Billy James "Beejay" Velasco is a seasoned cybersecurity practitioner with more than 12 years of experience in incident response, threat hunting, malware analysis, digital forensics, penetration testing, and security auditing. He is part of FireEye's Managed Defense Advanced Analysis team, where his expertise is focused on threat hunting, incident response, and the development of new hunting techniques. He and his team have responded to the latest and greatest compromises perpetrated by advanced threat actors for hundreds of subscribed Managed Defense customers globally.
Beejay has presented at security events, including Cyber Defense Live (Singapore, Australia and the Philippines) and Null Singapore (Open Security Community). He currently holds the CISSP, EC-Council Certified Hacking Forensics Investigator (C|HFI), Microsoft Certified Engineer (MCSE) and Microsoft Certified Administrator (MCSA) certifications.
Prior to FireEye, Beejay held various lead and senior security analyst roles at Tyche Consulting, Emerson Electric and the Bank of the Philippine Islands.
Cyber Operations & Response
Attacker Campaign Identification
Earlier this year, FireEye's Managed Defense team responded to an incident that involved a phishing email containing an embedded link to a domain masquerading as the legitimate Single Sign-On portal of a telecom client. The final payload of the compromise was the BEACON backdoor. Through deep-dive analysis of the passive DNS and SSL hosting histories of the identified attacker infrastructure, FireEye identified several other domains masquerading as various telecom companies based in Turkey, Indonesia, the Philippines and elsewhere. These domains similarly served fake SSO and VPN pages, with registrations dating back to late 2018. The team also performed Global Analysis and discovered DNS requests for a fake VPN page masquerading as another of Managed Defense's telecom clients. The finding was immediately relayed to the client for proper remediation.
This story highlights FireEye's identification of an attacker campaign through deep-dive analysis of passive DNS and SSL hosting histories of the identified attacker infrastructure.
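The infrastructure pivot the abstract describes, as an added illustration that is not FireEye's or the speaker's code: a two-hop walk from one known attacker domain over constructed passive DNS and SSL hosting-history records, with a guard against shared-hosting IPs that would otherwise pull in unrelated tenants. Every domain, IP and certificate fingerprint below is made up.

```python
"""Pivot over passive DNS and SSL hosting history (added example)."""
from collections import defaultdict

# Constructed passive DNS history: (domain, resolved_ip).
PDNS = [
    ("sso-telcoA-portal.example", "198.51.100.10"),
    ("vpn-telcoB-login.example", "198.51.100.10"),
    ("vpn-telcoB-login.example", "203.0.113.7"),
    ("sso-telcoC-access.example", "203.0.113.7"),
    ("cdn.legit-shared-host.example", "203.0.113.7"),  # unrelated tenant
]
# Constructed SSL hosting history: (domain, certificate fingerprint prefix).
SSL = [
    ("sso-telcoA-portal.example", "aa11"),
    ("vpn-telcoD-secure.example", "aa11"),  # same cert, never shared an IP
    ("cdn.legit-shared-host.example", "ff99"),
]


def pivot(seed, pdns=PDNS, ssl=SSL, max_hops=2, shared_ip_limit=50):
    """Return domains reachable from seed via shared IPs or certificates.

    An IP that hosted more than shared_ip_limit domains is skipped as
    probable shared hosting, the usual passive-DNS pivot false positive.
    """
    ip_to_domains, domain_to_ips = defaultdict(set), defaultdict(set)
    for d, ip in pdns:
        ip_to_domains[ip].add(d)
        domain_to_ips[d].add(ip)
    cert_to_domains, domain_to_certs = defaultdict(set), defaultdict(set)
    for d, c in ssl:
        cert_to_domains[c].add(d)
        domain_to_certs[d].add(c)
    found, frontier = {seed}, {seed}
    for _ in range(max_hops):
        nxt = set()
        for d in frontier:
            for ip in domain_to_ips[d]:
                if len(ip_to_domains[ip]) <= shared_ip_limit:
                    nxt |= ip_to_domains[ip]
            for c in domain_to_certs[d]:
                nxt |= cert_to_domains[c]
        frontier = nxt - found  # only expand newly discovered hosts
        found |= nxt
    return found - {seed}


def lookalikes(domains, brands):
    """Keep pivoted domains whose name embeds a watched brand keyword."""
    return sorted(d for d in domains if any(b in d.lower() for b in brands))
```

Pivoted hits that embed a client's brand are the ones worth relaying to that client, as the abstract describes for the second fake VPN page.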