Back to Talks 2026
Talk

Your OpSec Is Showing

Recon Village @ DEF CON 34August 7-9, 2026

1:30 PM – 2:00 PMSaturday, August 8DEF CON Creator Stage 2

Abstract

Most threat intelligence focuses on what attackers have already done: payloads, malware families, and post-compromise behavior. But adversaries are far more fluid at the payload layer than they are at the infrastructure layer. Domains rotate, IPs churn, and malware gets recompiled but infrastructure leaves patterns.

This article explores how to track threat actors through their infrastructure by leveraging fingerprinting techniques that expose those patterns at scale.

We’ll walk through practical methods including JARM for active TLS stack fingerprinting, JA3/JA4 for identifying consistent communication behaviors, SSH host key correlation for infrastructure pivoting, and MurmurHash for clustering phishing kits and web panels through shared assets. Individually, these signals are useful. Combined, they allow defenders to map infrastructure clusters tied to a single actor or campaign—even when traditional indicators change.

The focus is not on attribution for its own sake, but on building a repeatable approach to discovering “sister infrastructure” and identifying campaigns earlier in their lifecycle. By shifting attention away from payloads and toward the systems attackers stand up to operate, defenders can detect patterns before deployment and reduce time to awareness.

Attackers rely on reuse of configurations, tooling, and infrastructure. That reuse creates fingerprints. And those fingerprints are often more durable than the indicators most teams prioritize.

If you want to track threat actors effectively, stop chasing malware.

Track the infrastructure they can’t help but reuse.

Speaker

Fae Carlisle

Blu3Bird

Fae Carlisle (Blu3Bird) is a threat intelligence and DFIR practitioner working at the intersection of intelligence, detection, and threat hunting. She is an active member of hackers.town hacking community. Her work focuses on operationalizing intelligence, building systems and workflows that turn fragmented signals into actionable insights for real-world defense. She has experience developing intelligence pipelines and supporting detection efforts in production environments, with a focus on bridging the gap between analysis and response.

View full speaker profile →