Trawling for IOCs: Catching C2 in a Sea of Data
Moses Schwartz
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Detection engineering today scales linearly with headcount — more rules require more engineers, and the backlog compounds. Moses Schwartz from Google Security Operations presents a data-driven detection engineering approach that uses VirusTotal's signing certificate data, sandbox execution behavior, and GitHub repository tracking to automatically generate and maintain threat feeds and detection rules, reducing the manual toil that keeps the discipline from scaling.
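The signing-certificate pivot in the abstract is simple enough to sketch. The block below is an added illustration, not code from the talk or from Google Security Operations: it groups VirusTotal-style file reports by the serial of the certificate that signed them, promotes a certificate to a pivot only when it has signed several samples and most of them are already detected, emits a hash feed (which picks up undetected files signed by the same certificate) and generates a YARA rule over `pe.signatures`. The report shape (`sha256`, `positives`, `total`, `signature_info.signers`), the hashes and the certificate serials are all constructed for the example; VirusTotal's real schema is richer, and the thresholds are assumptions to tune against your own data.

```python
"""Signing-certificate pivoting over VirusTotal-style file reports.

Added illustration, not code from the talk.  The report shape, hashes and
certificate serials below are constructed; the ratios are assumed tunables.
"""
from dataclasses import dataclass, field

MALICIOUS_RATIO = 0.3  # detection ratio at which a sample counts as "known bad" (assumed)


def _report(sha256, positives, total, signers):
    return {"sha256": sha256, "positives": positives, "total": total,
            "signature_info": {"signers": signers}}


# Constructed certificates (fake serials, fake names).
CERT_SHADY = {"serial": "0a:1b:2c:3d", "issuer": "Example CA", "subject": "Shady Tools Ltd"}
CERT_BIG = {"serial": "ff:ee:dd:cc", "issuer": "Example CA", "subject": "BigSoft Inc"}
CERT_ONEOFF = {"serial": "11:22:33:44", "issuer": "Example CA", "subject": "Loader Pty"}

# Constructed sample reports (fake hashes).
REPORTS = [
    _report("a1" * 32, 48, 70, [CERT_SHADY]),   # known bad
    _report("a2" * 32, 41, 70, [CERT_SHADY]),   # known bad
    _report("a3" * 32, 0, 70, [CERT_SHADY]),    # undetected, same signer: the new find
    _report("b1" * 32, 0, 70, [CERT_BIG]),
    _report("b2" * 32, 1, 70, [CERT_BIG]),
    _report("b3" * 32, 0, 70, [CERT_BIG]),
    _report("b4" * 32, 52, 70, [CERT_BIG]),     # one bad file under a widely used cert
    _report("c1" * 32, 60, 70, [CERT_ONEOFF]),  # bad, but only one sample ever seen
    _report("d1" * 32, 55, 70, []),             # unsigned: nothing to pivot on
]


@dataclass
class CertStats:
    subject: str
    issuer: str
    hashes: set = field(default_factory=set)
    malicious: set = field(default_factory=set)


def is_known_bad(report):
    total = report.get("total", 0)
    return total > 0 and report.get("positives", 0) / total >= MALICIOUS_RATIO


def index_by_cert(reports):
    """Group every signed sample under the serial of each certificate that signed it."""
    idx = {}
    for r in reports:
        for s in (r.get("signature_info") or {}).get("signers", []):
            serial = s["serial"].lower()
            st = idx.setdefault(serial, CertStats(s["subject"], s["issuer"]))
            st.hashes.add(r["sha256"])
            if is_known_bad(r):
                st.malicious.add(r["sha256"])
    return idx


def select_pivot_certs(idx, min_samples=2, min_bad_fraction=0.5):
    """Return (pivot serials, serials needing analyst review).

    A certificate becomes an automatic pivot only if it signed enough samples
    and most of them are already known bad.  A widely used certificate with a
    single bad file (compromised key, or a false positive) goes to review
    instead of silently turning everything it signed into an IOC.
    """
    pivot, review = [], []
    for serial, st in idx.items():
        if not st.malicious:
            continue
        bad_fraction = len(st.malicious) / len(st.hashes)
        if len(st.hashes) >= min_samples and bad_fraction >= min_bad_fraction:
            pivot.append(serial)
        else:
            review.append(serial)
    return sorted(pivot), sorted(review)


def build_feed(idx, serials):
    """Hash feed: every file signed by a pivot certificate, detected or not."""
    feed = set()
    for serial in serials:
        feed |= idx[serial].hashes
    return sorted(feed)


def yara_rule(serials, name="signed_by_pivot_certs"):
    """Emit a YARA rule matching PE files whose Authenticode signer serial is in the pivot set."""
    if not serials:
        raise ValueError("no pivot certificates")
    clauses = " or\n            ".join(f'sig.serial == "{s}"' for s in serials)
    return (
        'import "pe"\n\n'
        f"rule {name} {{\n"
        "    meta:\n"
        '        description = "Auto-generated from signing-certificate pivot"\n'
        "    condition:\n"
        "        uint16(0) == 0x5A4D and\n"
        "        for any sig in pe.signatures : (\n"
        f"            {clauses}\n"
        "        )\n"
        "}\n"
    )


if __name__ == "__main__":
    idx = index_by_cert(REPORTS)
    pivot, review = select_pivot_certs(idx)
    print("pivot certs:", pivot)
    print("needs review:", [(s, idx[s].subject) for s in review])
    print("feed:", build_feed(idx, pivot))
    print(yara_rule(pivot))
```

On the constructed data only the "Shady Tools Ltd" certificate becomes a pivot; the feed it produces includes the undetected third sample, which is the whole point of the pivot. The "BigSoft Inc" certificate (four files, one detected) and the single-sample "Loader Pty" certificate are routed to review rather than auto-converted to IOCs, which is the guardrail that keeps a legitimate or barely-seen signer from flooding the feed.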
AI review
Schwartz shows his work, which is refreshing. Data-driven detection engineering, pivoting on VirusTotal signing-certificate data and hunting with YARA over the sandbox behavior of tracked GitHub repositories, is practical, replicable, and honest about where the automation dragons live. The anti-hype take that the basics still produce high-value signals at Google scale is as important as any technique demonstrated.