This is a working draft agenda. Agenda is subject to change.
Workshop: Hands-on experience with the Semi-Automated Cyber Threat Intelligence (ACT) platform

| Time | Session | Speaker |
|---|---|---|
| 09:00 – 16:00 | Workshop: Hands-on experience with the Semi-Automated Cyber Threat Intelligence (ACT) platform | Martin Eian, mnemonic CERT |

FIRST TC Oslo 2018 Day 1 - Security Monitoring

| Time | Session | Speaker |
|---|---|---|
| 09:00 – 10:00 | Registration & Coffee | |
| 10:00 – 10:10 | | Frode Hommedal, Telenor CERT and Mona Elisabeth Østvang, mnemonic IRT |
| 10:10 – 11:10 | Detection, Prevention, and the Distribution of Responsibility | Eleanor Saitta, Dymaxion |
| 11:10 – 11:20 | Break | |
| 11:20 – 11:50 | Use of Ontologies in Threat Intelligence | Siri Bromander, mnemonic |
| 11:50 – 12:00 | Break | |
| 12:00 – 12:45 | Building and advancing incident response in Europe | Rossella Mattioli, ENISA |
| 12:45 – 13:30 | Lunch | |
| 13:30 – 14:00 | VDI - Early Warning System for Digital Infrastructure | Lasse Rosenvinge, NorCERT |
| 14:00 – 14:15 | Break | |
| 14:15 – 14:45 | Implementing Security Monitoring in AWS | Lars Arne Sand, DNB |
| 14:45 – 15:00 | Break | |
| 15:00 – 15:45 | Security Monitoring using Event Stream Processing | Joakim von Brandis, mnemonic |
| 15:45 – 16:00 | Closing Remarks | Frode Hommedal, Telenor CERT and Mona Elisabeth Østvang, mnemonic IRT |

FIRST TC Oslo 2018 - Day 2 - Incident Response

| Time | Session | Speaker |
|---|---|---|
| 09:00 – 09:30 | Registration & Coffee | |
| 09:30 – 09:40 | | Frode Hommedal, Telenor CERT and Mona Elisabeth Østvang, mnemonic IRT |
| 09:40 – 10:40 | OceanLotus: Global Cyber Espionage Operations | Steven Adair, Volexity |
| 10:40 – 10:50 | Break | |
| 10:50 – 11:35 | Threat Intelligence driven Incident Response | Raymond Lund, Nordic Financial CERT |
| 11:35 – 11:45 | Break | |
| 11:45 – 12:30 | | Matias Bevilacqua, Mandiant |
| 12:30 – 13:15 | Lunch | |
| 13:15 – 14:00 | | Jason Smart, PricewaterhouseCoopers |
| 14:00 – 14:05 | Break | |
| 14:05 – 14:50 | | Karl Bernhard Gudmundsen, Sykehuspartner CERT |
| 14:50 – 15:00 | Break | |
| 15:00 – 15:45 | | Frode Hommedal & Lars Erik Bråtveit, Telenor CERT |
| 15:45 – 16:00 | | Frode Hommedal, Telenor CERT and Mona Elisabeth Østvang, mnemonic IRT |
Rossella Mattioli, ENISA
Rossella Mattioli joined ENISA, the European Cybersecurity Agency, in 2013. Over the years she worked on threat modelling and security measures for Internet infrastructure, ICS/SCADA, smart grids, Internet of Things, smart cars and aviation. She is currently focusing on supporting European CSIRTs communities and the newly established “CSIRTs Network” to build and advance their incident response capabilities to face future cyber-attacks. Along with other efforts, at the moment, ENISA and the European CSIRTs community are working together in the Reference Security Incident Taxonomy Working group to improve incident data exchange in Europe and the agency will organize next month the "2018 CTI-EU | Bonding EU Cyber Threat Intelligence" event.
Abstract: For more than ten years ENISA has been supporting Member States and CSIRT communities in the EU (https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-inventory/certs-by-country-interactive-map) to build and advance their incident response capabilities with handbooks, online and onsite training (https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists) and dedicated projects. This talk will give an overview of ENISA's efforts regarding proactive detection and threat intelligence, and of the recent developments of the Reference Security Incident Taxonomy Working Group (https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force).
October 25, 2018 12:00-12:45
Eleanor Saitta, Dymaxion
Eleanor Saitta is an independent security architecture and strategy consultant with media, finance, healthcare, infrastructure, and software clients across the US and Europe. She was previously the security architect for Etsy.com, and has worked for a number of commercial consultancies (Bishop Fox, IOActive, and others) over the past fifteen years. Her work has encompassed everything from core security engineering and architecture work for Fortune 50 software firms to cross-domain security for news organizations and NGOs targeted by nation states. Her focus is on the ways task and experience design, system architecture, development process change, and operational changes can shift the balance of power between adversaries to bring better outcomes to users.
Saitta is a co-founder and developer for Trike (http://octotrike.org/), an open source threat modeling methodology and tool which partially automates the art of security analysis and has contributed to the Briar (https://briarproject.org) and Mailpile (https://mailpile.is) secure messaging projects. She's on the advisory boards of the Freedom of the Press Foundation (https://pressfreedomfoundation.org), the International Modern Media Institute (https://immi.is), and the Calyx Institute (https://calyxinstitute.org), all organizations that look at freedom in the media and security online. Saitta is a regular speaker at industry conferences; past venues include O'Reilly Velocity, KiwiCon, ToorCon, CCC, Hack in The Box, and HOPE, among others. You can find her on twitter as @dymaxion, and at https://dymaxion.org
October 25, 2018 10:10-11:10
Jason Smart, PricewaterhouseCoopers
In this presentation I'll detail some interesting investigations the PwC threat intelligence team has done in the past 12 months. I'll take you on a journey from China to Iran, jump over to India and finally Mother Russia, covering new techniques and tactics we've seen new and old actors use.
Jason leads the PwC technical threat intelligence team responsible for the collection and analysis of intelligence, as well as leading PwC's global intel subscription service. Jason spent 7 years as an intelligence analyst in both government and industry, investigating some of the biggest intrusions known to date with a primary focus on Russia-based threat actors. He supports PwC member firms in all their threat intelligence consulting and incident response investigations.
October 26, 2018 13:15-14:00
Karl Bernhard Gudmundsen, Sykehuspartner CERT
Karl Bernhard Gudmundsen has 20+ years of experience from various parts of IT security. He has been part of Sykehuspartner CERT for 4 years, doing incident response and security monitoring. Previously, he worked for an MSSP, and he has worked with IT security in the financial industry for several years.
October 26, 2018 14:05-14:50
Lars Arne Sand, DNB
An overview of key aspects and lessons learned from DNB's implementation of security monitoring in AWS. The presentation will describe how to obtain sufficient visibility for detection and incident response, how to do security monitoring with a multi-account strategy, and how to automate the enablement of security services and logging as part of account creation. It will also cover aspects to consider when moving from security monitoring of traditional IT services to security monitoring of container-based and serverless services.
Lars Arne Sand is the subject lead for security incident detection at DNB. Lars Arne has worked with security monitoring and incident response since 2012 and has during the past year been responsible for implementing security monitoring in DNB's new cloud-based platform.
October 25, 2018 14:15-14:45
Frode Hommedal, Telenor CERT and Mona Elisabeth Østvang, mnemonic IRT
Frode Hommedal is a senior incident responder and CSIRT leader. He is currently head of incident response and security analytics at Telenor CERT, and part of the team that is establishing the global CERT/SOC capability of Telenor. He previously worked seven years for the Norwegian national CSIRT, NorCERT, and he has extensive experience with countering digital espionage. One of Frode’s goals is to contribute to the infosec curriculum, hoping it will help more CSIRTs to find, face and fight the ever growing number of advanced threats.
October 25, 2018 10:00-10:10
Steven Adair, Volexity
A look at how OceanLotus conducts its tracking, exploitation, and command and control operations around the world. Chances are that you have encountered their digital surveillance dragnet without even knowing it. Learn how OceanLotus has become one of the most advanced and pervasive groups in operation today.
Bio: Steven Adair is the founder and President of Volexity, Inc., an information security firm specializing in assisting organizations with incident response, digital forensics, threat intelligence, network security monitoring, and trusted security advisory. Steven currently leads a team of experts that frequently deal with advanced and complex cyber intrusions from nation-state level intruders targeting everyone from small think tanks to large global defense contractors.
Prior to Volexity, Steven was the Director of Cyber Intelligence at Verizon Terremark, where he built and led their external incident response services and efforts to track emerging and advanced threats, with a core focus on activity related to cyber espionage. Prior to working at Verizon Terremark, Steven ran the Cyber Threat Analysis Program within the Office of the CIO at NASA. The goal of this program was to provide computer network defense (CND) by proactively detecting, mitigating, and preventing advanced targeted attacks and cyber intrusions across the Agency.
In April 2010, Steven, along with researchers and professors from the University of Toronto, released a report titled "Shadows in the Cloud: Investigating Cyber Espionage 2.0." The report detailed a deliberate and successful cyber espionage campaign against the Indian Government and Tibetan interests, including systems belonging to the Dalai Lama and his colleagues. Steven is also a co-author of the book "Malware Analyst's Cookbook".
October 26, 2018 09:40-10:40
Frode Hommedal & Lars Erik Bråtveit, Telenor CERT
In 2018 Telenor hosted their largest APT-focused cyber exercise to date, "Øvelse Bukkesprang". The exercise challenged Norway's best incident responders in a large, simulated environment that contained production systems as well as users (and adversaries) who were actively using the resources. In addition to the technical investigation, participants were also required to report to management on the status of the incident and advise on how the company should best move forward.
An active Red Team playing the APT made sure that the participants never had a dull moment. "Øvelse Bukkesprang" had 40 participants and took place over 3 days at Telenor in Oslo.
Frode and Lars Erik will be talking about how they went from planning to success. They will delve into the details of how the adversary was played, as well as the infrastructure and tools needed to achieve their goals. Last but not least, they will also share the feedback and "teachable moments" from the participants, talking about what worked well and what will be improved in future exercises.
Lars Erik Bråtveit is a Senior Security Engineer at Telenor CERT, working daily on protecting the infrastructure of Telenor Norway from advanced threat actors. He has over 20 years of experience with security, from both the red and the blue side. He is passionate about technology, and much of his spare time is spent disassembling and reassembling devices when he is not indulging his other passion, computer games.
Frode Hommedal is a senior incident responder and CSIRT leader. He is currently head of incident response and security analytics at Telenor CERT, and part of the team that is establishing the global CERT/SOC capability of Telenor. He previously worked seven years for the Norwegian national CSIRT, NorCERT, and he has extensive experience with countering digital espionage. One of Frode’s goals is to contribute to the infosec curriculum, hoping it will help more CSIRTs to find, face and fight the ever growing number of advanced threats.
October 26, 2018 15:00-15:45
Joakim von Brandis, mnemonic
Security Monitoring requires processing of vast amounts of data, and security monitoring solutions have to be able to pick a very small needle out of a very large haystack. Storing, indexing and searching every last piece of data becomes a scaling problem as data volumes grow, and Event Stream Processing is a popular approach to overcome this issue. However, Event Stream Processing raises a number of challenges compared to batch processing.
This talk goes through our approach to Security Monitoring using Event Stream Processing, as implemented in mnemonic's security monitoring platform, Argus. The focus is on the methods used for data collection, normalisation, reference data lookup, data correlation, aggregation and reduction, and on how to make this work at scale.
Bio: Joakim von Brandis is the architect and lead developer of Argus, and has worked with security monitoring at mnemonic since 2004. Today he is Head of Development at mnemonic, responsible for further developing the Argus Platform used to deliver mnemonic's security monitoring services worldwide.
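The pipeline stages named in the abstract (normalisation, reference data lookup, correlation, aggregation and reduction) can be shown end to end on a small constructed stream. The following is an added illustration and is not Argus code or any mnemonic code: the two log formats, the IOC list, the asset list, the five-minute window and the threshold of five failures are all assumptions made for the example. The point it makes is the one the abstract makes: the correlator keeps only per-source state inside a sliding window instead of storing and indexing every raw line.

```python
"""Event-stream style security monitoring: normalise, enrich, correlate, reduce.

Added illustration (not mnemonic's Argus code). Log formats, IOC list,
asset list, window and threshold are constructed for the example.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Reference data (constructed): known-bad source IPs and assets we care about.
IOC_IPS = {"198.51.100.7"}
CRITICAL_ASSETS = {"bastion01"}

# Constructed sshd-style failure line; the JSON lines mimic a web access log.
SSH_FAIL = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def normalise(line):
    """Map raw lines of two formats onto one event schema; drop everything else."""
    m = SSH_FAIL.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "src": m["src"], "user": m["user"], "kind": "auth_fail"}
    if line.startswith("{"):
        try:
            d = json.loads(line)
        except json.JSONDecodeError:
            return None
        if d.get("status") == 401:
            return {"ts": datetime.fromisoformat(d["time"]), "host": d["host"],
                    "src": d["client_ip"], "user": d.get("user", "-"),
                    "kind": "auth_fail"}
    return None  # not an event we monitor: reduced away at the first stage


def enrich(ev):
    """Reference data lookup: tag IOC hits and critical assets on the event."""
    ev["ioc"] = ev["src"] in IOC_IPS
    ev["critical"] = ev["host"] in CRITICAL_ASSETS
    return ev


class Correlator:
    """Sliding-window aggregation per source IP; raw events are not retained."""

    def __init__(self, window=timedelta(minutes=5), threshold=5):
        self.window, self.threshold = window, threshold
        self.by_src = defaultdict(deque)  # src -> timestamps inside the window
        self.alerted = set()              # sources already reported (dedup)

    def push(self, ev):
        q = self.by_src[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()  # reduction: expire state that left the window
        # An IOC source touching a critical asset alerts on the first event;
        # anything else has to cross the aggregation threshold, once per source.
        if ev["ioc"] and ev["critical"]:
            return {"src": ev["src"], "reason": "ioc_on_critical_asset", "count": len(q)}
        if len(q) >= self.threshold and ev["src"] not in self.alerted:
            self.alerted.add(ev["src"])
            return {"src": ev["src"], "reason": "brute_force", "count": len(q)}
        return None


def run(lines, **kw):
    """Process a line stream; return the alerts and a reduction summary."""
    corr = Correlator(**kw)
    alerts, kept = [], 0
    for line in lines:
        ev = normalise(line)
        if ev is None:
            continue
        kept += 1
        alert = corr.push(enrich(ev))
        if alert:
            alerts.append(alert)
    return alerts, {"raw": len(lines), "events": kept, "alerts": len(alerts)}


# Constructed sample stream, in time order.
SAMPLE_LINES = [
    "2018-10-25T12:00:00 web01 sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "2018-10-25T12:00:03 web01 sshd[4243]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2",
    "2018-10-25T12:00:10 web01 sshd[4244]: Failed password for root from 203.0.113.5 port 51235 ssh2",
    "2018-10-25T12:00:20 web01 sshd[4245]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "2018-10-25T12:00:30 web01 sshd[4246]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2",
    "2018-10-25T12:00:40 web01 sshd[4247]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    '{"time": "2018-10-25T12:00:45", "host": "web01", "client_ip": "192.0.2.10", "status": 200, "path": "/"}',
    "2018-10-25T12:00:50 web01 sshd[4248]: Failed password for root from 203.0.113.5 port 51239 ssh2",
    '{"time": "2018-10-25T12:01:00", "host": "bastion01", "client_ip": "198.51.100.7", "status": 401, "user": "root"}',
]

if __name__ == "__main__":
    for a in run(SAMPLE_LINES)[0]:
        print(a)
```

Nine raw lines become seven events and two alerts; the sixth failure from the same source produces no second alert because the source is already in the dedup set, which is the kind of reduction that keeps alert volume bounded as the input grows.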
October 25, 2018 15:00-15:45
Matias Bevilacqua, Mandiant
During an incident response case in 2017, Mandiant stumbled on a fairly silent, but very capable, threat group known as Platinum. Starting from scratch, the investigators uncovered a complex web of unique new malware and brought to light a breach that had been underway for years. This technical talk will cover some of the malware encountered during this engagement, Platinum’s capabilities and weaknesses with a focus on some of the techniques used to hunt for this threat actor.
Mr. Bevilacqua is a Principal Incident Response Consultant at Mandiant, based in Barcelona. As part of the Incident Response Team, he provides emergency services to clients when an elevated security breach occurs. He also helps clients create Incident Response management programs, analyzes and tests existing Incident Response plans, conducts forensic investigations, and provides Incident Response and forensics training. Mr. Bevilacqua has an extensive computer forensics background and has provided expert witness testimony on hundreds of investigations over the last decade.
October 26, 2018 11:45-12:30
Raymond Lund, Nordic Financial CERT
Raymond Lund, Incident Response Manager in Nordic Financial CERT has 12 years’ experience as member and manager of SIRT teams.
Join this session to learn how the Nordic Financial CERT (NFCERT) works with threat intelligence and tracks threats to prepare members for a future attack. Explore technical tracking of IOCs and the threat actor, preparing detection and testing that the detection works, and working with law enforcement to ensure they understand the scenario when the victims start to file complaints.
October 26, 2018 10:50-11:35
Siri Bromander, mnemonic
In short, an ontology describes the data and the relationships between data within a domain. It takes the semantics into account and gives benefits such as a defined vocabulary, analysis and reasoning capabilities, and the possibility to share knowledge.
The use of ontologies within cyber threat intelligence (CTI) is emerging, and this presentation will explain what, why and how. Examples will be given and some of the challenges we are facing will be discussed.
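To make the three benefits in the abstract concrete (a defined vocabulary, reasoning, and shareable knowledge), here is a small constructed CTI ontology as an added example. It is not mnemonic's, the TOCSA project's or the ACT platform's ontology: the class names, the relation vocabulary with its domain and range constraints, the inference rules and the sample facts are all assumptions made for the illustration. The vocabulary rejects facts that do not fit its types, and forward chaining over the rules derives facts no analyst entered by hand.

```python
"""A minimal CTI ontology: typed relations, validation and rule-based inference.

Added illustration; classes, relations, rules and facts are constructed for
the example and do not come from the TOCSA or ACT projects.
"""

# Vocabulary: relation -> (domain class, range class). A fact is only accepted
# if its subject and object have exactly these classes.
ONTOLOGY = {
    "conducts":          ("ThreatActor", "Campaign"),
    "uses":              ("Campaign", "Tool"),
    "implements":        ("Tool", "Technique"),
    "indicates":         ("Indicator", "Tool"),
    "targets":           ("Campaign", "Sector"),
    # Derived relations also live in the vocabulary so inferred facts are typed.
    "actorUsesTool":     ("ThreatActor", "Tool"),
    "actorUsesTechnique": ("ThreatActor", "Technique"),
    "indicatesTechnique": ("Indicator", "Technique"),
}

# Inference rules (constructed): (a r1 b) and (b r2 c) entail (a r3 c).
RULES = [
    (("conducts", "uses"), "actorUsesTool"),
    (("actorUsesTool", "implements"), "actorUsesTechnique"),
    (("indicates", "implements"), "indicatesTechnique"),
]


class KnowledgeGraph:
    def __init__(self, ontology, rules):
        self.ontology, self.rules = ontology, rules
        self.cls = {}        # entity -> class
        self.facts = set()   # (subject, relation, object)

    def declare(self, entity, cls):
        self.cls[entity] = cls

    def add(self, s, rel, o):
        """Accept a fact only if it conforms to the vocabulary's types."""
        if rel not in self.ontology:
            raise ValueError(f"unknown relation {rel!r}")
        dom, rng = self.ontology[rel]
        if self.cls.get(s) != dom or self.cls.get(o) != rng:
            raise ValueError(f"{s} {rel} {o} violates {dom} -> {rng}")
        self.facts.add((s, rel, o))

    def infer(self):
        """Forward-chain the rules to a fixpoint; return how many facts were derived."""
        derived, changed = 0, True
        while changed:
            changed = False
            for (r1, r2), r3 in self.rules:
                for a, x, b in list(self.facts):
                    if x != r1:
                        continue
                    for b2, y, c in list(self.facts):
                        if b2 == b and y == r2 and (a, r3, c) not in self.facts:
                            self.add(a, r3, c)   # derived facts are type-checked too
                            derived += 1
                            changed = True
        return derived

    def query(self, s, rel):
        return sorted(o for x, r, o in self.facts if x == s and r == rel)


def build_sample():
    """Constructed facts: one actor, one campaign, one tool, one indicator."""
    kg = KnowledgeGraph(ONTOLOGY, RULES)
    for entity, cls in [("APT-Example", "ThreatActor"), ("Campaign-Alpha", "Campaign"),
                        ("Loader-X", "Tool"), ("Spearphishing attachment", "Technique"),
                        ("hash-1", "Indicator"), ("Finance", "Sector")]:
        kg.declare(entity, cls)
    kg.add("APT-Example", "conducts", "Campaign-Alpha")
    kg.add("Campaign-Alpha", "uses", "Loader-X")
    kg.add("Loader-X", "implements", "Spearphishing attachment")
    kg.add("hash-1", "indicates", "Loader-X")
    kg.add("Campaign-Alpha", "targets", "Finance")
    return kg


if __name__ == "__main__":
    kg = build_sample()
    print("derived:", kg.infer())
    print("APT-Example techniques:", kg.query("APT-Example", "actorUsesTechnique"))
    print("hash-1 techniques:", kg.query("hash-1", "indicatesTechnique"))
```

Three facts are derived from five entered ones, including the link from a file hash to a technique that nobody recorded directly. Because every fact, entered or inferred, carries a relation from the shared vocabulary, the graph can be exported and merged with another party's graph without the two sides disagreeing about what "uses" means.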
Bio: Siri Bromander (mnemonic): Siri Bromander works as part of the Threat Intelligence and Incident Response group at mnemonic, while pursuing her PhD at the University of Oslo with her PhD project “Threat Ontologies for CyberSecurity Analytics (TOCSA)” and contributing to the research project “Semi-Automated Cyber Threat Intelligence (ACT)”.
She has more than 10 years of work experience in IT security and information security research roles, including serving as Security Manager at mnemonic for five years.
October 25, 2018 11:20-11:50
Lasse Rosenvinge, NorCERT
VDI detects and responds to serious cyberattacks against critical infrastructure and information. VDI is based on a trusted partnership between private enterprises, government agencies and authorities, and the secret services in Norway. VDI has been operational for more than 18 years. The technology used in VDI is continuously developed to meet changes in the threat landscape.
Bio: NorCERT is a part of the Norwegian National Security Authority (NSM). NorCERT acts as Norway's national cyber security centre and national CERT, handling severe computer attacks against critical infrastructure and information. Their mission is to enhance Norway's resilience in the digital domain.
October 25, 2018 13:30-14:00
Martin Eian, mnemonic CERT
Dr. Martin Eian works as a Senior Security Analyst in mnemonic CERT's Threat Intelligence group, and he is the Project Manager for the research project "Semi-Automated Cyber Threat Intelligence". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic CERT, he is an Adjunct Associate Professor at the Department of Telematics, NTNU. He is also a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from the Norwegian University of Science and Technology (NTNU).
In 2016, mnemonic CERT launched the research project "Semi-Automated Cyber Threat Intelligence (ACT)". The project partners are the University of Oslo (UiO), the Norwegian University of Science and Technology (NTNU), the Norwegian National Security Authority (NSM), the Nordic Financial CERT (NFCERT) and KraftCERT.
The ACT project develops an Open Source platform for threat intelligence. The project researches new methods for data enrichment and data analysis to identify threat agents, their motives, resources and attack methodologies. In addition, the project will develop new methods, work processes and mechanisms for creating and distributing threat intelligence and countermeasures, to stop ongoing and prevent future attacks.
Our primary motives for launching the ACT project were to provide a holistic workspace for analysts, automate repetitive tasks, facilitate advanced automated analysis, improve our knowledge of threat agents, facilitate efficient and accurate manual analysis, automate sharing of threat information and countermeasures, and automate the processing of unstructured data.
Threat intelligence analysts use numerous different systems for their daily tasks. They copy and paste data from system to system, then manually try to collate the results. The ACT platform aims to automate such processes, to provide a holistic view of the collated information, and to retain the information for future use.
The ACT project will facilitate sophisticated enrichment of data and the application of artificial intelligence techniques for automated analysis of data and information. These two research areas are the main responsibility of the universities participating in the project.
Automated threat information sharing and countermeasures can significantly improve detection and prevention capabilities. The ACT project has reviewed existing standards and protocols for information sharing and countermeasures. The project also closely monitors standards that are under development.
Finally, masses of data relevant to threat intelligence are available in unstructured formats. Examples include threat reports, academic papers, news articles, blogs, e-mail lists, and wiki pages. The ACT project has implemented and tested prototypes based on natural language processing (NLP) techniques for the extraction of structured data from unstructured sources.
Since the project started we have developed the core platform with API and graphical user interface. We have also developed new NLP techniques and applied these to extract structured data from relevant sources. The project partners and other interested organizations are currently testing the platform. The platform has also been used in live incident response cases, and has proven itself as a useful addition to our arsenal.
Our aim is to make the ACT platform a useful tool for the following roles:
We have created a GitHub repository for the project, where we have published platform documentation and code under the ISC Open Source license.
We have also presented the project in several relevant conferences, including a presentation of preliminary results at the FIRST Conference 2017, a project presentation at the FIRST Technical Colloquium Oslo 2017, and a keynote at NIKT 2017.
The workshop will be an extended version of the workshop presented at the 30th annual FIRST Conference.
October 24, 2018 09:00-16:00