Program Overview

Bangalore 2020 FIRST Technical Colloquium

• Armour to Automate PSIRT

  Abhishek Puranam (PSIRT Engineer, NetApp)

  Abhishek Puranam is currently working as a PSIRT engineer at NetApp. He has 10 years of experience in handling Incident response and Security Development Lifecycle.

  His expertise includes developing automation and pipelines for First Security Framework and BMISSM based Security development lifecycle. Prior to NetApp, he has spent most of his career at Cisco systems. He is a certified ethical Hacker and has conducted Workshops on Web application Hacking across the globe.

  The talk is going to primarily educate the attendees on aligning automation against the FIRST PSIRT service framework. With the shift in software engineering from development to a consumption model, there is a need for better vulnerability management across the SIRT’s. This can be achieved only if SIRT’s transform from a traditional reactive based approach, towards becoming proactive via automation.
  
  

  The presentation covers on identifying early detection of software vulnerabilities, triaging and responsible disclosures using the known security automation frameworks. Some of the key takeaways for the audience:

  • Automation checklist for building a level3 PSIRT maturity team.
  • Identifying third-party vulnerability early.
  • Comparison of vulnerability Scanners for identifying CVEs in your product.
  • Vulnerability tracking automation.
  • Providing Disclosure via encrypted channel.
  • Contribution to automation at PSIRT.

  January 22, 2020 11:45-12:15

• Attacking Bluetooth LE Design and Implementation in Mobile and Wearable Ecosystems

  Nitin Lakshmanan (Senior Security Analyst, Deep Armor), Sanjav V. (Security Analyst, Deep Armor)

  Nitin Lakshmanan is a Senior Security Analyst at Deep Armor. He is skilled in SDLC methodologies and security assessment of IoT platforms, web applications, mobile solutions, and thick client applications. He has developed advanced tools for infrastructure security assessment of modern cloud platforms, with a special focus on AWS. Prior to his job at Deep Armor, Nitin worked for Aricent Technologies and Aujas Networks. Nitin regularly speaks at security conferences and conducts trainings/workshops on IoT and Cloud topics. Nitin has conducted training at Black Hat USA.

  Sanjay is a Security Analyst at Deep Armor. He is skilled in vulnerability assessment and penetration testing of web applications and cloud security. He has advanced knowledge of AWS, and has developed advanced tools for security assessment of modern cloud platforms in python. Prior to his current role at Deep Armor, Sanjay worked for Deloitte India. Sanjay regularly speaks at security conferences and conducts trainings/workshops on IoT and Cloud topics.

  Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smart-watches, pacemakers, and so on. The wearable IoT market is dominated by small and medium-sized business, who are often in a rush to hit the shelves before their competitors, and trivialize the need for security in the bargain, citing no “return on investment”. In our presentation, we deep-dive into the wireless protocol of choice for wearables — Bluetooth Low Energy (BLE), and its impact from a security perspective. We use a USB-based Bluetooth hacking hardware board called Ubertooth-One to analyze popular market products, and also perform a live demo on stealing information from a fitness tracker using standard Android app development practices. We wrap up with a discussion on simple cryptographic approaches and BLE-hardening mechanisms to prevent such attacks on wearable and IoT platforms.

  January 22, 2020 10:00-10:45

• Common Mistakes and Their Impact on an Incident Responder's Life

  Arup Kumar De (Information Security Architect, Salesforce)

  Arup Kumar De is a seasoned Incident Responder & Threat Hunter, with over 15 years of experience in IT. He was a Senior member of the Incident Response & Threat hunting team in Yahoo for years. Currently, he is working as an "Information Security Architect" at Salesforce. He holds several security certifications (GCIH, GCFA, GNFA, GWAPT, GCIA). In his free time, he enjoys spending time with his family and photography.

  An Incident Responder has to usually work under time pressure and a small mistake in any stage of the Triage / Analysis can lead the process towards a completely wrong direction. This presentation will talk about the common, basic mistakes for an IR (i.e. to whom to communicate, Communication content, understanding logs, and understanding Alerts) with real-life examples and data which has a bigger impact on response triage & analysis process and how to avoid them. All examples are from real-life situations and as the Presenter noticed them working with different IR teams.

  January 21, 2020 11:45-12:15

• Continuous Security: A Practical Case Study in Implementing Enterprise Product Security

  Jay Kelath (Product Security, Dow Jones, Inc.)

  Jay Kelanth started his career in security setting up honeypots to profile attackers. Many interesting challenges in the field led him to become a penetration tester to help businesses expose their security weaknesses. He found his stride in helping develop and mature information security programs. Jay is passionate about building cross-functional teams between engineering and security and bringing security into every aspect of a company’s culture through a focus on automation, tooling, and processes. Currently, Jay leads the Product Security team at Dow Jones. His team’s focus is to implement security in the agile SDLC and ensure that the products are built securely from the start. Jay has spoken at various public platforms such as DevSecCon, RSA, O’Reilly Security, AllThingsOpen, BSIMM.

  Implementing a Product Security program in a large enterprise is a tricky challenge. This is made more difficult when all aspects of security including tooling, process and people factors.We will begin the discussion with our approach to the DevSecOps model. This includes an open source tool for Cloud Security and a internally developed open sourced solution for continuous security. With the right technology solution in place, how do you scale to hundreds of products and work with thousands of developers scattered across the world? How can we use this tooling to spread the security message to nontech decision makers in the organization?
  
  

  This talk will focus on challenges we encountered as we tried to scale and mature our security services. We will talk about our recently open sourced CI/CD orchestration tool, Reapsaw, and the processes needed to make the technology successful. The tool is an orchestration framework to add/remove security tools as you would lego blocks, scale them to the needs, tune them to the highest efficiencies and provide actionable fixes to developers.
  
  

  We will be previewing the next tool in our toolset that is will be open source soon. This is our vulnerability management platform. This is built in Google cloud to bring together a holistic view of the “Health of a Product”. This includes data from application, cloud and infrastructure vulnerabilities and combined with controls we have in place such as CrowdStrike coverage, Logging, Monitoring, Security incidents related to the product, Bug Bounty reports, etc.
  
  

  We will discuss the different stages of maturity that every organization would go through on their journey into continuous security.

  • Developing a consistent baseline: Defining a consistent baseline across all products to help prioritize initiatives, training, awareness and strategy to tackle security bugs and design flaws.
  • Scalability of security tool stacks: Choosing the tools that are designed and architected to be CI-friendly from the start. Building or Buying fast, automation friendly security tools, deploying them correctly with the needs of on-demand scaling, customizable options to enable filtering of security features are key to providing a valuable service to engineering teams.
  • Reporting: Actionable and precise reporting with steps and examples to mitigate or resolve vulnerabilities.The goal of good reporting to engineers will be to ensure that false positives are kept to a bare minimum.
  • Building a vulnerability management platform: Creating vulnerability “data lake” to mature analytics and visibility security health across all products in an organization. This platform is key to developing maturity level for security at the grass-roots level
  • Bonus: Discuss couple of interesting projects/avenues explored at Dow Jones such as “Security Scorecard” for Products, Agile Threat Modelling, Cloud Security Tooling etc.

  January 22, 2020 14:00-14:30

• Data Analytics for Security

  Shweta Sundar (Senior IT Assistant for Security Operations, The World Bank Group)

  Shweta Sundar is a Senior IT Assistant for Security Operations in The World Bank Group (Chennai) with 6+ years’ experience in Information Security. She has been part of the Threat hunting and Behavior analytics projects, enhancing detection capability of SOC Operations.

  Logs tell us stories. Do we know all of them? During normal DFIR , only a small amount of logs are analyzed either by the SIEM or by a human while investigating an incident. SOCs are great at fighting the known and they can excel if more unknown can be made known. Data analytics in information security is a fairly new area, and complex to build. This complexity is required to fight impending attacks, which have blend in an environment. Converting raw logs and telemetry into statistical models, finding anomaly or predicting behaviors is what we aim at. The quest started with mining data in a simple excel sheet and then elaborated to near real-time processing with complex queries and ML-based tools. This process is quite exhaustive and at the same time exciting, but rewarding when you see the unknown. In this presentation, we want to highlight the journey of creating use cases in ELK framework and reflect on the challenges faced during this process.

  January 21, 2020 14:00-14:30

• Dealing with Changing Threat Landscape

  Anand Tapikar (Product Security Leader, GE Healthcare)

  Anand Tapikar:

  • 20+ years’ experienced Security Leader working as a principal product security leader in GE healthcare
  • Has multiple security certifications that includes CGEIT, CISA, CEH, ISO27001 Lead Auditor and multi products and cloud certifications
  • Earlier worked with Oracle, Genpact, Philips and Ramco systems Worked at global level and handled security of all major Indian banks, financial institutes and currently handling security for healthcare applications
  • Participated in major conferences as Speaker. CIRT, NASSCOM, CISO platform, ISC2, Unicom are some of them

  The presentation will cover the changing business, technology, and human behavior and its impact on users and businesses.
  
  

  Just to give examples some of the changes in business:

  • Small Shops and distributor Model to Online retail
  • Isolated health diagnostics to connected value-based care
  • Disconnected public systems to smart cities with centralized monitoring
  • Branch/ATM based banking to Mobile/Wallet digital payments
    
    

  Each one has an enormous security impact. Security impact needs to thought through while designing applications, deployment and while performing operations. The presentation will discuss the state of the art security solutions available at each layer and how they will add value.
  
  

  Similarly, Technology has also changed over the period of time.

  • From Cloud-based VM to Kubernetes managed Docker containers
  • From monolithic application to REST based microservices
  • Analytics to AI ML based predictions
  • Ecommerce website to API based Mobile commerce
    
    

  For a security solution perspective, these changes demand a more adaptive, integrated and faster security solution to ensure confidentiality, integrity, and availability of these solutions without making them slow or unusable.
  
  

  In security technologies, we are also seeing changes

  • From IDS IPS to next Gen FW and IPS
  • Antivirus to Advance threat protections like APT and Ransomware
  • Security Monitoring to ML based Predictive threat intelligence
    
    

  To conclude I will try to map out some of the common architecture/ security tools used to handle newer threats.

  January 22, 2020 14:45-15:15

• Hunting Threats in Darknet

  Muslim Koser (Head of Technology, Volon Cyber Security)

  Muslim has over 22 years of Information Security Experience with a core focus on Cyber Threat Intelligence, Cyber Risk Management and Cybersecurity consulting. Before Volon, he worked at FireEye, Inc., where he headed one of their Cyber Threat Intelligence Research teams. Muslim set up Cyber Threat Research team for iSIGHT Partners in India, which was one of the first teams that worked in this domain.

  Muslim has also been a member of Honeynet Project, as well as Indian Honeynet Chapter and involved in Detux Sandbox, which was one of the first online Linux sandbox services. As part of the Honeynet project, Muslim was also involved in the design of open source spam Honeypot SHIVA.

  Previously, Muslim was based in Malaysia, where he led the information security consulting practice for Network Security Solutions. Muslim is also credited with involvement in establishing national level CERTs and consulting for various corporate CSIRTs.

  Idea of this topic is to specifically highlight the learning from years of experience where I have with building teams who carry out HUMINT operations in the Darknet. There have been numerous presentations that talk about “findings in the Darknet/cyber underground” but with this presentation, plan is to discuss some real-world examples which we have encountered over a period of the last 10 years in the CTI domain. These examples will include gathering highly sophisticated and actionable information that provide insights that is not possible via many current /automated collection and search solutions in the market today.
  
  

  The talk will also include ways and means to gain access to closed or invite-only communities in order to gain a deeper perspective. High-value personas are always an asset for any such hunting, which helps in creating a reputation. The talk will also provide pointers towards persona development and maintenance over a period of time.
  
  

  Further, As in the current world of AI/ML where such technologies are claimed to be used by variety of organisations in cyber Intelligence solutions, I would take an approach where we discuss best ways to club “collection automation” with AI & ML and fuse with HUMINT where I will explain the ways to work with information overload (data from hundreds of forums) and still identify right information and then fuse it to HUMINT to get context and make the collected information actionable.
  
  

  Real-life examples which will be used in this talk could be but not limited to would include:

  • How APT groups usually known to target nation-state, shifted focus into financial crime
  • Actors/Groups, advance infiltration and TTPs to provide access information for Military/armed forces targets
  • Target of national-level setup by Darknet actors affecting a large number of organisations in a country
  • Targeted attacks towards financial institutions and how actionable insights of SWIFT based attacks were identified which was impossible to get without HUMINT

  January 21, 2020 13:15-14:00

• Identifying Persistent Protection Patterns Through Threat Informed SDL Control Catalog

  Lokesh Balu (Senior Principal Engineer, Dell Product & Application Security)

  Lokesh Balu is a Senior Principal Engineer in the Product Security arm of Dell’s Product and Application Security organization. He has 15+ years of experience in driving proactive/reactive aspects of Secure Software Development Consultancy, Product Security Incident Response, Threat Intelligence Management, Vulnerability management and remediation guidance for products, software & Digital systems. He currently serves as SDL security consultant for Dell Enterprise Servers, Firmware and Networking products. He has a Bachelor’s in Electronics and Communication Engineering and has gained CISSP, CSSLP, CCSP, GCIH, GCTI, (GCFA), CSIRA, CSTE certifications.

  Current approaches to secure software development is based on set of analysis activities and technical controls, generally referred as SDL(Secure Development Lifecycle) practices. These SDL controls need to be updated based on evolving vulnerability and threat landscape. Most of the current approaches for adopting new SDL controls are pre-dominantly vulnerability or attack centric which makes baking SDL controls in software development reactive in nature. In order to make SDL controls pro-active, inclusion of threat centric approaches becomes vital. One of the key theme of this talk is centered around discussion on the current limitations of compliance, vulnerability and attack centric SDL control catalog development and how leveraging frameworks like MITRE’s ATT&CK can enrich current SDL control catalog with threat insights. This talk attempts to discuss opportunities through which security teams in enterprises can develop protection mechanisms for persistent threats by augmenting standard SDL control catalog with threat based knowledge areas. Developing and maintaining threat types and patterns based on PSIRT, CSIRT and IR data sets( industry and organization specific), industry standard frameworks like MITRE’s ATT&CK, there are opportunities to identify and synthesize specific protection (technical) controls for secure software development. This threat informed SDL control catalog development and its usage to engineer secure products for enterprises, can facilitate systematic application of refined SDL control catalog which is enriched with TTPs( Tactics, Techniques and Procedures) of adversary tradecraft. Building and maintaining ‘Organization specific threat patterns based SDL control catalog’ would be a significant enabler to build attack resistant and resilient software that can provide inherent protection capabilities for specific current day persistent threats.

  January 22, 2020 13:15-14:00

• Investigating Malware Using Memory Forensics

  Monnappa K A (Information Security Investigator, Cisco Systems)

  Monnappa K A works for Cisco Systems as an information security investigator focusing on threat intelligence, investigation, and research of cyber espionage and advanced cyber attacks. He is the author of the best-selling book Learning Malware Analysis. He is the review board member for Black Hat Asia, Black Hat USA, Black Hat Europe, and BSides Singapore. He is the creator of Limon Linux sandbox and winner of Volatility plugin contest 2016. He is the co-founder of the cybersecurity research community Cysinfo. His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. He has presented at various security conferences including Black Hat, FIRST, SEC-T, 4SICSSCADA/ICS summit, DSCI, National Cyber Defence Summit and Cysinfo meetings on various topics which include memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has conducted training sessions at Black Hat, BruCON, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel, and you can read his blog posts at https://cysinfo.com. Twitter: @monnappa22

  The number of cyber-attacks is undoubtedly on the rise targeting government, military, public and private sectors. Most of these cyber attacks make use of malicious programs (Malware) for financial theft, espionage, intellectual property theft, and political motives. These malware programs use various techniques to execute their malicious code and to remain undetected from the security products. With adversaries becoming sophisticated and carrying out advanced malware attacks, it is critical for cybersecurity professionals to detect and respond to such intrusions. This presentation mainly focuses on the concept of memory forensics and shows how to use memory forensics to detect, investigate and understand the capabilities of malicious software. In addition to that, with the help of various demonstrations, the presentation also covers various tricks and techniques used by the malware including some of the stealth and evasive capabilities.

  January 21, 2020 11:00-11:45

• Opening Remarks & Keynote

  Kiran S. Narayan (Asia Pacific SOC Manager, Cisco CSIRT)

  Kiran is an experienced Information Security professional leading Group Information Security Incident Response Team for CISCO Asia Pacific. In a position to enable CISCO's Asia Pacific business to get past the offerings of regular, predictable market to a very informed, innovative and secure environment that supports the most key aspects of Information security.

  To summarise, as a global leader, key strategic goals of his role are: Cyber security, Incident Response, Data Protection, Resilience, Malware / Forensic Investigation, Threat Intelligence & Analytics.

  January 21, 2020 09:30-10:00

• Practical Exploitation of Zigbee-class Networks with USB-based RF Transceivers & Open Source Software

  Sanjay V. (Security Analyst, Deep Armor), Sunil Kumar (Senior Security Analyst, Deep Armor)

  Sunil is an industry expert in security research, product security assessment, and risk management. He has worked extensively on threat modeling and penetration testing of Web applications, IoT products, Cloud infrastructure, and mobile solutions. Sunil is skilled in JavaScript and Python scripting and has developed numerous security tools and applications. He regularly speaks at local and international security conferences. He currently works as a Senior Security Analyst at Deep Armor. Prior to that, Sunil worked as a security engineer for Ola Cabs and Aricent Technologies.

  Sanjay is a Security Analyst at Deep Armor. He is skilled in vulnerability assessment and penetration testing of web applications and cloud security. He has advanced knowledge of AWS and has developed advanced tools for security assessment of modern cloud platforms in python. Prior to his current role at Deep Armor, Sanjay worked for Deloitte India. Sanjay regularly speaks at security conferences and conducts training/workshops on IoT and Cloud topics.

  Internet of Things (IoT) products proliferate the market today. They manifest in different forms – right from a pacemaker inside a human body, to an oil and gas rig monitoring device in the remotest locations on the planet. The hardware form factors in many such IoT solutions use tiny micro-controllers with strict low power consumption requirements. Securing these platforms often pose several security challenges.
  
  

  The IEEE 802.15.4 is a standard developed for low-rate wireless personal area networks (LR-WPANs). The base specification of the standard does not specify how to secure the traffic between the IoT devices and the backend infrastructure, so there are often vulnerabilities in the design and implementation.
  
  

  Penetration testing of zigbee-class wireless sensor networks need specialized hardware and software stacks for packet sniffing and injection. In this presentation, we will talk about various market-available solutions that pentesters can use for debugging and attacking such networks using USB-based dongles. We will demonstrate two custom hardware boards equipped with programmable micro-controllers that work with open source software solutions for performing attacks on an IEEE 802.15.4 based wireless sensor network. After our demos, we will discuss various hardening methodologies to protect IoT systems against such attacks.

  January 22, 2020 15:15-15:45

• Security Hardening of Popular Public Cloud Managed Services

  Runcy Oommen (Principal Software Engineer, SonicWALL)

  Runcy Oommen is an accomplished software engineer with strong SDLC experience and a string of projects primarily in the security domain. Runcy strives constantly to build better software with extra focus on data security that would be kept throughout its life-cycle and not just as an afterthought. He considers himself to be a perfectionist yet remains practical, knowing where to draw the line and stop. Runcy advocates strong data privacy and possessing a natural penchant for security, he began working full time on CloudBrew to minimize data breaches in this mass surveillance world, which continues now as an open source project.

  The default configurations of popular managed services in public cloud like AWS, Azure and GCP may not be fine tuned for best security. In this talk, I will walk through the essential steps required to make them robust yet retain their agility without jumping through multiple hoops.
  
  

  1) Generic intro:
  
  The focus of the talk would be around strengthening/hardening of popular services offered by public cloud providers like AWS, GCP and Azure. I would start by defining what cloud security means, the need to differentiate network security mindset from traditional private cloud to modern day public cloud and understanding of the shared security model emphasized by AWS\GCP.
  
  

  2) Talk agenda (high-level points):

  • Basic intro to security services being offering by AWS, GCP and Azure
  • AWS services hardening - Amazon Linux, Elastic Load Balancer, API Gateway, Route53
  • GCP services hardening - Google Container OS, Cloud Load Balancer, App Engine, Cloud DNS
    
    

  3) Serverless security (AWS Lambda, Google Cloud Functions and Azure Functions):

  • Disable outbound internet connectivity (except for AWS/Google Cloud resources) from the serverless runtime environment, if such connections are not required
  • Disable read/write on the /tmp/ directory, if such operations are not required
  • Disable child process execution, if such execution is not required by the function
  • Disable read access to the function’s handler and prevent source code leakage

  January 22, 2020 11:00-11:45

• The Most Insecure Part of Applications: Third-Party Libraries

  Satheesh P (Software Engineer, Cisco Systems)

  Satheesh's profession mostly revolves around contributing to Networking and Security products for 11+ years. He worked in Web Security product testing for the past 8+ years. Completed CEH and CCNP Certification. Currently doing research on Web Application Vulnerabilities and Mobile Malwares.

  As part of today's digital transformation, organizations have quickly been moving toward Third-Party Software adoption to get software to market faster and gain a competitive edge in today’s fast-paced business environment. Due to this insecure approach, application developers are getting burnt by security vulnerabilities in the open source and third-party frameworks and software components that make up their finished application product. Also, it should not be surprising that Third-Party Software and libraries account for ~80% of the source code in modern web applications. In this session, we will discuss what are costs and risks involved with the Third-Party Software Vulnerabilities. Also how Cisco manages to identify and mitigate Third-party Software vulnerabilities and risks using different methodologies and internal tools.

  January 21, 2020 15:30-16:00

• Threat Actor Groups and Techniques

  Venkatachalabathy S R (Research Lead, McAfee)

  Venkatachalabathy S R:

  • Currently Working as Research Lead at McAfee
  • Over 12 years of work experience in Security Industry and have good knowledge and exposure on Anti-virus and Sandbox Technology
  • Experience on Malware Analysis, Reverse Engineering and Threat Hunting. Work towards prevalent and APT threats, and co-ordinate research team’s efforts to strengthen the sandbox product
  • Speaker at AVAR
  • Prior to McAfee worked for Computer Associate Antivirus and Comodo Antivirus products
  • Hobbies include reading and listing to music.

  In recent years, malware threat landscape grown exponential and employed various evasion techniques to bypassbehavioral analysis and detection. The dominant category of evasion falls on sandbox evasion technique as defendersuse sandboxes as part of the ecosystem to replicate the malicious files in an automated and controlled virtualized environment and gather the behaviour information within a short span of time. Malware authors are aware of the sandbox technologies, they employed malwares with sandbox evasion techniques and mimic malware files to behave as benign files inside sandbox environment and show the malicious payload only in physical machine (ie., non-virtualized environment). As malware authors develop more new evasion techniques to hide from sandbox radar, consequence of it, defenders make various improvements to their sandbox technology to identify the sandbox evasion and defeat it. The improvement cycle done by defenders to protect against malwares and attackers to thwart from sandbox detection is never-ending story that resembles a Cat and Mouse game.
  
  

  In this paper I will explain the improvements done by malware authors towards new sandbox evasion and reuse of old sandbox evasion techniques in recent ransomwares, Banking Trojans, Advanced Persistent Threats and how malware authors use Windows API's, office features and functionalities of virtualized environment to achieve sandbox evasion and defeat detection. I will also include countermeasures to bypass sandbox evasion as a defender.
  
  

  Some of the latest evasion techniques seen in malware families in recent years will be covered in the paper includes as below:

  • How windows WMI query misused by malware authors to gather the system's information?
  • How Thermal zone temperature used to evade from sandbox?
  • How country check evades sandbox detection?
  • How file-less technique employed by malware authors to evade from traditional sandbox product (focus mainly on file, registry and network activities)?
  • Many more.

  January 21, 2020 14:45-15:30

• Threat Intelligence for the Defenders

  Avkash Kathiiya (VP Security Research and Innovation, Cyware Labs)

  Avkash Kathiiya is an information Security professional with overall 10+ years of experience in the defensive side of the Information Security domain. Currently working on security research in the domain of automated Incident Response using orchestration and Threat Intelligence framework for practical implementation. Also, associated with the Mumbai chapter of the Null community (Open security community).

  For defenders in the current situation, Threat Intel is all about IOCs which are more technical in nature and covers aspects that have a very short lifespan. By the time controls are put in place to thwart the technical IOCs, attackers change it and counter with new attacks. So, it becomes essential for defenders to continuously harness the tactical information from available technical Intel to learn the TTPs (Tactics, Techniques, and Procedures) used by attackers and have countermeasures in place. TTPs are crucial and give an edge to defenders over attackers in the long run.
  
  

  I will be discussing different ideas to harness the Tactical Intel from various available sources. This includes not only external threat Intel sources but also internal operational sources which can be used to harness the Tactical Intelligence relevant for the organization. This helps in putting necessary strategic and operational countermeasures in place to restrict the attackers from achieving their goals and securing the organization.
  
  

  MITRE ATT&CK Navigator is one such tool that can be leveraged to achieve this goal. It maps the learnings, Intel, and countermeasures in one place to give a 360-degree view to create a defensive strategy. This harnessed information can be used by the SOC team for their detection use cases, IR team for incident investigations, Threat Hunting team for creating hunt hypothesis, and Threat Intel team for tactical research.
  
  

  Below is the high-level outline of my talk:

  • Types of Threat Intelligence
  • Climbing up the Pyramid of Pain
  • MITRE ATT&CK to rescue
  • Harnessing Tactical Intel from External entities
  • Harnessing Tactical Intel from Internal entities
  • Use cases for Defenders (SOC team, IR Team, Threat Hunters)

  January 21, 2020 10:00-10:45

• Why We Need a Firm Handshake between PSIRT and SDL: A Perspective from SDL Side

  Dr. Soumya Maity (Principal Engineer, Dell Product & Application Security), Juhi Ramani (Program Manager, Dell Product & Application Security)

  Dr. Soumyo Maity is an SDL Consultant to several business units and product teams in Dell Technologies. He has over 6 years of experience in product security including SDL, security architecture, and incidence response. He has a PhD in information security from IIT Kharagpur and has published over twenty peer-reviewed international research articles and book chapters.

  Juhi Ramani is a PSIRT Program Manager at Dell Product and Application Security. She comes with 10 years of experience and believes principles around security remain the same, the approach must change.

  Most of the software manufacturing enterprises have adopted Security Development Lifecycle (SDL) as a standard development practice along with a dedicated incident response team (PSIRT). All the PSIRT related industry standards (ISO 29147, ISO30111, FIRST PSIRT Framework) mentions that PSIRT has a responsibility of maintaining and influencing the internal SDL activities and SDL governance. A sensible collaboration between SDL and PSIRT is an absolute necessity for the SDL side also. This talk explores the expectation, roles, responsibilities, and limitations of the SDL side to have a perfect collaboration between SDL Team and PSIRT to achieve the best standard of product security.
  
  

  The regular practice of retrospective analysis of PSIRT-SDL Interlock is proven to be useful. It is evident to say that such analysis helps to build an efficient incident response framework, as well as works as major feedback for the SDL process and SDL Controls. If the adoption of a security control does not mitigate associated threats, then there must be a problem either with the verification of the control or adoption of the control. So, SDL needs feedback to improve its security controls. This talk also elaborates with case studies on how we manage to improve SDL controls to reduce the number of attacks over time by improving our SDL controls and thus ensure our products to be resilient to known threats using PSIRT data.

  January 22, 2020 15:45-16:15

• Bangalore 2020 FIRST Technical Colloquium
  • Program Overview
  • Registration
  • Call for Speakers
  • Venue