Ryosuke Nomoto (Cyber Emergency Center)
Mr. Ryosuke Nomoto was graduated from Kyushu Institute ofTechnology (Iizuka, Fukuoka) and now is working in Cyber Emergency Center, Forensics/Log analyst at LAC/LACERT team. He is focusing his research into on-going intrusion for systems he monitored in ASPAC area.
Since pandemic era where VPN becomes more in usage, it has been monitored intrusion activities into VPN Router system exploited a specific vulnerability, allowing the attacker to gain root privileges by rewriting the system files to tamper the VPN access to conduct further malicious operation.This presentation is a model to understand such threat that is condensed with information explaining the " how, whom, when and what for" such exploitation has been conducted, for all of us to learn the better way to mitigate such incident to happen in the future.
An awareness of network intrusion aiming VPN router vulnerability
September 16, 2024 09:00-09:30
Ryosuke-Nomoto-Webminar-Intrusion-VPN-Router.pdf
MD5: 8f928d018741b93246a3e81bcd9f196a
Format: application/pdf
Last Update: September 16th, 2024
Size: 1.23 Mb
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)
Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research Senior at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
Attacks On Infrastructure During Cyber Conflicts
February 16, 2024 11:30-17:00
Philippe Lin (Senior Threat Researcher)
Philippe Lin is a senior threat researcher with Trend Micro. He was into big data analysis, machine learning, NLP, SDR and all sorts of nerdy things.
In this talk Phillipe shares how to setup Telegram in a Docker container and automate channel scraping.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
Everyday work with OSINT and Telegram
September 16, 2024 09:30-10:00
Aaron KaplanAaron Kaplan (EC-DIGIT-CSIRC, AT)
Aaron Kaplan studied computer sciences and mathematics in Vienna, Austria Since 2008 he works at CERT.at. The, he is (next to Tomas Lima (ex-CERT.pt)) one of the main architects of IntelMQ and the whole approach of incident handling automation at CERT.at. Aaron is proud to have served FIRST.org as member of the board of directors between 2014 and 2018. He also is a regular speaker at IT security conferences. He is founder of Funkfeuer.at - a wireless mesh network covering the whole city of Vienna and beyond. Currently he looks at data science driven approaches to IT security.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
How to summarize CTI reports
July 13, 2023 11:30-18:45
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)
Dr. Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research Senior at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
Fyodor explores the evolution of tools designed to influence public opinion, focusing on physical devices that can shape perception, such as IoT cameras, vehicle telematics, and various other systems.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
IoT Hacks - Unexpected Angles of Human Process Compromises
November 13, 2024 17:20-18:00
Jason LancasterJason Lancaster (SpyCloud)
Jason Lancaster is Senior Vice President, Sales Engineering and Investigations at SpyCloud. He began his career performing pen testing, designing and implementing secure network infrastructures. First as a government contractor and then at a Fortune 500 healthcare company. In 2003, he joined TippingPoint where he held several roles including SE Director. TippingPoint was acquired by 3Com in 2005 and later by HP in 2010.
At HP, Jason ran a cross-functional team as Director with the Office of Advanced Technology. In 2013, Jason co-founded HP Field Intelligence, as part of the Security Research organization, delivering actionable threat intelligence to a wide audience.
Jason spent 15 months at a cloud security start-up CloudPassage prior to joining SpyCloud, where he leads the Investigations and Sales Engineering teams.
This talk introduces Jupyter Notebook as an analytic platform for OSINT investigations. Pandas dataframes and built-in methods allow for importing many data types from many different sources. Methods for cleaning and normalizing data for analysis are discussed. Details of how to analyze, visualize, and develop intelligence from open source data are presented in an easy to consume way. This provides the building blocks to capture investigative methodology and scale for great efficiency. Jupyter notebook allows analysts to capture their methods, document processes, and produce results that are easy to understand.
Jupyter Notebook for Link Analysis in OSINT
September 20, 2023 11:30-17:00
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
For the past five years Krassimir Tzvetanov has been a graduate student at Purdue University focusing on Homeland Security, Threat Intelligence, Operational Security and Influence Operations, in the cyber domain. Before that, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research. Previously he worked for companies like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation, product security. Before that Krassimir held several operational (SRE) and security positions at companies like Google and Yahoo! And Cisco. Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He is also a co-founder and ran the BayThreat security conference, and has volunteered in different roles at DefCon, ShmooCon, and DC650. Krassimir holds Bachelors in Electrical Engineering (Communications), Masters in Digital Forensics and Investigations, and Masters in Homeland security.
Overview: In this presentation the author goes over the building blocks of Influence Operations using mass and social media. It covers subjects such as hypodermic needle model, two-step flow of information, gatekeeping, agenda-setting, priming, framing, spiral of silence, echo chambers and cultivation.
In addition, it looks at some of the larger scale operations focused on subversion.
Media Effects Used in Influence Operations (part 1)
October 17, 2024 09:00-09:50
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)
Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research Senior at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
Understanding Criminal Business Behind Supply Chain Attacks on Android
February 16, 2024 11:30-17:00
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)
Dr. Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research Senior at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
Fyodor Yarochkin discusses the evolving landscape of cybercrime, particularly the shift from traditional bulletproof hosting services to residential proxies. Researchers, including himself, have noted a growing caution in discussing these entities publicly. Residential proxies are easier and cheaper to maintain and present more complex challenges for defenders because they complicate traffic filtering.
Yarochkin has created a framework, termed a "residential proxy honeypot," to analyze traffic patterns from these proxies. He emphasizes the importance of understanding how these networks operate to effectively monitor and mitigate abuses.
He notes that the residential proxy ecosystem is diverse, featuring numerous small providers alongside larger companies, and highlights the varied marketing strategies used, including black hat forums and Telegram channels. The languages supported by proxy providers often reflect their target customer bases.
Finally, he concludes that there are no truly "good" residential proxy providers, as they all facilitate the bypassing of restrictions, raising ethical concerns about their operations.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
Use and abuse of residential proxy networks
September 25, 2024 09:00-09:30
David DurvauxAaron KaplanEmilien Le Jamtel (CERT-EU, BE), David Durvaux (European Commission, BE), Aaron Kaplan (EC-DIGIT-CSIRC, AT)
Emilien Le Jamtel is a cyber security expert since 15 years. After building its technical skill in offensive security, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to the Digital Forensics and Incident Response team. Since 2021, Emilien is now leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff. Emilien is a regular speaker at IT Security conferences such as FIRST, hack.lu, Botconf or NorthSec.
David Durvaux owns a master in applied sciences in computer sciences ("Ingénieur Civil informaticien") from the Université Catholique de Louvain (UCL) with an orientation in computer networks, distributed applications and security. David is now working for CERT.be as Security Analyst and is a contributor to the AbuseHelper open-source project.
Aaron Kaplan studied computer sciences and mathematics in Vienna, Austria Since 2008 he works at CERT.at. The, he is (next to Tomas Lima (ex-CERT.pt)) one of the main architects of IntelMQ and the whole approach of incident handling automation at CERT.at. Aaron is proud to have served FIRST.org as member of the board of directors between 2014 and 2018. He also is a regular speaker at IT security conferences. He is founder of Funkfeuer.at - a wireless mesh network covering the whole city of Vienna and beyond. Currently he looks at data science driven approaches to IT security.
Using Apple Sysdiagnose for Forensics and Integrity Check
July 24, 2023 08:30-10:45
Dr. Serge DrozDr. Serge Droz (FIRST / FDFA, CH)
Serge Droz is a senior IT-Security expert and seasoned incident responder. After more than twenty years work in different CSIRTs he now works as a senior adviser for the Swiss FDFA. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. He has worked in private industry and academia in Switzerland and Canada in different security roles as well as at the national CERT in Switzerland.
Serge is a member of the board of directors of FIRST (Forum for Incident Response and Security Teams), the premier organisation of recognised global leaders in incident response. In this role he actively participates in discussion relating to cyber security at various policy bodies, in particular related to norm building.
Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.
Today incident response often involves analyzing large amounts of data (think log files, output of forensic analysis). Some of the analysis will be repetitive, some will be specific to the incident.
Modern data analysis tools allow conducting this work efficiently and in a documented manner. Jupyter Notebooks using the pandas framework are popular among data scientists but not so much in the security community. We try to change the latter.
In this talk we present a basic intro into Jupyter and pandas, illustrating this with real live examples.
Links:
Using Jupyter Notebook for Incident Response
August 28, 2023 09:00-10:30
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
For the past five years Krassimir Tzvetanov has been a graduate student at Purdue University focusing on Homeland Security, Threat Intelligence, Operational Security and Influence Operations, in the cyber domain.Before that, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research. Previously he worked for companies like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation, product security. Before that Krassimir held several operational (SRE) and security positions at companies like Google and Yahoo! And Cisco. Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He is also a co-founder and ran the BayThreat security conference, and has volunteered in different roles at DefCon, ShmooCon, and DC650. Krassimir holds Bachelors in Electrical Engineering (Communications), Masters in Digital Forensics and Investigations, and Masters in Homeland security.
What defines the field of Cyber Threat Intelligence and its disciplines?
July 1, 2024 08:00-08:30