Program Overview

Theat Intelligence plays an important role in Attack Hunting. Key DNS attack hunting techniques include examining DNS portrait information, detecting DNS tunneling and Domain Generation Algorithms (DGAs). Logging DNS requests and responses on DNS forwarders is a simple way. DNS logs are one of the most powerful attack hunting resources, but encryption is rapidly changing that equation. In this presentation, I want to share with you how to extract IoC from DNS logs, detecting DNS tunneling and Domain Generation Algorithms (DGAs) with Threat Intelligence of DNS.

Li Pengchao, Ph. D, associate researcher. Received B.S. from Beijing University of Posts and Telecommunications (BUPT); Received MSE from BUPT. Graduated from Tsinghua University, with a Ph. D. Serve as VP of Eversec (Beijing) Technology Co., Ltd. My research interests include cyber security, intelligent information processing and data content security. 12 academic papers have been published and 7 patents have entered the substantive examination stage. I've been engaged in the research of multimedia information hiding theory and method, encrypted communication technology, embedded communication system and computer vision since 2008. I participated in more than 20 ministerial-level scientific research projects, and two projects have won the prize of department-level scientific and technological progress. Editorial board member of the "2020 network information Innovation Research Report".

This presentation will provide an innovative viewpoint on Cyber Resilience, showing how CSIRT teams can contribute to make it "architecturally expensive" for an attacker once your defenses have been breached. The talk will touch base on foundations of Cyber Resilience (NIST 800-160, MITRE CREF) and evolve into practical take-aways. Focusing on TID-level work and day-to-day operations is paramount, but taking a step back and embedding Cyber Resilience concepts into the way how threat management and defense is architected is equally important to be ready against advanced attackers. The talk will go through the concepts of High Value Targets and how the MITRE Impact Tactics (TA0040) can be mapped to the NIST 800-160 guidelines, providing practical ready-to-apply use cases. Feedback from participants on how they understand and approach Cyber Resilience will be appreciated.

Francesco Chiarini joined Standard Chartered Bank (SBC) as global lead over the cyber resilience capability with the aim to evolve SCB's posture and highlight the key strategic capabilities we need, to sustainably stay ahead of the cyber threat. Francesco has 15+ years' experience in IT and cyber security and joined SBC from PepsiCo where he was in charge of one of the two global Cyber Fusion Centers, leading globally incident response, adversary emulation and cyber resilience. Founder of the Consumer Packaged Goods (CPG) Special Interest Group (SIG) at FIRST.org and of the Poland FIRST.org group. 2021 Volunteer of the year award at ISSA.org, global head of the Cyber Resilience ISSA.org SIG and director for International Cooperation at ISSA Poland. Advisor of the FIRST.org Security Metrics SIG.

Calin Gheorghiu joined Standard Chartered Bank (SCB) as cyber resilience architect, with the aspiration of laying the foundations & shaping the vision of an industry leading threat informed risk management strategy, in order to prepare against the threats of tomorrow. Calin has 7+ years' experience in IT and cyber security and joined SBC from Broadcom, where he covered a series of tactical & management roles, ranging from solution architecture, incident response & threat intelligence. He also holds the position of Director of the Community of Practice of the ISSA.org Cyber Resilience SIG.

Explanation of the datasets required for AI technique development in the cybersecurity area established by Korea Internet and Security Agency (KISA), such as purpose, progress, results and future direction of establishment. Sharing 8 Best Practices of verifications using Cybersecurity AI Datasets, cooperated with Private/Public Cybersecurity Organizations.

Jeong Min Lee has a main interesting field of Data-Driven Cyber Security using AI Bigdata analysis. He has received his doctoral degree in Computer Science and Engineering from Inha University in Korea.

SIM3, developed by the OCF, is a CSIRT maturity model consisting of items to be organized and implemented to manage a CSIRT and their maturity levels. It is widely used mainly in the European CSIRT community and has been used as a condition for FIRST membership since 2022. It is also used by Japanese CSIRT community to understand and improve the status of their teams. They have developed and utilized documents for evaluation and their own training.

In this presentation, an overview of SIM3 and its structure will be introduced, followed by examples of use in several CSIRT communities and in Japan. SIM3 is generic so that it can be used by various CSIRTs. By explaining the SIM3 concept and supplementing it with examples, it will be easier to use on building and improving CSIRTs. We have facilitated the spread of SIM3 by developing documents and training that provide examples of descriptions, the concept of level assessment and improvement methods for each item. We will also introduce examples of application in Japan, documents and training for self-checking in SIM3, together with an overview of OCF training.The training we developed to expand the use of SIM3 in Japan introduces SIM3 items with explanations and examples of descriptions, and is designed to make it easy to understand the SIM3 concept. We have also tried to make it possible to discuss the differences and benefits of each level. This section focuses on the content of these areas.

Seiichi "Ich" Komura, Certified SIM3 Auditor, is a Senior manager of NTT Advanced technology corporation, works as a POC of internal CSIRT, a consultant on building and improving CSIRT, and a trainer of information security. He is a lecturer of Tokyo Denki University. He is the leader of CSIRT evaluation maturity model WG of Nippon CSIRT Association(NCA).

Yoshiki Sugiura has 24-year experience on CSIRTs. He used to be a member of JPCERT/CC since 1998. He works for two CSIRTs, IL-CSIRT and NTT-CERT now. He is also a board member of Nippon CSIRT Association. On SIM3 he is a certified trainer and auditor. He is a specialist in management of CSIRT.

The world runs on software, and everything is heavily becoming software-defined. Still, we continue to see the vast number of software vulnerabilities and their associated weakness classes leveraged by threat actors/agents. Security-assured software has become vital for all types of software, whether proprietary, free-open-source, commercial-off-the-shelf, and on the operating environment where the software is built. Established best practices are followed to build-in security controls throughout the software development lifecycle. Still, vulnerabilities are discovered and exploited by adversaries to access systems. If we analyze reported security vulnerabilities and correlate them with major attack campaigns, we can see a few patterns emerge in adversaries modus operandi. Specifically, if we review the MITRE ATT&CK framework, which curates adversarial tactics, techniques & procedures (TTPs), and view it through the widely followed software practices and implemented controls, we can harvest valuable insights. This approach can enable organizations to develop the attacker's mindset through documented public domain knowledge. In this talk, we describe a method for extracting optimal practices and specific controls that software development teams can implement to increase resiliency against primary adversarial TTPs. This is achieved by providing a mapping between two foundational frameworks, viz., NIST SSDF (for secure development practices) and OWASP ASVS (security verification standard for web application software and can be generally extended to other types of software). Insights obtained by mapping between ATT&CK mitigations and SSDF/ASVS help select optimal control verification requirements and can provide increased resiliency to software design, development, and deployment. This can be an impactful way to demonstrate how 'Offense' and 'Defense' can complement each other. Software development teams can hugely benefit if the feedback from attack campaigns is fed into secure software development, thereby enabling significant reduction/elimination of weaknesses and vulnerabilities.

Lokesh Balu currently works with Dell Technologies as technical lead for secure design and development of an 'as-a-service' offer / APEX portfolio. He also leads a program responsible for developing standards and best practices for building 'Trust' controls and requirements into Dell Technologies' as-a-Service offers. His experience includes Secure software development consultancy, Security architecture, Threat modeling, Threat Intelligence, Vulnerability management, Product and Application Security Incidence Response. His prior experience includes security testing enterprise server platforms, systems management software/firmware, and Firewall appliances and service modules. Lokesh has multiple vendor-neutral security certifications from SANS, ISC2, and CSA and has an authorized patent filled with US PTO. He holds a bachelor's degree in Electronics and Communications Engineering and currently pursuing his master's degree in Cybersecurity with IIT Kanpur.

The lateral movement stage of intrusions depends critically on a limited number of techniques and procedures associated with account and service discovery, account compromises, service exploitation and the mapping of internal services and data stores to identify suitable targets for actions on objectives. Microsoft Active Directory plays a key role in many of these steps.

Weaknesses in the configuration of Active Directory make a lot of techniques associated with lateral movement feasible. Yet many organisations fail to discover, monitor and address the attack paths that they offer attackers. In this session, we'll consider how to assess attack paths through Microsoft Active Directory. We'll also discuss some of the most common weaknesses found in enterprise installations of Active Directory.

Hinne Hettema is a practitioner in cybersecurity operations, focusing especially on enabling security capabilities through detection engineering, security monitoring, threat intelligence, incident response, operational technology, and malware research. He works in New Zealand in security operations and the establishment of cybersecurity defensive capabilities in various organizations. He is an adjunct senior fellow at the University of Queensland, researching cybersecurity operations, the security of operational technology, and the philosophy of cybersecurity. He studied theoretical chemistry and philosophy. He is a liaison member of First.

With the growth in IoT devices and connected solutions, effective security approaches must incorporate hardware and software security mechanisms. These mechanisms require strategies for securing devices, and their identities, which use strong cryptographic techniques combined with trusted hardware, such as a hardware security module. Hardware trustworthiness becomes the foundational building block for software features and solutions built on top of the hardware. The supply chain is susceptible to a range of threats, such as counterfeit hardware, IP piracy, overproduction, reverse engineering, cloning, and software-based threats, such as unreliable data and unauthorized manipulation of software and data. Some of the points covered are:

• Approaches to using trusted hardware
• Application of hardware-based security for key management
• Attestation of the hardware and software trustworthiness
• Using secure hardware roots of trust to enable supply chain security
• Providing supply chain confidence throughout the product lifecycle
• Zero Touch Provisioning of the device in the operational environment

This session discusses the challenges and possible solutions in ensuring supply chain security for IoT devices. A few of the industry initiatives for supply chain assurance are also introduced.

Mini TT works with Dell Technologies, Bangalore, in the domain of embedded system security. Before this, she worked in research and development with Philips and ABB producing innovative products, publications, and patents. She has experience in defence, semiconductors, consumer electronics, substation automation and industrial measurements. She had started her career with Bharat Electronics developing command and control systems for Indian Defence. Her specialization is in cybersecurity, embedded systems, and system architecture. She holds an MTech in Embedded Systems from BITS Pilani, and a degree in Computer Science and Engineering from the University of Kerala. Currently, she is pursuing her PhD in embedded system security.