Tentative Agenda (subject to change)
February 19, 2019

Time | FIRST TC Plenary | Workshop
---|---|---
08:00 – 09:00 | Registration |
09:00 – 09:20 | Opening Remarks (Head of CERT-IL, Lavy Shtokhamer) |
09:20 – 09:50 | Increasing Efficiencies by Attacking Target Rich Environments: Attacker Perceived Cyber Wally World (NCCIC, Jermaine Roebuck) |
09:50 – 10:20 | APT hunting with open source data (Clearsky, Eyal Sela & Or Blat) |
10:20 – 10:50 | A Glimpse into The Underground Criminal Forums (Trustwave Spiderlabs, Ziv Mador) |
10:50 – 11:10 | Coffee Break |
11:10 – 11:40 | Damsky.tech, Irena Damsky |
11:40 – 12:10 | APIs are critical to security people - what I learned trying to discover useful APIs (FIRST.org, Alexander Jager) |
12:10 – 12:40 | The dynamic world of supply chain cyber risk management (BITSIGHT, Stephen Boyer) |
12:40 – 13:40 | Lunch |
13:40 – 14:10 | Israel's Supply Chain cyber risk management national scheme (INCD, Aviram Azeba & Chen Girat) |
14:10 – 14:40 | Nation state espionage efforts facilitation - Attacking infrastructure (FireEye, Yuri Rozhansky) | Cyber Range workshop, 14:10 – 16:30 (limited number of participants)
14:40 – 15:10 | Incident response from the eyes of the attacker (Reut Menashe) |
15:10 – 15:40 | MalDoc Evolution – from ShellExecute to ^LL^ehs^reWO^p (Minerva labs, Asaf Aprozper & Gal Bitensky) |
15:40 – 16:10 | Trusted and anonymized threat sharing using Blockchain technology (IBM Cyber Security Center of Excellence, Dr. Yair Allouche) |
19:00 – 21:00 | Hosted reception for international attendees (Whiskey Bar, Sarona Market, Tel Aviv) |
February 20, 2019

Time | FIRST TC Plenary | Workshop
---|---|---
08:00 – 08:45 | Registration |
08:45 – 09:10 | Opening remarks (Director General INCD, Mr. Yigal Unna) |
09:10 – 09:40 | The Zero-Trust Approach for Your Alert Haystack (Intezer, Ari Eitan) |
09:40 – 10:10 | Analyzing Malware Evasion Trend: Bypassing User-Mode Hooks (Ensilo, Omri Misgav & Udi Yavo) |
10:10 – 10:40 | McAfee, Raj Samani |
10:40 – 11:10 | "We're no longer in Kansas, IR Team": Bypassing perimeters & why SOCs matter (CyberArt Security, Yossi Sassi) |
11:10 – 11:25 | Coffee Break |
11:25 – 11:55 | CSIRTs in Europe and current trends (ENISA, Andrea Dufkova) |
11:55 – 12:40 | Beyond whitelisting: fileless attacks against Linux (Rezilion, Ex-Paypal, Shlomi Boutnaru) |
12:40 – 13:10 | Stack overflow: The Vulnerability Market Place (Snyk, Danny Grander) |
13:10 – 14:10 | Lunch |
14:10 – 14:40 | Hunt and Incident Response Considerations in the Cloud (NCCIC, Matthew Rohring) | Cyber Range workshop, 14:10 – 16:30 (limited number of participants)
14:40 – 15:10 | Ghost robbers in the cloud – Finding crypto miners (Shira Shamban) |
15:10 – 15:40 | ICS/OT devices and assets management using Splunk (Israel Ministry of Energy's Cyber Center, Efi Kaufman) |
15:40 – 16:10 | "Hunting the Hunters": Active Cyber HUMINT Defense Operations. Winning the war on cybercrime (Cyber Cupula, David Barkay) |
16:10 – 16:40 | INCD, Tom Alexandrovich |
A Glimpse into The Underground Criminal Forums (Trustwave Spiderlabs, Ziv Mador)
This talk is going to cover recent research that shows the dynamics of the cybercriminal communities on the dark web, as well as the underground’s unique job market. Additionally, the talk will discuss some of the malware-as-a-service and machine laundering schemes that are being offered and used on the dark web.
February 19, 2019 10:20-10:50
Analyzing Malware Evasion Trend: Bypassing User-Mode Hooks (Ensilo, Omri Misgav & Udi Yavo)
At the beginning of 2018 the security community started experiencing a rapidly increasing trend of malware employing techniques for evading and bypassing defensive solutions. In this talk, we cover the fundamental concepts of hooking, dissect malware samples found in the wild that bypass user-mode hooks and demonstrate why their techniques are so effective. Additionally, we’ll discuss possible adaptations to tactics when conducting malware detection research and performing IR.
February 20, 2019 09:40-10:10
Ensilo-Omri-Misgav-Udi-Yavo-Analyzing-Malware-Evasion-Trend-Bypassing-User-Mode-Hooks.pdf
MD5: 238ba8fcc2288bf4fe236c61840c5835
Format: application/pdf
Last Update: June 7th, 2024
Size: 791.01 Kb
APIs are critical to security people - what I learned trying to discover useful APIs (FIRST.org, Alexander Jager)
More and more security tools are introduced in the cyber ecosystem, which increases the complexity dramatically. To combat that, there are basically two ways to scale: (a) go for a “one tool to rule them all” approach, or (b) make use of APIs and connect them. For option (b), the first step is to collect all tools that are available and discover if and what APIs these tools have. During a period of several months, I did that and open-sourced the list on GitHub (https://github.com/deralexxx/security-apis). Weaponized with that list, it is easier for security folks to do an inventory of their capabilities as well as of the requirements for future security tools: (I) require them to provide public API documentation, (II) integrate with tools on that list. To utilize the available APIs you have access to, a so-called security orchestrator might come in that connects all those APIs and enables you to create workflows over different tools. Another angle of the scenario is that some of the audience are developers themselves; for those I will give some advice on good practice for APIs.
February 19, 2019 11:40-12:10
FIRST.org-Alexander-JA-ger-APIs-are-critical-to-security-people.pdf
MD5: 76ccfc7a3d53be6b0cd39d6951929109
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.8 Mb
APT hunting with open source data (Clearsky, Eyal Sela & Or Blat)
Over the past 5 years we have been monitoring and investigating multiple APTs and have publicly exposed several threat groups, their infrastructure, malware and targeting. In this talk, we will share tools and softer aspects of threat intelligence in the form of trust-based information sharing, as well as teach methods to find and monitor advanced threats on the internet.
February 19, 2019 09:50-10:20
INCD, Tom Alexandrovich
February 20, 2019 16:10-16:40
INCD-Tom-Alexandrovich-Civil-aviation-cyber-security-threats.pdf
MD5: 0112ebb4334c3354f691a90fb7216742
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.6 Mb
Beyond whitelisting: fileless attacks against Linux (Rezilion, Ex-Paypal, Shlomi Boutnaru)
February 20, 2019 11:55-12:40
Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf
MD5: 1f6986c3519767ca953491ef3c19905f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.09 Mb
CSIRTs in Europe and current trends (ENISA, Andrea Dufkova)
Incident response has changed a lot in the last 5 years, and probably even bigger changes can be anticipated in the next 5-7 years. One of the major changes in Europe is caused by the adoption of the EU NIS (Network and Information Security) Directive in 2016. In 2018, ENISA is concentrating its efforts on assisting Member States with their incident response capabilities by providing a state-of-the-art view of the CSIRT landscape and development in Europe.
February 20, 2019 11:25-11:55
ENISA-Andrea-Dufkova-CSIRTs-in-Europe-and-current-trends.pdf
MD5: e311ca369af0b4f69e5d62d099009003
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.3 Mb
Cyber Range Workshop
For the first time in a FIRST-TC event, the participants will be challenged in a cutting-edge Israeli cyber simulator.
About the Cyber Range Workshop
The training environment consists of a virtual SOC/CERT and a virtual network. You will experience a simulated, multi-stage cyberattack that was designed by some of Israel’s best threat researchers, incident response experts and cybersecurity training experts, based on real-world attacks. You will use market-standard security tools such as a firewall, SIEM, endpoint security, network analysis and reverse engineering tools, to name a few. You will work as part of an incident response team and will use the tools at your disposal to detect a threat, investigate, mitigate, and remediate it before damage is inflicted.
Target Audience
The workshop is designed for a broad set of roles and skill levels, so that each trainee can best utilize his/her role and skill level. The session is appropriate for CSIRT team members, tier 3, 2 and 1 SOC analysts, system admins, network administrators as well as management-level participants.
What You Will Practice
The training session will address multiple aspects of the incident response process, starting with the challenges of detecting an evasive attack, to investigation, response and remediation. Sample skills and tools that will be practiced are: Windows forensics, firewall management, network forensics, endpoint security and Sysinternals Suite, process investigation, traffic investigation, and .NET reverse engineering. You are not required to be experienced with all these skills or to utilize all of them during training. Rather, you will have the opportunity to practice the ones that are most appropriate for you. In addition to technical skills, you will practice and learn about various aspects of teamwork and communications during an incident response process. The workshop will be hosted by experienced cybersecurity instructors, who will guide you throughout the session and provide real-time feedback, tips and insights.
What You Should Provide
Nothing! We will provide you with a workstation that will connect to the Cyber Range environment.
Space is limited and demand is high – reserve your seat today!
February 19, 2019 14:10-16:30
Ghost robbers in the cloud – Finding crypto miners (Shira Shamban)
Account hijacking is today’s bank robbery. These robbers don’t have to come in with their pistols up in the air and shout “this is a robbery!”; they just take over the account and happily mine cryptocurrency until the user pays attention. You might never know this is even happening, but you will be paying the price to your cloud service provider. In this talk I will present a few ways you can easily detect and block such activity in your cloud environment.
February 20, 2019 14:40-15:10
Shira-Dome9-aq.-by-check-Point-20.2.19.pdf
MD5: 3f413798ac289b6b1b188dab0e140006
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.77 Mb
Hunt and Incident Response Considerations in the Cloud (NCCIC, Matthew Rohring)
Cloud is changing the way IR professionals do business. Numerous cloud service providers mean that we must now reverse engineer the services themselves and tease out their interoperability to thoroughly understand an organization's unique landscape. This talk is intended to provoke thought and provide a baseline of questions and considerations to aid incident responders in properly scoping their work.
February 20, 2019 14:10-14:40
"Hunting the Hunters": Active Cyber HUMINT Defense Operations. Winning the war on cybercrime (Cyber Cupula, David Barkay)
February 20, 2019 15:40-16:10
MD5: ea335fb9607fa0f8f64b5d31fdec20f4
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.61 Mb
Hosted reception for our international attendees at the Whiskey Bar in Sarona Market, Tel Aviv; transportation will be provided by INCD (details to be provided onsite).
February 19, 2019 19:00-21:00
ICS/OT devices and assets management using Splunk (Israel Ministry of Energy's Cyber Center, Efi Kaufman)
In order to provide the most accurate risk management score for the Energy sector as a whole and for specific facilities, a very fundamental requirement exists: to know our systems, devices and assets. What is it that we are protecting?
This presentation will review the technical aspects of the work done in the CSC, beginning with the process of ingesting extremely heterogeneous data sources into the Big-Data application, then characterizing and normalizing the information, and finally the way we extract device information and the relationships between devices from the various event types that are logged.
February 20, 2019 15:10-15:40
Ministry-of-Energya-s-Cyber-Security-Center-Eli-Kaufman-ICS-OT-devices-....pdf
MD5: 483402af02b3d95e4480cfb60764da13
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.43 Mb
Incident response from the eyes of the attacker (Reut Menashe)
My role as an incident response team manager over the years has involved a lot of "role-playing": I always need to rethink my role and my point of view - first from the organizational "blue team" defender perspective - and then as the "attacker".
Then, in the final step - as a red team member - I use my experience to understand what the attacker is thinking, so that I can identify the adversary's vulnerabilities and stop the attack ASAP. Surprisingly, one of my biggest conclusions from years of IR engagements is using my FEAR as my BENEFIT! How? In this talk, I’ll walk through examples and share my ideas and insights for incident responders, so that we can all learn how to think like an attacker - more than just a cliché.
February 19, 2019 14:40-15:10
Increasing Efficiencies by Attacking Target Rich Environments: Attacker Perceived Cyber Wally World (NCCIC, Jermaine Roebuck)
Attacks against target rich environments have been on the rise in recent years. In this talk, we will explore attacks against managed service providers and cloud infrastructure in general, the potential impacts on critical infrastructure, and begin the discussion on what we can do from a cyber-defense/response perspective.
February 19, 2019 09:20-09:50
McAfee, Raj Samani
Nation-state attacks: is it always the same countries? Or are we witnessing the capability of many nations increasing due to the support of the private sector?
February 20, 2019 10:10-10:40
McAfee-Raj-Samani-League-of-Nations.pdf
MD5: 27176fe8d72dcd5919940fb21ea43417
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.62 Mb
MalDoc Evolution – from ShellExecute to ^LL^ehs^reWO^p (Minerva labs, Asaf Aprozper & Gal Bitensky)
In this talk we will provide historic background about “traditional” malicious documents, using nothing else but ShellExecute to launch a malicious executable directly. Then, we will proceed to enumerate modern techniques employed by malicious documents to successfully avoid countermeasures. After the techniques are known to all, we will present for the first time our research, which maps malware families and tactics over time.
February 19, 2019 15:10-15:40
Minerva-Labs-Gal-Bitensky-Asaf-Aprozper-MalDoc-Evolution.pdf
MD5: 270ca62ef5c45995d5719b6633371562
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.98 Mb
Damsky.tech, Irena Damsky
In this talk, we will have a closer look at passive DNS (pDNS), a powerful tool which allows historical analysis of DNS data. First, we will quickly recap DNS followed by outlining the concept and capabilities of pDNS finishing up with some concrete use cases and how it can be applied e.g. when investigating phishing or lighting up malicious infrastructure.
February 19, 2019 11:10-11:40
Stack overflow: The Vulnerability Market Place (Snyk, Danny Grander)
February 20, 2019 12:40-13:10
Snyk-Danny-Grander-The-vulnerability-marketplace.pdf
MD5: b0ffb20cb7bd8de1604c0685df74a89a
Format: application/pdf
Last Update: June 7th, 2024
Size: 8.47 Mb
The dynamic world of supply chain cyber risk management (BITSIGHT, Stephen Boyer)
In an ever-evolving, dynamic and complex threat environment, the old school of thought around how to secure the enterprise is no longer relevant.
Business leaders remain responsible for the security of critical information assets, yet are quickly losing control as the walls of the enterprise expand to include third and fourth parties and even the internet of things. As such, static, point-in-time assessments, one-time pen tests, annual audits and subjective maturity models are no longer sufficient measures of the effectiveness of an organization’s cybersecurity controls. Security and risk leaders need new and better strategies to assess, measure, track and communicate cyber risk and security performance to key stakeholders both inside and outside the walls of their company.
February 19, 2019 12:10-12:40
The Zero-Trust Approach for Your Alert Haystack (Intezer, Ari Eitan)
A significant challenge posed to incident response and SOC teams is the high number of alerts received on a daily basis. This presentation will cover how the evolutionary nature of software can enable a zero-trust approach to a large volume of alerts, and how the Genetic Malware Analysis approach helps prioritize files according to risk and severity, and accelerates all stages of the incident response cycle.
February 20, 2019 09:10-09:40
Trusted and anonymized threat sharing using Blockchain technology (IBM Cyber Security Center of Excellence, Dr. Yair Allouche)
There are two common models for establishing trust in threat intelligence sharing communities today. The first is based on a trusted third party, and the second is point to point based on trust established through personal relationships. In this talk we will present a blockchain-based threat sharing solution which aims to mimic the peer-to-peer trust model, but without coverage gaps or delays.
February 19, 2019 15:40-16:10
IBM-Dr.-Yair-Allouche-Trusted-and-Anonymized-Threat-Sharing-Using-Blockchain-Technology.pdf
MD5: 67521cbe5797219cdb090dfadce8e3dc
Format: application/pdf
Last Update: June 7th, 2024
Size: 1 Mb
"We're no longer in Kansas, IR Team": Bypassing perimeters & why SOCs matter (CyberArt Security, Yossi Sassi)
In the 'living off the land' reality, where any admin tool can be used as an attack tool, bypassing EPP/EDR is the norm, which is why SIEM/SOC is the final frontier against adversaries today. We will demonstrate our latest research with Shell bypass in creative ways, showcasing Post-Exploitation techniques, APTs, etc., as well as another IR/Research tool - saying goodbye to the bad guys' Obfuscation efforts and transparently exposing every command.
February 20, 2019 10:40-11:10
CyberArt-security-Yossi-Sassi-Bypassing-perimeters-why-SOCs-matter.pdf
MD5: 6135939a0931d030946b9be662bdd06c
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.78 Mb