Bangalore 2019 FIRST Technical Colloquium
Day 1 (February 18, 2019) | Session
---|---
08:30 – 09:30 | Registration
09:30 – 09:45 | Welcome and Opening Remarks
09:45 – 10:15 | Keynote – Mike Scheck (Director of Cisco CSIRT, US)
10:15 – 11:00 | Building threat information sharing communities – Steve Clement (CIRCL – SMILE G.i.E, LU)
11:00 – 11:15 | Break
11:15 – 11:45 | National Level Cybersecurity Assurance – Ashutosh Bahuguna (CERT-In – Indian Computer Emergency Response Team, IN)
11:45 – 12:15 | Shweta Sundar (The World Bank, IN)
12:15 – 13:30 | Lunch
13:30 – 14:15 | Understanding Adversary Persistence Techniques – Monnappa K A (Cisco Systems, IN)
14:15 – 14:45 | Lokesh Balu (Dell)
14:45 – 15:00 | Break
15:00 – 16:00 | Advanced exploitation techniques and their defences – Chirag Ramesh Savla (CERT-In – National Stock Exchange, IN); Udayakumar C (National Stock Exchange, IN)
16:00 – 16:30 | Lightning Talks
Day 2 (February 19, 2019) | Session
---|---
08:30 – 09:30 | Registration
09:30 – 09:35 | Welcome and Opening Remarks
09:35 – 10:05 | Keynote – Mr S S Sarma (Director of Operations, Indian Computer Emergency Response Team, IN)
10:05 – 10:50 | Building Threat Defense for Cloud Workloads – Vinay Bansal (Cisco Systems, US)
10:50 – 11:15 | Break
11:15 – 11:45 | Incident response automation with PowerShell – Ajay Rajeswaran (World Bank – World Bank Group, IN)
11:45 – 12:15 | Consumer-friendly Security Updates – Rohit Nambiar (SAP Security Response, IN)
12:15 – 13:30 | Lunch
13:30 – 14:15 | Nitin Lakshmana, Sunil Kumar S (Deep Armor, IN)
14:15 – 14:45 | An Introduction to MISP in less than 20 minutes – Steve Clement (CIRCL – SMILE G.i.E, LU)
14:45 – 15:00 | Break
15:00 – 15:30 | Security Log Analytics with the assistance of Deep Learning v. Machine Learning Algorithms – Prateek Bajaj (SAP Labs, IN)
15:30 – 16:00 | From On-Premise to Cloud: SAP's Evolving Security – Bibin Mathew (SAP Security Response Team – SAP LABS INDIA, IN)
16:00 – 16:30 | Lightning Talks
Chirag Ramesh Savla (National Stock Exchange, IN), Udayakumar C (National Stock Exchange, IN)
Chirag Savla is an infosec enthusiast. His areas of interest include penetration testing, red teaming, defence strategies and post-exploitation research. He has 4+ years of experience in penetration testing for his clients and organization. He is also a member of the Red team and supports the Blue team in building detection strategies in his organization.
In his spare time, Chirag researches new attack methodologies.
He has given multiple talks at null (Open Security Community). He blogs at https://3xpl01tc0d3r.blogspot.com/
Twitter: @chiragsavla94
This presentation is intended to illustrate a few advanced exploitation techniques and their defence strategies. While organizations have increased focus and resources on preventing and mitigating security threats, most companies continue to be vulnerable to attacks and breaches.
This is an effort to demonstrate TTPs that are currently in vogue or will be in the near future, and a few unique and creative steps that an organization may take to prevent and detect such attacks and breaches well in time. We will be demonstrating the attack vectors and the corresponding detection techniques.
February 18, 2019 15:00-16:00
Steve Clement (SMILE G.i.E, LU)
Steve Clement is a security engineer working for CIRCL and has been on staff since 2008.
Experienced in the security of Unix systems like OpenBSD and FreeBSD, his passions revolve around sharing knowledge in system integration, currently with a strong focus on information sharing of any kind.
Further, Steve is a strong advocate for Free and Open Source software and hardware in an open world with fewer intellectual boundaries.
In this short talk you will get a primer, in a nutshell, on what the MISP information sharing platform is capable of achieving.
MISP is an advanced platform for sharing, storing and correlating Indicators of Compromise from attacks and cyber security threats. Discover how MISP is used today in multiple organisations: not only to store, share and collaborate on cyber security indicators, but also as a threat intelligence platform that supports analysts, serves as a knowledge base and enables the sharing of information.
You will be presented with various use cases and some live examples of what it will eventually look like for your analysts and engineers.
February 19, 2019 14:15-14:45
Lokesh Balu (Dell)
Lokesh Balu is a Consultant Technical Program Manager in the Product Security arm of Dell’s Product and Application Security organization. He has 14+ years of experience driving proactive and reactive aspects of secure software development consultancy, product security incident response, threat intelligence management, vulnerability management and remediation guidance for products, software and IT systems. He holds a bachelor’s degree in Electronics and Communication Engineering and has gained the CISSP, CSSLP, GCIH, GCTI, (GCFA), CSIRA and CSTE certifications.
This talk briefly covers the importance of ‘Security Verification’ and how the various activities performed throughout the ‘Secure Development Lifecycle’ can be leveraged for optimal conduct of security verification. It discusses some of the best practices and value that can be derived from security-control-based mitigation selection, pragmatic risk scoring and threat-library-based threat modeling. Approaches for enabling the engineering community with ‘Security Verification’ skills and for institutionalizing the process will also be discussed.
February 18, 2019 14:15-14:45
Vinay Bansal (Cisco Systems, US)
Vinay K. Bansal is a Principal Engineer in Cisco Systems' Security and Trust Organization (InfoSec). He leads InfoSec's security architecture and strategy for cloud, IoT and application security. His current focus is securing Cisco's cloud adoption in public and private clouds (AWS, Azure, GCP, ...) and working with various Cisco teams building secure cloud products. Previously he was the global security lead for Cisco’s “Web and Application Security Architecture Team”, which focuses on improving the security of Cisco’s 2000+ IT web applications, databases and mobile services and performs security assessments of external cloud providers. Vinay has 24+ years of industry experience in successfully leading, securing and architecting innovative technology solutions. Prior to Cisco, Vinay worked at various Fortune 500 companies including IBM, AT&T, Nokia, Experian and Plessey Telecom (UK). Vinay holds a Master's degree in Computer Science from Duke University.
Enterprise workloads and applications are rapidly moving into public clouds (like AWS, Azure and GCP). Numerous attacks on cloud and managed service providers show that the cloud introduces new threat vectors and amplifies traditional ones. This talk will share the experiences of Cisco’s InfoSec team in developing a threat intelligence capability for cloud environments, as well as the successes and failures in its implementation.
Gartner called out “Security moves to the cloud” as one of the top 5 trends for 2018 (https://www.gartner.com/smarterwithgartner/gartner-top-5-security-and-risk-management-trends/). With this move, we have seen threats and attacks shift to the cloud. Recent APT reports from PwC (Cloud Hopper) and NCCIC (TA18-276B) confirm this.
Cisco’s CSIRT team is currently responsible for the security of 1000+ cloud accounts (AWS, Azure, GCP, ...), ensuring that proper protection, logging, monitoring and incident response mechanisms are in place.
The author will share CSIRT's cloud security journey, which started with establishing security guardrails for teams seeking accounts in public clouds. This included strong configurations and identity, enabling proper security logs, and network security. Cisco was quickly able to automate most of the guardrails and integrate them with the enterprise monitoring tools. The CSIRT team established security plays leveraging real-time logs and data for proactive monitoring (such as the CloudTrail, SWC and OSQUERY plays), improving the security posture of Cisco's AWS accounts. We also use this telemetry in an investigative/forensic capacity.
In this talk, the audience will learn how to leap forward in establishing security monitoring and incident response as their workloads move into the public cloud.
February 19, 2019 10:05-10:50
Steve Clement (SMILE G.i.E, LU)
Most of the more difficult challenges to overcome when trying to bootstrap an information sharing community are in fact not technical, but rather social, legal and procedural.
Over the years we were involved in several sharing communities, some that ended up being quite successful and some that ended up crashing and burning. This presentation aims to highlight some of our lessons learnt and hopefully give some useful insight to organisations wishing to start or grow sharing communities.
The talk is not meant to be technical but will rather focus on the high-level challenges and some best practices to combat them.
February 18, 2019 10:15-11:00
Rohit Nambiar (SAP Security Response, IN)
Rohit is a security enthusiast working with SAP's Security Response team and specializes in incident response and application security. Working with hackers from around the world, Rohit has been exposed to several areas of security, including web, network and even physical security. He also acts as a mentor/challenge creator for SAP's internal Capture the Flag program to promote security education.
The easiest part of fixing a security vulnerability is developing the fix. Heavy secure practices are enforced to ensure that fixes are accurate and delivered quickly. But do you ever wonder whether your fixes are really consumed? A large percentage of security breaches are caused by systems running outdated patches, a universal problem faced by the majority of software vendors. For reasons beyond our control, unless updates are forced, they will forever be lost to the constant "remind me later" (until hacked, of course). At SAP, over the years, we have found ways to make our security fixes more consumable so that consumers don't have to think twice when it comes to protecting themselves.
February 19, 2019 11:45-12:15
Bibin Mathew (SAP Security Response Team – SAP LABS INDIA, IN)
Bibin has been working with SAP's Security Response Team for more than 6 years, focusing on incident response and application security. Over these years he has witnessed how security response evolved at SAP to accommodate cloud products, bug bounty programs, etc. He also works on making sure the security patches released by SAP are of good quality and on how this can be improved further. He has worked with many SAP customers on various topics related to applying security patches released by SAP.
Established decades ago, SAP's products have been leaders in the ERP market, powering some of the largest businesses today. In an on-premise world, the security seas were rather calm. When SAP evolved to the cloud, our existing security response had to be re-imagined to keep up: it had to become faster, better and a whole lot more proactive. Join us as we take you through the evolution of SAP's security response during SAP's change from an on-premise leader to a cloud-based giant.
February 19, 2019 15:30-16:00
Ajay Rajeswaran (World Bank Group, IN)
Ajay Rajeswaran is an Information Security Analyst for the World Bank Group.
He develops incident response plans and performs malware analysis. Prior to WBG, he worked at K7 Security, AXA and Webroot.
https://www.linkedin.com/in/ajay-rajeswaran-217b0917/
This presentation describes how to create your own incident response tool kit with PowerShell and how to automate the collection of logs from Windows endpoints using the script.
Information security analysts review alerts received from various cyber security solutions, and most of the alerts are false positives. The scope of the tool kit is to reduce the time taken to investigate an event and to simplify the analyst's task by automating the collection of various artifacts from Windows endpoints.
The incident response tool kit, built with native Windows commands, collects volatile information, installed applications, persistence entries, network traces, web browser artifacts and system environment variables from the endpoint.
If the system is not live during the investigation, the collection of evidence can be automated by hosting the IR script in a central repository, with a lookup table carrying the list of machines that are not live.
The end results can be emailed to the analyst as an archive or saved to a centralized location.
As a result of this deployment, even if machines come online during odd hours or only for a short time, the artifacts can be collected immediately. Further scope is to integrate a heuristic file scanner and to collect copies of suspicious files.
February 19, 2019 11:15-11:45
Nitin Lakshmana (Deep Armor, IN), Sunil Kumar S (Deep Armor, IN)
Sunil Kumar is a Security Analyst at Deep Armor. He has vast experience in pentesting web applications, mobile applications and IoT products. In addition to penetration testing, he has advanced knowledge of AWS and development skills in Node.js and Python. Sunil has presented his work at the FIRST conference and at conferences in Bengaluru. Prior to Deep Armor, Sunil worked as a security engineer for Olacabs and Aricent Technologies.
Nitin Lakshmanan is a Security Analyst at Deep Armor. He is skilled in the security assessment of IoT products, web applications, mobile solutions and thick client applications. He is an expert in security topics related to modern cloud platforms, primarily AWS. Prior to his job at Deep Armor, Nitin worked for Aricent Technologies and Aujas Networks as a Security Analyst.
Internet of Things (IoT) products proliferate in the market today. They manifest in different forms, from a pacemaker inside a human body to an oil and gas rig monitoring device in the remotest locations on the planet. IoT products use small hardware devices and have strict low-power-consumption requirements. An IoT product should be developed with these constraints in mind.
IEEE 802.15.4 is a standard developed for low-rate wireless personal area networks (LR-WPANs). The base specification of the standard does not specify how to secure the traffic between the IoT devices and the backend infrastructure, so there are often vulnerabilities in the design and implementation.
In this presentation, we show how it is possible to use publicly available hardware and software tools to sniff, capture and inject packets in an IEEE 802.15.4 based wireless sensor network, and also the defence mechanisms that are effective against these attacks.
February 19, 2019 13:30-14:15
Ashutosh Bahuguna (Indian Computer Emergency Response Team, IN)
Bahuguna Ashutosh is a scientist at the Indian Computer Emergency Response Team (CERT-In). He holds a Bachelor of Engineering degree in Computer Science and Engineering and a postgraduate degree in Information Security, is an information security lead auditor and holds a postgraduate degree in disaster management. He currently works as a Scientist 'D'/Joint Director at the Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and IT, Government of India.
He has 12 years of experience in the field of information security. His work focuses on information security assurance, benchmarking, national cyber security exercises, the National Cyber Crisis Management Framework, ICS/OT security, security assessments and audits, and web application security. He has authored several papers and articles and has been an invited speaker at various forums. Currently, he is also pursuing a PhD in Cyber Security.
Due to the continuous surge and innovation in malicious cyber attacks, and the possibility of cyber attacks impacting a nation's well-being, nations around the globe have come up with various initiatives to improve their cyber security posture against cyber-borne threats, such as National Cyber Security Strategies (73 out of 193 members of the International Telecommunication Union (ITU) have made national cyber security strategies publicly available), national Computer Security Incident Response Teams (CSIRTs) and sectoral CSIRTs, legal and regulatory measures such as the Indian Information Technology Act 2000, Critical Information Infrastructure Protection Plans and national cyber security drills.
In order to generate assurance on the cyber security posture and progress of a country, it is necessary to identify indicators and methods for measuring the cyber security state of the country on a periodic basis. Cyber security assessment studies at the national level are implemented by some nations and by international and regional bodies to assess and measure cyber security preparedness. Countries such as Australia and Austria have implemented cyber security audits and cyber security exercises as methods for assessing cyber security efforts at the national level. Similarly, studies and assessments of the cyber security state of countries have also been conducted by international or regional bodies such as the International Telecommunication Union (ITU).
In India, the National Cyber Security Policy 2013 mentions the need for creating an assurance framework assisted by conformity assessment. One of the key objectives mentioned in the policy is: "To create an assurance framework for design of security policies and for promotion and enabling actions for compliance to global security standards and best practices by way of conformity assessment (product, process, technology & people)". Indian Cyber Crisis Exercises (ICCE), sector-specific exercises, tabletop exercises, moderator-driven self-assessment of critical organisations, empanelment of information security auditing organizations and remote profiling are some of the methods implemented at the national level by the Indian Computer Emergency Response Team (CERT-In) to assess and improve the cyber security posture of entities in India.
This paper presents an analysis and comparison of the indicators and methods adopted by 16 nations for measuring the progress and posture of cyber security in the country. The paper also discusses the initiatives of CERT-In in assessing cyber security preparedness at the sector and national level.
February 18, 2019 11:15-11:45
Prateek Bajaj (SAP Labs, IN)
Prateek Bajaj is a Software Developer working with SAP Labs India, Bangalore, since August 2017, while also pursuing an M.Tech. from BITS Pilani. He is currently working with the Product Security Response Team at SAP Labs India and also has experience working with technologies such as machine learning and deep learning. He has a deep interest in security and likes to read about security concepts such as data privacy and product security.
Amongst all aspects of security in applications and products, security log analytics has taken a lower priority than many other aspects, for a plethora of reasons. However, the power it holds for a responsive as well as a proactive approach to securing applications, and in turn products, is unmatched. Security log analysis would almost always yield evidence of attacks; a lack of it thus results in a number of security threats going unnoticed. The issue with log analysis using only human labor and intervention, though, is a longer response time and a lot of manual effort. Thus, automating log analysis is one way in which the technology of the future is helping to make the products of today secure.
Deep learning algorithms, popular as they are, have for some time now helped in multiple applications to make intelligent decisions with the help of huge amounts of data. This paper provides a look into how security log data has popularly been analyzed with machine learning algorithms and tools, and how the use of deep learning algorithms in specific use cases would help provide better, more relevant results compared to the popular machine learning approach. Along with this, it elaborates a comprehensive deep learning algorithm that would help in security log analysis for generic use cases and that can be tweaked according to the particular product’s log data.
February 19, 2019 15:00-15:30
Shweta Sundar (The WorldBank, IN)
Shweta Sundar is working as a Senior IT Assistant for Security Operations at The World Bank Group, Chennai.
The session is about our journey with the threat hunting activity. We started hunting as a proactive measure to detect badness and protect the existing security infrastructure. This is a much-needed requirement for an emerging SOC to grow to the next level. Threat actors are becoming smarter, and to cope with the changing landscape we needed advanced capabilities. Hunting was new and came with a 'no rules' condition, which made it fun to experiment with. Over a period of time we were able to formulate and stabilize this process and give it a structure. A component of this structure was derived from the 'Agile' project management cycle.
Our experiments included simulation of attacks using frameworks/tools like MITRE, Mimikatz and PowerSploit. We did have successful detections, which the conventional tools had overlooked. The future of threat intelligence is threat hunting, and that's what this presentation shares.
February 18, 2019 11:45-12:15
Monnappa K A (Cisco Systems, IN)
Monnappa K. A. works for Cisco Systems as an information security investigator focusing on threat intelligence, investigation of advanced cyber attacks, and research on cyber espionage and targeted attacks. He is the author of the best-selling book "Learning Malware Analysis" and a member of the Black Hat review board. He is the creator of the Limon Linux sandbox and a winner of the 2016 Volatility plugin contest. He is the co-founder of the cyber-security research community "Cysinfo" (https://www.cysinfo.com). He has presented at various security conferences including Black Hat, FIRST, BruCON, SEC-T, DSCI and Cysinfo on topics including memory forensics, malware analysis, reverse engineering and rootkit analysis. He has conducted training sessions at different security conferences including Black Hat, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE and DSCI. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and he publishes blog posts at https://cysinfo.com.
The number of cyber attacks targeting the government, military, public and private sectors is undoubtedly on the rise. Most of these cyber attacks use malicious programs (called malware) to infect their targets. Often, adversaries want their malicious program to remain on the compromised computers even after a reboot; to achieve this, adversaries use various persistence methods. Persistence methods allow an attacker to stay on the compromised system without having to re-infect it. This presentation focuses on common, and various uncommon, persistence methods used by attackers in the wild to execute malicious code upon system startup. The presentation includes demonstrations of various real-world malware samples (including crimeware and espionage malware samples) and shows how attackers achieve persistence. In addition, the presentation also demonstrates how adversaries are using some of these techniques not just to execute malicious code upon system reboot, but also to execute malicious code with the highest privileges. From a security defense standpoint, it is essential to understand these persistence techniques; gaining an understanding of such techniques and of where to look for the presence of malware on the system will enable a security defender to better monitor, investigate and detect such attacks.
February 18, 2019 13:30-14:15