Presented at SuriCon 2018 by Tom Hegel, ProtectWise
In May 2018, ProtectWise 401TRG released an intelligence report titled Burning Umbrella, detailing attacks originating from the Chinese Intelligence Apparatus. In addition, the report details active operations that serve a broader, politically focused mission, and links them to nearly a decade of attacks. In this talk we will share the process of uncovering the attacking entity and turning that knowledge into detection and hunting techniques across network telemetry. This includes a review of the entity and the basic concepts used to identify and detect active compromises using Suricata. Lastly, we will review the broad network hunting techniques we used to detect these attacks and similar groups in the United States and East Asia.