Knowledge Series

Redefining IABs: Impacts of Compartmentalization on Threat Tracking & Modeling

We record all our sessions so that you can watch at your convenience

22 August 2025 | 5:30 PM SGT

Ashley Shen

Security Research Engineering Technical Leader
CISCO TALOS

Bio:

Chi-en Shen (Ashley) is a security researcher at Cisco Talos. She specializes in researching emerging threats, including nation-state targeted attacks, financially motivated crimes, spyware, and exploitation carried out by mercenary groups. Previously, she worked as a security engineer at Google Threat Analysis Group, where she focused on zero-day exploit hunting and tracking botnets. Prior to that, she was a member of the Mandiant Global Research Team, where she tracked APT groups in APAC and contributed to the development of the Threat Intelligence platform.

Passionate about supporting women in InfoSec, Ashley co-founded HITCON GIRLS, the first security community for women in Taiwan. Additionally, she serves as an organizer for Rhacklette, a security community for FINTA in Switzerland. To support the security community, Ashley serves as a review board member for the Black Hat Asia, Hack in the Box and HITCON conferences. She has also shared her expertise as a speaker at conferences such as Black Hat, Hack in the Box, HITCON, FIRST, CODE BLUE, Troopers, Confidence, RESET, and others. In her free time, she enjoys playing CTF and traveling.

Abstract:

Initial Access Brokers (IABs), once primarily associated with criminal actors, are now taking on an increasingly pivotal role in espionage. Traditionally, IABs were viewed as criminal organizations selling compromised network access to financially motivated attackers, especially ransomware operators, effectively splitting a single attack kill chain into two stages: the initial compromise and subsequent exploitation.

Our research reveals a significant shift in the landscape. For example, state-sponsored groups are acquiring or providing access for espionage purposes, sometimes passing it between separate APTs. Alternatively, a state actor may purchase access from financially motivated brokers or even sell it to criminal organizations for profit. Furthermore, we have observed opportunistic attackers reselling high-value targets to government entities while offloading other victims onto the black market.

In light of these developments, the classical definition of IABs—focused solely on the intent to sell initial access—no longer holds. From a defender’s standpoint, recognizing how disparate groups collaborate within the same attack chain is crucial for effective actor profiling, campaign tracking, and attribution.

To address this complexity, our work introduces a refined definition of Initial Access Groups and an enhanced actor profiling framework. These updates are aimed at adapting to emergent multi-party dynamics, improving threat hunting, and strengthening defensive strategies.

Moreover, our findings highlight the limitations of conventional profiling approaches when applied to these increasingly segmented operations, underscoring the need for models that account for both financial incentives and state-sponsored agendas.


About Security Insights101

A knowledge-sharing platform with monthly/bi-monthly webinars, covering ground-breaking security topics in the current context that impact both the technical and operations communities as well as leadership and even businesses as a whole.

About Cyber Buzz

Find out what’s buzzing in the cybersecurity domain, what is making headlines or has the potential to do so. In this section we will cover the latest research from our members – expert analyses, original studies/reports, or a summary of an industry-wide policy issue, and more.

Contact Us

For Speaker & Sponsorship Opportunities
Email id: rgdwivedy@aavar.org
For Queries
Email id: admin@aavar.org