Andreas Sfakianakis (threatintel.eu, NL)
Andreas is a Cyber Threat Intelligence professional with over fifteen years of experience in cyber security. He focuses on applying threat intelligence and helping organizations manage threats, mostly within the Energy, Technology, and Financial sectors as well as in the European Union’s Agencies and Institutions. Andreas has been contributing to the CTI community since 2012 via public reports and presentations, his blog, his newsletter, and teaching. His utmost goals are the maturing of threat management programs within organizations as well as the embedding of CTI in policy making. Andreas' Twitter handle is @asfakian and his website is threatintel.eu.
March 9, 2020 08:30-10:30, March 9, 2020 10:45-12:30
Stewart Bertram (Digital Shadows, GB)
Stewart K. Bertram is the head of Cyber Threat Intelligence at Elemendar, a start-up focusing on producing AI-driven tools for the CTI analyst. Stewart has worked in the field of intelligence and security for the past 18 years, with experience across the private and public sectors. Starting his career in 2004, in the Intelligence Corps of the British Army, Stewart entered the private sector in 2009 and has held several CTI roles since then. His experience includes product development, service delivery, consulting, and, most recently, management of specialist teams researching the cybercriminal underground and nation-state threat actors.
March 9, 2020 15:45-17:30, March 9, 2020 13:30-15:30
Xander Bouwman (Delft University of Technology, NL)
Is commercial threat intelligence worth the investment? We find that current metrics for assessing quality rely on conceptualizations of CTI that are too narrow to answer this question.
Little public information exists about the commercial market for threat intelligence, making it hard for customers to compare services. Recent studies on metrics have mostly focused on indicator feeds and the properties that make these useful for detection.
However, commercial CTI also includes threat reports, web-based portals, and access to vendor analysts. Customer organizations tell us that they use CTI for more than just the SOC. Although security professionals cite these different use-cases as being valuable to their organizations, they are not easily measured using quantitative metrics.
This talk presents initial results of ongoing research for which we interviewed >15 security professionals. It provides a quick glance at how customers are using commercial CTI in practice and how it is being appreciated in their organizations. The talk explores the way toward understanding value based on a broader conceptualization of CTI than measuring indicator feeds alone.
Xander (@xbouwman) is a PhD candidate at Delft University of Technology. He studies information security from a socio-technical perspective, taking an economics approach in order to understand the incentives that shape the behaviour of attackers and defenders. His work is motivated by opportunities for collaborative security, in which defenders work together and share information in order to reduce asymmetries vis-à-vis attackers. Research topics of interest include: cyber threat intelligence sharing, software vulnerability disclosure, and public-private cooperation for critical infrastructure protection.
March 10, 2020 11:00-11:30
Adam Pennington (MITRE, US)
Deception has become a popular concept in cybersecurity, but are we really fooling adversaries? Honeypots and other technical solutions often don’t align with what real adversaries do. This presentation will examine how we can successfully deceive adversaries by using threat intelligence mapped to MITRE ATT&CK™.
In classical deception planning, intelligence serves a key role in understanding an adversary’s likely beliefs, expectations, and reactions, but this often hasn’t carried over into the cyber realm. In this talk, I’ll show how to bridge that gap and leverage ATT&CK for cyber deception planning. I’ll present a methodology for making decisions on where to focus deception resources based on adversary techniques and how to align deception capabilities with the expectations and visibility of real cyber threat actors. Attendees will learn how they can leverage cyber threat intelligence to deceive their adversaries and gain valuable new intelligence as they do so.
Adam Pennington (@_whatshisface), Principal Cyber Security Engineer, MITRE. Adam is a member of the core ATT&CK team, and collected much of the intelligence leveraged in creating its initial techniques. He has spent much of his 10 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon's Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has published in a number of venues including USENIX Security and ACM Transactions on Information and System Security.
March 11, 2020 11:00-11:30
Anastasios Pingios (Booking.com, NL)
The talk goes through the journey from having no dedicated threat intelligence resources, to having an intelligence-driven organization. We will go through the different phases, key challenges and how to overcome them, as well as how to measure and demonstrate the value and maturity of intelligence-driven security. The goal of this talk is to help you avoid common mistakes in the process of building a threat intelligence function, and later on maturing and expanding it to more areas within your organization and the community.
Anastasios Pingios is a security professional who started on the exploit development and vulnerability research side around 15 years ago and later switched to the defensive side. He holds an M.Sc. in Secure Computing Systems from the University of Hertfordshire and numerous certifications on the subject of intelligence collection and intelligence analysis, and has presented on a wide variety of topics, from unconventional phishing techniques to secure architecture in the cloud and building successful intelligence teams. Currently, Anastasios is Principal Security Engineer at Booking.com, and for the last few years he has been focusing on threat intelligence from a holistic perspective that takes into account all domains instead of just cyber.
March 10, 2020 10:00-10:30
Kimberly Bucholz (Accenture, US), Simon Warren (Accenture, US)
Cyber threat intelligence (CTI) affords companies the ability to establish a proactive security posture through situational awareness and foresight. When a company can leverage cyber threat intelligence correctly, it can BOTH inform cyber security operations, reducing detection and response times, AND inform the broader business. However, far too often CTI is either buried as an operational support function or becomes reactive to various stakeholders’ requirements.
Two of Accenture’s experts will provide insight in order to demonstrate how to effectively build a CTI program from the bottom up and top down. This insight is based on experience working with clients across a wide range of industries and expertise working as CTI practitioners for companies that have adopted CTI best practices.
This presentation will discuss how to operationalize threat intelligence, by walking through a case study in which both experts participated. This case study involved a company with a complex operating environment and challenging threat landscape where CTI was able to become a key driver in cyber security across the company and its broader ecosystem.
Kimberly Bucholz is a member of the Targeted Attacks team at iDefense with Accenture. Kim has more than 11 years of experience in IT, including a Bachelor of Science in Computer Science and Master of Science in Information Security. Since 2011, she has been focused on incident response, threat intelligence, and malware analysis. This focus has included crimeware, as well as targeted threats. Her main areas of interest are in reverse engineering malware and using the information obtained to pivot and find unknown threats.
Simon is a Cyber Defense Engagement Manager in the Accenture Security UK practice. Simon previously built and managed the CTI capability for Accenture Australia. Prior to this, Simon spent 10 years in the army, including special operations. He worked closely with intelligence specialists to operationalise highly classified intelligence in support of national interests.
March 10, 2020 09:15-10:00
Chris O'Brien (EclecticIQ, NL)
The combined knowledge of the cyber security and intelligence community is vast, and yet many teams still work in splendid isolation. This talk will work through an example of an active intrusion set, worked on in separate teams, to show the highs and lows of parallel analysis. We investigate how multiple viewpoints increase intelligence quality but also introduce bias and data complexity, and then show how to solve that with (free) technology.
In this talk we explore the concepts that underpin true intelligence collaboration and describe a means to achieve it using STIX and Elasticsearch. This method applies the core concepts of search (Elasticsearch), provenance (in a git-like way) and data modelling (purist STIX) to produce a truly global and collaborative threat intelligence repository.
Chris is a SANS Cyber Guardian and card-holding structured intelligence diehard. He has worked across public and private sectors as an intrusion analyst, incident responder and CTI specialist. Chris now dedicates his time to enabling practitioners through CTI tooling and structured data modelling.
March 10, 2020 16:45-17:15
James is the Founder and Chief Innovation Officer at Digital Shadows and one of the authors of CBEST, the Bank of England's standard for threat-led penetration testing. He is a member of BCS, IISP and CREST and one of the chairs of the FIRST Cyber Threat Intelligence SIG.
Krassimir Tzvetanov is a graduate student at Purdue University focusing his research on Threat Intelligence, Operational Security Research and Counter-intelligence techniques in the cyber domain. In the recent past Krassimir was a security architect at Fastly, a content delivery network (CDN) designed to accelerate content delivery as well as serve as a WAF and a shield against DDoS attacks. His current focus is on incident response and investigations, threat intelligence and security systems architecture. In the past he worked for hardware vendors like Cisco and A10, focusing on threat research and information exchange, DDoS mitigation features, product security and best security software development practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc., where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo!, Krassimir worked at Google, Inc. as an SRE for two mission-critical systems: the ads database supporting all incoming revenue from ads, and the global authentication system which served all of the company's applications. Krassimir is very active in the security research and investigation community, has a number of contributions to FIRST SIGs, and participates in the Honeynet Project. In addition, Krassimir ran the BayThreat security conference and has contributed to a number of other events like DefCon, where he ran the Radio Communications group, as well as ShmooCon and DC650. Krassimir holds a Bachelor's in Electrical Engineering (Communications) and a Master's in Digital Forensics and Investigations.
March 9, 2020 16:00-17:30
James Chappell (Digital Shadows, GB)
The cybercrime landscape persists, despite now frequent interventions by law enforcement. Still, as markets, forums, and other sources of information continue to persist online, defenders have the ability to use the information being discussed, traded, and harvested to their advantage. How have these interventions from law enforcement changed the behaviours of criminals, and can actionable intelligence still be drawn when criminal groups exhibit an increased awareness that they are being observed? Actionable intelligence can be gained by studying these areas. The goals of this talk are to:
James is the Co-Founder and Chief Innovation Officer at Digital Shadows. He has led teams in InfoSec and Cybersecurity since 1997, working across the private sector and government organizations helping them to understand the technical aspects of information security.
James spent over ten years of his career as a security architect and deputy head of the Information Security profession at BAE Systems Detica; he previously worked at Nortel Networks in the United States. James has always been fascinated by innovative ways of counteracting the growth of crime and fraud in computer networks and developing effective ways of measuring and managing the security big picture. In 2011 this journey led to an exploration of digital footprints, and their impact on the security of the modern business. James is a regular speaker at technology events and cybersecurity conferences across the globe and is regularly quoted in the press.
March 10, 2020 14:30-15:00
Andreas Sfakianakis (threatintel.eu, NL)
In recent years, the CTI discipline has been adopted by organisations worldwide. While CTI’s best practices are still developing, there is a growing need for technology that will serve CTI analysts’ workflows and daily activities. This presentation focuses on the technology enablement aspect within the intelligence cycle of CTI teams. We highlight the technology enablement opportunities for each phase of the CTI cycle (which can be helpful for TIP evaluation). Next, we provide an overview of the current TIP landscape and explore the (vendor-agnostic) limitations that have been identified by researchers and practitioners. Finally, we close the presentation with tangible recommendations related to TIPs for different user groups and key takeaways.
Andreas Sfakianakis is a Cyber Threat Intelligence and Incident Response professional and is currently working for Royal Dutch Shell. He is also a member of ENISA’s Threat Landscape Stakeholders’ Group and author of the report "Exploring the opportunities and limitations of current Threat Intelligence Platforms". He has contributed to a number of ENISA deliverables and was one of the CTI instructors during the ENISA Summer School 2018. In the past, Andreas has been a Senior CTI Analyst at Lloyds Banking Group and an external reviewer for the European Commission. Andreas' Twitter handle is @asfakian and his website is www.threatintel.eu.
March 10, 2020 15:30-16:00
John Stoner (Splunk, US)
No, this isn't a tale about an impending downward spiral or a fictional story with the classic conflict of man versus self. This is an opportunity to share with you how I created an adversary based on CTI and the MITRE ATT&CK framework that we are using to educate blue teamers to be more effective at hunting threats and conducting security operations!
During this talk, we will look at why we perform adversary emulations, how our adversary was constructed and how CTI-reported TTPs were leveraged to create a realistic scenario for our adversary to carry out their attack. We will look at how a framework like MITRE ATT&CK can be used to help develop the scenario, as well as how it can be used post-attack to understand technique coverage across an organization. We will also talk about the challenges encountered along the way when constructing the scenario.
Coming out of this talk, you will have a better understanding of what it takes to create your own adversary, a better appreciation around the symbiotic relationship between threat hunting, security operations and threat intelligence as well as a model to create your own APT scenarios if you wish!
John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that focus on enhancing these specific security skills. His writings can be found on Splunk blogs, most notably in the Hunting with Splunk: The Basics and Dear Buttercup: The Security Letters series. John developed and maintains a Splunk application that drives greater situational awareness and streamlines investigations. He enjoys problem solving, writing and educating. When not doing cyber things, John is often found reading or binge-watching TV series that everyone else has already seen. During the fall and winter, you can find him driving his boys to hockey rinks across the northeast part of the United States. John also enjoys listening to what his teammates call "80s sad-timey music."
March 11, 2020 13:30-14:15
Derek Thomas (Target, US), Michael Schwartz (Target, US)
Derek Thomas is a senior information security analyst on Target Corporation’s Cyber Threat Intelligence (CTI) team in Brooklyn Park, Minnesota. After graduating college, Derek joined the US Army as an active duty intelligence officer, where he developed a passion for intelligence analysis. After the military he worked as a contractor in Washington, D.C., supporting the FBI Cyber Division as a cyber intelligence analyst by producing strategic written products and assisting with law enforcement’s pursuit of financially motivated cybercriminals. Derek has since earned a variety of cybersecurity certifications and his Master’s in homeland security from Penn State, and chose to join Target’s CTI team in March 2018. He currently lives in the suburbs of Minneapolis with his wife and golden retriever.
Michael has nearly 20 years of experience in nearly all aspects of IT and then some. He began his career working Help Desk through High School and College and eventually turned that knowledge into his first full-time position with McKinley Associates in Ann Arbor, MI as a Support Specialist. Later he worked as a Systems Engineer and Field Support Engineer for government contractors. Michael eventually landed his dream job with the FBI as an Intelligence Analyst where he was involved in Counterterrorism and Cybersecurity matters. Michael returned to the public sector with Lookout as an Android malware reverse engineer and figures he has finally settled down in Minneapolis, MN with Target as the Director of Threat Intelligence Detection Engineering.
Michael holds a BA in Political Science from the University of Michigan, an MS in Defense and Strategic Studies from Missouri State, and an MS in Computer Science from the University of Illinois – Springfield.
March 9, 2020 10:45-12:30, March 9, 2020 08:30-10:30, March 9, 2020 13:30-15:30, March 9, 2020 15:45-17:30
Enrique Vaamonde (Tekium, MX), Matt Bromiley (FireEye, US)
Latin America is often overlooked when it comes to all things "cyber", as most of the security issues making headlines seem related to drug trafficking and illegal immigration. However, this region is both a hotbed for cybercrime techniques and an attractive (and lucrative!) sandbox for state-nexus groups crafting sophisticated attacks, mostly targeted against financial institutions. This results in a rich landscape for observing and crafting extremely detailed cyber threat intelligence on some of the world’s most pervasive threat actors.
In this talk, we’re going to examine that rich landscape of threat activity and explore some of the most significant attacks in recent history. Via analysis of hands-on incident response and first-person incident exposure, we’ll take a look at the actors that have plagued this region. Furthermore, we’ll show how many of the TTPs in our incidents are mirrored elsewhere in the world, often amongst higher-profile breaches, proving that threat actors have no qualms about crossing international lines.
March 10, 2020 11:30-12:15
John Bambenek (Bambenek Consulting, LTD., US)
Machine learning is touted as a way for security teams to reduce their workload by creating smart systems that can do the work of analysts quickly so humans can focus on those things that truly require human analysis. This talk will cover a new machine learning tool called MalDomainML that uses a machine learning model produced using extracted DNS features to reliably (over 96% accuracy) predict whether an arbitrary domain is malicious.
John Bambenek is VP of Security Research and Intelligence at ThreatSTOP, a lecturer in the Department of Computer Science at the University of Illinois at Urbana-Champaign, and a handler with the SANS Internet Storm Centre. He has over 18 years' experience in Information Security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He currently tracks neo-Nazi fundraising via cryptocurrency and publishes that online on Twitter, and has other monitoring solutions for cryptocurrency activity. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He has produced some of the largest bodies of open-source intelligence, used by thousands of entities across the world.
March 11, 2020 10:00-10:30
Jörg Abraham (EclecticIQ, NL), Sergey Polzunov (EclecticIQ, NL)
Natural Language Generation (NLG) is the process of transforming structured data into narratives. Contrary to Natural Language Processing (NLP) that reads and analyses textual data to derive analytic insights, NLG composes synthesized text through analysis of pre-defined structured data. NLG is more than the process of rendering data into a language that sounds natural to humans. It can play a vital role in uncovering valuable insights from massive datasets (big data) through automated forms of analysis.
Adoption of NLG in other verticals has increased in recent years, yet applications of NLG technology in the Cyber Threat Intelligence (CTI) domain are sparse. On one hand, intelligence teams accumulate millions of pieces of information generated by security controls or obtained from intelligence sources. On the other hand, the intelligence product is often a narrative report written by an analyst. With the influx of data, intelligence teams are confronted with challenges pertaining to data assessment and analysis and to the (near-) real-time creation of intelligence products targeted at the right audience, all while operating at scale and with accuracy.
We believe that the potential of NLG is vastly unexplored in CTI and want to share our research and a proof-of-concept tool demonstrating the potential value of NLG.
Mr. Jörg Abraham is a Senior Threat Intelligence Analyst in the EclecticIQ Fusion Center. He is responsible for analyzing cyber threats and providing accurate, timely and structured intelligence relevant to EclecticIQ's customers. Before joining EclecticIQ he worked for Royal Dutch Shell for more than 10 years in various Cyber Defense positions. Mr. Jörg Abraham is a Certified Information Systems Security Professional (CISSP) and GIAC Certified Forensic Analyst (GCFA).
Sergey Polzunov is a Senior Software Engineer in the EclecticIQ Intelligence Operations department. He is responsible for prototyping analyst-centric tools and for extending the Fusion Center Threat Intelligence Platform with new features. He is the author of the OpenTAXII server and the Stixview library, and has more than 10 years of software development experience.
March 11, 2020 09:30-10:00
Gijs Rijnders (Tesorion, NL)
Gijs is a malware researcher at Tesorion in the Netherlands. He also works for the Tesorion CERT team, helping to contain cyber security incidents in organizations. His interests are reverse engineering, threat intelligence and network security. Gijs holds a master's degree in computer science from the Eindhoven University of Technology, and in his free time he enjoys going to the gym, DIY around the house and traveling.
March 9, 2020 08:30-10:30, March 9, 2020 10:45-12:30
Krassimir Tzvetanov (Purdue University, US)
Krassimir Tzvetanov has worked for hardware vendors like Cisco and A10, focusing on threat research, DDoS mitigation features, product security and best security software development practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc., where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo!, Krassimir worked at Google, Inc. as an SRE for two mission-critical systems: the ads database supporting all incoming revenue from ads, and the global authentication system which served all of the company's applications.
Krassimir has established a couple of Threat Intelligence programs at past employers and has been actively involved in the security community, facilitating information exchange in large groups.
Currently Krassimir is a co-chair and co-founder of the FIRST CTI SIG.
Before retiring, he was a department lead for DefCon and an organizer of the premier Bay Area security event BayThreat. In the past he was also an organizer of DC650, a local Bay Area security meetup.
Krassimir holds a Bachelor's in Electrical Engineering (Communications) and a Master's in Digital Forensics and Investigations.
March 9, 2020 13:30-16:00
Valentine Legoy (University of Twente, NL)
Threat intelligence sharing has been expanding during the last few years, giving us access to a large amount of open data. Unfortunately, this is usually provided as unstructured, human-readable cyber threat reports, and important information such as attack tactics, techniques and procedures is hidden within the text. Done manually, the analysis of such reports requires time and effort. To support this analysis, we created rcATT, an open-source tool which automatically classifies cyber threat reports according to MITRE’s Enterprise ATT&CK tactics and techniques. In this talk, we present the tool and show how we were able to solve the challenges of hierarchical multi-label text classification of cyber threat reports with access to only a limited amount of labeled data. Finally, we demonstrate how rcATT performs on publicly available cyber threat reports and how to take advantage of the classification results.
Valentine is a student at the University of Twente. After obtaining a bachelor's degree with a focus on artificial intelligence, she joined the EIT Digital Master School's Security and Privacy programme in 2017. She is particularly interested in automating cybersecurity processes to facilitate the work of security professionals and in developing tools to educate people on cybersecurity.
March 11, 2020 11:30-12:00
Mayo Yamasaki (NTT-CERT, JP)
Understanding threat intelligence is not an easy task for threat analysts, even when it is structured. Therefore, many methods to automatically visualize the structure of threat intelligence have been proposed. However, these methods rely on visualization techniques developed for the general domain in order to support a wide variety of use cases for analyzing threat intelligence. This talk introduces a novel visualization method for threat reports, based on simple observations obtained from a study of the threat diagram characteristics of actual threat reports. Because a threat report is a reasonable bundle of intelligence and one of the most common ways to share it, the method captures these characteristics and visualizes graph-structured STIX 2 as a concise overview of the threat structure. This talk also demonstrates the utility of the method by visualizing actual threat reports gathered from the ATT&CK knowledge base.
Mayo Yamasaki is a researcher at NTT Secure Platform Laboratories and also a member of NTT-CERT in Japan since 2015. He studied information science and natural language processing at NAIST (Nara Institute of Science and Technology). Since he joined NTT he’s been researching and developing software systems for cybersecurity-related information extraction and retrieval with machine learning.
March 11, 2020 12:00-12:30
Jack Simpson (PwC, GB)
While conducting analysis on a malware family called Chinoxy, PwC identified infrastructure that enabled us to discover multiple long-term, persistent campaigns. As part of our analysis, we mapped the activity to four separate threat actors, in part through their observed use of the Chinoxy and Droma/Agent.NJK malware families. Our analysis revealed that the attackers were targeting intelligence agencies, governmental organisations and education research institutions.
In this talk, I will examine the campaigns using these shared malware families, which have largely gone unreported, as well as reveal some of the historical victimology and sectors targeted by these campaigns. I will cover some of the changes to the malware over time, likely made to evade detection, and show how a framework like MITRE ATT&CK can be applied to enhance a defender’s ability to still detect the tools, techniques and procedures (TTPs).
This talk will highlight how gaining a deep understanding of threat actors' TTPs can enhance an organisation's ability to better defend against the threats it faces. It will provide a practical application of how applying the MITRE ATT&CK framework to a particular set of threat actors' TTPs can ensure that, even where those threat actors make changes to their approach, a full understanding of the relevant detection techniques can support defence.
Jack Simpson (@linkcabin) is a senior threat intelligence analyst for PwC's threat intelligence team with a focus on the APAC region. Jack enjoys reverse engineering and malware analysis and is primarily responsible for tracking APTs and reporting on them to PwC's threat intelligence customer base.
March 11, 2020 16:00-16:30
Sebastien Tricaud (Devo Inc., US)
Sighting is a method to keep track of how many times something has been seen. This is particularly useful for indicators, and especially so if Sightings are not limited to indicators. This presentation is very use-case oriented, covering our own use of and feedback on SightingDB in MISP. Do you think TTPs always fall in the tough category? Can anyone enrich threat data by just counting? This talk will share our experience as a vendor, a MISP Standard contributor (sightingdb) and also our integration in the MISP software. This is also an opportunity to interact with and learn from the audience to improve the SightingDB standard (https://www.misp-standard.org/rfc/sightingdb-format.txt).
Sebastien is Director of Security Engineering at Devo. He lives in San Francisco, and when he is not hiking or playing the jazz flute, he loves to work in the Detection field of Computer Science. He is the lead developer of Faup, the first URL parser (!!), a contributor to MISP, a former developer of Linux PAM, and the author of other tools that can be useful for analysts. He has spoken at USENIX, CanSecWest, Hack.lu and FIRST in order to share and learn from amazing people.
March 11, 2020 09:00-09:30
Charlie Cullen (CrowdStrike, US)
On November 28th, 2018, the U.S. Justice Department indicted two Iranian nationals for their role in developing and deploying the Samsam ransomware over a 3-year campaign netting over $6 million. Up until now, little reporting or information has existed about the origins of these actors or the motivations behind their attacks. However, research into their backgrounds revealed them to be seasoned threat actors with deep ties to Iran’s national security establishment, including personal ties to the Islamic Revolutionary Guard Corps (IRGC) and IRGC-affiliated actors also indicted for their role in disruptive cyber attacks against the U.S.
This presentation will trace the origins of these individuals, their ties to other threat actors, and use of tools, previously employed in disruptive attacks, during the Samsam campaign. It will feature an in-depth review of investigative practices used to trace back the operators’ past activities despite high levels of operational security. Their own commentary on participating in Samsam, military ties, and ideological backgrounds will also be examined in light of what was ostensibly a financially-motivated campaign. Ultimately, this talk also seeks to highlight how deep-dive research into individual actors’ past activities can help unearth involvement in emerging threats.
Charlie Cullen works as an intelligence analyst for CrowdStrike focused on the Middle East. Prior to this, he served as a deputy team lead and head of Middle East research at Dataminr in addition to a variety of past roles focused on the region specializing in threat analysis, translation, and investigations. He is fluent in Arabic and maintains advanced proficiency in Farsi and Spanish.
March 10, 2020 14:00-14:30
Allison Wikoff (SecureWorks, US)
Recent indictments and public reporting have highlighted the complex organization of Iranian cyber operations. This talk will cover some of the attribution challenges Secureworks has been presented with through case studies of observed Iranian cyber activity.
Allison Wikoff is a senior intelligence analyst and security researcher for the Secureworks Counter Threat Unit (CTU) research team with over 15 years of experience in incident response and threat intelligence. Allison performs focused research with the goal of creating countermeasures and strategic intelligence products for Secureworks clients. Specifically, Allison leads Secureworks research efforts around the cyber threat as it stems from Iran and is widely considered an industry expert on this topic, regularly representing Secureworks’ view of Iranian cyber activity in the media. She holds numerous industry certifications and frequently guest lectures for several information security-focused graduate courses.
March 10, 2020 13:30-14:00
Alexandre Dulaunoy (CIRCL, LU), Andras Iklody (CIRCL, LU)
As we, the CSIRT community, mature, our need for the ability to extract more value and context from our data becomes more and more vital. MISP has been gradually expanded to reflect these needs, by incorporating features that ease indicator life cycle management, contextualisation and management of threat intelligence, collaboration, and the filtered feeding of our collected data to our various protective tools. This talk aims to highlight some of the techniques we use via the platform.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to learn how the thing works. While pursuing his logical path towards information security and free software, he worked as a senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and a member of the MISP core team.
March 10, 2020 16:00-16:45
Gert-Jan Bruggink (Falconforce, NL)
Have you ever thought about what would happen if you could compare the adversaries targeting your organization with how well you are doing? Understanding the objectives of adversaries would certainly help you invest resources in the right controls and countermeasures, right? In this talk we will break down how you can leverage red teaming to complement your cyber threat intelligence activities. When developing your adversary tracking mechanism, regardless of your security maturity, one of the most resource-effective ways to do so is to focus on the ‘how do they do it’, or in other words their playbooks. When combining the trade of cyber threat intelligence with red teaming, we get the opportunity to incorporate red team data into our adversary playbooks. When a red team is pursuing a certain goal and simulating a specific adversary playbook, an organization can use the data and results to understand how far the real adversary would get and where to increase defences. Armed with these playbooks, your defensive teams can more effectively connect the dots from observed activities in your environment. Your detection and incident response teams can also more efficiently understand what adversaries do and what their TTPs look like if they are active in the network, or even utilize automated adversary data sets for continuous validation. Finally, one can use this understanding to benchmark the strategic investments of the security program. There’s just one thing: this is not easy.
Gert-Jan is a security specialist and researcher with over 10 years of information security experience at the crossing of offense, defense, and strategic risk management. Gert-Jan’s primary role at FalconForce is to assist leaders in making informed decisions by utilizing cyber threat intelligence. In addition to that, he helps those leaders implement relevant and sustainable cyber defenses through strategic change. Before co-founding FalconForce, Gert-Jan led a CTI team specialized in strategic and operational intelligence products, cyber-reconnaissance, and CTI enablement. When he wasn’t working on that, he was probably supporting organizations in augmenting cyber transformation programs or security operations.
March 11, 2020 14:15-14:45
Brittany Ash (Palo Alto Networks, Unit 42, US), Robert Falcone (Palo Alto Networks, Unit 42, US)
In threat research, we rarely get to see the interests of the actors involved come to the surface; however, this past year we observed tools used in targeted attacks that were named after objects and characters from popular anime series. This talk will discuss the targeted attacks that we tracked in what we call the xHunt Campaign, which targeted Kuwaiti organizations in 2018 and 2019 and involved tools that were clearly named after persons and objects from Hunter x Hunter and Samurai X. We will dive into the attacks they carried out, including the actor's development activities, initial attack vectors, toolset, and some novel command and control mechanisms used in these attacks. We will also discuss the threat actor's cheat sheet, which gave us unprecedented insight into the activities the actors would carry out after gaining access to the targeted system and network.
Brittany is a Cyber Threat Intelligence Analyst with Palo Alto Networks' Unit 42 team. She is responsible for the collection, analysis, and production of intelligence on adversaries targeting organizations around the world. Her background spans over 10 years supporting many disciplines in both the private and public sectors, including Cyber Threat Intelligence, Network Defense Architecture Engineering, Cyber Operations Planning, Business Continuity, IT Disaster Recovery, and Whole-of-Organization security assessments.
Robert is a Threat Researcher on Palo Alto Networks' Unit 42 team who has spent over 10 years focusing on malware analysis, reverse engineering, and tracking threat actors, primarily those associated with cyber espionage and targeted attacks. He has also worked as a security engineer within an operations center for a managed security service focused on intrusion detection and prevention.
March 11, 2020 15:15-16:00