Program Overview

In March 2013, three South Korean television stations and a bank suffered an attack in a suspected act of cyberwarfare that coincided with the 63rd anniversary of the Korean War. At the time, this attack was attributed to North Korea and dubbed "DarkSeoul". These attacks continued until 2015 and appeared to have ceased.. until now. This presentation provides a walk-through of an investigation into the recent activities of this attack group detailing a coordinated espionage operation to steal nation-state secrets.

An introduction to Threat Hunting will be made as a new line of cybersecurity and job research, referring to good practices, methodologies and framworks (Mitre Att&ck, TaHiTI, Sigma) that are used on a daily basis by the "hunters of threats." The problems we face in the search for TTP's (techniques, tactics and procedures) of cybercriminals and how to automate our work with tools under standards will be exposed. There will be a demonstration on how to fortify a business environment and then make a use case on it. It will show how to use the application Caldera (Miter), making some proofs of concept that will contemplate the tactic of "Discovery" and later that of "Exploitation". Another important practical part is the research process and the conduct of searches in the Siem. To conclude, a recap of what was seen in the workshop will be done and a series of extra resources will be offered.

Azure Sentinel has been release on the SIEM market for almost a year and the platform has been consistently improved ever since. Moreover, even though Sentinel offers limited threat hunting capabilities out of the box, with some expert tuning it can be turned into an effective and efficient hunting platform able to cover both on-premise and cloud assets. However, efforts at automating the threat hunting experience within Azure Sentinel have been far and few between. This talk will condense and share a year’s worth of lessons learnt from building Sentinel ATT&CK, a GitHub project designed to make it easy to deploy an ATT&CK-driven hunting solution within Sentinel. The talk will discuss how to deploy an effective threat hunting capability. It will then delve into specific aspects of the threat hunting process that can be automated within the platform, covering in particular the automation of use case deployment, log whitelisting, threat hunting processes via workbooks and alert response through Logic Apps. It will then conclude with a demonstration of how the updated Sentinel ATT&CK repository can help with leveraging the automation techniques outlined in the talk.

What? This hands-on workshop is about digital forensics tools and how to create repeatable semi-automatic analysis workflows with devops tools. In this workshop we will be:

• Introducing set of open source tools which are useful and easy to use for analysis work
• Thinking together how to find better and easier ways to do analysis
• Hands on exercises how to create and automatize analysis pipelines
• How to create robust and repeatable analysis pipelines

For Whom? People who are doing digital threat analysis at their work, incident response teams, people who are interested about the subject.

Required tools To attend, bring a laptop running a Ubuntu 18.04 (VM or native).

Background This workshop leverages work done in the CinCan project (cincan.io), which is about building shareable, repeatable & history preserving analysis pipelines using your favourite tools + CI + git + containers. (INEA/CEF funded project worked on by NCSC-FI, Jyväskylä University of Applied Sciences & University of Oulu)

Join us our most recent version of Boss of the SOC (BOTS), a blue-team, capture the flag-esque competition hosted by Splunk. During the BOTS competition, teams will use Splunk and their security knowledge to compete against their peers for respect, bragging rights and the title of BOSS of the SOC. Attendees will gain a stronger and more realistic understanding of their strengths regarding incident investigations.

You will take on the role of a Security Analyst, Alice Bluebird, to protect Frothly, a thriving home brewing supply company. Thanks to Alice, Frothly continues to thrive in spite of constant nation-state attacks and has big plans to innovate and expand, which they’ll quickly learn comes with a whole new set of challenges.

Alice must continue to expand her knowledge of cloud, as well as on-premises windows/Linux hosts, firewalls and even ICS/SCADA data. Contestants will pivot through realistic data using Splunk’s analytics-driven security platform. All this while racing the clock to identify the who, how and where through a full forensic investigation.

You will be given a series of questions of varying types and difficulties, with scoring based on timeliness and difficulty.

BOTS can help you learn how to investigate real-world incidents in a safe, fun, and competitive environment. The event is open to all levels of users.

Passive DNS data has immense value for incident detection and response, providing both current and retrospective visibility into the benign and malicious domains that endpoints query.

Cisco is a global company that sees upward of nine billion internal DNS queries daily which equates to about three petabytes of raw data each year.

Given the size and value of the dataset, having a system that can manage and analyze it at scale is critical.

In this talk, we’ll discuss how we built a low-latency pipeline which makes the time from DNS query to records being API-accessible by investigators less than five minutes.

We’ll also discuss case studies where Cisco’s CSIRT is using pDNS to detect DDoS activity, monitor DNS hygiene, and evaluate IoCs before integrating them into blocking capabilities.

Many forensic analysts are not familiar with investigation techniques of Macintosh, and it is supposed that they are still seeking and trying out different ways. This is partly because they usually deal with less forensic cases of Mac than those of Windows and Linux. However, there has been a certain number of Mac investigation cases in the field of fraud investigation for many years, and the techniques acquired in the field can also be helpful in the field of cyber security. Another reason why many analysts are not familiar with Mac forensics is that not all organizations can afford to purchase investigation tools even though many parts of current forensic methods are dependent on commercial software. Many organizations seem to be short of human and financial resources. To improve such situation, the speakers developed a free tool based on their experience in the field of DFIR. The speakers developed this tool, aiming at simplifying the forensic process and introducing it to other analysts.

The tool consists of three components: data acquisition tool, mounting tool, and analysis tool. These components are created assuming the following steps: first, files are acquired in the triage phase, or E01 image is acquired through other methods. After that, these files or images are mounted, and then finally they are analyzed. Each component had GUI and can support the users’ investigation easily. The triage tool can keep the file directory structure, and thus the acquired files can be parsed with existing free tools such as mac_apt. Run together with such tools, the analysis component can improve the efficiency of analysis.

Windows desktop and servers contain a large number of legitimate tools which can also be used by attackers, once they obtain initial access.

John Stoner is a Principal Security Strategist at Splunk. During his career, he has worked for ISPs, MSSPs and SIEM providers in operations, consulting and solutions engineering. In his current role, he educates and advises users to improve their capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has developed multiple hands-on workshops that focus on enhancing analysts security skills. He is a frequent blogger, most recently as a co-editor and contributor to the Hunting with Splunk: The Basics and Dear Buttercup: The Security Letters series, which focuses on techniques to improve hunting and security operations. He has built applications that drive greater situational awareness and streamline investigations for the defender. He enjoys solving problems and assists in steering the Boss of the SOC (BOTS) ship. John has presented at various industry symposia and has briefed members of the US Congress and other senior government leaders on the threat landscape.

Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.

To efficiently support this strategy, we developed PatrOwl, an Open Source, Free and Scalable Security Operations Orchestration Platform. Technically, PatrOwl is a solution for automating calls to commercial or open source tools that perform checks. To date, more than 140 tools or online services are supported. Beyond centralizing the results (vulnerabilities, meta-data, asset metadata) obtained, the PatrOwl analysis engine compares these results with its knowledge base and other third-party services to determine scenarios of attacks (predictive analysis) or to trigger actions (alerting, program calls, ...).

Largely customizable, PatrOwl is suitable for supporting penetration testing, vulnerability audit and compliance, static source audit, threat research (CTI) and security incident response activities (SOC / DFIR).

Brier Creek Carolina Ale House
7981 Skyland Ridge Pkwy.
Raleigh, NC 27617

Do you have a birds-eye view of your alert coverage? Do you know if your alerts are all actually firing? What about documentation? Atlassian Security Intelligence has built a tool that enables rapid development and testing of alerts, with minimal fuss and optimal output. By laying out a simple set of rules, leveraging already available tools, and linking them together with code, we have established a scalable pipeline for producing alerts and outcomes that can be easily conveyed across various facets of the business. From capturing the spark of an idea in an analyst’s workflow, to the surfacing of coverage gaps across your infrastructure: our pipeline can produce entire arrays of correct, consistent, and beautiful results. In this session, we’re going to walk you through what we built, and how you can also dramatically accelerate your alert lifecycle.

1. How to narrow the scope of intelligence goals (aka PIRs - priority intelligence requirements)

   • KISS
   • Understanding the difference between a threat and a risk
   • Avoid the stakeholder’s input trap

2. The challenges in creating intelligence to feed threat hunting

   • Correctly allocating resources
   • Adversary awareness/visibility
   • General attribution
   • The curse of cataloguing
   • Lack of internal lateral team cooperation
   • examples

3. Potential solutions to increase the chances of detecting adversary TTPs in the network

   • Acquiring targeted data
   • Building coalitions
   • Measuring and communicating the value of the intelligence/hunting actions
   • examples