34th Annual FIRST Conference | Neart Le Chéile - Strength Together
Conference Program
The agenda times are reflected in local Irish Standard Time (UTC +1).
About TLP Designations
If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRSTCON22, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees at https://www.first.org/conference/2022/registration-terms.
Meetings notated with "invite-only" or "invitation only" are private meetings.
Sunday Training Registration
Sunday trainings are limited opportunity. There is no additional fee to particiate, a separate registration is required. Seating is first-come, first-served. The only requirment is that you must be registered to attend the conference.
Sign up is available at: https://portal.first.org/registration/firstcon22-sunday-training
Sessions Available to Virtual Participants
TLP:WHITE sessions from General Session/Breakout 1, Breakout 2, and Breakout 3 will be available to our virtual ticket participants via the conference mobile/desktop app. Details on access will be distributed Thursday, June 23rd via email.
PDF Copy of Agenda for Print https://www.first.org/conference/2022/FIRST2022-Conference-Program.pdf
CPE Information Sheet Please find an CPE information for ISC2 and ISACA submissions here: https://www.first.org/conference/2022/FIRSTCON22-CPE-Sheet.pdf
If you have any questions regarding the agenda, please contact the event office via email at events@first.org.
Pre-conference Activity
Pre-conference Training
General Session / Breakout 1 (Auditorium - Level 3)
Breakout 2 (Liffey A)
Breakout 3 (Liffey B)
Workshop 1 (Liffey Hall 1)
Workshop 2 (Liffey Hall 2)
CSAM Workshop (Liffey Meeting Room 3AB)
Member Updates (Wicklow Hall 1)
SIG Room 1 (Wicklow Meeting Room 1)
SIG Room 2 (Wicklow Meeting Room 2)
AWS Security Jam Lounge (Liffey Meeting Room 1)
FIRST SecLounge SIG Challenges (Level 3 Foyer)
General Session / Breakout 1 (Auditorium - Level 3)
Breakout 2 (Liffey A)
Breakout 3 (Liffey B)
Workshop 1 (Liffey Hall 1)
Workshop 2 (Liffey Hall 2)
Lightning Talks (Wicklow Hall 1 )
SIG Room 1 (Wicklow Meeting Room 1)
SIG Room 2 (Wicklow Meeting Room 2)
AWS Security Jam Lounge (Liffey Meeting Room 1)
FIRST SecLounge SIG Challenges (Level 3 Foyer)
General Session / Breakout 1 (Auditorium - Level 3)
Breakout 2 (Liffey A)
Breakout 3 (Liffey B)
Workshop 1 (Liffey Hall 1)
Workshop 2 (Liffey Hall 2)
SIG Room 1 (Wicklow Meeting Room 1)
SIG Room 2 (Wicklow Meeting Room 2)
SIG Room 3 (Wicklow Meeting Room 3 )
AWS Security Jam Lounge (Liffey Meeting Room 1)
FIRST SecLounge SIG Challenges (Level 3 Foyer)
General Session / Breakout 1 (Auditorium - Level 3)
Breakout 2 (Liffey A)
Breakout 3 (Liffey B)
Workshop 1 (Liffey Hall 1)
Workshop 2 (Liffey Hall 2)
Lightning Talks (Wicklow Hall 1 )
SIG Room 1 (Wicklow Meeting Room 1)
SIG Room 2 (Wicklow Meeting Room 2)
AWS Security Jam Lounge (Liffey Meeting Room 1)
FIRST SecLounge SIG Challenges (Level 3 Foyer)
General Session / Breakout 1 (Auditorium - Level 3)
Breakout 2 (Liffey A)
Breakout 3 (Liffey B)
Workshop 1 (Liffey Hall 1)
Workshop 2 (Liffey Hall 2)
SIG Room 1 (Wicklow Meeting Room 1)
SIG Room 2 (Wicklow Meeting Room 2)
Sunday, June 26th
Pre-conference Activity | Pre-conference Training | |
---|---|---|
08:00 – 09:00 | Training & Fellowship Registration Only | |
09:30 – 12:00 | GB DNS: Prevention, Detection, Disruption and Defense Jonathan Flaherty (Shadowserver, GB) 09:30 – 13:30 CH Frank Herberg (SWITCH, CH) CH MANRS: How to Implement Routing Security Massimiliano Stucchi (ISOC, CH) FR DE PL SIM3 Training Morning Session: Measuring and Improving Your Team's Maturity Using SIM3 Olivier Caleff (ERIUM, FR); Klaus-Peter Kossakowski (Univ. of Applied Sciences, Hamburg, Germany, DE); Miroslaw Maj (ComCERT.PL, PL) US Threat-Informed Defense Workshop Desiree Beck (The MITRE Corporation, US); Mike Cunningham (MITRE Engenuity, US); Kellyn Wagner Ramsdell (MITRE Corporation, US); Jon Baker (MITRE, US) | |
10:00 – 10:30 | Session Chairs Meetings | |
11:00 – 20:00 | 10:00 – 15:00 Registration | |
13:00 – 17:00 | FR PL SIM3 Training Afternoon Session A: SIM3 for Novice Teams and Those Aspiring to Become FIRST Members Olivier Caleff (ERIUM, FR); Miroslaw Maj (ComCERT.PL, PL) NL DE SIM3 Training Afternoon Session B: SIM3 for Experienced Teams and Membership Sponsors Don Stikvoort (Elsinore, NL); Klaus-Peter Kossakowski (Univ. of Applied Sciences, Hamburg, Germany, DE) | |
14:00 – 16:00 | GFCE CIM Working Group Meeting (INVITATION ONLY) TLP:RED | |
17:30 – 18:00 | FR Welcome to FIRST Newbie Session Olivier Caleff (ERIUM, FR) TLP:CLEAR | |
18:00 – 20:00 |
Monday, June 27th
General Session / Breakout 1 (Auditorium - Level 3) | Breakout 2 (Liffey A) | Breakout 3 (Liffey B) | Workshop 1 (Liffey Hall 1) | Workshop 2 (Liffey Hall 2) | CSAM Workshop (Liffey Meeting Room 3AB) | Member Updates (Wicklow Hall 1) | SIG Room 1 (Wicklow Meeting Room 1) | SIG Room 2 (Wicklow Meeting Room 2) | AWS Security Jam Lounge (Liffey Meeting Room 1) | FIRST SecLounge SIG Challenges (Level 3 Foyer) | |
---|---|---|---|---|---|---|---|---|---|---|---|
07:30 – 09:00 | Continental Breakfast and Coffee Service | ||||||||||
08:00 – 17:00 | Registration | ||||||||||
09:00 – 09:30 | Conference Opening and Welcome Remarks TLP:CLEAR | ||||||||||
09:30 – 10:30 | IE CH Keynote: Online Child Sexual Abuse Material (CSAM): The Insider Attack You Have Not Seen Coming Mick Moran (AGS, IE); Romain Wartel (CERN, CH) TLP:CLEAR | ||||||||||
10:30 – 11:00 | Networking Break with Exhibits | TLP:CLEAR 10:30 – 16:30 | |||||||||
11:00 – 11:35 | NL EDR Internals From a Defenders Perspective Olaf Hartong (FalconForce, NL) TLP:CLEAR | HU Reversing Golang Binaries with Ghidra Dorka Palotay (Palotay Dorka, HU) TLP:CLEAR | GB Knowledge Management - Nourishing and Enhancing Your Communication and Intelligence Rebecca Taylor (Secureworks, GB) TLP:CLEAR | IE Advanced Go Reverse Engineering Joakim Kennedy (Intezer, IE) TLP:RED 11:00 – 16:25 | DE Securing the Supply Chain Together - Through Automation of Advisories and Vulnerability Management Thomas Schmidt, Jens Wiesner (BSI, DE) TLP:CLEAR 11:00 – 15:20 | TLP:CLEAR 11:00 – 15:00 | |||||
11:45 – 12:20 | RU Your Phone is Not Your Phone: A Dive Into SMS PVA Fraud Vladimir Kropotov (Trend Micro, RU) TLP:CLEAR | DE Speed is key: Leveraging the Cloud for Forensic Artifact Collection & Processing Lukas Klein, Christian Koepp (SAP, DE) TLP:CLEAR | AU Living with Ransomware - The New Normal in Cyber Security Vishal Thakur, John Lopes (Ankura, AU) TLP:CLEAR | ||||||||
12:20 – 14:00 | Lunch Break with Exhibits | ||||||||||
14:00 – 14:35 | GB RU RaaS: Ransomware as a Science (Chan eil tuil air nach tig traoghadh) Eireann Leverett (Waratah Analytics, GB); Vladimir Kropotov (Trend Micro, RU) TLP:AMBER | JP How an Electric Utility prepared for Tokyo 2020 Games Hiroshi Kida (Tokyo Electric Power Company Holdings, Inc., JP) TLP:AMBER | US NL CA Traffic Light Protocol 2022: Updates for An Improved Sharing Experience Tom Millar (CISA, US); Don Stikvoort (Elsinore, NL); Ted Norminton (CCCS, CA) TLP:CLEAR 14:00 – 15:20 | IEP SIG Meeting 14:00 – 15:00 | CTI SIG Meeting 14:00 – 16:30 | ||||||
14:45 – 15:20 | NL US All in All It's Just Another Phish in the Wall Curtis Hanson (PwC, NL); Allison Wikoff (PwC, US) TLP:RED | DE CSAF - the Magic Potion for Vulnerability Handling in Industrial Environments Tobias Limmer (Siemens, DE); Thomas Pröll (Siemens ProductCERT, DE) TLP:CLEAR | |||||||||
15:20 – 15:50 | Networking Break with Exhibits | ||||||||||
15:50 – 16:25 | US Sightings Ecosystem: A Data-driven Analysis of ATT&CK in the Wild Kellyn Wagner Ramsdell (MITRE Corporation, US); Mike Cunningham (MITRE Engenuity, US) TLP:CLEAR | LU Watching Webpages in Action with Lookyloo Raphaël Vinot (CIRCL - Computer Incident Response Center Luxembourg, LU); Quinn Norton (N/A, LU) TLP:CLEAR | GB Stuart Murdoch (Surevine, GB) TLP:CLEAR | IE CH Mick Moran (AGS, IE); Romain Wartel (CERN, CH) TLP:CLEAR 15:50 – 17:10 | |||||||
16:35 – 17:10 | PL Build Automated Malware Lab with CERT.pl Open-Source Software Paweł Srokosz, Paweł Pawliński (CERT Polska / NASK, PL) TLP:CLEAR | SE The SolarWinds Supply Chain Compromise Erik Hjelmvik (Netresec, SE) TLP:CLEAR | FR Phishing Management at VINCI Using Thehive Vincent Le Toux (VINCI-CERT, FR) TLP:AMBER | CH FIRST Financial & Business Review Michael Hausding (SWITCH, CH) TLP:GREEN | |||||||
17:15 – 19:15 |
Tuesday, June 28th
General Session / Breakout 1 (Auditorium - Level 3) | Breakout 2 (Liffey A) | Breakout 3 (Liffey B) | Workshop 1 (Liffey Hall 1) | Workshop 2 (Liffey Hall 2) | Lightning Talks (Wicklow Hall 1 ) | SIG Room 1 (Wicklow Meeting Room 1) | SIG Room 2 (Wicklow Meeting Room 2) | AWS Security Jam Lounge (Liffey Meeting Room 1) | FIRST SecLounge SIG Challenges (Level 3 Foyer) | |
---|---|---|---|---|---|---|---|---|---|---|
07:45 – 09:15 | Continental Breakfast and Coffee Service | |||||||||
08:00 – 17:00 | Registration | |||||||||
09:15 – 09:30 | Morning Remarks TLP:CLEAR | |||||||||
09:30 – 10:30 | US Keynote: What Do We Owe One Another In Cybersecurity? Wendy Nather (Cisco, US) TLP:CLEAR | |||||||||
10:30 – 11:00 | Networking Break with Exhibits | TLP:CLEAR 10:30 – 16:30 | ||||||||
11:00 – 11:35 | UA CERT-UA: Research and Technical Analysis of Large-Scale Cyber Attacks in Ukraine in 2021 Victor Zhora (The State Service of Special Communications and Information Protection of Ukraine, UA); Yevheniia Volivnyk, Yevhen Bryksin (CERT-UA (SCPC SSSCIP), UA) TLP:CLEAR | US Lindsay Kaye, Scott Small (Recorded Future, US) TLP:CLEAR | PL LU A Toolset Supporting Cooperation of EU CSIRTs Paweł Pawliński (CERT Polska / NASK, PL); Andras Iklody (CIRCL - Computer Incident Response Center Luxembourg, LU) TLP:GREEN | JP Shellcode Interactive Basic Analysis Course with Radare2/IDA Shinichi Nagano (LAC Co., Ltd., JP); Hendrik Adrian (LACERT, Cyber Emergency Center, LAC, JP) TLP:CLEAR 11:00 – 17:10 | JP Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP) TLP:AMBER 11:00 – 17:10 | Vulnerability Coordination SIG & VRDX SIG Meeting 11:00 – 13:00 | TLP:CLEAR 11:00 – 15:00 | |||
11:45 – 12:20 | SE AU Shining a Light on a Global Threat Actor Rhys Mataira (Ericsson, SE); Robert Byrne (Ericsson, AU) TLP:AMBER | US Formulating An Intelligence-Driven Threat Hunting Methodology Joe Slowik (Gigamon, US) TLP:CLEAR | AU Cybersecurity Maturity in the Pacific Islands - Integrating CERT Services in a Regional Framework Anthony Adams (Monash University, AU) TLP:CLEAR | |||||||
12:20 – 14:00 | Lunch Break with Exhibits | |||||||||
14:00 – 14:35 | IE Ransomware Incident Response - The Real-World Story of a Ransomware Attack Joseph Carson (Delinea, IE) TLP:CLEAR | US DNS as Added Security Against Ransomware Attacks Artsiom Holub (Cisco, US) TLP:CLEAR | US Business and Org Challenges of Running a PSIRT Tania Ward (Dell, US) TLP:GREEN | Ethics SIG Meeting 14:00 – 15:50 | ||||||
14:45 – 15:20 | GB Incident Response Investigations in the Age of the Cloud Mehmet Surmeli (WithSecure Limited, GB) TLP:CLEAR | LU Community Management and Tool Orchestration the Open-Source Way via Cerebrate Andras Iklody, Sami Mokaddem (CIRCL - Computer Incident Response Center Luxembourg, LU) TLP:CLEAR | DE Ransomware, Risk, & Recovery: Protecting and Creating Resilience for Hybrid Active Directory Calum Field (Semperis, DE) TLP:CLEAR | ICS SIG Meeting 14:45 – 15:45 | ||||||
15:20 – 15:50 | Networking Break with Exhibits | |||||||||
15:50 – 16:25 | IE Threats versus Capabilities - Building Better Detect and Respond Capabilities Thomas Fischer (Riot Games, IE) TLP:CLEAR | US Open Source Doesn't Care About You, But You Should Care About It Christopher Robinson (Intel, US) TLP:CLEAR | US How to Talk to a Board so the Board Will Talk Back Helen Patton (Cisco, US) TLP:CLEAR | 15:50 – 17:10 | ||||||
16:35 – 17:10 | TW No More Ransomware in Critical Infrastructure! Hank Chen (TXOne Networks Inc., TW) TLP:CLEAR | US GB Enhancing Operations Through the Tracking of Interactive Linux-based Intrusion Campaigns Justin Swisher (CrowdStrike, US); Ami Holeston (CrowdStrike, GB) TLP:CLEAR | GB Decoding the Diversity Discussion Emma Jones (CrowdStrike, GB) TLP:CLEAR |
Wednesday, June 29th
General Session / Breakout 1 (Auditorium - Level 3) | Breakout 2 (Liffey A) | Breakout 3 (Liffey B) | Workshop 1 (Liffey Hall 1) | Workshop 2 (Liffey Hall 2) | SIG Room 1 (Wicklow Meeting Room 1) | SIG Room 2 (Wicklow Meeting Room 2) | SIG Room 3 (Wicklow Meeting Room 3 ) | AWS Security Jam Lounge (Liffey Meeting Room 1) | FIRST SecLounge SIG Challenges (Level 3 Foyer) | |
---|---|---|---|---|---|---|---|---|---|---|
07:45 – 09:15 | Continental Breakfast and Coffee Service | |||||||||
08:30 – 12:30 | Registration | |||||||||
09:15 – 09:30 | Morning Remarks TLP:CLEAR | |||||||||
09:30 – 10:30 | SG IE GB Featured Panel: Driving Public-Private Cooperation to Combat Cybercrime Tal Goldstein (World Economic Forum); Derek Manky (Fortinet); Pei Ling Lee (INTERPOL, SG); Caroline Canna (Microsoft, IE); Nick Tuppen (Bank of America, GB) TLP:AMBER | |||||||||
10:30 – 11:00 | Networking Break with Exhibits | TLP:CLEAR 10:30 – 16:30 | ||||||||
11:00 – 11:35 | FR CZ Daniel Lunghi (Trend Micro, FR); Jaromir Horejsi (Trend Micro, CZ) TLP:CLEAR | BE Don't Blame the User! Stop the Phish Before it is Even Sent Wout Debaenst (NVISO, BE) TLP:CLEAR | US Creating an Information Security/Information Assurance Program - Lessons Learned Kenneth Grossman (HHS/National Institutes of Health, US) TLP:CLEAR | BE Analyzing Cobalt Strike Beacons, Servers and Traffic Didier Stevens (NVISO, BE) TLP:CLEAR 11:00 – 13:05 | GB David Cannings, John Southworth (PwC UK, GB) TLP:CLEAR 11:00 – 13:05 | SecLounge SIG Meeting 11:00 – 13:00 | Malware SIG Meeting 11:00 – 12:00 | WoF SIG Meeting 11:00 – 12:00 | TLP:CLEAR 11:00 – 15:00 | |
11:45 – 12:20 | US Justin Novak (CERT/CC, US) TLP:CLEAR | US Charity Wright (Recorded Future, US) TLP:CLEAR | US Sherif Hashem (George Mason University, US) TLP:CLEAR | |||||||
12:30 – 13:05 | US 0-day In-the-Wild Exploitation in 2022...so far. Maddie Stone (Google, US) TLP:CLEAR | IL IE Follow the Dynamite: Commemorating TeamTNT's Cloud Attacks Nicole Fishbein (Intezer, IL); Joakim Kennedy (Intezer, IE) TLP:CLEAR | DE Beyond Incident Reporting - An Analysis of Structured Representations for Incident Response Daniel Schlette (University of Regensburg, DE); Marco Caselli (Siemens AG, DE) TLP:CLEAR | |||||||
13:05 – 14:30 | Lunch Break with Exhibits | |||||||||
14:45 – 16:00 | AGM TLP:CLEAR | |||||||||
18:30 – 22:00 |
Thursday, June 30th
General Session / Breakout 1 (Auditorium - Level 3) | Breakout 2 (Liffey A) | Breakout 3 (Liffey B) | Workshop 1 (Liffey Hall 1) | Workshop 2 (Liffey Hall 2) | Lightning Talks (Wicklow Hall 1 ) | SIG Room 1 (Wicklow Meeting Room 1) | SIG Room 2 (Wicklow Meeting Room 2) | AWS Security Jam Lounge (Liffey Meeting Room 1) | FIRST SecLounge SIG Challenges (Level 3 Foyer) | |
---|---|---|---|---|---|---|---|---|---|---|
08:00 – 09:30 | Continental Breakfast and Coffee Service | |||||||||
08:30 – 17:30 | Registration | |||||||||
09:30 – 10:05 | DE AT Timing is Everything: Generic Trigger Events for Malware Memory Dumping Mateusz Lukaszewski (VMRay, DE); Patrick Staubmann (VMRay, AT) TLP:CLEAR | BR Daniel Oliveira De Lima (NTT, BR); Thales Cyrino (NTT Ltd Brazil, BR) TLP:CLEAR | US More Than a CSIRT: Lessons Learned from Supporting a National Response to COVID-19 Tom Millar (CISA, US); Joshua Corman (IamTheCavalry.org, US) TLP:CLEAR | LU Sami Mokaddem, Andras Iklody (CIRCL - Computer Incident Response Center Luxembourg, LU) TLP:CLEAR 09:30 – 17:20 | AU Forensics and Malware Analysis in Linux Environments Vishal Thakur, John Lopes (Ankura, AU) TLP:CLEAR 09:30 – 17:20 | |||||
10:15 – 10:50 | BE The Blue Side of Documentation Nicholas Dhaeyer (NVISO Security, BE) TLP:CLEAR | US JP Attack Flow - Beyond Atomic Behaviors Desiree Beck (The MITRE Corporation, US); Gabriel Bassett (Verizon, US); Ryusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP) TLP:CLEAR | GR EU Cyber Crisis Management - How to Help with Maturity? Andrea Dufkova (ENISA, GR) TLP:GREEN | Academic SIG 10:15 – 12:15 | Cyber Insurance SIG Meeting 10:15 – 11:15 | |||||
10:30 – 16:30 | TLP:CLEAR | |||||||||
10:50 – 11:20 | Networking Break with Exhibits | |||||||||
11:00 – 15:00 | TLP:CLEAR | |||||||||
11:20 – 11:55 | IE IL Going with the (work)flow? Incident Response for Vicious Workflows Ryan Robinson (Intezer, IE); Nicole Fishbein (Intezer, IL) TLP:CLEAR | US DE VEXed by Vulnerabilities That Don't Affect Your Product? Try This! Allan Friedman (CISA, US); Thomas Schmidt (BSI, DE) TLP:CLEAR | IE Cyber Ireland - Addressing Cyber Crime Through Industry-Academia-Government Collaboration Eoin Byrne (Cyber Ireland, IE) TLP:CLEAR | 11:20 – 12:40 | ||||||
12:05 – 12:40 | IE IL Rise of the Vermilion: Cross-platform Cobalt Strike Beacon Targeting Linux and Windows Ryan Robinson (Intezer, IE); Avigayil Mechtinger (Intezer, IL) TLP:CLEAR | US Prioritizing Vulnerability Response with a Stakeholder Specific Vulnerability Categorization Jonathan Spring (Carnegie Mellon University, US) TLP:CLEAR | NL Jaap van Oss (Citi Cyber Intelligence Centre (CIC), NL) TLP:CLEAR | |||||||
12:40 – 14:15 | ||||||||||
14:15 – 14:50 | GB Sharifah Roziah (School of Computing, University of Kent, GB) TLP:AMBER | GB Global IR in a Fragmented World Serge Droz (FIRST, GB) TLP:CLEAR | US IE Insider Scoop - Tackling Insider Threats Denise Anderson (Health Information Sharing and Analysis Center (H-ISAC), US); Mick Ryan (ICON plc, IE); Tony Clarke (Marken, IE); Diarmuid O'Sullivan (Regeneron, IE) TLP:AMBER 14:15 – 15:35 | 14:15 – 15:35 | ||||||
15:00 – 15:35 | US John Stoner (Google, US) TLP:CLEAR | LU How to Secure Your Software Supply Chain and Speed-Up DFIR with Hashlookup Alexandre Dulaunoy, Jean-Louis Huynen (CIRCL - Computer Incident Response Center Luxembourg, LU) TLP:CLEAR | Metrics SIG Meeting 15:00 – 17:00 | |||||||
15:35 – 16:05 | Networking Break with Exhibits | |||||||||
16:05 – 16:40 | CH Never Walk Alone: Inspirations From a Growing OWASP Project Christian Folini (OWASP ModSecurity Core Rule Set, CH) TLP:CLEAR | TW Let's Catch Phish Together: A Case Study of Large-scale Targeted Phishing Attacks Meng-Han Tsai (Taiwan National CERT, TW) TLP:AMBER | TR Muhammed Ali Çetin, Semih Gelişli (Yapi Kredi Teknoloji, TR) TLP:CLEAR | Automation SIG Meeting 16:05 – 17:20 | ||||||
16:50 – 17:25 | PL US Internet Spelunking: IPv6 Scanning and Device Fingerprinting Piotr Kijewski (The Shadowserver Foundation, PL); Dave De Coster (The Shadowserver Foundation, US) TLP:CLEAR | JP A Case Study of Cyberattack Attribution: How Do Attack Groups Create Malware? Kanichiro Tsuno (National Police Agency, Japan, JP) TLP:AMBER | DE Adapting PSIRT Processes for the Automotive B2B World Hans Ulmer (Bosch, DE) TLP:GREEN |
Friday, July 1st
General Session / Breakout 1 (Auditorium - Level 3) | Breakout 2 (Liffey A) | Breakout 3 (Liffey B) | Workshop 1 (Liffey Hall 1) | Workshop 2 (Liffey Hall 2) | SIG Room 1 (Wicklow Meeting Room 1) | SIG Room 2 (Wicklow Meeting Room 2) | |
---|---|---|---|---|---|---|---|
08:00 – 09:30 | Continental Breakfast and Coffee Service Registration 08:00 – 12:00 | ||||||
08:30 – 09:30 | TLP:CLEAR | ||||||
09:30 – 10:05 | NO Martin Eian (mnemonic, NO) TLP:CLEAR | BE In Curation We Trust: Generating Contextual & Actionable Threat Intelligence Bart Parys, Michel Coene (NVISO, BE) TLP:CLEAR | US Tony Kirtley (Dell SecureWorks, US) TLP:CLEAR | US NL Roll Up Your Sleeves: Threat Hunting an APT in a Hands-On Workshop Megan Parsons (Splunk, US); Floris Ladan (Splunk, NL) TLP:CLEAR 09:30 – 10:50 | IL Avigayil Mechtinger, Nicole Fishbein (Intezer, IL) TLP:CLEAR 09:30 – 10:50 | ||
10:00 – 11:00 | CVSS SIG Meeting | TLP SIG Meeting | |||||
10:15 – 10:50 | FR TLP and PAP: Just the Two of Us...(to Enforce ANSSI's Sharing Policy) Claire Anderson, Thomas Fontvielle (CERT-FR – ANSSI, FR) TLP:GREEN | JP Toshitaka Satomi, Ryusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP) TLP:CLEAR | LT CSIRT and SOC Modernization Practices Vilius Benetis (NRD Cyber Security, LT) TLP:CLEAR | ||||
10:50 – 11:15 | Networking Break | ||||||
11:20 – 12:25 | GB Keynote: Cybersecurity's Image Problem and What We Can All Do About It Dr. Victoria Baines (Bournemouth University, GB) TLP:CLEAR | ||||||
12:25 – 13:05 | Closing Remarks TLP:CLEAR | ||||||
13:05 – 14:35 | Closing Lunch Break |
- USTLP:CLEAR
0-day In-the-Wild Exploitation in 2022...so far.
Maddie StoneMaddie Stone (Google, US)
Maddie Stone (@maddiestone) is a Security Researcher on Google Project Zero where she focuses on 0-day exploits used in-the-wild. Previously, she was a reverse engineer and team lead on the Android Security team, focusing predominantly on pre-installed and off-Google Play malware. Maddie also spent many years deep in the circuitry and firmware of embedded devices. Maddie has previously spoken at conferences including Black Hat USA, REcon, OffensiveCon, and others. She holds a Bachelors of Science, with a double major in Computer Science and Russian, and a Masters of Science in Computer Science from Johns Hopkins University.
0-day exploitation occurs when an attacker abuses a vulnerability that the defenders don't yet know about. This makes it very hard to protect against 0-day exploits and also makes 0-day vulnerabilities highly valuable. So how do we protect against the exploitation of unknown vulnerabilities? It starts with understanding everything we can about 0-day exploits.Each time a 0-day exploit is detected in-the-wild, it's the failure case for attackers. Therefore as defenders, we should use these "failures" as an opportunity to learn as much as we can about the vulnerabilities targeted, the exploitation methods used, the techniques for discovering the vulnerabilities, and more. As a security and technical community, we can then use this data to prioritize what vulnerability research to undertake, gaps in our detection methods, exploit mitigations that will have the most return on mitigation, and overall, how to make it harder for attackers to exploit 0-days to harm users.This talk synthesizes what we can learn from the 0-days that have been exploited in-the-wild so far in 2022. For each of these 0-days, a root cause analysis was performed, which details the vulnerability exploited and the exploit methodology used. From these facts, we then developed ideas for better detections and systemic fixes, hypothesized on what methods the actors used to discover the vulnerability, and performed variant analysis. We'll also talk about the trends we see and how this compares to what has been seen in years prior.
June 29, 2022 12:30-13:05
- JPTLP:AMBER
A Case Study of Cyberattack Attribution: How Do Attack Groups Create Malware?
Kanichiro TsunoKanichiro Tsuno (National Police Agency, Japan, JP)
Kanichiro Tsuno is a technical official in the National Police Agency of Japan. He had been engaged in computer forensics and cybercrime investigation for eight years in local police. He also had been engaged in CSIRT in national police. Currently, he works at Cyber Force Center as a manager of malware analysis team.
We share the results of our analysis of attack groups by using a combination of packer and compiler estimation techniques using neural networks. We focused on "how" attack groups create malware. In particular, we focused on a "compiler" used to create malware and on a "packer" used after the compilation of malware. Our analysis reveals that packer usage rates and types of compilers and packers that attack groups use are different from each attack group. Our findings are believed to be effective for the attribution of cyberattacks.
June 30, 2022 16:50-17:25
- USTLP:CLEAR
A Diamond is an Analyst's Best Friend: Introducing the Diamond Model for Influence Operations Analysis
Charity WrightCharity Wright (Recorded Future, US)
Charity Wright is a threat intelligence analyst with over 15 years of experience in the US Army and the National Security Agency, where she translated Mandarin Chinese. She has spent over six years analyzing cyber threats in the private sector, with a focus on China state-sponsored threats and dark web cybercrime. Charity now researches cyber threat intelligence, influence operations, and strategic intelligence at Recorded Future.
Malign influence is one of the greatest challenges the world faces today. State-sponsored threat actors, criminals, and political actors alike are weaponizing information in online spaces to thwart elections, incite social disruptions, disrupt supply chains, and manipulate markets. Due to the inherent overlaps in modern day digital influence campaigns and cyber intrusion campaigns, information security teams have been enlisted to contribute their skills, experience, and education to help detect, analyze, and defend against malign influence, but current analytic frameworks are either oversimplified or overcomplicated. In this presentation, Charity Wright presents the Diamond Model for Influence Operations, a holistic and familiar method for researchers and cybersecurity analysts to identify, track, analyze, and report on malign influence operations. This framework addresses both the technical axis and the socio-political axis, which are familiar from previous diamond models, and adds the core aspect of narrative warfare to the center of the diamond, the anchor to every effective influence operation. With the Diamond Model for Influence Operations, analysts will discover what malign information is being spread, how it is disseminated, for what purpose, and which influence actors are behind each operation, enabling faster defense and more informed security decisions.
June 29, 2022 11:45-12:20
MD5: df1cabb93d58b865e47d9212ac7f01d3
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.21 Mb
- PL LUTLP: GREEN
A Toolset Supporting Cooperation of EU CSIRTs
Paweł PawlińskiAndras IklodyPaweł Pawliński (CERT Polska / NASK, PL), Andras Iklody (CIRCL - Computer Incident Response Center Luxembourg, LU)
Pawel Pawlinski is a principal specialist at CERT.PL. His job experience includes data analysis, threat tracking and automation. In his current role, Pawel leads a R&D team and manages projects in the area of information exchange and threat monitoring.
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been leading the development the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Our talk will introduce the MeliCERTes project, which aims at creating a common open source toolset that enables collaboration in the CSIRTs Network (a group of 39 teams established in the EU by the NIS directive in 2016) and similar cooperation groups. We will present a functional break-down of cooperation needs and how these requirements can be addressed by a combination of central services and local tools. Covered topics include communication channels, collaboration on incidents, data exchange and administrative tasks.
June 28, 2022 11:00-11:35
- DETLP: GREEN
Adapting PSIRT Processes for the Automotive B2B World
Hans UlmerHans Ulmer (Bosch, DE)
Hans has 20 years experience in Security. Before joining the Bosch PSIRT in 2016, he held various IT and Information Security and Business Continuity roles at SAP and BNP Paribas Cardif. Hans took over the lead of the Bosch PSIRT in 2018 and, as part of a great team of dedicated professionals, has overseen the continuous development of PSIRT processes and tools, always with a tight focus on automation and ease of management.
The Bosch PSIRT was established in 2016 to coordinate Incident Response and Vulnerability Management across Bosch's wide range of products and solutions for consumers, industry, building management and the automotive industry. Over the years, it has become clear that each market domain has its own specific requirements; this is not the least true for Automotive. We want to share some of these specific requirements and the processes and tools we are continuing to develop with a focus on this domain, along with key learnings for other B2B business areas.
June 30, 2022 16:50-17:25
MD5: 11bec91ecb9b02550010ee87e676bd8a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.05 Mb
- IETLP:RED
Advanced Go Reverse Engineering
Joakim KennedyJoakim Kennedy (Intezer, IE)
Dr. Joakim Kennedy is a Security Researcher for Intezer. On a daily basis he analyzes malware, tracks threat actors, and solves security problems. His work is mainly focused on threats that target Linux systems and Cloud environments. Dr. Kennedy began in the industry as a security researcher at Rapid7 where he got his start in vulnerability research. Following his time with Rapid7, he joined Anomali. While there, he managed Anomali's Threat Research Team, where they focused on creating threat intelligence. Dr. Kennedy has been a featured speaker at multiple BSides and at the CCB's Quarterly Cyber Threat Report Event. He has also presented at various other industry events. For the last few years, Dr. Kennedy has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.
Malware written in Go has been something that many reverse engineers have stayed away from due to the shortcomings in the tooling. We are not at this place anymore, and reversing Go malware has reached a point where it can be easier than reversing C-based malware. To reach this panacea, an understanding of the Go language and the binary internals is needed. This workshop targets reverse engineers that want to reach that point. You don't have to have analyzed a Go binary before, but you should have experience with reversing using tools such as IDA, Ghidra, or radare.The workshop will cover a crash course in the language and some of the paradigms used by Go developers, data structures and calling conventions, multiprocessing communication, control flow obfuscation techniques, inline functions, data and type extraction, and obfuscators.Attendees must provide an environment that they can use to analyze malware. A disassembler, preferably IDA or radare as they have more Go tooling.
June 27, 2022 11:00-16:25
- NL USTLP:RED
All in All It's Just Another Phish in the Wall
Curtis HansonAllison WikoffCurtis Hanson (PwC, NL), Allison Wikoff (PwC, US)
As a senior analyst in PwC's Threat Intelligence team, Curtis focuses on tracking Iran-based threat actors, along with other regional advanced persistent threats. His specialty is leveraging open source intelligence (OSINT) to uncover new and emerging threats, attributing threat actors and using his first-hand experience of living in the Middle East to contextualise the geopolitical landscape of the region. Prior to joining PwC, Curtis specialised in OSINT investigations at a boutique due diligence firm.
Allison is the lead for the Americas region in PwC's threat intelligence practice where she supports numerous business and strategic research initiatives. She has 20 years of experience working as a network defender, incident responder, intelligence analyst and threat researcher. The focus of the latter half of Allison's career has been researching APT with a focus on Iran. In addition to Iran-based threats, her research interests include emerging threats and threat actor mistakes. She holds numerous industry certifications and an advanced degree from Columbia University where she guest lectures for several information security-focused graduate courses.
In 2018, nine members of Iran-based threat actor, Yellow Nabu (a.k.a. Silent Librarian, Cobalt Dickens, TA407) were indicted by the US Government for stealing more than 31 terabytes of data from hundreds of universities, at the behest of the Iranian Government. Since then, PwC has observed Yellow Nabu targeting over 400 universities, libraries and research institutes in nearly 50 different countries. Open source reporting on this threat actor is often cyclical, with blogs appearing around August and September to coincide with the US school year, while the content is usually a snapshot of the threat actor's phishing infrastructure. Yellow Nabu is active and capable of conducting campaigns at scale which represents a challenge for defenders globally. Pulling back the curtain on Yellow Nabu, this presentation attempts to fully detail the threat actor's operations. We will cover tactics, tools and procedures (TTPs) not publicly documented, such as clever methods used to collect credentials and attempts to evade email filters. In addition to analysing statistics that show periods of activity and specific university targeting beyond the expected norms, target sets outside of universities that focus on social media platforms, closely related clusters of activity and attribution to specific organisations within Iran. The topics discussed are intended to support defenders in tackling this specific threat, while being able to adapt the wider techniques and lessons learnt for other intrusions.
June 27, 2022 14:45-15:20
- BETLP:CLEAR
Analyzing Cobalt Strike Beacons, Servers and Traffic
Didier StevensDidier Stevens (NVISO, BE)
Didier Stevens (SANS ISC Handler, Microsoft MVP) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier is a pioneer in malicious document research and analysis, and has developed several tools to help with the analysis of Cobalt Strike artifacts. You can find his open source security tools on his IT security related blog. http://blog.DidierStevens.com
In this workshop, Didier Stevens will guide you through exercises that will familiarize you with his tools to analyze Cobalt Strike beacons, fingerprint team servers
June 29, 2022 11:00-13:05
01-AnalyzingCobaltStrike-Stevens-Willpresentownslides.pdf
MD5: 3d7246632ef6a1f3f6e590a5195ac892
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.07 Mb
- US JPTLP:CLEAR
Attack Flow - Beyond Atomic Behaviors
Desiree BeckGabriel BassettRyusuke MasuokaDesiree Beck (The MITRE Corporation, US), Gabriel Bassett (Verizon, US), Ryusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP)
Desiree Beck is a principal cybersecurity engineer at the MITRE Corporation and is the project leader for the Attack Flow project within the Center for Threat Informed Defense, a non-profit, privately funded research and development organization operated by MITRE Engenuity. She also leads the Malware Behavior Catalog (MBC) project, a malware-centric supplement to MITRE ATT&CK, and supports the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) efforts. Dez lives in Northern California and holds a PhD in mathematics from the University of California, San Diego.
Gabriel Bassett is the lead data scientist and a contributing author on the Data Breach Investigations Report team at Verizon Enterprise Solutions specializing in data science and graph theory applications to cyber security. He supports several information security data science conferences, is game architect for the Pros vs Joes Capture the Flag series and has previously held cyber security risk management, testing, intelligence, architect, and program management positions at the Missile Defense Agency and Hospital Corporation of America.
Dr. Ryusuke Masuoka is a Fujitsu Distinguished Engineer and a research principal at Fujitsu System Integration Laboratories Limited (FSI), working on Cyber Security. Over 30 years, he has conducted research in neural networks, simulated annealing, agent system, pervasive/ubiquitous computing, Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member.
Defenders typically track adversary behaviors atomically, focusing on one specific action at a time. This is a good first step toward adopting a threat-informed defense. However, adversaries use multiple actions in sequence. We call these sequences attack flows, and understanding adversary behavior in terms of attack flows, rather than considering only individual indicators, significantly improves defensive capabilities. For example, red teamers can use attack flows to emulate adversaries or replay an incident; defenders can use attack flows to understand lessons learned during an incident or to explain defensive posture to executives.To enable the community to visualize, analyze, and share attack flows, we have developed a publicly available data format for describing sequences of adversary behaviors, as well as an attack flow builder tool. In this presentation, we will present the attack flow format, provide an example flow, and discuss the most common use cases, such as those above. Our presentation will also show how the attack flow format can enable defensive resource prioritization, rapid analytic development, and complex machine-to-machine automation workflows. Attendees will be invited to provide feedback after the talk to make attack flows as useful as possible to the community.
June 30, 2022 10:15-10:50
02-AttackFlow-MasuokaBeckandBassett.pdf
MD5: 30ff295e1ac76fce8710823fa9d9ddf0
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.69 Mb
- TLP:CLEAR
AWS Jam Lounge
The Jam Lounge is a activity based event that can last from one day to a few weeks and allow you to register at any time while the event is on. You can choose to register with colleagues, join an existing team, or as an individual. The lounge has a long duration; feel free to get in and out and workout challenges in a self-paced manner and work at any time of convenience. In the Jam lounge, you can choose to learn best practices and new AWS features and explore the challenges and learn something new on the way. The lounge typically has 14 challenges, including various AWS services and domains like Security, DevOps, and Analytics or any other AWS service. To keep fun going, work at your own pace , 24/7, in-person or virtually anywhere. Work Alone or with your team. To sign-up, head to the 5th level foyer and talk to an AWS team member to get started. An informational PDF flyer will be available in the conference mobile app with more information on the Jam.
June 27, 2022 11:00-15:00
MD5: 2207e5dc31b5baaf643fc05df3ee1313
Format: application/pdf
Last Update: June 7th, 2024
Size: 157.56 Kb
- USTLP:CLEAR
Being A Better Defender By Channeling Your Worst Adversary: Lessons Learned Building Adversary Emulations
John StonerJohn Stoner (Google, US)
John Stoner is a Principal Security Strategist at Google. In his current role, he leverages his experience to educate and improve users' capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that focus on enhancing these specific security skills. John has presented at various industry symposia including BSides, FIRST CTI, DefCon Packet Hacking Village and SANS and has briefed members of the US Congress and other senior government leaders on the threat landscape. When not doing cyber things, John enjoys reading or binge-watching TV series that everyone else has already seen. During the fall and winter, you can find him driving his boys to hockey rinks across the northeastern United States. John also enjoys listening to, as his teammates call it, "80s sad-timey music."
My background is on the defensive side, blue team, but I always had an interest in the red team side of things. After taking SANS Incident Handling 504 back in 2006, who wouldn't? Over the past five years, I have either built or assisted with building adversary emulations using techniques that adversary groups from around the world utilize. Why? To help blue teamers identify threats and use their tool sets more effectively, as well as demonstrate the value of certain data sets and techniques that can be applied everyday. I've been the adversary and I will share with you my experiences, lessons learned, pitfalls that I have encountered and share guidance that may help you as you contemplate if adversary emulation is something that your blue team would benefit from. Attendees will come away with a better understanding of where scenario based adversary emulation fits, how to focus your efforts to ensure that everyone is getting something out of it, guidance on data sets and ideas around where to start when building your scenarios. Finally, links to existing data sets that we have created will be provided so if you want to see what we produced and use them to improve your own hunting and detection, you can!
June 30, 2022 15:00-15:35
- DETLP:CLEAR
Beyond Incident Reporting - An Analysis of Structured Representations for Incident Response
Daniel SchletteMarco CaselliDaniel Schlette (University of Regensburg, DE), Marco Caselli (Siemens AG, DE)
Daniel Schlette is a third-year Ph.D. candidate and research assistant at the Chair of Information Systems, University of Regensburg. He received his Master's Degree (Hons.) in management information systems from the Elite Graduate Program at the University of Regensburg in 2019. His research interests focus on cyber threat intelligence and incident response. While examining structured data formats, core research results indicate the importance of data quality and collaborative cyber defense.
Marco Caselli joined Siemens in 2017 and he is the Senior Key Expert of the "Attack Detection" topic. He received his Ph.D. in computer security at the University of Twente with a thesis titled "Intrusion Detection in Networked Control Systems: From System Knowledge to Network Security". His research interests focus on security of industrial control systems and building automation with a special focus on critical infrastructures. Before starting his Ph.D. he worked at GCSEC, a not-for-profit organization created to advance cyber security in Italy, and Engineering S.p.A., an international company for software development.
Novel approaches to structure and represent incident response are broadening the scope of threat intelligence. In this presentation, we describe different representation options by defining key aspects of incident response formats. Our in-depth analysis shows the differences and similarities between formats and allows organizations to understand individual benefits and shortcomings. We find a consistent focus on incident response actions within all formats and the importance of both playbooks and frameworks. Additionally, we outline how to apply the key aspects to drive the selection of incident response formats based on a given use case (e.g., automation, sharing, or reporting).
June 29, 2022 12:30-13:05
Schlette_Caselli_75_Beyond_Incident_Reporting_20220628.pdf
MD5: 23b8e063fd5712aa753767d63974b513
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.63 Mb
- JPTLP:CLEAR
Bridging Together Independent Islands - STIX Custom Objects and Matching Mechanisms to Correlate Cyberspace and Real-World Data
Toshitaka SatomiRyusuke MasuokaToshitaka Satomi (Fujitsu System Integration Laboratories Limited, JP), Ryusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP)
Toshitaka Satomi is a researcher with Fujitsu System Integration Laboratories LTD (FSI). He joined Fujitsu PC Systems in 1997 after graduating from the Tokyo Institute of Technology. He worked on the development of an F-BASIC compiler and insurance business systems. After that, he became interested in cybersecurity research and he developed various cybersecurity PoC systems. Since he moved to FSI in 2017, he has been conducting research on Cyber Threat Intelligence (CTI) and has developed a Cyber Threat Intelligence Platform, "S-TIP" which is now available as OSS.
Dr. Ryusuke Masuoka is a Fujitsu Distinguished Engineer and a research principal at Fujitsu System Integration Laboratories Limited (FSI), working on Cyber Security. Over 30 years, he has conducted research in neural networks, simulated annealing, agent system, pervasive/ubiquitous computing, Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member.
"Toshi" and "Ryu" present and demonstrate how to correlate cyberspace and real-world data, using STIX custom objects and new matching mechanisms. After presenting bridging CTI sharing between humans and systems at FIRST2020, we continued our journey to widen CTI applications. Toshi was asked to correlate bank accounts and IP addresses during discussions with law enforcement (LE) practitioners. He thought he could use "bank-account" and "person" objects in MISP Standard. However, Ryu, having recently created his bank account in Japan, found the "person" object an inadequate model to represent a Japanese bank account owner and issues matching a Japanese person and a "person" object. For cyberspace data like IP addresses, exact matching would suffice, but not for real-world data. It is like many independent islands.To bridge those islands, we propose STIX Customizer and new matching mechanisms. STIX Customizer helps users easily create STIX custom objects to model real-world data."Fuzzy Matching" absorbs notation fluctuations. "Ryuusuke" is the phonetically correct representation of Ryu's given name, but he used "Ryusuke" for his bank accounts in the US. "Fuzzy Matching" is required to match them."Explicit Matching" limits matching among specific properties of different models. "Satomi" is Toshi's family name, but also a female given name in Japan. It is no use to match "Satomi" as a family name and "Satomi" as a given name. We have implemented the above mechanisms in S-TIP, an OSS Threat Intelligence Platform, available in GitHub. We will demonstrate those mechanisms and explain its LE use case.
July 1, 2022 10:15-10:50
FinalBridging_Together_Independent_Islands-Toshitaka.pdf
MD5: 0e8a2a7b60d7b5a9000b9dcab2525c9c
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.49 Mb
- PLTLP:CLEAR
Build Automated Malware Lab with CERT.pl Open-Source Software
Paweł SrokoszPaweł PawlińskiPaweł Srokosz (CERT Polska / NASK, PL), Paweł Pawliński (CERT Polska / NASK, PL)
Pawel Srokosz is a security researcher and a malware analyst at CERT.PL, constantly digging for fire and doing reverse engineering of ransomware and botnet malware. Core developer of MWDB Core and Karton projects. Free-time spends on playing CTFs as a p4 team member.
Pawel Pawlinski is a principal specialist at CERT.PL. His job experience includes data analysis, threat tracking and automation. In his current role, Pawel leads a R&D team and manages projects in the area of information exchange and threat monitoring.
Malware analysis is one of the most common challenges facing almost any organization dealing with cybersecurity. From year to year, it becomes a harder nut to crack, because of the growing scale of activities undertaken by criminals and their increasing sophistication.Most organizations are trying to automate malware analysis processes using various loosely-connected scripts, toolkits and sandboxes to extract actionable information like indicators of compromise, dropped files, static configurations and webinjects. As our in-house setup became increasingly complex and other solutions on the market did not meet our needs, we decided to create a central system to provide a convenient storage for this data and to share it with the wider security community.The resulting platform is called MWDB. It is not just a repository but a complete modular malware analysis framework and is freely available for white-hat analysts as a service via mwdb.cert.pl. All core parts of the platform are released as open-source so other teams can build their own self-hosted malware repositories and automate analysis workflows. During the presentation we will explain features and the architecture of the system. We will also show how it is used in practice to support analysis at scale with examples of recent malware campaigns.
June 27, 2022 16:35-17:10
08-CERT.plOpenSource-SrokoszandPawlinski.pdf
MD5: 63f0a7935b5882dfcf31f2cfafdbecbf
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.6 Mb
- USTLP: GREEN
Business and Org Challenges of Running a PSIRT
Tania WardTania Ward (Dell, US)
Tania Ward is a Director within the Vulnerability Response, Community Enablement, and Customer Security Team at Dell Technologies. In this role, she oversees the Vulnerability Response Champions, Vulnerability Response Training, and Customer Security. Prior to this role, Tania has worked as a program manager within Dell Product Security Incident Response Team for just under 6 years. In that time, she revamped the vulnerability response program, instituted company-wide KPIs, and participated in a number of FIRST initiatives. She also participated in establishing the PSIRT and the Multi-Vendor Coordination frameworks from FIRST and participates in SAFECode. Tania is from Northern Ireland and graduated with a degree in Computer Science from the University of Aberystwyth, Wales. She moved to the United States in 1999 to join Microsoft where she spent just over 14 years working on a multitude of different products such as SQL Server, Windows Live, and Microsoft Office.
Let's face it, aligning all the businesses within a company to adhere to PSIRT practices can be difficult. You must balance your companies' customers and your internal customers oh not to mention marketing, sales, Comms, Legal and the business execs that might not understand security at all. Where do you start? How do you get the businesses buy-in, but keep industry best practices and your customers security needs inline all while trying to protect the business brand? This talk will cover how to get the business buy in while keeping control of your PSIRT Program and meet customer security needs. From setting expectations, growing to handling bug bounties and third-party vulnerabilities (oh and that SBOM) to continually assessing the maturity of your program. All the while figuring out how to make sure your team can handle the influx of issues and pressure of the customers, and making sure the business is aligned and ready for all that you are going to bring on.
June 28, 2022 14:00-14:35
- TRTLP:CLEAR
CANCELLED SESSION
Muhammed Ali ÇetinSemih GelişliMuhammed Ali Çetin (Yapi Kredi Teknoloji, TR), Semih Gelişli (Yapi Kredi Teknoloji, TR)
Muhammed Ali Çetin earned Bachelor Degree in Telecommunication Engineering from Slovak University of Technology. He has started his career as a “Network Security Engineer” in Atos 2018. He entered to Consulting Sector with SoftwareOne as “Cyber Security Engineer” in 2018 and He moved to Financial sector "Yapi Kredi Bank" and work as “Senior Cyber Securiy Engineer” at YapıKredi Bank since 2019.
Semih Gelişli earned Bachelor Degree in Computer Engineering from Yıldız Technical University and is a graduate of the Management Information System program from Bahçeşehir University. He has started his career as a “Network Security Specialist” in Media Sector in 2010. He entered to Financial Sector with Garanti Technology as “Network Security Specialist” in 2012 and work as “Senior Incident Responder” at YapıKredi Bank in 2015. He has been serving as Unit Manager of Cyber Security at YapıKredi Bank since December, 2017. He has more than 12+ years of experience in Cyber Security and Information Security with 4+ years of people management experience.
Semih Gelişli earned Bachelor Degree in Computer Engineering from Yıldız Technical University and is a graduate of the Management Information System program from Bahçeşehir University. He has started his career as a “Network Security Specialist” in Media Sector in 2010. He entered to Financial Sector with Garanti Technology as “Network Security Specialist” in 2012 and work as “Senior Incident Responder” at YapıKredi Bank in 2015. He has been serving as Unit Manager of Cyber Security at YapıKredi Bank since December, 2017. He has more than 12+ years of experience in Cyber Security and Information Security with 4+ years of people management experience.
June 30, 2022 16:05-16:40
- UATLP:CLEAR
CERT-UA: Research and Technical Analysis of Large-Scale Cyber Attacks in Ukraine in 2021
Victor ZhoraYevheniia VolivnykYevhen BryksinVictor Zhora (The State Service of Special Communications and Information Protection of Ukraine, UA), Yevheniia Volivnyk (CERT-UA (SCPC SSSCIP), UA), Yevhen Bryksin (CERT-UA (SCPC SSSCIP), UA)
Victor Zhora was a CEO and Co-founder in Infosafe IT from 2012 to 2021. Infosafe IT is one of the leading cybersecurity companies in the Ukraine. He supported non-profit activities in cybersecurity being a Board Member in NGO 'Ukrainian Information Security Group', by participating in public councils of government agencies and organization committees of cybersecurity conferences UISGCON. As an engineer and project manager, Victor participated in the creation of complex information security systems of national importance. He was one of the defenders of the system of the Central Election Commission during the cyberattack on the 2014 Presidential election. From January 15, 2021 Viktor Zhora was appointed as the Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine on digital development, digital transformation and digitization.
Yevheniia Volivnyk is the Chief of the Computer Emergency Response Team of Ukraine (CERT-UA) which is part of The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine. Worked in CERT-UA since 2015. The Chief since 2019. The main task is to manage all processes of CERT-UA.
Yevhen Bryksin is Deputy Chief of the Computer Emergency Response Team of Ukraine (CERT-UA) which is part of The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine. Worked in CERT-UA since 2014. Deputy Chief since 2020. The main tasks are the development and implementation of CERT-UA services and managing processes of ?ncident investigation, computer forensics, and malware analysis.
Ukraine is one of the youngest countries in Europe who experienced a great need in cyber security from early years of its independency. We will start the presentation with an overview of the activities and task carried out by the CERT-UA, the State Cyber Protection Centre, and the creation of the UA30 Center aimed at protection of state information resources, critical information infrastructure and Ukrainian cyberspace in general. We will also present plans for further development of the cyber function in Ukraine.The main part of the presentation will be dedicated to the overview of the current attacks on Ukrainian infrastructure in 2021 and incident responses carried out by CERT-UA. We will share tactics and instruments used by the attackers when targeting governmental institutions and infrastructure as well as challenges when conducting cyber investigations and interacting with affected organizations. We will conclude with outlining the main vulnerabilities and flaws which were exploited by threat actors and resulted in cyber incidents.
June 28, 2022 11:00-11:35
- LUTLP:CLEAR
Community Management and Tool Orchestration the Open-Source Way via Cerebrate
Andras IklodySami MokaddemAndras Iklody (CIRCL - Computer Incident Response Center Luxembourg, LU), Sami Mokaddem (CIRCL - Computer Incident Response Center Luxembourg, LU)
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been leading the development the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools
The Cerebrate Platform is a new open source project, built to allow organisations to manage trusted communities and orchestrate the tooling between its constituentsManage contact information of your community members, open dialogues to interconnect various security tools within the network or simply manage a fleet of your internal security tools. Cerebrate handles a host of day-to-day tasks for automation and trust building within security communities.This talk aims to introduce the issues we are trying to tackle with Cerebrate and how the platform can assist CSIRTs and SOCs in managing their community and tools.
June 28, 2022 14:45-15:20
MD5: df0799f0c0a8f54cdd20f75e141cb93f
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.2 Mb
Conference Social Event
Join us for the always fun, conference social event located in the Forum of the CCD! We have live music, performances, and an array of fun activities lined up. Dinner buffet and beverages will be provided.
June 29, 2022 18:30-22:00
- USTLP:CLEAR
Creating an Information Security/Information Assurance Program - Lessons Learned
Kenneth GrossmanKenneth Grossman (HHS/National Institutes of Health, US)
Ken Grossman has worked in the information security field for over 20 years and has been instrumental in various major security initiatives. He was a founding member of the Department of Homeland Security's National Cyber Security Division/United States Computer Emergency Readiness Team after establishing an Information Security Program at the US General Services Administration/ Federal Supply Service. Ken joined the National Institutes of Health/National Institute of Allergy and Infectious Diseases (NIH/NIAID) in 2006 where he manages the NIAID Cyber Security Program. Ken oversees the handling and mitigation of NIAID information security events. He also ensures that NIAID adheres to Federal security policies/guidelines and ensures that security audits are performed on covered information systems. He develops NIAID information security policies and training programs and is the liaison with the NIH and other Institutes security programs. Mr. Grossman has an M.S. in Computer Systems Management from the UMUC and a B.S. in Aerospace Engineering from Virginia Tech. His certifications include Certified|Chief Information Security Officer, Certified Information Systems Security Professional, Heathcare Information Security and Privac Practitioner, Certified Information Security Manager, GIAC Certified Incident Handler, GIAC Continuous Monitoring Certification and GIAC Cyber Threat Intelligence.
The presentation will discuss the lessons learned from creating an Information Security/Information Assurance program from scratch. Some of the issues that needed to be considered were organization's mission and nature, scope and structure of IS/IA organization (formal vs. virtual, core vs. adhoc), the customer base, organizational politics, regulatory requirements, and organizational dependencies (internal and external). I will also discuss the capabilities, proactive and reactive, that an IS/IA program requires.
June 29, 2022 11:00-11:35
01-CreatinganInformation-Grossman.pdf
MD5: ba4dc1f865de3aa1aa6a195f6a38545c
Format: application/pdf
Last Update: June 7th, 2024
Size: 321.85 Kb
- DETLP:CLEAR
CSAF - the Magic Potion for Vulnerability Handling in Industrial Environments
Tobias LimmerThomas PröllTobias Limmer (Siemens, DE), Thomas Pröll (Siemens ProductCERT, DE)
Being involved in the field of security since 20 years ago, Tobi has been focusing on the industrial side of IT infrastructures for over 10 years now. Starting with vulnerability handling in Siemens ProductCERT, he was very involved into the automation of security tests. Now one of his research areas is tool-based vulnerability management & risk-based mitigation decisions. And he likes French comics.
Tom is working for Siemens in product security since 15 years. After five years of penetration testing he changed sides and is leading the incident handling and vulnerability response team for Siemens ProductCERT.
Vulnerability management for operators of segmented networks such as industrial environments and software suppliers still largely relies on manual processes. This results in high efforts and has tremendous impact on mitigative actions such as patching.Siemens has ramped up its vulnerability handling efforts in the last decade which resulted in publishing over 250 CVEs in 150 advisories in 2021. This amount of information can hardly be handled in the manual way for even moderately complex environments.By supporting the Common Security Advisory Format (CSAF), standardized by OASIS end of 2021, Siemens helps automatable vulnerability management in industrial environments, our Gallic villages.This talk will give an overview of the new CSAF 2.0 release and our experience implementing it. We need a community to support this effort and to improve the situation of vulnerability management, both on the side of publishing vendors and consuming operators. Especially tools are needed that support and automate this process. We will sketch a possible way forward for the whole community, also including SBOMs and VEX in the discussion.
June 27, 2022 14:45-15:20
MD5: e7b166302d74b48de24e3186a57bede5
Format: application/pdf
Last Update: June 7th, 2024
Size: 932.86 Kb
- IE CHTLP:CLEAR
CSAM Case Simulation
Mick MoranRomain WartelMick Moran (AGS, IE), Romain Wartel (CERN, CH)
Mick MORAN is a member of An Garda Síochána, Ireland's national Police Service. He has worked most of his career in online child safety both as an investigator and digital forensics supervisor. He also served on secondment to INTERPOL where he finished as Assistant Director of the Vulnerable Communities sub-directorate with responsibility for the child exploitation, trafficking in human beings and people smuggling teams.
Mick MORAN is a member of An Garda Síochána, Ireland's national Police Service. He has worked most of his career in online child safety both as an investigator and digital forensics supervisor. He also served on secondment to INTERPOL where he finished as Assistant Director of the Vulnerable Communities sub-directorate with responsibility for the child exploitation, trafficking in human beings and people smuggling teams. Teacher at UCD, ECTEG and ICMEC. Board member at CAUCE, cybersafekids.ie, la Strada Moldova and safety board YUBO. Advisor to Point de Contact, EU commission and anyone else who'll listen. Brian Honan stalker.
Romain has been actively trying to protect the academic & research community and "Science For Peace" for more than 15 years.
Romain has been actively trying to protect the academic & research community and "Science For Peace" for more than 15 years.His main interests include large scale intrusions spanning across organisations and critical infrastructures, threat intelligence, DFIR, and casual botnet hunting.
Romain has been actively trying to protect the academic & research community and "Science For Peace" for more than 15 years.His main interests include large scale intrusions spanning across organisations and critical infrastructures, threat intelligence, DFIR, and casual botnet hunting.He works at the European Organization for Nuclear Research (CERN), where he acts as the security officer for the Worldwide Computing Grid used by CERN’s accelerator.
Welcome to the Zebra Scientific Alliance!
The Zebra Scientific Alliance is an organisation relying on multiple teams.
Together they need to overcome the many challenges of collaborating, achieving their own goals, and most importantly, trusting each other.
And today, the organisation is being put to the test. The Zebra Scientific Alliance has been hit hard by a CSAM case.
The details are opaque. Log files are missing. Time is running out. Pressure is rising. Police is pushing. Journalists are inquiring. And nothing is as it seems.
Will the Zebra Scientific Alliance teams be able to solve the case?Participants will be mapped to the different teams. Together they will experience the typical phases of any crisis: chaos, connection, and hopefully, resolution.
Each team is given a bespoke file with their specific identity, mission & goal.At the end of the workshop, participants are expected to have gained expertise in cooperating to handle CSAM cases with confidence.
They will have learned about strategies and procedures they can bring back to their respective organisations, in order to be better positioned to fight CSAM.
June 27, 2022 15:50-17:10
- LTTLP:CLEAR
CSIRT and SOC Modernization Practices
Vilius BenetisVilius Benetis (NRD Cyber Security, LT)
Dr. Vilius Benetis is member of NRD CIRT (in NRD Cyber Security), where he leads a team of experts to consult, establish and modernize CSIRT/SOCs for sectors, governments and organizations in Africa, Asia, Europe, and Latin America. He is an active contributor and speaker for ISACA's cybersecurity research and contributes to development of CSIRT methodologies for ENISA, FIRST.org and ITU. He is an industry professor in Cybersecurity at Kaunas Technology University (ktu.edu).
CSIRTs and SOCs are increasingly expected to work as professional and effective organizations, reflecting on own performance and able to self-improve. Such expectations are challenging to meet for many teams around the world. Presentation is geared to support listeners in this path by providing practical tips, tricks, and demonstrations on different methods for improvements. Speaker's knowledge is based on broad experience in modernizations of national, sectorial and organization CSIRT/SOCs. Talk will touch practical maturity models, mandate review, service model tuning, operational KPI updates, focusing on state-of-the-art competence models.
July 1, 2022 10:15-10:50
MD5: 4c5bf4fdde04c9ce0548be58ae23193e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.98 Mb
- IETLP:CLEAR
Cyber Ireland - Addressing Cyber Crime Through Industry-Academia-Government Collaboration
Eoin ByrneEoin Byrne (Cyber Ireland, IE)
Dr Eoin Byrne is Cluster Manager at Cyber Ireland, he has led the establishment and management of the cluster since 2018. His PhD research of ICT clusters across Europe produced a cluster development model applied in Ireland for the first time through the establishment of Cyber Ireland.
With the increasing cost of cyber crime we must not only address the technical cyber security challenges, but also the political, economic and societal aspects.In 2019, Ireland established a cyber security cluster with the aim of bringing Industry, Academia and Government together to support collaboration and address key challenges for the sector: from skills shortages, to the low-level of industry-academic research and innovation, lack of education and awareness, and need for greater co-ordination of organisations at a national level.The cluster now represents over 130 organisations, with 110 companies, 11 universities and several government agencies including the National Cyber Security Centre. It has a wide range of collaborative activities including meet-ups, events and a Threat Intelligence Special Interest Group. The Talent & Skills Working Group has published a cyber skills survey leading to a national training programme to address the critical skills shortage. The cluster has built stronger ties with government and assisted in the response to the cyber attack on the National Health Service in May 2021.There are learnings for industry professionals, academia and policy makers from the Cyber Ireland cluster model of collaboration that can be applied to other regions.
June 30, 2022 11:20-11:55
MD5: 23c9af3193033225ea8e70f2df3ccb41
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.33 Mb
- AUTLP:CLEAR
Cybersecurity Maturity in the Pacific Islands - Integrating CERT Services in a Regional Framework
Anthony AdamsAnthony Adams (Monash University, AU)
Tony Adams is a PhD student at Monash University, with research interests centering on the development of cybersecurity threat detection and response capabilities. Tony's Master thesis (Monash University) developed a conceptual model for a Pacific Islands regional cybersecurity framework. Tony has worked as a Project and Program Manager for almost 30 years, with a particular focus over the last 7 years on delivering strategic cybersecurity capabilities in Australia, USA, England, Austria, South Africa, Singapore, Malaysia, Hong Kong and Thailand.
Cybersecurity acts as a driver for national economic, social and defence interests. A common policy goal of national governments is to protect their respective interests by developing cybersecurity threat and attack response capabilities that allow their businesses, communities, partners and visitors to use the internet, safely and securely. Contemporary research confirms the importance of nations working with partners within multinational, regional frameworks to improve their national cybersecurity capability maturity and resilience, however relatively little research has been conducted into the efficacy of such frameworks within the Pacific Islands region.In 2020, this research examined the factors that influence the purpose, form and function of a regional threat response capability, and proposed a conceptual Pacific Islands regional cybersecurity framework. The framework included a network of affiliated national CERTs that operate independently and reflect their respective national interests while collaborating on matters of shared interest, supported by regional partners who provide targeted and measured support to build national cybersecurity capability and resilience. In 2021, we are extending the conceptual framework by working with regional cybersecurity participants and partners to examine how Pacific Island nations integrate their cybersecurity threat response capabilities. This research is examining how national and sectoral CERTs build capabilities that align with their national governments, policy directions, and collaborate with regional CERTs to develop a suite of complementary capabilities.
June 28, 2022 11:45-12:20
MD5: 7b63c80056ead66702224378ec090792
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.61 Mb
- GBTLP:CLEAR
Decoding the Diversity Discussion
Emma JonesEmma Jones (CrowdStrike, GB)
Emma is a multi-disciplinary leader who is passionate about cyber incident readiness and specialises in executive engagements. She unexpectedly embarked upon a cyber security career during her former occupation in national law enforcement. Now, as a Senior Consultant, she has a strong focus on consequence management and works with a variety of organisations to enhance their response readiness.
Emma is a multi-disciplinary leader who is passionate about cyber incident readiness and specialises in executive engagements. She unexpectedly embarked upon a cyber security career during her former occupation in national law enforcement. Now, as a Senior Consultant, she has a strong focus on consequence management and works with a variety of organisations to enhance their response readiness. Emma continues to be deeply committed to fostering inclusion and championing diversity. She has led, advised, and implemented multiple initiatives in both her professional and voluntary positions. Using her personal insights and broad knowledge, she positively advocates for everyday inclusion as a benefit to all.
Undoubtedly, the cyber community is dedicated to increasing diversity and fostering inclusion. However, the conversation can be largely focused on strategic, long-term initiatives. This often leaves individuals within the sector wondering if they play a part, at all, in achieving this industry-wide objective.
This session will reference typical actions carried out during the incident response lifecycle and highlight how responders can practice active inclusion. With a focus on how these behaviours can directly enhance the effectiveness of the response, it will also generate thinking about the small but profound actions which will bring significant and long-lasting benefits to everyone.
June 28, 2022 16:35-17:10
06-DecodingDiversityDiscussion-Jones.pdf
MD5: c0c3b849e028505a33b05ae949ebef54
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.2 Mb
FIRSTCON22-DecodingtheDiversityDiscussionv0.8compressed.pdf
MD5: ceb3fb2f44f57b85b572f054bcedf98a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.58 Mb
DNS Abuse Techniques Matrix
Peter Lowe
The advice currently takes the form of a matrix indicating whether a specific stakeholder can directly help with a specific technique. By “help”, we mean whether the stakeholder is in a position to detect, mitigate, or prevent the abuse technique. We have organized this information under three spreadsheets covering these incident response actions. For example, during an incident involving DNS cache poisoning, the team can go to the mitigation tab and look at the row for DNS cache poisoning, to find which stakeholders they might be able to contact to help mitigate the incident.
Thanks is given in the document, which is the result of collaboration between many people representing a wide of range roles in the DNS industry.
DNS-Abuse-Techniques-Matrix_v1.1-ja.pdf
MD5: da185482f68880ded9bc03feda873bc3
Format: application/pdf
Last Update: June 7th, 2024
Size: 716.38 Kb
DNS-Abuse-Techniques-Matrix_v1.1.pdf
MD5: 8a1ebe12a886efa5e00a1807d977220f
Format: application/pdf
Last Update: June 7th, 2024
Size: 901.74 Kb
- USTLP:CLEAR
DNS as Added Security Against Ransomware Attacks
Artsiom HolubArtsiom Holub (Cisco, US)
Artsiom Holub is a Senior Security Analyst on the Cisco Umbrella Threat Intelligence team. Throughout the course of the day, he works on Security Threat Reports for existing and potential clients, finds new threats and attacks by analyzing global DNS data coming from Cisco Umbrella resolvers, and designs tactics to track down and identify malicious actors and domains. Frequent presenter at major cybersecurity conferences including Black Hat, RSA and THEFirst. Currently focused on analysis and research of various cybercrime campaigns, and building defensive mechanisms powered with ML.
Cyber criminals have gotten highly sophisticated in how they attack networks today, but one thing remains the same: Both detection and mitigation start at the DNS layer. In this presentation, Cisco’s Artsiom Holub, senior security research analyst, will explore the fundamentals of modern attacks and discuss the early detection and defensive tactics needed to stop them using DNS-layer security. From tagging domains with specific features to exploring post-exploitation frameworks that use DNS as covert channel for command and control, this comprehensive defense oriented workshop will cover every important angle.
June 28, 2022 14:00-14:35
TheFirst_DNS_vs_Ransomware_final.pdf
MD5: 519b351e64ef8bc70b980baecab9d40c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.76 Mb
MD5: a9553d66288f7fbf2a2adb3b2193d5b3
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.76 Mb
- GB
DNS: Prevention, Detection, Disruption and Defense
Jonathan FlahertyJonathan Flaherty (Shadowserver, GB)
Joining Shadowserver in 2016, Jon brings a range of skills and experience from UK Law Enforcement cyber crime investigation to the Foundation.
Joining Shadowserver in 2016, Jon brings a range of skills and experience from UK Law Enforcement cyber crime investigation to the Foundation. Engaging in consumer outreach, incident handling and the training of constituents in the use of Shadowserver public benefit services allows Jon the opportunity to deliver current threats and insights to all areas of the cyber community.
Joining Shadowserver in 2016, Jon brings a range of skills and experience from UK Law Enforcement cyber crime investigation to the Foundation. Engaging in consumer outreach, incident handling and the training of constituents in the use of Shadowserver public benefit services allows Jon the opportunity to deliver current threats and insights to all areas of the cyber community.Of specific interest to Jon is international liaison and with the support of key public/private sector partners, the upskilling of developing cyber regions and National CERTs to ensure the effective use and understanding of Shadowserver’s bespoke datasets for a more secure internet.
The training on DNS: Prevention, Detection, Disruption and Defense offers a comprehensive introduction from a basic level on how adversaries abuse and leverage the Domain Name System and domain registration services to carry out different types of attacks.
Looking at both the technical aspect of the domain resolution process to the lifecycle of domain names, with a focus on the vulnerabilities in the processes and systems, participants in the training will gain an understanding on how they can prevent the malicious activity, detect and disrupt it, as well as defend their specific constituencies.
1)· DNS Basics and Ecosystem
- How do domains resolve?
- What are the components in the DNS?
- How does a domain get registered?
- Who is who in the domain ecosystem and why this matters?
2) Phishing - Hands-on: Participants will learn which steps to take, with real-life examples, when addressing phishing cases against their constituencies:
- Detect the phishing
- Identify the relevant entities
- Gather the evidence
- Decide who to submit reports of abuse
- Decide on information sharing
Workshop sign-up will be available to registered conference delegates only.
June 26, 2022 09:30-13:30
- BETLP:CLEAR
Don't Blame the User! Stop the Phish Before it is Even Sent
Wout DebaenstWout Debaenst (NVISO, BE)
Wout is a senior Red Team Operator at NVISO and specializes in the simulation of Advance Persistent Threat (APT) groups that might target your organization. He is the main driver behind the phishing methodology of NVISO's Red Team engagements and loves explaining happily how to make his job harder. Outside of getting hyped over nerdy stuff, he is an avid traveler with a love for extreme sports like parkour and freediving.
Can we avoid blaming the user by stopping a phishing campaign before it is even launched? Well, this talk will demonstrate multiple techniques to detect and block malicious domains before the mail lands in the inbox of your employee. By first analyzing how Red Teams and adversaries set up phishing campaigns, we zoom in on what OPSEC mistakes can be used to the advantage of Blue teams. We define techniques to detect malicious domains that are targeting your organization and further use NetLoc intelligence to correlate these to related threat infrastructure. Based on the defense in depth principles Bleu Teams can implement additional security controls to prevent mails from reaching the inbox of their organization. Through practical demos and real-life examples, attendees will learn techniques and tools to uncover threat infrastructure that might be used in upcoming targeted phishing campaigns.
June 29, 2022 11:00-11:35
- NLTLP:CLEAR
EDR Internals From a Defenders Perspective
Olaf HartongOlaf Hartong (FalconForce, NL)
Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He is a Microsoft MVP and specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects. Olaf is the author of various tools including ThreatHunting for Splunk, ATTACKdatamap and Sysmon-modular.
Companies often put a high level of trust on their tools to support them in their quest to protect them from harm. But is that trust warranted? What are the out of the box capabilities and what can be gained from the telemetry that they produce in terms of custom detections.
June 27, 2022 11:00-11:35
MD5: 353f379215f415e4b6d62bb5c05daa28
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.93 Mb
- ILTLP:CLEAR
ELF Malware Analysis 101
Avigayil MechtingerNicole FishbeinAvigayil Mechtinger (Intezer, IL), Nicole Fishbein (Intezer, IL)
Avigayil is a security researcher at Intezer specializing in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms. As part of her ongoing work she has initiated the ELF Malware Analysis 101 series, to make ELF analysis approachable for beginners. Prior to joining Intezer, Avigayil was a cyber analyst in Check Point's mobile threat detection group.
Nicole Fishbein is a security researcher and malware analyst. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to discovery of phishing campaigns, undetected malware and attacks on Linux-based cloud environments.
With the industry's migration to cloud, Linux is practically everywhere, encouraging attackers to target this operating system aggressively in recent years. Researchers have disclosed different malware families, including highly sophisticated ELF malware, proving attackers are increasingly adding Linux malware to their arsenal. As Linux continues to gain popularity, more threats are expected to be exposed over time. It's critical that security researchers have the ability to analyze and understand Linux malware as part of their evolving skillset. This hands-on workshop will provide practical knowledge and tools for effective ELF malware analysis. Attendees will gain a better understanding of the ELF format and learn how to analyze ELF files using static and dynamic methods.This workshop is most suitable for attendees with a basic understanding of malware analysis and some technical background. Attendees must have a Linux-based virtual machine where they can run malware.
In order to gain the maximum from the workshop, attendees should prepare:
1.) Ubuntu 64 bit based Virtual machine (preferable) or Docker with access to the internet. For those who use Docker - use the docker image from the workshop's git repository at: https://github.com/intezer/ELF-Malware-Analysis-101/blob/master/workshop/dockerfile (the image has all of the tools)
2.) Tools that should be installed on the Virtual Machine/docker : tcpdump (or Wireshark), upx, strace, elfutils, gcc, git
3.) Pull the ELF Malware Analysis 101 repository from: https://github.com/intezer/ELF-Malware-Analysis-101
July 1, 2022 09:30-10:50
01-ELFMalware-MechtingerandFishbein.pdf
MD5: d0f6da3c41bd328399ec9a3fb300d5da
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.17 Mb
- USTLP:CLEAR
Endorsing the New Rules
Sherif HashemSherif Hashem (George Mason University, US)
Dr. Sherif Hashem is a Professor of Information Sciences and Technology at George Mason-USA. He is a member of the Board of Directors of FIRST, a Senior IEEE member and an ISACA Certified Information Security Manager. Dr Hashem was a member of the UN Group of Government Experts (UN GGE) on the Developments In The Field Of Information And Telecommunications In The Context Of International Security, (2012-13). Dr. Hashem led key national cybersecurity efforts in Egypt, especially establishing EG-CERT (2009). In 2015, Dr Hashem became the Chairman of the Executive Bureau of Egypt's Supreme Cybersecurity Council (ESCC), and led efforts to draft Egypt's first National Cybersecurity Strategy. Successful initiatives led by Dr. Hashem contributed to Egypt's advanced cybersecurity rank: 14th among 194 countries, as reported by the ITU in 2017. Dr. Hashem received a B.Sc. in Communication and Electronic Engineering and a M.Sc. in Engineering Mathematics from Cairo University-Egypt, and a Ph.D. in Industrial Engineering from Purdue University-USA. He completed the Senior Executive Program at Harvard Business School-USA. He received several awards including: the Global Bangemann Challenge Award from the King of Sweden (1999).
In this talk, we will discuss recent efforts towards the creation of internationally recognized rules for a safer and more secure and stable cyber space, with a special focus on the United Nations efforts in view of the reports of both: 1) the Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security; and 2) the Open-Ended Working Group (UN OEWG). The remarkable process of developing the recent reports and their endorsement by consensus, has been a significant highlight of cyber diplomacy in 2021.
We here discuss the outcomes of the UN-GGE and UN OEWG reports and focus on the relevance of those reports to the FIRST community. We summarize the key issues that may affect the Incident Response teams. We emphasize the opportunities for vital roles that FIRST.org and its membership can play to further support the process of implementing the new rules, towards a safer and more secure cyber space.June 29, 2022 11:45-12:20
02-Endorsingthenewrules-Hashem.pdf
MD5: 9dc650e8fa6e31024a967df6ee041c33
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.1 Mb
- US GBTLP:CLEAR
Enhancing Operations Through the Tracking of Interactive Linux-based Intrusion Campaigns
Justin SwisherAmi HolestonJustin Swisher (CrowdStrike, US), Ami Holeston (CrowdStrike, GB)
Justin Swisher has over a decade of experience in cybersecurity, including network security monitoring, endpoint threat hunting, and threat intelligence. Justin started his career as an Intelligence Analyst with the US Air Force, reporting on adversary C4ISR networks and malware operations aimed at air and space systems. After leaving the intelligence community, Justin brought his government experience to several cybersecurity vendors, supporting customers' development of threat intelligence programs. He currently works as a Senior Security Researcher with the CrowdStrike OverWatch team.
Ami Holeston is a Tactical Intelligence Researcher helping to track adversary tradecraft and trends as part of the CrowdStrike OverWatch team. She has five plus years experience in threat-intelligence led incident response and threat hunting against both nation state and eCrime adversaries. She is also a CREST registered Threat Intelligence analyst, who has produced and supported the creation of intelligence products across a range of industry verticals.
This presentation will give attendees an understanding of adversary trends in the Linux space, empowering them to build proactive hunting capabilities specifically targeted towards Linux operating systems. Hear from our full-time threat hunters on how they see today's sophisticated adversaries conduct hands-on attacks on Linux operating systems. Learn how systematic hunting methodologies like SEARCH, and established adversary behavior frameworks such as MITRE ATT&CK are foundational to comprehensive day-to-day hunting operations.
June 28, 2022 16:35-17:10
06-Linux-basedIntrusion-SwisherandHoleston.pdf
MD5: b4b397675f15df2c4ef262c880bf0df5
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.75 Mb
- GRTLP: GREEN
EU Cyber Crisis Management - How to Help with Maturity?
Andrea DufkovaAndrea Dufkova (ENISA, GR)
Ms Andrea Dufkova is a senior cyber security expert in the Operational Cooperation Unit at ENISA. She joined ENISA in 2008 and since than she supports development of CSIRT teams and Incident Response capabilities in Europe. Between 2017 and 2020, she lead a dedicated team of cyber security professionals at ENISA with focus on operational security, EU CSIRTs Network secretariat, technical trainings, CSIRT development and maturity. Among all the activity portfolio, the Reference Incident Classification Taxonomy (RSIT WG) and CSIRT maturity framework are some of examples of successful projects that are being currently run on EU scale. Before joining ENISA Andrea was a member of the military CIRC in the Czech Republic. Andrea joined TF-CSIRT in 2009 and is listed as TI Associate since 2017. She holds FIRST liaison status since 2011 and served in Board of Directors in 2019-2020. Andrea is also SIM3 certified auditor for assessing maturity of CSIRTs.
Despite the importance of effectively preparing and responding to large scale cyber incidents or crises, there is no currently available cyber crisis management maturity framework that allows an assessment or evaluation of the maturity of EU institutions, bodies and agencies (EUIBA) participating in the execution of its function during different stages of the EU cyber crisis management phases. ENISA aims to lay out the key elements of the proposed maturity model for EU cyber crisis management stakeholders which are involved at the technical and operational level of the <2017 Blueprint>.
June 30, 2022 10:15-10:50
ENISA-EUcybercrisismanagementmaturityproject-TLP-WHITE-contact.pdf
MD5: 87731b1358f01b0436ea3cdc010fdf95
Format: application/pdf
Last Update: June 7th, 2024
Size: 267.09 Kb
Exhibitor Move-In
For our participating sponsors, please find your details timings within the Exhibitors Resource Kit.
June 26, 2022 10:00-15:00
- SG IE GBTLP:AMBER
Featured Panel: Driving Public-Private Cooperation to Combat Cybercrime
Tal GoldsteinDerek MankyPei Ling LeeCaroline CannaNick TuppenTal Goldstein (World Economic Forum), Derek Manky (Fortinet), Pei Ling Lee (INTERPOL, SG), Caroline Canna (Microsoft, IE), Nick Tuppen (Bank of America, GB)
Tal is head of Strategy of the World Economic Forum Centre for Cybersecurity. He leads the Centre’s Public engagements and strategic initiatives, including the Partnership against Cybercrime. Before joining the Forum, Tal took part in the establishment of Israel National Cyber Directorate, leading the formation of Israel's national cyber security strategy. Prior to that, he served as an officer in the Military Intelligence Directorate. Tal holds B.Sc. in physics and mathematics from the Hebrew University of Jerusalem, as a graduate of the elite IDF Talpiot program, and M.A. in economics from Tel-Aviv University.
Derek Manky plays a strategic and visionary role in consulting with leading CSOs/CISOs of Fortune 500 companies worldwide across multiple industries, bringing with him over twenty years of cyber security experience. He leads FortiGuard Labs’ Global Threat Intelligence Team. Mr. Manky has established frameworks in the security industry including responsible vulnerability disclosure, which has exercised the responsible handling of over 1000 zero day vulnerabilities. Manky has been with the Cyber Threat Alliance since it was founded in May 2014 and sits on the steering committee. He has helped to build collaborative platforms in the cyber security industry for over 15 years. Manky collaborates with global forums and expert groups alongside leading political figures, key policy stakeholders and law enforcement, including the World Economic Forum C4C, NATO NICP, INTERPOL, and FIRST.org. His vision is applied to help shape the future of proactive cyber security, with the ultimate goal to make a positive impact towards the global war on cybercrime.
Ms LEE Pei Ling joined INTERPOL’s Cybercrime Directorate in September 2020 and is currently responsible for leading, managing and coordinating activities in relation to cyber strategy, outreach and public-private partnerships, as well as capacity building efforts to enhance the capabilities of INTERPOL’s 194 member countries to prevent, detect and investigate cybercrime.
Ms LEE Pei Ling joined INTERPOL’s Cybercrime Directorate in September 2020 and is currently responsible for leading, managing and coordinating activities in relation to cyber strategy, outreach and public-private partnerships, as well as capacity building efforts to enhance the capabilities of INTERPOL’s 194 member countries to prevent, detect and investigate cybercrime.
Ms LEE Pei Ling joined INTERPOL’s Cybercrime Directorate in September 2020 and is currently responsible for leading, managing and coordinating activities in relation to cyber strategy, outreach and public-private partnerships, as well as capacity building efforts to enhance the capabilities of INTERPOL’s 194 member countries to prevent, detect and investigate cybercrime.
Pei Ling is a seconded officer from the Singapore Police Force (SPF), where her policing career started in 2006. There, she last held the post of Head, Technology Crime Policy Branch in the SPF CyberCrime Command from 2018 to 2020, leading a team comprising uniformed and civilian officers to oversee SPF’s efforts to combat cybercrime in the areas of policy, prevention, liaison, training, research and development. Prior to this, she worked in numerous divisions of the Criminal Investigation Department (CID), SPF’s staff authority for investigation, where she was responsible for areas such as research, strategic planning, organizational development, as well as operation and contingency planning.Nick has been part of Bank of America’s Global Information Security team since 2011. He is currently the lead for the bank’s Cyber Crime Partnerships team, involved in multiple international coalitions focused on financial crime, including, the World Economic Forum Partnership Against Cybercrime and EUROPOL Financial Intelligence Public/Private Partnership. He is the industry secretary for the UK’s joint industry, regulator and government cyber resilience steering committee and has represented the UK finance sector at the G7 Cyber Experts Group.
Cybercrime presents a major risk to prosperity in the global digital economy. To systematically address this threat, it is imperative to raise the cost of conducting cybercrime and increase the risks for cybercriminals. This can only be achieved through effective public-private cooperation, with global businesses, and other cyber responders, working side by side with law enforcement. What in needed to achieve such collaberation?
June 29, 2022 09:30-10:30
- CHTLP: GREEN
FIRST Financial & Business Review
Michael Hausding (SWITCH, CH)
FIRST.Org Inc. is recognized by the US IRS as a not-for-profit, 501(c)(3) organization.
FIRST is incorporated in North Carolina, USA.
The exempt purposes set forth in section 501(c)(3) are charitable, religious, educational, scientific, literary, testing for public safety, fostering national or international amateur sports competition, and preventing cruelty to children or animals.June 27, 2022 16:35-17:10
FIRST-2021-Finance-Business-Review.pdf
MD5: 1d3c9984a0e1872ff16f26f9539b00a4
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.2 Mb
- TLP:CLEAR
FIRST SecLounge Challenges
Overview. Since the 24th Annual FIRST Conference in Malta in 2012, a Capture the Flag event is organized during the week of the annual conference, currently organized by the Security Lounge ("SecLounge") SIG.
How to Play. The CTF consists of a series of technical exercises (challenges) where the participants must find an answer or flag and submit it to the CTF platform.
Every flag submitted contributes to the team's score. A number of new challenges are released every day during the conference and are categorized as network, web, ICS, cryptography, reverse engineering, programming, miscellaneous, puzzle, and so on.
Do You Need a Team? It is strongly recommended to participate as a team with a maximum of 4 members. Please start planning ahead with your peers also participating. Each team can strategize and assign challenges to members based on their expertise such that the team's combined knowledge is exploited to its fullest potential.
Will There Be Prizes? Yes! We will be awarding three teams with some really nice swag!
How to Register and Next Steps? Details coming soon!
Learn more about the SecLounge SIG at: https://www.first.org/global/sigs/seclounge/
June 27, 2022 10:30-16:30
- TLP:CLEAR
FIRST SIG Updates
Attending SIG chairs will share brief updates on their SIG. Participating SIGs include:
CVSS SIG Update – presented by Dave Dugal
CTI SIG Update – presented by Rick Adrian
Academic Security SIG Update – presented by Nina Solha and Roderick Mooi
Metrics SIG Update – presented by Mark Zajicek
Malware Analysis SIG Update – presented by Andreas Mühlemann and Olivier Caleff
Ethics SIG Update – presented by Jeroen van der Hamm
IEP SIG Update – presented by Merike Kaeo
Vul Co and VDRX SIG Updates – presented by Art Manion
Automation SIG Update – presented by Aaron Kaplan
Passive DNS SIG Update – presented by Aaron Kaplan
Sec Lounge SIG Update – presented by David Durvaux
TLP-SIG Update – presented by Tom MillarThe following SIGs have provided recorded updates which will be available in app: EPSS SIG and WoF SIG.
July 1, 2022 08:30-09:30
MD5: 66676ec0ead56190f6eba97ad9e41812
Format: application/pdf
Last Update: June 7th, 2024
Size: 162.95 Kb
MD5: d7a85b980ff1fade240a90b97de2a10a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.07 Mb
MD5: 2eb1e9f6c87d80f93600509e9052a1f6
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.64 Mb
MD5: ee4a2ece8bfe92082912b0759f00aa00
Format: application/pdf
Last Update: June 7th, 2024
Size: 817.65 Kb
MD5: e251c996ac90cf60198cafdbc7fc77d1
Format: application/pdf
Last Update: June 7th, 2024
Size: 390.64 Kb
MD5: 5ababef5b7bd4697aef16999f46557ba
Format: application/pdf
Last Update: June 7th, 2024
Size: 230.54 Kb
MD5: 732e7f60c6c7c3fd7345c0d4b2f3a8d3
Format: application/pdf
Last Update: June 7th, 2024
Size: 496.13 Kb
MD5: 98d31f2cda84c11c8bdff5e46d17ca39
Format: application/pdf
Last Update: June 7th, 2024
Size: 333.58 Kb
MD5: ad29aa3568bd68a94a5dbf255f6b2717
Format: application/pdf
Last Update: June 7th, 2024
Size: 234.13 Kb
- IL IETLP:CLEAR
Follow the Dynamite: Commemorating TeamTNT's Cloud Attacks
Nicole FishbeinJoakim KennedyNicole Fishbein (Intezer, IL), Joakim Kennedy (Intezer, IE)
Nicole Fishbein is a security researcher and malware analyst. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to discovery of phishing campaigns, undetected malware and attacks on Linux-based cloud environments.
Dr. Joakim Kennedy is a Security Researcher for Intezer. On a daily basis he analyzes malware, tracks threat actors, and solves security problems. His work is mainly focused on threats that target Linux systems and Cloud environments. Dr. Kennedy began in the industry as a security researcher at Rapid7 where he got his start in vulnerability research. Following his time with Rapid7, he joined Anomali. While there, he managed Anomali's Threat Research Team, where they focused on creating threat intelligence. Dr. Kennedy has been a featured speaker at multiple BSides and at the CCB's Quarterly Cyber Threat Report Event. He has also presented at various other industry events. For the last few years, Dr. Kennedy has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.
Cloud computing is growing swiftly and misconfigured cloud services can be low-hanging fruit for an attacker. Misconfigured cloud services are swiftly compromised by threat actors, recent studies found that 80% of honeypots were infected within a day and all the honeypots within seven days. Most of these misconfigurations are exploited to engage in cryptojacking, with TeamTNT being one of the most active threat actors in this field. TeamTNT is a well known threat actor group that systematically targets Linux servers and also compromises Kubernetes clusters and servers running Docker. This presentation will cover the evolution of TeamTNT's activity, including TTPs throughout the various campaigns and services they targeted, such as Redis and Windows servers. The scripts and tools used in each of their campaigns will be presented, along with TeamTNT's uniqueness when it comes to targeting cloud and ways you can identify their tools in your environment.
June 29, 2022 12:30-13:05
03-FollowtheDynamite-FishbeinandKennedy.pdf
MD5: 516fc61f30fbee76d6402c71dc4aae84
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.76 Mb
- AUTLP:CLEAR
Forensics and Malware Analysis in Linux Environments
Vishal ThakurJohn LopesVishal Thakur (Ankura, AU), John Lopes (Ankura, AU)
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specialising in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. Vishal regularly conducts training sessions and presents research at international security conferences. Vishal also regularly publishes his research; some of the links have been included in this document. Other research teams have used Vishal's publications to carry out further work in malware analysis. Vishal is currently Director of DFIR at Ankura Consulting. Before joining Ankura, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Center with advanced threat analysis and developing DFIR tools. Vishal has also worked as a member of the CSIRT at the Commonwealth Bank of Australia and in the consulting industry in the past.
John is a passionate information security professional with specialist knowledge in digital forensics and incident response (DFIR), cyber threat intelligence and offensive security practices. He has over 20 years industry experience with a proven ability to help organisations defend and protect against cyber threats. John is a member of Institute of Electronic and Electrical Engineers (IEEE), International Information System Security Certification Consortium Inc. (ISC2) and a member of the Information Systems Audit and Control Association (ISACA). He also provides pro-bono information security consulting for one of Australia's largest not-for-profit organisations. John Lopes is currently Director of DFIR at Ankura Consulting. Before joining Ankura, John was a part of the Global Incident Response Team at Salesforce, Cyber Security Manager at Insurance Australia Group, Macquarie Bank and BAE Systems Australia.
This workshop teaches students Linux-based digital forensics and malware reverse engineering techniques used in responding to real-world incidents. The instructors are incident response Directors in Ankura Consulting's DFIR team and will go through techniques, tools and analysis steps involved in responding to a security incident in Linux environments and how to analyse malware that targets Linux systems. The workshop relies heavily on "hands-on" labs to teach the practical skills of how to set-up and use the tools and techniques necessary to get started performing incident response on Linux-based systems. It covers Linux memory forensics, all the way to conducting reverse engineering of Linux-based malware. The labs will utilise systems and digital artefacts based on a simulated security incident.
June 30, 2022 09:30-17:20
MD5: 14a879aee09c3fbc41f3329cb5c623b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 214.39 Kb
- USTLP:CLEAR
Formulating An Intelligence-Driven Threat Hunting Methodology
Joe SlowikJoe Slowik (Gigamon, US)
Joe Slowik has over 10 years experience in various roles within information security, spanning offensive and defensive perspectives. Following several years in the US Navy, Joe led the incident response team at Los Alamos National Laboratory, where he integrated threat intelligence perspectives into operational defense to improve defensive outcomes. After this period, Joe researched ICS threats for several years at Dragos and conducted wide-ranging intelligence analysis for DomainTools. Currently, Joe leads threat intelligence and detection engineering functions for Gigamon where he is able to apply insights into the threat landscape directly to customer-facing applications.
Consultants and marketing departments refer to "threat hunting" as a desired position for network defenders. By adopting this mindset, defenders can take a an active role pursuing intrusions. Yet precise methodologies for threat hunting are hard to come by, making the concept something amorphous. In this discussion, we will explore a methodology to standardize the threat hunting process, using an intelligence-driven, adversary-aware approach to drive investigation. This discussion will reveal a series of concrete steps or operational techniques that defenders can leverage to produce a measurable, repeatable, sustainable hunting process. To illustrate the concept, we will also look at several recent examples of malicious activity where an intelligence-driven hunting process allows defenders to defeat fundamental aspects of adversary tradecraft. Audiences will emerge with a roadmap for building a robust threat hunting program to improve the defensive posture of their organizations.
June 28, 2022 11:45-12:20
MD5: c1cbc14a313f15abebfaef2e4dd51e18
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.81 Mb
- GBTLP:CLEAR
Global IR in a Fragmented World
Serge DrozSerge Droz (FIRST, GB)
Serge Droz is a senior IT-Security expert and seasoned incident responder. After more than twenty years work in different CSIRTs he now works as a senior adviser for the Swiss FDFA. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. He has worked in private industry and academia in Switzerland and Canada in different security roles as well as at the national CERT in Switzerland.
Serge Droz is a senior IT-Security expert and seasoned incident responder. After more than twenty years work in different CSIRTs he now works as a senior adviser for the Swiss FDFA. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. He has worked in private industry and academia in Switzerland and Canada in different security roles as well as at the national CERT in Switzerland.Serge is a member of the board of directors of FIRST (Forum for Incident Response and Security Teams), the premier organisation of recognised global leaders in incident response. In this role he actively participates in discussion relating to cyber security at various policy bodies, in particular related to norm building.
Serge Droz is a senior IT-Security expert and seasoned incident responder. After more than twenty years work in different CSIRTs he now works as a senior adviser for the Swiss FDFA. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. He has worked in private industry and academia in Switzerland and Canada in different security roles as well as at the national CERT in Switzerland.Serge is a member of the board of directors of FIRST (Forum for Incident Response and Security Teams), the premier organisation of recognised global leaders in incident response. In this role he actively participates in discussion relating to cyber security at various policy bodies, in particular related to norm building.Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.
Serge Droz will present
June 30, 2022 14:15-14:50
- IE ILTLP:CLEAR
Going with the (work)flow? Incident Response for Vicious Workflows
Ryan RobinsonNicole FishbeinRyan Robinson (Intezer, IE), Nicole Fishbein (Intezer, IL)
Ryan Robinson is a security researcher for Intezer. He specializes in malware reverse engineering and incident response. In previous roles, Ryan has worked as a Security Engineer securing cloud applications and as an analyst in Anomali's Threat Research team.
Nicole Fishbein is a security researcher and malware analyst. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to discovery of phishing campaigns, undetected malware and attacks on Linux-based cloud environments.
Most cloud breaches are a result of an attacker exploiting a misconfiguration or default configurations. Most misconfigurations are public knowledge. What if you didn't know that a service you use is misconfigured? How can this be quickly remediated? Workflow platforms are an indispensable tool for automating business tasks. These widely used platforms are often hosted on the cloud to provide accessibility and scalability. Internet-wide access combined with insecure configurations can make them the perfect candidate for exploitation.Understand security risks behind these applications, how to respond to threats, and how to detect misconfigurations in popular open-source workflow software and tackle breaches once they occur, citing real-world attacks. We discovered thousands of exposed credentials, sensitive data, and cryptojacking campaigns through workflow software. The way to combat this is a defense in depth strategy, most can be tackled with open-source defensive tools.
June 30, 2022 11:20-11:55
- JPTLP:AMBER
How an Electric Utility prepared for Tokyo 2020 Games
Hiroshi KidaHiroshi Kida (Tokyo Electric Power Company Holdings, Inc., JP)
Hiroshi Kida is a cybersecurity specialist on digital risk management office at TEPCO. He has over 6 years of experience in incident response, digital forensics and threat intelligence. He holds several certificates as CISSP, CISA and CISM.
Tokyo 2020 Games was the biggest international sports event and many potential cyber threats were expected. TEPCO is the largest electric utility in Japan and successfully supported Tokyo 2020 Games, providing electricity stably.We will share our experience in preparation of cybersecurity for Tokyo 2020 Games for five years. It describes three level approach: strategy, action plans and resources, that improved our cybersecurity significantly. We also discuss our integrated physical and cyber response posture, and remote incident response posture due to pandemic. These practices will be helpful to other CSIRTs preparing for and responding to international events in other regions.
June 27, 2022 14:00-14:35
- BRTLP:CLEAR
How I Handled One of the Biggest Banking Fraud Incidents of 2020 - The Importance of CSIRT and Going Further in Threat Investigations
Daniel Oliveira De LimaThales CyrinoDaniel Oliveira De Lima (NTT, BR), Thales Cyrino (NTT Ltd Brazil, BR)
Daniel Lima holds a bachelor's degree in Technology Management, has been working in the Information Security area for over 9 years, and is a specialist in Incident Response and Encryption. Currently SOC manager for at least 4 years.
Thales Cyrino is the Cybersecurity Sales Director for NTT Ltd Brazil. He is a member of Cisco Secure Partner Advisory Council and has more than 20 years of experience in IT and Cybersecurity. The last 4 years his work has been focused on cybersecurity and developing cybersecurity business at LATAM market. He understands the customers' challenges and aims to offer the best solution to solve them. Thales works creating a cybersecurity go-to-market strategy and specific offers to LATAM market.
Thales Cyrino is the Cybersecurity Sales Director for NTT Ltd Brazil. He is a member of Cisco Secure Partner Advisory Council and has more than 20 years of experience in IT and Cybersecurity. The last 4 years his work has been focused on cybersecurity and developing cybersecurity business at LATAM market. He understands the customers' challenges and aims to offer the best solution to solve them. Thales works creating a cybersecurity go-to-market strategy and specific offers to LATAM market. Thales received a certificate in data processing from Unicamp, a BS in business administration from Anhembi Morumbi, and an MBA in Marketing from FGV.
Through a real use case, I'm sharing how the incident response team was able to identify and contain one of the biggest gangs that operated defrauding financial institutions through a combination of attacks.
June 30, 2022 09:30-10:05
01-HowIHandled-OlivieraDeLimaandCyrino.pdf
MD5: e17dce3577f5b4fae6d655a646804708
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.14 Mb
- LUTLP:CLEAR
How to Secure Your Software Supply Chain and Speed-Up DFIR with Hashlookup
Alexandre DulaunoyJean-Louis HuynenAlexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU), Jean-Louis Huynen (CIRCL - Computer Incident Response Center Luxembourg, LU)
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
Jean-Louis Huynen is a security researcher at CIRCL. He works on threat detection/intel, incident response, and the development of related tools. Previously he collaborated with LIST--Luxembourg Institute of Science and Technology (LU)--to the development of a Mixed Reality platform called TARGET for the training for Security Critical Agents (mainly on firearms events and CBRN incidents). Previous research works (and PhD) at SnT--Interdisciplinary Centre for Security, Reliability and Trust (LU)--focused on the usability of security systems and Root Cause Analysis techniques for investigating security incidents. Prior to that he worked as a software engineer.
Hashlookup aim is to index the hashes of all the published and released software. It crawls and indexes the hashes from many different public sources which include Linux distributions, operating systems such as Windows or alternative distributions. The goal is provide a fast and efficient way for analysts, digital forensic investigators and security researchers contextual information about published software. hashlookup goal is to support digital forensic investigation but also the review of software supply chain and distribution channels.
June 30, 2022 15:00-15:35
- USTLP:CLEAR
How to Talk to a Board so the Board Will Talk Back
Helen PattonHelen Patton (Cisco, US)
Helen Patton is an Advisory CISO at Cisco. Previously she spent eight years as the CISO at The Ohio State University and before joining Ohio State she spent ten years in risk and resiliency at JPMorganChase. Helen has a Master's Degree in Public Policy and has earned various industry certifications. She serves on multiple boards and is a faculty member for the Digital Director's Network, and the Educause Leadership Institute. Helen advocates for more naps and is anti-bagpipes. She is the author of "Navigating the Cybersecurity Career Path".
There is a disconnect between people who run security programs, and board members whose job it is to oversee the security of an organization. On the one hand, most security leaders are unaware of how boards work, and how to present information using the language of boards. On the other hand, board members don't understand security, or the systemic risks of technology. It's like people lobbing tennis balls at one another, but from the ends of different tennis courts. Both have a responsibility to engage, but neither really understands how to make that work. In this session, we will talk about what boards care about, and how to present security information to them. We will suggest ways to help security people foster productive board engagement in their security program. Attendees will receive ideas and resources to help them take action upon leaving the talk.
June 28, 2022 15:50-16:25
MD5: 7601d1fbe9cde74de1553d74cc9ff83e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.09 Mb
05-HowtoTalktoBoard-Patton-Willpresentownslides.pdf
MD5: 823ba2a7d7e5f0bbb67e0d8c049d7451
Format: application/pdf
Last Update: June 7th, 2024
Size: 919.39 Kb
- USTLP:CLEAR
Improving Sector Based Incident Response: A New Framework for Developing Sector CSIRTs and Integrating with National Cybersecurity Ecosystems
Justin NovakJustin Novak (CERT/CC, US)
Justin Novak is a Senior Security Operations Researcher at the CERT Division of the Software Engineering Institute, a Federally Funded Research and Development Center hosted at Carnegie Mellon University. At the SEI, he is involved in research on the operation of CSIRTs, Sector CSIRTs, and Security Operations Centers, focusing on incident response and incident management. Prior to the SEI, Justin worked in a variety of government roles, including with the federal government at the Department of Defense, and in state government. Justin holds a bachelor’s degree in Physics from the University of Pittsburgh, a master’s degree in Security Studies from the University of Pittsburgh, and a PhD in Public Policy from George Mason University. Justin is an active member of the FIRST community and serves on the FIRST membership committee.
The development of computer security incident response teams (CSIRTs) has followed a trend of growth and increased specialization, including the establishment of sector CSIRTs responsible for facilitating incident response and management for a particular sector of a country or economy. Yet little guidance exists to enable public and private sector stakeholders to come together to address the challenges that are unique to the organizations in a particular sector.
The Sector CSIRT Framework provides guidance to interested parties for (1) developing a sector-based computer security incident response and coordination capability and (2) integrating this capability into a larger, national cybersecurity ecosystem.
June 29, 2022 11:45-12:20
04-ImprovingSectorBased-Novak.pdf
MD5: 5b0e07b1c1bc5a5a57fc51b0cd647122
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.63 Mb
- BETLP:CLEAR
In Curation We Trust: Generating Contextual & Actionable Threat Intelligence
Bart ParysMichel CoeneBart Parys (NVISO, BE), Michel Coene (NVISO, BE)
Bart is a manager at NVISO where he mainly focusses on Threat Intelligence and Malware Analysis. As an experienced consumer, curator and creator of Threat Intelligence, Bart loves to and has written many TI reports on multiple levels such as strategic and operational across a wide variety of sectors and geographies.
Michel is a senior manager at NVISO where he is responsible for the Incident Response and Threat Intelligence services. As an incident responder, Michel has been (and still is) involved in large scale incidents and forensic investigations. Additionally, Michel is a certified instructor for the SANS Institute.
Just like many organizations, we are ingesting Threat Intelligence from a number of different sources. Very frequently however, we notice that the data received is lacking context or generates a lot of false positives (which in turn causes alert fatigue). In this talk we would like to demonstrate how we achieved to get around this problem by setting up a MISP ecosystem backed by a number of automation scripts and processes that support us in the curation and contextualization of individual events.
This dedicated MISP ecosystem consists of multiple MISP instance and ZMQ scripts. In conjunction with the extensive use of the MISP tagging features and workflow procedures, we were able to set up a curation process that not only saves us a lot of time, but also provides a clean feed of directly actionable threat intelligence. A happy side effect of this setup was that it allowed us to instill a full TI feedback loop between the SOC, Incident response team and our malware analysts.
Attendees will learn how we at NVISO have set up a functional MISP architecture and operational curation process. The attendees will then be able to duplicate this setup in their own organization to ensure an optimal threat intelligence feedback loop and workflow.
July 1, 2022 09:30-10:05
- GBTLP:CLEAR
Incident Response Investigations in the Age of the Cloud
Mehmet SurmeliMehmet Surmeli (WithSecure Limited, GB)
Mehmet Surmeli is a Senior Incident Response Consultant at WithSecure™, a research-led cyber security consultancy.
Mehmet initially started his cyber security career in the telecommunications industry as an incident responder, specialising in forensic investigations and malware reverse engineering. Since joining WithSecure™, he has undertaken several research projects including a Linux Triage Collection project called “Linux CatScale” and Microsoft Azure and M365 Investigation scripts. He has led multiple major investigations at multi-national organizations involving advanced threat actors. Mehmet has also authored several blog posts on WithSecure’s website and Labs portal, and has presented at CRESTCon UK 2021.With the increase in organisations transitioning to the cloud and making more use of SaaS and Container technology, attackers have had to adapt their techniques. How have organisations and incident responders had to adapt to the changing landscape? The talk will cover the trends WithSecure's blue team has observed in cloud-centric attacks affecting multinational organisations, as well as provide insight into the tools and techniques used for cloud forensic investigations.
June 28, 2022 14:45-15:20
FirstTalk-IRInvestigationsintheAgeoftheCloud.pptx
MD5: a83d7d4330d3586359b61ecde53fe607
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 12.45 Mb
- US IETLP:AMBER
Insider Scoop - Tackling Insider Threats
Denise AndersonMick RyanTony ClarkeDiarmuid O'SullivanDenise Anderson (Health Information Sharing and Analysis Center (H-ISAC), US), Mick Ryan (ICON plc, IE), Tony Clarke (Marken, IE), Diarmuid O'Sullivan (Regeneron, IE)
Denise Anderson, MBA, is President and CEO of the Health Information Sharing and Analysis Center (H-ISAC), a non-profit organization dedicated to protecting the global health sector from physical and cyber attacks and incidents through dissemination of trusted and timely information.
Denise currently serves as Chair of the National Council of ISACs, sits on the Board of Directors for the Global Resilience Federation (GRF) and the Executive Committee of the Cyber Working Group for the Health and Public Health Sector Coordinating Council. In addition she participates in numerous industry advisory groups and initiatives and has spoken at events all over the globe.
Denise was certified as an EMT (B), and Firefighter I/II and Instructor I/II in the state of Virginia for twenty years and was an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia for ten years.
She is a graduate of the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.
Mick Ryan is Vice President & Head of Cyber & Information Security in ICON PLC. ICON is a world-leading clinical research organisation powered by healthcare intelligence. We are a global provider of outsourced drug and device development and commercialisation services to pharmaceutical, biotechnology, medical device and government and public health organisations. Prior to joining ICON, Mick spent over 15 years as a security practitioner providing security services to Healthcare, Government Bodies, telecommunication providers and financial services. He holds numerous Cyber & Information security qualifications and regularly contributes to the information security community, including ISF, OWASP & the Health Information Sharing and Analysis Centre (Health-ISAC).
Tony is VP of IT Operations and Information Security at Marken who provide flexible supply chain solutions for the clinical trial landscape. He started his career in electronics and transitioned into Information Technology where he began to focus in cybersecurity. Tony worked in consultancy for several years providing IT services and building environments for banking, telecoms, government, UN and EU agencies. Over the last 20 years, Tony has provided IT & security services to several organisations across a wide variety of industries before specialising in healthcare. His previous role was Head of Information Security with ICON Clinical Research where he led a global security team and won several Cybersecurity awards.
Tony is VP of IT Operations and Information Security at Marken who provide flexible supply chain solutions for the clinical trial landscape. He started his career in electronics and transitioned into Information Technology where he began to focus in cybersecurity. Tony worked in consultancy for several years providing IT services and building environments for banking, telecoms, government, UN and EU agencies. Over the last 20 years, Tony has provided IT & security services to several organisations across a wide variety of industries before specialising in healthcare. His previous role was Head of Information Security with ICON Clinical Research where he led a global security team and won several Cybersecurity awards.He is a strong believer in contributing to the IT & security community and is currently chair of the Health-ISAC European Council. Tony has been a speaker and expert panel participant discussing cybersecurity topics across European and US security conferences including H-ISAC, ISACA & OWASP events.
Tony is VP of IT Operations and Information Security at Marken who provide flexible supply chain solutions for the clinical trial landscape. He started his career in electronics and transitioned into Information Technology where he began to focus in cybersecurity. Tony worked in consultancy for several years providing IT services and building environments for banking, telecoms, government, UN and EU agencies. Over the last 20 years, Tony has provided IT & security services to several organisations across a wide variety of industries before specialising in healthcare. His previous role was Head of Information Security with ICON Clinical Research where he led a global security team and won several Cybersecurity awards.He is a strong believer in contributing to the IT & security community and is currently chair of the Health-ISAC European Council. Tony has been a speaker and expert panel participant discussing cybersecurity topics across European and US security conferences including H-ISAC, ISACA & OWASP events. He holds a M.Sc. in Security and Forensic computing and an M.Sc. in Artificial Intelligence, a post-graduate certificate in Artificial Intelligence, drug development and numerous IT, cybersecurity, privacy and artificial intelligence certifications.
Tony is VP of IT Operations and Information Security at Marken who provide flexible supply chain solutions for the clinical trial landscape. He started his career in electronics and transitioned into Information Technology where he began to focus in cybersecurity. Tony worked in consultancy for several years providing IT services and building environments for banking, telecoms, government, UN and EU agencies. Over the last 20 years, Tony has provided IT & security services to several organisations across a wide variety of industries before specialising in healthcare. His previous role was Head of Information Security with ICON Clinical Research where he led a global security team and won several Cybersecurity awards.He is a strong believer in contributing to the IT & security community and is currently chair of the Health-ISAC European Council. Tony has been a speaker and expert panel participant discussing cybersecurity topics across European and US security conferences including H-ISAC, ISACA & OWASP events. He holds a M.Sc. in Security and Forensic computing and an M.Sc. in Artificial Intelligence, a post-graduate certificate in Artificial Intelligence, drug development and numerous IT, cybersecurity, privacy and artificial intelligence certifications. LinkedIn: https://www.linkedin.com/in/tonyclarke/
Diarmuid O'Sullivan is Senior Manager in Regeneron Pharmaceuticals and leads the global Cyber Incident Response team. Regeneron is a leading biotechnology company that invents life-transforming medicines for people with serious diseases. Regeneron's unique ability to repeatedly and consistently translate science into medicine has led to nine FDA-approved treatments and numerous product candidates in development, nearly all of which were homegrown in our laboratories.
Diarmuid O'Sullivan is Senior Manager in Regeneron Pharmaceuticals and leads the global Cyber Incident Response team. Regeneron is a leading biotechnology company that invents life-transforming medicines for people with serious diseases. Regeneron's unique ability to repeatedly and consistently translate science into medicine has led to nine FDA-approved treatments and numerous product candidates in development, nearly all of which were homegrown in our laboratories.
Diarmuid O'Sullivan is Senior Manager in Regeneron Pharmaceuticals and leads the global Cyber Incident Response team. Regeneron is a leading biotechnology company that invents life-transforming medicines for people with serious diseases. Regeneron's unique ability to repeatedly and consistently translate science into medicine has led to nine FDA-approved treatments and numerous product candidates in development, nearly all of which were homegrown in our laboratories.
During his time within Regeneron, Diarmuid worked as an Incident Response analyst, vulnerability management lead and founded the Cyber Threat Intelligence team, before going back to lead the Incident Response team. Prior to joining Regeneron, Diarmuid served for 14 years in the Irish Defence Forces. He holds a master’s in forensic computing & cybercrime investigations from University College Dublin.In the COVID era, countless companies in healthcare, particularly those involved with vaccine and therapeutic development, have experienced a rash of insider incidents. For example, in November 2021, a large pharmaceutical firm alleged that an employee stole trade secrets for personal gain. Also with a move to remote work and limited staff, there have been numerous unintentional insider incidents. These incidents can be spurred by nation state actors, criminal actors, personal employee motivation for financial gain or revenge or just through non-malicious acts. A report from Cybersecurity Insiders suggests that 57% of organizations feel insider incidents have become more frequent over the past 12 months and data from the 2021 Verizon Breach Investigations Report notes that 22% of security incidents in 2021 involved insiders, with the healthcare and finance industries experiencing the most. This panel of experts from healthcare organizations will provide a view of the insider threat landscape, talk about actual incidents and lessons learned, describe how they collaborate through the Health ISAC to protect against these threats and also impart strategies and tips for developing an insider threat program based upon their experiences.
June 30, 2022 14:15-15:35
- PL USTLP:CLEAR
Internet Spelunking: IPv6 Scanning and Device Fingerprinting
Piotr KijewskiDave De CosterPiotr Kijewski (The Shadowserver Foundation, PL), Dave De Coster (The Shadowserver Foundation, US)
Piotr makes things happen as the Shadowserver Foundation CEO, and also coordinates large-scale data collection, analysis projects, and Shadowserver's CSIRT relationships. He has a strong CSIRT background, working at NASK in Poland for 14 years at the CERT Polska (CERT.PL) team. He was the Head of the CERT Polska team from 2010 - 2016, where he expanded the sensor projects, malware analysis and malware disruption capability. Piotr's interests include threat intelligence, incident response, honeypot technologies (he is a member and ex-Director of the Honeynet Project) as well as botnets/malware networks (which he likes to disrupt).
Dave De Coster is the Internet Spelunker for The Shadowserver Foundation and has been involved in internet security for over 20 years. When he is not scanning the internet, you can find him doing things not online.
Ever wonder what it takes to scan the entire IPv4 Internet dozens of times a day and get that data (for free) into the hands of people that need it? This talk will discuss how Shadowserver scans the Internet many dozens of times per day (68 different protocols and constantly increasing) and how our scanning cluster operates. We will explain the rationale behind our scanning decisions. We will also go into recent developments: how we have recently started to expand into the realm of IPv6 scanning, and the huge challenges faced there due to the seemingly near infinite address space. We will show how our scanning benefits the Internet defender community, and how we additionally began to use it to fingerprint remote devices at scale by type/vendor/model, enabling defenders to better understand their exposed attack surface. The presentation will also include snapshots of our scanning and device identification results.
June 30, 2022 16:50-17:25
08-InternetSpelunking-KijewskiandDeCoster.pdf
MD5: 885a8cd99ab046840059790d8f2713a0
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.28 Mb
- CH
IPv6 Security Training
Frank HerbergFrank Herberg (SWITCH, CH)
After completing his studies in engineering, Frank Herberg worked on IT infrastructure and security projects for a number of technology consulting firms. In 2012, he joined SWITCH-CERT. Frank is the author of the FIRST IPv6 Security training. In the past years, he conducted divers IPv6 security trainings and hands-on workshops for the security community. Frank is Head of SWITCH-CERT (Commercial Sectors).
The Training will give an overview of the security aspects of the 'new' Internet Protocol IPv6. Participants will learn the differences to IPv4-related to security. The training also covers a deep dive into selected protocol details and their accompanied attacks. The participants will get recommendations on the mitigation of IPv6-related attacks and how to strategically approach IPv6 Security in an organization. Last but not least, an overview of useful IPv6 Security Resources and Tools will be provided.
Agenda:
• A short introduction to IPv6
• Introduction to IPv6 Security - Why IPv6 is an extensive security topic - Overview of the differences to IPv4, relating to Security
• Selected IPv6 attacks - ICMPv6 - SLAAC - Local / Remote Attacks
• Recommendations, Resources and ToolsJune 26, 2022 09:30-13:30
- USTLP:CLEAR
It's Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK
Lindsay KayeScott SmallLindsay Kaye (Recorded Future, US), Scott Small (Recorded Future, US)
Lindsay Kaye (Recorded Future, US)
Lindsay Kaye is the Senior Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay's technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.Scott Small (Major retailer, US)
Scott Small is a security & intelligence practitioner and expert in open source research, investigations, and analysis. He is currently a senior analyst supporting adversary emulation and threat modeling efforts at a major U.S. retailer. Scott’s prior roles focused on advising clients on technical and strategic applications of intelligence and using technology to help identify and mitigate supply chain and cyber risk. His favorite ATT&CK technique is T1027.Many organizations ask: "Where do I start, and where do I go next" when prioritizing behavior-based detections. We often hear "use threat intelligence!", but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then show how defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection. Alignment of intelligence and defenses enables defenders to move the focus of detection to malicious activity before the final payload is deployed, where controls are most effective at preventing serious damage to an organization.
June 28, 2022 11:00-11:35
01-JumptotheLeft-KayeandSmall-Willpresentownslides.pdf
MD5: 3e95246f77586ebc4d6be2e1a48074c6
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.21 Mb
- GBTLP:CLEAR
Keynote: Cybersecurity's Image Problem and What We Can All Do About It
Dr. Victoria BainesDr. Victoria Baines (Bournemouth University, GB)
Victoria Baines frequently contributes to major broadcast media outlets on digital ethics, cybercrime and the misuse of emerging technologies. Her areas of research include electronic surveillance, cybercrime futures, and the politics of security. She also provides research expertise to a number of international organisations.
Victoria Baines frequently contributes to major broadcast media outlets on digital ethics, cybercrime and the misuse of emerging technologies. Her areas of research include electronic surveillance, cybercrime futures, and the politics of security. She also provides research expertise to a number of international organisations.For several years Victoria was Facebook’s Trust & Safety Manager for EMEA. Prior to this, Victoria led the Strategy team at Europol’s EC3, where she was responsible for the EU’s cyber threat analysis.
Victoria Baines frequently contributes to major broadcast media outlets on digital ethics, cybercrime and the misuse of emerging technologies. Her areas of research include electronic surveillance, cybercrime futures, and the politics of security. She also provides research expertise to a number of international organisations.For several years Victoria was Facebook’s Trust & Safety Manager for EMEA. Prior to this, Victoria led the Strategy team at Europol’s EC3, where she was responsible for the EU’s cyber threat analysis.Victoria chairs the Security Panel of the Worshipful Company of Information Technologists. She has an MA from Oxford and a doctorate from Nottingham.
Those of us who work in cybersecurity have become immune to the ways we tend to represent threats: military and fantasy imagery, acronyms, and fancy animals among them. How do these representations play out for so-called 'ordinary' people who don't share our specialist knowledge? Based on new research into the rhetoric of cybersecurity, this talk combines a light-hearted critique of security jargon with serious analysis of its impact on protection from threats, and even who gets to work in cybersecurity. It doesn't have to be this way, and Victoria has ideas for how we might empower people to protect themselves and help solve our recruitment issues.
July 1, 2022 11:20-12:25
03VictoriaBAINESKEYNOTESlides.pdf
MD5: 7a96a5d3c6306ff06c0363876c2f7dd8
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.63 Mb
- IE CHTLP:CLEAR
Keynote: Online Child Sexual Abuse Material (CSAM): The Insider Attack You Have Not Seen Coming
Mick MoranRomain WartelMick Moran (AGS, IE), Romain Wartel (CERN, CH)
Mick MORAN is a member of An Garda Síochána, Ireland's national Police Service. He has worked most of his career in online child safety both as an investigator and digital forensics supervisor. He also served on secondment to INTERPOL where he finished as Assistant Director of the Vulnerable Communities sub-directorate with responsibility for the child exploitation, trafficking in human beings and people smuggling teams.
Mick MORAN is a member of An Garda Síochána, Ireland's national Police Service. He has worked most of his career in online child safety both as an investigator and digital forensics supervisor. He also served on secondment to INTERPOL where he finished as Assistant Director of the Vulnerable Communities sub-directorate with responsibility for the child exploitation, trafficking in human beings and people smuggling teams. Teacher at UCD, ECTEG and ICMEC. Board member at CAUCE, cybersafekids.ie, la Strada Moldova and safety board YUBO. Advisor to Point de Contact, EU commission and anyone else who'll listen. Brian Honan stalker.
Romain has been actively trying to protect the academic & research community and "Science For Peace" for more than 15 years.
Romain has been actively trying to protect the academic & research community and "Science For Peace" for more than 15 years.His main interests include large scale intrusions spanning across organisations and critical infrastructures, threat intelligence, DFIR, and casual botnet hunting.
Romain has been actively trying to protect the academic & research community and "Science For Peace" for more than 15 years.His main interests include large scale intrusions spanning across organisations and critical infrastructures, threat intelligence, DFIR, and casual botnet hunting.He works at the European Organization for Nuclear Research (CERN), where he acts as the security officer for the Worldwide Computing Grid used by CERN’s accelerator.
This keynote will explain how and why CSAM has become a major issue not only for online business and connected organisations, but to society as whole. After explaining the issue of online child exploitation, the nature of offending against children online, and Child Sexual Abuse Material itself, the speakers will focus on the offenders and how they access it and store it, including using their work devices. The speakers will share their direct experience with handling CSAM and supporting organisations managing CSAM cases, including actual case studies, and crucial lessons learnt. The key take-away message is that online Child Sexual Abuse Material (CSAM) distribution is growing out of control, but there are concrete steps we can take to protect our organisation, and the victims, without being exposed directly to CSAM. At this stage, this has become a crucial collective responsibility for all organisations and security teams, who need to urgently address this type of cybercrime.
June 27, 2022 09:30-10:30
- USTLP:CLEAR
Keynote: What Do We Owe One Another In Cybersecurity?
Wendy NatherWendy Nather (Cisco, US)
Wendy Nather leads the Advisory CISO team at Cisco. She was previously the Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), and served as CISO of the Texas Education Agency. She was inducted into the Infosecurity Europe Hall of Fame in 2021. Wendy serves on the advisory board for Sightline Security. She is a Senior Fellow at the Atlantic Council's Cyber Statecraft Initiative, as well as a Senior Cybersecurity Fellow at the Robert Strauss Center for International Security and Law at the University of Texas at Austin.
As the cybersecurity ecosystem evolves, we understand more about how interconnected we are: the ripple effects from breaches, the fact that supply chains aren’t discrete lines but rather a web, and that mapping our vulnerabilities is harder than we thought. In this session, Wendy Nather will talk about the concept of civic duty on the Internet — not just sporadic charity efforts or “nice to have” information sharing, but the social norms and obligations we should face together if we want a sustainable world of technology. Shared risk requires shared defence.
June 28, 2022 09:30-10:30
MD5: b5b2597510b51dff1f8993c1a97c92ad
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.26 Mb
- GBTLP:CLEAR
Knowledge Management - Nourishing and Enhancing Your Communication and Intelligence
Rebecca TaylorRebecca Taylor (Secureworks, GB)
Rebecca joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, moving into Secureworks Incident Command’s first Knowledge Manager role in 2020. Rebecca coordinates the smooth delivery of Secureworks largest and most challenging incidents, ensuring victims receive the best possible support during their time of crisis. Furthermore, she leads the ingestion, management and subsequent sharing of intelligence and knowledge gleaned as part of Incident Response delivery.
This session will share tips and tricks on knowledge management during a reactive incident. We will look at how to collect and manage the influx of new data and potential intelligence, as well as how to align your workstreams. We will discuss how to handle communications across the organization, and how to get the best out of your staff, customers, Insurers and Regulators during a crisis. Finally we will discuss toolkits, procedures and other "spin ups" which could be put into place once an incident is declared, to best preserve and support data gathering, and how this information can then be nourished and ingested into the organization post-incident.
June 27, 2022 11:00-11:35
01-KnowledgeManagement-Taylor.pdf
MD5: 40bbd02e80c34dc8107e0d0e330db0f9
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.09 Mb
- TWTLP:AMBER
Let's Catch Phish Together: A Case Study of Large-scale Targeted Phishing Attacks
Meng-Han TsaiMeng-Han Tsai (Taiwan National CERT, TW)
Meng-Han Tsai is a cybersecurity researcher in Taiwan National Computer Emergency Response Team (TWNCERT) which is also known as NCCST in Taiwan. His research covers Malware Analysis, Network Forensics, and Threat Hunting. He is currently the section head of Endpoint Security Team and responsible for detecting email threats/spear-phishing attacks against Taiwan Government Agencies.
Phishing is one of the most deceptive ways to lure targets into taking damaging actions against themselves or the organization. Because people remain susceptible to manipulation and human psychological weaknesses result in the principal vulnerabilities that can be exploited by social engineering. Adversaries may send phishing messages to bypass security systems to steal personal information and reveal sensitive data. This case study sheds light on large-scale targeted phishing attacks against Taiwan in 2021 and shares the investigation results. In addition, we share how we conduct joint defense to defend against attacks. According to the correlation and investigation results, we conceive that many worldwide official agencies might also become adversaries' targets.
June 30, 2022 16:05-16:40
Lightning Talks
The Lightning Talk sessions consist of informal, 5-minute presentations given by your peers. Sign-up is open to all conference attendees. The sign-up process is old school - find the the flip chart near registration and add your name and topic title. First-come, first-served. Lightning Talks are moderated and you are welcome to present with slides.
June 28, 2022 15:50-17:10
- AUTLP:CLEAR
Living with Ransomware - The New Normal in Cyber Security
Vishal ThakurJohn LopesVishal Thakur (Ankura, AU), John Lopes (Ankura, AU)
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specialising in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. Vishal regularly conducts training sessions and presents research at international security conferences. Vishal also regularly publishes his research; some of the links have been included in this document. Other research teams have used Vishal's publications to carry out further work in malware analysis. Vishal is currently Director of DFIR at Ankura Consulting. Before joining Ankura, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Center with advanced threat analysis and developing DFIR tools. Vishal has also worked as a member of the CSIRT at the Commonwealth Bank of Australia and in the consulting industry in the past.
John is a passionate information security professional with specialist knowledge in digital forensics and incident response (DFIR), cyber threat intelligence and offensive security practices. He has over 20 years industry experience with a proven ability to help organisations defend and protect against cyber threats. John is a member of Institute of Electronic and Electrical Engineers (IEEE), International Information System Security Certification Consortium Inc. (ISC2) and a member of the Information Systems Audit and Control Association (ISACA). He also provides pro-bono information security consulting for one of Australia's largest not-for-profit organisations. John Lopes is currently Director of DFIR at Ankura Consulting. Before joining Ankura, John was a part of the Global Incident Response Team at Salesforce, Cyber Security Manager at Insurance Australia Group, Macquarie Bank and BAE Systems Australia.
Not unlike the Corona Virus and its variants, the infosec community need to accept the fact that Ransomware is not going away anytime soon. This talk focuses on how busines can move away from the elimination approach towards a managed prevention approach. This is a presentation that covers everything you need to know to get started towards transforming your organisation to be ransomware resilient. Ransomware has been around for quite some time now and the good thing about that is that we have learnt a lot about this threat in that time. We dig deep into our past experiences from responding to security incidents involving ransomware and share our learnings with the audience. We discuss what to focus on while analysing ransomware and how to create effective detections for ransomware, based on core components of the malware and its behaviour. We share our ideas on how to create an environment within organisations that is ransomware aware and ready for response when an attack involving ransomware eventuates. From our experiences across industries spanning healthcare, technology, finance, manufacturing and commerce, we share knowledge that can be used to build a ransomware-resilient infrastructure. We cover topics such as what to look for when taking out a cyber insurance policy, along with strategies on how to handle communications during and after the incident. Let's face it, ransomware is a threat that is here to stay, we need to adapt to living with it and best preparing organisations to manage it when it strikes.
June 27, 2022 11:45-12:20
02-LivingwithRansomware-LopesandThakur.pdf
MD5: ed8198dea3dbb6b22476ca8385427d08
Format: application/pdf
Last Update: June 7th, 2024
Size: 705.7 Kb
- CH
MANRS: How to Implement Routing Security
Massimiliano StucchiMassimiliano Stucchi (ISOC, CH)
Massimiliano (Max) joined the Internet Society in 2019 and is currently working on the MANRS routing security initiative. He previously worked as a trainer and IPv6 Programme Manager at the RIPE NCC, and before that the founder and technical director of a small Internet Service Provider and Wireless Internet Service Provider in Northern Italy.
- BGP 101
- Introduction to BGP
- BGP Attributes and the Path Selection Process
- BGP traffic engineering tools (Local Pref, MED, AS path prepend, communities etc)
- Understanding RPSL and the Internet Routing Registry (IRR) system
- The Art of Route Filtering - Practical demo with the global routing table
- BGP Operations and Security (RFC7454), BCP38 (RFC2827) – Network Ingress Filtering
- BCP84 (RFC3704) – Ingress Filtering for Multihomed Networks
- Understanding RPKI (ROA and ROV)
- Anatomy of a ROA
- Creating Route Origin Authorisation (ROA) in various RIRs
- Demo and Exercise
- Relying party software (RPKI validator)
- How they work
- Exercise/Demo
- Route Origin Validation (ROV)
- How ROV is performed
- Configuration exercise
June 26, 2022 09:30-16:30
- LUTLP:CLEAR
MISP CTI Analyst Training
Sami MokaddemAndras IklodySami Mokaddem (CIRCL - Computer Incident Response Center Luxembourg, LU), Andras Iklody (CIRCL - Computer Incident Response Center Luxembourg, LU)
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been leading the development the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
MISP is an open source Threat Information Sharing Platform (TISP), aiming to provide a broad spectrum of sharing with machines and humans alike.The training is meant as an introductory workshop, tackling the main functionalities of the platform from an analyst perspective, producing highly contextualised information, enriching it, collaborating on it and sharing it with partners and tools.After the introductory session, participants will make use of their newly acquired skills by participating in an exercise mimicking a real incident in regards to extracting, modelling and sharing the data in a way that is meaningful and automate-able by their communities.
June 30, 2022 09:30-17:20
- USTLP:CLEAR
More Than a CSIRT: Lessons Learned from Supporting a National Response to COVID-19
Tom MillarJoshua CormanTom Millar (CISA, US), Joshua Corman (IamTheCavalry.org, US)
Mr. Millar has been apart of the US Cybersecurity and Infrastructure Security Agency (CISA) for 12 years working to strengthen the agency's information sharing capabilities, increasing the level of public, private and international partner engagement, and supporting initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master's of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
JOSHUA CORMAN is a Founder of I am The Cavalry and the former Chief Strategist of the CISA COVID Task Force. He has previously served in CSO, CTO, and other senior roles. He co-founded RuggedSoftware and IamTheCavalry.org to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. He is a member of the Adjunct Faculty for Carnegie Mellon’s Heinz College, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.
To respond to the COVID-19 pandemic, The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with National CSIRT functions for the US, established a COVID Task Force, bringing in experienced experts from outside the agency to work alongside career analysts and advisors. Early on, it became apparent that to rapidly secure the pandemic response against cyber threats, it would take more than just threat tracking and incident response. CISA drew on its cybersecurity assessments capabilities to help secure critical organizations in the vaccine supply chain, rapidly worked to strengthen relationships with the healthcare sector, and began analyzing data on the progress of the pandemic to help inform strategic decisions about the whole-of-government response. This presentation will describe CISA's response and explain how other security teams can be prepared to creatively deal with sudden changes in mission sets and priorities.
June 30, 2022 09:30-10:05
01-MoreThanaCSIRT-Millar-WILLBRINGOWNLAPTOP.pdf
MD5: 61f21e03d1bc2a9cf7c4bd47bc87d516
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.95 Mb
- CHTLP:CLEAR
Never Walk Alone: Inspirations From a Growing OWASP Project
Christian FoliniChristian Folini (OWASP ModSecurity Core Rule Set, CH)
Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference. In 2020, the Swiss government invited him to moderate a dialogue with 25 scientists on questions of online voting security. Christian Folini is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.
The OWASP ModSecurity Core Rule Set (CRS) was a dormant project, when a group of three developers picked it up in 2016. Today, this open source web application firewall project counts 14 active developers, annual sponsoring of over 40K USD and the rules run on over 100Tbit/s. This presentation explains how the new management took over the project and developed it in three key areas: (1) the code, (2) the developers and (3) the users and partners. The growth of OWASP CRS serves as an example how you can grow and mature your project too.
June 30, 2022 16:05-16:40
MD5: 1886aac6e13badd3d7c4eac0f3fe1de5
Format: application/pdf
Last Update: June 7th, 2024
Size: 18.92 Mb
- TWTLP:CLEAR
No More Ransomware in Critical Infrastructure!
Hank ChenHank Chen (TXOne Networks Inc., TW)
Hank Chen (@hank0438) is a threat researcher at TXOne Networks. Hank is in charge of malware analysis, product security,and vulnerability research. Hank was a teaching assistant of Cryptography at Taiwan's National Tsing Hua University (NTHU), as well as joined in many CTF competitions with BalsiFox and 10sec to focus on crypto, reverse, and pwn challenges
Attacks on critical infrastructure are becoming more and more rampant, especially since 2019. Ransomware has become a necessary subject of study for stakeholders and personnel, and has also had a substantial operational impact on industrial control system (ICS) environments. The continuous evolution of ransomware and the peculiarities of the ICS environment make it difficult to ensure that ICSes are protected from ransomware attacks under operating conditions. In this talk, in addition to in-depth analysis of the ransomware behaviors and ransomware-related techniques that have affected ICS environments, we also propose effective defense methods and strategies perfected to ICS environments to strengthen protection against ransomware.
June 28, 2022 16:35-17:10
- USTLP:CLEAR
Open Source Doesn't Care About You, But You Should Care About It
Christopher RobinsonChristopher Robinson (Intel, US)
Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast that seeks to education Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.
Open Source Software (OSS) is an amazing innovative ecosystem that impacts virtually every aspect of software and products around the globe. Most end-consumers of OSS are blissfully unware of how OSS *actually* works, which leads to downstream consumers and suppliers inadvertently accepting significantly more risk from using OSS. This session seeks to educate suppliers and end-consumer security teams on how OSS works, how vulnerabilities get fixed, and how best they can engage with this amazing ecosystem better.
June 28, 2022 15:50-16:25
- FR CZTLP:CLEAR
Operation GamblingPuppet: Analysis of a Multivector and Multiplatform Campaign Targeting Online Gambling Customers
Daniel LunghiJaromir HorejsiDaniel Lunghi (Trend Micro, FR), Jaromir Horejsi (Trend Micro, CZ)
Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years. Now he focuses on long-term monitoring of advanced threat actors from all over the world, exploring new ways of tracking them, and enjoying their mistakes. The result of such investigations are shared through blogposts, whitepapers, and conference talks.
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
Despite being illegal in some countries, global online gambling industry growths steadily year after year, flourishing in current environment dominated by the global pandemic. This trend was not surprisingly noticed by advanced threat actors as we observed and analyzed campaigns targeting online gambling platforms.In this research, we will focus on a multiplatform (Windows and Linux) campaign involving known espionage tools as well as new malware families. Operated by individuals with knowledge of Chinese language, the victims of this campaign are mostly online gambling customers in South East Asia.We noticed some interesting infection vectors, such as backdoored or fake installers for popular applications, or even for a custom chat application, suggesting a very targeted campaign.The delivered malware families are well known espionage tools such as PlugX and Gh0stRAT, or lesser known XNote and HelloBot. Some of these Linux malwares were previously reported for their cybercrime usage, but never for espionage purposes. We also found some previously unreported malware families dubbed GoRAT and PuppetRAT, one of which uses images for payload storage. After carefully analyzing their unique features, we will highlight one interesting case where a flawed cipher implementation led us to the discovery of an additional malware likely implemented by the same threat actor.As a conclusion, we will discuss the multiple links we found with known advanced threat actors and older investigations.
June 29, 2022 11:00-11:35
03-OperationGamblingPuppet-LunghiandHorejsi.pdf
MD5: 6d34ccb13ac42f49f98b4f1e0a6e3487
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.14 Mb
- FRTLP:AMBER
Phishing Management at VINCI Using Thehive
Vincent Le TouxVincent Le Toux (VINCI-CERT, FR)
Vincent Le Toux is head of the VINCI-CERT and also the author of Ping Castle: an Active Directory security tool. He has also made many open source contributions such as mimikatz, OpenPGP, OpenSC, GIDS applet, etc. Finally, he already did presentations in security events, mainly BlackHat, FIRST and BlueHat.
When looking at presentations in security conferences, it seems so easy to handle phishing and keep track of attack groups. But nobody talks about how they started and the difficulties they faced. With hundreds of companies and no unique SOC, the VINCI group is quite complex. Surprisingly, something as trivial as previewing an email turned out to be a challenge. We could have talked about SOC products such as Sentinel or CortexXSOAR, but we went for TheHive since it is well spread in the CSIRT community.This presentation will address why we used phishing as an enabler, what architecture we have put in place with TheHive and many of the intricacies around this project. With such a flexible product, the possibilities are endless. We will give our feedback on how we were able to make it work with many entities. We will also include our on-field experience and statistics.
June 27, 2022 16:35-17:10
- USTLP:CLEAR
Prioritizing Vulnerability Response with a Stakeholder Specific Vulnerability Categorization
Jonathan SpringJonathan Spring (Carnegie Mellon University, US)
Jonathan Spring is a senior member of the technical staff in the CERT division of the Software Engineering Institute at Carnegie Mellon University. Dr. Spring's work focuses on producing reliable evidence in support of crafting effective cybersecurity policies at the operational, organizational, national, and Internet levels. Jono's research and practice interests include incident response, vulnerability management, machine learning, and threat intelligence.
SSVC can help organizations prioritize vulnerabilities consistently and communicate priorities between management and analysts. The problem SSVC helps solve is vulnerability triage. The focus of the solution is to take in the appropriate amount of context about the system, organization, and vul, without taking in more detail than is relevant. This talk will help you learn how to ask no more questions than is necessary to reach an adequate vulnerability management decision.
June 30, 2022 12:05-12:40
121_04-PrioritizingVulnerability-Spring.pdf
MD5: dd5610e4fd8559e54e3962c09154c582
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.31 Mb
- GB RUTLP:AMBER
RaaS: Ransomware as a Science (Chan eil tuil air nach tig traoghadh)
Eireann LeverettVladimir KropotovEireann Leverett (Waratah Analytics, GB), Vladimir Kropotov (Trend Micro, RU)
Eireann Leverett is a humble hacker lucky enough to hang out with the rest of these epic nerds. He is a co-chair of the Mutli Stakeholder Ransomware Special Interest Group with Barry Greene.
Vladimir Kropotov is a researcher with Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Ransomware metrics require collaboration. We have used time series analysis to innovate ways to syntheise data from multiple sources (endpoint sightings and ransoms in the BTC blockkchain). This gives us a perspective on the effectiveness of different ransomware groups operations, their capacity, and their methods. We also look into CVE data and measure those CVEs according to impact. From binary analysis to sightings, from ransoms to operating frequency, from comparative analysis of groups to an insurers view of the effectiveness of incident responders, we aim to give you methods and tools to strategically prepare for ransomware in your teams. How many incidents have we seen hsitorically? How many might we see next year? Which groups are doing the most damage, and how do we move beyond endlessly reverse engineering the next binary sample towards effective collaborative response?
June 27, 2022 14:00-14:35
FIRST22_RansomwareasaScience_TLP_WHITE_WITHOUT_SOME_SLIDES.pdf
MD5: 15326afcccab798c33c21d6bebf07e26
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.48 Mb
- IETLP:CLEAR
Ransomware Incident Response - The Real-World Story of a Ransomware Attack
Joseph CarsonJoseph Carson (Delinea, IE)
Joseph Carson is an award-winning cyber security professional and ethical hacker with more than 25 years’ experience in enterprise security specialising in blockchain, endpoint security, network security, application security & virtualisation, access controls and privileged account management. Joe is a Certified Information Systems Security Professional (CISSP), active member of the cyber security community frequently speaking at cyber security conferences globally, often being quoted and contributing to global cyber security publications.
June 28, 2022 14:00-14:35
- DETLP:CLEAR
Ransomware, Risk, & Recovery: Protecting and Creating Resilience for Hybrid Active Directory
Calum FieldCalum Field (Semperis, DE)
Calum Field is a Solution Archictect with Semperis and joined our team in 2022. Calum was born in Scotland but has been living living Germany for many years. In the past Calum has worked with many new and exciting technologies, including the security space and will now be concentrating helping our customers and partners achieve a better security posture with their Active Directory environments.
Can you defend your hybrid Active Directory environment from cyberattacks? How do you recover when the inevitable occurs? Active Directory is the heart of many organizations' information systems: It's used for identity management by 90 percent of businesses. But this 20-year-old technology is increasingly under attack by cyber-criminals who use AD to gain access to your network--and your data. Ninety percent of all attacks exploit AD in some form or another highlighting the urgent need to constantly monitor for vulnerabilities and to properly, quickly and safely restore an AD forest when attacks happen. What you'll learn: The dos and don'ts of recovering AD from a cyber disaster; The essentials of securing a hybrid AD environment; Actionable insights into a cyber-first approach to hybrid AD resilience.
June 28, 2022 14:45-15:20
- USTLP:CLEAR
Ransomware Stages of Grief
Tony KirtleyTony Kirtley (Dell SecureWorks, US)
Tony Kirtley joined Secureworks in 2015 as a Senior Consultant focusing on incident response planning and testing for our customers. In 2018, he became Secureworks' first Incident Commander, focused on managing major cybersecurity incidents for our customers. Tony has since led the response to many data breach and ransomware incidents for large and small customers. Tony has more than 21 years of experience in information security. He has built and led cybersecurity incident response teams for Fortune 500 companies and has a wide breadth of experience and knowledge in many aspects of information security in the private sector and the U.S. Military. He retired from the Missouri Army National Guard in 2014 at the rank of Lieutenant Colonel after building and leading the nationally recognized Missouri National Guard Cyber Team.
Secureworks conducts over 1000 incident response engagements a year and has done more than 600 post detonation ransomware engagements since 2018. These engagements provide us an incredibly wide aperture on threat behaviors and their respective tradecraft, but it also provides us a very wide aperture of victim behaviors. We have observed a commonality of victim behaviors that nearly every one of our client victims go through, so much so that we began calling our observations the stages of ransomware grief.In much the same way as the Kubler-Ross Grief Cycle illustrates the emotional journey people go through with the loss of a loved one, business leaders and their key personnel go through a similar emotional journey when faced the crippling business impacts from a ransomware attack. The sooner business leaders can recognize objectively that their emotional response is normal, expected, and can be managed, the sooner leaders and their respective teams can reach acceptance of their situation and make more rational and pragmatic decisions that lead to a quicker recovery.
July 1, 2022 09:30-10:05
RansomwareStagesofGrief-FIRST2022-Kirtley.pdf
MD5: 8fcfeb45dc66c12d5561f3d8562fa16d
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.71 Mb
RansomwareStagesofGrief_FIRST.pdf
MD5: d2016caca2f3ccc7362f9a620bcfe809
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.62 Mb
- HUTLP:CLEAR
Reversing Golang Binaries with Ghidra
Dorka PalotayDorka Palotay (Palotay Dorka, HU)
Dorka has a Bachelor's degree in applied mathematics. She continued her studies in the field of security and privacy, where she gained her Master's degree in computer science specializing in advanced cryptography. She started her career at Sophos, mainly focusing on ransomware analysis, but as a member of the Emerging Threats team, she had the opportunity to gain experience in reverse engineering a wide range of malware attacks. Before joining CUJO AI she was working in the financial industry as an IT security analyst, focusing on threat hunting and forensics investigations. Currently, she is working at CUJO AI as a senior threat researcher focusing on reverse engineering IoT malware.
Golang is Google's open-source programming language, which in recent years has gained attention among developers. It is not only used for good purposes but, in a developing trend, it is a popular choice of malware authors as well. The fact that Golang supports cross-compiling makes it a tempting option for IoT malware attacks. This has resulted in a proliferation of IoT malware written in Go. For this reason, we decided to dive deeper and develop our own toolset to become more effective at combating Go malware. When it came to dissecting Go malware, reverse engineers found themselves faced with a hurdle. Go presents new challenges that make binary analysis more difficult. In order to aid and automate this process, we have created custom scripts for Ghidra. The talk will consist of:
- Introduction to IoT malware families written in Go.
- Discussion of the unique features and hurdles of Go binaries.
- Tackling common problems when reverse engineering Go malware in general and specifically with Ghidra.
- Sharing our Ghidra scripts that we use during reverse engineering.
June 27, 2022 11:00-11:35
MD5: 216a4302abd461def88dad506c42da14
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.58 Mb
- IE ILTLP:CLEAR
Rise of the Vermilion: Cross-platform Cobalt Strike Beacon Targeting Linux and Windows
Ryan RobinsonAvigayil MechtingerRyan Robinson (Intezer, IE), Avigayil Mechtinger (Intezer, IL)
Ryan Robinson is a security researcher for Intezer. He specializes in malware reverse engineering and incident response. In previous roles, Ryan has worked as a Security Engineer securing cloud applications and as an analyst in Anomali's Threat Research team.
Avigayil is a security researcher at Intezer specializing in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms. As part of her ongoing work she has initiated the ELF Malware Analysis 101 series, to make ELF analysis approachable for beginners. Prior to joining Intezer, Avigayil was a cyber analyst in Check Point's mobile threat detection group.
As one of the most heavily used tools by threat actors, Cobalt Strike is an integral part of many attack chains targeting Windows environments. It was used as a post exploitation tool in high-profile breaches including the infamous SolarWinds and Colonial Pipeline. Until recently, Cobalt Strike was not documented targeting Linux systems in the wild, which makes sense as there is no official Cobalt Strike version for Linux. Recently, we discovered a fully undetected ELF implementation of Cobalt Strike's Beacon, which we named Vermilion Strike. After further analysis, Windows versions were found sharing the same functionalities with the Linux version, contacting the same C2. Based on telemetry, this threat has been active in the wild targeting high profile entities in multiple industries. This talk will discuss Cobalt Strike and it's popularity, provide an in-depth analysis of Vermilion Strike including its TTPs, and suggest methods for detection and response to these threats.
June 30, 2022 12:05-12:40
04-RiseofVermilion-RobinsonandMechtinger.pdf
MD5: c572b7f625b26afe5dd9a719427c804b
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.78 Mb
- US NLTLP:CLEAR
Roll Up Your Sleeves: Threat Hunting an APT in a Hands-On Workshop
Megan ParsonsFloris LadanMegan Parsons (Splunk, US), Floris Ladan (Splunk, NL)
Over the last 20 years, Megan has built up a proven record of delivering security and consulting expertise to clients worldwide. Her professional experience includes leadership of global security enablement organizations and a follow-the-sun combined SOC/NOC, as well as architecture and consulting on managed security services, security programs, and networks. As a proud Splunk Security Strategist, she provides in-depth security market analysis and innovative enablement for product and field organizations focusing on improved customer security outcomes.
Floris Ladan is a Staff Security Strategist working at Splunk. He has been working in the security space for over 15 years as both an attacker and defender. As the Designer of the Magma Use case framework he has a broad experience in getting the most value out of operational security by calculating the most efficient way to break attack chains, achieve the most value from existing security tooling and how to measure and improve SOC performance.
Perhaps you want to be a threat hunter and are looking for an opportunity to learn how to hunt. Maybe you are a threat hunter, but would like to hunt when an incident isn't hovering over you. Or as a leader, you would like to understand the value of threat hunting and to try your hand at it. There is a lot of buzz about threat hunting and the goal of our workshop is to cut through the talk and give attendees a chance to get hands-on with a data set that contains a "fictional" adversary we refer to as the Violent Memmes (APT-VM). We will provide a foundation and discuss what threat hunting is and how MITRE ATT&CK, the Diamond Model and the Lockheed Martin Kill Chain tie in since they help frame our hunts. From there we will set the scene and start hunting. For each hunt a hypothesis or threat advisory will serve as a starting point along with guidance in the form of questions to help focus our hunt for less experienced hunters. Time will be allocated for each hunt and allow participants to hunt on their own as well as ask questions for guidance. Then, we will reconvene and share how we conducted each specific hunt as well as discuss how our findings can be operationalized. At the end of this workshop, we will provide pointers to similar datasets that attendees can work with after the conference to refine their skills!
July 1, 2022 09:30-10:50
- DETLP:CLEAR
Securing the Supply Chain Together - Through Automation of Advisories and Vulnerability Management
Thomas SchmidtJens WiesnerThomas Schmidt (BSI, DE), Jens Wiesner (BSI, DE)
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITION/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
Jens Wiesner heads the section 'Cyber Security in Industrial Control Systems' of the German Federal Office for Information Security (BSI). To increase security of critical infrastructures he and his team cover many areas starting with establishing trust and good relations with vendors and asset owners over committee work, baseline security documents over supporting standardization efforts (ISA99 and DKE 62443) to working with academia to improve research and education. He started his career in times of NCSA Mosaic and administrating DEC Alphas while studying physics. He advanced in digital and analog measurement technology and programmed EIB (nowadays known as KNX) to finance his studies. After graduating he set up and ran a computing lab at the University of Stuttgart for several years. For some years he programmed risk management (Sarbanes Oxley 404) for a German car manufacturer. Since 2013 he works for BSI and since 2016 he is responsible for 'Cyber Security in Industrial Automation and Control Systems' and technical aspects of critical infrastructure protection in Germany. In his spare time he is cycling and rowing all over the world. (Mostly quad sculls)
Securing the supply chain is a complex task. However, the current threat landscape makes it clear that this has to be tackled immediately. As vulnerabilities are frequently (ab)used by adversaries, one step to a more secure supply chain is the downstream propagation of vulnerability and remediation related information. This includes not only remediation measures, as mitigations and updates, but also the information if a product is not affected. The workshop gives an overview of the current situation of human-readable security advisories and the problems, which arise here. It will introduce the Common Security Advisory Framework (CSAF) as a solution, which provides not only a machine-readable format for security advisories but also covers the distribution and discovery part. CSAF was developed as an industry-led effort by the international community at the standardization organization OASIS Open. In the first part, the workshop will illustrate the eco-system including live demos of available open source tools. In the second part, it will give a step-by-step guidance how to become a part of that eco-system: starting with writing and publishing security advisories as CSAF documents over consuming them up to matching them against an asset database or SBOM. The second part will provide hands-on experience.
June 27, 2022 11:00-15:20
20220627_103_Schmidt_Wiesner_email.pdf
MD5: dd840e7597ea0e115dee4c3d819253f7
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.85 Mb
- JPTLP:CLEAR
Shellcode Interactive Basic Analysis Course with Radare2/IDA
Shinichi NaganoHendrik AdrianShinichi Nagano (LAC Co., Ltd., JP), Hendrik Adrian (LACERT, Cyber Emergency Center, LAC, JP)
Shinichi Nagano is a member, cyber threat analyst, and malicious binary analyst for the Cyber Emergency Center of FIRST Team LACERT with the background as Network Forensic Analyst. He is currently a representative of Team LACERT in FIRST dot org. He analyzes various of malware and network log threat specially incidents and sharing his work in the security community as speakers and lecturer, like BOTCONF, NCA (Japan CSIRT Association). His recent contribution for the global security community is the founding of WellMess botnet which has been presented in BOTCONF 2018, as per shown in below link: https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf
Hendrik Adrian is the cyber threat intrusion analyst of FIRST Team LACERT at Cyber Emergency Center and he is active in FIRST dot org activities. Hendrik has joined LACERT and works as Japan government support for various educational security lecture activities in IPA, he is putting more efforts in contribution to local (Japan) and international security communities as an active speaker in various conferences i.e. IOTSecJP, R2CON, BotConf, AV Tokyo, ROOTCON, Brucon, DefCon Japan HACK.LU, etc., along with contribution as lecturer in security educational events in Japan at All Japan Security Camp, SECCON and IPA ICSCoE's CyberCrest supporter. He contributed his analysis in malwaremustdie dot org media, listed in the Wikipedia as URL below: https://en.wikipedia.org/wiki/MalwareMustDie
The recent increasing cyber threat mis-used the red team's exploitation framework is increasing and most of them are using shellcode as on-memory executable loader, code execution and stager for further intrusion. The shellcode itself is not new, and it is rapidly developed by red teams in order to make intrusion and penetration to the targeted system accomplished successfully under mitigated modern operating systems and its protection layers. We find it is important for the incident response analysts to follow the recent progress of shellcode itself by comprehension and understanding the basic know-how of its analysis, which is the objective of this course. The course is aiming to educate analysts for the basic concept of the shellcode to help them dealing with its usage to the recent related incidents trigger by post exploitation attack tools.
June 28, 2022 11:00-17:10
- SE AUTLP:AMBER
Shining a Light on a Global Threat Actor
Rhys MatairaRobert ByrneRhys Mataira (Ericsson, SE), Robert Byrne (Ericsson, AU)
Rhys leads major incident response activities which involve Ericsson’s product and services portfolio, and brings these learnings back to the threat intelligence function for improving Ericsson’s product security posture.
Robert is a principal security specialist hosted in a global competence center for security within the Ericsson CTO office. Bringing 16 years of experience in telecommunication engineering and information security, Robert holds cross functional roles, spending his time performing vulnerability assessments and incident response activities that touch Ericsson’s product and services portfolio. Robert holds a double degree in Engineering and Computer science and is Offensive Security OSCP and (ISC)² CISSP certified.
LightBasin: the term likely does not evoke frightening connotations or threatening imagery. This is the now common moniker awarded to a threat actor aggressively targeting and exploiting telecommunication network providers across the world, likely with the objective to support nation state intelligence services. In October this year, CrowdStrike lifted the lid on LightBasin; however, at this stage it was already provoking images of espionage and modern cyber spy craft for those involved within PSIRT. Ericsson PSIRT share the story as seen from the trenches on this LightBasin threat actor, covering the TTP with a deep dive into the gritty details.
June 28, 2022 11:45-12:20
- USTLP:CLEAR
Sightings Ecosystem: A Data-driven Analysis of ATT&CK in the Wild
Kellyn Wagner RamsdellMike CunninghamKellyn Wagner Ramsdell (MITRE Corporation, US), Mike Cunningham (MITRE Engenuity, US)
Kellyn Wagner Ramsdell is a Senior Cyber Threat Intelligence Analyst at the MITRE Corporation. At MITRE, she splits her time across documenting how to do cyber threat intelligence (CTI), discovering new ways to do CTI, and actually developing/writing CTI. Kellyn began her career in local government combining intelligence analysis and incident response, often in response to ransomware attacks. When not knee-deep in CTI, Kellyn can typically be found hiking with her dog or climbing with her husband.
Mike Cunningham is a Lead Cyber Operations Engineer at the MITRE Corporation. He currently conducts ATT&CK-based research in the Center for Threat Informed Defense and as part of the ATT&CK Evaluations team. When he's not researching new ways to implement ATT&CK, Mike helps bring Adversary Emulation to MITRE's government sponsors. Before joining MITRE, Mike worked as an Interactive On-Net operator in the infamous Tailored Access Operations at the NSA.
Mike Cunningham is a Lead Cyber Operations Engineer at the MITRE Corporation. He currently conducts ATT&CK-based research in the Center for Threat Informed Defense and as part of the ATT&CK Evaluations team. When he's not researching new ways to implement ATT&CK, Mike helps bring Adversary Emulation to MITRE's government sponsors. Before joining MITRE, Mike worked as an Interactive On-Net operator in the infamous Tailored Access Operations at the NSA.When Mike is not performing cybersecurity research, he loves hanging in his backyard in sunny San Diego with his wife while his three girls run around and play.
The Sightings Ecosystem is a community-driven effort to track ATT&CK techniques seen in the wild. The Center for Threat-Informed Defense, along with Center participants, has collected, aggregated, and analyzed Sightings data to give insights into frequency and co-occurrence of ATT&CK techniques. By giving defenders unprecedented visibility into the most common ATT&CK techniques utilized by our adversaries, Sightings can reduce some of the biases in CTI reporting, such as novelty and producer bias. Sightings is also an example of what the cybersecurity community can accomplish when we work together in the public interest.
June 27, 2022 15:50-16:25
- FR PL
SIM3 Training Afternoon Session A: SIM3 for Novice Teams and Those Aspiring to Become FIRST Members
Olivier CaleffMiroslaw MajOlivier Caleff (ERIUM, FR), Miroslaw Maj (ComCERT.PL, PL)
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL)
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities. Founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, a former leader of CERT Polska team. The member of the Digital In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities and building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities. Founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, a former leader of CERT Polska team. The member of the Digital In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities and building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.European Network Information Security Agency expert and co-author of many ENISA publications including CERT exercises and papers on improvement CSIRT maturity. He organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for most essential sectors (e.g energy, banking, telecommunication). Speaker on many international conferences including the FIRST conferences. He is also the originator and organiser Security Case Study conference, one of the largest cybersecurity event in Poland.
Prequel: to follow the morning SIM3 training is essential before joining this session.
This session is aimed at newer teams, and teams who want to become a member of FIRST - this includes teams who are in the FIRST Fellowship Program. The application of SIM3 for such teams is explained, and also how the membership process works, including the use of SIM3.
Trainers: Olivier Caleff, Miroslaw Maj - both on behalf of Open CSIRT Foundation
June 26, 2022 13:00-17:00
- NL DE
SIM3 Training Afternoon Session B: SIM3 for Experienced Teams and Membership Sponsors
Don StikvoortKlaus-Peter KossakowskiDon Stikvoort (Elsinore, NL), Klaus-Peter Kossakowski (Univ. of Applied Sciences, Hamburg, Germany, DE)
Don Stikvoort MSc.
Don Stikvoort MSc.In 1988 Don joined the Dutch national research network SURFnet, after studying physics and serving as army officer. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert between 1992-8, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership: he was program chair for the FIRST conference in Australia in 1999, initiated the FIRST Secretariat,
Don Stikvoort MSc.In 1988 Don joined the Dutch national research network SURFnet, after studying physics and serving as army officer. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert between 1992-8, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership: he was program chair for the FIRST conference in Australia in 1999, initiated the FIRST Secretariat, is a longtime member of the Membership Committee and co-chair of the Traffic Light Protocol SIG. In 1998 he co-wrote the ‘Handbook for Computer Security Incident Response Teams (CSIRTs)’. Don continues to support the global cyber security community through S-CURE the company he founded in 1998. Don created the SIM3 maturity model for CSIRTs, is a sought-after keynote speaker and also finds the time to do executive coaching and psychotherapy with a limited set of clients.
Don Stikvoort MSc.In 1988 Don joined the Dutch national research network SURFnet, after studying physics and serving as army officer. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert between 1992-8, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership: he was program chair for the FIRST conference in Australia in 1999, initiated the FIRST Secretariat, is a longtime member of the Membership Committee and co-chair of the Traffic Light Protocol SIG. In 1998 he co-wrote the ‘Handbook for Computer Security Incident Response Teams (CSIRTs)’. Don continues to support the global cyber security community through S-CURE the company he founded in 1998. Don created the SIM3 maturity model for CSIRTs, is a sought-after keynote speaker and also finds the time to do executive coaching and psychotherapy with a limited set of clients.More info: see https://www.first.org/hof/inductees
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.He was elected as a member of the FIRST Steering Committee in 1997 and had been on the committee until 2005, being re-elected three times and served the two last years as Chair of the FIRST Steering Committee. Frequently he has been involved with FIRST Conferences as volunteer, organizer and presenter or served on the program committee. In 2015 he was representing the local host of the FIRST Conference in Berlin, in 2017 he was the Program Chair for the FIRST Conference on Puerto Rico.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.He was elected as a member of the FIRST Steering Committee in 1997 and had been on the committee until 2005, being re-elected three times and served the two last years as Chair of the FIRST Steering Committee. Frequently he has been involved with FIRST Conferences as volunteer, organizer and presenter or served on the program committee. In 2015 he was representing the local host of the FIRST Conference in Berlin, in 2017 he was the Program Chair for the FIRST Conference on Puerto Rico.Together with Don Stikvoort he developed the accreditation and certification frameworks for CERTs and security teams including the now commonly accepted SIM3 maturity model adopted by ENISA and now maintained by the openCSIRT Foundation. Since 2011 he coordinates the Trusted Introducer framework providing infrastructure services, accreditation and certifications to nearly 400 security, product security and incident response teams internationally. Through the Trusted Introducer service and the support of his university he promotes and supports approaches like SIM3 or emerging frameworks or taxonomies for CERTs, most namely the “FIRST CSIRT Services Framework” and the “eCSIRT Incident Taxonomy”, which goes back to the eCSIRT.net project of 2003 successfully lead by him.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.He was elected as a member of the FIRST Steering Committee in 1997 and had been on the committee until 2005, being re-elected three times and served the two last years as Chair of the FIRST Steering Committee. Frequently he has been involved with FIRST Conferences as volunteer, organizer and presenter or served on the program committee. In 2015 he was representing the local host of the FIRST Conference in Berlin, in 2017 he was the Program Chair for the FIRST Conference on Puerto Rico.Together with Don Stikvoort he developed the accreditation and certification frameworks for CERTs and security teams including the now commonly accepted SIM3 maturity model adopted by ENISA and now maintained by the openCSIRT Foundation. Since 2011 he coordinates the Trusted Introducer framework providing infrastructure services, accreditation and certifications to nearly 400 security, product security and incident response teams internationally. Through the Trusted Introducer service and the support of his university he promotes and supports approaches like SIM3 or emerging frameworks or taxonomies for CERTs, most namely the “FIRST CSIRT Services Framework” and the “eCSIRT Incident Taxonomy”, which goes back to the eCSIRT.net project of 2003 successfully lead by him.Prof. Dr. Kossakowski helped considerably to raise the awareness for CERTs concentrating on international issues, information sharing and coordinated cooperation, and establishing an international infrastructure for Cyber Defense.
Prequel: to follow the morning training is strongly recommended, unless the delegate already has good working knowledge of SIM3.
This session is aimed at more experienced teams, who may also act as FIRST membership sponsors. How to use SIM3 to become more mature is discussed, and also how SIM3 works as part of the membership process. Emphasis is on the sponsor perspective.
Trainers: Don Stikvoort, Klaus-Peter Kossakowski - both on behalf of Open CSIRT Foundation
June 26, 2022 13:00-17:00
- FR DE PL
SIM3 Training Morning Session: Measuring and Improving Your Team's Maturity Using SIM3
Olivier CaleffKlaus-Peter KossakowskiMiroslaw MajOlivier Caleff (ERIUM, FR), Klaus-Peter Kossakowski (Univ. of Applied Sciences, Hamburg, Germany, DE), Miroslaw Maj (ComCERT.PL, PL)
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.He was elected as a member of the FIRST Steering Committee in 1997 and had been on the committee until 2005, being re-elected three times and served the two last years as Chair of the FIRST Steering Committee. Frequently he has been involved with FIRST Conferences as volunteer, organizer and presenter or served on the program committee. In 2015 he was representing the local host of the FIRST Conference in Berlin, in 2017 he was the Program Chair for the FIRST Conference on Puerto Rico.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.He was elected as a member of the FIRST Steering Committee in 1997 and had been on the committee until 2005, being re-elected three times and served the two last years as Chair of the FIRST Steering Committee. Frequently he has been involved with FIRST Conferences as volunteer, organizer and presenter or served on the program committee. In 2015 he was representing the local host of the FIRST Conference in Berlin, in 2017 he was the Program Chair for the FIRST Conference on Puerto Rico.Together with Don Stikvoort he developed the accreditation and certification frameworks for CERTs and security teams including the now commonly accepted SIM3 maturity model adopted by ENISA and now maintained by the openCSIRT Foundation. Since 2011 he coordinates the Trusted Introducer framework providing infrastructure services, accreditation and certifications to nearly 400 security, product security and incident response teams internationally. Through the Trusted Introducer service and the support of his university he promotes and supports approaches like SIM3 or emerging frameworks or taxonomies for CERTs, most namely the “FIRST CSIRT Services Framework” and the “eCSIRT Incident Taxonomy”, which goes back to the eCSIRT.net project of 2003 successfully lead by him.
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.Since 1998 he is continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the “CSIRT Handbook” in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI for which he worked as visiting scientist from 1998 to 2011.He was elected as a member of the FIRST Steering Committee in 1997 and had been on the committee until 2005, being re-elected three times and served the two last years as Chair of the FIRST Steering Committee. Frequently he has been involved with FIRST Conferences as volunteer, organizer and presenter or served on the program committee. In 2015 he was representing the local host of the FIRST Conference in Berlin, in 2017 he was the Program Chair for the FIRST Conference on Puerto Rico.Together with Don Stikvoort he developed the accreditation and certification frameworks for CERTs and security teams including the now commonly accepted SIM3 maturity model adopted by ENISA and now maintained by the openCSIRT Foundation. Since 2011 he coordinates the Trusted Introducer framework providing infrastructure services, accreditation and certifications to nearly 400 security, product security and incident response teams internationally. Through the Trusted Introducer service and the support of his university he promotes and supports approaches like SIM3 or emerging frameworks or taxonomies for CERTs, most namely the “FIRST CSIRT Services Framework” and the “eCSIRT Incident Taxonomy”, which goes back to the eCSIRT.net project of 2003 successfully lead by him.Prof. Dr. Kossakowski helped considerably to raise the awareness for CERTs concentrating on international issues, information sharing and coordinated cooperation, and establishing an international infrastructure for Cyber Defense.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL)
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities. Founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, a former leader of CERT Polska team. The member of the Digital In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities and building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities. Founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, a former leader of CERT Polska team. The member of the Digital In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities and building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.European Network Information Security Agency expert and co-author of many ENISA publications including CERT exercises and papers on improvement CSIRT maturity. He organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for most essential sectors (e.g energy, banking, telecommunication). Speaker on many international conferences including the FIRST conferences. He is also the originator and organiser Security Case Study conference, one of the largest cybersecurity event in Poland.
This session is aimed at both starting and experienced teams, who do not have much experience yet with using SIM3 to assess their team's maturity levels. SIM3 is introduced and explained in short, including FIRST's adoption of SIM3 for the membership process. The goal of SIM3 is to help you improve your team's maturity, and set goals and timelines for doing so.
Trainers: Don Stikvoort, Olivier Caleff, Miroslaw Maj, Klaus-Peter Kossakowski - all on behalf of Open CSIRT Foundation
June 26, 2022 09:30-12:00
- DETLP:CLEAR
Speed is key: Leveraging the Cloud for Forensic Artifact Collection & Processing
Lukas KleinChristian KoeppLukas Klein (SAP, DE), Christian Koepp (SAP, DE)
Lukas Klein is an Incident Response Analyst at SAP. In his two years at SAP, he’s been working on various topics ranging from improved visibility to forensic artifact collection and processing. Before joining SAP, he earned a Master’s degree in Security and Cloud Computing.
Christian Koepp is the Head of Incident Response EMEA at SAP. He previously worked in Cybersecurity R&D and was part of Siemens Corporate Technology where he worked in the Computer Emergency Response Team for five years. Before joining SAP, Christian ramped up a Security Operation Center to protect critical infrastructure in the utilities sector in Canada.
June 27, 2022 11:45-12:20
MD5: 97038bcf107a5dfcd01c4678e19dbf9a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.21 Mb
Sponsor Showcase & Networking Reception
Join us for this networking reception with our sponsors! Grab your Passport to Prizes raffle card and network with our participating sponsors for a chance to win some cool gear during Friday's closing remarks. Several of our sponsors will be raffling off their own goodies as well--be sure to check out your digital swag bag for those offers and sign-ups! Beverages and light snacks will be provided.
June 27, 2022 17:15-19:15
- JPTLP:AMBER
Super Easy Memory Forensics - You Can "Mount" Memory Images and Analyze them with Explorer and Notepad
Hiroshi SuzukiHisao NashiwaHiroshi Suzuki (Internet Initiative Japan Inc., JP), Hisao Nashiwa (Internet Initiative Japan Inc., JP)
Hiroshi Suzuki is a malware analyst, a forensic investigator, an incident responder and a researcher, working for a Japanese ISP, Internet Initiative Japan Inc. He is a member of IIJ-SECT, which is the private CSIRT of his company. He is especially interested in targeted attacks, their RATs and their attack tools, such as PlugX, Mimikatz and so on. He has over 16 years dedicated to these areas. He has been a speaker and a trainer for international conferences such as Black Hat (USA, Europe, Asia and Japan), Virus Bulletin, and FIRST conference (Annual and TC) multiple times.
Hisao Nashiwa is a threat analyst, working for Internet Initiative Japan as a CSIRT member of the company. His main jobs include incident response, analyzing malware and analyzing network traffic. He has observed malicious activities for over ten years. He researches cyber crimes, He has eight years of experience and knowledge in analyzing malware. He has been a speaker and a trainer for international conferences such as Black Hat and FIRST (Annual and TC) multiple times.
Memory forensics is mainly used to discover malware infection on a machine rapidly. Although Volatility Framework is the de-facto standard tool, the version 3 is unstable and still needs to be matured more. And, it does not support CompressedMemory pages and swap files.In this workshop, we will use a relatively new tool, called MemProcFs, although we will also use Volatility Framework in some situations. MemProcFs can "mount" a memory image like a disk image. You can check each process memory space as a file, even each segment on a process memory. You can easily check analysis results with common applications such as explorer and notepad. MemProcFs can handle page files and CompressedMemory pages as well. Being able to load swap files would be very useful if reflective PE injection techniques were used. It is because, the PE header of a loaded PE image with the technique will be paged out. You will feel the power of the analysis with swap files.
June 28, 2022 11:00-17:10
- BETLP:CLEAR
The Blue Side of Documentation
Nicholas DhaeyerNicholas Dhaeyer (NVISO Security, BE)
Nicholas is a SOC analyst at NVISO and self-proclaimed data hoarder. His hoarding skills have been valuable in creating and maintaining the documentation and training program of the NVISO SOC team. His day-to-day activity involves analysing security threats, looking for Indicators Of Compromise, writing allow-lists. Within the SOC team, Nicholas is responsible for standardizing and structuring daily operational workflows. Next to his professional work, Nicholas has interests in a number of other activities, like setting up a home lab and troubleshooting all problems that come with it. Nicholas hosts a community for students where they can collaborate, ask questions to other students and alumni and share their knowledge of experience and job offers/internships with each other. Nicholas is also familiar with hackerspaces to teach kids the wonders of cybersecurity, ranging from broad topics like lock picking to forensically analysing a USB disk.
Missing documentation, processes or resources? With this presentation we want to give you some insights on how to improve your documentations skills. In current remote-working times its crucial to be organized and to structure your day. No matter what your position in the company is, everyone needs to take notes of something or has to document something. In this presentation you'll learn tips & tricks to keeps your notes and documentation short, simple and usable. As an added bonus we'll be going over maintaining and managing this knowledgebase in a live environment.
June 30, 2022 10:15-10:50
02-TheBlueSideofDocumentation-Dhaeyer.pdf
MD5: 4cde64472c8e1dfecafaf56a1253e2ad
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.55 Mb
- SETLP:CLEAR
The SolarWinds Supply Chain Compromise
Erik HjelmvikErik Hjelmvik (Netresec, SE)
Erik Hjelmvik is an incident responder and software developer who has spent most of his career analyzing network traffic from malware and intrusions. He started analyzing network traffic from a security perspective while working at the R&D department a major energy company, where he focused on SCADA and industrial control system security. Erik has also worked as an incident responder at the Swedish Armed Forces CERT, where he got the chance to focus even more on network forensics and network security monitoring. Nowadays Erik runs the company Netresec where he develops software, such as NetworkMiner and PolarProxy, for doing network forensics.
Software supply chain attacks have received a great deal of attention after the SolarWinds hack was discovered in December 2020. In this presentation Erik dives deep into the functionality of the malicious SolarWinds Orion update in order to explain how the attackers managed to avoid detection for so long as well as to show how the attackers leveraged DNS based command-and-control traffic to their advantage. The talk also provides guidance on what can be done to protect against supply chain attacks, such as the SolarWinds hack.
June 27, 2022 16:35-17:10
MD5: bdda556df9bf6e92474f8747c162c329
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.71 Mb
- NOTLP:CLEAR
There is No TTP
Martin EianMartin Eian (mnemonic, NO)
Dr. Martin Eian is a Researcher at mnemonic. He has more than 20 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security.
Do not try and detect the TTP. That's impossible. Instead, only try to realize the truth.There is no TTP. It is either a tactic, a technique, or a procedure. The MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) knowledge base has become the de facto industry standard for tactical threat intelligence. But if we look closely, it only covers one of the Ts in TTPs: techniques. This presentation challenges some common "known truths" about tactics, techniques and procedures, and suggests steps to improve detection, response and attribution. The aim is to trigger discussion and highlight what we don't know.
July 1, 2022 09:30-10:05
MD5: d45f2c7f09e3483a8056c51f55af503e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.67 Mb
- US
Threat-Informed Defense Workshop
Desiree BeckMike CunninghamKellyn Wagner RamsdellJon BakerDesiree Beck (The MITRE Corporation, US), Mike Cunningham (MITRE Engenuity, US), Kellyn Wagner Ramsdell (MITRE Corporation, US), Jon Baker (MITRE, US)
Desiree Beck is a principal cybersecurity engineer at the MITRE Corporation and is the project leader for the Attack Flow project within the Center for Threat Informed Defense, a non-profit, privately funded research and development organization operated by MITRE Engenuity. She also leads the Malware Behavior Catalog (MBC) project, a malware-centric supplement to MITRE ATT&CK, and supports the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) efforts. Dez lives in Northern California and holds a PhD in mathematics from the University of California, San Diego.
Mike Cunningham is a Lead Cyber Operations Engineer at the MITRE Corporation. He currently conducts ATT&CK-based research in the Center for Threat Informed Defense and as part of the ATT&CK Evaluations team. When he's not researching new ways to implement ATT&CK, Mike helps bring Adversary Emulation to MITRE's government sponsors. Before joining MITRE, Mike worked as an Interactive On-Net operator in the infamous Tailored Access Operations at the NSA.
Mike Cunningham is a Lead Cyber Operations Engineer at the MITRE Corporation. He currently conducts ATT&CK-based research in the Center for Threat Informed Defense and as part of the ATT&CK Evaluations team. When he's not researching new ways to implement ATT&CK, Mike helps bring Adversary Emulation to MITRE's government sponsors. Before joining MITRE, Mike worked as an Interactive On-Net operator in the infamous Tailored Access Operations at the NSA.When Mike is not performing cybersecurity research, he loves hanging in his backyard in sunny San Diego with his wife while his three girls run around and play.
Kellyn Wagner Ramsdell is a Senior Cyber Threat Intelligence Analyst at the MITRE Corporation. At MITRE, she splits her time across documenting how to do cyber threat intelligence (CTI), discovering new ways to do CTI, and actually developing/writing CTI. Kellyn began her career in local government combining intelligence analysis and incident response, often in response to ransomware attacks. When not knee-deep in CTI, Kellyn can typically be found hiking with her dog or climbing with her husband.
As the General Manager for the Center for Threat-Informed Defense, Jon Baker is responsible for the Center’s strategy and its outcomes as he convenes the global cybersecurity community to advance the state of the art and the practice in threat-informed defense. Jon co-founded the Center as a privately funded research and development organization where he partners with sophisticated cybersecurity teams to systematically advance the global understanding of adversary tradecraft and apply that knowledge to improve the community’s ability to defend against those threats.
As the General Manager for the Center for Threat-Informed Defense, Jon Baker is responsible for the Center’s strategy and its outcomes as he convenes the global cybersecurity community to advance the state of the art and the practice in threat-informed defense. Jon co-founded the Center as a privately funded research and development organization where he partners with sophisticated cybersecurity teams to systematically advance the global understanding of adversary tradecraft and apply that knowledge to improve the community’s ability to defend against those threats. Jon has extensive experience leading research teams and collaborating with industry to advance cybersecurity capabilities. Most recently, he led MITRE’s Cyber Threat Intelligence and Adversary Emulation Department where he was responsible for advancing those critical capabilities across MITRE’s work program and overseeing MITRE’s work on CALDERA and MITRE ATT&CK®. Jon led MITRE’s team in the early development of the OASIS STIX and TAXII standards while supporting the Department of Homeland Security. Jon led MITRE’s security automation team through the development of SCAP and managed the CVE team. He was a cocreator of OVAL, a standard language for describing and checking for the presence of misconfigurations, vulnerabilities, and other endpoint artifacts.
As the General Manager for the Center for Threat-Informed Defense, Jon Baker is responsible for the Center’s strategy and its outcomes as he convenes the global cybersecurity community to advance the state of the art and the practice in threat-informed defense. Jon co-founded the Center as a privately funded research and development organization where he partners with sophisticated cybersecurity teams to systematically advance the global understanding of adversary tradecraft and apply that knowledge to improve the community’s ability to defend against those threats. Jon has extensive experience leading research teams and collaborating with industry to advance cybersecurity capabilities. Most recently, he led MITRE’s Cyber Threat Intelligence and Adversary Emulation Department where he was responsible for advancing those critical capabilities across MITRE’s work program and overseeing MITRE’s work on CALDERA and MITRE ATT&CK®. Jon led MITRE’s team in the early development of the OASIS STIX and TAXII standards while supporting the Department of Homeland Security. Jon led MITRE’s security automation team through the development of SCAP and managed the CVE team. He was a cocreator of OVAL, a standard language for describing and checking for the presence of misconfigurations, vulnerabilities, and other endpoint artifacts. Jon holds a Master's in Computer Science from Boston University and a Bachelor’s in Psychology from Tufts University.
2 hrs – Modeling and attack with Attack Flow
1 hr - Extending and Customizing MITRE ATT&CK with the ATT&CK Workbench
2 hrs – Making CTI Actionable – CTI to controls to control validation
1 hr – Center for Threat-Informed Defense R&D DiscussionJune 26, 2022 09:30-16:30
- IETLP:CLEAR
Threats versus Capabilities - Building Better Detect and Respond Capabilities
Thomas FischerThomas Fischer (Riot Games, IE)
Thomas has over 35 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at fortune 500 companies, vendors and consulting organisations. While currently focused on SecOps, Thomas continues as a security advocate and threat researcher focused on understanding data protection activities against malicious parties and continuous improvement in the incident response process. Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, and regular shares at events like SANS DFIR EMEA, DeepSec, Shmoocon, ISSA, and various BSides events.
CERT and IR teams keep adding tools to their portfolios and are pushed by vendors to adopt new technologies or the latest buzzword. Teams adopt frameworks like MITRE ATT&CK which provide TTPs; but are these relevant to what you need to actually detect? All this is very generic and may or may not help teams defend their organizations; as defenders a key to success needs to be our capability to defend against threats that target our organizations. Can we do things better? This session will introduce a methodology and process to help teams build better detect and response based on mapping required data points, creating a gap analysis and prioritizing requirements independently of tooling. Teams will then be able to use this analysis to identify the right tools needed to defend their organization and implement a process of continuous improvement and tool alignment.
June 28, 2022 15:50-16:25
FIRST2022ThreatsversusCapabilities.pdf
MD5: b93ff80e3598b372884894b5a376ae54
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.7 Mb
- DE ATTLP:CLEAR
Timing is Everything: Generic Trigger Events for Malware Memory Dumping
Mateusz LukaszewskiPatrick StaubmannMateusz Lukaszewski (VMRay, DE), Patrick Staubmann (VMRay, AT)
Mateusz is part of the Threat Analysis team at VMRay and is responsible for investigating the threat landscape, improving detection capabilities and implementing configuration extractors. He is especially interested in reverse-engineering, low-level system security and exploitation.
Patrick Staubmann joined VMRay as a threat researcher back in 2019. As part of the Threat Analysis team, he continuously researches the threat landscape and conducts analyses of malware samples in depth. To further improve the companies’ product, he also extends its detection capabilities in form of behaviour-based rules, YARA rules, and configuration extractors.
During malware analysis, we typically deal with packed, or otherwise obfuscated malware. To identify malware families, extract malware configurations and understand the inner workings of malware without manual unpacking, we need to dump its unpacked code and data from memory.Though the idea of memory dumping is simple, it's challenging to find exactly what events should trigger memory dumping in a way that is generic, covers most malware families, but does not cause too many unnecessary memory dumps.We have researched many malware families and arrived at a minimal set of memory dump trigger events that achieve good coverage of common malware. In this talk we share these memory dump trigger events, the pitfalls we found when trying to define them, and show some examples of the malware families they work against.
June 30, 2022 09:30-10:05
- FRTLP: GREEN
TLP and PAP: Just the Two of Us...(to Enforce ANSSI's Sharing Policy)
Claire AndersonThomas FontvielleClaire Anderson (ANSSI, FR), Thomas Fontvielle (ANSSI, FR)
Claire Anderson, Head of IoC management UNIT, ANSSI
Claire Anderson, Head of IoC management UNIT, ANSSIClaire joined the ANSSI in 2016 where she first worked in the regulatory framework management unit. In 2020, she joined the IOC management unit within the operations department. This unit aims at improving the management and sharing of IoC both internally and with the ANSSI's partners and beneficiaries. Before joining ANSSI, Claire worked for ten years in the field of energy, where she was head of compliance, risks and regulation of the French gas exchange. She is a law graduate of Cambridge and Paris II universities.
Thomas joined the ANSSI in July 2021 as International Cooperation Officer, furthering data sharing and relationships with partners. Before that, he managed and helped develop Signal Spam, the French National Spam Reporting Center as General Secretary for 10 years.
Presentation of the information sharing policy of ANSSI (France), which aims at providing an easily interpretable framework for both sharing and using CTI, taking into account the wide variety of entities that can receive it as well as the ease of use needed by the analysts.
July 1, 2022 10:15-10:50
- US NL CATLP:CLEAR
Traffic Light Protocol 2022: Updates for An Improved Sharing Experience
Tom MillarDon StikvoortTed NormintonTom Millar (CISA, US), Don Stikvoort (Elsinore, NL), Ted Norminton (CCCS, CA)
Mr. Millar has been apart of the US Cybersecurity and Infrastructure Security Agency (CISA) for 12 years working to strengthen the agency's information sharing capabilities, increasing the level of public, private and international partner engagement, and supporting initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master's of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
Don Stikvoort MSc.
Don Stikvoort MSc.In 1988 Don joined the Dutch national research network SURFnet, after studying physics and serving as army officer. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert between 1992-8, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership: he was program chair for the FIRST conference in Australia in 1999, initiated the FIRST Secretariat,
Don Stikvoort MSc.In 1988 Don joined the Dutch national research network SURFnet, after studying physics and serving as army officer. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert between 1992-8, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership: he was program chair for the FIRST conference in Australia in 1999, initiated the FIRST Secretariat, is a longtime member of the Membership Committee and co-chair of the Traffic Light Protocol SIG. In 1998 he co-wrote the ‘Handbook for Computer Security Incident Response Teams (CSIRTs)’. Don continues to support the global cyber security community through S-CURE the company he founded in 1998. Don created the SIM3 maturity model for CSIRTs, is a sought-after keynote speaker and also finds the time to do executive coaching and psychotherapy with a limited set of clients.
Don Stikvoort MSc.In 1988 Don joined the Dutch national research network SURFnet, after studying physics and serving as army officer. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert between 1992-8, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership: he was program chair for the FIRST conference in Australia in 1999, initiated the FIRST Secretariat, is a longtime member of the Membership Committee and co-chair of the Traffic Light Protocol SIG. In 1998 he co-wrote the ‘Handbook for Computer Security Incident Response Teams (CSIRTs)’. Don continues to support the global cyber security community through S-CURE the company he founded in 1998. Don created the SIM3 maturity model for CSIRTs, is a sought-after keynote speaker and also finds the time to do executive coaching and psychotherapy with a limited set of clients.More info: see https://www.first.org/hof/inductees
Ted Norminton (CCCS) manages the Operational Relationships team for the Canadian Centre for Cyber Security, promoting domestic and international cooperation. Over his 30 year career he has been a programmer, database designer, business analyst and during major part of the past decade has focussed on operational coordination and cyber planning for major events, as well as providing practical advice for cyber policy makers in the government of Canada. Ted is an active member of the Traffic Light Protocol SIG and will be the program chair for the 2023 annual FIRST conference in Montreal.
Since 2018, the FIRST Traffic Light Protocol Special Interest Group (TLP-SIG) has been working on updating the FIRST TLP standard to comply with the current FIRST Standards Policy and to better reflect the needs of TLP's most frequent users. Some changes were also necessary to simply reflect the changes in the world we live in. The result is a new FIRST TLP for 2022: an evolution, not a revolution, but a standard we hope the worldwide CSIRT and PSIRT community will embrace and find even more effective than its predecessor. In this panel, members of the SIG will present the updated version, highlighting the significant changes, explain why they were made, and take questions from the audience to help clarify the value of the updated TLP.
June 27, 2022 14:00-15:20
- GBTLP:AMBER
Use of Public Data, OSINT and Free Tools in National CSIRTs: Findings from a Systematic Literature Review and an Empirical Study
Sharifah RoziahSharifah Roziah (School of Computing, University of Kent, GB)
Sharifah is a second-year PhD Computer Science student at the School of Computing, University of Kent, UK, focusing on research in the area of cyber security. Sharifah is also a Specialist in Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia, a registered and semi-government entity in Malaysia. Her research interest is primarily in computer security incident response and cyber threat intelligence.
National CSIRTs use public data, open-source intelligence (OSINT) and free tools for incident responses but very little is known about how such data and tools are actually used and perceived by the staff of national CSIRTs in operational practices. Therefore, an online survey and semi-structured interviews with 13 national CSIRTs across Asia, Europe, Caribbean and North America were conducted to gain detailed insights on how public data, OSINT and free tools are used and perceived by staff in national CSIRTs. This led to three main findings. First, the active use of public data, OSINT and free tools by national CSIRT staff was confirmed - all participants had used public data for incident investigation. Second, the majority (92%) of participants perceived public data, OSINT and free tools are useful in their operational practices. Third, there is a number of operational challenges regarding the use of public data, OSINT and free tools that need to be addressed with further research.and Public information and systematic discussions regarding how public data and free tools are used and perceived by staff in national CSIRTs are lacking. Hence, this study provides a systematic literature review (SLR) to understand deeply how national CSIRTs use and perceive public data and free tools in the operations. Our SLR method follows three stages. In Stage 1 we searched the websites of 100 national CSIRTs and 11 cross CSIRT organisations. In Stage 2 we searched the Scopus scientific database and identified 20 relevant research papers. In Stage 3 we synthesised results from the above two stages to achieve a more complete understanding of the topic studied. We found most discussions concerning the use of public data and free tools in national CSIRTs are incomplete and largely fragmented. How staff of national CSIRTs perceive the usefulness of public data and free tools is also lacking.
June 30, 2022 14:15-14:50
- US DETLP:CLEAR
VEXed by Vulnerabilities That Don't Affect Your Product? Try This!
Allan FriedmanThomas SchmidtAllan Friedman (CISA, US), Thomas Schmidt (BSI, DE)
Allan Friedman is the guy who won't shut up about SBOM at the Cybersecurity and Infrastructure Security Administration. He coordinates the global cross-sector community efforts around software bill of materials (SBOM), and works to advance its adoption inside the US government. He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics. Prior to joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard's Computer Science department, the Brookings Institution, and George Washington University's Engineering School. He is the co-author of the popular text "Cybersecurity and Cyberwar: What Everyone Needs to Know", has a degree in computer science from Swarthmore college, and a PhD in public policy from Harvard University. He is quite friendly for a failed-professor-turned-technocrat.
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITION/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
Vulnerabilities in soft- and hardware have become a growing concern in the supply chain. Therefore, organisations developing products invest into new security programs, doing security assessments of their products, analysing the results and publishing security advisories. Also the community of security researchers contributes to this process by actively searching for vulnerabilities in widely used components.
However, as SBOMs become more widespread, many of the results can be “false positives,” as the underlying component vulnerability isn’t actually exploitable. Vendors and users will have to prioritize and process this information.This talk gives an overview of the Vulnerability Exploitability eXchange (VEX). VEX allows software providers and PSIRTs to explicitly communicate that their software is *not* affected by a vulnerability. Built on the OASIS Common Security Advisory Framework (CSAF), VEX will increase SBOM adoption. It also helps in propagating information faster through the supply chain.
June 30, 2022 11:20-11:55
FIRSTfriedmanschmidtvexcsafemail.pptx
MD5: 0049f4710879db87c275d7f08f0d7280
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 3.19 Mb
- LUTLP:CLEAR
Watching Webpages in Action with Lookyloo
Raphaël VinotQuinn NortonRaphaël Vinot (CIRCL - Computer Incident Response Center Luxembourg, LU), Quinn Norton (N/A, LU)
Raphaël Vinot is a security researcher at the Computer Incident Response Center Luxembourg (CIRCL) since 2012. Raphaël wants to increase the IT consciousness of the human beings populating the internet in order to make it safer for everyone. His day job is a mixture of forensic and malware analysis with a lot of Python on top of it to glue all the pieces together. He loves sharing and thinks everyone should contribute to open source projects.
Quinn Norton is a writer who likes to hang out in the dead end alleys and rough neighborhoods of the Internet, where bad things can happen to defenseless little packets. She started studying hackers in 1995, after a wasted youth of Usenet and BBSing. Her writing tends towards science and technology, and her projects tend towards supporting journalists and activists. She has covered sci/tech, copyright law, robotics, body modification, digital politics, culture, and medicine, but no matter how many times she tries to leave, she always comes back to hackers.
Websites can be chaotic: huge, crufty, full of tracking, or bugginess, or both. Sometimes they're downright malicious. We're making them easier to understand with Lookyloo, an open source forensics tool for investigating websites -- in motion. Lookyloo allows you to see all the parts of a webpage and how they're working together, exposing the underlying structure of websites in ways that let you not only understand them, but also collect and correlate useful information about the web over time.
June 27, 2022 15:50-16:25
Welcome Reception
All registered attendees are welcome to join! Located on Level 3 of the CCD. Come network with your peers and stop by our various meet and greet tables that will include: participating Special Interest Groups, SEI CERT/CC, and FIRST Membership. Beverages and light appetizers will be provided. Registration will be open during the reception.
June 26, 2022 18:00-20:00
- FRTLP:CLEAR
Welcome to FIRST Newbie Session
Olivier CaleffOlivier Caleff (ERIUM, FR)
Are you new to FIRST, new to the conference, or interested in membership? Join this useful informational session to help you navigate and make the most of your week's participation.
June 26, 2022 17:30-18:00
- GBTLP:CLEAR
Who Do You Think You Are?
Stuart MurdochStuart Murdoch (Surevine, GB)
Stuart Murdoch is Founder and CEO of Surevine, one of the UK's leading Cyber security companies. Surevine specialises in smart and secure collaboration technology for the National, Homeland and Cyber Security domain, and is relied on by the UK Government to keep them one step ahead of the cyber threat. Stuart is a Chartered Engineer with a BSc in Computer Science from Royal Holloway, home of the world-leading Information Security Group, and an advanced MSc in Computing from Imperial College, London. He is a guest lecturer at the University of Surrey, a professional member of the BCS (British Computer Society), a member of the IoD (Institute of Directors) and a Liveryman at the Worshipful Company of Information Technologists. He is a published author in the field of cyber security, most recently as a contributor to The Oxford Handbook of Cyber Security (Oxford University Press, 2021)
“Who do you think you are?” is a popular TV series, franchised globally, in which celebrities trace their family trees, often uncovering unsavoury ancestors. This session, will stretch the analogy to its breaking point, using the format of that engaging TV programme to dig up the “family trees” of information sharing:
• Tracing the links between the standards used in information sharing and their evolution and adoption
• Super-imposing the growth of information sharing organisations and the historical events and legislation which has often led to their creation
Along the way, we will hope to uncover some “skeletons in the closet” and won’t shy away from airing our dirty laundry.June 27, 2022 15:50-16:25
04-WhodoYouThinkYouare-Murdoch.pdf
MD5: 2009c59a856883b960d098d8de0715e1
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.28 Mb
murdoch_161_who_do_you_think_you_are_first2022_v2.pdf
MD5: 2248bcd4125fbb8cb02968d852d2fe44
Format: application/pdf
Last Update: June 7th, 2024
Size: 15.36 Mb
- NLTLP:CLEAR
Who Shares Wins
Jaap van OssJaap van Oss (Citi Cyber Intelligence Centre (CIC), NL)
Jaap van Oss (Dutch, 19-11-1964) recently joined Citi's Cyber Intelligence Center (CIC) as the Cyber Intelligence Lead for EMEA. He is responsible for the Partnership & Engagement in the EMEA region, with particular focus on keeping the European Cyber Threat Picture up to date. Jaap van Oss gained his Cyber-experience in a substantial career in Law Enforcement; as a Chief Inspector at the Dutch High Tech Crime Unit and as a Senior Specialist at the European Cybercrime Centre (EC3) at Europol. For EC3 he also drafted the Darkweb strategy. Previous to his jump to private industry, Jaap was the Chairman of the Joint Cybercrime Action Taskforce (J-CAT), an international group of Cyber investigators developing and coordinating cross-border Cyber operations and investigations. In 2016 Jaap graduated from the FBI National Academy where he honed his leadership skills. Furthermore, he holds a degree in Technology Assessment at the Technical University Eindhoven (NL) and he obtained his Masters in Computer Forensics and Cybercrime Investigations at the UCD in Dublin (IE). The topic of his dissertation, "Cybercriminal Organisation", is still a very present-day topic in the fight against cybercrime.
Sharing threat intelligence, information, analysis and other insight in our possession, and collaborating with our peers and other external contacts who may be facing the same threats are a key aspect of a dynamic, intelligence-driven cybersecurity and information security program. Intelligence sharing and collaboration help peer financial institutions and other external partners to prevent, detect and respond to cyber incidents and threats, strengthening our joint defenses and strengthening the broader financial and cyber ecosystems.
However, whilst many organizations firmly support intelligence sharing, and aspire to become good citizens and to actively share with others - there are often internal, organizational barriers, perceived barriers and limiting factors, and very few organizations achieve an effective and efficient level and consistency, of sharing and collaboration. This, we argue, is limiting the amount of valuable insight being shared directly between peers, and via existing sharing groups and communities; and this in turn is slowing the development of cross-sector, multi-agency, multi-disciplinary collaboration.
Through our Cyber Intelligence Centre Partnership and Engagement team, we made a determined effort to examine and address the internal barriers and to create a program, policies and processes to facilitate efficient, effective, safe and scalable external intelligence-sharing, with legal, regulatory and supervisory oversight. We call our program ‘Who Shares Wins’ and we’d like to present some of the details.June 30, 2022 12:05-12:40
MD5: 6225e49cc5383aa50b56a0540f703e45
Format: application/pdf
Last Update: June 7th, 2024
Size: 3 Mb
- GBTLP:CLEAR
Yet Another YARA Workshop
David CanningsJohn SouthworthDavid Cannings (PwC UK, GB), John Southworth (PwC UK, GB)
David is a Director of Incident Response at PwC UK, and leads the capability development function for building scalable capability to detect and investigate cyber attacks. He also works within threat intelligence, applying his reverse engineering skills to understand the techniques of China-based threat actors, and develop YARA rules to track them.
John is a Principal Threat Intelligence Analyst at PwC UK, who focuses on tracking advanced persistent threat actors based in the Asia-Pacific region. His main focus in his research is tracking threat actors through the malware families they use, and making the most of YARA to hunt for the latest activity.
The ability to detect and classify malware samples lends defenders a significant advantage wherever they sit in a Blue Team: it can aid analysts to quickly triage suspicious samples, and help threat intelligence analysts cluster artefacts to draw out and understand intrusion sets. With YARA, rules can be written for both of these objectives, which also allow for easy/convenient ways to share indicators of compromise and context with other defenders.In this workshop, we will cover the topic of writing YARA rules from the very basics, starting with YARA's syntax, how to write rules, and how to run YARA against samples; but we will build up to a solid, versatile, and directly applicable foundation that attendees can use for everyday hunting, right after the workshop. We will dive into techniques for writing good YARA rules, including how to pick and choose unique strings/code blocks, and how to make the best use of YARA modules to give you even more versatile options to write better, and targeted rules.We will also share with participants some case studies of how we have used YARA rules in our day jobs as threat intelligence analysts to track malware families deployed by both advanced persistent threats (APTs), and cyber crime threat actors. With the commercial tools available that integrate YARA, writing a good suite of rules can allow defenders to keep on top of the latest activity in threat actors, respond faster to new campaigns, and even find code overlaps between malware families.
June 29, 2022 11:00-13:05
- RUTLP:CLEAR
Your Phone is Not Your Phone: A Dive Into SMS PVA Fraud
Vladimir KropotovVladimir Kropotov (Trend Micro, RU)
Vladimir Kropotov is a researcher with Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Mobile phones are the inseparable part of our lives. Mobile phone numbers are often used in place of user identity on many online services, from e-commerce to online banking and government portals. Mobile phone numbers in many countries are required to be verified through national identity documents and often used in place of a national identity token. Many of the social media and online messaging rely on accounts to be verified through user phone - so called phone verified accounts (PVA). But can they be trusted? We analyzed a number of PVA provision services and uncovered the whole flow of operation of such services - from sourcing the messages via pre-infected phones, to how those devices are "horded" and sold in bulk via online portals. The fraud group that we investigated claims to control over 20M devices distributed across 180 countries and monetizes their "farm" of infected devices through ad fraud and SMS access sale. Further, we also investigated the criminal use of disposable SMS services and identified a number of fraudulent campaigns including romance scams, stock and brand manipulation and inauthentic online behavior. The presentation covers a number of use cases detailing these incidents.
June 27, 2022 11:45-12:20
FIRSTCON22-Yourphoneisnotyourphone_pub.pdf
MD5: 747d8850a5d4556478c0e78100694f00
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.96 Mb