- USTLP:CLEAR
14 Questions Are All You Need
Carson ZimmermanCarson Zimmerman (Ardalyst, US)
Carson Zimmerman has been working in and around security operations centers (SOCs) and CSIRTs for over 20 years. In his current role at Ardalyst, Carson helps clients transform uncertainty into understanding in their digital landscape. In his previous role at Microsoft, Carson led the investigations team responsible for defending the M365 platform and ecosystem. His experiences as a SOC analyst, engineer, architect, and manager led Carson to author Ten Strategies of a World-Class Cybersecurity Operations Center, and co-authored its second edition, Eleven Strategies… which may be downloaded for free at mitre.org/11Strategies.
How is your SOC or CSIRT doing, really? It’s easy to become lost in compliance and regulatory requirements soup. There are plenty of respected consultancies that will perform multi-month SOC assessments. A quick Internet search yields several SOC capability maturity models. And yet, a one-hour conversation with a SOC veteran will yield a gut sense of how a SOC is doing on its journey, and where investments are needed. What if SOCs had a lighter weight method that identifies key strengths and weaknesses: one can be done in an afternoon, or more than twice a year? In this talk, Carson Zimmerman will challenge your thinking about how to measure and drive SOC effectiveness. He will present 14 key indicators of performance, that survey not only how the SOC is doing at a given point of time, but also how well growth and improvement are baked into the SOC culture.
- USTLP:CLEAR
A Recipe for Improving SecOps Detections: Take Three Security Controls, add a Tablespoon of Threat Intelligence, and Let it Rise
John StonerJohn Stoner (Google Cloud, US)
John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST (CTI, Tech Colloquium), BSides (SF, Las Vegas), SANS Summits (DFIR, Threat Hunting, Cloud and SIEM), WiCyS, Way West Hacking Fest and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
OK, it’s not that simple, but this talk is designed to identify a prescriptive approach to building detections. Purple teaming, adversary simulation/emulation and automated red teaming are all intended to help defenders to be better prepared. The problem is that these are more initiatives that many of us don’t have the time to undergo with all of the other requirements thrown at us.At the heart of these initiatives is the desire to help organizations build better detections that can handle threats more effectively. Rather than tie ourselves into knots around questions like “is it better to emulate or simulate or run an automated red team”, we need to focus on determining the threats that we need to detect in our environments that align with the actors targeting us.This talk provides attendees with a methodology around testing and validating detections to drive rule development in security operations. Testing cannot take place in a vacuum and should be executed in a representative target environment that includes an organization’s telemetry (EDR/sysmon, NDR/Zeek, for example). We will also examine the role that threat intelligence plays in determining how to prioritize and focus our detection development to the most relevant threats for an organization.This methodology should evolve into an on-going cycle and we will discuss how this ensures rules will continue to function with an added bonus of identifying if data is being ingested and normalized as expected. Finally we will walk through an example that applies this methodology.
- AUTLP:CLEAR
AI Security Bootcamp - A Practical Guide On Securing AI Systems
Vishal ThakurVishal Thakur (TikTok USDS, AU)
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specializing in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. He has presented his research at international conferences (BlackHat, DEFCON, FIRST, SANS DFIR Summit) and has also run training/workshops at BlackHat and FIRST Conference. Vishal is currently working as Senior Director, Cyber Fusion Center at TikTok USDS. In past roles, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Centre with advanced threat analysis and developing DFIR tools and has been a part of the Incident Response team at the Commonwealth Bank of Australia. For past few years, Vishal has been involved in ML and AI security and has been researching this subject.
Join our immersive AI Cybersecurity Workshop where participants will learn to build and secure a virtual lab for hands-on practice in protecting AI systems. Delve into the creation of realistic datasets and AI models, essential for simulating cyber threats. Explore the intricacies of injecting anomalies, introducing adversarial attacks, and labeling data for supervised learning scenarios. Gain insights into leveraging pre-existing models, custom model creation, and developing adversarial models for comprehensive security testing. The workshop guides participants in crafting detailed security scenarios, defining use cases, and understanding data flow to simulate real-world AI cybersecurity challenges. Through practical exercises, attendees will master techniques to safeguard AI systems, evaluate defense measures, and hone incident response skills. Elevate your expertise in AI cybersecurity through this dynamic workshop, equipping you to tackle evolving threats in the rapidly advancing landscape of artificial intelligence.
Attendee Training Requirements:
Hardware Requirements:
-
Computer. Participants should have a personal computer or laptop with sufficient processing power and memory to run virtualization software and AI frameworks.
-
Memory (RAM):
A minimum of 8GB RAM is recommended to ensure smooth operation of virtual machines and AI development environments.
-
Storage:
Adequate free storage space to accommodate virtual machines, datasets, and AI models.
-
Processor:
A multicore processor (dual-core or higher) to handle the computational demands of AI model training and virtualization.
Software Requirements:
-
Virtualization Software:
Participants should install virtualization software such as VirtualBox, VMware (preferred), or Hyper-V before the workshop. This will be used to create and manage virtual machines for the lab exercises.
-
AI Frameworks:
Install TensorFlow (instructions will be provided), as well as any other libraries or tools required for model creation and training.
-
Programming Language:
Proficiency in a programming language commonly used in AI development, such as Python, is essential for working with AI frameworks.
-
Security Tools:
Some tools will be required (details and instructions will be provided)
-
Notebook/IDE:
Participants should have a code editor or integrated development environment (IDE) installed for working on AI model scripts and scenarios.
-
Browser:
An up-to-date web browser for accessing online resources, documentation, and collaborative tools used during the workshop.
-
Administrative Access:
Participants may need administrative access to their computers to install and configure software, especially virtualization tools.
-
Document Viewer:
A PDF viewer or document reader for accessing workshop materials, instructions, and resources.
An awareness of network intrusion aiming VPN router vulnerability
Ryosuke Nomoto (Cyber Emergency Center)
Mr. Ryosuke Nomoto was graduated from Kyushu Institute ofTechnology (Iizuka, Fukuoka) and now is working in Cyber Emergency Center, Forensics/Log analyst at LAC/LACERT team. He is focusing his research into on-going intrusion for systems he monitored in ASPAC area.
Since pandemic era where VPN becomes more in usage, it has been monitored intrusion activities into VPN Router system exploited a specific vulnerability, allowing the attacker to gain root privileges by rewriting the system files to tamper the VPN access to conduct further malicious operation.This presentation is a model to understand such threat that is condensed with information explaining the " how, whom, when and what for" such exploitation has been conducted, for all of us to learn the better way to mitigate such incident to happen in the future.
An awareness of network intrusion aiming VPN router vulnerability
September 16, 2024 09:00-09:30
- PLTLP:CLEAR
Blueprint for Maturity: Crafting a Tailored Cyber Threat Intelligence Maturity Model
Kiraga SlawekKiraga Slawek (Standard Chartered Bank, PL)
Working in various intelligence organizations has allowed me to understand the multitude of factors that influence the final production of intelligence satisfying customer needs. However, are all of them equally important? Which ones should we select and focus on when starting our Cyber Threat Intelligence (CTI) program from scratch? Given the abundance of factors, how can we structure them into an achievable action plan that will enable us to build intelligence optimally aligned with our stakeholders' needs?
For the last 15 years, I’ve worked in the world of intelligence. Thanks to being in different roles as an intelligence collector, intelligence analyst, and program or team leader, I’ve had a chance to understand different aspects of CTI. Being responsible for the design and delivery of intelligence products for various kinds of customers (from governmental to corporate), gave me a unique chance to integrate cyber threat intelligence efforts with customers’ needs in different organizations and cultures.
- USTLP:CLEAR
Building up a PSIRT Team for an Open Source Project: Lessons Learned from Zephyr
Kate StewartKate Stewart (Linux Foundation, US)
Kate Stewart works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. Kate was one of the founders of SPDX, and is currently one of the technical working group leads. She is also the co-lead for the CISA SBOM tooling working group, and the OpenSSF SBOM everywhere SIG. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects, as well as supporting other embedded projects. With over 30 years of experience in the software industry, she has held a variety of roles and worked as a developer in Canada, Australia, and the US. For the last 20 years has worked with software development teams in the US, Canada, UK, India, and China contributing upstream to opensource.
When the Zephyr project (https://zephyrproject.org/) launched in 2016, one of the goals was to apply known security best practices to make the S in IoT actually mean something. This talk will go through the journey of the last 8 years of applying known best security practices to an open source project, including becoming a CVE Numbering Authority, and forming a PSIRT team from volunteers from different companies. Along the way we had to adjust embargo policies due to a bulk vulnerability report, in addition to the occasional vulnerability reported from the community.
- AUTLP:CLEAR
Dave MatthewsDave Matthews (Gen Digital, AU)
After getting his PhD in Mathematics, Dave spent the next 25 years consulting for the Australian Government, primarily working with Defence, Intel and Law Enforcement, before moving to CrowdStrike, and Gen Digital (which is formed from the merger of Avira, Avast and NortonLifelock). He has continually worked in Incident Response and Forensics and has had the privilege of helping people while they are having their worst days at work. He has experience with all flavours of cybersecurity - ranging from attack and defence to incident response as well as security capability development. He is particularly passionate about digital forensics and incident response, helping people prevent and recover from attacks.When he's not working or learning something new, Dave loves spending time with his family and their puppy, Rufus!
This presentation, 'Collaboratively Caring and Securely Sharing', describes situations where sharing Intel would greatly help others. The talk initially discusses forms of Intelligence that are valuable and worth promptly communicating. Examples of how this lack of sharing prevents rapid response to incidents and, in many cases, allows threat actors time to achieve their objectives.Common reasons that prevent sharing are discussed to highlight problems and to show how secure collaboration can help. For example, your organisation might have suffered a breach; you want to share pertinent lessons learned and even Intelligence to help others. However, doing so could expose your reputation. What can you do?Or your organisation might be attacked, and you want to ask for help - anonymously, without divulging where you work.We show how Intel sharing can be achieved in an Incident Responder community and provide step-by-step instructions on implementing with popular team messaging platforms like Slack, Mattermost, Discord and Microsoft Teams. The presentation will demonstrate how this can work in a trusted IR community like FIRST, other CERTs or Incident Response communities.
Digital First Responders: The Role of Computer Security Incident Response Teams (CSIRTS) in Developing Countries
This note intends to provide policy makers in developing countries with a clear understanding of the role and importance of Computer Security Incident Response Teams (CSIRTs) for enhancing cyber resilience. It provides new data and evidence on the status of CSIRT deployment across regions and income groups and outlines practical recommendations on how to establish and operate national CSIRTs, including for costs and staffing.
Built in Partnership with World Bank, read full publication details
- KRTLP:CLEAR
Dissecting the Arsenal of LockBit
HuiSeong YangHuiSeong Yang (S2W inc., KR)
HuiSeong Yang is a researcher in the Threat Analysis Team at S2W in Korea. He is in charge of analyzing various malware, including ransomware, and has recently been working on methodologies to analyze malware written in Go and Rust languages, which are often used to make analysis more difficult. His main research focuses on tracking ransomware groups operating as Ransomware-as-a-Service (RaaS).
While many RaaS groups have come and gone in recent years, the LockBit group has been one of the most active. LockBit operates as a ransomware-as-a-service (RaaS) and employs multiple affiliates, causing far more damage than any other ransomware group. As of 2023, it has inflicted 1,029 ransomware victims out of a total of 4,951 ransomware victims, and is aggressive enough to rank first in the number of victims among RaaS groups, at about 20%.the LockBit group has continued to grow their arsenal (which they refer to as a collection): LockBit Red, a 2.0 version of the original LockBit ransomware they developed in June 2021; LockBit Black, which cribbed code from the BlackMatter ransomware in June 2022; and the Conti-based LockBit Green, released this year... How far is the group willing to go to quote code from other ransomware? And then there's the rumored Babuk. As you can see, we've been tracking the LockBit group since its inception.
- JPTLP:GREEN
Email Breach Analysis and Response Tips to Avoid Risk
Yumi IidaYumi Iida (ITOCHU Cyber & Intelligence Inc., JP)
After working as a customer engineer in the authentication and security field at an IT vendor, I am currently in charge of responding to and analyzing security incidents at ITOCHU Cyber & Intelligence.
Business Email Compromise (BEC) poses a global threat, leading to substantial financial losses. Despite the widespread adoption of multi-factor authentication (MFA), attackers have evolved their tactics, notably through Adversary-in-the-Middle (AiTM) attacks, increasingly prevalent since 2021. The Anti-Phishing Working Group (APWG) reports a doubling of phishing attacks between 2020 and 2022, indicating a persistent rise in BEC phishing.Microsoft 365 (M365), the world's most utilized webmail service, is a prime target for these attacks. However, available information on M365 account breaches lacks detailed insights into attackers' behaviors and intrusion trace deletion. The absence of comprehensive incident data hampers effective analysis and monitoring by company CERT (Computer Emergency Response Team).Current defense recommendations, scattered across various documents for different products (Microsoft Entra ID, Exchange, etc.), are not systematically organized. This complicates the work of CERT staff in investigating and responding to incident-related logs. Inadequate incident data may lead to ineffective responses, allowing intrusion risks to persist and potentially amplify damages.This presentation addresses the identified attacker techniques (email theft, app installation, and intrusion trace deletion) from actual M365 account breaches, offering insights for confirmation and response in case of incidents. Through real incident analyses, practical steps for incident handling will be shared to minimize the risk of account compromise and subsequent damage expansion.The goal is to enhance on-site staff response efficiency, disseminate appropriate countermeasures against intrusions and BEC risks, and ultimately contribute to safeguarding numerous companies.
EMAILB-1.PDF
MD5: d41d8cd98f00b204e9800998ecf8427e
Format: application/pdf
Last Update: July 10th, 2024
Size: 4 Kb
- LU BE BRTLP:CLEAR
Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution
Alexandre Dulaunoy
David Durvaux
Renato Otranto Jr.Alexandre Dulaunoy (CIRCL.lu, LU), David Durvaux (European Commission - EC Cybersecurity Operations Centre, BE), Renato Otranto Jr. (CERT.br / NIC.br, BR)
Alexandre Dulaunoy enjoys when humans are using machines in unexpected ways.
I break stuff and I do stuff at CIRCL
David Durvaux is active in the incident response field for more than a decade. He has work on many IT security incidents and especially on computer forensics aspects. Since 2015 he is actively preparing the FIRST CTF. David presented several time at the FIRST annual conference among others.
Renato Otranto Jr. is in IT area for more than 25 years and he has experience with security, network and system administration.
He joined CERT.br in 2013 as an incident handler and also develop other activities with the team. Since 2012 he is involved in
the organization of the Capture the Flag at FIRST Annual Conferences. He is also a former member the of Dragon Research Group.
In the dynamic landscape of cybersecurity, continuous skill development is paramount. This presentation, titled "Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution," delves into innovative approaches to enhance outreach and learning in the field.Focused on the creation, sharing, and execution of challenges, particularly through platforms like Capture The Flag (CTF), the session aims to illustrate the transformative impact of hands-on experiences with the FIRST.org challenges.The discussion will also outline how it has grown, offering a wide variety of knowledge fields and strong collaboration between the volunteers and their supporting organization.
- TLP:AMBER
Everyday work with OSINT and Telegram
Philippe Lin (Senior Threat Researcher)
Philippe Lin is a senior threat researcher with Trend Micro. He was into big data analysis, machine learning, NLP, SDR and all sorts of nerdy things.
In this talk Phillipe shares how to setup Telegram in a Docker container and automate channel scraping.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
Everyday work with OSINT and Telegram
September 16, 2024 09:30-10:00
- IN CZTLP:CLEAR
From Code to Crime: Exploring Threats in GitHub Codespaces
Nitesh Surana
Jaromir HorejsiNitesh Surana (Trend Micro, IN), Jaromir Horejsi (Trend Micro, CZ)
Nitesh Surana is a Senior Threat Researcher with Trend Micro where he specializes in cloud vulnerability & security research. He has been in the top 100 MSRC Most Valuable Security Researchers in 2023 for his submissions to Microsoft via the Zero Day Initiative. He has presented across conferences such as Black Hat USA, HackInTheBox, HackInParis, Nullcon, c0c0n, Security BSides, NDC Oslo and OWASP/Null Bangalore meetups. Apart from playing with packets and syscalls, Nitesh is found attending concerts and writing/playing music.
Jaromir Horejsi is a Senior Threat Researcher for Trend Micro Research. He specializes in tracking and reverse-engineering threats such as APTs, DDoS botnets, banking Trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.
Cloud-based development environments enable developers to work from any device with internet access. Introduced during the GitHub Universe event in November 2022, Codespaces offers a customizable cloud-based IDE, simplifying project development. However, the openness of this service has been exploited by attackers, leading to in-the-wild campaigns leveraging GitHub Codespaces for developing, hosting, and exfiltrating stolen information.The presentation will showcase GitHub Codespaces' features and explore typical methods of abuse by threat actors, focusing on observed malicious campaigns. Highlighted is DeltaStealer, a credential-stealing malware family with diverse variants, some featuring unique capabilities like persistent Discord authentication compromise and cloud-based data exfiltration.Developed using GitHub Codespaces, these infostealers reveal interesting artifacts, including debug symbols, exposing insights into the developers' identities. The presentation will showcase social media evidence and conclude with practical recommendations on configuring cloud-based IDEs securely, identifying suspicious instances, and proactively addressing similar cyber threats.
- GBTLP:CLEAR
How to Start Using Priority Intelligence Requirements (PIRs) on a Budget
Josh Darby MacLellanJosh Darby MacLellan (Feedly, GB)
Cyber Threat Intelligence (CTI) professionals are increasingly confronted with pressure to deliver more intelligence services and products with fewer resources. Balancing escalating threats against budget cuts and limited tools stretches CTI teams thin, leading to burnout and high turnover. To provide clarity on priorities, the CTI community adopted Priority Intelligence Requirements (PIRs). PIRs are a pivotal method for refocusing efforts and resources, building relationships between CTI and stakeholders, and enabling greater efficiency. But how does one begin collecting PIRs when there is minimal budget in the first place? How do you approach the first 90 days to ensure you implement PIRs without incurring high costs?
This session takes a pragmatic approach to developing PIRs, complementing previous workshops on PIRs (including at this conference) by focusing on the earlier stages and working with a limited budget.
Josh is a Cyber Threat Intelligence (CTI) professional with experience in the financial, tech, and cybersecurity sectors in North America and Europe. He originally started out in physical threat intelligence and has worked in geopolitical risk, protective intelligence, and risk management before pivoting to the CTI. Josh's current job focuses on using Machine Learning Models to collect cyber threat intelligence.
Josh enjoys contributing to the threat intelligence community and mentoring others in the industry. He sits on the Board of Director for TIER (Threat Intelligence Exchange Roundtable) and on the committee for CyberToronto Conference, previously holding directorships with (ISC)2 Toronto Chapter and ASIS.
- TLP:CLEAR
Improving ICS/OT Threat Hunt & Incident Response Capabilities Through Adversary Emulation
Shaun LongShaun Long (Cybersecurity & Infrastructure Security Agenc)
Shaun Long is the Deputy Chief for CISA’s Threat Hunting - Industrial Control System Section (ICSS), with a focus on reducing risk for small-medium sized critical infrastructure partners, building free & open-source community operational technology (OT) cyber tools, and building scalable service offerings using the Control Environment Laboratory Resource (CELR) platform. In addition to enabling internal CISA Threat Hunting teams & established partners, Mr. Long's team prioritizes partnerships with regional critical infrastructure utilities to demystify OT Cyber Security through interactive CELR Threat Hunting exercises, capture the flag events, and technical training modules focused on sector specific challenges.
Prior to joining CISA, Mr. Long spent eight years working at Booz Allen Hamilton -- supporting clients with technical product assessments, security and network architecture assessments, and enterprise level cyber security tool deployments. In addition to client work, Mr. Long helped to stand up an entirely new cross-cutting business unit, targeting the industrial control system security in the Defense & Civilian market by partnering with functional market leaders and leading commercial vendors.
This presentation will delve into the challenges and opportunities involved in upskilling the current workforce and training the future workforce to tackle the emerging field of cybersecurity—cyber-physical systems and operational technology that power our modern world. We will examine how the Cybersecurity & Infrastructure Security Agency (CISA) leverages our Control Environment Laboratory Resource (CELR) to conduct simulated OT threat hunt and incident response exercises. Additionally, we will explore how these systems are used to develop products and services for public and community use, and investigate new use cases and offerings to strengthen critical infrastructure against evolving threat actors.
- TWTLP:GREEN
IoT Hacks - Unexpected Angles of Human Process Compromises
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)
Dr. Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research Senior at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
Fyodor explores the evolution of tools designed to influence public opinion, focusing on physical devices that can shape perception, such as IoT cameras, vehicle telematics, and various other systems.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
IoT Hacks - Unexpected Angles of Human Process Compromises
November 13, 2024 17:20-18:00
- USTLP:CLEAR
KPIs for CSIRTs
Logan WilkinsLogan Wilkins (Cisco, US)
Logan Wilkins has over 25 years of software development and information security experience. He has worked in academic, research, and corporate settings, specializing in DevSecOps management, data science, and information security. In his current role, Logan manages Cisco's CSIRT Engineering Delivery team, which is responsible for Security Monitoring and Incident Response systems development, CI/CD processes, and Data Management. Logan is Co-chair of the FIRST Metrics Special Interest Group (SIG).
In the rapidly evolving landscape of cybersecurity, organizations increasingly rely on effective Cybersecurity Incident Response Teams (CSIRTs) to detect, respond to, and mitigate security incidents. Key Performance Indicators (KPIs) play a crucial role in assessing the efficiency and effectiveness of CSIRT operations. This half-day training class is designed to empower CSIRT professionals with the knowledge and skills to develop, implement, and leverage KPIs for enhanced incident response.
The training will cover essential topics, including:
- Understanding CSIRT Objectives: Participants will gain insights into the core objectives of a CSIRT and how KPIs align with these goals. A comprehensive overview will be provided to establish a foundation for KPI development.
- Identification and Selection of Relevant KPIs: Explore a range of KPIs applicable to CSIRTs, considering factors such as incident detection, response times, and containment effectiveness.
- Metrics and Measurement Techniques: Delve into the methodologies for measuring KPIs accurately. Participants will learn how to define and collect relevant metrics.
- Establishing Baselines and Targets: Understand the significance and pitfall of setting baselines and realistic targets for KPIs. Practical examples and case studies will be discussed to illustrate how organizations can benchmark their CSIRT performance.
- Visualization and Reporting: Learn effective ways to present KPI data through visualizations and reports.
Following this training, participants have additional knowledge and tools to help establish a KPI framework tailored to their CSIRT's objectives. This class provides a opportunity for CSIRT professionals to enhance their skills, optimize their operations, and contribute to the overall security posture of their organizations.
- USTLP:CLEAR
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
For the past five years Krassimir Tzvetanov has been a graduate student at Purdue University focusing on Homeland Security, Threat Intelligence, Operational Security and Influence Operations, in the cyber domain.
Before that, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research.
Previously he worked for companies like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation, product security.
Before that Krassimir held several operational (SRE) and security positions at companies like Google and Yahoo! And Cisco.
Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He is also a co-founder and ran the BayThreat security conference, and has volunteered in different roles at DefCon, ShmooCon, and DC650.
Krassimir holds Bachelors in Electrical Engineering (Communications), Masters in Digital Forensics and Investigations, and Masters in Homeland security.
Overview: In this presentation the author goes over the building blocks of Influence Operations using mass and social media. It covers subjects such as hypodermic needle model, two-step flow of information, gatekeeping, agenda-setting, priming, framing, spiral of silence, echo chambers and cultivation.
In addition, it looks at some of the larger scale operations focused on subversion.
Additional materials
Media Effects Used in Influence Operations (part 1)
October 17, 2024 09:00-09:50
- AT LUTLP:GREEN
NeuroCTI - a Custom Fine-Tuned LLM for CTI - Benchmarking, Successes and Lessons Learned
Aaron KaplanAlexandre Dulaunoy
Jürgen BrandlAaron Kaplan (Independent / EC-DIGIT-CSIRC, AT), Alexandre Dulaunoy (CIRCL.lu, LU), Jürgen Brandl (Federal Ministry of the Interior, Austria, AT)
Aaron is currently working for EC-DIGIT-CSIRC where he focuses on how to leverage the power of Large Language Models (LLMs) for CTI purposes. Prior to joining EC-DIGIT-CSIRC, Aaron was employee #4 of CERT.at. He co-founded intelmq.org.
In the field of AI, Aaron co-founded deep-insights.ai, a medical AI research group focussing on delivering deep learning based classifiers for the rapid detection of lesions in the human body. He also co-chairs the AI Security SIG at FIRST.org. Aaron likes to come up with ideas which have a strong benefit for (digital) society as a whole and which scale up. He loves sharing knowledge and open source tools to automate stuff.
Alexandre Dulaunoy enjoys when humans are using machines in unexpected ways.
I break stuff and I do stuff at CIRCL
Jürgen Brandl is a senior cyber security analyst at the Federal Ministry of the Interior and has 10 years of experience working in incident response, protecting both governmental and critical infrastructure from cyber attacks. In his current role, he is researching and advocating for the need to use AI to face the emerging threat landscape.
Phd. Paolo Di Prodi was a senior data scientist at Microsoft and Fortinet. Since late 2022 he founded a company called Priam Cyber AI ltd that uses virtual agents to automate security operations. He contributes regularly to open source projects from OASIS like STIX2.1,MITRE ATLAS,IOB and various LLM projects such as OLLAMA and LiteLLM. He also a member of the Automation AI SIG in FIRST ORG and contributed to developing EPSS at the RAND ORG.
LLMs turn out to be highly practical for summarising and extracting information from unstructured Cyber Threat Intelligence (CTI) reports. However, most models were not trained specifically for understanding CTI. We will present a custom LLM, fine-tuned for CTI purposes. But of course, that only makes sense with a CTI text benchmark dataset. Creating these two systems is a challenging journey. Set-backs guaranteed. We will share our findings. Comes with batteries and MISP-integration.
- DETLP:CLEAR
Predictive Cyber Defense - Early Warning Intelligence & Forecasting (08:30-12:30)
Robin DimyanogluRobin Dimyanoglu (OC Payment GmbH, DE)
This workshop introduces Early Warning Intelligence (EWI), a predictive approach that orchestrates cyber defense by anticipating threats before they materialize. Incorporating structured analytical techniques, we will explore two distinct methodologies for constructing an EWI system: profile-driven and correlation-guided research approaches, drawing from practical examples and previously published works.
This workshop will not only dissect these methods but will also argue for the integration of temporary countermeasures—a concept introduced to adjust cyber defense dynamically in response to elevated threat levels. Examples include tweaking rate limits and bot scores, configuring increased resources, and temporarily disabling features to mitigate impact, showcasing a shift from static to adaptive security postures.
Robin Dimyanoglu is the Red Team Lead at HelloFresh Global, with extensive experience in Cyber Threat Intelligence and Threat-Informed Defense. Robin is inspired to bring in concepts from war and intelligence studies to the field of cybersecurity. With a passion for staying ahead of the curve, he is committed to developing novel solutions to security problems.
- AUTLP:CLEAR
Processing Threat Reports at Scale Using AI and ML: Expectations and Reality
Yury Sergeev (RST Cloud Pty Ltd, AU)
With an emphasis on leveraging Artificial Intelligence (AI) and Machine Learning (ML), the session demonstrates an automated approach to streamline the collection, processing, and analysis of threat intelligence reports (APT reports, DFIR reports, malware analysis reports, threat reports, etc.) at scale. The proposed methodology focuses on technical insights, spanning the identification and monitoring of relevant resources, automatic classification using ML to filter out irrelevant information, and the preservation and extraction of valuable threat data with conventional and AI techniques. Attendees will gain insights into optimising their workflows, including the extraction of meaningful information from reports, summarisation techniques, and the automated conversion of reports into the STIX format.
As a cybersecurity expert with a profound understanding of enterprise IT and OT infrastructure, they leverage their expertise to audit, plan, design, develop, and implement complex Information Security systems. Their impressive track record, consisting of over 90 successful cybersecurity projects, consistently enhanced the security of enterprises across multiple countries and industries.
After 6 years working for Deloitte Cyber Intelligence Centre as a security engineer and later as a Director, founded a company called RST Cloud that specialises in Threat Intelligence.
Their focus now centres on operationalisation of threat intelligence, staying vigilant against emerging threats, and guiding teams effectively towards project goals and objectives.
- BETLP:CLEAR
Sigma Unleashed: A Realistic Implementation
Mathieu Le CleachMathieu Le Cleach (CERT-EU, BE)
Mathieu is a member of CERT-EU's Digital Forensics and Incident Response team. He has two hats: respond to security incidents, including significant ones, and engineer CERT-EU's detection strategy. Before joining CERT-EU, Mathieu worked as a CSIRT analyst for a French financial institution.
Sigma is a well-known generic detection rule format in the cybersecurity landscape. While this free, open-source project is very active and offers a wide range of features, its implementation is challenging, and especially for MSSPs. At CERT-EU, we serve the 90 European Union institutions, bodies, offices and agencies (Union entities) and we strive to deliver the best possible services to them. This is why we relentlessly try to enhance the detection capabilities of our Security Log Monitoring Service. To this endeavour, we created droid, a tool that we specifically built to introduce Detection-as-Code in our environment. In the spirit of fostering a culture of collective progress, we are very excited to share droid as our take to facilitate the ingestion of Sigma rules for any organisation. The tool unlocks the following use cases: detection content versioning, vendor agnostic approach, cross-tool detection content, testing and validating detection rules, by taking advantage of Atomic Red Team, automation of exporting the rules to multiple SIEMs and EDRs.
- JP ESTLP:CLEAR
So Far and Yet so Close. A Story of Collaboration Between Japan and Spain While Analyzing Simultaneous Infostealers Campaigns
Masato Ikegami
Josep AlborsMasato Ikegami (Canon IT Solutions Inc., JP), Josep Albors (Ontinet.com, ES)
Masato Ikegami is a malware analyst at Canon IT Solutions with 10 years of experience in cybersecurity. His primary focus is on the automated analysis and classification of malware. He currently holds the following certifications: CISSP, GREM, GCTI, GCIH.
Josep Albors is the Head of Awareness & Research at ESET Spain (Operated by Ontinet.com). He has more than 18 years’ experience in cybersecurity and now specializes in security awareness. He is also the editor at the ESET Spain blog and one of the contributors to the international ESET blog WeLiveSecurity.
He participated as a speaker at the AVAR 2019 international conference in Osaka, CARO Workshop 2023 in Bochum (Germany)and at many important local security conferences in Spain. Josep is a teacher in cybersecurity courses at several Spanish universities. He collaborates with the Spanish Guardia Civil, Spanish National Police and the Spanish Army, and teaches their units how to fight cybercrime.
Malware doesn’t know about frontiers but some malicious campaigns are more effective in some countries rather than others. When one of these countries is the one you are living in you might have a seriuos problem, specially if you work in cybersecurity. Luckily for us, we live in a connected world and you can find a colleague that is also facing the same problem in his country and work together with him, even if you are more than 10.000 Km away. This is the story and lessons learned of two researchers working together, facing several infostealer campaigns targeting Japan and Spain and how they started sharing information that helped them understand why the cybercriminals were so focused on their countries. This is also an example on how to create and maintain a collaboration channel between two distant countries that can be used as an example if you are facing similar problems.
- CATLP:CLEAR
Solving CTI Sector Incoherence in a Living Growing OpenCTI Repository: Extend STIX 2.1 FTW
Philippe Lin (Trend Micro, CA)
This talk discusses the challenges and complexities of running OpenCTI with dozens of contributors over a course of three years. We delve into the "organic chaos" caused by label misuse, duplicated entries, missepelling, and the confusion that arises from ingesting many external sources, such as SecureList, Palo Alto Unit42, and Trend Micro Research into OpenCTI. Using concrete examples, we illustrate how data cleansing became mission highly-impossible and hinder threat researchers. We discuss our efforts to standardize sector labels, our consideration on US CISA vs STIX, and the need to extend existing vocabularies like STIX 2.1. In conclusion, we share our best practices, tips, tricks and traps in updating OpenCTI data on a production system.
Philippe Lin is a Senior Threat Researcher at Trend Micro Research. His work revolves around industrial embedded systems, software-defined radio, 4G/5G core network and machine learning. He is an enthusiast of open-source software.
- TW
Use and abuse of residential proxy networks
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)
Dr. Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research Senior at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
Fyodor Yarochkin discusses the evolving landscape of cybercrime, particularly the shift from traditional bulletproof hosting services to residential proxies. Researchers, including himself, have noted a growing caution in discussing these entities publicly. Residential proxies are easier and cheaper to maintain and present more complex challenges for defenders because they complicate traffic filtering.
Yarochkin has created a framework, termed a "residential proxy honeypot," to analyze traffic patterns from these proxies. He emphasizes the importance of understanding how these networks operate to effectively monitor and mitigate abuses.
He notes that the residential proxy ecosystem is diverse, featuring numerous small providers alongside larger companies, and highlights the varied marketing strategies used, including black hat forums and Telegram channels. The languages supported by proxy providers often reflect their target customer bases.
Finally, he concludes that there are no truly "good" residential proxy providers, as they all facilitate the bypassing of restrictions, raising ethical concerns about their operations.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
Use and abuse of residential proxy networks
September 25, 2024 09:00-09:30
- US
What defines the field of Cyber Threat Intelligence and its disciplines?
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
For the past five years Krassimir Tzvetanov has been a graduate student at Purdue University focusing on Homeland Security, Threat Intelligence, Operational Security and Influence Operations, in the cyber domain.Before that, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research.
Previously he worked for companies like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation, product security.
Before that Krassimir held several operational (SRE) and security positions at companies like Google and Yahoo! And Cisco.
Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He is also a co-founder and ran the BayThreat security conference, and has volunteered in different roles at DefCon, ShmooCon, and DC650.
Krassimir holds Bachelors in Electrical Engineering (Communications), Masters in Digital Forensics and Investigations, and Masters in Homeland security.
What defines the field of Cyber Threat Intelligence and its disciplines?
July 1, 2024 08:00-08:30
