Training Day One / Confir on Level 14

Time | Session | Presenter / Location
---|---|---
08:00 – 09:00 | Registration and Networking | Level 14 Prefunction
09:00 – 10:30 | Introduction & Lab Setup |
10:30 – 11:00 | Morning Coffee Break |
11:00 – 12:30 | Introduction & Lab Setup |
12:30 – 14:00 | Lunch Break | Level 11, Olympus Room
14:00 – 15:30 | Network Forensics for Incident Responders | Koichiro Komiyama, Yuuki Shimizu (JPCERT/CC)
15:30 – 16:00 | Afternoon Coffee Break |
16:00 – 17:30 | Network Forensics for Incident Responders | Koichiro Komiyama, Yuuki Shimizu (JPCERT/CC)
Training Day Two / Confir on Level 14

Time | Session | Presenter / Location
---|---|---
08:00 – 09:00 | Registration and Networking | Level 14 Prefunction
09:00 – 10:30 | Network Forensics for Incident Responders | Koichiro Komiyama, Yuuki Shimizu (JPCERT/CC)
10:30 – 11:00 | Morning Coffee Break |
11:00 – 12:30 | Network Forensics for Incident Responders | Koichiro Komiyama, Yuuki Shimizu (JPCERT/CC)
12:30 – 14:00 | Lunch Break | Level 11, Olympus Room
14:00 – 17:30 | Network Forensics for Incident Responders | Koichiro Komiyama, Yuuki Shimizu (JPCERT/CC)
15:30 – 16:00 | Afternoon Coffee Break |
16:00 – 17:30 | Network Forensics for Incident Responders | Koichiro Komiyama, Yuuki Shimizu (JPCERT/CC)
Plenary / Plum Blossom on Level 13

Time | Session | Speaker / Location
---|---|---
08:00 – 09:30 | Registration and Networking | Level 13 Prefunction Area
09:30 – 10:00 | Opening Remarks by FIRST & Keynote Presentation |
10:00 – 10:40 | Intervention of Banking Malware | Yurii Khvyl (Senior Malware Analyst, CSIS Security Group)
10:40 – 11:10 | Coffee & Networking Break | Sponsored by Trend Micro
11:10 – 11:50 | | Adnan Baykal (Chief Technical Advisor, Global Cyber Alliance)
11:50 – 12:30 | The Way to the Future of Incident Response | Jeremy “Birdman” Chiu (Founder, CyCarrier)
12:30 – 13:30 | Lunch Break | Level 11, Olympus Room (shared with APNIC44 delegates)
13:30 – 14:10 | Respond Before Incident – How We Rescued and Secured an APT Target | Chi-En “Ashley” Shen (Senior Cyber Threat Analyst, Team T5 Inc.), Sung-Ting Tsai (Leader, Team T5 Research), Chen-yu “GD” Dai (Chief Technology Officer, Team T5 Research)
14:10 – 14:50 | A Case Study of IoT Cyber Security Threats | Representative from TWNCERT
14:50 – 15:40 | Exploring Middle-Eastern Threat Actors | Lenart Bermejo (Threat Researcher, Trend Micro)
15:40 – 16:10 | Coffee & Networking Break |
16:10 – 17:00 | | Frankie Li (VP, Finance and Alliances, Dragon Advance Tech Consulting)
17:00 – 17:45 | ICANN: DNS Key Signing Key Rollover | Edward Lewis (Senior Technologist, Office of the CTO, ICANN)
18:00 – 18:15 | Closing Remarks |
Frankie Li (VP, Finance and Alliances, Dragon Advance Tech Consulting)
Mr. Frankie Li is an independent researcher specializing in computer forensics and malware analysis. His current research is on APT malware attribution and the use of OSINT to identify possible malicious adversaries. He is a member of the International High Technology Crime Investigation Association (HTCIA) and of the Honeynet Project, Hong Kong Chapter. He is a lecturer of malware analysis classes offered by HKU and digital forensics classes offered by HKU SPACE, and a mentor for the SANS Institute's malware and forensics classes offered in Hong Kong. He has also spoken at Black Hat USA 2014, HITCON 2014, ISSummit 2014 and Suits & Spooks Singapore 2014. In December 2014, he set up Dragon Threat Labs with @int0x00 and ipine[*]. Mr. Li holds several industry designations, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA) and GIAC Reverse Engineering Malware (GREM).
In today’s cyber world, most security vendors are offering what is supposed to be “threat intelligence”, which is often actually a kind of “big data” on a cloud security solution. Everyone talks about the term “Cyber Threat Intelligence” or tries to add “intelligence” in front of their security products: intelligence-led security, intelligence-led penetration testing, intelligence-led cyber defense or intelligence-led incident response. In this presentation, I am trying to find out how this term developed and give a summary of many of the basic concepts and frameworks that constitute the main parts of the foundation for understanding Cyber Threat Intelligence today.
September 11, 2017 16:10-17:00
Lenart Bermejo (Threat Researcher, Trend Micro)
Lenart Bermejo is a senior Threat Analyst with Trend Micro Taiwan, where he is mainly involved in APT investigations as well as reverse engineering of cyber threats. His research focuses on both targeted attack intelligence and threat solutions.
The Middle East has been a hot spot for emerging cyber security activity. In this presentation Lenart will explore Middle Eastern threat actors and discuss the common tools and techniques these actors use, why some of these actors are often classified as different groups, and the differences in their targets and attacker tactics. The presentation includes a number of real-life case studies detailing the methods used to identify and mitigate the presence of these actors in compromised networks.
September 11, 2017 14:50-15:40
Adnan Baykal (Chief Technical Advisor, Global Cyber Alliance)
Adnan Baykal is the Chief Technical Advisor for the Global Cyber Alliance, a not-for-profit organization whose mission is to eliminate cyber risks around the globe. Before taking this role, Mr. Baykal served as Vice President of Operations at the Center for Internet Security (CIS), an internationally recognized not-for-profit organization that provides cybersecurity services and support to state, local, tribal, and territorial governments throughout the United States. Mr. Baykal oversaw all technical incident response and forensic analysis activities for CIS and for the Multi-State Information Sharing and Analysis Center (MS-ISAC). Prior to this role, Mr. Baykal served as the Vice President of Security Services as well as the Director of the CIS Cybersecurity Emergency Response Team (CERT). As the Director of CIS CERT, he managed a highly select group of expertly skilled individuals responsible for providing rapid cybersecurity and incident response services to all state and local governments across the United States.
Mr. Baykal is acknowledged internationally as a technical expert in cybersecurity. With over a decade of experience leading complex operations in large-scale network monitoring, incident response, computer forensics and malware analysis, Mr. Baykal has become a global resource for detecting, identifying, analyzing and combatting cyber threats on enterprise systems and networks. Over the course of his career, Mr. Baykal has supported public and private sector enterprises in strengthening their cybersecurity posture and improving their practice. With academic degrees in both applied mathematics and computer science, he has worked closely with the FBI, the United States Secret Service, and other federal, state, and local law enforcement agencies, using his cybersecurity expertise and operational experience. His ability to clearly explain complex technical subjects has made him a much sought-after subject matter expert.
The Global Cyber Alliance (GCA) is a strategic, action-oriented not-for-profit entity dedicated to improving cyber security for the greater good of the public. GCA tackles the top cyber risks that are negatively impacting the world’s cyber security posture by acting as a solution farm and using a cross-disciplinary approach to attack cyber risks. GCA collaborates with the community to identify top cyber risks, collects data on the risks, develops or identifies solutions to confront the risks, builds teams to execute the solutions, and then measures success. In this talk, Adnan Baykal, Chief Technical Advisor to GCA, will talk about the current initiatives GCA has underway for bettering the Internet for everyone around the globe and how you can take advantage of these free solutions to significantly improve your security posture without spending a dime.
September 11, 2017 11:10-11:50
Edward Lewis (Senior Technologist, Office of the CTO, ICANN)
Edward Lewis is a Senior Technologist in the Office of the CTO. Prior to joining ICANN he worked 11 years inside Internet registries of many types (gTLD, ccTLD, sTLD and RIR). He worked for a DNS hosting company. He co-chaired the original IETF WG that developed EPP. He developed some of the first DNSSEC codebases under the original DARPA contract in the 1990s. Before that, he worked building research networks attached to the NASA Science Internet (one of the three original backbones
In October 2017, ICANN is planning to roll, or change, the “top” pair of cryptographic keys used in the DNSSEC protocol, commonly known as the Root Zone KSK (Key Signing Key). This will be the first time the KSK has been changed since it was initially generated in 2010.
Changing the key involves generating a new cryptographic key pair and distributing the new public component to all DNSSEC-validating resolvers globally. This will be a significant change as every Internet query using DNSSEC depends on the root zone KSK to validate the destination.
Network operators using DNSSEC-validating resolvers must update their systems with the new KSK to help ensure trouble-free Internet access for users. This session will explore the KSK rollover in detail and provide guidance to network operators about the changes they will need to make to their systems.
September 11, 2017 17:00-17:45
Yurii Khvyl (Senior Malware Analyst, CSIS Security Group)
This presentation covers our case studies of banking malware forensics and mitigation and gives a retrospective analysis of malicious software that targets banks with the goal of defrauding banking customers.
The presentation will cover several stories of successful and unsuccessful malware shutdown operations and the malware reincarnations that followed. We will walk through the historical process of cat-and-mouse games with a number of well-known banking malware instances (Shylock, Dyreza, Ramnit), share our war stories with the actors, and cover their current status using the newest intelligence sources. We also trace the evolution of the banking malware criminal structure over time.
September 11, 2017 10:00-10:40
Koichiro Komiyama, Yuuki Shimizu (JPCERT/CC)
Koichiro Komiyama, CISSP, is the manager of the Global Coordination Division at JPCERT/CC, the Japanese Computer Emergency Response Team. He has worked as a security analyst and led the gathering of security information and the publishing of multiple security alerts and advisories. His current focus is research on phishing, insider threats, and targeted attacks.
Prior to joining JPCERT/CC, he worked for ISS (IBM ISS), where he was in charge of large IDS/IPS system designs and operations.
Mr. Yuuki Shimizu joined the Watch and Warning Group at JPCERT/CC in April 2016. As an Information Security Analyst, he has been engaged in information gathering and analysis regarding cyber attacks targeting Japanese local organisations, as well as providing early warnings and alerts to constituencies. Previously, as a system engineer, he was in charge of designing and building server and storage systems at Fujitsu Fsas Inc.
This workshop will provide incident responders with hands-on training in analyzing network traffic using Wireshark. Attendees will be asked to solve questions by examining PCAP files of the kind seen in actual incidents, such as DDoS, drive-by download and SQL injection.
Attendees are kindly requested to bring a machine running Microsoft Windows 7 (64-bit) or higher for the hands-on exercises.
Mac and Linux are fine, but the instructors are not able to support OS-specific issues.
Prerequisite knowledge:
September 9, 2017 14:00-15:30, September 9, 2017 16:00-17:30, September 10, 2017 09:00-10:30, September 10, 2017 11:00-12:30, September 10, 2017 16:00-17:30, September 10, 2017 14:00-17:30
Chi-En “Ashley” Shen (Senior Cyber Threat Analyst, Team T5 Inc.), Sung-Ting Tsai (Leader, Team T5 Research), Chen-yu “GD” Dai (Chief Technology Officer, Team T5 Research)
Chi-en Shen (Ashley) is currently working as a senior cyber threat analyst at Team T5 Inc., where she focuses on tracking and monitoring advanced persistent threat actors. Her major areas of research include malware analysis, cyber threat intelligence and the tracking of emerging threats. Ashley has served on the Black Hat review board since 2016. She is also a member and frequent speaker of the “Hacks in Taiwan Conference” community. To support women in InfoSec, Ashley co-founded “HITCON GIRLS”, the first security community for women in Taiwan. She is also a regular speaker at security conferences, including Taiwan Security Summit, CODE BLUE, Troopers, HITCON, and VXCON.
Sung-Ting Tsai (TT) is the leader of Team T5 Research, which monitors, analyzes, and tracks cyber threats throughout the Asia Pacific region. His major areas of interest include document exploits, malware detection, sandbox technologies, system vulnerability and protection, web security, cloud, and virtualization technology. He is especially interested in new vulnerabilities in new technologies, and frequently presents the team's research at security conferences such as Black Hat, HITCON, and Syscan. He and Ming-chieh are members of the CHROOT security group in Taiwan. Sung-ting (TT) is also the organizer of HITCON, the largest technical security conference in Taiwan.
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing threat intelligence programs and platforms, and consulting on enterprise cyber defenses. He is studying at the graduate school of the Department of Information Management at the National Taiwan University of Science and Technology. He also volunteers as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan. He has received many prizes from domestic and international CTFs, as well as bug bounty programs. He has been a speaker at several conferences, including HITCON, BOTNET TW, CODE BLUE and IEEE GCCE.
Historically, incident response has long been considered an approach to managing the aftermath of security breaches once an incident occurs. Many organizations develop an IR process in the hope that nothing will ever happen. However, while the tactics and procedures of threat actors have evolved rapidly and the cost of conducting attacks has become much lower, it is time to realize that “You Will Be Compromised”.
In this talk, we aim to discuss the question “Why is traditional incident response not enough?” We will present a real-world case study showing how we helped an organization in Taiwan mitigate the severe APT attacks from 4 attacker groups it faced over the past 2 years. With this case, we will explain how we transformed the defense mode from passive to proactive, and share our methodology for threat hunting and elimination.
September 11, 2017 13:30-14:10
Jeremy “Birdman” Chiu (Founder, CyCarrier)
Jeremy Chiu (aka Birdman) has more than fifteen years of experience in malware analysis, machine learning and CTI research, focusing on kernel technologies for both the Win32 and Linux platforms. In Taiwan, he is recognized as a very senior anti-malware programmer and an early pioneer in APT research. He and Benson founded Xecure Lab in 2011, providing digital forensics and APT detection solutions; in 2014, Xecure Lab was acquired by the Israeli-American company Verint Systems. For many years, he was a contracted law enforcement instructor at intelligence agencies in Taiwan, and he has frequently given talks at security conferences such as DEFCON, SyScan, HITCON, AVTokyo, HTCIA and OWASP Asia.
We live in a cyber era in which, no matter how secure the defenses are, breaches will occur from time to time. All too often, organizations are thrown into panic, fail to look beneath the surface, hope that a simple security review will fix the problem, and lose evidence while root causes remain undetected. A number of questions need to be addressed as soon as a breach is discovered: 1) when did the breach occur? 2) what data was compromised? 3) who was involved? and lastly 4) how did they do it? The talk will share the common limitations of today’s approaches (overwhelming leads, labor-intensive investigations, inappropriate remediation, lessons never learnt) and what advances should be made to prepare IR professionals for the future of cyber warfare and espionage.
September 11, 2017 11:50-12:30