Program Agenda
Check out the recorded TLP:CLEAR content from the conference on our YouTube channel.
The agenda is subject to change. The agenda times are shown in local Japanese Standard Time (UTC+9). All pre-conference and conference activities, including FIRST-hosted social activities, will take place on the premises of the Hilton Fukuoka Sea Hawk Hotel.
- Additional side meetings, SIG Meetings, and BoFs to be posted by end of April.
- Additional room designations to be posted at a later date.
About TLP Designations
If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees at https://www.first.org/conference/2024/registration-terms.
Meetings notated with "invite-only" or "invitation only" are private meetings.
Sunday Trainings
Sunday pre-conference trainings are limited opportunities for interested conference delegates and locals who may not be planning to attend the full event. A separate registration is required. To view the training fees, agenda, and access the registration form, please visit https://www.first.org/conference/2024/training/program.
Sessions Available to Virtual Participants
TLP:CLEAR sessions from the Plenary talks, Breakout 1, Breakout 2, and Breakout 3 will be available to registered virtual participant ticket holders via the conference mobile/desktop app. Access information will be provided several days before the start of the event.
Registration Hours & Location
Registration will be located on the 1st Floor of the Hilton Fukuoka next to the main conference halls. Hours are as follows:
- Sunday, June 9 | Training Participants Only from 07:00-08:30; All Conference Participants 12:00-18:00
- Monday, June 10 | 07:00-18:00
- Tuesday, June 11 | 07:00-16:00
- Wednesday, June 12 | 08:00-16:00 (please pick up any guest badges for the social event by 15:00)
- Thursday, June 13 | 08:00-15:30
- Friday, June 14 | 08:00-11:00
If you have any questions regarding the agenda, please contact the event office via email at events@first.org.
Sunday, June 9th
Time | Plenary (Argos DEF) | Social Activity
---|---|---
17:00 – 18:00 | Welcome to FIRST! A Newbie Session TLP:CLEAR |
18:00 – 20:00 | | Conference Welcome Reception in the Seala Restaurant at the Hilton Fukuoka Sea Hawk TLP:CLEAR
Monday, June 10th
Time | Plenary (Argos DEF) / Breakout 1 (Argos D) | Breakout 2 (Argos E) | Breakout 3 (Argos F)
---|---|---|---
07:30 – 09:00 | Arrival Coffee & Continental Breakfast | |
08:30 – 09:30 | Conference Opening & Welcome Remarks | |
09:30 – 10:30 | Akira Saka (Digital Agency, JP) TLP:CLEAR | |
10:30 – 11:00 | Networking Break with Exhibits (Argos ABC) | |
11:00 – 11:35 | Demystifying Cloud Infrastructure Attacks – Alexander Andersson (Truesec, SE) TLP:CLEAR | SBOMs for the Win! How PSIRT Teams Could Use SBOM – Fabrice Kah (Schneider Electric, FR); Harish Shankar (Schneider Electric, IN) TLP:CLEAR | Tales From a Cloud CSIRT - Let's Deep Dive into a Kubernetes (k8s) Infection – Santiago Abastante (Solidarity Labs, AR) TLP:CLEAR
11:45 – 12:20 | Cloud Console Cartographer: Tapping Into Mapping > Slogging Thru Logging – Daniel Bohannon (Permiso Security, US); Andi Ahmeti (Permiso Security, AL) TLP:CLEAR | Thomas Proell (Siemens AG, DE) TLP:CLEAR | IntelOwl: Making the Life of Security Analysts Easier – Matteo Lodi, Simone Berni (Certego, IT) TLP:CLEAR
12:20 – 14:00 | Standing & Seated Lunch | |
14:00 – 14:35 | Email Breach Analysis and Response Tips to Avoid Risk – Yumi Iida (ITOCHU Cyber & Intelligence Inc., JP) TLP:GREEN | Breaking the Holy Trinity of Open-Source Ecosystem - Malicious Code in Open-Source Packages – Artur Oleyarsh (PANW, IL) TLP:CLEAR | Version Fingerprinting Tricks: Automating Software Identification for Vulnerability Scanners – Alexandre Dulaunoy (CIRCL.lu, LU); Luciano Righetti (CIRCL – CIRCL.lu, LU) TLP:CLEAR
14:45 – 15:20 | Dissecting Tradecraft: Building Robust Detections Through Tradecraft Decomposition – Matt Hand (Prelude, US) TLP:CLEAR | AI Governance with Multistakeholder for Safer AI Society – Satoshi Okada, Takuho Mitsunaga (INIAD, Toyo University, JP) TLP:CLEAR | Attack Path Based Detection Engineering - Leveraging BloodHound for Robust Defense – Olaf Hartong (FalconForce, NL) TLP:CLEAR
15:20 – 15:50 | Networking Break with Exhibits (Argos ABC) | |
16:00 – 17:15 | FIRST AGM (Annual General Meeting) TLP:CLEAR | |
17:30 – 19:30 | Sponsor Showcase Reception (Argos ABC) TLP:CLEAR | |
Tuesday, June 11th
Time | Plenary (Argos DEF) / Breakout 1 (Argos D) | Breakout 2 (Argos E) | Breakout 3 (Argos F)
---|---|---|---
07:30 – 09:00 | Arrival Coffee & Continental Breakfast | |
09:00 – 09:35 | Unmasking Threat Actors: In-Depth Analysis and Monitoring of Chat and Community Activities – Aurelien Thirion, Alexandre Dulaunoy (CIRCL.lu, LU) TLP:AMBER | Lost In An Ocean of Emotion: Considering the Human Factors in Cyber Response – Keir P (National Cyber Security Centre (NCSC-UK), GB) TLP:GREEN | Beyond Buzzwords: Navigating Security Challenges in AI Adoption – Antonio Horta, Renato Marinho (Accenture Cyber Lab LATAM, BR) TLP:AMBER
09:45 – 10:20 | Point of Sale (PoS) Break: Ransomware's Ingress via Compromised POS at Mobile Phone Retailer – Lik Hau Seet, Clifton Soh (Infocomm Media Development Authority of Singapore, SG) TLP:GREEN | Experiences of BtCIRT Making Impact for Bhutan Cyber Resilience: Challenges and Successes – Pratima Pradhan (Bhutan Computer Incident Response Team, BT); Vilius Benetis (NRD Cyber Security, LT) TLP:CLEAR | Turn the Tables: How We Use GPT to Detect Phishing Websites – Eduard Alles (G DATA CyberDefense AG, DE) TLP:CLEAR
10:20 – 10:50 | Networking Break with Exhibits (Argos ABC) | |
10:45 – 11:20 | Accelerating Incident Response with Automation: A Case Study in MFA – Meghan Donohoe, Susan Paskey (Cisco Systems, US) TLP:GREEN | Tearing Down the Silos - Cyber Defense Needs an Integrated Approach – Daniel Kaestle (Mercedes-Benz Group AG, DE) TLP:CLEAR | Masato Ikegami (Canon IT Solutions Inc., JP); Josep Albors (Ontinet.com, ES) TLP:CLEAR
11:30 – 12:05 | Enrico Lovat (Siemens Corp., US) TLP:GREEN | Collaborative Response to Emerging Critical RCE Vulnerabilities in Exposed Assets – Piotr Kijewski (The Shadowserver Foundation, NL) TLP:AMBER | Sharing Communities: The Good, the Bad, and the Ugly – Thomas Geras (HM Munich University of Applied Sciences, DE) TLP:CLEAR
12:05 – 13:30 | Standing & Seated Lunch | |
13:30 – 14:05 | Help! My CISO is Visibly Bored When I Present IR Metrics! – Merisa Lee (Cisco Meraki, US) TLP:CLEAR | Andrew Steyer (Booz Allen Hamilton, US) TLP:CLEAR | Yuichi Kikuchi (Panasonic Holdings Corporation, JP) TLP:CLEAR
14:15 – 14:50 | Éireann Leverett (Concinnity Risks, GB); Lorenzo Nicolodi (Microlab.red, IT); Divya Ramjee (Rochester Institute of Technology, US) TLP:RED | Lazarus Exposed: Insights by Recovering and Decrypting C2 Data – Yun Hu, Lennart Haagsma (Fox-IT, part of NCC Group, NL) TLP:AMBER | An Evolutionary Tale of Attackers and Defenders in Telecom Threat Landscape – Umair Bukhari (Ericsson, FI) TLP:GREEN
15:00 – 15:35 | Inside(r) Out: Responding to The Dangers Within – Eloise Hindes, Jason Middleton (Bank of England, GB) TLP:GREEN | Giuseppe Morici, Claudio Calì (Intesasanpaolo Bank S.p.A., IT); Beatrice Fissi (Intesa Sanpaolo Bank S.p.A., IT) TLP:AMBER | Metamorphosis in Vulnerability Analysis: Navigating VeX Challenges and Soaring Towards Solutions – Jessica Butler, Kaajol Dhana (NVIDIA, US) TLP:CLEAR
15:45 – 16:15 | Networking Break with Exhibits (Argos ABC) | |
16:15 – 17:15 | TLP:CLEAR | |
Wednesday, June 12th
Time | Plenary (Argos DEF) / Breakout 1 (Argos D) | Breakout 2 (Argos E) | Breakout 3 (Argos F)
---|---|---|---
07:30 – 09:00 | Arrival Coffee & Continental Breakfast | |
08:45 – 09:00 | Wednesday Morning Remarks | |
09:00 – 10:00 | Wednesday Keynote Address: Incident Command System 4 Industrial Control Systems (ICS4ICS) – Megan Samford (Schneider Electric, US) TLP:CLEAR | |
10:00 – 10:30 | Networking Break with Exhibits (Argos ABC) | |
10:30 – 11:05 | Improving ICS/OT Threat Hunt & Incident Response Capabilities Through Adversary Emulation – Shaun Long (Cybersecurity & Infrastructure Security Agenc) TLP:CLEAR | From Laboratory to Grid: Advancing IACS Incident Response and Cyber Resilience – Rudolfs Kelle (CERT.LV, LV) TLP:CLEAR | Developing a New Cyber Security Brand for Consumers and Small Businesses – Jane O'Loughlin (CERT NZ, NZ) TLP:CLEAR
11:15 – 11:50 | Walking Through the Minefield of Mobile Forensics – Georgy Kucherin (Kaspersky, RU) TLP:GREEN | Vulnerability Response for Heterogenous OT Products – Principles to Build Your Own Framework – Harish Shankar (Schneider Electric, IN); Fabrice Kah (Schneider Electric, FR) TLP:CLEAR | Matthew Grote (Cybersecurity and Infrastructure Security Agency, US) TLP:GREEN
11:50 – 13:15 | Standing & Seated Lunch | |
13:15 – 13:50 | Are You Prepared for On-Going Cyber Warfare? – Masatoshi Sato (LAC.Corp, Tokyo, Japan (LACERT), CYBER GRID JAPAN, JP) TLP:AMBER | Alexandre Dulaunoy (CIRCL.lu, LU); David Durvaux (European Commission - EC Cybersecurity Operations Centre, BE); Renato Otranto Jr. (CERT.br / NIC.br, BR) TLP:CLEAR | Streamline Security Operations with the SOAR/SIEM Tool and the ITSM Solution – Yutaro Ichimura, Keisuke Tokuda, Hironori Yokote (NTT Communications, JP) TLP:GREEN
14:00 – 14:35 | Lessons Learned from a Countrywide Scanning Program – Juhani Eronen (NCSC-FI, FI) TLP:CLEAR | The Art of Bonsai: How to Build a Cyber Security Expert? – Dona Šeruga, Jakov Đogić (CARNET - CERT.hr, HR) TLP:GREEN | JTAN - Building a Data Sharing Network Using Open Source Tools – Alexandre Dulaunoy, Jean-Louis Huynen (CIRCL.lu, LU); Paweł Pawliński (CERT.PL, PL) TLP:CLEAR
14:45 – 15:20 | The Art of Incident Management – Yoshiki Sugiura (NTT DATA Intellilink Corporation, JP); Yusuke Kon (Trend Micro Incorporated, JP) TLP:AMBER | Carson Zimmerman (Ardalyst, US) TLP:CLEAR | When One Does Not Rule Them All: Building a Threat Hunting Framework with Ansible – Lukas Hajn (Red Hat, CZ); Fran Marquez (Red Hat, ES) TLP:GREEN
19:00 – 22:00 | Conference Social Event at the Hilton Sea Hawk TLP:CLEAR | |
Thursday, June 13th
Time | Plenary (Argos DEF) / Breakout 1 (Argos D) | Breakout 2 (Argos E) | Breakout 3 (Argos F)
---|---|---|---
07:30 – 09:00 | Arrival Coffee & Continental Breakfast | |
09:00 – 10:00 | TLP:CLEAR | |
10:00 – 10:30 | Networking Break with Exhibits (Argos ABC) | |
10:30 – 11:05 | Understanding the Chinese Underground Card Shop Ecosystem and Becoming a Phishing Master – Strawberry Donut (Independent Researcher, JP) TLP:CLEAR | Cybersecurity Performance Goals for Critical Infrastructure: A Primer and A Progress Report – Tom Millar (CISA, US) TLP:CLEAR | Hikohiro Lin, Kosuke Ito (PwC Consulting LLC, JP) TLP:AMBER
11:15 – 11:50 | Navigating the New Normal, In the Remote/Hybrid Cybersecurity Landscape – James Potter, Raja Jasper (Huntington National Bank, US) TLP:GREEN | Building a National CSIRT on a Nano Scale – Paul Dutot (Jersey Cyber Security Centre, JE) TLP:CLEAR | Kathleen Noble (Intel, US) TLP:CLEAR
11:50 – 13:15 | Standing & Seated Lunch | |
13:15 – 13:50 | Dissecting the Arsenal of LockBit – HuiSeong Yang (S2W inc., KR) TLP:CLEAR | Sigma Unleashed: A Realistic Implementation – Mathieu Le Cleach (CERT-EU, BE) TLP:CLEAR | Defensive Solutions - The Golden Gate for Targeted Attack – Tu Nguyễn Thanh, Quang Tran Minh (Viettel Cyber Security, VN) TLP:GREEN
14:00 – 14:35 | Are You Lazarus? - Cryptocurrency Hackers Targeting Japanese Organizations – Kota Kino, Tomoya Kamei (Japan Computer Emergency Response Team Coordination Center, JP) TLP:CLEAR | Gearing Towards the Next Level in Playbook-Driven Security Automation - Leveraging CACAO V2 – Luca Morgese Zangrandi (TNO, NL); Vasileios Mavroeidis (University of Oslo, NO) TLP:CLEAR | Eduardo Barbaro (TUDelft, NL) TLP:AMBER
14:45 – 15:20 | Tales from the Deep: Diving into Barracuda Exploitation by PRC Actors – Mathew Potaczek (Mandiant/Google, AU) TLP:AMBER | John Stoner (Google Cloud, US) TLP:CLEAR | Enhancing Leadership Readiness for Cyber Incidents: A Strategic Pre-Briefing Approach – Robert Floodeen (CyXcel, GB) TLP:CLEAR
15:20 – 15:50 | Networking Break with Exhibits (Argos ABC) | |
15:50 – 16:50 | TLP:CLEAR | |
Friday, June 14th
Time | Plenary (Argos DEF) / Breakout 1 (Argos D) | Breakout 2 (Argos E) | Breakout 3 (Argos F)
---|---|---|---
07:30 – 09:00 | Arrival Coffee & Continental Breakfast | |
09:00 – 09:35 | Pushing Coordinated Vulnerability Disclosure Forward in Asia Pacific – Tomo Ito (JPCERT/CC, JP) TLP:CLEAR | Monitoring DDoS Activists Activity – Paul Jung (CERT-XLM (Thales/Excellium Services), FR) TLP:GREEN | Building up a PSIRT Team for an Open Source Project: Lessons Learned from Zephyr – Kate Stewart (Linux Foundation, US) TLP:CLEAR
09:45 – 10:20 | Integrating Data Science into Security Detection and Response in Corporate Environments – Dinu Smadu (-, NL); Eduardo Barbaro (TUDelft, NL) TLP:AMBER | CurveBack: A Backdoor Analysis – Rafael Lukas Maers, Stian Jahr (mnemonic, NO) TLP:AMBER | Collaboratively Caring and Securely Sharing of Information that Matters – Dave Matthews (Gen Digital, AU) TLP:CLEAR
10:30 – 11:05 | How AI is Changing the Way We Analyze Malware – Fernando Urbano (ES) TLP:CLEAR | Unveiling Active Directory Secrets: Uncommon Tricks for Enhanced Security – Vincent Le Toux (VINCI, FR) TLP:CLEAR | How to Tell a Company They're Hacked: Lessons Learned from Over 2,600 Pre-Ransomware Notifications – Dave Stern (CISA, US); Aurora Johnson (SpyCloud Labs, US) TLP:GREEN
11:15 – 11:50 | NeuroCTI - a Custom Fine-Tuned LLM for CTI - Benchmarking, Successes and Lessons Learned – Aaron Kaplan (Independent / EC-DIGIT-CSIRC, AT); Alexandre Dulaunoy (CIRCL.lu, LU); Jürgen Brandl (Federal Ministry of the Interior, Austria, AT) TLP:GREEN | From Code to Crime: Exploring Threats in GitHub Codespaces – Nitesh Surana (Trend Micro, IN); Jaromir Horejsi (Trend Micro, CZ) TLP:CLEAR | Tod Beardsley (CISA); Lindsey Cerkovnik (CISA, US) TLP:CLEAR
11:50 – 12:15 | Networking Break (Argos BC) | |
12:15 – 12:45 | Closing Remarks TLP:CLEAR | |
12:45 – 14:15 | Closing Lunch | |
- US | TLP:CLEAR
14 Questions Are All You Need
Carson Zimmerman (Ardalyst, US)
Carson Zimmerman has been working in and around security operations centers (SOCs) and CSIRTs for over 20 years. In his current role at Ardalyst, Carson helps clients transform uncertainty into understanding in their digital landscape. In his previous role at Microsoft, Carson led the investigations team responsible for defending the M365 platform and ecosystem. His experiences as a SOC analyst, engineer, architect, and manager led Carson to author Ten Strategies of a World-Class Cybersecurity Operations Center and to co-author its second edition, Eleven Strategies…, which may be downloaded for free at mitre.org/11Strategies.
How is your SOC or CSIRT doing, really? It's easy to become lost in the soup of compliance and regulatory requirements. There are plenty of respected consultancies that will perform multi-month SOC assessments. A quick Internet search yields several SOC capability maturity models. And yet, a one-hour conversation with a SOC veteran will yield a gut sense of how a SOC is doing on its journey, and where investments are needed. What if SOCs had a lighter-weight method that identifies key strengths and weaknesses: one that can be done in an afternoon, or more than twice a year? In this talk, Carson Zimmerman will challenge your thinking about how to measure and drive SOC effectiveness. He will present 14 key indicators of performance that survey not only how the SOC is doing at a given point in time, but also how well growth and improvement are baked into the SOC culture.
June 12, 2024 14:45-15:20
1445-14-Questions-Carson-Zimmerman.pdf
MD5: 5f5e8d066c84224e30f689d68d97886a
Format: application/pdf
Last Update: June 26th, 2024
Size: 3.8 Mb
- US | TLP:CLEAR
A Deep Dive into KEV
Tod Beardsley (CISA), Lindsey Cerkovnik (CISA, US)
Tod Beardsley is employed at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. There, he spends most of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and hosted the Security Nation podcast. He is also a Travis County Election Judge in Texas, and is an internationally-tolerated horror fiction expert.
Lindsey is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by sponsoring and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability information, and engaging in valuable technical collaboration with the vulnerability research community.
In this session, Tod Beardsley from CISA will educate the audience on the ins and outs of what goes into building and publishing the Known Exploited Vulnerabilities catalog (the KEV). While building a list of known exploited vulnerabilities may sound straightforward, the devil is in the details. Tod will explain and explore those details, and perhaps exorcise a devil or two.
June 14, 2024 11:15-11:50
- US | TLP:CLEAR
A Recipe for Improving SecOps Detections: Take Three Security Controls, add a Tablespoon of Threat Intelligence, and Let it Rise
John Stoner (Google Cloud, US)
John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST (CTI, Tech Colloquium), BSides (SF, Las Vegas), SANS Summits (DFIR, Threat Hunting, Cloud and SIEM), WiCyS, Way West Hacking Fest and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
OK, it's not that simple, but this talk is designed to identify a prescriptive approach to building detections. Purple teaming, adversary simulation/emulation and automated red teaming are all intended to help defenders to be better prepared. The problem is that these are more initiatives that many of us don't have the time to undergo with all of the other requirements thrown at us.

At the heart of these initiatives is the desire to help organizations build better detections that can handle threats more effectively. Rather than tie ourselves into knots around questions like "is it better to emulate or simulate or run an automated red team", we need to focus on determining the threats that we need to detect in our environments that align with the actors targeting us.

This talk provides attendees with a methodology around testing and validating detections to drive rule development in security operations. Testing cannot take place in a vacuum and should be executed in a representative target environment that includes an organization's telemetry (EDR/sysmon, NDR/Zeek, for example). We will also examine the role that threat intelligence plays in determining how to prioritize and focus our detection development to the most relevant threats for an organization.

This methodology should evolve into an on-going cycle and we will discuss how this ensures rules will continue to function, with an added bonus of identifying if data is being ingested and normalized as expected. Finally we will walk through an example that applies this methodology.
June 13, 2024 14:45-15:20
A-Recipe-for-Improving-SecOps-John-Stoner.pdf
MD5: 5ba034a4aa326235ab27e0d8d2b0e6e0
Format: application/pdf
Last Update: June 28th, 2024
Size: 3.12 Mb
- US | TLP:GREEN
Accelerating Incident Response with Automation: A Case Study in MFA
Meghan Donohoe (Cisco Systems, US), Susan Paskey (Cisco Systems, US)
Meghan Donohoe is a Security Software Engineer in Cisco’s incident response team. She started out on this team during university, focusing on creating tools that help analysts and investigators detect and respond to incidents. While she has found her niche as a developer in the security world, Meghan is also the pillar lead of community outreach for Women of Cisco and volunteers her time to help create security trainings with the cyber resiliency team.
Susan Paskey started her career as a network security engineer for all stages of the firewall, intrusion detection, and VPN lifecycle. She joined Cisco's CSIRT for a change of pace as a security analyst and quickly worked her way up to a threat hunting investigator. She enjoys hunting threats in MFA and authentication logs to develop detection and response processes. She is lead organizer for information security conferences within her community.
As the complexity of incident response continues to grow, security professionals face challenges that impede efficiency and contribute to burnout. Responders constantly juggle the tracking of elusive threats with the pressures of tight time constraints. Everyone has seen colleagues run out of steam from the stress of working one high-priority alert after another, leading many to ask, "How can we overcome these challenges?" This is where automation enters the conversation.

The process of responding to MFA fraud reports during a live incident is put under the microscope in this comprehensive case study, enabling the audience to see the impact of automation on the incident lifecycle and the investigator's role. Unlike other presentations that solely focus on automating the detection stage, this case study includes multiple phases of incident response.

Developers will learn about flexible coding practices and the fast-paced environment of an incident response event. Simultaneously, responders will gain insights into the advantages of automation. Everyone will be inspired to explore and embrace automation as a means to accelerate incident response.
June 11, 2024 10:45-11:20
- JP | TLP:CLEAR
AI Governance with Multistakeholder for Safer AI Society
Satoshi Okada (INIAD, Toyo University, JP), Takuho Mitsunaga (INIAD, Toyo University, JP)
Satoshi Okada received B.E. and M.E. degrees in engineering from The University of Tokyo in 2020 and 2022. His research interests include cybersecurity and Digital Transformation.
Takuho Mitsunaga is an Associate Professor at INIAD, Toyo University. He is also an advisor at Industrial System Security Center of Excellence of IPA.
In this session, we focus on developing an understanding of the vital role of multi-stakeholder collaboration in AI governance to ensure a safer AI society. We first introduce AI technology and its positive and negative social impacts. For instance, AI technologies can be applied to cyber security areas such as predicting attacker behavior, Red/Blue teaming hands-on, and the SOAR approach. Meanwhile, AI decisions and predictions can be subject to bias due to datasets and algorithms. AI is not always able to make fair and responsible decisions, as evidenced by the false arrests caused by AI-based facial recognition technology.

Then, we emphasize the need for inclusive and diverse perspectives in AI governance and show the importance of multi-stakeholder approaches in achieving appropriate AI governance. We also highlight the challenges and opportunities in implementing such approaches by introducing best practices and case studies demonstrating successful examples. The session aims to provide attendees with a comprehensive overview of how multi-stakeholder collaboration can enhance AI safety, ethics, and societal benefits.
June 10, 2024 14:45-15:20
- FI | TLP:GREEN
An Evolutionary Tale of Attackers and Defenders in Telecom Threat Landscape
Umair Bukhari (Ericsson, FI)
I am a cyber security enthusiast and leader with a passion to bring a positive change to the information security & privacy landscape. As Head of the Ericsson Product Security Incident Response Team (PSIRT) I am responsible for leading the vulnerability management, incident response and situational awareness for Ericsson's product portfolio. I am an active member of the global security community and believe in solving problems through collaboration. I have been an active speaker at FIRST and other cyber security forums.
This presentation will provide the audience with an overview of the evolution of the telecom landscape, supported by relevant attacks and incidents along the timeline. It showcases how the telecom threat landscape has changed since the introduction of GSM and how the defense needs to evolve accordingly. 20 years ago, targeting telecom networks required specific skills, as shown in early reports of SS7 attacks. Due to convergence with IT and cloud technologies, threat actors now increasingly utilize the same tools and exploits against telecom as they use for other industries. The emergence of the initial access broker market and online criminal communities has had an impact on the telecom threat landscape. Telecom protocols are no longer 'a mystery': one can build an IMSI catcher at home or get access to the signaling network for subscriber tracking. Attackers are heavily using mobile spyware for espionage instead of wiretapping the networks, so the defenders need to update their arsenal accordingly.
June 11, 2024 14:15-14:50
- JP | TLP:CLEAR
Are You Lazarus? - Cryptocurrency Hackers Targeting Japanese Organizations
Kota Kino (Japan Computer Emergency Response Team Coordination Center, JP), Tomoya Kamei (Japan Computer Emergency Response Team Coordination Center, JP)
Kota Kino is a Malware/Forensic Analyst at the Incident Response Group, JPCERT/CC. He is in charge of investigating various incident cases observed in Japan, including APT and malspam campaigns. Previously he was engaged in the implementation of email security products at a Japanese IT service company. He has delivered training on malware analysis techniques and also shared technical findings on JPCERT/CC's blog (https://blogs.jpcert.or.jp/en/). He has presented at CODE BLUE and Botconf.
Tomoya Kamei is a malware analyst at Incident Response Group, JPCERT/CC. In his previous position, he worked as a network engineer, designing and building networks.
Cryptocurrency companies have been targeted by many attackers these days. Cryptocurrency hackers target organizations in various countries, and their activities are revealed by many security vendors. When such hackers are described in detail, they are associated with Lazarus so often that all cryptocurrency hackers seem to be Lazarus. However, cases in which non-Lazarus attackers are involved have also been confirmed. It is problematic that there is insufficient attention to and information on non-Lazarus cryptocurrency hackers while Lazarus gains a lot of attention. This presentation shares recent attacks against cryptocurrency companies by Lazarus and other attackers. Specifically, the following attacks are presented:
- Campaign MalDoc in PDF
- Campaign CryptoParallax
- Campaign JokerSpy
These attacks should be noted to discuss future security measures since they use new attack techniques and malware that had never been observed before. Although the presentation covers attack cases confirmed in Japan, there should have also been similar attacks in other countries since cryptocurrency hackers target organizations in various countries. This presentation helps the participants learn and understand recent attacks targeting cryptocurrency companies and improve their security against similar attacks.
June 13, 2024 14:00-14:35
- JP | TLP:AMBER
Are You Prepared for On-Going Cyber Warfare?
Masatoshi Sato (LAC.Corp, Tokyo, Japan (LACERT), CYBER GRID JAPAN, JP)
Director of the National Security Laboratory at LAC.
CISA (Certified Information Systems Auditor).
I joined the Japan Air Self-Defense Force in 1984 and held various commanding positions, including the 23rd Aircraft Control and Warning Group and the Communications and Systems Management Group. In my last three years of service, I served as the inaugural commander of the Cyber Defense Group. I retired from the military with the rank of Colonel in 2017 and am currently the Director of the National Security Laboratory at LAC, a corporate security company and the parent of LACERT. In this role, I primarily conduct research and investigations focusing on nation-state activities in cyberattacks. I disseminate my research findings through lectures at government agencies and media interviews, aiming to raise awareness about cyber warfare. In 2023, I published the book 'Information Warfare, Psychological Warfare, and Cognitive Warfare.'

The contemporary cybersecurity landscape is diverse and volatile, marked by adversaries ranging from nation-states and their allies to criminals, hacktivists, and individuals. This diversity necessitates a multifaceted approach to cyber defense; for that objective, proactive strategies are essential, emphasizing active information gathering and applying collectable data as tactical and actionable intelligence, i.e. warfare scenario study. The strategy's key component is the generation and utilization of Cyber Threat Intelligence (CTI), which has become more vital than ever.

In an assumptive scenario drawing on military strategies, we simulate China's hypothetical invasion of Taiwan as a case study; this dynamic scenario of potential cyber conflict in a geopolitical context will be studied during the presentation. The outline details in the presentation will underscore the need to coordinate efforts between observation networks, integrating policy and technology in analytical processes for better understanding. This collaboration aims to foster an approach to information sharing, enhancing threat intelligence and reducing the risk of severe outcomes. We hope our shared knowledge and methodology in the presentation will motivate the FIRST community to be better prepared in their incident response mechanisms and cyber defense readiness, as impact and reflection of the possible incoming warfare situation.
June 12, 2024 13:15-13:50
- NL | TLP:CLEAR
Attack Path Based Detection Engineering - Leveraging BloodHound for Robust Defense
Olaf Hartong (FalconForce, NL)
Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations. Olaf has presented at many industry conferences and is the author of various tools including ThreatHunting for Splunk, FalconHound and Sysmon-modular.
In an era where threats are constantly evolving, understanding your environment’s possible attack paths is critical. This presentation will guide you through the complex landscape of Azure and Active Directory, revealing misconfigurations and unintentional security gaps and showing how to protect against potential threats. Dive deep into the world of BloodHound, a tool that has revolutionized the way we identify and analyze attack paths. Despite its benefits, many teams struggle to maximize its potential due to time constraints and knowledge gaps. This talk aims to bridge these gaps, unveiling tips and tricks to keep your BloodHound database up-to-date and use it for automatic detection and enrichment. But that’s not all: we’re excited to introduce you to FalconHound, a toolkit designed to augment BloodHound’s capabilities. Discover how FalconHound integrates with a host of security tools, offering features like tracking sessions, environment changes, alerts, and incidents, all in near-real time! Embrace the power of bi-directional contextual information to prioritize critical alerts better and stop attackers in their tracks before they reach their goal. Learn how tools like BloodHound and FalconHound can serve as extensions of your live monitoring capabilities, helping you catch attackers in real-time and limit the impact of breaches.
June 10, 2024 14:45-15:20
- BR TLP:AMBER
Beyond Buzzwords: Navigating Security Challenges in AI Adoption
Antonio Horta (Accenture Cyber Lab LATAM, BR), Renato Marinho (Accenture Cyber Lab LATAM, BR)
Antonio Horta is a Doctoral candidate in Defense Engineering at the Military Institute of Engineering (IME), holds a Master’s degree in Computer Science from IME, an executive MBA in telecom from IBMEC, a postgraduate degree in management from COPPEAD and in internet technology from COPPE, and several certifications. He works as Principal Cyber Research Scientist at Accenture Cyber Lab LATAM. He has presented his research in the areas of cybersecurity, decision making and artificial intelligence at relevant international conferences such as IEEE Big Data 20/21, SBSeg 22/23, FIRSTCON23 and CERTBR23.
Renato Marinho is Director of Cyber Lab at Accenture Security and Incident Handler at SANS Internet Storm Center. He holds a PhD in Applied Informatics and is also a professor of Computer Forensics and Malware Analysis in postgraduate courses. He has presented work at national and international events, such as CSIRTs National Forum 2015/2017/2018/2022, SANSFIRE 2018/2019/2023, RSA Conference 2018/2019, SANS Blue Team Summit 2018, Botconf 2017/2018, SANS Data Breach Chicago 2017 and FIRSTCON 2023.
As the use of generative artificial intelligence (AI) becomes pervasive in various industries, the critical issue of security in this domain demands deeper exploration. This presentation delves into the challenges posed by the adoption of AI technologies, particularly those leveraging Large Language Models (LLMs), and emphasizes the potential risks if security measures are not diligently implemented. Our study aims to dissect and analyze threats, consolidating knowledge from sources like CVE, MITRE ATLAS, published case studies, and vulnerabilities outlined in OWASP that afflict AI systems, especially those employing generative AI. We present a comprehensive method for evaluating AI systems, focusing on identifying the Threat Critical Path (TCP). The TCP is a kill chain formed by the set of less visible steps that adversaries take to achieve their objectives within the ecosystem supporting these technologies. Throughout our research, numerous kill chains were scrutinized, forming a taxonomy of attack types and objectives against AI systems. We explore vulnerabilities from a systemic perspective, including issues with LLM models and plugins connecting internal information sources like documents, databases, and spreadsheets. The significance of our work is underscored by tangible outcomes, including a novel security evaluation method for AI systems, a detailed case study involving a kill chain against AI systems submitted to MITRE ATLAS, and the discovery and publication of a high-impact CVE related to a remotely exploitable SQL injection vulnerability. This vulnerability poses a severe risk to companies connecting AI systems with internal databases, potentially leading to sensitive information leaks or data destruction.
June 11, 2024 09:00-09:35
- US TLP:GREEN
Beyond Information Sharing: A New Framework for Maturing Operational Collaboration Across Organizations
Matthew Grote (Cybersecurity and Infrastructure Security Agency, US)
Matthew R. Grote is a Senior Lead for Cyber Defense Innovations in the Joint Cyber Defense Collaborative where his mission is to identify and support community projects that help shift advantage away from attackers and toward defenders. His career has focused on national cybersecurity policy, including strategy and operations oversight roles in CISA, the Department of Defense, and the United States Senate.
CISA would like to introduce our new UN!TE Framework project and invite attendees to contribute to its development. UN!TE aims to be a reference tool for cyber defenders to work as a national or international team to detect and disrupt adversaries by highlighting key actions that defenders can take, as part of a team of organizations, against every step of an APT campaign. Cyber intrusions are often part of a broader campaign by the threat actor that involves operations targeting multiple organizations. Stopping the overarching campaign requires collective action as a team of network defenders within targeted organizations, cybersecurity service providers, government, and other partners. Like in any team sport, acting as a group is not easy. Cyber operational collaboration requires constant communication, planning, leadership, and adaptation. In order to fully mature our collective cyber defense operations, we need to better systematize and routinize the collaborative operations and tactics. UN!TE seeks to do this by laying out a framework of high-level potential actions that defensive partners can reference to ensure they are fulfilling their role in the national team. It aligns these key actions against every step of an APT campaign. CISA is beginning a collaborative effort to engage with the community to shape UN!TE into a usable public tool. Since the FIRSTCON audience works on these issues every day, they are the ideal contributors to UN!TE.
June 12, 2024 11:15-11:50
- IL TLP:CLEAR
Breaking the Holy Trinity of Open-Source Ecosystem - Malicious Code in Open-Source Packages
Artur Oleyarsh (PANW, IL)
Artur Oleyarsh is a Security Researcher at Palo Alto Networks. He researches vulnerabilities related to Open Source Software, Vulnerability Management, and Cloud Native Technologies.
The open-source ecosystem is based on a trust relationship between package managers, package maintainers, and end users: the Holy Trinity! In the absence of standard security features for verifying the reliability of packages uploaded to package managers, malicious packages exploit this middleware of the “Open Source unwritten rule and concept”. A few lines of malicious code, or an entire module, uploaded into legitimate and trusted software can slip under the radar, bypass security alerts, and become one of the links, sometimes even the first link, of a supply chain attack. This is undoubtedly one of the biggest challenges in the open source ecosystem, mainly because of the increasing use and adoption of open source libraries and frameworks and the lack of a holistic solution for ensuring the safe use of open-source packages. It was quite clear that as the number of attack attempts increased, there would also be an increase in copycats trying to reuse the malicious code in order to carry out new attacks or mimic other threat actors. In this talk Shaul and Artur will discuss new research on Python packages that contained reused malicious code of a well-known threat actor in an attempt to launch an independent attack, an example of abusing the “Holy Trinity” of the open-source ecosystem. They will analyze the rapid but inefficient responses of corporations that are almost helpless against new attack techniques, and talk about future solutions and standardization that the open-source community should adopt.
June 10, 2024 14:00-14:35
- NL TLP:AMBER
Bridging Advanced Analytics and Incident Response: The Power of an Analytics Education Curriculum to Improve Incident Response in a Large European Bank
Eduardo Barbaro (TUDelft, NL)
I am a seasoned, results-driven leader with extensive experience in AI and cybersecurity. As the Head of Security Analytics, I lead the strategic direction and execution of high-quality analytics and data strategy. My expertise in AI and cybersecurity has been honed through a series of progressive leadership roles. My academic background includes a PhD in Atmospheric Physics from Wageningen University, the Netherlands, and several well-cited papers in top-tier international scientific journals. In 2023, I became a visiting researcher at the Cybersecurity Lab of the Faculty of Technology, Policy and Management at Delft University. I am adept at leading cross-functional teams and have a proven ability to drive strategic initiatives, leveraging my deep understanding of data science and AI to drive business growth. I am committed to staying at the forefront of the industry and am always looking for ways to bring the latest technologies and best practices to the organisation.
Can a data-driven educational curriculum revolutionise incident response in a major financial institution? The answer is a resounding yes. In a pioneering initiative at a large European bank with over 50,000 employees, we have successfully shrunk the gap between advanced analytics and incident response. Our unique two-part training, comprising theoretical and hands-on sessions followed by a three-day intensive hackathon, empowered our incident response team with fundamental analytics skills and awareness. This collaboration led to the co-creation of a machine-learning model that effectively reprioritises SOC alerts, enhancing our response efficiency. This presentation will detail the training structure, implementation challenges, and the transformative impact of combining cybersecurity with data analytics. Our experience offers a replicable model for organisations seeking to combine these critical, albeit still far-apart, domains.
June 13, 2024 14:00-14:35
- JE TLP:CLEAR
Building a National CSIRT on a Nano Scale
Paul Dutot (Jersey Cyber Security Centre, JE)
Paul Dutot is head of Cyber Defence and CIO at the Jersey Cyber Security Centre.
Previously, he held a CTO position at a cybersecurity business which provided both offensive and defensive services. Paul's particular skills before joining the Jersey Cyber Security Centre include global penetration testing for over 10 years as well as custom SIEM design, incident management, response and forensics.
This talk is about a “nano” national CSIRT delivering capabilities beyond its scale, including delivering a “Cyber Shield” program that drives constituency engagement and outreach. We will also discuss legal issues, metrics and automation, and introduce the “C-FIRST” threat model as part of our operational security. Lastly, we will highlight our cyber security lab with a live demo of an exploit that is present in many companies around the world today. The talk is of interest to national CSIRTs of all sizes looking to improve their services.
June 13, 2024 11:15-11:50
- US TLP:CLEAR
Building up a PSIRT Team for an Open Source Project: Lessons Learned from Zephyr
Kate Stewart (Linux Foundation, US)
Kate Stewart works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. Kate was one of the founders of SPDX, and is currently one of the technical working group leads. She is also the co-lead for the CISA SBOM tooling working group, and the OpenSSF SBOM Everywhere SIG. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects, as well as supporting other embedded projects. With over 30 years of experience in the software industry, she has held a variety of roles and worked as a developer in Canada, Australia, and the US. For the last 20 years she has worked with software development teams in the US, Canada, UK, India, and China, contributing upstream to open source.
When the Zephyr project (https://zephyrproject.org/) launched in 2016, one of the goals was to apply known security best practices to make the S in IoT actually mean something. This talk will go through the journey of the last 8 years of applying known best security practices to an open source project, including becoming a CVE Numbering Authority, and forming a PSIRT team from volunteers from different companies. Along the way we had to adjust embargo policies due to a bulk vulnerability report, in addition to the occasional vulnerability reported from the community.
June 14, 2024 09:00-09:35
Building-Up-A-PSIRT-Team-Kate-Stewart.pdf
MD5: 9b842f2d9bced892e7ccc3545ede071c
Format: application/pdf
Last Update: July 11th, 2024
Size: 10.24 Mb
- US AL TLP:CLEAR
Cloud Console Cartographer: Tapping Into Mapping > Slogging Thru Logging
Daniel Bohannon (Permiso Security, US), Andi Ahmeti (Permiso Security, AL)
Daniel Bohannon is a Principal Threat Researcher on Permiso Security’s P0 Labs team with over thirteen years of information security experience, including incident response consulting at MANDIANT, security research at FireEye and threat hunting at Microsoft.
He is the author of the Invoke-Obfuscation, Invoke-CradleCrafter and Invoke-DOSfuscation open-source obfuscation frameworks and co-author of the Revoke-Obfuscation PowerShell obfuscation detection framework.
Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology (2013) and a Bachelor of Science in Computer Science from The University of Georgia (2010).
Andi Ahmeti is an Associate Threat Researcher on Permiso Security's P0 Labs team. Since the age of 17 Andi has been fascinated with technology and cyber security, participating in numerous Capture the Flag events and security trainings in his hometown of Prishtina, Kosovo.
Mr. Ahmeti obtained a Bachelor of Science in Computer Engineering from the University of Prishtina Faculty of Computer and Electrical Engineering (2023). During his time as a student he led his university's CDC team to a 2nd place finish at the 2nd annual CDC competition and placed 1st at the Cyber ZERO competition.
Prior to joining Permiso, Andi worked as an entry-level security engineer and an instructor teaching students about offensive cyber security at ICK (Innovation Centre Kosovo), a local technical training organization.
Event logs are a fundamental resource for security professionals seeking to understand the activity occurring in an environment. Cloud logs serve a similar purpose as their on-premises counterparts, though differing significantly in format and granularity between cloud providers. While most cloud CLI tools provide a one-to-one correlation between an API being invoked and a single corresponding API event being generated in cloud log telemetry, browser-based interactive console sessions differ profoundly across cloud providers in ways that obfuscate the original actions taken by the user. For example, when a user clicks IAM->Users in an interactive AWS console session it produces 300+ CloudTrail events to support the numerous tiles and tables in the UI. Since March 2023 the presenters have developed a solution to this challenge and are proud to demo and release the open-source Cloud Console Cartographer framework (including a full CLI and supplemental GUI visualizer) as part of this presentation. The presenters will demonstrate the extent of the console logging problem and the technical challenges and capabilities required to solve it, showcasing the tool’s usefulness in translating real-world examples of malicious console sessions produced by notable cloud threat actors during first-hand incident response investigations. Come and learn how the open-source Cloud Console Cartographer framework can provide clarity for threat hunters and detection engineers alike, helping defenders stop slogging through logging while putting the “soul” back in “console.”
June 10, 2024 11:45-12:20
- NL TLP:AMBER
Collaborative Response to Emerging Critical RCE Vulnerabilities in Exposed Assets
Piotr Kijewski (The Shadowserver Foundation, NL)
Piotr is the CEO and a Member of the Board of Trustees at The Shadowserver Foundation, a non-profit organization with a mission of making the Internet a more secure environment. He also manages Shadowserver's large-scale data threat collection and sharing projects, as well as National CSIRT relationships. Piotr has over 20 years of operational experience in cybersecurity and incident response. He headed CERT.PL (CERT Polska) building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr is also a member of the Honeynet Project (where he has also served on the Board of Directors), a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis.
The non-profit Shadowserver Foundation (https://shadowserver.org) has been active for over 15 years, delivering free daily cyber threat intelligence feeds to National CSIRTs (currently 201 National CSIRTs covering 175 countries and territories) and many other organizations that have an Internet presence (currently over 8000 organizations worldwide, including Sectoral CSIRTs, ISP/CSPs, hosting providers, enterprises, banks, academia, hospitals, SMEs, etc). This talk will tell the story of how The Shadowserver Foundation has responded to many recent high-profile critical vulnerabilities such as Citrix NetScaler (CVE-2023-3519 etc), Ivanti MobileIron (CVE-2023-35078), Cisco IOS XE device implants (CVE-2023-20198), and others affecting tens of thousands of organizations globally. This includes how we worked on new vulnerability scans on an Internet scale to be able to quickly detect exposed, vulnerable or compromised instances and understand the scale of each incident. It will also cover how we improved our attack detection signatures and utilized our global honeypot sensor network to be able to quickly detect exploitation attempts. All information gathered was then quickly disseminated to the affected parties and their National CSIRTs via our free remediation feeds. None of that would be possible without close collaboration with multiple partners who provided a lot of information observed “on-the-ground”, which we could combine with our own data collection mechanisms to maximize remediation effects. We will cover the lessons learned from this collaboration, which will hopefully allow for even more effective response from the community in future incidents.
June 11, 2024 11:30-12:05
- AU TLP:CLEAR
Collaboratively Caring and Securely Sharing of Information that Matters
Dave Matthews (Gen Digital, AU)
After getting his PhD in Mathematics, Dave spent the next 25 years consulting for the Australian Government, primarily working with Defence, Intel and Law Enforcement, before moving to CrowdStrike, and Gen Digital (which is formed from the merger of Avira, Avast and NortonLifelock). He has continually worked in Incident Response and Forensics and has had the privilege of helping people while they are having their worst days at work. He has experience with all flavours of cybersecurity, ranging from attack and defence to incident response as well as security capability development. He is particularly passionate about digital forensics and incident response, helping people prevent and recover from attacks. When he's not working or learning something new, Dave loves spending time with his family and their puppy, Rufus!
This presentation, 'Collaboratively Caring and Securely Sharing', describes situations where sharing Intel would greatly help others. The talk initially discusses forms of Intelligence that are valuable and worth promptly communicating, with examples of how a lack of sharing prevents rapid response to incidents and, in many cases, allows threat actors time to achieve their objectives. Common reasons that prevent sharing are discussed to highlight problems and to show how secure collaboration can help. For example, your organisation might have suffered a breach; you want to share pertinent lessons learned and even Intelligence to help others. However, doing so could expose your reputation. What can you do? Or your organisation might be attacked, and you want to ask for help anonymously, without divulging where you work. We show how Intel sharing can be achieved in an Incident Responder community and provide step-by-step instructions on implementing it with popular team messaging platforms like Slack, Mattermost, Discord and Microsoft Teams. The presentation will demonstrate how this can work in a trusted IR community like FIRST, other CERTs or Incident Response communities.
June 14, 2024 09:45-10:20
0945-Collaboratively-Caring-and-Securely-Sharing-DM.pdf
MD5: 0c0ea1e76aafdb5e004f24c5b1453e95
Format: application/pdf
Last Update: June 26th, 2024
Size: 13.49 Mb
- NO TLP:AMBER
CurveBack: A Backdoor Analysis
Rafael Lukas Maers (mnemonic, NO), Stian Jahr (mnemonic, NO)
Rafael Lukas Maers has a Master's degree in Mathematics and has worked at mnemonic since 2013. He began his cybersecurity career as an analyst, before he ventured into network analysis and developed a world-class decoder for an ICS/OT network protocol. In 2017, he started working as a full-time incident responder in a multiyear engagement and got a taste for malware reverse engineering. His interest and knowledge grew, and he has led mnemonic's reverse engineering team since 2021.
Stian Jahr holds a Master’s degree in Information Security and has been part of mnemonic’s Managed Security Services since 2006. He has played a central role in the formation and technical management of mnemonic’s Security Services, where he has been focusing on network analysis, threat intelligence, forensics, and incident handling and response for customers. He has always been interested in diving into the bits and bytes of complex problems, and he joined mnemonic's reverse engineering team in 2021.
The evolution of China-nexus backdoors over the last decade has rapidly produced several families that have been documented in great detail. Among the latest additions to this order are SideWalk / ScrambleCross, which employ challenging techniques and are difficult to detect without prior knowledge of their functionality. In the fall of 2023, the mnemonic Incident Response Team (mIRT) was engaged to uncover an attack that was part of an espionage campaign, and discovered a previously undocumented backdoor on the evolutionary trail. Keeping track of the development of these malware families is essential for defenders. This talk shares the highlights from our analysis of the malware and reflections on how to detect it.
June 14, 2024 09:45-10:20
- US TLP:CLEAR
Cybersecurity Performance Goals for Critical Infrastructure: A Primer and A Progress Report
Tom Millar (CISA, US)
Tom Millar has served in CISA for 15 years, working to strengthen the agency's information sharing capabilities, increasing the level of public, private and international partner engagement, and supporting initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
In July 2021, in order to raise the baseline of critical infrastructure cybersecurity across the nation, the President of the US issued a National Security Memorandum requiring the development and issuance of Cybersecurity Performance Goals (CPGs) for Critical Infrastructure. As a result, the Cybersecurity and Infrastructure Security Agency (CISA), the national CSIRT for the US, created a catalog of 38 CPGs for all critical infrastructure owners and operators to adopt. These range from well-known basic practices, such as having an asset inventory and publishing security.txt files, to less obvious and less common activities such as improving IT and OT security team relationships and supply chain vulnerability disclosure. This presentation will provide an introduction to the CPGs and the development process, the evolution of the CPG program, and a glimpse into the future shape of the CPGs as they become more informed by cybersecurity incident reporting data and other measurements.
June 13, 2024 10:30-11:05
- US TLP:CLEAR
Defending Forward: How National Organizations Can Identify Adversary Infrastructure and Attacks Before They Occur
Andrew Steyer (Booz Allen Hamilton, US)
Andrew Steyer is the Technical Lead of Booz Allen's DarkLabs Detect business. As a cyber expert with more than 15 years of experience, Andrew has led and worked on multiple programs across various client spaces focused on cybersecurity operations, analytic development, and forensics. Andrew has established and rebuilt multiple analytic environments and developed first-of-a-kind, innovative approaches to rapid detection and response to cyber threats.
Join us for a discussion on how National-level cyber security teams can revolutionize and advance the way they protect their nations and stakeholders with adversary infrastructure hunting. We will share insights into our innovative methodologies, leveraging advanced techniques like domain registration analysis, certificate purchases, JARM and JA4+ analysis, and lessons we’ve learned along the way. We will help National-level Cybersecurity teams advance their intelligence and threat hunting missions using unconventional strategies to identify adversary pre-positioning. We'll delve into the challenges of analyzing vast data sets with over 250 million websites, presenting a game-changing integration of AI and ML for efficient threat detection. Attendees will gain a fresh perspective on cyber threat intelligence and leave armed with practical knowledge to defend forward against adversaries.
June 11, 2024 13:30-14:05
- VN TLP:GREEN
Defensive Solutions - The Golden Gate for Targeted Attack
Tu Nguyễn Thanh (Viettel Cyber Security, VN), Quang Tran Minh (Viettel Cyber Security, VN)
Tú is a Threat Intelligence Manager with 12 years of experience in cyber security, especially in threat intelligence solutions that help his company and other organizations (big enterprises and government organizations in Vietnam and the Philippines) protect against and prevent emergency threats.
Quang has 15 years of experience in cyber security, has handled 100+ incidents for various entities, and has conducted 10,000+ hours of research. His international certifications include GCTI, GCFA, CHFI and others. He is a frequent speaker at many conferences and a member of Vietnam CSIRT.
During the process of handling and investigating targeted attack incidents, Viettel Threat Intelligence has discovered several malware families exhibiting highly distinctive behaviors. These new malware families exploit the organization's Endpoint Detection and Response system for persistence and operation. In this presentation, Viettel Threat Intelligence will elaborate on the advanced techniques employed by these targeted malware families, including specific mechanisms that indicate how the attacking group meticulously researched their targets. Additionally, VTI conducts extended research to identify the attacking group and detect similar malware.
June 13, 2024 13:15-13:50
- SE TLP:CLEAR
Demystifying Cloud Infrastructure Attacks
Alexander Andersson (Truesec, SE)
Alexander is a Principal Forensic Consultant at Truesec, a Swedish cyber security firm within consulting and managed services. Alexander has a background as a red teamer but today he spends most of his time providing incident response services to companies that have suffered from an attack. He has led hundreds of complex investigations into everything from full-scale ransomware attacks to zero-day exploits and APT campaigns. Whenever not in an active incident, Alexander spends time in research and development with a focus on both novel forensic techniques and offensive vulnerability research.
Threat actor tactics in a classic on-premises environment are well documented and understood. For example, extracting credentials from memory and then pass-the-hash is a common technique to move laterally in Windows. But how do threat actors move laterally between cloud workloads and compute instances? What are the common persistence techniques, and what are the high value targets we need to protect? Alexander is Principal Forensic Consultant at Truesec and will in this session share his learnings from over 10 000 billable hours of enterprise forensics. You will learn how cloud tactics differ from on-premises and see the latest techniques used in real attacks against cloud infrastructure.
June 10, 2024 11:00-11:35
- NZ TLP:CLEAR
Developing a New Cyber Security Brand for Consumers and Small Businesses
Jane O'Loughlin (CERT NZ, NZ)
Jane O’Loughlin is the Manager of Engagement, Communications and Partnerships at CERT NZ. Jane has worked in behaviour change in government for more than 10 years and is interested in how design and human psychology can support better decision-making. It was a rude awakening for Jane when she joined CERT NZ three years ago and discovered that having the same password for every account was a bad idea. Since then, it’s been a rapid journey of discovery into the world of cyber security, and Jane is passionate about helping other ‘average’ New Zealanders understand why and how security controls work. Her major achievement to date at CERT NZ is overseeing the launch of the new Own Your Online platform.
Cyber security is often portrayed as part of a shadowy world of hackers and international espionage. As a result, everyday humans find it hard to see it as relevant. In this case study, CERT NZ explains how it has re-branded its ‘front door’ for consumers and small businesses and organisations, to make cyber security more relevant and appealing. After a review of its communications approach and extensive market research, CERT NZ realised that a radical change was needed to engage New Zealanders in the vital task of improving their cyber security practices. This resulted in the birth of ‘Own Your Online’ (ownyouronline.govt.nz), a new platform for communicating with everyday audiences. In this presentation Engagement, Communications and Partnerships Manager Jane O’Loughlin will talk about CERT NZ’s journey in developing a new brand that is helping the agency better engage with consumers and businesses.
June 12, 2024 10:30-11:05
- KR TLP:CLEAR
Dissecting the Arsenal of LockBit
HuiSeong Yang (S2W inc., KR)
HuiSeong Yang is a researcher in the Threat Analysis Team at S2W in Korea. He is in charge of analyzing various malware, including ransomware, and has recently been working on methodologies to analyze malware written in Go and Rust languages, which are often used to make analysis more difficult. His main research focuses on tracking ransomware groups operating as Ransomware-as-a-Service (RaaS).
While many RaaS groups have come and gone in recent years, the LockBit group has been one of the most active. LockBit operates as a ransomware-as-a-service (RaaS) and employs multiple affiliates, causing far more damage than any other ransomware group. As of 2023, it accounted for 1,029 ransomware victims out of a total of 4,951, about 20%, enough to rank first in the number of victims among RaaS groups. The LockBit group has continued to grow its arsenal (which it refers to as a collection): LockBit Red, a 2.0 version of the original LockBit ransomware, developed in June 2021; LockBit Black, which cribbed code from the BlackMatter ransomware, in June 2022; and the Conti-based LockBit Green, released this year... How far is the group willing to go in borrowing code from other ransomware? And then there's the rumored Babuk. As you can see, we've been tracking the LockBit group since its inception.
June 13, 2024 13:15-13:50
Dissecting-the-Arsenal-of-LockBit-HuiSeong-Yang.pdf
MD5: 2faba2402ae2fcf9d228e0a9b2c2b200
Format: application/pdf
Last Update: July 10th, 2024
Size: 14.44 Mb
- US TLP:CLEAR
Dissecting Tradecraft: Building Robust Detections Through Tradecraft Decomposition
Matt Hand (Prelude, US)
Matt Hand is the Director of Security Research at Prelude where he conducts research and development with the goal of making endpoint protection products more effective. Matt spent the vast majority of his career working as a red team operator, targeting well-defended organizations across virtually every industry and sector. Matt is the author of Evading EDR (No Starch Press, 2023) and is passionate about endpoint security, specifically endpoint detection and response and vulnerability research.
As we work to secure our organizations against ever-evolving threats, understanding adversary tactics is crucial for building effective defense strategies. This talk delves into the layers of attack chains, emphasizing the need to decompose adversary tactics to enhance detection capabilities. Adversaries employ a diverse toolbox of techniques, and a breach merely represents a discrete manifestation of a fraction of these tactics. This presentation will underscore the importance of dissecting these tactics into actionable components. Using the MITRE ATT&CK framework as a foundation, we will explore how adversary procedures can be broken down further into variants, each comprising a series of discrete operations. By zooming in on these operations, security professionals can attain a granular understanding of the threat landscape, enabling the development of more effective detection mechanisms. The talk will provide insights into how focusing on the detection coverage of these operations can significantly bolster an organization's detection posture.
June 10, 2024 14:45-15:20
- JP TLP:GREEN
Email Breach Analysis and Response Tips to Avoid Risk
Yumi Iida (ITOCHU Cyber & Intelligence Inc., JP)
After working as a customer engineer in the authentication and security field at an IT vendor, I am currently in charge of responding to and analyzing security incidents at ITOCHU Cyber & Intelligence.
Business Email Compromise (BEC) poses a global threat, leading to substantial financial losses. Despite the widespread adoption of multi-factor authentication (MFA), attackers have evolved their tactics, notably through Adversary-in-the-Middle (AiTM) attacks, increasingly prevalent since 2021. The Anti-Phishing Working Group (APWG) reports a doubling of phishing attacks between 2020 and 2022, indicating a persistent rise in BEC phishing. Microsoft 365 (M365), the world's most utilized webmail service, is a prime target for these attacks. However, available information on M365 account breaches lacks detailed insights into attackers' behaviors and intrusion trace deletion. The absence of comprehensive incident data hampers effective analysis and monitoring by company CERTs (Computer Emergency Response Teams). Current defense recommendations, scattered across various documents for different products (Microsoft Entra ID, Exchange, etc.), are not systematically organized. This complicates the work of CERT staff in investigating and responding to incident-related logs. Inadequate incident data may lead to ineffective responses, allowing intrusion risks to persist and potentially amplify damages. This presentation addresses the identified attacker techniques (email theft, app installation, and intrusion trace deletion) from actual M365 account breaches, offering insights for confirmation and response in case of incidents. Through real incident analyses, practical steps for incident handling will be shared to minimize the risk of account compromise and subsequent damage expansion. The goal is to enhance on-site staff response efficiency, disseminate appropriate countermeasures against intrusions and BEC risks, and ultimately contribute to safeguarding numerous companies.
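As an added, constructed example (not material from the talk): a small triage over Microsoft 365 unified audit log records that surfaces the three techniques the abstract lists and groups them by user and client IP, so the stages of one intrusion read as a single timeline. Field names (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follow the unified audit log export; the sample records, the hidden-folder list and the operation sets are the author's assumptions and should be adjusted to what your tenant actually logs.

```python
"""Triage Microsoft 365 unified audit log records for the three post-compromise
techniques named in the abstract: mail theft (inbox rules, mailbox forwarding),
app installation (OAuth consent), and deletion of intrusion traces.

Added example: the records below are constructed, not from a real incident."""
import json
from collections import defaultdict
from typing import Optional

# Operation names and parameter names as they appear in unified audit log exports
# (author's assumption; verify against your own tenant's records).
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "archive", "junk email", "deleted items"}
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}
APP_OPS = {"Consent to application.", "Add app role assignment grant to user.",
           "Add delegated permission grant.", "Add service principal."}
CLEANUP_OPS = {"Remove-InboxRule", "Disable-InboxRule", "HardDelete", "SoftDelete"}


def _params(rec: dict) -> dict:
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def classify(rec: dict) -> Optional[tuple]:
    """Map one audit record to (stage, detail), or None if it is not of interest."""
    op, p = rec.get("Operation", ""), _params(rec)
    if op in RULE_OPS:
        if EXFIL_PARAMS & p.keys():
            return "mail-theft", f"{op}: rule {p.get('Name')!r} forwards mail via {sorted(EXFIL_PARAMS & p.keys())}"
        folder = p.get("MoveToFolder", "").lower()
        if HIDE_PARAMS & p.keys() or folder in HIDE_FOLDERS:
            return "mail-theft", (f"{op}: rule {p.get('Name')!r} hides mail "
                                  f"(MoveToFolder={p.get('MoveToFolder')!r}, {sorted(HIDE_PARAMS & p.keys())})")
    if op == "Set-Mailbox" and MAILBOX_FORWARD_PARAMS & p.keys():
        return "mail-theft", f"{op}: mailbox-level forwarding {sorted(MAILBOX_FORWARD_PARAMS & p.keys())}"
    if op in APP_OPS:
        return "app-install", f"{op} ObjectId={rec.get('ObjectId')}"
    if op in CLEANUP_OPS:
        return "trace-deletion", f"{op} {p.get('Identity', '')}".rstrip()
    return None


def triage(log_lines: str) -> dict:
    """Classify each JSON-lines record and group findings per (user, client IP)."""
    findings = defaultdict(list)
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hit = classify(rec)
        if hit:
            key = f"{rec.get('UserId')} from {rec.get('ClientIP')}"
            findings[key].append({"time": rec.get("CreationTime"), "stage": hit[0], "detail": hit[1]})
    return dict(findings)


# Constructed records: one AiTM-style compromise of alice (rule hiding invoice
# mail in RSS Subscriptions, OAuth consent, rule removed afterwards) and one
# benign newsletter rule from bob that must not be flagged.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T07:12:09", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.test", "ClientIP": "203.0.113.77"},
    {"CreationTime": "2024-03-04T07:13:41", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.test", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-04T07:15:02", "Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.test", "ClientIP": "203.0.113.77",
     "ObjectId": "a1b2c3d4-0000-4000-8000-000000000001"},
    {"CreationTime": "2024-03-04T07:40:55", "Operation": "Remove-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.test", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Identity", "Value": "."}]},
    {"CreationTime": "2024-03-04T09:01:00", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "bob@example.test", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The grouping key matters more than any single rule: an inbox rule named "." is weak evidence on its own, but the same user and IP consenting to an application minutes later and then deleting the rule is the sequence the abstract describes, and it should be presented to the responder as one story.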
June 10, 2024 14:00-14:35
MD5: d41d8cd98f00b204e9800998ecf8427e
Format: application/pdf
Last Update: July 10th, 2024
Size: 4 Kb
- LU BE BR TLP:CLEAR
Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution
Alexandre Dulaunoy (CIRCL.lu, LU), David Durvaux (European Commission - EC Cybersecurity Operations Centre, BE), Renato Otranto Jr. (CERT.br / NIC.br, BR)
Alexandre Dulaunoy enjoys it when humans use machines in unexpected ways. I break stuff and I do stuff at CIRCL.
David Durvaux has been active in the incident response field for more than a decade. He has worked on many IT security incidents, especially on the computer forensics aspects. Since 2015 he has been actively preparing the FIRST CTF. David has presented several times at the FIRST annual conference, among others.
Renato Otranto Jr. has worked in IT for more than 25 years and has experience with security, network and system administration. He joined CERT.br in 2013 as an incident handler and also develops other activities with the team. Since 2012 he has been involved in organizing the Capture the Flag at FIRST Annual Conferences. He is also a former member of the Dragon Research Group.
In the dynamic landscape of cybersecurity, continuous skill development is paramount. This presentation, titled "Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution," delves into innovative approaches to enhance outreach and learning in the field. Focused on the creation, sharing, and execution of challenges, particularly through platforms like Capture The Flag (CTF), the session aims to illustrate the transformative impact of hands-on experiences with the FIRST.org challenges. The discussion will also outline how it has grown, offering a wide variety of knowledge fields and strong collaboration between the volunteers and their supporting organization.
June 12, 2024 13:15-13:50
1315-Empowering-Cybersecurity-Outreach.pdf
MD5: ebd29011b18f46f130b6368f3d4785d1
Format: application/pdf
Last Update: June 26th, 2024
Size: 639.95 Kb
- GB TLP:CLEAR
Enhancing Leadership Readiness for Cyber Incidents: A Strategic Pre-Briefing Approach
Robert Floodeen (CyXcel, GB)
Rob Floodeen is a CyXcel Partner at Weightmans, leading the response services blending legal and technical response. Rob has worked across federal, defense, and commercial operations. Highlights from his cybersecurity career include Pentagon IR team lead, member of CERT/CC, manager of a DoD agency CERT, Technical Advisor to the Director of the SEI managing the FFRDC contract, proactive services lead for PwC, and EMEA director of incident response services at Dell Secureworks. Rob has engaged in the security community through FIRST as the Program Chair, Membership Chair, and Education & Training Chair. He was the editor for ISO 27035:2016 Incident Management and has delivered dozens of DFIR technical and academic courses as an Adjunct Professor at Carnegie Mellon University and as a Visiting Scientist at the Software Engineering Institute, CMU. He holds a BS and MS in computer science and an MBA.
In the digital age, where cyber threats loom large, organizations need robust strategies not just for defense, but for decisive action during incidents. This session introduces a structured approach to prepare organizational leadership for cyber incidents. By implementing tailored pre-briefings, leaders can be equipped with essential knowledge on cybersecurity terminologies, decision-making thresholds, critical questioning, and regulatory obligations. This framework empowers leaders to move beyond mere awareness to active and effective participation in crisis management, enabling quicker, more informed decision-making, and enhanced organizational resilience.
June 13, 2024 14:45-15:20
- BT LT TLP:CLEAR
Experiences of BtCIRT Making Impact for Bhutan Cyber Resilience: Challenges and Successes
Pratima Pradhan (Bhutan Computer Incident Response Team, BT), Vilius Benetis (NRD Cyber Security, LT)
Pratima Pradhan is a Deputy Chief ICT Officer with BtCIRT, Cybersecurity Division under the Government Technology Agency, Bhutan. She received her bachelor’s degree in Computer Science Engineering from the PSNA College of Engineering and Technology, Anna University. She is an Australia Awards Scholarship recipient of the 2018-2019 cohort, under which she pursued a Master of Cybersecurity at Edith Cowan University.
Dr. Vilius Benetis is a member of NRD CIRT (@NRD Cyber Security), where he leads a team of experts to consult, establish, and modernise CSIRT/SOCs for governments, organisations, and sectors in Africa, Asia, Europe, and Latin America. He is an active contributor to the development of CSIRT/SOC-related methodologies for ENISA, FIRST.org, and ITU.
BtCIRT was established in 2016 as a small team of five people, guided by a very clear mandate covering Bhutan as a nation and the government ICT network and systems. Bhutan experiences the same challenges as all small nations, whether islands or mountainous places: human resources are very scarce, but it is very easy to reach and talk to each other. The natural cycle of organizational development, with its ups, downs and restructurings, has heavily impacted the team too. The presentation will tell the story of what was learned on the way, about the successes and failures of a small team moving forward, which has recently tripled in size and looks positively at its future.
June 11, 2024 09:45-10:20
- IT TLP:AMBER
Fighting Fraud with the Ethical Fraudster Project: Human Honeypot, Processes, and Multi-skills Team CTI Lead
Giuseppe Morici (Intesasanpaolo Bank S.p.A., IT), Claudio Calì (Intesasanpaolo Bank S.p.A., IT), Beatrice Fissi (Intesa Sanpaolo Bank S.p.A., IT)
Giuseppe Morici, Global Head of Cyber Threat Intelligence IntesaSanpaolo Bank, Experienced Manager, with technical Background in Offensive and Defensive Security.
Claudio Calì, Global Head of Red Team & Offensive Security IntesaSanpaolo Bank, Experienced Manager, with technical Background in Offensive and Defensive Security.
Beatrice Fissi, Global Head of Cybersecurity Prevention & Response in IntesaSanpaolo Bank.
In response to changes in the global cybersecurity landscape, Intesa Sanpaolo has developed a new detection, analysis, and response process called Ethical Fraudster, based on cyber threat intelligence activities with collaboration across multiple skilled teams (Red Team, Threat Hunting, Anti-Banking Fraud Department). This process is built on three pillars that work together to explore fraudsters’ tactics and then create a comprehensive fraud response plan. During the panel discussion, the Ethical Fraudster process will be explored in full, featuring real-world use cases to illustrate its application. Special emphasis will be placed on the recently introduced technique, the Human Honeypot: this term describes the application of human intelligence and the honeypot concept to the world of banking fraud, and, why not, it is replicable across all industries. The merit of this approach is shared throughout the whole sector, and its adoption by other organizations would exponentially amplify its benefits.
June 11, 2024 15:00-15:35
- IN CZ TLP:CLEAR
From Code to Crime: Exploring Threats in GitHub Codespaces
Nitesh Surana (Trend Micro, IN), Jaromir Horejsi (Trend Micro, CZ)
Nitesh Surana is a Senior Threat Researcher with Trend Micro where he specializes in cloud vulnerability & security research. He has been in the top 100 MSRC Most Valuable Security Researchers in 2023 for his submissions to Microsoft via the Zero Day Initiative. He has presented across conferences such as Black Hat USA, HackInTheBox, HackInParis, Nullcon, c0c0n, Security BSides, NDC Oslo and OWASP/Null Bangalore meetups. Apart from playing with packets and syscalls, Nitesh is found attending concerts and writing/playing music.
Jaromir Horejsi is a Senior Threat Researcher for Trend Micro Research. He specializes in tracking and reverse-engineering threats such as APTs, DDoS botnets, banking Trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.
Cloud-based development environments enable developers to work from any device with internet access. Introduced during the GitHub Universe event in November 2022, Codespaces offers a customizable cloud-based IDE, simplifying project development. However, the openness of this service has been exploited by attackers, leading to in-the-wild campaigns leveraging GitHub Codespaces for developing, hosting, and exfiltrating stolen information. The presentation will showcase GitHub Codespaces' features and explore typical methods of abuse by threat actors, focusing on observed malicious campaigns. Highlighted is DeltaStealer, a credential-stealing malware family with diverse variants, some featuring unique capabilities like persistent Discord authentication compromise and cloud-based data exfiltration. Developed using GitHub Codespaces, these infostealers reveal interesting artifacts, including debug symbols, exposing insights into the developers' identities. The presentation will showcase social media evidence and conclude with practical recommendations on configuring cloud-based IDEs securely, identifying suspicious instances, and proactively addressing similar cyber threats.
June 14, 2024 11:15-11:50
1115-From-Code-to-Crime-Surana-and-Horejsi.pdf
MD5: aff4a14687da9f70dead6b6e04f6678a
Format: application/pdf
Last Update: June 26th, 2024
Size: 3.92 Mb
- LV TLP:CLEAR
From Laboratory to Grid: Advancing IACS Incident Response and Cyber Resilience
Rudolfs Kelle (CERT.LV, LV)
Rudolfs Kelle is an incident responder who also delves into threat hunting and conducts research in Industrial Automation and Control System (IACS) security at CERT.LV. He holds a Master's degree in Cybersecurity from Tallinn University of Technology (Taltech).
This presentation and the underlying work address the lack of visibility in Operational Technology (OT) networks by developing a prototype sensor. It concentrates on electricity distribution networks and the IEC 60870-5-104 (IEC 104) protocol. IEC 104 is the telecontrol protocol used to supervise and control electricity transmission and distribution networks; it is present in most European countries and has been the main target in numerous attacks aimed at power station networks.
CERT.LV has developed a prototype sensor which provides visibility into such networks focusing on the IEC 104 protocol. The work has been tested in the CERT.LV’s IACS (Industrial Automation Control Systems) laboratory which mimics the electricity & energy network communications across Latvia. Such a solution is beneficial to different teams across the industrial network - from SOC analysts and incident responders to industry network engineers all of which benefit from having more visibility into the industrial networks.
The speaker (Rudolfs Kelle) has been at the forefront of the prototype’s development, which was the main part of his MSc thesis. He continues to work on the sensor after finishing the thesis to advance its capabilities in line with the needs and requirements of different stakeholder communities.
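As an added illustration of what such a sensor has to do at the protocol level (example code written for this page, not CERT.LV's prototype), the Python below decodes IEC 104 APDUs from a TCP payload, separates link-control (U), supervisory (S) and data (I) frames, pulls the type identifier, cause of transmission, common address and information object addresses out of the ASDU, and raises an alert when a process control command (type IDs 45-51 and 58-64) is sent with cause of transmission 6, activation. The test vectors are hand-built, and the type-ID table covers only what the example needs.

```python
"""IEC 60870-5-104 APDU decoder with a minimal control-command alert.

Constructed for this page: the frames below are hand-built test vectors, not
traffic from CERT.LV's sensor or laboratory; the type-ID table is the subset of
IEC 60870-5-101/104 identifiers this example needs."""
from dataclasses import dataclass, field
from typing import Optional

START_BYTE = 0x68
APCI_LEN = 6  # start byte, length byte, four control-field bytes

# Type identifier -> (name, size of one information element after its IOA)
TYPE_INFO = {
    1: ("M_SP_NA_1", 1),    # single-point information (SIQ)
    13: ("M_ME_NF_1", 5),   # measured value, short float (IEEE 754 + QDS)
    45: ("C_SC_NA_1", 1),   # single command (SCO)
    46: ("C_DC_NA_1", 1),   # double command (DCO)
    100: ("C_IC_NA_1", 1),  # general interrogation (QOI)
}
# Process information in control direction: commands that change plant state
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
COT_ACTIVATION = 6
U_FUNCS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
           0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}


@dataclass
class Apdu:
    fmt: str                      # "I" (data), "S" (supervisory) or "U" (unnumbered)
    send_seq: Optional[int] = None
    recv_seq: Optional[int] = None
    u_func: Optional[str] = None
    type_id: Optional[int] = None
    cot: Optional[int] = None     # cause of transmission (low six bits of the COT field)
    common_addr: Optional[int] = None
    ioa: list = field(default_factory=list)  # information object addresses


def _parse_asdu(asdu: bytes, apdu: Apdu) -> None:
    """Fill type ID, COT, common address and the IOA of every information object."""
    if len(asdu) < 6:
        raise ValueError("ASDU header too short")
    apdu.type_id, vsq = asdu[0], asdu[1]
    sq, count = vsq >> 7, vsq & 0x7F          # SQ=1: one IOA, then contiguous elements
    apdu.cot = asdu[2] & 0x3F                 # bit 6 = P/N, bit 7 = test flag
    apdu.common_addr = asdu[4] | (asdu[5] << 8)
    body = asdu[6:]
    if apdu.type_id not in TYPE_INFO:
        return                                # unknown type: keep the header only
    size = TYPE_INFO[apdu.type_id][1]
    if sq:
        if len(body) < 3 + size * count:
            raise ValueError("truncated information objects")
        base = body[0] | (body[1] << 8) | (body[2] << 16)
        apdu.ioa.extend(base + i for i in range(count))
        return
    pos = 0
    for _ in range(count):
        if pos + 3 + size > len(body):
            raise ValueError("truncated information objects")
        apdu.ioa.append(body[pos] | (body[pos + 1] << 8) | (body[pos + 2] << 16))
        pos += 3 + size


def parse_apdu(buf: bytes, offset: int = 0) -> tuple:
    """Decode one APDU at offset; return (Apdu, offset of the next APDU)."""
    if offset + 2 > len(buf) or buf[offset] != START_BYTE:
        raise ValueError(f"no APDU start byte at offset {offset}")
    length = buf[offset + 1]                  # covers the four control bytes + ASDU
    end = offset + 2 + length
    if length < 4 or end > len(buf):
        raise ValueError("truncated or malformed APDU")
    c1, c2, c3, c4 = buf[offset + 2:offset + 6]
    if (c1 & 0x01) == 0:                      # I-format: numbered, carries an ASDU
        apdu = Apdu("I", send_seq=(c1 >> 1) | (c2 << 7), recv_seq=(c3 >> 1) | (c4 << 7))
        _parse_asdu(buf[offset + APCI_LEN:end], apdu)
    elif (c1 & 0x03) == 0x01:                 # S-format: acknowledges received I-frames
        apdu = Apdu("S", recv_seq=(c3 >> 1) | (c4 << 7))
    else:                                     # U-format: link control
        apdu = Apdu("U", u_func=U_FUNCS.get(c1 & 0xFC, "unknown"))
    return apdu, end


def decode_stream(buf: bytes) -> list:
    """Split a TCP payload into consecutive APDUs (raises on a truncated tail)."""
    apdus, offset = [], 0
    while offset < len(buf):
        apdu, offset = parse_apdu(buf, offset)
        apdus.append(apdu)
    return apdus


def check_apdu(apdu: Apdu) -> Optional[str]:
    """Alert on activation of a process control command; everything else is
    routine supervisory traffic a sensor logs but does not raise."""
    if apdu.fmt == "I" and apdu.type_id in CONTROL_TYPES and apdu.cot == COT_ACTIVATION:
        name = TYPE_INFO.get(apdu.type_id, (f"type {apdu.type_id}",))[0]
        return f"{name} activation: common address {apdu.common_addr}, IOA {apdu.ioa}"
    return None


# Constructed test vectors (hex, one APDU per line).
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"                                 # U: STARTDT act
    "68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 01"   # I: C_SC_NA_1, COT=6, CA=1, IOA=1, ON
    "68 0e 00 00 02 00 01 01 03 00 01 00 05 00 00 01"   # I: M_SP_NA_1, COT=3 (spontaneous), IOA=5
    "68 0e 02 00 02 00 64 01 06 00 01 00 00 00 00 14"   # I: C_IC_NA_1, COT=6, QOI=20
)

if __name__ == "__main__":
    for a in decode_stream(SAMPLE_STREAM):
        print(a, check_apdu(a) or "")
```

A general interrogation (type 100) also carries COT 6 but is deliberately not alerted: it is routine master-to-outstation polling, and a sensor that raises on it would drown the single command that actually switches a breaker. A production sensor would add a baseline of which master addresses are allowed to issue commands to which common addresses, and alert on deviations from that.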
June 12, 2024 10:30-11:05
- NL NO TLP:CLEAR
Gearing Towards the Next Level in Playbook-Driven Security Automation - Leveraging CACAO V2
Luca Morgese Zangrandi (TNO, NL), Vasileios Mavroeidis (University of Oslo, NO)
Luca Morgese received an MSc in Cybersecurity at the University of Twente, Netherlands, in 2021. He is currently employed as a Cybersecurity Scientist at the Netherlands Organization for Applied Research (TNO). His work at TNO involves design, development, and validation of cybersecurity automation technologies for security operations in several domains, among which Defense organizations, financial organizations, telecommunications, and the energy sector. He is a technical committee member of OASIS standards for cybersecurity interoperability and information sharing: CACAO, CSAF, STIX, OpenC2.
Vasileios Mavroeidis is a Professor of Cybersecurity at University of Oslo and a board member of the esteemed standards development organization OASIS Open. His research focuses on security automation and threat-informed and collaborative defense, including cyber threat intelligence representation, reasoning, and exchange. Vasileios has published numerous scientific papers contributing to the body of knowledge and has been involved in Norwegian and European research and innovation cybersecurity actions supporting critical infrastructure operators and authorities responsible for cybersecurity. He is a member of the ENISA ad hoc working groups on Cyber Threat Landscapes and Security Operations Centres, and he has assisted the agency as a rapporteur, performing desk research, analysis, and advisory tasks pertinent to standardization. Additionally, Vasileios participates in the EU's Stakeholder Cybersecurity Certification Group, which was established to advise on strategic cybersecurity certification issues. Other involvements include contributing to standardization works and co-chairing the FIRST Automation special interest group and the OASIS Open Threat Actor Context and CACAO standardization committees. In 2022, OASIS Open awarded Vasileios the distinguished contributor designation for his contributions to cybersecurity standardization and open-source projects.
SOC and CSIRT teams are increasingly automating their workflows for security management, incident and threat response. To this end, many are embracing the concept of playbook-driven workflow orchestration: fully or partially automated sequences of tasks carried out in response to a triggering event. Current proprietary formats for such playbooks limit interoperability and the ability to collaborate and exchange defensive tradecraft across organizational boundaries. The OASIS Collaborative Automated Course of Action Operations (CACAO) standard overcomes this by providing a common framework and a machine-processable schema that caters for playbooks that are natively interoperable and can be shared and executed across technological and organizational boundaries. As a next step, TNO and University of Oslo developed open-source software tools that allow seamless creation and execution of CACAO security playbooks. This presentation will showcase these tools, demonstrate their use in a test environment and highlight practical learnings from adopting and promoting CACAO in national and pan-European projects.
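As an added example, separate from the TNO and University of Oslo tools, the Python below lints a small constructed CACAO 2.0 playbook (dangling step references, step ids whose prefix disagrees with the step type, action steps without commands, unreachable steps, no reachable end) and dry-runs it to list commands in execution order, resolving an if-condition against a playbook variable. Property names follow the CACAO 2.0 specification as the author reads it and should be checked against the spec; the condition grammar accepted by `_eval` is a deliberate simplification, and parallel and while-condition steps are not handled.

```python
"""Lint and dry-run a CACAO 2.0 security playbook.

Added example, not the TNO/UiO tooling. The playbook is constructed for this
page; property names (workflow_start, on_completion, on_true/on_false,
commands, __variable__ names) follow the OASIS CACAO 2.0 spec as the author
reads it, and the condition grammar below is a simplification."""
import re
from typing import Optional

NEXT_KEYS = ("on_completion", "on_success", "on_failure", "on_true", "on_false")

# Step identifiers: "<step type>--<uuid>" (constructed values)
START = "start--7a1c2d3e-4f50-4a61-b72c-83d94e05f6a7"
BLOCK = "action--1b2c3d4e-5f60-4718-9a2b-3c4d5e6f7a80"
CHECK = "if-condition--9c8b7a6f-5e4d-4c3b-a2a1-0f9e8d7c6b5a"
RESET = "action--2c3d4e5f-6071-4829-8b3c-4d5e6f708192"
PURGE = "action--3d4e5f60-7182-493a-9c4d-5e6f70819203"
END = "end--4e5f6071-8293-4a4b-8d5e-6f7081920314"

PLAYBOOK = {
    "type": "playbook", "spec_version": "cacao-2.0",
    "id": "playbook--0d2b6b6e-0b1e-4c2a-9d3e-2f1a7c8e9b01",
    "name": "Phishing mail: contain and clean up (constructed example)",
    "created": "2024-06-01T00:00:00.000Z", "modified": "2024-06-01T00:00:00.000Z",
    "created_by": "identity--5f1c1a2b-3d4e-4f60-8a7b-9c0d1e2f3a4b",
    "playbook_variables": {"__credentials_entered__": {
        "type": "string", "value": "true", "constant": False, "external": True}},
    "workflow_start": START,
    "workflow": {
        START: {"type": "start", "on_completion": BLOCK},
        BLOCK: {"type": "action", "name": "Block sender at the mail gateway",
                "commands": [{"type": "manual", "command": "Add the sender domain to the gateway blocklist"}],
                "on_completion": CHECK},
        CHECK: {"type": "if-condition", "condition": "__credentials_entered__ == 'true'",
                "on_true": RESET, "on_false": PURGE},
        RESET: {"type": "action", "name": "Reset credentials and revoke sessions",
                "commands": [{"type": "manual", "command": "Reset the user's password and revoke refresh tokens"}],
                "on_completion": PURGE},
        PURGE: {"type": "action", "name": "Purge the message from all mailboxes",
                "commands": [{"type": "manual", "command": "Search for the message ID and purge every copy"}],
                "on_completion": END},
        END: {"type": "end"},
    },
}


def lint(pb: dict) -> list:
    """Return structural problems; an empty list means the workflow is well-linked."""
    problems, wf, start = [], pb.get("workflow", {}), pb.get("workflow_start")
    if start not in wf:
        problems.append(f"workflow_start {start!r} is not a workflow step")
    for sid, step in wf.items():
        stype = step.get("type", "")
        if not sid.startswith(stype + "--"):
            problems.append(f"{sid}: id prefix does not match type {stype!r}")
        for key in NEXT_KEYS:
            if key in step and step[key] not in wf:
                problems.append(f"{sid}: {key} -> {step[key]} does not exist")
        if stype == "action" and not step.get("commands"):
            problems.append(f"{sid}: action step has no commands")
    seen, stack = set(), [start] if start in wf else []     # reachability from start
    while stack:
        sid = stack.pop()
        if sid in seen:
            continue
        seen.add(sid)
        stack.extend(wf[sid][k] for k in NEXT_KEYS if k in wf[sid] and wf[sid][k] in wf)
    problems.extend(f"{sid}: unreachable from workflow_start" for sid in wf if sid not in seen)
    if not any(wf[s].get("type") == "end" for s in seen):
        problems.append("no end step is reachable from workflow_start")
    return problems


def _eval(condition: str, variables: dict) -> bool:
    """Simplified evaluator (assumption): only "__var__ == 'literal'" or "!=" forms."""
    m = re.fullmatch(r"\s*(__\w+__)\s*(==|!=)\s*'([^']*)'\s*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    var, op, literal = m.groups()
    return (str(variables.get(var)) == literal) == (op == "==")


def dry_run(pb: dict, overrides: Optional[dict] = None) -> list:
    """Walk from workflow_start, resolve if-conditions against playbook variables
    (optionally overridden), and return the commands in execution order."""
    wf = pb["workflow"]
    variables = {k: v.get("value") for k, v in pb.get("playbook_variables", {}).items()}
    variables.update(overrides or {})
    order, sid, hops = [], pb["workflow_start"], 0
    while sid is not None:
        hops += 1
        if hops > len(wf):
            raise RuntimeError("workflow revisits steps; this linear dry run stops here")
        step, stype = wf[sid], wf[sid]["type"]
        if stype == "end":
            break
        if stype == "action":
            order.extend(c["command"] for c in step["commands"])
            sid = step.get("on_completion") or step.get("on_success")
        elif stype == "if-condition":
            branch = "on_true" if _eval(step["condition"], variables) else "on_false"
            sid = step.get(branch) or step.get("on_completion")
        elif stype == "start":
            sid = step["on_completion"]
        else:
            raise NotImplementedError(f"step type {stype!r} not handled by this dry run")
    return order


if __name__ == "__main__":
    print("lint:", lint(PLAYBOOK) or "ok")
    for cmd in dry_run(PLAYBOOK):
        print("-", cmd)
```

Linting before execution is the part worth copying: a playbook shared across organizational boundaries is only as trustworthy as its linkage, and a dangling `on_completion` or an end step nobody can reach is exactly the kind of defect that surfaces at 03:00 during an incident rather than at import time.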
June 13, 2024 14:00-14:35
- US TLP:CLEAR
Help! My CISO is Visibly Bored When I Present IR Metrics!
Merisa Lee (Cisco Meraki, US)
I’m Merisa Lee, a Security Professional with over 26 years in technology, 14 of those years specifically in Security. I’ve been an engineer, a people manager, and a technical program manager during my career. I have commanded incidents at companies such as Amazon, Meta, Cisco Meraki, DoorDash, and Uber, and managed teams at Dell, Meta, and Cisco Meraki. I can be reached on LinkedIn at https://www.linkedin.com/in/merisalee/!
Let’s tell a better story to your senior leadership. Incident Response team managers spend a lot of their time on the technical side, but translating that for senior leadership, or even a board, can be difficult. Programs are usually measured with industry-standard metrics such as Time to Detect (TTD), Time to Acknowledge (TTA), Time to Mitigate (TTM), and Time to Resolve (TTR), but none of these actually tells leaders how your program is doing or how mature your security stance is. Successfully telling a clear and concise story to your leadership and board, against a measurable standard, will highlight where your Incident Response program is succeeding and where you need more budget or resourcing to improve it.
June 11, 2024 13:30-14:05
- ES TLP:CLEAR
How AI is Changing the Way We Analyze Malware
Fernando Urbano (ES)
Fernando is a software engineer at VirusTotal. His experience involves analysis of banking trojans and development of automated binary analysis solutions. He also teaches binary instrumentation for UMA’s Malware Intelligence M.Sc. course. Fernando is the author of learnfrida.info, a free web resource for learning about binary instrumentation and its applications using the Frida toolkit.
In April 2023 we implemented several AI engines in VirusTotal to assist malware analysis. We learnt many things, from analyzing AI-generated malware to different AI-evasion techniques. We found that AIs interpret malicious code differently than AVs, offering a new angle for malware detection but also showing strong and weak points, including astonishing capabilities for malware script analysis and different criteria than AVs for detection. We offer a very down-to-earth view of our experience and how we think it can be leveraged for malware analysis in a surprisingly efficient way.
June 14, 2024 10:30-11:05
- US TLP:GREEN
How to Tell a Company They're Hacked: Lessons Learned from Over 2,600 Pre-Ransomware Notifications
Dave Stern (CISA, US), Aurora Johnson (SpyCloud Labs, US)
Dave works within CISA's Vulnerability Management Team, focusing on ransomware. Before this role, David most recently worked within CISA’s Analytic Cell team within the Joint Cyber Defense Collaborative. This team worked across CISA’s industry, state and local, international, and federal partners to develop and share actionable cyber threat intelligence. David previously led CISA’s cybersecurity collaboration efforts with state, local, tribal and territorial (SLTT) governments and also served as CISA’s Section Chief overseeing SLTT and election cyber exercises. In both roles, David worked with states, cities and local governments, tribal nations, boards of election, public utilities and others to help strengthen their cybersecurity postures. David holds a CISSP certification.
Aurora Johnson is an information security researcher and cybersecurity policy expert with experience working in both the public and private sectors, most recently as a Senior Analyst for the Cybersecurity and Infrastructure Security Agency (CISA). She is currently the Responsible Disclosure Coordinator for SpyCloud Labs, managing the program to alert organizations when SpyCloud finds their sensitive breached, leaked, or exposed data through their collections. Aurora is passionate about combating cybercrime and participates in a range of volunteer and public-private initiatives to track and disrupt the cybercriminal ecosystem; she was a recipient of the President’s Volunteer Service Award in 2023 for work with the U.S. government against cyber security threats.
Dave and Aurora will present a deep dive of CISA’s new Pre-Ransomware Notification Initiative (PRNI). This will include an explanation of the overall model for the program, best practices for collaboration between security researchers, cyber threat intelligence companies and international CERTs, effective translation of researcher raw data for victims, and how public-private collaboration ultimately results in the prevention of ransomware incidents and generates defensive insights for the United States and partner nations. For a long time, there have been insights generated by the private sector and researcher community that may not have been effectively utilized by governments and national CERTs, especially not quickly enough to prevent harm. This presentation will explain how PRNI has overcome various obstacles to more effectively communicate with researchers, apply insights, and notify affected entities in a timely manner. Dave and his team created this initiative within CISA and have successfully notified over 1000 organizations of pre-encryption ransomware activity on their networks, based on researcher insights.
June 14, 2024 10:30-11:05
- TLP:CLEAR
Improving ICS/OT Threat Hunt & Incident Response Capabilities Through Adversary Emulation
Shaun Long (Cybersecurity & Infrastructure Security Agency)
Shaun Long is the Deputy Chief for CISA’s Threat Hunting - Industrial Control System Section (ICSS), with a focus on reducing risk for small-medium sized critical infrastructure partners, building free & open-source community operational technology (OT) cyber tools, and building scalable service offerings using the Control Environment Laboratory Resource (CELR) platform. In addition to enabling internal CISA Threat Hunting teams & established partners, Mr. Long's team prioritizes partnerships with regional critical infrastructure utilities to demystify OT Cyber Security through interactive CELR Threat Hunting exercises, capture the flag events, and technical training modules focused on sector specific challenges.
Prior to joining CISA, Mr. Long spent eight years working at Booz Allen Hamilton -- supporting clients with technical product assessments, security and network architecture assessments, and enterprise level cyber security tool deployments. In addition to client work, Mr. Long helped to stand up an entirely new cross-cutting business unit, targeting the industrial control system security in the Defense & Civilian market by partnering with functional market leaders and leading commercial vendors.
This presentation will delve into the challenges and opportunities involved in upskilling the current workforce and training the future workforce to tackle the emerging field of cybersecurity—cyber-physical systems and operational technology that power our modern world. We will examine how the Cybersecurity & Infrastructure Security Agency (CISA) leverages our Control Environment Laboratory Resource (CELR) to conduct simulated OT threat hunt and incident response exercises. Additionally, we will explore how these systems are used to develop products and services for public and community use, and investigate new use cases and offerings to strengthen critical infrastructure against evolving threat actors.
June 12, 2024 10:30-11:05
Improving-ICS-OT-Threat-Hunting-Shaun-Long.pptx
MD5: ea34a8385e403280d3197d2a6fe4ec44
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 28th, 2024
Size: 15.84 Mb
- GB TLP:GREEN
Inside(r) Out: Responding to The Dangers Within
Eloise Hindes (Bank of England, GB), Jason Middleton (Bank of England, GB)
Eloise Hindes, Head of Emerging Cyber Threats, Bank of England. Coming to cyber security after five years as a communications consultant and four years as Chief of Staff for Technology, Ellie Hindes heads the Emerging Cyber Threats team within the Bank of England. A non-traditional route into the cyber security industry has given Ellie a perspective that places organisational concerns and good comms at the heart of her work. She’s a firm believer that if the business doesn’t care what you’re doing, or can’t understand it, you’ll never have the impact you want.
Jason Middleton, Senior Cyber Consultant, Bank of England. With two decades dedicated to securing organisations’ technology environments, Jason has specialised in several cyber domains, most recently as a Security Architect helping to build robust infrastructures. Jason has been a committed force in cybersecurity, predominantly within the financial services sector, joining the Bank’s Cyber Security Division in 2022 as a member of the Emerging Threats Team, where he is focused on addressing the significant challenges posed by insider threats.
The challenges of detecting and responding to incidents caused by legitimate users are complex and multiple. How do we define insider risk? How do we manage the minutiae of monitoring? And who is responsible for what when it comes to incident response? Learn how the Bank of England has developed its own insider detection capability.
June 11, 2024 15:00-15:35
- NL TLP:AMBER
Integrating Data Science into Security Detection and Response in Corporate Environments
Dinu Smadu (-, NL), Eduardo Barbaro (TUDelft, NL)
Dinu Smădu: Over 13 years spent in offensive and defensive security roles, currently focusing on security detection and response (SDR) architecture. Dinu and Eduardo constantly work together within the SDR domain in one of the largest banks in Europe, where their complementary backgrounds have proven to shrink the gap between SDR and analytics.
Eduardo Barbaro: Proven experience in successfully embedding data analytics in corporate environments. Dinu and Eduardo constantly work together within the SDR domain in one of the largest banks in Europe, where their complementary backgrounds have proven to shrink the gap between SDR and analytics.
Embarking on the journey of integrating advanced data science in a compliance-driven banking environment is a complex challenge, marked by technical, regulatory, and cultural hurdles. This presentation examines these challenges, from the technical aspects of implementing data models needed in security detection and response (SDR) to navigating the stringent regulatory landscape inherent in the banking sector. We discuss the nuances of dealing with vendor relationships and establishing a robust data platform, governance and architecture, which are essential in a highly regulated environment. We also focus on the creation and execution of a data analytics training program tailored to upskill the SDR team and establish a common language for all. Through this approach, we highlight how a large bank can transform its incident response framework through data science and successfully transition to a more agile, data-driven organisation, overcoming internal resistance and fostering a culture of innovation and adaptability. The insights and strategies shared provide a blueprint for similar institutions facing the daunting task of embracing data science to enhance their cybersecurity posture amidst a slow-moving corporate culture.
June 14, 2024 09:45-10:20
- IT TLP:CLEAR
IntelOwl: Making the Life of Security Analysts Easier
Matteo Lodi (Certego, IT), Simone Berni (Certego, IT)
Matteo is the Threat Intelligence Team Leader in Certego, an Italian MDR and TI provider, where he researches and studies upcoming cyber threats to develop new solutions to fight against them. He is a member of the non-profit organization The Honeynet Project where he promotes open source culture and knowledge sharing by administering popular programs like the Google Summer of Code.
Simone has been with Certego since graduating, where he started working on malware analysis and sandboxes, leading to the creation of Dragonfly, a sandbox built on the emulation principle. His responsibilities have since shifted to a more engineering role, with a focus on the management and improvement of our Threat Intelligence pipeline.
IntelOwl is an open source solution for managing threat intelligence at scale. As we work with such data on a daily basis and had no tool that solved our problems, we built our own and contributed it to the security community as open source software. IntelOwl integrates more than 150 different services available online, like VirusTotal and CrowdSec, and embeds many cutting-edge malware analysis tools, like YARA and CAPA. IntelOwl aggregates all the collected information in an easy-to-use interface, can be integrated with other security tools like MISP and OpenCTI, and can be highly customized to your needs. In this talk we will guide the audience through how this open source framework works and how it can be leveraged by infosec people to save time and optimize their work during their day-to-day activities.
June 10, 2024 11:45-12:20
- LU PL TLP:CLEAR
JTAN - Building a Data Sharing Network Using Open Source Tools
Alexandre Dulaunoy (CIRCL.lu, LU), Jean-Louis Huynen (CIRCL.lu, LU), Paweł Pawliński (CERT.PL, PL)
Alexandre Dulaunoy enjoys it when humans use machines in unexpected ways. I break stuff and I do stuff at CIRCL.
Jean-Louis Huynen is a security researcher at CIRCL. His work focuses on threat detection, intelligence, and incident response, along with creating tools to support these areas.
Paweł Pawliński is a principal specialist at CERT.PL. His job experience includes data analysis, threat tracking and automation. Paweł's current responsibilities include managing projects in the area of CTI and information exchange.
Nowadays CSIRTs routinely collect vast amounts of data to support monitoring and threat hunting activities; however, analysis and sharing with the community can still be a challenge. This talk will showcase multiple open source tools that were developed to address these gaps. We will focus on the operational value of having collaboration mechanisms that support efficient exchange of bulk data feeds and reduce duplication of analytical work. The presented open source tools are developed by European national CSIRTs to address their pain points; however, the resulting sharing and analysis network can be replicated in many other communities.
June 12, 2024 14:00-14:35
- NL | TLP:AMBER
Lazarus Exposed: Insights by Recovering and Decrypting C2 Data
Yun Hu (Fox-IT, part of NCC Group, NL), Lennart Haagsma (Fox-IT, part of NCC Group, NL)
Yun Hu is a Security Researcher at Fox-IT, part of NCC Group. His focus is on innovation and research of new detection methods and capabilities, ensuring a proactive approach in staying ahead of bad actors. His expertise includes threat hunting, detection engineering and incident response.
Lennart Haagsma currently works as a Sr. Incident Handler as part of the Incident Response team of Fox-IT. Lennart has worked for over 10 years at Fox-IT, holding roles as security analyst in the Security Operation Center, Threat Intelligence, and Incident Response teams.
The Lazarus hacking group, renowned for its relentless targeting of cryptocurrency and financial institutions, continues to pose a significant threat in the cybersecurity landscape. This talk presents insights gleaned from past Incident Response engagements where this Lazarus sub-group's activities were scrutinized. Leveraging recovery and decryption techniques of Command & Control data, our team successfully unveiled C2 traffic that was executed on compromised Windows systems, gaining unique insight into their tools, techniques, and modus operandi.
June 11, 2024 14:15-14:50
- FI | TLP:CLEAR
Lessons Learned from a Countrywide Scanning Program
Juhani Eronen (NCSC-FI, FI)
Juhani "Jussi" Eronen has worked at NCSC-FI, the Finnish National Cyber Security Center, since 2006 with various responsibilities related to vulnerabilities, incidents and information assurance.
According to an old adage, you cannot protect what you don’t know you’ve got. Network scanning is one of the most cost-effective methods for identifying assets and services, reducing attack surface and responding to published vulnerabilities. NCSC-FI has been systematically scanning Finnish networks since 2015 and notifying constituents of the findings. In addition, topical vulnerabilities are scanned and reported when they’re considered critical for the nation or a specific critical constituent sector. In 2023, NCSC-FI implemented the Hyöky service, currently targeted at improving the security posture of Finnish municipalities by performing automated and on-demand scans. The service could also be used to scan the Finnish critical infrastructure sectors, as required by the upcoming NIS2 regulation of the EU. This talk recounts the experiences and lessons learned from the years of scanning and notification as well as the work on implementing a scanning service.
June 12, 2024 14:00-14:35
- TLP:CLEAR
Lightning Talks
All are welcome to participate! To submit a talk, find the Lightning Talk flip chart near registration on the lobby level and enter your talk on-site. Talks will go in order received. No pre-signup.
June 11, 2024 16:15-17:15
- GB | TLP:GREEN
Lost In An Ocean of Emotion: Considering the Human Factors in Cyber Response
Keir P (National Cyber Security Centre (NCSC-UK), GB)
Keir is the Head of Strategic Response and Coordination at the UK's National Cyber Security Centre (NCSC-UK). He focuses on developing the NCSC-UK and UK Government response to significant cyber events. Keir sees partnership, collaboration and community as the best way of tackling challenges both big (pyramids), and small (personal wellbeing); if it worked when we tried it for the past 50,000 years, why stop now!?
Keir has been with NCSC-UK since its foundation in 2016, having previously worked in incident response in the NCSC's precursor organisation, CERT-UK. Keir has had wide experience at both a technical and strategic level in dealing with a variety of prominent cyber events with significant impact both in the UK and across the globe.
Today, as a community, we are starting to recognise the increasing impact that cyber security incidents, data breaches, and the associated responses are having on the people caught in the middle: IR professionals pushed to the edge, CISOs taking the stand, and everyday citizens left vulnerable. We are still in a position where most of our focus in incident response looks at TTPs and technical proficiency or, from the strategic side, strategic management and senior comms. Are we doing enough to change the conversation on the human factor? Delving into the realms of fear, complacency, resignation, loss, burnout, and confidence, I want to start a conversation as to how we, as a community, start to more heavily weigh this human cost as part of our response and awareness plans.
June 11, 2024 09:00-09:35
- GB, IT, US | TLP:RED
Lucky Leaks
Éireann Leverett (Concinnity Risks, GB), Lorenzo Nicolodi (Microlab.red, IT), Divya Ramjee (Rochester Institute of Technology, US)
Éireann Leverett has a history of innovating research in cyber crime and DFIR. Over the years he has shifted from vulnerability notification (10k reasons to worry about critical infrastructure) to red teaming. From there he developed ransomcoin tooling, metrics for measuring the ransomware market economies, and vulnerability forecasting. He loves collaborating with other people on these innovations and helping them maximise their own potential in their specialty.
Lorenzo is a long-time hacker who embarked on his career as a forensic examiner before being captivated by the thrill of offensive security, with a penchant for ICS/embedded systems. Throughout the years, he has actively engaged in multiple Incident Response (IR) initiatives, progressively deepening his expertise in cyber security Research and Development (R&D). Since August 2022, Lorenzo has been immersed day and night in the pursuit of ransomware data with Sentinel, which Éireann uses for his black-magic statistical analysis.
Lorenzo and Éireann became friends with 'switches get stitches' back in 2014, and now collaborate on systematic measurement of ransomware operations.
Divya Ramjee is an assistant professor at the Rochester Institute of Technology and researcher at the ESL Global Cybersecurity Institute. She is also a fellow in the International Security Program at the Center for Strategic and International Studies (CSIS), serving as the inaugural data fellow in the Futures Lab. Dr. Ramjee’s research focuses on technology, security, and public policy, as well as statistical and computational methodologies. She has spent the last decade working at nonprofit organizations and various federal government agencies including the Executive Office of the President of the United States, the U.S. Consumer Product Safety Commission, and, most recently, the Computer Crime and Intellectual Property Section at the U.S. Department of Justice. Dr. Ramjee is a dual graduate of the Ohio State University and received her dual MS from the Johns Hopkins University’s Krieger School of Arts & Sciences and School of Advanced International Studies and her PhD from the American University’s School of Public Affairs.
What can we learn from analysing ransomware leak data? Does Locard's Exchange Principle apply to file paths? Can we see how many leaks have backups present? Can we learn the TTPs of different affiliates and study their post exploitation habits? Of course we can.
June 11, 2024 14:15-14:50
- US | TLP:CLEAR
Metamorphosis in Vulnerability Analysis: Navigating VeX Challenges and Soaring Towards Solutions
Jessica Butler (NVIDIA, US), Kaajol Dhana (NVIDIA, US)
Jessica Butler is an engineering manager for NVIDIA’s Product Security Tools team. Her passion is providing an easy button for security tools by designing and implementing internal enterprise applications with a focus on developer integration and support. Jessica has over 17 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. In her free time Jessica enjoys gardening, rehabbing her 100+ year old urban home and traveling with her family, BJ, Sebastian, Eliza and Azalea.
Kaajol Dhana is a software engineer for NVIDIA’s Product Security Tools team. She is interested in container security and providing actionable and insightful reports for teams to be able to remediate security risks. Kaajol has over 4 years of experience and earned her BS in Computer Engineering from the University of Texas at Austin. Outside of work, Kaajol enjoys playing tennis, trying out new restaurants, and traveling with her husband.
The Vulnerability Exploitability eXchange (VeX) is a central concern for organizations handling vulnerability management and Software Bill of Materials (SBOM). It signifies a pivotal shift in vulnerability response, unifying CVE and potentially affected component data. We will explore the complexities of this industry buzzword and automation challenges amidst the diverse nature of vulnerabilities, an evolving threat landscape, and the need for precise analysis of each software stack issue. The question lingers: Is VeX our panacea or another unexpected wrench in the system? Join industry experts for a discussion of how NVIDIA is approaching the future of vulnerability response by diving into several VeX case studies and potential solutions. The presenters will address the industry's challenges in response and disclosure by highlighting the following:
- Lifecycle of an Open Source vulnerability and handling the elephant in the room: FALSE POSITIVES
- Automating VEX analysis inheritance
- Improvements for effective vulnerability prioritization beyond CVSS
- How Generative AI can help decrease initial triage time
June 11, 2024 15:00-15:35
- US | TLP:GREEN
MISP Unleashed: Observing a Litter of Adorable MISP Puppies Turning into a Gang of Untamed Wild Beasts
Enrico Lovat (Siemens Corp., US)
Enrico Lovat received his PhD from the Technical University of Munich for his research on the topics of usage control and information flow tracking. He joined Siemens CERT in 2016 in the dual role of Incident Handler and Cyber Threat Intelligence Team Lead. In 2022 he moved to Siemens Technology as Principal Key Expert, supervising the research in technologies and innovations for cybersecurity services.
Once upon a time, a central Threat Intelligence Platform (TIP) started to show the first signs of aging. A group of experts assembled and decided to replace it with a new and exciting one called MISP. The team designed a majestic architecture with a dozen interconnected new instances of MISP, each one dedicated to specific tasks. All the MISP puppies enjoyed the new kingdom and happily played along with each other, exchanging data using MISP native synchronization and filtering capabilities. Every issue that the old platform suffered from was catered to so, on paper, everything was perfect. But was it? What happened when the puppies grew up? Join us for the fascinating tale of one of the most complex MISP ecosystems ever built - where the joy of raising feature-packed MISP puppies clashed with the tricky challenges of taming a technological beast - and we will share the valuable lessons that we learned in the vibrant chaos of our overengineered MISP zoo. This presentation was made possible by the contributions of both Enrico Lovat and Tobias Mainka.
June 11, 2024 11:30-12:05
- JP | TLP:CLEAR
Monday Keynote Address: Challenges of Digital Agency - Initiatives for Robust Infrastructure Systems for Government Agencies and Citizens’ Lives in Japan
Akira Saka (Digital Agency, JP)
Akira SAKA is the CISO of Digital Agency Japan and was the CISO of The Tokyo Organising Committee of The Olympic and Paralympic Games in 2021. He is also the Managing Director of the Council of Public Policy Japan and a director of JC3, the Japan Cybercrime Control Center. He served a career in the National Police Agency for 33 years, including serving as the Director of the Cybercrime division and the Director of the Security System Planning Office, NPA.
The Digital Agency is a new administrative agency established in Japan on September 1, 2021. The Digital Agency aims to implement the infrastructure for the public and private sectors in the digital age in a very short term. It is also responsible for developing the annual national plan for digitalization with the cooperation of various stakeholders. In this talk, I will discuss details on the activities of the agency from strategic planning to technical projects, including our CSIRT and security monitoring operations.
June 10, 2024 09:30-10:30
- FR | TLP:GREEN
Monitoring DDoS Activists Activity
Paul Jung (CERT-XLM (Thales/Excellium Services), FR)
Paul Jung has long been a security enthusiast. He has worked in the security field in Luxembourg for more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experiences that enable him to perform multiple roles, from offensive security audit to security incident handling. From 2008 to 2014, prior to joining Excellium Services, Paul was Senior Security Architect in the Managed Network Security department of the European Commission. In this previous position, Paul was responsible for leading technical aspects of security projects. Since 2014, Paul has worked at Excellium Services as senior security consultant. He leads Excellium Services CSIRT (CERT-XLM). In 2022 Excellium Services was acquired by Thales Group. In this position, Paul leads the response team involved in incident handling and intrusion responses. He provides security awareness and recommendations to Excellium Services customers. Paul is often a speaker at local events or security conferences such as the FIRST Conference, Virus Bulletin, Botconf or Hack.lu. He also wrote a few articles in MISC magazine (French) about DDoS, botnets and incident response. His mother tongue is French, and he speaks English.
In September 2023, the activist group Noname057(16) claimed responsibility for a series of attacks against European CSIRTs, highlighting the constantly escalating activities of activists amid the Ukraine and Gaza conflicts. At CERT-XLM, the CSIRT of Excellium Services, a Thales Group company, we monitor such threats for our customers. This presentation focuses on our Telegram channel monitoring approach to track DDoS attacks orchestrated by activist groups. We delve into the Telegram activist landscape. The presentation discusses the technical challenges of extracting diverse data from Telegram, emphasizing the intricacies of managing continuous data flow and identifying various chat room formats. We will share valuable experiences and strategies for effectively monitoring Telegram channels, addressing the dynamic landscape shaped by geopolitical events and activist-driven cyber threats.
June 14, 2024 09:00-09:35
- US | TLP:GREEN
Navigating the New Normal, In the Remote/Hybrid Cybersecurity Landscape
James Potter (Huntington National Bank, US), Raja Jasper (Huntington National Bank, US)
James Potter is a VP, Principal Threat Hunting Lead on the Incident Response team at Huntington Bank. He has over 14 years of experience as a cyber security practitioner, focusing on digital forensics, incident response, and threat intelligence. In his free time, he travels with his family exploring national parks. When not travelling he enjoys watching his kids’ Irish dance and other activities.
Raja Jasper is a VP, Senior Manager on the Incident Response team at Huntington Bank. He has over 13 years of experience in developing a security operation center, incident response, and forensics. He is an Adjunct Professor at Robert Morris University teaching Network Security. He is a founder of "FRIENDS Charities", where scholarships are presented to high school students who are in financial need and entering STEM-related degrees. In his free time, he brews beer.
The past few years created a paradigm shift from teams being co-located in offices to remote/hybrid work. We share our strategies, challenges, and triumphs, revealing how we fostered a cohesive team, nurtured a collaborative culture, and managed the complexities of a remote/hybrid workforce.
June 13, 2024 11:15-11:50
- AT, LU | TLP:GREEN
NeuroCTI - a Custom Fine-Tuned LLM for CTI - Benchmarking, Successes and Lessons Learned
Aaron Kaplan (Independent / EC-DIGIT-CSIRC, AT), Alexandre Dulaunoy (CIRCL.lu, LU), Jürgen Brandl (Federal Ministry of the Interior, Austria, AT)
Aaron is currently working for EC-DIGIT-CSIRC where he focuses on how to leverage the power of Large Language Models (LLMs) for CTI purposes. Prior to joining EC-DIGIT-CSIRC, Aaron was employee #4 of CERT.at. He co-founded intelmq.org.
In the field of AI, Aaron co-founded deep-insights.ai, a medical AI research group focusing on delivering deep learning based classifiers for the rapid detection of lesions in the human body. He also co-chairs the AI Security SIG at FIRST.org. Aaron likes to come up with ideas which have a strong benefit for (digital) society as a whole and which scale up. He loves sharing knowledge and open source tools to automate stuff.
Alexandre Dulaunoy enjoys it when humans use machines in unexpected ways. I break stuff and I do stuff at CIRCL.
Jürgen Brandl is a senior cyber security analyst at the Federal Ministry of the Interior and has 10 years of experience working in incident response, protecting both governmental and critical infrastructure from cyber attacks. In his current role, he is researching and advocating for the need to use AI to face the emerging threat landscape.
Dr. Paolo Di Prodi was a senior data scientist at Microsoft and Fortinet. In late 2022 he founded a company called Priam Cyber AI ltd that uses virtual agents to automate security operations. He contributes regularly to open source projects from OASIS like STIX 2.1, MITRE ATLAS, IOB and various LLM projects such as OLLAMA and LiteLLM. He is also a member of the Automation AI SIG in FIRST and contributed to developing EPSS at RAND.
LLMs turn out to be highly practical for summarising and extracting information from unstructured Cyber Threat Intelligence (CTI) reports. However, most models were not trained specifically for understanding CTI. We will present a custom LLM, fine-tuned for CTI purposes. But of course, that only makes sense with a CTI text benchmark dataset. Creating these two systems is a challenging journey. Setbacks guaranteed. We will share our findings. Comes with batteries and MISP integration.
June 14, 2024 11:15-11:50
1115-Neurocti-Kaplan-Dulaunoy-Brandl.pdf
MD5: 8ffa6d10d9ef99e8c1f0d09e3bd9e0ef
Format: application/pdf
Last Update: June 26th, 2024
Size: 11.86 Mb
- DE | TLP:CLEAR
One Chain to Shackle Them All
Thomas Proell (Siemens AG, DE)
Thomas Proell has been working for Siemens in product security for 15 years. After five years of penetration testing he changed sides and is leading the incident handling and vulnerability response team for Siemens ProductCERT.
His goal is to push for more transparency in vulnerability handling to give affected stakeholders all necessary information about vulnerabilities to defend their systems.
When vulnerabilities like Log4J show up in the supply chain, the reaction of many vendors is disappointing in speed and quality. It takes much too long to publicly disclose robust information about which products and which versions are affected, and which are not. In most cases, this information is not released at all. The security community, customers and law makers have suspected this for some time now, and approaches like VEX and SBOM are pushed for that reason. We see demands for this information in legislation on most continents. However, the impact of all these efforts will be limited in real life as long as we do not properly understand the key issues. This talk will give some insights into where the problems lie and how we need to adapt our tools and approaches.
June 10, 2024 11:45-12:20
- JP | TLP:CLEAR
Organizing Security Issues Discovered During Product Testing for Easier Consumption by Product Developers
Yuichi Kikuchi (Panasonic Holdings Corporation, JP)
Yuichi Kikuchi joined Panasonic in 2019 out of school and joined the vulnerability testing team at the Product Security Center as his first job in the cyber security field.
His daily work involves vulnerability testing various products and devices for Panasonic business units and alongside that work he thinks about better ways to score and classify vulnerabilities.
At the Product Security Center at Panasonic, we have a team dedicated to testing for vulnerabilities in products prior to shipment. The testing activities cover a wide range of products and have been ongoing for around 20 years. One of the main challenges the vulnerability testing team encounters is the need to provide easy-to-understand "actionable" vulnerability information to our internal developers. When providing vulnerability information and testing results to product developers, confusion arises when we just provide some technical information about the vulnerability alongside widely used classifications and scores (such as CWE and CVSS). With our goal being to provide more secure products to our users, it is critical that we make vulnerability information easier to understand so it is ‘actionable’ for the developers. In this presentation, I will provide an overview of how we organized/classified years’ worth of vulnerability and testing data, and how we at Panasonic have devised a better way to effectively communicate with product developers about discovered vulnerabilities.
June 11, 2024 13:30-14:05
- SG | TLP:GREEN
Point of Sale (PoS) Break: Ransomware's Ingress via Compromised POS at Mobile Phone Retailer
Lik Hau Seet (Infocomm Media Development Authority of Singapore, SG), Clifton Soh (Infocomm Media Development Authority of Singapore, SG)
Mr Seet Lik Hau currently leads the Infocomm Singapore Computer Emergency Response Team (ISG-CERT), where he manages a team of forensics and malware analysts. Lik Hau specialises in Digital Forensics and Incident Management. During his years in IMDA, he has been involved in incident investigations with operators in the Infocomm and Media sectors.
Mr. Clifton Soh is one of the pioneer members of the Infocommunications Singapore Computer Emergency Response Team (ISG-CERT) under IMDA, responsible for handling cyber security incidents and digital forensics in Singapore's Infocomm and Media sectors. Clifton has 15 years of experience in cyber security incident investigations. Before IMDA, Clifton was part of the Singapore Computer Emergency Response Team (SingCERT).
Ransomware incidents pose a significant threat to small and medium-sized telecommunication companies. This sharing highlights the vulnerability of these enterprises to cyberattacks, underscoring the crucial role played by frontline customer services. Moreover, there is a growing awareness of how Point of Sale (PoS) systems serve as potential entry points for threat actors into retail stores or dealers, which in turn become a supply chain risk for a telecom business. Small and medium-sized telecom businesses often lack robust cybersecurity measures, making them prime targets for ransomware attacks. Frontline customer service teams, being the first line of defence, require increased awareness and preparedness to prevent potential breaches. It is essential to emphasize cybersecurity training and reinforce defences, particularly securing PoS systems, to safeguard the integrity of telecommunication operations in smaller entities.
June 11, 2024 09:45-10:20
- JP | TLP:CLEAR
Pushing Coordinated Vulnerability Disclosure Forward in Asia Pacific
Tomo Ito (JPCERT/CC, JP)
Working as a vulnerability coordinator at JPCERT/CC for 8 years, Tomo currently leads the Global CVD project of the organization, which aims to contribute to the global CVD ecosystem stability through collaborations with the stakeholders from different parts of the world.
Coordinated Vulnerability Disclosure (CVD) is a global challenge. In its process, vulnerability information flows through the global supply chain. It is often complicated: many stakeholders are involved in many CVD cases. The Asia Pacific region is no exception. There are many software product/component suppliers in the region. Several CERT organizations in the region conduct CVD or act as a CNA individually, but a cooperative system has never been built. Also, there is much room left for CVD adoption in the region. To start tackling these issues together, and also aiming to create a cooperative framework in the region, a CVD working group was created in APCERT, the CSIRT community of Asia Pacific. In this presentation, the motivation, background, activities and the challenges found, as well as the future aims of the working group, will be explained.
June 14, 2024 09:00-09:35
- FR, IN | TLP:CLEAR
SBOMs for the Win! How PSIRT Teams Could Use SBOM
Fabrice Kah (Schneider Electric, FR), Harish Shankar (Schneider Electric, IN)
Fabrice Kah is the PSIRT Operations Leader at Schneider Electric, based in France. He has 23 years of experience in cybersecurity, with a strong focus on OT technology over the past few years. A former pentester, Fabrice defined and consolidated the cybersecurity testing program for products between 2017 and 2022, focusing on industrial products like PLCs, engineering applications, HMIs, drives and IIoT. His current activities cover vulnerability management, incident response, relationships with researchers and suppliers, and threat intelligence at Schneider Electric. Fabrice is a certified ISA/IEC 62443 Cybersecurity Expert.
Harish Shankar is a seasoned cybersecurity professional who is currently working as Director – Head of Product Vulnerability Management at Schneider Electric. In this role, he heads Schneider Electric’s PSIRT Team, which is represented as SE - Corporate Product Cyber Emergency Response Team (CPCERT), where he is responsible for defining and governing product vulnerability response. Prior to this role, he handled Product Incident Response and has hands-on experience in Incident Response and Digital Forensics. He also held the position of Information Security Officer for the APAC region at Schneider Electric. He is the winner of the NEXT100 award in 2018. He is based in Bangalore, India.
There is some debate as to how SBOMs can enhance vulnerability management practices, and some believe that collecting SBOMs from internal teams or suppliers is too difficult and time-consuming. Learn how Schneider Electric has collected thousands of our product SBOMs and how we are leveraging the SBOMs as part of our corporate product CERT to quickly analyze and focus our attention when time is of the essence. This presentation describes how we modified our policies and processes to collect, generate, and store thousands of SBOMs. You will hear how we have leveraged SBOMs during the Log4j and OpenSSL vulnerability events. Then we will conclude with key learnings, suggestions, and opportunities for improvement.
June 10, 2024 11:00-11:35
- DE | TLP:CLEAR
Sharing Communities: The Good, the Bad, and the Ugly
Thomas Geras (HM Munich University of Applied Sciences, DE)
Thomas Geras is a Doctoral Candidate at HM Munich University of Applied Sciences.
There are many mysteries surrounding sharing communities, mainly due to their hidden workings and the complexity of joining. Nevertheless, these communities are critical to the security ecosystem, so a more profound understanding is necessary. In addition, they face challenges such as building trust, communicating effectively, and addressing social problems. This work aims to better understand the working methods, organizational structures, goals, benefits, and challenges of sharing communities to help improve their effectiveness and efficiency. To achieve this goal, we conducted video interviews with 25 experts from different countries worldwide who participate in various types of sharing communities. In addition, we applied socio-technical systems (STS) theory in our analysis process to elaborate on our findings from the interviews, identify correlations between them, and explore the interrelationships between social and technical elements of sharing communities. Our findings underscore the need for a holistic view of how sharing communities work. Instead of looking at individual aspects in isolation, considering the interrelationships between the different elements, especially the social ones, is crucial. This holistic perspective allows us to better understand the complexity and dynamics of sharing communities and how they can function effectively and efficiently. The findings of this study provide valuable impetus for the further development of sharing communities and can serve as a basis for future research.
June 11, 2024 11:30-12:05
- TLP:CLEAR
SIG Updates
Featuring Updates From:
- Cyber Threat Intelligence SIG
- Security Lounge SIG
- AI Security SIG
- DNS Abuse SIG
- Law Enforcement SIG
- Malware Analysis SIG
- Metrics SIG
- NETSEC SIG
- Standards SIG
- TLP SIG
- CVSS SIG
- EPSS SIG
- Human Factors in Security SIG
- Next Gen SIRT
- Red Team SIG
- Women of FIRST SIG
June 13, 2024 09:00-10:00
- BE | TLP:CLEAR
Sigma Unleashed: A Realistic Implementation
Mathieu Le Cleach (CERT-EU, BE)
Mathieu is a member of CERT-EU's Digital Forensics and Incident Response team. He wears two hats: responding to security incidents, including significant ones, and engineering CERT-EU's detection strategy. Before joining CERT-EU, Mathieu worked as a CSIRT analyst for a French financial institution.
Sigma is a well-known generic detection rule format in the cybersecurity landscape. While this free, open-source project is very active and offers a wide range of features, its implementation is challenging, especially for MSSPs. At CERT-EU, we serve the 90 European Union institutions, bodies, offices and agencies (Union entities) and we strive to deliver the best possible services to them. This is why we relentlessly try to enhance the detection capabilities of our Security Log Monitoring Service. To this end, we created droid, a tool that we specifically built to introduce Detection-as-Code in our environment. In the spirit of fostering a culture of collective progress, we are very excited to share droid as our approach to facilitating the ingestion of Sigma rules for any organisation. The tool unlocks the following use cases: detection content versioning, a vendor-agnostic approach, cross-tool detection content, testing and validating detection rules by taking advantage of Atomic Red Team, and automated export of the rules to multiple SIEMs and EDRs.
June 13, 2024 13:15-13:50
1315-1350-Sigma-Unleashed-Mathieu-Le-Cleach.pdf
MD5: f61a148675d27ca06d0994c6dae05904
Format: application/pdf
Last Update: July 2nd, 2024
Size: 19.01 Mb
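The vendor-agnostic use case in the abstract above, as an added example written for this page (it is not CERT-EU's droid and not pySigma): a toy translator that renders one Sigma rule into simplified Splunk SPL and Microsoft KQL. The rule RULE is constructed for the example and embedded as a dict so no YAML parser is needed; field names are passed through unmapped; only the contains/startswith/endswith modifiers and an and/or/not condition are supported. All function names are this example's own.

```python
"""Toy Sigma-to-query translator (added example, not droid or pySigma).

One generic rule, two backend dialects. The backend rendering is deliberately
simplified; the escaping rules are where real converters earn their keep."""
from typing import Any

# Constructed Sigma-style rule, embedded as a dict so the example runs offline.
RULE: dict[str, Any] = {
    "title": "certutil used as a downloader (constructed example rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["urlcache", "-decode"],
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}

# Boolean keywords per backend (SPL convention is upper case; KQL is lower case).
KEYWORDS = {
    "splunk": {"and": "AND", "or": "OR", "not": "NOT"},
    "kql": {"and": "and", "or": "or", "not": "not"},
}


def render_atom(field: str, modifier: str, value: Any, backend: str) -> str:
    """Translate one Sigma field|modifier: value triple into a backend term."""
    text = str(value)
    if backend == "splunk":
        # SPL: backslash and double quote must be escaped inside "..."
        text = text.replace("\\", "\\\\").replace('"', '\\"')
        pattern = {
            "contains": f"*{text}*",
            "endswith": f"*{text}",
            "startswith": f"{text}*",
            "": text,
        }[modifier]
        return f'{field}="{pattern}"'
    if backend == "kql":
        # KQL verbatim literal @"..." keeps backslashes as-is; quotes are doubled
        text = text.replace('"', '""')
        op = {"contains": "contains", "endswith": "endswith",
              "startswith": "startswith", "": "=~"}[modifier]
        return f'{field} {op} @"{text}"'
    raise ValueError(f"unsupported backend {backend!r}")


def render_group(spec: dict[str, Any], backend: str) -> str:
    """A Sigma map: its keys are AND-ed together, a list value is OR-ed."""
    kw = KEYWORDS[backend]
    terms = []
    for key, value in spec.items():
        field, _, modifier = key.partition("|")
        values = value if isinstance(value, list) else [value]
        atoms = [render_atom(field, modifier, v, backend) for v in values]
        if len(atoms) == 1:
            terms.append(atoms[0])
        else:
            terms.append("(" + f" {kw['or']} ".join(atoms) + ")")
    return f" {kw['and']} ".join(terms)


def sigma_to_query(rule: dict[str, Any], backend: str) -> str:
    """Expand the condition: each named group is rendered and parenthesised,
    and/or/not are swapped for the backend's keywords."""
    detection = rule["detection"]
    kw = KEYWORDS[backend]
    out = []
    for token in detection["condition"].split():
        if token in kw:
            out.append(kw[token])
        else:
            out.append("(" + render_group(detection[token], backend) + ")")
    return " ".join(out)


if __name__ == "__main__":
    for name in ("splunk", "kql"):
        print(name, "->", sigma_to_query(RULE, name))
```

The same rule value needs different treatment per backend: the single backslash in `\certutil.exe` is doubled for SPL but left alone inside a KQL verbatim literal, and a double quote is backslash-escaped in one and doubled in the other. Getting that wrong silently produces a query that never matches, which is the kind of per-vendor detail a shared converter takes out of every analyst's hands.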
- JP ES TLP:CLEAR
So Far and Yet so Close. A Story of Collaboration Between Japan and Spain While Analyzing Simultaneous Infostealers Campaigns
Masato Ikegami (Canon IT Solutions Inc., JP), Josep Albors (Ontinet.com, ES)
Masato Ikegami is a malware analyst at Canon IT Solutions with 10 years of experience in cybersecurity. His primary focus is on the automated analysis and classification of malware. He currently holds the following certifications: CISSP, GREM, GCTI, GCIH.
Josep Albors is the Head of Awareness & Research at ESET Spain (Operated by Ontinet.com). He has more than 18 years’ experience in cybersecurity and now specializes in security awareness. He is also the editor at the ESET Spain blog and one of the contributors to the international ESET blog WeLiveSecurity.
He participated as a speaker at the AVAR 2019 international conference in Osaka, CARO Workshop 2023 in Bochum (Germany) and at many important local security conferences in Spain. Josep is a teacher in cybersecurity courses at several Spanish universities. He collaborates with the Spanish Guardia Civil, Spanish National Police and the Spanish Army, and teaches their units how to fight cybercrime.
Malware doesn’t know about frontiers, but some malicious campaigns are more effective in some countries than in others. When one of these countries is the one you are living in, you might have a serious problem, especially if you work in cybersecurity. Luckily for us, we live in a connected world and you can find a colleague who is also facing the same problem in his country and work together with him, even if you are more than 10,000 km away. This is the story and lessons learned of two researchers working together, facing several infostealer campaigns targeting Japan and Spain, and how they started sharing information that helped them understand why the cybercriminals were so focused on their countries. This is also an example of how to create and maintain a collaboration channel between two distant countries that can be used as an example if you are facing similar problems.
June 11, 2024 10:45-11:20
1045-1120-So-Far-and-Yet-so-Close-Ikegami-Albors.pptx
MD5: 7a44becbe92ab8218a23e0bd34df7d11
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 26th, 2024
Size: 19.25 Mb
- JP TLP:GREEN
Streamline Security Operations with the SOAR/SIEM Tool and the ITSM Solution
Yutaro Ichimura (NTT Communications, JP), Keisuke Tokuda (NTT Communications, JP), Hironori Yokote (NTT Communications, JP)
Yutaro Ichimura has been a Security Engineer at NTT Communications since 2022. As a member of NTT Com-SIRT, he develops applications to streamline security operations for incident response. He holds the GIAC Cloud Security Automation (GCSA) certification.
Keisuke Tokuda has been a member of NTT Com-SIRT, NTT Communications Corporation since 2017 and works as a SOAR/SIEM developer for incident response and on NetFlow analysis for NDR solution operations. He is a Certified Information Systems Security Professional (CISSP).
Hironori Yokote has been a member of NTT Com-SIRT, NTT Communications Corporation since 2020 and works as a security engineer. His job is streamlining security operations for incident response. He is a GIAC Certified Incident Handler (GCIH).
We have been able to streamline our security operations with the SOAR/SIEM tool and the ITSM solution. Previously, we were responding manually to a high volume of alerts. We had to investigate each alert with a variety of security tools, which increased our workload. We also had problems with incident management, because we used multiple management tools for different operations. Therefore, information was scattered, which caused delays in incident response. We used SOAR/SIEM tools and an ITSM solution to automate incident response and to improve incident management. Specifically, by integrating Sentinel with various security tools, we automated ticket generation, investigation, false-positive removal, threat removal, and remediation. We also standardized processes and unified management tools to ensure smooth coordination among the parties involved. Finally, we reduced our security operations workload by 73%.
June 12, 2024 13:15-13:50
- AR TLP:CLEAR
Tales From a Cloud CSIRT- Let’s Deep Dive into a Kubernetes (k8s) Infection
Santiago Abastante (Solidarity Labs, AR)
Ex-Police Officer and Cloud Incident Responder with 10+ years of IT experience. During the course of my career, I’ve worn many different hats, being able to intervene in incidents of multiple magnitudes in both the private and public sector, from bank robberies to cybersecurity breaches to confidential information leaks, leading multidisciplinary teams, learning and improving our security posture with strategic focus.
Kubernetes (k8s) is an orchestration system for automating software deployment, scaling and management, and if you don’t know… this is really hot right now.
When implemented in a cloud environment, it allows a service to grow almost without limit, because the k8s cluster can create and destroy servers at will, based on the load of the containers running. Imagine what can go wrong when attackers get to own this power for themselves… you are right, lightspeed growth equals a lot of destructive power.
In this talk, we are going to analyze a real example of an AWS Kubernetes cluster infection through a software development supply chain compromise. The attackers were able to get AWS credentials from a DevOps workstation and use them to introduce a poisoned Docker image into a Kubernetes cluster. It allowed them to move laterally within the cluster and to the cloud provider, retrieving secrets, passwords, tokens, and a bunch of other data.
Luckily, we were able to detect them just in time, as they had retrieved secrets that would have allowed them to move laterally to other companies or execute a new Docker image with nastier results. We are going to present the examples using a real-time lab, offering examples for incident responders and malware analysts to understand how to investigate these techniques, getting through the cyber kill chain and explaining what went wrong and what could have been done better.
June 10, 2024 11:00-11:35
- AU TLP:AMBER
Tales from the Deep: Diving into Barracuda Exploitation by PRC Actors
Mathew Potaczek (Mandiant/Google, AU)
Mathew is a Principal Threat Analyst on Mandiant Intelligence’s Advanced Practices team, he is based out of Adelaide, Australia. Mathew's primary role is to provide Frontline Intelligence support to Mandiant Incident Responders in the Asia Pacific region, including technical attribution of intrusion activity. Prior to Mandiant, Mathew was a Cyber Warfare Officer in the Royal Australian Air Force, where he performed various roles within Defensive Cyber Operations.
On May 30th, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) had been exploited in the wild as early as October 2022 against their Barracuda Email Security Gateway (ESG) and engaged Mandiant to assist in the investigation. Through this investigation, Mandiant identified an expansive espionage campaign believed to be in support of the People’s Republic of China. This activity, tracked as UNC4841, targeted a wide range of sectors and regions across the world and utilized at least 9 different malware families. The exploitation of zero-day vulnerabilities by PRC-nexus actors is not new, but the rate at which these campaigns occur is clearly increasing. This presentation will initially cover notable zero-day exploitation by China-nexus actors. It will then go in depth on CVE-2023-2868 exploitation by UNC4841, from targeting and tooling to overlaps with existing groups. The talk will conclude by seeking to identify key characteristics and trends within this campaign that defenders and intelligence analysts can leverage in the future.
June 13, 2024 14:45-15:20
- DE TLP:CLEAR
Tearing Down the Silos - Cyber Defense Needs an Integrated Approach
Daniel Kaestle (Mercedes-Benz Group AG, DE)
Daniel is an advocate for threat- and risk-based cyber security. He is the head of Cyber Defense at Mercedes-Benz Group AG and has vast security operations experience in SOC, DFIR and TI. He has a track record of building high-performance teams and services, and is a true car guy with a love for exciting Mercedes-Benz cars. He is a certified CISSP and holds various SANS GIAC certificates.
The talk will share insights on the Mercedes-Benz journey and my personal learnings along the path to a fully integrated team. Threat detection & response is not effective in silos, which is why I set out to tear them down wherever I could find them and build a strong follow-the-sun team which does it all. I will share experience and failures along the path to our current setup, which includes IT, OT & Product security under the umbrella of our Cyber Intelligence & Response Center (CIRC). The team delivers all the capabilities like Monitoring, Incident Management, Detection Engineering, DFIR, Malware analysis, Threat Hunting, Threat Intelligence and others across the different verticals and is fully organized in Virtual Teams. This has enabled us to successfully tackle some of the most severe threats & incidents of the last years.
June 11, 2024 10:45-11:20
- HR TLP:GREEN
The Art of Bonsai: How to Build a Cyber Security Expert?
Dona Šeruga (CARNET - CERT.hr, HR), Jakov Đogić (CARNET - CERT.hr, HR)
Dona Šeruga is a cyber security adviser in the National CERT sector of CARNET - Croatian Academic and Research Network. She has a Master's Degree in computer science research (Information and Communication Sciences). She is a member of the Incident Handling Team, and her duties include reporting at national and EU level, incident handling and cyber crisis management. She has experience in organizing national CTF competitions, working on the e-University project maturity model and raising security awareness.
Jakov Đogić is a senior cyber security technician who has worked for the Croatian National CERT/CARNET for three years. He has a Master's Degree in computer science teaching (Information and Communication Sciences) from the Faculty of Humanities and Social Sciences, University of Zagreb. He is part of the Penetration Testing Team and his duties include electronic certificate management and vulnerability scanning. He has experience in coordinating national CTF competitions, raising security awareness and applying artificial intelligence in education.
What can we do in a world where the cyber security talent shortage is a reality we live in? The key idea starts with youth education, because tomorrow, it’s their talent that will bridge the workforce gap. Just like a bonsai tree, the path to becoming a cyber security expert has many branches and twigs, but if perfected it can become a skillful tree crown that will secure our online world. As both National CSIRT and Education and Research Network, it is our duty to raise awareness and educate high school and university students to become a competitive cyber security workforce. With today’s youth living online and playing video games, we are bringing gamification as a way to start or expand their interest in cyber security. By organizing national CTF competitions, we are raising cyber security awareness so that the next generation will be able to protect our ever-growing digital world.
June 12, 2024 14:00-14:35
- JP TLP:AMBER
The Art of Incident Management
Yoshiki Sugiura (NTT DATA Intellilink Corporation, JP), Yusuke Kon (Trend Micro Incorporated, JP)
Yoshiki Sugiura has been working in CSIRTs for 25 years. He used to be a member of JPCERT/CC from 1998 to 2002. He works for IL-CSIRT and NTT-CERT. He is also a board member of Nippon CSIRT Association. He is a certified trainer and auditor for SIM3. His current working area is management of CSIRT.
Yusuke Kon is a seasoned Incident Responder with over 12 years of experience in the field. He leverages his expertise to focus on threat intelligence sharing and customer support, ensuring organizations stay informed and receive assistance when facing security threats. He holds certifications including CEH, CHFI, ECSA, CISSP, and SIM3 Auditor.
This presentation will share the speakers' insights gained from their experience in building, operating, and supporting various CSIRTs. The speakers will also propose management techniques that can be used by CSIRTs. Many organizations have a large amount of documentation and checklists for Incident Response plans and procedures. However, it is not realistic to use these documents in incident response due to their sheer volume. In many cases, these documents are simply created and then forgotten. As a result, many CSIRTs are forced to respond to incidents in a state of panic and high stress. They are also often under-resourced, which prevents them from reflecting on the incidents they have responded to and incorporating the lessons learned. As a result, they often repeat the same mistakes. This presentation will clarify these challenges and provide techniques for advancing the maturity of Incident Management using SIM3, and for improving efficiency using the CSIRT Services Framework. The speakers will also propose a technique for identifying actions from incident response activities and incorporating them into the incident response plan.
June 12, 2024 14:45-15:20
- DE TLP:CLEAR
Turn the Tables: How We Use GPT to Detect Phishing Websites
Eduard Alles (G DATA CyberDefense AG, DE)
Eduard Alles studied at the Ruhr-University Bochum and wrote his master's thesis about the decryption of encrypted files after a ransomware attack from the point of view of an antivirus company. Early in his career at G DATA CyberDefense AG, he focused on Web Threats, especially on Phishing. In this field, he has spoken at conferences such as SAS and AVAR.
We utilized OpenAI’s API to fine-tune several models based on GPT-3 for phishing website classification. The evaluation of our classifier shows an F1 score of 0.92 with a phishing certainty threshold of 90%. The classification is modular and based on nine methods to extract relevant features from DOMs, but can be easily extended. After an initial evaluation of these DOM features, we combined them into a robust ensemble classifier to efficiently distinguish phishing from clean sites. The cost saving in this approach is remarkable: we spent less than $20 to train all our models, and each classification costs on average $0.001. In our research, we show that this approach can be scaled to track a large number of sites and classify them in a short time. While we have a phishing classifier that can be used in production, we are evaluating GPT-3.5 and Llama 2 for further improvement and coverage of more use cases in cybersecurity.
June 11, 2024 09:45-10:20
- JP TLP:CLEAR
Understanding the Chinese Underground Card Shop Ecosystem and Becoming a Phishing Master
Strawberry Donut (Independent Researcher, JP)
Strawberry Donut is a data scientist with expertise in fraud detection and machine learning. Apart from eating strawberry donuts, she is also interested in dark web analysis, threat intelligence, and anti-fraud social engineering. She has an extensive background in implementing anti-fraud measures within leading banks, securities firms, and internet companies, and has been an invited speaker at 10+ cyber security conferences including RSA Conference 365 and CODE BLUE.
Personally Identifiable Information (PII) leaks have become more frequent in recent years, and losses from credit card fraud in 2022 set records in both Japan and the US. Where did this information get leaked and sold in the first place? The term "dark web" refers to websites inaccessible without the Tor protocol; given the added privacy and anonymity of Tor, the marketplaces on it have proven very attractive to criminals. An anonymous researcher will share experiences of dealing with vendors from card shops on dark web marketplaces, focused on insights into shops selling PII and, therefore, the TTPs of the hackers behind these card shops. The TTPs of real-time phishing performed by Chinese fraudsters will also be demonstrated in this session. We hope to inspire audiences to rethink how to reduce credit card fraud.
June 13, 2024 10:30-11:05
- JP TLP:AMBER
Understanding the Readiness of Japan's Manufacturing Industry for Cybersecurity and what the "PSIRT 2.0" should be for fulfilling Product Liability?
Hikohiro Lin (PwC Consulting LLC, JP), Kosuke Ito (PwC Consulting LLC, JP)
Hikohiro Lin was in charge of Product Security at Panasonic headquarters for over 15 years. He led several projects, including devising and deploying security test methods and risk assessments for IoT devices, formulating product security standard rules and guidelines, building a global product security system, formulating head office product security strategies, and establishing the Panasonic Cyber Security Lab for future cybersecurity research and a product-focused security incident response team. He served as Head of Panasonic PSIRT, Head of Product Security at Panasonic Global, and Director of the Panasonic Cyber Security Laboratory. He has also received the (ISC)² ISLA (Information Security Leadership Achievement) APAC Senior Information Security Professional 2018 Showcased Honoree and Community Service Star awards. He is a Review Board member of HITCON and HITB (Hack In The Box), a frequent cyber security speaker at many international conferences such as Black Hat, CODE BLUE, Kaspersky Security Analyst Summit (SAS) and HITCON, and a government-invited roundtable panelist. He is currently Managing Director of Cyber Security & Privacy at PwC Consulting LLC.
Kosuke Ito is an IoT security expert with over 15 years of experience and was the first PSIRT leader founding the product security activities at JVCKENWOOD Corp. before joining PwC. He is one of the pioneers in automotive security. He had led several projects to found the basic security activities, including formulating corporate product security policy and strategies, product security standard rules and guidelines, deployment of security test methods and risk assessments for IoT devices. He also developed the product security educational materials and delivered seminars group-wide. He was also involved in developing the IoT Security Guideline v1.0 in Japan and ISO/IEC 27400. He was the founder of a manufacturing industry-wide product security promotion council and played a key role in launching the first IoT security certification program in Japan. He holds a PhD with a thesis on IoT security quality metrics.
As we live in a world where billions of IoT devices are connected to the Internet, there is a stream of news articles depicting damage caused by malware and other threats that target such devices. While there are some things that users can do to prevent such damage, end users expect manufacturers to deliver secure products as part of product quality. Many companies in the Japanese manufacturing industry are becoming aware of the need for product security. To visualize this situation, we conducted a survey of the Japanese manufacturing community. While about 70% of companies conduct some kind of threat analysis at the product planning and basic design stages, about 40% cited the collection and analysis of vulnerability information after shipment, and securing the technical capabilities and remediation costs of responding to vulnerability fixes, as challenges. Among Japanese companies that have established PSIRT activities to some extent, how to cost-effectively address vulnerabilities after shipment and how long security maintenance needs to continue are also recognized as common issues. In order to solve these problems, we believe that it is necessary to change the PSIRT from a manpower-based operation by limited security personnel to a new PSIRT that can systematically deal with these problems. In this session, we will share the current status of product security response in the Japanese manufacturing industry based on the results of the survey we conducted, and discuss the future vision of PSIRT, "PSIRT 2.0", based on the challenges faced by the manufacturing industry.
June 13, 2024 10:30-11:05
- LU TLP:AMBER
Unmasking Threat Actors: In-Depth Analysis and Monitoring of Chat and Community Activities
Aurelien Thirion (CIRCL.lu, LU), Alexandre Dulaunoy (CIRCL.lu, LU)
Aurelien Thirion, an open-source developer and security researcher since 2020, specializing in leak detection and secure information sharing. He's a core developer of the AIL project at CIRCL and contributes to the MISP project, all while maintaining tools like Passive SSH. His commitment to innovation and collaborative progress defines his impactful career in open-source development and security research.
Alexandre Dulaunoy enjoys when humans are using machines in unexpected ways. I break stuff and I do stuff at CIRCL
The landscape of threat actors has evolved, with a growing tendency to exploit chat platforms as hubs for orchestrating operations and cultivating communities. These nefarious actors employ a diverse array of communication formats, encompassing text messages, images, videos, documents, and emojis, rendering the tracking of their activities a formidable challenge. Complicating matters, the moderation of these platforms often conceals or removes vital information, while language barriers introduce an additional layer of complexity. In this presentation, we will demonstrate a comprehensive approach that leverages open-source projects to unveil the activities of threat actors. Our methodology involves dissecting the intricate web of user interactions, user activities, emoji interactions, EXIF metadata, moderation efforts, and even harnessing message timestamps to track user activity patterns. Furthermore, we will demonstrate the application of open-source Large Language Models (LLMs) to extract and translate information, enabling a deeper comprehension of these actors' motives and actions. Our methodology aims to provide insights and tools to assist security professionals in effectively monitoring and countering threats within chat and community spaces.
June 11, 2024 09:00-09:35
- FR TLP:CLEAR
Unveiling Active Directory Secrets: Uncommon Tricks for Enhanced Security
Vincent Le Toux (VINCI, FR)
Vincent Le Toux is head of the VINCI-CERT and also the author of Ping Castle, an Active Directory security tool. He has also made many open-source contributions, such as to mimikatz, OpenPGP, OpenSC and the GIDS applet. He has presented at security events, mainly Black Hat, FIRST and BlueHat.
Embark on a journey into the concealed world of Active Directory (AD), where we disclose a dozen lesser-known insights obtained from X and the official MS-ADTS documentation. Delve into common yet overlooked configuration errors, advanced reconnaissance techniques, and strategies to gain control of AD. This knowledge, absent in standard incident response reports, offers a clandestine perspective derived from unconventional sources. In this session, we present real-world scenarios, demystifying each trick while providing insights into detection and mitigation. This discourse is distinguished by the elusive nature of the shared knowledge, making it a valuable addition to your AD security arsenal. Join us for an exploration that goes beyond the ordinary, arming you with uncommon insights to fortify your AD environment.
June 14, 2024 10:30-11:05
- LU TLP:CLEAR
Version Fingerprinting Tricks: Automating Software Identification for Vulnerability Scanners
Alexandre Dulaunoy (CIRCL.lu, LU), Luciano Righetti (CIRCL.lu, LU)
Alexandre Dulaunoy enjoys when humans are using machines in unexpected ways. I break stuff and I do stuff at CIRCL
Luciano is a software developer who enjoys crafting Nmap scanners and working on DIY projects. For the past three years, he has been contributing his skills to CIRCL as a MISP core developer, working alongside a team to enhance the project.
Effective communication and timely notification of constituents are essential aspects of a CSIRT’s mandate. This talk explores how CSIRTs can leverage Nmap scripting to enhance communication strategies and keep their constituency informed about emerging threats and vulnerabilities. The talk will cover two case studies, Microsoft Exchange and GitLab, demonstrating how Nmap scripting can be utilized to identify and notify stakeholders about specific vulnerabilities in these products. This talk will show how the use of automation helps to keep the scanners up to date and assists incident responders when handling newly discovered vulnerabilities.
June 10, 2024 14:00-14:35
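The version-identification step behind the two case studies above, as an added example written for this page (it is not the CIRCL Nmap scripts from the talk, and it is Python rather than an Nmap NSE script so it runs stand-alone): it extracts a version from constructed HTTP response bodies and decides whether each host sits below a fixed build. The Exchange pattern relies on OWA exposing its build number in /owa/auth/<build>/ resource paths on the logon page; the GitLab pattern assumes, for this example only, that the instance prints "GitLab Community Edition x.y.z" in page text. SAMPLE_RESPONSES and the MIN_FIXED thresholds are constructed placeholders, not advisory data, and all function names are this example's own.

```python
"""Version fingerprinting and fixed-build comparison (added example).

Two steps a constituency-notification scanner needs: pull a version string
out of a response body, then compare it numerically against the build that
fixes an issue. Sample bodies and thresholds are constructed for the example."""
import re

# Exchange publishes its build number in OWA resource paths such as
# /owa/auth/15.2.986.5/themes/resources/favicon.ico on the logon page.
EXCHANGE_BUILD = re.compile(r"/owa/auth/(\d+\.\d+\.\d+\.\d+)/")
# Assumption for this example: the GitLab instance prints its edition and
# version in page text as "GitLab Community Edition 16.9.1".
GITLAB_VERSION = re.compile(r"GitLab (?:Community|Enterprise) Edition (\d+\.\d+\.\d+)")

# Constructed response bodies standing in for what a scanner probe receives.
SAMPLE_RESPONSES = {
    "mail.example.test": '<link rel="shortcut icon" '
                         'href="/owa/auth/15.2.986.5/themes/resources/favicon.ico">',
    "git.example.test": '<p class="version">GitLab Community Edition 16.9.1</p>',
    "www.example.test": "<html><body>nothing to fingerprint</body></html>",
}

# Placeholder thresholds keyed by product line: the lowest build treated as
# fixed. A real deployment loads these from the vendor advisory, not from here.
MIN_FIXED = {
    "exchange": {"15.1": (15, 1, 2500, 0), "15.2": (15, 2, 1000, 0)},
    "gitlab": {"16.9": (16, 9, 2)},
}


def parse_version(text: str) -> tuple:
    """'15.2.986.5' -> (15, 2, 986, 5). Tuples of ints compare numerically;
    the raw strings would sort 986 after 1000 because '9' > '1'."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(body: str):
    """Return (product, version tuple), or None when no pattern matches."""
    match = EXCHANGE_BUILD.search(body)
    if match:
        return "exchange", parse_version(match.group(1))
    match = GITLAB_VERSION.search(body)
    if match:
        return "gitlab", parse_version(match.group(1))
    return None


def needs_notification(product: str, version: tuple):
    """True if the version is below the fixed build for its line, False if at
    or above it, None if the line is unknown (a gap to report, not a pass)."""
    line = ".".join(str(part) for part in version[:2])
    fixed = MIN_FIXED[product].get(line)
    if fixed is None:
        return None
    return version < fixed


def triage(responses: dict) -> dict:
    """Map host -> (product, version string, needs_notification) for every
    host whose response could be fingerprinted; unmatched hosts are skipped."""
    findings = {}
    for host, body in responses.items():
        result = fingerprint(body)
        if result is None:
            continue
        product, version = result
        findings[host] = (product, ".".join(map(str, version)),
                          needs_notification(product, version))
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_RESPONSES).items():
        print(host, *finding)
```

The comparison is the part worth keeping in mind when scripts are updated in a hurry: as strings, "15.2.986.5" sorts above "15.2.1000.0", so a scanner comparing text would report the older build as patched. Returning None rather than False for an unrecognised product line keeps a missing threshold visible to the responder instead of silently passing the host.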
- IN FR TLP:CLEAR
Vulnerability Response for Heterogenous OT Products – Principles to Build Your Own Framework
Harish Shankar (Schneider Electric, IN), Fabrice Kah (Schneider Electric, FR)
Harish Shankar is a seasoned cybersecurity professional who is currently working as Director – Head of Product Vulnerability Management in Schneider Electric. In this role, he heads Schneider Electric’s PSIRT Team, represented as the SE - Corporate Product Cyber Emergency Response Team (CPCERT), where he is responsible for defining and governing product vulnerability response. Prior to this role, he handled Product Incident Response and has hands-on experience in Incident Response and Digital Forensics. He also held the position of Information Security Officer for the APAC region in Schneider Electric. He is the winner of the NEXT100 award in 2018. He is based in Bangalore, India.
Fabrice Kah is the PSIRT Operations Leader at Schneider Electric, based in France. He has 23 years of experience in cybersecurity, with a strong focus on OT technology over the past few years. Former pentester, Fabrice has defined and consolidated the cybersecurity testing program for products between 2017 and 2022, focusing on Industrial products like PLCs, engineering applications, HMIs, drives and IIoT. His current activities cover vulnerability management, incident response, relationship with researchers and suppliers, and threat intelligence at Schneider Electric. Fabrice is a certified ISA/IEC 62443 Cybersecurity Expert.
As a result of digitization and connected technologies, the attack surface of the OT landscape has increased. The requirements for securing OT devices have changed drastically, and responding to identified product vulnerabilities is vital for OT vendors.
An important characteristic of OT is that different categories of products interact with each other (PLC, engineering software, HMI, sensor, UPS, power meters etc.), and the multiple development teams come with their own experience, skillsets, and perspectives. Vendors need a framework to manage the vulnerabilities holistically with the right balance of flexibility.
The proposed guiding principles help organizations create their own framework by incorporating various elements, including organization model, scope of impact, prioritization, remediation, reporting and disclosure. The talk will also emphasize automation and integration of tools to be efficient, consistent and to scale with speed.
June 12, 2024 11:15-11:50
- RU TLP:GREEN
Walking Through the Minefield of Mobile Forensics
Georgy Kucherin (Kaspersky, RU)
Georgy Kucherin is a junior researcher at Kaspersky’s Global Research and Analysis Team and a fourth-year student at Moscow State University. He is passionate about analysis of complex malware and reverse engineering. His previous research includes attribution of the SolarWinds attack, as well as thorough investigations into APTs such as Turla, FinFisher, APT41, Lazarus and Operation Triangulation.
Over the last few years, the cybersecurity community has observed a significant increase in sophisticated attacks targeting mobile devices. Indeed, nowadays we see a lot of news about deployments of spyware such as Pegasus, Predator or Operation Triangulation. So, what can we do to better deal with such attacks? When investigating infections of smartphones or tablets, it is common to perform forensic analysis of compromised devices. However, in the case of top-notch mobile spyware, the process of extracting and examining forensic artifacts becomes quite complicated. It is to some extent similar to walking across a minefield, as a tiny mistake can have a detrimental impact on the analysis outcome. Thus, it is crucial to know how to perform mobile forensics carefully and efficiently. During this talk, we will share practical techniques that can be used to investigate mobile device infections in a skillful manner. To demonstrate how to apply the discussed ideas, we will use examples of known cyberespionage campaigns. Specifically, we will refer to existing reports on spyware like Pegasus, as well as personal experience gained from analyzing Operation Triangulation, a recent cyberespionage campaign targeting iOS devices.
June 12, 2024 11:15-11:50
- US TLP:CLEAR
Wednesday Keynote Address: Incident Command System 4 Industrial Control Systems (ICS4ICS)
Megan Samford (Schneider Electric, US)
Presently the only female CPSO for a major industrial, Megan is a security executive with a focus on industrial control systems security, critical infrastructure protection, and risk analysis. Megan drives the product security strategy and program for Schneider Electric’s Energy Management business.
Prior to Schneider Electric, Megan was the Global Director of Product Safety and Security for Rockwell Automation, Product Security Leader for GE Global Research and lead for the GE Product Security Incident Response Team. While working in the public sector, she served as the Commonwealth of Virginia’s Critical Infrastructure Protection Coordinator and Special Assistant for Homeland Security Projects within the Governor’s Offices of Tim Kaine and Bob McDonnell.
Megan brings a unique perspective to the security community, based on her diverse security background, with an interest in utilizing proven concepts from traditional critical infrastructure protection and emergency management foundations, such as Incident Command System and preparedness, and applying those to cyber, in particular for industrial control systems incident response.
She is an incoming 2024 Executive Board member of the International Society of Automation and the immediate past Chairperson for the ISA Global Cybersecurity Alliance. She is also leading a community-driven effort known as Incident Command System for Industrial Control Systems (ICS4ICS), which seeks to establish a common language for responding to cyber incidents and provide avenues for mutual assistance between organizations.
She is a non-resident Sr Fellow at The Atlantic Council’s Scowcroft Cyber-Statecraft Initiative, where she has provided policy guidance to the National Security Council and Congress, testifying in November 2021. She also served in 2024 as a subject matter expert to the President’s Council of Advisors on Science and Technology (PCAST) for the publication of the Strategy for Cyber-Physical Resilience: Fortifying our Critical Infrastructure for a Digital World.
Lastly, Megan recently returned from Luxembourg in February 2024, where she addressed the member countries of the NATO Support and Procurement Agency (NSPA) on ICS4ICS.
Megan has served on numerous boards, including Virginia Commonwealth University’s School of Electrical and Computer Engineering (ECE), Security Analysis and Risk Management Association (SARMA), Department of Homeland Security’s Control Systems Security Working Group (CSWG), Trusted Computing Group (TCG), and Virginia Aviation Security Advisory Council (VASAC). She is also a returning 2024 Program Chair for the RSA Conference, “Consumer and Industrial Devices” track.
Megan holds a bachelor’s degree in homeland security and emergency preparedness as well as a master’s in public administration, both from Virginia Commonwealth University.
ICS4ICS leverages the Incident Command System to improve Industrial Control System cybersecurity incident management capabilities. The Federal Emergency Management Administration (FEMA) created NIMS (the National Incident Management System) to prevent, protect against, mitigate, respond to, and recover from incidents. NIMS provides stakeholders with the shared vocabulary, systems, and processes needed to deliver the capabilities described in the National Preparedness System. Other governments around the world have adopted an Incident Command System based on, or similar to, NIMS.
The Incident Command System is used by First Responders globally every day when responding to motor vehicle accidents, small and large fires, hurricanes, floods, earthquakes, industrial accidents, and other high impact situations. The Incident Command System has been tested for more than 30 years of emergency and non-emergency applications, throughout all levels of government and within the private sector. In this keynote, Megan will discuss ICS4ICS and how organizations can move towards adoption, and ultimately help to strengthen global cyber response capability.
ics4ics.org is also live, with our newly redesigned website.
June 12, 2024 09:00-10:00
- CZ, ES | TLP:GREEN
When One Does Not Rule Them All: Building a Threat Hunting Framework with Ansible
Lukas Hajn (Red Hat, CZ), Fran Marquez (Red Hat, ES)
Lukas Hajn is a Senior Information Security Analyst on the Red Hat Incident Response team. As part of his role, he is responsible for the development and maintenance of automation tools that support the team's operations. As a Red Hat Certified Architect, he is passionate about using Ansible for information security purposes.
Fran Marquez is a Principal Cyber Threat Intelligence Analyst on the Red Hat CTI team. In his role, he is responsible for the Threat Hunting program, the development of threat detection capabilities, and intelligence analysis, with a focus on Linux threats.
For intelligence-driven threat hunting, we typically rely on data from a SIEM, MDR, or other security analytics tools to actually accomplish the task. This approach assumes that all necessary sources and tools are integrated within an environment and that they cover every system in scope. But what if we discover a part of the infrastructure that lacks the instrumentation required to investigate? Or if a system owner wants to check their system for a specific threat but doesn’t have the knowledge or security tools available? Do we have a means to readily scan hosts for indicators regardless of their installed software or environment? If you’ve ever asked yourself these questions, you are not alone. This talk will introduce the Ansible Threat Hunting Framework we built, which aims to extend the reach of our threat hunts by using standard IT automation tooling to perform ad-hoc and delegated hunting in environments with low or no direct visibility, using customizable detections for TTPs commonly employed by threat actors in Linux environments. We will also describe the different avenues we've explored and what we've learned so far.
June 12, 2024 14:45-15:20
- US | TLP:CLEAR
Zero Trust and Jurassic Park
Kathleen Noble (Intel, US)
Director, PSIRT and Bug Bounty. Katie serves as a CVE Program Board, Bug Bounty Community of Interest Board, and Hacking Policy Council member. She is a passionate defensive cybersecurity community activist who is regularly involved in community-driven projects and is happiest when she is able to effect positive progress in cyber defense. In her day job, Katie Noble serves as a Director of PSIRT, Bug Bounty, and the Security Working Artifacts Team at a Fortune 50 technology company. Prior to joining the private sector, Katie spent over 15 years in the US Government, most recently as the Section Chief of Vulnerability Management and Coordination at the Department of Homeland Security, Cyber and Infrastructure Security Agency (CISA). Her team is credited with the coordination and public disclosure of 20,000+ cybersecurity vulnerabilities within a two-year period. During her government tenure, in roles spanning Intelligence Analyst for the National Intelligence Community to Senior Policy Advisor for White House-led National Security Council cyber programs, Katie’s work directly impacted decision making for government agencies in the United States, United Kingdom, Canada, and Australia.
Did you think the 1993 film Jurassic Park was a movie about dinosaurs? It’s not. The Jurassic Park film is a cautionary tale of overreliance on Industrial Control Systems, with a clear lack of zero trust principles across the network, compounded by a lack of professional acceptance of cyber security and incident response as a necessary element of any business operations plan. This talk will focus on the many ways zero trust principles should be employed in your and your customers' networks, and will provide many examples, taken from the film, of the results and consequences of failures. This talk is not meant to change the world or have some great deep meaning. It is meant to be a lighthearted way of familiarizing ourselves with some basic cyber hygiene principles.
June 13, 2024 11:15-11:50