrastructure using our network intelligence collection. Using real-world examples, attendees will see how NetFlow, open ports data, PDNS, and X509 certificates make it possible to monitor the activities of one of the world's most advanced financially motivated state-sponsored campaigns.


The technical details of North Korean threat actor infrastructure will be discussed at length using Team Cymru's telemetry, particularly which technologies they use to evade detection and which ASNs they use to connect to the rest of the open internet. With Team Cymru's data, it is possible to identify command-and-control (C2) servers and potential victims of North Korean campaigns, as well as which online web services these adversaries use to support their operations.
By attending this talk, you will walk away with practical knowledge, repeatable hunting techniques, and new visibility into one of the world's most persistent cyber threats, the North Korean regime.

Will is currently working as a Senior Threat Intel Advisor at Team Cymru. Previously, Will was a CTI Researcher and Threat Hunter at the Equinix Threat Analysis Center (ETAC). Prior to this, he worked for Cyjax, a UK-based CTI vendor. His other main commitment is as the co-author of the SANS FOR589: Cybercrime Intelligence course. He has also volunteered his spare time as the co-founder and main organiser of the Curated Intelligence trust group, Bournemouth 2600, and BSides Bournemouth.