Program Overview

• A Canadian Payment Processor’s Response To A New Phishing Strategy

  BrandProtect: Dylan Sachs

  A Canadian Payment Processor’s Response To A New Phishing Strategy" A Canadian consumer-level money transfer service – initially started as a means for Canadian FI’s to move money between themselves without relying on ACH or other, more complicated (read: costly) technology – saw 100x increases in phishing volumes virtually overnight, due to the release of a new kit.  These phish do not target this company’s customers – their customers are the FI’s themselves – but their customers’-customers (Canadian banking consumers).  These attacks are unique in that this company does not have any login functionality, but the operation of the service requires users log into their banking website in order to process the transaction.  This functionality is leveraged by the phishing kit, meaning each phish using this company’s branding (lure and landing page) also affects 5-20 other Canadian brands (banks, government, and telecoms are all affected).  This presentation will outline the function and impact of these phishing attacks, as well as approaches to help mitigate the overall impact to the affected brands.

  April 17, 2018 10:45-11:45

• Advanced Incident Detection and Threat hunting with Sysmon & Splunk

  Swiss Post : Tom Ueltschi

  This presentation will give an overview and detailed examples on how to use the free Sysinternals tool SYSMON to greatly improve host-based incident detection and enable threat hunting approaches. Splunk is just an example of a SIEM to centralize Sysmon log data and be able to search and correlate large amounts of data to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM.

  April 18, 2018 16:45-17:45

• Agent-Based Modeling and Simulation in Cybersecurity

  Cisco: Petr Cernohorsky

  As the number and variety of malware types increases, the industry is seeking ways to automate the detection and response. With the abundance of data and recent developments in machine learning and artificial intelligence, we are seeing applications of those methods in every corner of the enterprise including cybersecurity. However, even though data is readily available, not always it is available in a labeled format ready for training up the algorithms. I would like to introduce the concept of computational simulations and debate possible applications in the domain of cybersecurity and as an extension to today's capabilities in machine learning.

  April 18, 2018 09:45-10:45

  Simulations-in-Cybersecurity-Petr-Cernohorsky.pdf

  MD5: f6d03392790e5a60da37663102780f6d

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1 Mb

• Challenges Of Phone Fraud

  MyCERT: Faiszatulnasro Mohd Maksom

  Challenges Of Phone Fraud In 2017, MyCERT had seen that fraudsters were getting increasingly sophisticated in their attempts to get money and personal details causing to the rise of e-crime particularly phones fraud. Some of the reported incidents mentioned that the fraudsters impersonated as a regulator officer and asked them to give out their financial details and personal information. This is referred as “vishing”. By definition, vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

  April 18, 2018 15:45-16:45

• DNS RPZ intro and examples

  Switch: Mathias Seitz

  "DNS RPZ intro and examples" This talk is a follow up from the previous talks at the FIRST-TC 2016 and 2017 in Amsterdam. Users which are not familiar with DNS RPZ yet will receive an introduction to this technology. Attendees from the previous talks will hear about new examples from SWITCH-CERT's daily work, in which the DNS Firewall was an important and very useful tool to protect end users from threats.

  April 17, 2018 12:15-13:15

  SWITCH_DNS_Firewall_FIRST-TC_external.pdf

  MD5: e2e3f9418559a0d3e71a55552e95717a

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 7.4 Mb

• Economic impact of DDoS attacks: How can we measure it?

  University of Twente : Abhishta

  "Economic impact of DDoS attacks: How can we measure it?" We divide the study of economic impact of DDoS attacks into five components:

  C1 Recognise the stakeholders of DDoS attacks. C2 Study attacker motives. C3 Analyse and measure the indirect losses to the victim. C4 Analyse the direct losses to the victim. C5 Build a model for businesses to chose the correct protection strategy. For each of these components we use publicly available data (Google alerts and OpenIntel) to conduct the analysis. In this talk I would be able to present the finalised results of two of my studies.

  April 17, 2018 16:45-17:45

• Introduction to Red Teaming

  The purpose of this open session is to introduce the concept of red teaming to the participants. During this session, the Red Team SIG co-chairs will discuss the following: • the definition of red teaming and how it compares to similar activities • the purpose of the SIG and its work program • considerations in setting up a red team • considerations in operating a red team

  April 16, 2018 13:00-14:30

• Investigator Opsec

  Fastly: Krassimir Tzvetanov

  "Investigator Opsec" The talk goes through, techniques that can be used against the investigator to fingerprint, target, as well as exploit them. The exploitation can be either direct attack against their computer or supporting infrastructure, their person or their investigation, which includes steering the investigation in the wrong direction as well as figuring out what the investigator is working on.

  April 17, 2018 14:15-15:15

• Its a trap

  Cisco : Jaeson Schultz

  "Its a trap!" Back in 2004, Bill Gates predicted that the spam problem would be solved by the year 2006. Of course, spam didn’t go away. Instead, we have witnessed the rise and fall (and rise again) of several spam botnets. We have borne the costs sophisticated phishing and Business Email Compromise attacks. We have regularly weathered massive, email-based malware attachment spam campaigns. Contrary to Mr. Gates famous prediction, spam has remained a constant threat to every Internet-connected organization. One of the ways to hinder spam attacks is by cultivating spam traps. Spam traps are email addresses or even whole domains that are put into the wild for the express purpose of detecting and responding to spam attacks. Spam traps can provide an early warning system to helps guard against email-based threats. In this presentation we will discuss the defensive benefits provided by spam traps. We will also discuss current, successful techniques for identifying, procuring and deploying new spam traps.

  April 18, 2018 10:45-11:45

• Penetrating the highest accuracy detection using Splunk and OSINT

  Recruit Technologies: Tatsuya Ichida and Mitsuhiro Nakamura

  We are fighting 'unintended access' to our web services every day. Those access includes that of bot, crawler, attacks , internal criminal and something except for non suspicious customers. Our automatic detection logic using Splunk is based on risk-base and have many behavior logic. The information of Src IPv4 address from OSINT is important. However we noticed it is sometimes doubtful.

  We achieved making the high quality real-registered IPv4, it's Country and Whois list and updating. In this presentation, we mainly talk about 3 things: ・What is doubtful of the IPv4's info ・The fact we noticed by this attempt ・The risk-base suspicious detection logics and visualization

  April 18, 2018 14:15-15:15

• Pentesting ChatOps

  Radically Open Security: Melanie Rieback

  "In this talk Melanie Rieback will introduce the basics of Pentesting ChatOps, and will discuss the processes and open-source tools available to enable Pentesting ChatOps .

  ChatOps, a concept originating from Github, is chatroom-driven DevOps for distributed teams, using chatbots (like Hubot) to execute custom scripts and plugins. Theconcept of ChatOps can be applied to the penetration testing workflow, and it can fits outstandingly from routine scanning to spearphishing to pentest gamification. This talk discusses the tools that can be used (RocketChat, Hubot, Gitlab, pentesting tools), and provides battle stories of actually using Pentesting ChatOps in practice."

  April 17, 2018 15:45-16:45

• Planning and Conducting Cyber Exercises

  Luc Dandurand, Guardtime

  During this training, participants will cover the following topics:

  • The benefits of cyber exercises: why do it?
  • Roles and responsibilities
  • Define the key parameters of an exercise: training audience, objectives and modalities
  • Understanding the different types of exercises
  • Coordination and logistics
  • How to prepare a background scenario and storylines
  • Key documents required to plan an exercise
  • Conducting an exercise: communication, coordination, user experience, and keeping it moving towards the objectives
  • Evaluating an exercise and measuring success

  Following the lesson, there will be a short lab in which the students will go through the planning of an exercise.

  April 16, 2018 09:00-12:00

• Red Team SIG - Closed Meeting (Invite Only)

  For the closed session, a Call for Presentations is open until 16 March 2018. The topics of interest are experiences, lessons learned, Tools, Techniques and Procedures (TTPs) used in red team activities. Interested participants must submit a short abstract of their presentation before 16 March. Participants will be notified of acceptance by 23 March. All participants must provide a presentation. Email presentations to first-sec@first.org.

  April 16, 2018 14:30-18:00

• Taking the Attacker Eviction Red Pill

  Telenor: Frode Hommedal

  This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.

  April 18, 2018 12:15-13:15

• The (makes me) Wannacry investigation

  Symantec: Alan Neville

  "The (makes me) Wannacry investigation" On May 12, 2017 a virulent new strain of ransomware known as Wannacry hit hundreds of thousands of computers affecting all types of organisations across the globe. While it is well understand how Wannacry spread using EternalBlue, there was little information on how the attack initially began. It is often the case that tracking the activity of an attacker back in time can be invaluable for learning more about how the attacker operates, and potentially identifying any mistakes made. This proved true with WannaCry 1.0. It is often the case that tracking the activity of an attacker back in time can be invaluable for learning more about how the attacker operates, and potentially identifying any mistakes made. This proved true with WannaCry 1.0. This talk aims to present a walk-through of Symantec’s investigation into Wannacry and how we were able to identify links to previously identified malware families and tools used in attacks against Sony Pictures Entertainment in November, 2014 to ultimately identify who was behind the attack. This talk aims to present a walk-through of Symantec’s investigation into Wannacry and how we were able to identify links to previously identified malware families and tools used in attacks against Sony Pictures Entertainment in November, 2014 to ultimately identify who was behind the attack.

  April 17, 2018 09:45-10:45

• Training: Practical Threat Hunting

  Daniel Hatheway, Recorded Future

  This course covers open source threat intelligence collection principles and tools. Starting with the internet architecture and the OSI model, this practical course covers the basics of internet exploration tools using common tools like wget, cUrl, telnet, nmap, dig, and more. Great primer for investigators who want to gain practical knowledge in how to use the internet to hunt.

  April 16, 2018 09:00-12:00

• Using DNS to your Advantage

  Irena Damsky

  DNS is the one of the basic layers that holds the Internet together. Without it, not much else works... even malware. This three-hour presentation is focused on how to use DNS to the advantage of defending networks. With good techniques it is possible to find a great deal of misuse based on DNS such as DGAs, fast/double flux networks, phishing, and brand impersonation. Tools like passive DNS, whois, and active probing allow defenders to proactively search for malicious indicators before they are operationalized so defenders can get ahead of the attack cycle.

  April 16, 2018 13:00-16:00