- US
::1 The Official Home for IPv6 Attacks
Josh Porter (McAfee, US), Marco Figueroa (Intel, US), Ronald Eddings (Intel, US)
Ronald Eddings is a Cyber Fusion Analyst with a diverse background in Network Security, Threat Intelligence, and APT Hunting. Mr. Eddings has created a wide variety of security tools in efforts to automate the identification of malicious activity. Additionally, Mr. Eddings has leveraged user behavior analytics to identify and track anomalous network activity.
Marco Figueroa is a senior security analyst at Intel whose technical expertise includes reverse engineering of malware, incident handling, hacker attacks, tools, techniques, and defenses. He has performed numerous security assessments and responded to computer attacks for clients in various market verticals. A speaker at Defcon, Hope and other Security and Hacker Conference.
Josh Porter is a Software Engineer at McAfee with a specialty in building data-driven threat intelligence applications. He has a passion for Ruby on Rails and has built numerous tools and applications for analysis and consumption of threat intelligence and security data.
Since the exhaustion of public IPv4 address space, the deployment of IPv6 is accelerating at a rapid pace. According to Internet Society, 70% of Verizon Wireless’ mobile network is comprised of IPv6 enabled devices. It is mandatory that organizations develop strategies to adopt IPv6 to create new public content on the Internet. Unfortunately, security is often overlooked when deploying new network technologies such as IPv6. IPv6 provides several options for node and service discovery without employing extensive port scans. Without proper protection, an attacker can trivially enumerate and potentially launch attacks on IPv6 networks.
This talk presents insights into how an attacker may leverage IPv6 to enumerate and attack an IPv6 enabled network. Additionally, a new modular framework will be presented to identify if an IPv6 enabled network is susceptible to be enumerated and attacked.
- FR
Active Directory : How To Change a Weak Point Into a Leverage for Security Monitoring
Vincent Le TouxVincent Le Toux (VINCI, FR)
Vincent Le Toux is the "incident prevention, detection, response manager" at the corporate level of Engie, a large energy company, managing SOC / CSIRT activities. On a personal side, he's the author of the DCSync attack included in Mimikatz and writes many papers in the French review MISC. He designed the PingCastle tool (https://www.pingcastle.com).
There are a lot of scary presentations made by pentesters on security conferences. Some advices are communicated but they are technical ones and CISO, CERT, ...have difficulties to change the situation.
As the author of the DCSync attack (included in Mimikatz & powershell empire) and working at the corporate level of a multinational, I was facing problems nobody could answer. How much domains do we have ? Why auditors were able to list our accounts without any account on our domain ? Are we secure ? (especially with these new attacks)
Asked to solve the "AD situation" I decided to create a methodology that I'm sharing here. The idea is not to focus on the technical side, but to get the management support (and budget) by being able to translate the technical situation into risks. And to make the infrastructure guys aware of their problems so they can solve it (with a lot of management pressure ;-)).
The presentation is in 4 parts:
-
Context. Why this project had to be managed at the corporate level ?
-
General vulnerabilities of the Active Directory. How bad is the situation ?
-
Methodology presented. How to make the link between attacks and risks to get management support?
-
Trying to secure the AD. Are monitoring / hardening tools available on the market efficient ?
- Conclusion
Key findings:
-
You have more AD than you think (multiply by 2 or 3)
-
You have trust with external companies with no protection!
-
You can act right now by discovering many problems even without an account on the domain to audit
- You will show to the management contradictions between local management and corporate management.
Reminder: ALL domain administrators in a forest can own the forest !
- CH
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Tom Ueltschi (Swiss Post, CH)
Tom Ueltschi has been working for Swiss Post CERT (SOC / CSIRT) for over 9 years.
He has presented about Ponmocup botnet at SANS DFIR summit, DeepSec and BotConf twice. He is a proud member of many closed trust groups and communities.
He is active on Twitter (@c_APT_ure) and has been blogging in the past (http://c-apt-ure.blogspot.com/)
Enterprises and organizations of all sizes are struggling to prevent and detect all malware attacks and advanced adversary actions inside their networks in a timely manner. Prevention focused technology hasn’t been good enough to prevent breaches for years and detection has been lacking in many ways.
This presentation will give an overview and detailed examples on how to use the free Sysinternals tool SYSMON to greatly improve host-based incident detection and enable threat hunting approaches.
Splunk is just an example of a SIEM to centralize Sysmon log data and be able to search and correlate large amounts of data to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM.
The main goal is to share an approach, a methodology how to greatly improve host-based detection by using Sysmon and Splunk to create alerts.
One main topic throughout the presentation will be how to find suspicious or malicious behaviors, how to implement search queries and how to reduce or eliminate false-positives. Examples will cover different crimeware malware families as well as tools and TTPs used by Red Teams and advanced adversaries.
For the latter, a commercial tool (Cobalt Strike) was used to test different privilege escalation and lateral movement techniques and develop queries for detection. Sysinternals Process Monitor and Sysmon tools were used to analyze behaviors on the endpoints involved.
Any Blue Team member should be able to take away some ideas and approaches to improve detection and incident response readiness in their organization.
- LU
Alexandre DulaunoyAlexandre Dulaunoy (CIRCL, LU), Steve Clement (CIRCL - Computer Incident Response Center Luxembourg, LU)
Alexandre Dulaunoy works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. Alexandre encountered his first computer in the ’80s—and promptly disassembled it to learn how the thing worked. Previously, Alexandre manager of global information security at SES, a leading international satellite operator, and worked as senior security network consultant at Ubizen (now Cybertrust) and other companies. He also cofounded Conostix, a startup that specialized in information security management. Alexandre enjoys working on projects that blend “free information,” innovation, and direct social improvement. When not gardening binary streams, he likes facing the reality of ecosystems while gardening plants or doing photography. He enjoys it when humans use machines in unexpected ways.
Steve Clement is a security researcher at CIRCL. He is also active in the hackerspace community at large and promoting cyber security worldwide.
AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin, "darkweb" or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.
CIRCL regularly discovers information leaks using AIL. The presentation will include
an overview of the open source framework and its design and implementation.
As the tool can be used by any CSIRT, the integration of the tool within CSIRTs will be explained along with the process of victim notification. The information gathered can be also used for incident response or cyber security exercise, an overview will be given to the audience.
https://github.com/CIRCL/AIL-framework
https://www.circl.lu/pub/tr-46/#reference-of-leaks
AIL – Framework for Analysis of Information Leaks – An Update
Michael Hamm, CIRCL
Since the year 2000 Michael Hamm works for 10 years as Ingenieur-Security in the field of classical Computer- and Network-Security (Firewall, VPN, AntiVirus, …) at the research center “Henry Tudor” in Luxembourg. Since 2010 Michael works as operator for the Computer Incident Response Center Luxembourg. Here he is working on forensic examinations, incident response and analysis.
hamm-michael_slides.pdf
MD5: dafa6a7880ddd0b5a3443fdc3024675f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.44 Mb
Analytical Results of a Cyber Threat Intelligence Survey
Ryan Trost (ThreatQuotient)
Ryan Trost, co-founder and CTO at ThreatQuotient, has over 15 years of security experience focusing on intrusion detection and cyber intelligence with specialized insights into computer network defense (CND) operations. He is a recognized leader in the cyber industry through conference speaking engagements including BlackHat, DEFCON, SANS, and High Technology Crime Investigation Association (HTCIA), as well as, published author of Practical Intrusion Analysis. He developed one of the first geospatial intrusion detection algorithms used to identify geolocation attack patterns. Ryan has successfully managed several large Federal and Commercial Security Operations Center (SOC) teams by focusing on forward-leaning techniques for detecting and responding to nation-state adversaries; structuring and automating the IOC lifecycle; and fusing Intel from non-traditional sources.
Earlier this year I conducted a cyber threat intelligence industry survey asking security practitioners to rate the value of the 20 most common indicator types, as well as, the 35 most common supporting attributes. The survey was broadcasted to techie friends, colleagues, co-workers, several ‘fight club’ distros, and security students from nearly 10 years of collegiate teaching. After 3 months of collecting responses a total of 565 good Samaritans completed the survey and the results are fascinating!
In this talk I will present:
- the survey methodology
- the rating scales
- the results as several hypotheses are proven and disproven
- an analytical breakdown of the results by industry and participant role
- and finally, lessons learned
Additional information on the presentation:
IOCs will always be a key detection mechanism for obvious reasons, however, because certain IOCs can be easy for the adversary to replenish it forces defenders to look beyond the IOC to focus on the TTPs. But which IOC type and attribute (individually or combined) yield – the best detection rate, maximize adversary attribution, the best deployment capability, advance incident investigations the most, etc.? Survey participants were asked to score each indicator type based on each of the three following categories including Strength, Deployment Versatility, and Burnability.
Why IOC Types and Attributes? The reason is two-fold:
In 2014, I presented research comparing the published feeds of several top commercial threat intelligence providers and was amazed at how each provider leaned on various indicator types and indicator attributes completely different. If top-notch commercial vendors put their faith into various IOC types and attributes I was curious to know how the operators and security practitioners viewed them.
And secondly, because indicator types and attributes are the fundamental entry-point to an adversary’s tactics, techniques, and protocols (TTP) they offer a brief but critical vantage point to an adversary’s attack logic. As threat intelligence teams are finding their intelligence lifecycle cadence teams are looking beyond the granular indicators of compromise and studying the adversary’s methodologies and tools to help strengthen security initiatives, speed up investigations, empower analysts to make more informed decisions, and maximize budgetary investments.
I have managed several medium-to-large SOC teams with vastly different resources, budgets, and capabilities and as a result each team has prioritized indicator types and attributes completely differently. Less mature teams stick to fundamental IOC Types including IPv4, FQDN, URL, and MD5 hashes. Whereas, more mature teams cast their analytical net much further in all directions – trending attacker’s email address syntax, user-agents, import hashes, and even email message-IDs to help identify a potential indicator pivot point or attack pattern. This relatively philosophical fascination drove me to develop the industry survey to gather feedback on how analysts (across job disciplines) approach indicator types and respective TTP attributes.
See if the results align with your own viewpoints!
Applying Key Threat Intelligence Practices to Fight Cybercrime
Dhia Mahjoub (OpenDNS), Sarah Brown (Security Links)
Sarah Brown is a Senior Scientist at the NATO Communications and Information (NCI) Agency in The Hague, NL, where she works on cyber security capability development for NATO. She has a particular interest in cyber threat intelligence. She works on independent research projects under the name Security Links. Prior to NATO, Sarah worked at Fox-IT, delivering threat information to banks globally and leading the transformation of content into the standardized formats such as STIX. Sarah worked for nine years at MITRE. She has spoken at RSA, FIRST, WISCS, CyCON, ACSC, and the NCSC One Conference. She holds a MA in Math from the University of Maryland, College Park.
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D Strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied on Wireless Sensor Networks' problems. He regularly works with prospects and customers and speaks at conferences worldwide including BlackHat, Defcon, Virus Bulletin, BotConf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC One Conference, and Les Assises de la securite.
Effective cooperation between governments, industry/private sector and law enforcement agencies/data protection authorities is an essential element to fight cyber crime. Cybersecurity researchers do not always build relationships with counterparts outside of the cybersecurity research community, however, it can be essential to work in a cross-functional team to combat sophisticated threats.
This talk describes our investigation last year looking into rogue hosting activity in The Netherlands using various threat intelligence techniques such as large scale network data mining, OSINT research, and on the ground HUMINT investigative work. Bulletproof hosting providers, a critical part of cybercrime operations, are used to carry out ransomware, phishing, and other attacks. They offer customers reliable infrastructure protected by the complex laws of cyberspace and are able to avoid takedown attempts by law enforcement by leveraging the anonymity of the internet.
We describe the ‘recipe’ that criminal hosting providers often use to enable their operations, and we highlight key threat intelligence best practices that any cybersecurity threat researcher should follow, to include:
- The value in investigating higher level tactics, techniques, and procedures (TTPs) and threat actors as opposed to indicators of specific toxic content
- The possibilities for enriching data through open source material
- The broad community of people that may be necessary to bring together in order to address a cyber threat.
AppSec Behaviors for DevOps Breed Security Culture Change
Chris Romeo (Security Journey)
- JP
Shusei Tomonaga (JPCERT/CC, JP)
Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware analysis and technical findings on JPCERT/CC’s English Blog (http://blog.jpcert.or.jp/).
Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented characteristics of major targeted attack operations in Japan at CODE BLUE 2015.
Typical network intrusion in APT is followed by lateral movement. For effective incident response, investigation and detection of the lateral movement phase is critical. However, evidence of tool execution during the phase is not always acquired under default settings of Windows. JPCERT/CC, therefore, conducted a study on the necessary log configurations to acquire evidence of tool execution in the lateral movement phase and closely examined what has been logged.
This presentation will explain some attack patterns and tools which are commonly used for APT. JPCERT/CC analyzed the incidents that they have handled, and discovered that there are common patterns in the use of methods and tools in the lateral movement phase.
It will also introduce techniques to detect or investigate such incidents by using Audit Policy (a Windows function) and Sysmon (a tool provided by Microsoft).
APWG and the eCrime Exchange: A Member Network Providing Collaborative Threat Data Sharing
Foy Shiver, APWG
Foy Shiver is Deputy Secretary-General of the APWG (Anti-Phishing Working Group) and one of the founding directors of APWG.EU, a European foundation headquartered in Barcelona. In 2004 Mr. Shiver assumed management of operations of the nascent non-profit Anti-Phishing Working Group. He has helped develop this organization into a global industry, law enforcement and research group dedicated to countering the growing threat of electronic crime. In 2005, Mr. Shiver accepted the appointment as Deputy Secretary-General of APWG for which he is charged with cultivating the membership base around research, education and policy issues to fight cybercrime and electronically mediated fraud. In this role Mr. Shiver has worked since 2006 to grow APWG’s eCrime Research Summit into an annual event that has published 75+ peer reviewed cybercrime research papers through IEEE. In that brief, he founded its scholarship program that is now funded, in large part, by the IEEE-SA. In 2013 Mr. Shiver worked with APWG and CaixaBank in Spain to found the new European Foundation APWG.EU. This foundation is harnessing resources focused on cybercrime research and education within the European Union and plays a leadership role in inspiring cybercrime research across the globe.
shiver-foy_slides.pdf
MD5: ec7588ef8812824dd0539cd93d090984
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.76 Mb
- LU
Alexandre DulaunoyAlexandre Dulaunoy (CIRCL, LU)
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing worked. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix specialized in information security management, and the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at the national Luxembourgian Computer Security Incident Response Team (CSIRT) in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg.
Common approaches for measuring attacks are honeypots and blackhole networks. Honeypots on one side are resources designed to be attacked, are popular to measure attacks. On the other side there are blackhole networks, which are monitored announced unused IP-address-spaces, which are currently popular for measuring botnet activities as recently, the activities of the Mirai IoT botnet. Other observations on both can be backscatter traffic and misconfigured systems, as for example servers and routers, which often include default routes to the internet and have been forgotten to be removed or reconfigured. Different metrics are discussed in this work to assess misconfigured systems in raw packet captures.
In this experimental research activity, a framework will be presented to measure these misconfigurations in near real time. A survey of information leak categories will be presented, pinpointing the protocols that need special care while being configured. The evaluation of the various detection techniques and heuristics will be presented with major focus on pcap processing tools.
- CA
Building a Product Security Team – The Good, the Bad and the Ugly - Lessons from the Field
Peter Morin (Grant Thornton, CA)
Peter is a frequent speaker on the subject of critical infrastructure protection, risk management, penetration testing, malware analysis and forensics and has presented at numerous events held by the HTCIA, Black Hat, PMI, Computer Security Institute, Interop, SANS, and ISACA. Peter is a frequent guest lecturer at numerous colleges and university throughout North America and has also been featured in numerous newspapers and publications including SC Magazine.
Peter is a Principal Cyber Engineer and Security Evangelist with Forcepoint, a Division of Raytheon where he is responsible for the overall security of their commercial and federal products. Peter is responsible for assisting in the architectural direction of Forcepoint’s products and also manages their Product Security Incident Response Team.
Peter has over 20 years of in-depth information technology experience in the fields of enterprise computing and networking with an emphasis on IT security, application development, business continuity, incident response and forensics and has held senior management positions with Bell Canada (BCE), KPMG LLP and Ernst & Young LLP as well as worked with numerous tech start-up companies and various government and military agencies.
Peter holds numerous security-related designations including the CISSP, CISA, CGEIT, CRISC, and GCFA
Ensuring that the products and services we build and deliver are as threat resistant as possible is extremely important today. Meeting this challenge is not just about building secure applications since we all know that rapid development of software as well as the evolution of threats and vulnerabilities can see our applications as secure today but vulnerable tomorrow. That is why having an established product security team and response capability is extremely important.
During this discussion, I will discuss, using real-world examples, including that of my own, how organizations can meet the demands of product security including:
- Building a culture of security within your organization beyond firewalls and anti-virus
- How to “sell” security to executive management and explaining what product security does and doesn’t do (i.e. staffing, budgets, etc.)
- Building and deploying software using the "DevOps" approach
- The difficulties of wearing multiple hats, with security being one of them
- Embedding “security” in the software development life cycle (SDLC)
- Establishing a proper security “response” program
- Product vulnerability transparency and developing a disclosure policy
- How to measure the success of your program
- Establishing a bug bounty program
- US
Building a Threat Hunting Framework for the Enterprise
Joseph Ten Eyck (Target Company, US)
Joe Ten Eyck is currently a Lead Information Security Analyst in Target CSIRT, where he leads the efforts to build and improve their threat hunting project. Previous to joining Target he spent 15 years in the U.S Army, the first 10 years of which he spent as a physical security expert before transitioning into Information Technology. He currently holds the following certifications, OSCP, GPEN, GWAPT, GCIH, and CISSP.
The raw truth is that our adversaries continually change, grow, and modify their TTPs and with each iteration we have to grow with them. This inherently puts defenders behind the curve in catching our adversaries, we can't catch what we don't know about. This necessitates a way to promote the ability to rapidly modify and adapt our abilities to interact with attackers. Engaging attackers is often an expensive proposition, not only monetarily but also in context to time and resources. With out the ability to quickly iterate, provide lessons learned, and implement detection we will likely remain in a place of being too far behind.
The solution often revolves around building a method for looking at truly unknown IOCs. However if we can take our hunt processes and define a framework around those IOCS that enables rapid adaptions of the knowledge gained then we can quickly close the gaps as attackers pivot.
This talk features a framework for leveraging a Maturity Model focused on building an advanced hunting infrastructure. First it uses existing open source materials that create data sets and utilizes past instances to strengthen hunting procedures while leaving room for analyst growth. Second it defines a process to follow in applying knowledge, real time intelligence, and situational awareness while remaining flexible enough to catch emerging threats. Third it provides metrics and guidelines on how to grow the process in order to scale as the organization changes.
Building and Maturing your PSIRT
Lisa Bradley (NVIDIA), Christopher Robinson (Red Hat)
StartingaPSIRT.pdf
MD5: f8cc3114a51c3e01d66e7c5c1c7a989a
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.66 Mb
C-TAS Ecosystem for Cyber Threat Analysis & Sharing in Korea
Sang Wook Seo (Korea Internet & Security Agency)
In 2009 and 2011, the Korean and American government, media and bank websites were knocked out in two massive DDoS attacks for three days conducted by the same attack group. Several malware used in two different attacks had not only similar code blocks but also the same TTPs (Tactics, Techniques, and Procedures). They spread through similar vulnerabilities from the installation programs provided by webhard websites. The way malware embodied target addresses and attack times not from C2 servers was unusual too. Korea Internet & Security Agency, a Ministry of Science, ICT and Future Planning's sub-organization of South Korea, built a system called Malware Management System to profile the malware collected by incident responses in private sector.
In 2013, the same attack group conducted APT(Advanced Persistent Threat) attacks called DarkSeoul at Korean major banks and media companies at the same time. One of the banks had suffered damage from an APT attack conducted by the same attack group in 2011 too. Since DarkSeoul, the Korean government felt keenly the necessity of sharing cyber threats to prevent and respond advanced cyber attacks efficiently and effectively. KISA developed C-TAS(Cyber Threat Analysis & Sharing) system to profile not only the collected malware but also the hacked hosts, used vulnerabilities and even the attackers as well as to share them. From 2014, C-TAS system has shared more than 170 million cyber threats with about 170 Korean companies and organizations called C-TAS members.
This presentation will focus on how C-TAS system collects, analyzes, and shares Cyber Threat Intelligence (CTI) in C-TAS community. What problems occurred at each step and how we solved them will be described.
The take-aways for attendees are :
- First, how to build your own CTI platform to collect, analyze and share CTI.
- Second, why we have to do it.
- Third, what the challenges are and how to solve them.
Additional information on the presentation:
-
Background & Motivation: This will detail the motivation to develop C-TAS system and its brief historical background.
-
C-TAS Ecosystem & System Architecture Overall: This will detail C-TAS Ecosystem and its components. C-TAS System consists of several big data solutions. In C-TAS, CTI is not stored in RDBMS anymore, but in different NoSQLs (for example, document oriented database, graph database, search engine and so on) are used. Most of them, including mongoDB, Elasticsearch, Spark, are open-source or free software.
-
Introduction to C-TEX (Cyber Threat EXpression) and C-TEXg (C-TEX for graph): This will detail C-TEX and C-TEXg, the language used by C-TAS system to express and share CTI in the community. C-TEX is a structured language for CTI in XML or JSON format. It is similar to MITRE’s STIX/CybOX but so much simpler and much easier to use. C-TEXg, similar to JPCERT’s Hiryu, is a graph language for relationships between indicators in C-TEX. C-TEXg is also can be used to visualize CTI and some examples will be given in a later section. In C-TEX v2.0, it supports different CTI languages like STIX/CybOX and even custom open-source intelligence formats. How C-TEX/C-TEXg v2.0 can be used with STIX/CybOX v2.0 together will be shown in this section.
-
How to collect, analyze and share CTI: C-TAS automatically collects CTI from many systems inside KISA or C-TAS members and shares back in real-time. It is possible by using RESTful API and message queuing techniques. The collected CTI should be validated and enriched to be useful enough before sharing. C-TAS system uses open-source intelligence and other resources to enrich them. Some of CTI can be analyzed automatically or manually by analysts in KISA. What happens to CTI prior to sharing will be shown.
-
CTI Visualization for Cyber Situational Awareness: As already mentioned, C-TEXg is used to store relationships between indicators and to visualize them for cyber situational awareness. There’s never enough time to analyze and response every single threat so we need to know where to start by visualizing them and their relationships.
-
Practical Usages of C-TAS Ecosystem: Today, many Korean companies and organizations utilize CTI from C-TAS system to protect themselves. C-TAS ecosystem provides not only CTI but also some useful tools in a virtual machine image. Of course, it consists of open-source or free software used in C-TAS system. This section will show some practical applications of C-TAS ecosystem and cases of use.
-
Policies & Issues in Sharing: Building C-TAS community was not easy. It takes three years to have about 170 C-TAS members. This section will talk about sharing policies and some issues in sharing. What the biggest challenge of sharing it with other members is and how we solved it will be described.
-
Closing Remarks: C-TAS is still evolving to detect and response the latest advanced cyber attacks from ransomware to nation-sponsored espionages. Finally, this section will talk about what to do for the next version of C-TAS this year.
Thursday-Session-10v2.pdf
MD5: 3408f3e673aeb9c499a5dbbc99753410
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.91 Mb
- CA
Canaries in a Coal Mine…
Peter Morin (Grant Thornton, CA)
Peter is a frequent speaker on the subject of critical infrastructure protection, risk management, penetration testing, malware analysis and forensics and has presented at numerous events held by the HTCIA, Black Hat, PMI, Computer Security Institute, Interop, SANS, and ISACA. Peter is a frequent guest lecturer at numerous colleges and university throughout North America and has also been featured in numerous newspapers and publications including SC Magazine. Peter is a Principal Cyber Engineer and Security Evangelist with Forcepoint, a Division of Raytheon where he is responsible for the overall security of their commercial and federal products. Peter is responsible for assisting in the architectural direction of Forcepoint’s products and also manages their Product Security Incident Response Team. Peter has over 20 years of in-depth information technology experience in the fields of enterprise computing and networking with an emphasis on IT security, application development, business continuity, incident response and forensics and has held senior management positions with Bell Canada (BCE), KPMG LLP and Ernst & Young LLP as well as worked with numerous tech start-up companies and various government and military agencies. Peter holds numerous security-related designations including the CISSP, CISA, CGEIT, CRISC, and GCFA
The same way canaries have been used to detect toxic gases in mines, the cyber-canaries are invaluable in detecting lateral movement on enterprise networks. With the constant barrage of breaches occurring today, organizations must focus on early detection beyond the walls of their network perimeter if they are to stave off attacks and further data loss.
This presentation will discuss the following:
- Provide information on the use of honeypots, specifically Canaries to detect lateral movement on networks following a breach.
- Difference between traditional honeypots such as honeyd and canaries
- Use-cases using OpenCanary with demonstrations and examples of attack scenarios including some well known breaches such as Target or Home Depot.
Cloud Threat Hunting
Jim Reavis, Co-founder & Chief Executive Officer, Cloud Security Alliance (CSA)
- MY
Aswami Ariffin (CyberSecurity Malaysia, MY)
DR. ASWAMI ARIFFIN is a digital forensic scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX. Currently, Aswami is a VP of CyberSecurity Responsive Services Division at CyberSecurity Malaysia.
In a threat landscape that is evolving rapidly and unpredictably, we recognize that many organizations need to protect their entire ICT environment against both external and internal threats. Cyber criminals utilize various approaches to compromise their targets, such as sophisticated mixes of phishing, social engineering and malware to name a few.
Critical National Information Infrastructure (CNII) is crucial to a nation because the disruption of systems and communication networks could significantly impact the nation's economic, political, strategic and socio-economic activities. Successful cyberattacks on CNII organizations can have serious and cascading effects on others, resulting in potentially catastrophic damage and disruption. For many organizations, CSIRT/CERT is responsible for responding to cyber security incidents in order to minimize the effects of cyberattacks.
In view of this, CSIRT/CERT around the world should collaborate in responding to incidents in a timely and coherent manner. One possible approach is to have a collaborative initiative in malware research and a threat information sharing system. CyberSecurity Malaysia has introduced the Malware Mitigation Project as a joint effort among Asia Pacific CERT (APCERT) and Organization of Islamic Cooperation (OIC) member countries to mitigate malware threats.
This paper presents a case study on collaborative malware research and a threat information sharing initiative amongst APCERT and OIC member countries. The case study presented in this paper highlights a malware threat analysis and findings from the Malware Mitigation Project led by CyberSecurity Malaysia.
Such analysis provides early malware detection, whereby CNII organizations can take appropriate measures to react against malware threats. In addition, a trend landscape report is produced, which provides useful information for relevant stakeholders to protect their countries against the detrimental effects of malware intrusions and attacks.
- DE
Countering Innovative Sandbox Evasion Techniques Used by Malware
Carsten Willems (VMRay, DE), Frederic Besler (VMRay, DE)
Frederic Besler received his MSc in computer science / IT-security at the Ruhr-University of Bochum. Since the formation of VMRay in 2013 he is actively researching sandbox evasion techniques found in-the-wild, novel detection methods, and remedies to prevent detection. His personal interests lie in reverse engineering, vulnerability research, and symbolic execution.
Carsten Willems is the original developer of CWSandbox, a commercial malware analysis suite that was later renamed to GFI Sandbox, and now Threat Analyzer by ThreatTrack Security. He is a pioneer in creating commercial software for dynamic malware analysis, and is one of the experts in this field worldwide. He achieved his Ph.D. in computer science / IT-security at the Ruhr-University of Bochum in 2013 and has more than 15 years of experience in malware research and software design. He already founded several companies, assisted many companies in IT-security related operations and regularly gives presentations at academic and industry conferences.
Automated behavior-based malware analysis is the core function of security solutions defined as “network sandboxing”. It came to the fore for analyzing and detecting advanced threats over a decade ago. Back then, malware authors had already found ways to evade tools like traditional antivirus, which rely on static analysis, by using techniques such as polymorphism, metamorphism, encryption, obfuscation and anti-reversing protection. Malware analysis sandboxes are now considered the last line of defense against advanced threats.
It is important to note, however, that the success of behavior-based malware detection hinges on the behavior exhibited by the file during analysis. If, for some reason, no malicious operations are performed by the file during the analysis, the sandbox concludes that the file under examination is benign. Malware authors are always looking for new, innovative ways to evade sandbox detection by concealing the real behavior of malicious files during analysis.
In order to cope with the omnipresent threat posed by malware, we must upgrade our defensive tools to succeed in the ongoing cat-and-mouse game of evasion and detection. We therefore must understand what evasion techniques are successfully employed in the wild.
This presentation provides an overview of the state-of-the-art evasion approaches used by malware. We divide these approaches into three categories and explore the various evasion techniques associated with each of these:
-
Evasion by detecting the presence of a sandbox: The first approach uses several techniques to detect the existence of a sandbox. Once a malicious file determines that it is being executed in a sandbox, it alters its behavior in an effort to avoid being detected.
-
Evasion by exploiting weaknesses in the underlying sandbox technology: The second approach directly exploits weaknesses in the underlying sandbox technology or in the surrounding ecosystem.
- Evasion using time, event or environment based triggers: The third approach exploits the natural shortcomings arising from the fact that sandboxes are automated systems. In an effort to deal with the sheer volume of malware, sandboxes usually only spend a few minutes analyzing each file. By delaying the execution of a malicious payload by a certain amount of time, only becoming active on certain triggers, etc., malware can remain undetected.
CVE and the CNA Program
Daniel Adinolfi (The MITRE Corporation)
- US
Defensive Evasion: How APT Adversaries Bypass Security Controls
Aaron Shelmire (SecureWorks, US)
Aaron Shelmire began his professional security career when he was pulled into responding to the Stakkato incident. Since then he slapped together some open source IDS stuff, attended graduate school for information security at Carnegie Mellon University, worked at CERT/CC, then SecureWorks, then some startups, and now SecureWorks, again. He is driven by the challenge of computer-to-computer combat, and revels in evicting adversaries.
Counter Threat Unit researcher Phil Burdette showcases the top 5 ways targeted threat actors dodge, dip, duck, dive, and dodge traditional security controls. Participants are exposed to real world examples from incident response engagements where adversaries explicitly try to avoid and hide from network defenders during actions on objective. They do this by “living off the land” using native Windows tools like PowerShell and WMI to move laterally and launch in memory only implants. Threat actors will also operate in blind spots by deploying virtual machines that lack security controls or collection instrumentation. To cover their tracks, adversaries will delete forensic artifacts from the registry and clear web or event logs from the system. Would you detect these defensive evasion and forensic countermeasure tactics in your environment?
Developing and Sharing ATT&CK-based Analytics
John Wunder (The MITRE Organization)
John Wunder, a Principal Cyber Security Engineer at The MITRE Corporation, is a security researcher focusing on cyber threat intelligence and cyber impact assessment. Mr. Wunder is co-chair of the STIX (Structured Threat Information Expression) subcommittee in the OASIS Cyber Threat Intelligence Technical Committee, which defines the STIX standard for sharing cyber threat intelligence. He works across MITRE's U.S. government sponsors to help them use cyber threat intelligence effectively to improve operations, to use MITRE's ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to better detect adversary behavior, and to understand the impact of cyber attacks on their missions.
Mr. Wunder previously worked as a software developer and obtained his Masters in Information Assurance from Northeastern University in Boston, Massachusetts. He holds a Bachelor of Science in Computer Science and English from St. John’s University in Queens, New York.
In January 2017, a working group led by Pfizer began operationally sharing cybersecurity analytics based on MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework. The goal of the effort is to improve the defensive postures of the participating organizations by increasing their collective ability to detect adversary behavior. In the process, the group has learned about what analytics are useful to share and which aren’t, what data is important to include when sharing analytics, and what feedback is useful to include. As a participant in that working group, MITRE has also learned about how our internal processes to develop and share analytics should work to optimize coverage and provide provable defense.
This presentation will focus on new processes MITRE is exploring to develop and test analytics while participating in the working group. These processes start with identifying a good candidate from the ATT&CK model to focus on. We then use a test environment where we can exercise that technique (i.e., carry out the real attacks) to see how it appears in our logs. Based on that data we can develop an initial version of the analytic that testably detects at least some aspects of that technique. While we can do some level of testing in that test environment to iterate on the analytic, the test environment is not good for determining how the analytic works in the real world on real systems doing real work. For that, most testing occurs in a portion of our live network approved for experiments. That live experiment allows us again to exercise the real adversary behavior, but in this case against the background and messiness of a real production environment. That background data allows us to reduce the false positives (cases where the analytics detect things that are not malicious) to a reasonable level while still ensuring that the analytic detects the malicious behavior. Because it’s a smaller environment, we know that moving it to our production systems will require even more tuning. Moving to real production alerting in the SOC requires a further approval process and review by others.
The presentation will also discuss lessons we at MITRE and more broadly the working group have learned in sharing analytics with others and integrating analytics shared by others into our own environments. There are basic challenges like different sensors and big data tools, but also tougher challenges like determining how much of a technique an analytic that was shared actually covers and understanding how false positive rates differ across environments. Over time we’re also hoping to learn what types of feedback are useful and what types aren’t, what types of analytics make sense to share and what types don’t, what information is useful to consumers, and what information is too sensitive to share. For example, several aspects of the analytics tend to be generally applicable (what observables to look for and some false positives) while other aspects tend to be specific to a given environment (thresholds and other types of false positives).
Finally, we’ll also describe aspirational efforts to automate sharing across tools and organizations (e.g., via the development of common data taxonomies and mappings), to use new situational tools to understand defensive coverage using the ATT&CK matrix, and to use threat intelligence aligned to ATT&CK to understand defensive coverage in the context of an organization’s threats.
Wednesday-Session-13.pdf
MD5: 662d37a7596fc48f56ca78d34857ebbc
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.03 Mb
- US
Digital Supply Chain: The Exposed Flank In 2017
Martin McKeay (Akamai, US)
Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. Martin is a senior editor of Akamai’s State of the Internet Security Report, Akamai’s quarterly report on DDoS and other threats. Three years ago Martin moved his family to the UK in order to help Akamai reach the European audience.
With over fifteen years of experience in the security space and five years of direct Payment Card Industry work, Martin has provided expertise to hundreds of companies. He has spoken at events in the US, Europe, Asia and Australia, including RSA, Black Hat, Defcon and FIRST. He is a member of Europol’s European Cybercrime Center Internet Advisory Committee.
This talk will speak to the issues pertaining to supply chain security as is relates to global organizations and the highly interconnected nature of suppliers and corporations. The presenter will pull from personal war stories of incidents that he lived through to help illustrate the need to not just worry about the main corporate security perimeter, but to address the extended perimeter and the exposures and risks that arise from the supply chain. Aspects of an exposed supply chain include trading partner networks, code developed by offshore development centers, and outsourced help desks and the assorted pirates that prowl the digital expanse.
- FI
Disrupting IoT Worms in Finland (2016 Edition)
Markus Lintula (NCSC-FI / FICORA, FI)
Markus Lintula has worked for the past four years as a duty officer and a malware analyst at the National Cyber Security Center of Finland.
This talk presents an inside look of a national CERT team during a widespread IoT worm outbreak leveraging a zero-day vulnerability in DSL modems. On 25th of November 2016 the Mirai botnet started exploiting a zero-day vulnerability in TR-064 implementation on certain CPE-devices. The infection levels of Mirai in Finland went from hundreds to tens of thousands in a matter of days.
- US
DNS is NOT Boring! Using DNS to Expose and Thwart Attacks
Rod Rasmussen (Infoblox, US)
Rod Rasmussen, joined Infoblox in 2016 as Infoblox’s VP of Cybersecurity as part of the acquisition of the cybersecurity company IID. Rod co-founded IID and served for over 10 years as its President & CTO. He is widely recognized as an expert on the abuse of the domain name system by criminals and other malicious actors. Rasmussen is co-chair of the Anti-Phishing Working Group’s (APWG) Internet Policy Committee, and is a member of ICANN's Security and Stability Advisory Committee. Rasmussen is a member of the Online Trust Alliance’s Steering Committee. He is a Steering Committee member, and has served multiple times as a workgroup co-chair on FCC's Communications Security, Reliability and Interoperability Council (CSRIC). Rasmussen is also a member of M3AAWG, DNS-OARC, and serves as IID's FIRST representative. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor's degrees, in Economics and Computer Science, from the University of Rochester.
While almost every major organization in the world is being continuously attacked over the Internet from a wide variety of actors, tools, and methods, the vast majority of them are sitting on a gold mine of data that could expose and thwart those attacks and don’t even know it. That data is in the very mundane task of resolving names to network addresses otherwise known as Domain Name Service (DNS).
This session will explore how to dig data out of your organization’s DNS queries and responses, find activities like data exfiltration using DNS tunnels, malware activities, and other attacks leveraging the DNS, and provide some thoughts on how to use the organization’s DNS infrastructure itself to protect from these threats.
Evolving role of PSIRT in the Cloud
Vic Chung (SAP)
- DE
Experiences and Lessons Learned from a Siemens-Wide Security Patch Management Service for Products
Manuel Ifland (Siemens AG, DE)
Manuel Ifland has been with Siemens since 2008. As an IT Security Consultant Manuel conducted various cyber security assessments and penetration tests for Siemens products and solutions. Manuel used to train IT security experts in awareness workshops and moderated numerous threat and risk analyses. Today, Manuel is a Senior IT Security Consultant in the Siemens ProductCERT. He is responsible for a Siemens-wide service to support product teams in timely patching of security vulnerabilities in third-party components used in Siemens products and solutions. Manuel is doing research in the field of third-party component security and works closely together with product development teams.
In software development, using third-party open-source as well as proprietary software components has become the de-facto standard. These pre-made building blocks enable faster time to market and lower development costs by providing out-of-the box functionality, allowing developers to focus on product-specific customizations and features. However, decision makers and developers must be aware that they possibly inherit the security issues of components they incorporate and that they have to care. Based on experiences from a Siemens-wide self-operated, self-developed security patch management service for products in the critical infrastructure space, the presentation will discuss lessons learned and give insights into pitfalls and how to tackle them.
- DE
Experiences in Threat Data Processing and Analysis Using Open Source Software
Morton Swimmer (Trend Micro, Inc, DE)
Bio for Morton Swimmer
Morton was born in New York City and was raised and educated in New
York, USA, Brighton, UK and Hamburg, Germany. I received my Master's
and Doctor's degree from the University of Hamburg, Germany. In 1996,
Morton joined IBM Research's Massively Distributed Systems Research
department to work on the IBM Digital Immune System and IBM
Antivirus. Previously he had been involved with antivirus research at
the Virus Test Center, University of Hamburg under
Prof. Dr. Brunnstein from it's beginnings in 1988 and was a co-founder
of S&S International Deutschland GmbH, an antivirus and data recovery
company now owned by Intel, Inc. After taking a professorship at
CUNY's John Jay College of Criminal Justice, teaching computer
forensics, he is now working for Trend Micro, GmbH, in Germany.
His Master's thesis was on dynamic virus analysis system, called
VIDES, that became a major component of the Digital Immune System and
is the first known Malware sandbox system. His PhD thesis was on
Malware Intrusion Detection, where the fields of malware detection and
intrusion detection were merged and a new model of Malware and attack
defence was introduced as the advanced autonomic defense
architecture. Recent research at Trend Micro revolves around
processing massive amounts of data to extract threat intelligence.
Bio for Vincenzo Ciancaglini
Dr. Vincenzo Ciancaglini got a M.Sc. in Telecommunications Engineering from the Politecnico of Turin and a M.Sc. in Electrical Engineering, Wireless Systems, from the Royal Institute of Technology in Stockholm, Sweden.
For some years he has worked as a developer in a travel IT company in Sophia Antipolis, France, a period during which he also took part in the foundation of a research and innovation lab within his company, where he was responsible for analysing new upcoming technologies and their potential business developments.
In the period 2009-2013 he obtained his Ph.D. from the National Research Institute in Automation and Computer Science (INRIA) in Sophia Antipolis, with a thesis about peer-to-peer networks interoperability and next-generation internet protocols.
Since 2012 he works in Trend Micro as a research scientist within the Forward-Looking Threat Research team (FTR), a team distributed all over the world, responsible for performing technological scouting and investigation on cyber-criminal activities, and their potential development in the coming years.
His duties in the team go from the development of new data analytics prototypes to identify targeted attacks to the research on new encrypted networks (Darkweb), ad also research on the Internet of Things (IoT).
With the abundance of data feeds from threat research as well as Internet infrastructure telemetry, the threat researcher potentially can understand the context of incidents and attacks much better than ever before. The downside though is that both the hardware requirements for processing such large datasets as well as finding an architecture that supports the researcher's objectives becomes much more challenging. Adding to this problem is the complexity of dealing with diverse types and quality of data so that useful results can be had.
In this presentation, we show how we, the FTR Team in Trend Micro, Inc., processes our data effectively. The most important requirement was that we needed a single platform that was good enough for most datasets, under the added constraint of having to support diverse use cases, from day-to-day actor attribution to one-off extended researches. While there exists proprietary platforms for threat data analysis, we chose to use a stack based on Elasticsearch, itself based on the open source Lucene engine, and this has proven very effective.
Early on, we used traditional databases, but found that they are fairly rigid in structure and require refactoring if new, unanticipated queries pop up or the data structure of the feeds drifts over time. They also don't always scale well without expensive hardware. We also experimented with various NoSQL databases, which are very promising but often lacked the upper layers of the stack that we'll get back to later in the presentation. Graph databases are very tempting as they are often an excellent fit for our data, and essentially provide total indexing, but they don't scale out as advertised and have hefty preprocessing requirements. Some data, for instance, time-series data, does not fit well to the graph model.
The most important principle that guided us was the principle of 'no surprises' and 'good usability' in data labeling, i.e. the field names need to have some consistency and the values need to be always consistent in representation when there exists multiple ways of expressing a value, such as is the case with IP addresses. This guarantees that the experience a researcher gained while working on a given index remains useful when working with other datasets. We define a pipeline that comprises of data acquisition using appropriate scripts and preprocessing in Streamsets, which allows us to define the data mutations needed to homogenize the data and track data drift. The data terminates with Elasticsearch at which point a postprocessing step enriches the data, by, for example, adding geo information to IP addresses.
The beauty of using Elasticsearch as a platform is the community that has sprung up around it and has already provided multiple user interfaces, from Elasticsearch's own Kibana, through Jupyter Notebooks and native scripting. As the use of Elasticsearch grows, we are able to include other Elasticsearch clusters without our organization in our search giving our researchers more reach from the same user interface.
It is important to realise that this is not a solution that will ever be ideal, but it represents a way of handling most datasets we throw at it adequately well. We have been able to use if for a number of papers released in 2016. We've found this setup to be at the very least, a good start to an analysis, and at best fully adequate to all the researcher's needs.
Extracting and Exploring Threat Intelligence on Open Sourced Documents using Natural Language Processing
Mayo Yamasaki (NTT)
Mayo Yamasaki is a research engineer at NTT Secure Platform Laboratories and also a member of NTT-CERT. He studied information science and natural language processing at Nara Institute of Science and Technology.
Since he joined NTT in 2015, he’s been researching and developing software systems for cyber security related information extraction and retrieval with machine learning.
Due to effective incident discovery and response, organizations need to have intelligence about cyber threats and vulnerabilities related themselves. Although documents on the WEB contain various intelligence, these documents are unstructured. Therefore it is difficult to obtain necessary intelligence.
In this presentation, we introduce an automated method to extract structured threat and vulnerability intelligence from unstructured open source documents, and we share experiences and knowledge learned from research and development of our prototype system.
yamasaki.pdf
MD5: 16da8a50b42306e14b396fc1887b25ec
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.76 Mb
Fail frequently to avoid disaster, or how to organically build a threat intel sharing standard
Alexandre Dulaunoy, Andras Iklody (CIRCL)
Alexandre encountered his first computer in the eighties, and he disassembled it to know how the thing worked. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix specialized in information security management, and the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at the national Luxembourgian Computer Security Incident Response Team (CSIRT) in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg.
Andras Iklody is a software developer working for CIRCL and has been the main developer of the Malware Information Sharing Platform since the beginning of 2013.
He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Designing a successful standard for threat intel sharing is a daunting task, with a host of possible pitfalls. This talk aims to describe the journey, challenges and mistakes the MISP Project made while designing the MISP standard as we know it today. There are several paths that can lead to a well defined standard: early and prolonged requirement gathering versus starting small with rapid iterations, democratic and centralised driving forces, inclusive and exclusive ideologies. Our weapon of choice was an implementation driven, rapid iterative and real-world usage centric approach using the PMF methodology, which allowed us to experiment and fail often but also be aware of our failures before they became unrevokable disasters.
The speaker will attempt to compare and contrast the various methodologies and what lessons we've learned.
Firmware over the air, case study of ADUPS Fota
Janis Dzerins, CERT.LV
After the announcement of Kryptowire about the several models of Android mobile devices that contained firmware which collects sensitive personal data about users and transmits the data to third-party servers without users' consent, CERT.LV and CERT-EE conducted a joint research on the Android mobile phones used in the government networks. In this talk we share our experience and discoveries. (TLP:GREEN)
J?nis Džeri?š has been interested in computers since early school years. Since then he has been learning all things computer-related, and working professionally as a programmer. The endless pressure to deliver features at the cost of quality and security has lead him to reevaluate his priorities and join the CERT.LV team at the end of summer of 2016. He assures everybody this has nothing to do with midlife crisis.
dzerins-janis_slides.pdf
MD5: 0e8229e75b2e7aa11b491ded66d8c389
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.12 Mb
Fluffy Forensics 3.0
Andrew Hay (CTO & Co-Founder LEO Cybersecurity)
- FI
From Bullet Journal to Lessons Learned: How to Manage Coordination and Cooperation Development in Ad-hoc Working Environment?
Jarna Hartikainen (NCSC-FI, FI)
Jarna Hartikainen is Head of Cooperation and Coordination in NCSC-FI at FICORA. She has been working for Finnish Communication Regulatory Authority foreht past ten years giving her wide view of Finnish information security environment. Developing coordination has been her main focus for several years. She has experience from several viewpoints: she started as the first situation coordinator at NCSC-FI, moving on to team leader of situation awareness and now managing the function.
In a CERT function and situation awareness cases come and go quickly. Fast reactions and quick decisions are a basic requirement to keep the work going with results. The challenges are how to keep up with the level of cooperation and communications in a level of already met expectations and still develop it further on in an always changing environment?
Our solution is to manage our days in the bullet journal style and wrap the month in the lessons learned session. The calendar style offers a quick way of going through the wide information security phenomenon scheme monthly, still offering freedom for ad-hoc decisions to new incidents coming up daily. Lessons learned sessions are used to go through improvements gathered from the employees' to develop their work. Even mistakes are welcome, cause you can learn from them! The structure is nowadays base of our regular communication of cooperation groups and public bulletin, luckily enabling continuous developing.
The winning party is everyone. It is easy for the management to follow with pre-set deadlines and motivated staff. For coordinators and duty officers structured days, weeks and months balance work load and result expectations, still giving time to react to ad-hoc incidents with passion. Last but not least, the customers know what to expect from our communication and when, yet having trust to our quick reactions.
The presentation shows:
• Monthly, weekly and daily type of bullet journals
• Use of lessons learned session regularly to develop the cooperation and communication
• Results of the used method from over one year of experience
- US
Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates
Kevin Bocek (Venafi, US)
Kevin Bocek is Vice President of Security Strategy & Threat Intelligence at Venafi. He brings more than 16 years of experience in IT security with leading security and privacy leaders including RSA Security, Thales, PGP Corporation, IronKey, CipherCloud, nCipher, and Xcert. He is sought after for comment by the world’s leading media such as Wall Street Journal, New York Times, Washington Post, Forbes, Fortune, BBC, Süddeutsche Zeitung, USA.
Recently, Mr. Bocek led the investigation on Secretary Hillary Clinton’s email server and previously he led Venafi’s investigation into how Edward Snowden used cryptographic keys and digital certificates to breach the NSA. His early success securing critical systems included designing and engineering cutting-edge Java and smart card–based encryption and PKI applications for the U.S. government.
Kevin has authored several books, including PCI Cardholder Data Protection for Dummies and Laptop Encryption for Dummies and co-authored research projects with The Ponemon Institute including the Cost of Data Breach, Cost of Failed Trust, and Worldwide Encryption Trends reports. Mr. Bocek has a B.S. in chemistry from the College of William & Mary and an MBA from Wake Forest University.
Christine Drake has been involved in IT security for over 14 years. She currently works for Venafi, an industry leader in cryptographic key and digital certificate security, and conducts security surveys and research to complement forensic research conducted by the Venafi Labs team. Before Venafi, she worked for Trend Micro and for MailFrontier as a research analyst.
Christine is an author on pending patents, papers accepted at peer-reviewed IT security conferences, and security blogs. She has her B.A in Social Ecology and a J.D. from Hastings College of the Law. She is particularly interested in how IT security overlap with industry regulations and privacy laws.
Experts say the next black market is digital certificates. But most businesses don’t fully understand how these digital assets are used by cyber criminals, hacktivists, and nation states to infiltrate and remain undetected. In addition, expired certificates can also cause outages, negatively impacting reliability and availability. However, Security Operations and Incident Response teams often do not look to cryptographic keys and digital certificates as one of the core instruments for attacks or outages. Or if suspected, a lack of visibility and control delay recovery.
In this presentation, you’ll learn how certificates are misused in attacks and the frequency and impact of certificate-related outages, including guidance on how to use this knowledge to develop an incident response program that enables both preventive and corrective actions.
- GB
Hajime & the Mainline DHT
Kevin O'Sullivan (BT Plc, GB)
Currently a BTCERT Investigator, I have a keen interest in web application security and the Internet of Things. Before working in BTCERT I was on the frontline SOC in BT, and before that spent some time as a web developer creating security systems.
The dawn of the Internet of Things means we are set to see a huge growth in the numbers of internet connected devices. As we all know – where there is use, there is also misuse and our Internet-connected refrigerator bears no exception to this.
These devices are often seen as soft, easily broken targets due to lack of security features enabled by default or simply due to the poor security standard of the embedded software. Their wallet-friendly price-tags however appear to remain an attractive solution for the everyday consumer.
The most common method of compromise for these devices is also the simplest. Manufacturers will often ship a product with an administrative interface that is left open by default. Worse still, the interface is configured with a standard password (something like admin:admin) and is often positioned facing the Internet.
The number of these devices present on the Net, and the simplicity of compromise has given rise to a new kind of botnet – that of which entirely consists of DVRs, CCTV systems and the like. This presentation will look at the make-up of recent Internet of Things (IoT) botnet Hajime.
We will consider the Peer-to-Peer Bit-torrent DHT (Distributed Hash Table) architecture used in this botnet to distribute updates, payloads and configuration files. We will also discuss how we have been using the Bit-torrent network to track the spread and growth of this botnet.
We will discuss the lessons we have learnt from Hajime, as well as sharing key statistics on the area of spread. We will discuss how this intelligence assisted us in responding to protect our customers. We will also explore some theoretical attacks on the botnet's architecture. We will share Indicators of Compromise from these botnets as well as advice on how you can detect the malwares presence on your own networks and how to mitigate the threat of infection altogether.
This talk will be focused on CSIRTs and will be presented at a intermediate technical level.
Handling an Incident in CERT-EU
Emilien Le Jamtel is a security analyst working for CERT-EU.
CERT-EU is the Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies and bodies. It provide support for around 60 organisations regarding targeted cyber threat.
In this presentation we will go through an incident based on real cases and details how the teams in CERT-EU works internally and interact with constituents, peers and partners.
The focus is made on processes, tools and information sharing including:
- Cyber Threat Intelligence database and sharing
- Threat Hunting on constituents networks
- Security Operation Center
- Tools and resources provided to EU institutions, agencies and bodies
- Relations with peers and partners
- Documents and analysis provided by CERT-EU
Heroes, Villains & Simulations of the Adversaries
Itzik Kotler (CTO and Co-founder, SafeBreach Former Blackhat & DEFCON Speaker)
- DE
Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification
Ben Stock (CISPA, DE), Christian Rossow (CISPA, DE)
Ben Stock: PostDoc researcher at CISPA, Saarland University. Graduated at FAU Erlangen, Germany. Expert in Web security.
Christian Rossow: Professor of IT Security at CISPA, Saarland University. Graduated at VU Amsterdam, The Netherlands. Next to Web security also involved in research on Denial-of-Service and malware.
We systematically examine the feasibility and efficacy of large-scale notification campaigns. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. Using a data set of over 44,000 vulnerable Web sites, we measure success rates, both with respect to the total number of fixed vulnerabilities and to reaching responsible parties, with the following high-level results: Although our campaign had a statistically significant impact compared to a control group, the increase in the fix rate of notified domains is marginal. If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. But, out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate, leaving 74.5% of Web applications exploitable after our month-long experiment. Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification.
How political motivated threat actors attack
Feike Hacquebord (Trend Micro)
Throughout history, politically motivated threat actors have been interested in changing the public opinion. In recent years the popularity of the Internet gave these threat actors new tools that are highly effective and scalable. Not only do they make use of social media to spin the news, spread rumours and fake news, but they also actively hack into political organisations. In this talk we will give an overview of the attack tools that political motivated actors use. We will give explicit examples of advanced credential phishing, leaking sensitive data and attempts to influence what mainstream media publish. We will also discuss networks that are designed to spread rumours and fake news on social media. Cyber attacks against political organisations are not likely to stop anytime soon. Our presentation we will include recommendations for organisations to protect themselves from the most prevalent attacks politically motivated actors use.
- Feike Hacquebord works as a Senior Threat Researcher for the Forward Looking Threat Research team of Trend Micro and has more than 10 years of experience in investigating cybercrime. In recent years he got interested in targeted attacks and he is the author of more than a dozen blog postings on high profile targeted attacks. Prior to joining Trend, Feike was an independent researcher and he holds a PhD degree in Theoretical Physics from University of Amsterdam.
How RIPE NCC Tools and Data Sets Can Help with Online Investigations
Mirjam Kühne & Ivo Dijkhuis, RIPE NCC
RIPEStat is a tool that provides information about any given IP address space, Autonomous System Numbers (ASNs), and related information. It presents registration and routing data, DNS data, geographical information, abuse contacts, blacklists and more from the RIPE NCC's internal datasets as well as from external sources. RIPE Atlas is the largest active Internet measurement network with almost 10,000 probes connected worldwide. The data produced by this infrastructure can be used to understanding of the state of the Internet in real time. We will present the latest developments of these tools and show how they can be used for online investigations.
Mirjam Kühne is the Senior Community Builder at the RIPE NCC, a role she’s held since 2009. She collaborates with various technical, security and academic peers within her extensive professional network to strengthen the Internet community within the RIPE NCC’s service region.
Mirjam also maintains and curates RIPE Labs, a collaborative platform that supports innovative ideas and tools for the Internet.
Prior to her current role with the RIPE NCC, Mirjam worked at the Internet Society as a Senior Program Manager. She was involved in issues related to technology and public policy, bridging the gap between the technical community and a non-technical audience like government representatives. Mirjam also developed and organised technical workshops primarily in developing countries. One of her tasks was to establish and maintain relationships with partner organisations (ICANN, the RIRs, the IETF, NSRC and others) and regional and local operator communities.
The start of Mirjam’s career in the Internet industry actually began with the RIPE NCC. She worked there for nine years, the latter half as part of the senior management team, contributing to the organisation’s strategic and financial planning. She was responsible for external relations and represented the organisation on an international level. Before that, Mirjam was responsible for developing and managing membership as well as public services.
Mirjam obtained a Masters of Computer Science at the Technical University Berlin, Germany.
Ivo Dijkhuis, RIPE NCC
- PL
How To Ruin Your Weekend (And Business) In Few Simple Steps
Przemek Jaroszewski (CERT Polska/NASK, PL)
Przemek Jaroszewski is a member of CERT Polska (part of Research and Academic Computer Network in Poland) since 2001, where his current position is the head of the team. He started his education as a programmer at Warsaw University of Technology, to eventually get his master's degree in Social Psychology from University of Social Sciences and Humanities in Warsaw. Przemek was involved in a number of projects on data exchange and collaboration of incident response teams. He was also a co-author and teacher of trainings for incident responders, including ENISA CERT Exercises and TRANSITS.
The talk is an anonymized story of a real incident investigated by CERT Polska. On one sunny summer weekend, things started to go wrong for FastForward - a major logistic company. An apparent IT security incident led to a complete suspension of the company operations, and consequently ruined chain of supply for dozens of its customers. A thorough investigation revealed a number of minor shortcomings that could have been easily prevented. Combined, they triggered a sequence of events that resulted in a disaster causing major financial and reputational losses. The investigation results raised important questions about management of IT security and incident response in an enterprise that outsourced most of its IT operations, as well as about responsibilities of different business entities who contributed to the incident's root causes. It also demonstrated the often overseen benefits of network monitoring and information exchange.
During the case study I will show steps that led from (scarce) evidence to conclusive opinions. Learning from FastForward's mistakes, security officers and incident responders will learn valuable lessons in the areas of risk assessment, contingency planning, security monitoring and communication.
Proposed structure of the presentation:
- Publicly visible signs of the incident
- Identifying primary cause
- Gathering evidence on contributing factors
- Verifying hypotheses
- Preventive measures that were not there
- Aftermath & Public Communication
- Conclusions
Chris Romeo (Security Journey)
- TW RU
Hunting for Threats in Academic Networks
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW), Vladimir Kropotov (Trend Micro, RU)
Vladimir recently joined Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at some of Fortune 500 companies, was head of Incident Response Team at Positive Technologies since 2014, and holds a university degree in applied mathematics and information security. He participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, and many others.
Fyodor is a researcher with TrendMicro Taiwan as well as a Ph.D. candidate at EE, National Taiwan University. An early Snort developer, and open source evangelist as well as a "happy" programmer. Prior to that, Fyodor professional experience includes several years as a threat analyst at Armorize and over eight years asa information security analyst responding to network, security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organisations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally.
In this presentation we will share our experience with analysing a year of academic network flow data. We sampled data from a number of border routers in academic network in Taiwan. An academic network has a particular characteristic of being extremely noisy and detection of malicious activities can be very false-positive prone to due to nature of activities frequently conducted by network users.
In addition to that the sampled network flow data provides only limited information regarding the nature of network traffic that traveled through the network segments. Therefore we had to engineer additional algorithms for anomaly detection, data enrichment and data cross-referencing in order to effectively identify ’true-positives': from denial of service attacks, to malware operations, network scanning and attacker’s lateral movements.
- BR
Implementing a Country-wide Sensor Infrastructure for Proactive Detection of Malicious Activity
Edilson Lima (RNP, BR), Rildo Souza (RNP, BR)
Rildo Souza –
Rildo holds a Bachelor degree in Information Systems and a post graduation title in Computer Networks at UNICAMP (University of Campinas, Brazil). With more than six years in IT and five in security area, Rildo currently acts as a Security Analyst at CAIS/RNP, the Brazilian Academic and Research Network CSIRT. His major interests include Incident Handling, Vulnerability Analysis and Network Monitoring. In the last years, he leaded various security projects in order to facilitate the day-to-day of academic IT staff and to raise the security awareness among this community. Rildo has also delivered lectures and training courses in national and international events.
Edilson Lima -
Edilson holds a Bachelor degree in Information Systems and a MBA in Information Security Management. He is a certified professional in ISO 27002 and COBIT. With 10 years of experience in Information Security area, Edilson has leaded several projects and has coordinated various security teams.
Currently, he acts as the Security MAnager of the Incident Handling team at the Brazilian Academic and Research Network CSIRT
Liliana Solha -
Liliana holds a Bachelor degree in Industrial Engineering at University of Lima (ULima), Peru, and a Post Graduation title in Computer Networks at the University of Campinas (UNICAMP), Brazil. She has been involved in security area since 1996. Working at the RNP, the Brazilian Academic and Research Network since 2000, she currently acts as the General Manager. Liliana also served for three continuous two-year elected position as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST) organization – becoming the first Latin American representative on this board. In the last years, she has actively worked for the security awareness dissemination in Brazilian and Latin American academic networks, impelling the development of CSIRTs in the region. She has acted for four years as the Chair of "RedCLARA - Cooperation of Latin America Research and Academic Network - Security Task Force (GT-Seg)". Liliana has recently assumed the coordination of the FIRST ACAN BoF, a Special Interest Group that brings together all the academic organizations at FIRST community. Currently, she is also a member of the Security Study Group of Global Research and Educational Network CEO Forum, initiative that includes CEO representatives from a group of NRENs (National Research and Educational Network) around the world. Liliana has also participated as a speaker and trainer at several Brazilian and international security events (FIRST, COLARIS, LACNIC, OAS, TICAL, CLARA-TEC, SCI/RNP, etc).
Driven by the need for a greater autonomy in detecting malicious activity at Brazilian academic networks, CAIS/RNP, the Brazilian National Academic and Research Network CSIRT - who serves to a constituency of approximately 600 institutions - developed its own monitoring solution based on an open source Network IDS/IPS (Suricata) using a master-engine model and incorporating additional features and customizations in order to obtain an efficient, easily-managed and complete solution for proactive detection of network security incidents, thus facilitating the day-to-day of incident handlers and strengthening the CSIRT incident handling capability, which is one of the core services of any CSIRT.
This presentation aims to provide details on the implemented solution and challenges, and mainly to share this initiative with FIRST community in order to benefit other CSIRTs.
- US
Samuel PerlMatthew Sisk (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US), Samuel Perl (CERT/CC, US)
Matthew Sisk is a member of the Situational Awareness group within the
CERT® Program at the Software Engineering Institute (SEI), a unit of
Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since
2007 working as a software engineer and network defense analyst
developing automated solutions across massive data sets. Prior to CERT,
Sisk gained over 10 years experience as a developer specializing in
network security for a major corporation in the oil and gas industry.
Sisk holds a B.E. in Electrical Engineering and Computer Science from
Vanderbilt University.
One of the central services of Computer Security Incident Response Teams (CSIRTs) and Security Operation Centers (SOCs) is the receipt of incident reports from their constituency. Some teams have large constituencies and receive tens of thousands of incident reports per year. Some teams have turned to automation, when dealing with large volumes of incident reports, to assist analysts with incident prioritization, workflow assignment, and more. This is a complex process because incident reports often have a unique 'form.' This ‘Form” is typically a mixture of header/identifying information, structured information, free text narrative, cybersecurity jargon terminology, and uniquely transformed information such as 'defanging' of potentially dangerous information.
Over the past few years we have worked in collaboration with US-CERT on exploratory analysis of incident data and reports. The focus has been on improving the quality and amount of useful information that can be extracted from incident reports and used for correlation, trending, situational awareness, and eventually predictive analysis. A recent part of this work has focused on developing a method for improving the use of regular expression searching for the extraction of indicators and other useful information.
In our method, we first assemble a set of ground truth incident reports with the information manually extracted. We then identify false positives and indicators that were not being extracted. We also developed a framework to measure the improvement that a given extraction method has had using the ground truth data. This allows us to monitor the affect a change in the regular expression has had upon extractions of the larger corpus.
This presentation will discuss our method, challenges teams can expect to encounter when automating extraction from incident reports, our lessons learned during the creation of the ground truth data (such as other useful types of information we noticed in the incident reports and future ideas for extracting it), our testing process, and some initial observations related to our results.
Incident Response Dealing with the Whole Country
Javier Berciano, CERTSI
Javier Berciano works as Head of Incident Response at Spanish National CERT (Security and Industry CERT - CERTSI, formely known as INTECO-CERT). He is focussed on incident response, computer forensics, threat analysis and monitoring, as a team leader.
It takes more than a decade professionally dedicated to computer security. He held some cybersecurity certifications as CISSP, GCFA, GNFA, CISA, etc.
He has also participated as speaker in some international conferences like FIRST Conference and Symposiums, Microsoft DCC, National CSIRT meetings, TF-CSIRT, Trusted Introducer, Microsoft DCU Threat Intelligence, ABUSES forum, ENISE, etc.
Internal Network Monitoring and Anomaly Detection through Host Clustering
Thomas Attema (TNO)
Internal network traffic is an undervalued source of information for detecting targeted attacks. Whereas most systems focus on the external border of the network, we observe that targeted attacks campaigns often involve internal network activity. To this end, we have developed techniques capable of detecting
anomalous internal network behavior. As a second contribution we propose an additional step in the model-based anomaly detection involving host clustering. Through host clustering, individual hosts are grouped together on the basis of their internal network behavior. We argue that a behavioral model for each cluster, compared to a model for each host or a single model for all hosts, performs better in terms of detecting potentially malicious behavior. We show that by applying this concept to internal network traffic, the detection performance for identifying malicious flows and hosts increases.
- Thomas Attema MSc graduated in Mathematics from the University of Utrecht in 2013, after which he started working as a research scientist at TNO in the department Cyber Security & Robustness. One of his main topics of interest is anomaly detection. As such, he has contributed to the development of new network intrusion detection algorithms. Another topic of interest is cryptography in which he is currently working on applying various multi-party computation schemes to the cyber security domain.
Moreover he is involved in various initiatives in the field of quantum and post-quantum cryptography.
Masato Terada (Hitachi Incident Response Team)
Dr. Masato Terada is the Technology and Coordination Designer for Hitachi Incident Response Team (HIRT), the leader in vulnerability handling and vulnerability database throughout their careers. Also he is the Chief Researcher at Yokohama Research Laboratory, Hitachi. After launching HIRT activities in 1998, he launched a research site, a predecessor of JVN: Japan Vulnerability Notes (http://jvn.jp/) in 2002 and acted as a point of contact for HIRT in order to promote external CSIRT activities, including participation in FIRST, an international CSIRT organization in 2005.
After he launched the Nippon CSIRT Association in 2007 with 6 Japanese CSIRT teams and has tackled improving the capability of CSIRT community as Steering Committee Chair of the Nippon CSIRT Association since 2014.
Also he has workd as a visiting researcher at the Information-technology Promotion Agency (IPA)(ipa.go.jp), a senior advisor at JPCERT Coordination Center (jpcert.or.jp), a steering committee member at ICT-ISAC Japan (ict-isac.jp) and a visiting professer at Chuo University.
In Japan, many organizations focus on CSIRT and CSIRT functions as cyber security countermeasure. Also many organizations promote to share the information for establishment of enterprise CSIRT, operate of CSIRT, threat inteligence and so on for cyber security countermeasure. However, in Japan, in order to disseminate information sharing of threat information by machine readable based security automation, we need to respond to requirements such as flow control of information traffic by the scale of CSIRT, group control of information traffic by the purpose, sector, severity and type, distribution control of threat and vulnerability information by same distribution channel and so on.
In this presentation, we will introduce construction situation of CSIRT and ISAC communities, information sharing trial using STIX/TAXII and the information sharing platform prototype for realizing the collaboration via systems and persons.
Keynote: Fail Fast, Fail Often - An Innovative Model to Reduce Risk
My-Ngoc Nguyen (CEO/Principal Consultant for Secured IT Solutions, SANS Institute Facilitator)
- AU
Lean Gains - Small Team Effectiveness
Ben May (AEMO, AU)
Ben is Manager of the Cyber Security Team at the Australian Energy Market Operator (AEMO). Ben has been with AEMO for almost ten years and has had a strong focus on establishing and operating the Threat Detection and Response capability. Ben’s current role has a strong focus on the delivery of key security initiatives along with the operating and maturing the threat detection, intelligence and response function.
Small teams who want to look at ways to deliver effective threat detection and response capabilities. Teams
that want to look at ways to leverage resource constraints to better deliver services and effect change.
Lessons learned in fighting Targeted Bot Attacks
Jose Enrique Hernandez (Zenedge)
The talk aims at first dissecting some recently targeted bot attacks we have faced at Zenedge and walk through the capabilities of a determined threat actor. Expanding upon the chess game of mitigation we pivot into the 5 main mitigation techniques:
- Rate limiting/Delaying
- Javascript Challenges
- CAPTCHA
- Human Interaction Challenges
- Fingerprinting
Then discuss their pros and cons, and what combination is most effective against targeted attacks. In the final section of the talk will discuss how to employ these techniques and have them leverage by
your very own CIRT team. The talk will close off with advice/guidelines to follow in order to detect, mitigate and report on bot attacks using open source software.
- Jose Hernandez is currently the SVP Technology and Engineer at Zenege Inc. He started his professional career at Prolexic Technologies (now Akamai) in DDOS fighting attacks from anonymous and lulzsec against fortune 100 companies. While working at Splunk Inc. as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. In the past, he has helped build security operation centers as well as run a public threat intelligence service. Jose is originally from Miami, Florida where he completed his Master’s degree in Information Security from Nova Southeastern University. He also achieved two undergraduate
Bachelor degrees from Florida International University in the field of Management of Information Systems and Information Technologies.
Although security information has been the focus of his career, Jose has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote control vehicle called the SensorSub, which was used to test and measure toxicity in Miami’s waterways.
Let your CSIRT do malware analysis, Recruit-CSIRT has done it!
Tatsuya Ichida (Recruit Technologies)
I introduce the deep customized sandbox system for CSIRT. This has some individual functions in order to make forensic easier. We had considered what CSIRT wants via malware analysis. Finally, our CSIRT's dream come true. Our system has the functions below.
- customized dynamic agent for malwares to behave more active in our workplace environment.
- create IOC and auto-analysis the C&C servers
- Real-time Visualization the analyzed behavior on Web UI.
- Post C&C information to FW & Web Proxy in order to block the malicious outbound traffic.
This system help Recruit-CSIRT on the both of Forensic and Prevention. Normal behavior and traffic removing is very tough and still now on going. Our system is a kind of enhanced cuckoo sandboxes.
- Tatsuya Ichida is a security engineer and incident handler in Recruit-CSIRT, especially prefer to analyze malware. He love malware and may be loved by malware. He joined Recruit Technologies; domestic IT company 2 years ago to seek the best method of handling malware incidents for CSIRT. He hold CISSP, GCIH, GPEN.
- CZ
Jan Sirmer (Avast Software, CZ), Jaromir Horejsi (Avast Software, CZ)
Jaromir
Jaromír is a malware researcher at Avast Software. His main specialization is reverse engineering mainstream cyber threats that target Windows and Linux. During the course of his career, he has researched many types of threats, e.g. DDoS botnets, banking Trojans, click fraud and ransomware. In the past, he has successfully presented his research at RSAC, Virus Bulletin, AVAR, Botconf and CARO.
Jan
Jan is a senior malware analyst at Avast Software. His main specialization is analyzing malicious Java threats, Android applications and exploits, macro viruses, web based malware and other non-executable malware. During the course of his career, Jan has authored blog posts about phishing threats, malicious web exploits and Android threats. In the past, he has successfully presented his research at AVAR, Virus Bulletin and WebExpo.
Most media attention is given to imminent and visible threats, like ransomware. Other threats remain under the radar and often go unnoticed. Malicious proxies are one of these threats.
The redirections done via malicious proxies are only activated in certain situations. Internet web browser settings are slightly modified, so that a very small (<1KB), and often obfuscated, proxy auto-config file is queried from the configuration server. If a victim browses particular websites, like banking sites, they are redirected to fake or malicious domains that pretty much look identical to real sites. Other than that, infected computers behave normally and victims usually don’t notice anything. All the credentials victims enter into fake sites are harvested by cybercriminals. This allows for a variety of attacks, including MitM and SSL impersonation, which may later lead to identity theft, unauthorized account access, and financial loss.
In our talk, we will discuss the Retefe banking Trojan, which celebrated its comeback in the summer of 2016. There have been several changes made to Retefe, including, but not limited to, the structure of the delivered payload, geographical distribution, and the online banking systems it is targeting. Spread via malicious email attachments, a few malicious scripts are dropped and executed, and a rogue certificate is installed and the victim’s browser proxy configurations are changed. Retefe traditionally targeted banking users in German-speaking countries, however, we managed to detect completely new waves targeting banking users in the UK. The particular waves differ from one another, for example, Retefe started installing third-party tools and libraries (Tor, Proxifier,...), using different methods of persistence, and began targeting additional financial institutions. The last, and perhaps the most important part of the threat, are the mobile applications for Android, which the fake banking sites encourage victims to download. During our research we managed to collect and analyze hundreds of these apps.
We will show a detailed infection vector, ways of targeting and changing settings of various web browsers, and reverse engineer all the malware components coming from the various waves, and finally show original and fake websites as they would be seen from clean and infected computers. We will also show the statistics and severity of this threat, as seen by our user base. We hope our talk will be beneficial for attendees coming from a DFIR background, because we intend to dive into all aspects of this threat, share interesting IOCs and system settings, which might be modified by Retefe or other similar malicious threats. Although Retefe is simple from a technical point of view, it is very powerful and efficient in reaching its hideous goals.
- DE
Marvin: Automated Incident Handling at DFN-CERT
Eugene Brin (DFN-CERT, DE), Jan Kohlrausch (DFN-CERT, DE)
Jan Kohlrausch received a Diploma in computer science from the University of Hamburg in June 2000. Since July 2000 he works as a Senior member of the research and development team at the DFN-CERT Services GmbH. His research interests include Honeypots, malware analysis, and network forensics.
Eugene Brin is a consultant and engineer with focus on honeypots, mobile security and threat management. After years of entrepreneurial practice he joined DFN-CERT Services GmbH in 2012 and has been involved in numerous security research projects since.
We introduce Marvin (Malicious Activity Refining, Validating, and Integrating), a framework that efficiently automates the handling and coordination of incidents caused by well-known threats. This framework is especially designed to save human resources for incident handling where automated treatment is feasible where technical guidance for specific threats can be provided. Incident handling automation by Marvin integrates data collection, contact management, incident categorization, technical guidance, and reporting. The framework leverages the relationship between a CSIRT or SOC and its customers and end-users. The constituent groups are granted access to a web-based portal where they can maintain their contact and network data. Marvin itself uses supplied data pertaining to security events in order to put together an actionable incident report that enables the affected site to resolve the incident. Furthermore, a web-based front end allows to configure Marvin workflows and displays event information to the internal Incident Response Team (IRT) of DFN-CERT.
Marvin has proven to efficiently reduce manual effort required to handle incidents caused by well-known threats. We strongly believe that other CSIRTs or SOCs would also benefit from this approach to reduce their work load. Even in case the framework cannot be deployed as a whole, components such as the quality control or security event management could prove to be valuable to other teams.
- US
Measuring Similarity Between Cyber Security Incident Reports
Samuel PerlSamuel Perl (CERT/CC, US), Zachary Kurtz (Software Engineering Institute, US)
Zach Kurtz (Statistics Ph.D., CMU 2014) is an applied statistician with experience on projects in fields as diverse as cyber security, public transit, psychology, marketing analytics, ecology, medicine, human rights, and international capital flows. His dissertation built on capture-recapture theory to introduce a new method for estimating the sizes of partially observed populations. At the SEI, Zach has developed cyber incident visualization tools and developed new evaluation methodologies for open-ended cyber warning competitions. Zach began his data science career at the age of 14 with a school project on tagging Monarch butterflies near his childhood home in remote West Virginia.
Samuel J. Perl is a senior member of the CSIRT Development and Training (CDT)Team within the CERT® Division of the Software Engineering Institute (SEI), at Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2011 and has worked on a variety of projects areas including insider threat, vulnerability assessment, security incident data analysis, and incident management capacity development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds a M.S. in Information Security Management from Carnegie Mellon University and a B.S in Information Systems from Carnegie Mellon University.
Most security incident teams work in close real-time communication with each other to ensure that related incidents are grouped together and handled with consistent defensive actions. As the size of the internet has grown and the tactics of attackers has shifted, it is not always obvious what security incidents or events are related to each other. Today's security teams now need to connect security activity that is sometimes months apart, on different partner networks, or across different attacking infrastructure. Additionally, the teams face issues of employee departures, work handoffs, outsourcing, cross border communications, and budget constraints. It is not always practical or even possible to maintain real-time communication with all relevant partner teams.
Our team has been working in collaboration with US-CERT on a variety of automated methods to measure the similarity between incident reports. Measurements can be used to supplement the knowledge that a real-time operations team already has, or it can be helpful in identifying unknown historical information in a large corpus.
For example, in one incident ticket collection database, we examine how to quickly locate the most-closely related historical incidents based upon analyst settings for what they consider to be most important in determining similarity. We also consider identifying and presenting data-driven taxonomies of cyber-attacks based on grouping similar incidents into clusters regardless of human categorical labels which are often under-specified. Finally, we are developing novel ways to take large sets of cyber-attack warnings and compare them against attacks that are actually observed to decide whether any of the warnings had merit.
Our presentation will review multiple approaches to computing similarity of incident reports at multiple levels. One approach involves viewing each incident report as a document containing many terms and analyzing the graph of incidents with linkages determined by shared terms. Another approach involves defining similarities for each kind of detail in an incident and then averaging the similarities across the various details between any pair of incidents. Finally, we'll introduce a new generalization of the Jaccard similarity to account for approximate equality between set elements and demonstrate how this could be used to detect similarity between incidents containing sets of indicators among which exact matches are rare and yet approximate matches are meaningful.
- US
Medical Device Security: A Sucking Chest Wound That Needs Emergency Medicine
Denise Anderson (NH-ISAC, US)
Denise Anderson is President of the National Health Information Sharing and Analysis Center (NH-ISAC), a non-profit organization dedicated to protecting the health sector from physical and cyber attacks and incidents through dissemination of trusted and timely information.
Denise serves as Chair of the National Council of ISACs and participates in a number of industry initiatives. She is a private sector liaison to the National Infrastructure Coordinating Center (NICC) to enhance information sharing between the private sector, and the government. She is a representative to the National Cybersecurity and Communications Integration Center (NCCIC) — a Department of Homeland Security-led watch and warning center and sits on the Cyber Unified Coordination Group, (UCG) - a public/private advisory body that provides guidance during a significant cyber event.
Denise is certified as an EMT (B), Firefighter I/II and Instructor I/II in the state of Virginia, and is an Adjunct Instructor at its Fire and Rescue Academy. She has spoken at events all over the globe.
Denise holds a BA in English, magna cum laude, from Loyola Marymount University and an MBA in International Business from American University. She graduated from the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.
Modern Medicine has evolved dramatically in the last five years enabled by new technologies and data collection/analysis. This is accomplished in many cases by connecting devices, products, systems and networks to the internet. But as is the case with innovation, many medical devices are built without security in mind. Hospitals often have tens of thousands of connected devices in their environments and with estimates of billions of patient exposures per year, the huge vulnerabilities, jurisdictional chasms and evolving threat landscape serve to increase the risks to patient safety and potentially lives. This session will look at the current situation in medical device security, the vast issues, the threat landscape and will look at a cutting edge effort between industry and government to address these challenges by turning the perspective from device security to patient centered security.
Mirai: Chicken, Honey, and Videotapes
Francisco Sucunza, InnoTec System - Entelgy Group
Cyber-security Project Manager at InnoTec (Entelgy group) and passionate about information technologies, Francisco Sucunza has been involved international IT security projects for companies such as Telefónica or Repsol. With a strong background in Sciences he has led his career to project management but still keeping a foot in both camps.
MultiParty Disclosure
Brian Willis (FIRST)
- LV
Svetlana Amberga (CERT.LV, LV)
Svetlana Amberga is working in CERT.LV Latvia, Riga, as Public Relations Team Manager. Previos experience include project management and practical educational work for groups, mostly for youth leaders in Riga City council Wellfare department. Svetlana was involved in non profit organization management as board member of Latvian National Youth Council and European level organization – ACTIVE - Sobriety, Friendship and Peace. Fields of expertise – youth work, organizational development, communication.
Previos experience include project management and practical educational work for groups, mostly for youth leaders in Riga City council Wellfare department. Svetlana was involved in non profit organization management as board member of Latvian National Youth Council and European level organization – ACTIVE - Sobriety, Friendship and Peace.
Fields of expertise – youth work, organizational development, communication.
CSIRT teams in incident response have to work fast and efficient in order to solve incidents timely and keeping high quality. Such performance is very demanding and requires efficient team work and well understood roles for all participants.
Problem: When growing and transforming, CSIRT teams may have to face challenges on how to improve their communication and cooperation. Though such challenges are essential part of the growth, it may be hard to manage changes efficiently and with satisfactory results.
The challenges teams might be facing: • Communication challenges (quality, frequency, low social skills) • Relations and roles in the team (old/new members, unclear roles, who is driving incident handling process, etc.) • Motivation (lack of initiative, lack of feedback, inappropriate reporting, etc.)
Proposed solution: This presentation would explore experience the CERT.LV team gained during a teambuilding activity, using non-formal learning methods and present concept of how to use such experience for other teams. It would to examine how teams can benefit from non -formal learning to improve their internal communication, to raise motivation and clarify the roles internally.
The presentation would focus on the following questions: • What is non-formal learning? Why is it efficient for the team work? • How can structural group work experience improve the team work? • Can non-formal learning improve team members’ motivation? • How to identify important learning needs of the team?
Beneficiaries from the presentation will be CSIRT team members as well as teams’ management.
OpenC2: Protecting our future at machine speed
Mary Mathews (OASIS)
Systems today are subject to different types of attacks from across the world. Cyber-attacks are increasingly sophisticated, automated, stealthy, and can be executed in a matter of seconds. Cyber defense systems are typically statically configured, operate in isolation, and often require a human in the loop for any changes. The use of statically configured point defenses against an automated global attack operating at machine speed will not meet our needs. Future defense will require the integration of new functional blocks, coordination of responses between domains, synchronization of cyber defense mechanisms, and automated actions at machine speed against current and pending attacks.
Standard interfaces and protocols facilitate the integration of components resulting in a more flexible and interoperable cyber defense system. The goal of OpenC2 is to define a language at a level of abstraction that will enable unambiguous command and control of cyber defense technologies. OpenC2 is broad enough to provide flexibility in the implementations of devices and accommodate future products and will have the precision necessary to achieve the desired effect.
During this presentation the speaker will talk about how OpenC2 focuses on the response portion of cyber defense and how it leverages pre-existing standards such as STIX and TAXII for analytics, transport, etc.
Wednesday-Session-5.pdf
MD5: 08026c10d9e0568999b12bf373aa28ab
Format: application/pdf
Last Update: June 7th, 2024
Size: 1010.5 Kb
Operations Technology and IoT
Fred Cohn (Schneider Electric) & Rupert Wimmer (Siemens)
OPSEC. Against APT's reconnaissance phase
Antonio Villalon Huerta, S2 GRUPO CERT
While talking about APT attack mitigation techniques, we usually focus on technological aspects associated with intrusion and persistence phases, but ignoring some critical aspects, those on the reconnaissance phase, that could block (or at least, interfere) the attacker activities. In this sense, we must consider OPSEC as the process that allows us to identify our potentially useful information for the attacker, to know the threats and vulnerabilities it introduces and to define and implement appropiate countermeasures. (TLP:WHITE)
Antonio Villalon is S2 Grupo Chief Security Officer. Computer Engineer (Technical University of Valencia), Security Director (University of Valencia) and CISA (ISACA), he holds more than 20 years of experience in cybersecurity. He has executed and managed many analysis, attack, defence and exploitation projects, including the definition, start up and running of some SOC and CERT. He teaches and speaks about security in different universities and conferences on a regular basis, and has written some books and articles on the subject; his last book (in Spanish) is "Advanced Persistent Threats", published on December, 2016.
- NL
Ozon: Running a Gap Bridging Cybercrisis Exercise
Remon Klein Tank (SURFcert, NL)
Remon Klein Tank (CEH/CISSP) is cyber security specialist at Wageningen University and Research and one of the ten members of SURFcert, the NREN CERT team in the Netherlands.
Remon is in the program comity for SCIRT community, bringing cyber security experts within the SURFnet constituency together and facilitating the sharing of knowledge.
In the morning of October 4th, a large number of public Dutch institutes got a threat mail from an idealistic movement that preach transparency and openness of information. They claimed to have obtained documented proof of malpractices within these organizations concerning mismanagement, questionable research and careless treatment of personal data.
The initial reaction was a call to remain calm and alert. However, quite soon it proved not to be a small incident and board members, communications officers, lawyers and IT staff were mobilized. For over a day crisis management teams worked hard to get a grip on the situation and had to make difficult decisions. Three people were fired on the spot and an entire institution was disconnected from the Internet.
Missed this in the news? That is correct. The above was a part of cybercrisis exercise OZON which was organized by SURFcert for their constituency. In total 27 organizations and over 200 people were participating, from IT to the board of directors. It was a hit.
Crisis exercises outside of the IT department are traditionally focused on physical threats. Now all of our information is digitized, the resiliency of the organization also depends on the ability to handle a crisis that is born out of an IT security breach.
This presentation will take you through the set-up of the OZON exercise, the scenario and the lessons learned. Additionally we can provide a playbook and the infrastructure we build, so you can run this exercise in your own organization.
Panel: Building The Future Cybersecurity Workforce
Dan Manson, Professor, Computer Information Systems Cal Poly Pomona Tobi West, CISSP, GCFE, CCFE, CIS/CST Department Chair, Coastline Community College.Daniel Likarish, Director Center on Information
Featuring a cross-section of Industry Professionals representing a variety of Educational Institutions providing insights, perspectives and paths for building the Future Cyber Security Workforce
- US CA
Panel Topic: Issues Surrounding Internet of Things (IoT) Security Upgradibility and Patching
Allan FriedmanAllan Friedman (NTIA / US Department of Commerce, US), John Banghart (Venable LLP, US), Kent Landfield (McAfee, US), Vic Chung (SAP, CA)
As Director of Standards and Technology Policy at McAfee, Kent is extremely active in the NIST Cybersecurity Framework, participating/presenting in workshops, global outreach, coordinating Intel’s and McAfee’s responses. He co-authored The Cybersecurity Framework in Action: An Intel Use Case and the IETF’s RFC 7203, An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information. He is Chair of the Information Sharing and Analysis Organization (ISAO) Standard Organization’s, Information Sharing Working Group. Previously Kent was the chief McAfee Labs Vulnerability Group Architect and a designated Principal Architect. A founding and current member of the CVE (Common Vulnerabilities and Exposures) Board, an OVAL Board member and active in Security Content Automation Protocol (SCAP), he holds patents in DNS, Email and software patch distribution.
Dr. Allan Friedman is Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multistakeholder processes on cybersecurity, including initiatives on IoT security upgradability and vulnerability disclosure. Prior to joining the Federal government, Dr. Friedman spent over a decade as a noted cybersecurity and technology policy researcher at Harvard’s Computer Science department, the Brookings Institution, and George Washington University’s Engineering School. He has a degree in Computer Science from Swarthmore College, a PhD in Public Policy from Harvard University, and is the coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press, 2014).
John Banghart is Venable's Senior Director for Technology Risk Management, with over two decades of federal government and private-sector experience in risk management, government policy, standards and regulatory compliance, and incident management. He currently co-chairs the NTIA Working Group on IoT Barriers and Incentives. As Director of Federal Cybersecurity at the White House National Security Council, he successfully led efforts to address significant and high-profile cybersecurity issues within major government programs and institutions while facing complex legal, technical, and political circumstances. Previously he led security vulnerability and automation research at the National Institute of Standards and Technology, was Senior Director of Trusted Engineering for Azure at Microsoft, and Director of Benchmark Development at the Center for Internet Security.
Vic Chung is a Product Security Architect with SAP Global Security. Vic is responsible for case-management of vulnerabilities reported by hackers and is the lead in Americas. Prior to joining the security team, Vic managed intellectual property compliance for development teams globally and has deep expertise in technical program management. Vic has a Master’s degree in Information Systems from University of Toronto, Canada and a MBA in Technology Management from Open University Business School, UK.
Given the rise of IoT, consumers are now playing an important role in cyber-attacks and defense. Our IoT infrastructure security (or lack thereof) can be instrumental in assisting or defeating efforts to protect consumers. This panel consists of industry practitioners, policy advocates, and security researchers discussing the effect of consumer IoT on incident response and security. The ultimate objective is to foster an ecosystem offering more devices and systems that support security upgrades while increasing consumer awareness and understanding. One idea is to enable a thriving market differentiator for patchable IoT with common definitions for manufacturers and solution providers. Shared visions for security upgradability are needed so consumers know what they are purchasing. No such commonly accepted set of definitions or vision exists. Manufacturers struggle to effectively communicate to consumers the security features of their devices. This panel will explore and map out the many dimensions of security upgradability and patching for the relevant systems and applications. Definitions that are easily understandable, while being backed by technical specifications and organizational practices will be discussed. The panelists hope to share these definitions and ideas throughout the broader IoT development and incident response communities, and ultimately with consumers.
- US CN MY
Panel Topic: Mirai: How Did We Do?
Merike KaeoMerike Kaeo (Farsight Security, US), Yiming Gong (Qihoo 360, CN), Chris Baker (Dyn, US), Martin McKeay (Akamai, US), Megat Muazzam Bin Abdul Mutalib (MyCERT, MY)
Merike Kaeo is the CTO of Farsight Security, where she is responsible for developing the company’s technical strategy and executing its vision. Previously, Merike was CISO for Internet Identity (IID), where she created the strategic direction for improving and evolving the corporate security posture, and founder of Doubleshot Security, where she worked with numerous companies creating strategic operational security and resilient networking architectures. She led the first security initiative for Cisco Systems in the mid 1990s and authored the first Cisco book on security—translated into more than eight languages and leveraged for prominent security accreditation programs such as CISSP. She is on ICANN’s Security and Stability Advisory Council (SSAC) and the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC). Merike earned a MSEE from George Washington University and a BSEE from Rutgers University.
Yiming Gong has been in the security industry for over 19 years, and currently is the Director of the Network Security Research Lab at Qihoo 360, where his team focuses on security data related research, and runs a few big platforms such as PassiveDNS, botnet C2 tracking system, scanmon and ddosmon as well. Check out http://netlab.360.com for more details.
Chris Baker is an Internet cartographer, data analyst, and wanderlust researcher at Dyn / Oracle, where he is responsible for an array of data analysis and research projects ranging from trends in the DNS to Internet measurement and infrastructure profiling. Previously, Chris worked at Fidelity Investments as a senior data analyst. He graduated from Worcester Polytechnic Institute with a master’s degree in system dynamics and a bachelor’s degree in management of information systems and philosophy.
Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. Martin is a senior editor of Akamai’s State of the Internet Security Report, Akamai’s quarterly report on DDoS and other threats. Three years ago Martin moved his family to the UK in order to help Akamai reach the European audience.
With over fifteen years of experience in the security space and five years of direct Payment Card Industry work, Martin has provided expertise to hundreds of companies. He has spoken at events in the US, Europe, Asia and Australia, including RSA, Black Hat, Defcon and FIRST. He is a member of Europol’s European Cybercrime Center Internet Advisory Committee.
The Mirai botnet created global awareness of the increasing impact of IoT device insecurity and the ability to weaponize such devices for DDoS attacks of unprecedented size and impact. This panel will discuss Mirai’s effects and the global CSIRT response to them: Who was affected? What information was available before the more significant attacks happened? Which CSIRTs were able to effectively disseminate remediation information? What could the community have done better?
pcap doesnt scale'| sed 's/doesnt/does/'
Erik Waher & Matt Moran (Facebook)
Incident Responders need reliable packet capture as a source of truth for what happened on their networks. You can’t file carve from netflow records that tarball the attackers exfiltrated from your breached server, and flow isn’t always detailed enough for writing an IDS signature. This leaves incident response teams with conjecture – “we know there was traffic, but we don’t know what it was.” Do you
want to tell your legal team you know exactly what was lost in a breach, or #yolo “We think we only lost half the database”?
Historically, scaling packet capture infrastructure to meet network demands has been a significant challenge. Physical space for infrastructure can be limited, traffic rates can be too high to maintain meaningful retention windows, and costs may be prohibitive. How do you efficiently query petabytes of data in time to resolve an incident? “Capture All the Things!” seems impossible to scale in the real world.
To address these problems, our in-house security team built a scalable, cost-effective, pcap solution backed by Open Compute Project hardware. This presentation will walk you through the architecture and design decisions that enabled us build a high performance packet capture infrastructure capable of
handling tens of Gbps per host and providing retention measured in petabytes. The solution automatically delivers packets to analysts and responders, allowing fast identification and reporting on security incidents.
- Erik is a security engineer with a love of all things on the network.
- Matt hates computers, but he needs money so...
PCAP-Facebook-lowQv2.pdf
MD5: a40991920260e47cb6fc650907b3d9a7
Format: application/pdf
Last Update: June 7th, 2024
Size: 804.86 Kb
- MY
Practical Workflow for Automation and Orchestration of Addressing Cyber. Threat: Case Study of Mirai Botnet in Malaysia
Megat Muazzam Abdul Mutalib (CyberSecurity Malaysia, MY)
Megat Muazzam Abdul Mutalib is Head of the Malaysia Cyber Emergency Response Team or in short, MyCERT – a department within CyberSecurity Malaysia. He is responsible in Cyber999 Incident Handling and Emergency Response daily operation, which primarily focuses on incident alert or threat issue, related to Malaysia constituency and the Malware Research Centre. He has various experiences in IT security field such as network security, penetration testing, web security, malware research and honeypot technology. He is recognised for his capability of conducting numerous training and talks for various organisations locally and internationally on topics ranging from introduction to advanced security courses.
He holds a Degree in Computer Science from University Putra Malaysia (UPM) and has wide experience in IT Security for more than 10 years. Actively involves in Cyber Early Warning System project, focusing in the areas of perimeter defense, detection and intrusion analysis. He is the GIAC Certified Intrusion Analyst (GCIA) and Certified Penetraton Tester (GPEN).
The ever-increasing scale, complexity and globalization of cyber attacks require quick detection and eradication of the attacks based on how the information is disseminated across CSIRTS and PSIRTs globally. Having structured information that can be delivered in quick manner is important for quick eradication and mitigation of cyber attacks. In this way it saves time and effort in incident response and post-mortem analysis.
Traditional way of delivering threat intelligent information has limitations that effects the quick response of incidents that may consequently affect immediate preventions of attacks at global. Thus, the need for automation and orchestration of Threat Intelligent Information is critical for quick remediation and eradication of large-scale attacks, at global level, which will be presented in our presentation.
The key points to highlight in this presentation are:
The important roles of CSIRTs and PSIRTs in eradicating and mitigating large-scale cyber attacks on a global level. Share our workflow that illustrates how Threat Intelligent Information is delivered with automation and orchestration for quick and efficient Incident Response. Share our in-house developed tools and applications that we used for automation and orchestration of Threat Intelligent Information delivery for effective mitigation of large-scale global cyber attacks.
Another important factor to address cyber threats on how we use Threat Intelligent Information process to secure our own environment through various blocking, filtering as well as creating a repository of knowledge base index for research analysis and future reference and as a mean to increase our preparedness in facing new and large-scale cyber attacks. Share the work taken by us to further study the behavioral and anatomy of an incident so as to propagate and reduce the effect of similar type of incident in the future.
To prove that the workflow has worked for us, we will highlight a case study on successful Mirai eradication activities in using automation and orchestration of Threat Intelligent Information. This includes how MyCERT received the Threat Intelligent Information on Mirai botnet infected IPs in Malaysia, identification of the infected devices in our constituency until successful takedown of the botnets in Malaysia, which in overall helped to mitigate Mirai botnet infection at the global level.
The presentation hopes to give new insights into the automation and orchestration of Threat Intelligent Information for a comprehensive and global mitigation of new and large-scale cyber attacks.
Chiljon Janssen (Toolset Project), Gershon Janssen and John Sabo (OASIS)
Gershon Janssen is an independent consultant and member of the OASIS Open Standards Group. Gershon has a background in software and infrastructure architecture, distributed systems and integration technologies. Gershon works predominantly on projects, designing and building complex information technology architectures focusing on architecture, SOA, Cloud, Identity and Privacy.
Gershon is a strong promoter of open standards and believes in broad adoption of these and as such participates actively in standards efforts. In OASIS, he sits on the Steering Committee of the e-Government Member Section, and on the identity and privacy related Technical Committees ‘Identity in the Cloud' and ‘Privacy Management Reference Model'. Gershon also sits on the Coordination Committee of the Internet Technical Advisory Committee to OECD, focusing on Information Security and Privacy.
Chiljon Janssen is an experienced all-round software engineer who has been working on large scale software development projects for over 20 years, mostly involved in designing, writing, reviewing and optimizing systems integrations, core back-end components and high-speed transactional processing.
In recent years Chiljon has been involved in various projects running solely from cloud infrastructures, where specific focus was on designing and implementing identity, access and privacy controls.
Chiljon is an active member of the OASIS Privacy Management Reference Model Technical Committee.
Effective cyber threat intelligence sharing requires not only standardized structured information representation and transport mechanisms, but also actionable content and a context in which that content can be rapidly put to use. This in turn means that organizations considering participation in the CTI infrastructure must have a definitive understanding of the assets (data, people, applications, systems) that they must protect and the levels of risk associated with cyber attacks on particular assets.
From that understanding, business owners can make informed decisions about: the levels of sensitivity and priorities associated with particular assets; the threat landscape impacting those assets; potential vulnerabilities; and the business process and technical controls and associated functionality needed to manage cyber risks. The vendor and internal security analysts supporting these organizations then have information needed to focus on the specific targets of the attacks and take steps to deploy defenses more accurately and quickly.
Such an understanding is mandatory. Without it, organizations cannot adequately assess the costs and benefits of making investments in cyber security eco-systems and will have the information necessary to understand the consequences of attacks on their assets. A key component of this is a rigorous analysis, including the mapping of systems and applications and their data against data protection policies. But in today’s networked, cloud-based, and integrated data environments, and the huge growth of IoT, the work required to conduct and deliver such analysis is an order of magnitude greater than ever undertaken before.
Beyond this challenge, cyber security professionals will have significantly greater regulatory responsibilities beginning in May 2018 when the EU General Data Protection Regulation (GDPR) comes into force. The scope of this regulation is very broad, impacting organizations internationally that hold the personal information of EU residents. This would potentially include personally identifiable information (PII) shared for cyber security purposes. And so with the GDPR’s transition to operational compliance in 2018, cyber security professionals engaged in information/intelligence sharing will need to understand and address data protection policies, requirements and controls required by the GDPR.
Further, effective cyber security threat information sharing, particular with respect to exploit targets, campaigns, and incidents, will require a deeper understanding of data privacy and more attention to “non-traditional” vulnerabilities, threats and risks. For example, the GDPR’s clarification of data controller and data processor responsibilities and introduction of new requirements such as the right of erasure, granular consent management, and data protection by design, enlarge the risk management space for security and privacy officers, practitioners and business owners. An effective cyber threat information ecosystem must incorporate.
This panel will provide practical insights that can assist cyber security practitioners in a model and use case-based analytic methodology developed by the OASIS Privacy Management Reference Model (PMRM) technical committee that makes visible the PII that must be protected in specific systems and applications; the data privacy risks that must be managed; the security and privacy requirements, controls and functionality necessary to deliver compliant data protection; and risks associated with failures and/or attacks on that functionality.
This panel will provide actionable insights into:
- Security - Privacy - Data Protection by Design: why “traditional” security paradigms are not sufficient to ensure effective data protection risk management.
- Data discovery and mapping - bringing PII under control – a methodology for finding and managing the personal data an organization receives, processes, stores shares, transfers and retires
- GDPR –what are its implications for understanding targets of attack and data protection risks?
- How the GDPR’s mandates such as granular consent, the “right of erasure,” and shared responsibility across controller and processor domains, require a new understanding for the effective cyber security information sharing
- How the OASIS Privacy Management Reference Model and Methodology (PMRM) and proposed open source tool can support organizations considering using or participating in cyber threat intelligence sharing
- The PMRM methodology –why a comprehensive use-case data protection/privacy management analysis is essential for cyber security professionals
- Implementation - a practical use case demonstrating the application of the PMRM methodology in a government system and the value of a privacy management analysis for addressing the complexity of networked applications, systems, and technical/regulatory boundaries.
- Tools – an introduction to the OASIS PMRM Open Source Tool project.
Thursday-Session-9.pdf
MD5: 03b795eeaa4ff1fabafad7a1457a9a9f
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.62 Mb
Jassim Happa (University Of Oxford )
PROTECTIVE is a cyber threat intelligence sharing platform being developed by a consortium of ten partners from eight European countries, including: three European National Research Educational Networks (NRENs), three academic and four commercial partners. It is being funded by the European Commission's Horizon2020 programme. The platform is a suite of threat intelligence sharing tools that aim at providing security teams with a greater context, threat and situational awareness, and thus improve an organisation's ongoing awareness of risks posed to it by cyber attacks. Specifically, the platform is designed to provide solutions for public domain CSIRTs outside the mainstream of cyber security solution provision. Public CSIRTs needs arise in part because commercial tools do not address their unique requirements. This has created a shortfall, clearly articulated by ENISA of tools with the required analytical and visualization capabilities to enable public CSIRTs provide optimised services to their constituencies.
In the PROTECTIVE project we investigate the state of the art in threat intelligence generation and sharing, and are developing a solution to:
- enhance security alert correlation and prioritisation,
- link the relevance and criticality of an organisations assets to its business/mission,
- investigate how computational trust can be used in threat intelligence sharing, and finally
- establish a public CSIRT threat intelligence sharing community to leverage these solutions. In order to do so, we are studying the current technological and human factor challenges, and attempt to identify what has limited threat intelligence sharing tools from flourishing in the past.
In this talk, I will outline project activities to date, and present our lessons learnt from the first year. I will cover topics such as requirements gathering and specification, which has involved interviewing key members of staff at three NRENs to date about their current practices and procedures, and identified current challenges and limitations. I will also outline the key new capabilities of the platform, related to: threat intelligence aggregation, enrichment, sharing automation, community creation, trust computation (confidence in quality of the data, as opposed to trust in the transportation layer), and General Data Protection Regulation (GDPR) compliance. We are currently in the process of compiling various tools together to form the unified platform. We are also in the process of identifying how threat intelligence generated at large CSIRTs can be used to help Small-to-Medium size Enterprises (SMEs), who normally do not have the time or resources to assimilate threat intelligence and use it to combat threats and attacks.
Next year, two pilot studies will be conducted to evaluate and validate the PROTECTIVE outcomes with CSIRTs from 3 NRENs and with SMEs via a Managed Security Service Provider (MSSP). In the first pilot, intended participating actors are the NRENs, before evaluating and validating the platform for MSSPs in the second pilot. Towards the end of the project, we finally hope to open up the tool to other CSIRTs/CERTs that may be interested in using the platform.
The key take-away for the audience attending this talk are our findings related to:
- lessons learnt in the project overall
- NREN and SME requirements gathering
- presentation of new capabilities in the threat intelligence aggregation, enrichment, automation, and trust computation
- identification of GDPR challenges and how these can (at least partially) be resolved using compliance monitoring
- US
PyNetSim: A Modern INetSim Replacement
Jason Jones (Arbor Networks ASERT, US)
Jason Jones is the Security Architect for Arbor Networks' ASERT team. His primary role involves reverse engineering malware, development of internal malware processing infrastructure, and other development tasks. Jason has spoken at various industry conferences including BlackHat USA, FIRST, BotConf, REcon, and Ruxcon.
Analyzing malware comes with many challenges, one of the common being dealing with network-related issues. Command and control servers may be non-responsive, domain names may no longer be valid, corporate policy may prohibit direct contact with malicious entities and / or the malware may need to have valid contact to fully unpack itself in memory for further static analysis. In these cases, having a host that can act as a gateway and spoof any address requested becomes necessary to achieve the various goals of analysis and is the reason for PyNetSim's existence.
PyNetSim is intended to a modern replacement for the outdated INetSim and an alternative to the Windows-based FakeNet-NG. PyNetSim will a similar feature-set as these tools as well as dynamic protocol detection to account for protocols on non-standard ports, dynamic TLS/SSL support and also support specific botnet protocols via a pluggable architecture.
- BR
Rio 2016 Olympic CSIRT - Creation, Operation and Lessons Learned
Romulo Rocha (Former Rio2016 Commitee and now Tempest Security Intelligence, BR)
Romulo Rocha was part of Rio 2016 Olympic Committee, being responsible for designing,building and acting as incident response leader in CSIRT during olympic games. Romulo has technical knowledge in incident response, data analysis and architecture of IT environments. Graduated in System analysis and development with post-graduation in information security at UFRJ (Rio Federal University), been part of Information Security market for 10 years, working in multiples companies in Brazil.
This is a talk filled with good stories about our journey to establish a CSIRT team for Rio 2016 Olympic Games. A big and ambitious project, with multiple challenges, and a very limited time to put it alive. The participants will see how was our operations during Olympics, photos from our Technology Operations Center, number of incidents, examples of incidents, threat intel timeline and lessons learned from this athletic journey. This presentation provides insights on:
- How was our strategy to put our team ready for the games;
- CSIRT timeline (creation, important dates, highlights, life cycle);
- Our preparation using Cyber Wargames exercises;
- Challenges when dealing with rapid environment growth, government agencies, and third-party companies;
- Threat intel timeline and importance for our CSIRT;
- Lessons learned;
Security Analytics with Network Flows
Sunil Amin (Cisco Lancope)
This talk is introduction in the use of Network Flow telemetry (NetFlow, sFlow, IPFIX) for advanced analytics for security detection and incident investigation. We will start by covering some of the background and history of the protocols and the information they contain. Next, we will cover the techniques that can be used to pre-process the corpus and illustrate some of the analytic techniques that can be applied with real-world use cases and case studies. Finally, we will talk about the FOSS tool that are available to get you up and running as quickly as possible.
- Sunil leads Research and Development for the Cisco Stealthwatch product line and is responsible for providing the technology direction for the advanced security analytics capabilities of the products. Prior to joining Cisco, Sunil was Chief Scientist at Lancope and drove the innovation behind the Stealthwatch products culminating in its acquisition by Cisco in 2015. He also previously held roles at Mitsubishi Telecommunications, Hitachi Telecommunications and Nortel (UK).
Sunil.pdf
MD5: dba6e8da69e3d2ca4815f7e10ddf2ee2
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.07 Mb
SOC Operations on the Autobahn
Adrian Kelly (LVSC Sands Vulnerability Analyst)
STIX Patterning: Viva la Revolución!
Trey Darley (New Context), Jason Keirstead (IBM)
Trey Darley currently serves as Director of Standards Development at New Context. He's been working in infosec for years, including stints at NATO and Splunk's Security Practice. Trey is actively developing security-focused open standards, serving as a co-chair within the OASIS Cyber Threat Intelligence (CTI) Technical Committee responsible for STIX/TAXII and heavily engaged with the OpenC2 Technical Committee. Trey's articles have been featured in publications such as IEEE Security and Privacy and USENIX ;login:. He has presented at a number of security conferences, including O'Reilly Security, BruCON, USENIX LISA, and various FIRST events. Trey is a FIRST Liaison Member, official liaison between OASIS and FIRST, an long-time member of the BruCON organizing committee, Technical Director of the IoT ISAO, and a CISSP.
Jason Keirstead is an IBM Senior Technical Staff Member and a senior product architect for IBM QRadar. He has over 15 years’ experience in security intelligence, and has been highly involved in the design and development of many of IBM Security's portfolio of security intelligence products. Jason loves to work on challenging problems, and his primary mission is to enable simple, intuitive solutions that help to solve the complex security problems of clients.
STIX Patterning is perhaps the most innovative addition to STIX 2.0, yet it is poorly understood. STIX Patterning is the language in which IOCs are conveyed in STIX 2.0 Indicators. But STIX Patterning targets much more than IOCs.
From the beginning, when STIX Patterning was just an inkling in the minds of a few techies working in the CTI TC, the ultimate vision was to create an open interchange format for analytics, such as SIEM correlation rules. The presenters approached the challenge with strong backgrounds in SIEM technology, but from different angles: Jason eats and breathes QRadar whereas Trey groks Splunk. They share a common vision for how giving information-sharing communities the ability to share analytics at a level beyond mere IOCs will be a powerful catalyst for improving the security posture of organizations large and small. While there is still work needed to fully realize this vision, the foundations laid in STIX 2.0 will hopefully enable a future where searches, rules, and analytics are not locked into a single evaluating platform.
In this talk Jason and Trey will give an overview of STIX Patterning as currently defined in STIX 2.0. Audience members will receive a quick-reference card as a handout. Jason and Trey will show how to define network indicators (à la Snort) and host-based indicators (à la YARA), then progress to demonstrate how to define more sophisticated indicators correlating potentially malicious behavior across both network sensors and endpoints.
They will show where the language is ultimately heading as powerful new capabilities are added in forthcoming STIX releases, including a sneak peek into the work being done to enable an even more ambitious goal - the sharing of advanced analytics across organizations and platforms.
The audience takeaways will be two-fold:
- a better understanding of the power of STIX Patterning, and
- a vision for why they should be demanding adoption by their tool vendors.
Wednesday-Session-3.pdf
MD5: db4fa43222fa1099e0f00252200cfa96
Format: application/pdf
Last Update: June 7th, 2024
Size: 842.09 Kb
STIX: The 'Infinite Coding Possibilities' Problem
Chris O'Brien (EclecticIQ)
A fully qualified SANS Cyber Guardian, STIX geek and all around nerd, Chris has led teams across both public and private sector cybersecurity and intelligence arenas. Chris started out as an Intrusion Analyst in UK Intelligence working in network analysis, forensics and malware analysis. He held the post of Incident Management Team Lead for GovCertUK and was one of the first Technical Analysts to help establish CERT-UK's Incident Management and Response capabilities before becoming part of the newly formed NCSC UK. Before joining EclecticIQ, Chris held a post as Deputy Technical Director in the NCSC specialising in technical knowledge management to support rapid response to cyber incidents, and is now the Fusion Center's Intelligence Lead, specialising in the cross-correlation of a wide range of threat intelligence feeds to produce bespoke structured intelligence product.
Standardised languages such as STIX have taken huge steps forward to facilitate the translation of threat intelligence to network defence, but often leave the interpretation of a threat (how to represent it in STIX) to the analyst to decide. This has lead us to the unenviable position of having a huge range of communities and Intelligence Production outfits delivering 'structured Intelligence', each having unique interpretations of how to structure the data. This issue is often manageable within closed communities where standard 'libraries' can be agreed upon, but we can't always rely on good practices being adopted universally. Complex cyber security incidents depend on our ability to analyse all intelligence signals, evaluate provenance and make objective decisions on the best courses of action. Refusing to incorporate a data source to your knowledge base because "they don't do STIX right" is simply not an option and potentially misses out on that key indicator that can solve all your problems.
Some great work is ongoing in the OASIS CTI Technical Committee to improve the standard against this issue, but the fact remains that ensuring effective communication of understanding across communities is as much about analyst tradecraft in knowledge management as it is technology and standards. Universal adoption of a single standard, with clear implementation guidelines, is a utopia - and whether or not it ever gets truly realised there will inevitably be a period of transition. It is important to establish a set of simple Standard Operating Procedures (SOPs) to tackle this disparity and support decision making in cyber security incidents. When we do this right, we can reduce the time it takes to go from data, to information, to knowledge and, finally, wisdom.
This talk is for all practitioners of structured intelligence production and consumption, as well as those who write tools to support them. It highlights areas of work already being tackled by the CTI TC to address this issue and potential pitfalls for those still using older versions and/or converting. Recommended SOPs (and some bad practices) are explored to identify how to prepare for version transition and continue to facilitate cross-feed data correlation. Finally we will take a look at how this approach can lead to enhanced Intelligence Product delivery by demonstrating 'hybrid' Intelligence Products that bridge the gap between structured, tactical data and strategic reporting so that C-Suite can understand the same concepts as your SIEM.
Key takeaways:
- An understanding of the challenges in universal standardisation of threat intelligence
- Increased awareness of the improvements in STIX through to version 2.1 to help tackle these issues
- Suggested SOPs for use in STIX production that can be used now, regardless of language or version
- Examples of hybrid reporting products representing both sturctured and unstructured Intelligence value
SWITCH DNS Firewall Update
Matthias Seitz (SWITCH-CERT)
An update of the SWITCH DNS Firewall will be presented. This includes the current status, lessons learned and other important points. Also a overview what have changed on the RPZ market will be presented.
- Matthias Seitz, SWITCH-CERT. Working at SWITCH since 4 years for the Universities /Registry Team.
Technical Training Tips: Bridging the Gap from Cybersecurity Policy to Practice
Mari Galloway (LVSC Vulnerability Analyst) , Marcelle Lee (Threat Researcher, CTIG, LookingGlass Cyber Solutions and CEO, Fractal Sec), Lisa Jiggetts (CEO Women's Society of Cyberjutsu)
Bridging-the-Gap.pdf
MD5: 543b7ab6b4c536c804a730cdfbd95427
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.71 Mb
The Arrr in PSIRT
Beverly Finch is the Program Manager and Coordinator for the Lenovo PSIRT. Beverly built the Lenovo PSIRT from the ground up within a few months, obtaining buy in from all business executives and securing incident response support across all brands. With more than 20 years in the PC industry, Beverly has experience in many roles including Critical Situation Management, Software Development, Accessibility Compliance and Lean Six Sigma. A certified Project Management Professional, PMP®, Beverly brings value to Lenovo’s PSIRT by applying project management and Lean Six Sigma methodologies to improve processes and communications across all teams.
Who determines what a reasonable remediation timeline is for an issue? And how does an organization track and enforce it? In this talk, I will explain some issues our PSIRT encountered with respect to time to fix and the resulting SLO (Service Level Objective) and how we are pushing the industry to respond faster. I'll also provide a view of our dashboard template for metrics tracking & reporting explaining how each metric is important to both our customers and what it means to us internally.
The-Arrr-in-PSIRT.pdf
MD5: b5024ce848d623c42e4564d33c4aedc8
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.56 Mb
- US
The Art of the Jedi Mind Trick: Learning Effective Communication Skills
Jeff Man (Cybrary.it, US)
Jeff Man is a respected Information Security expert, adviser, and evangelist. He has over 33 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Earlier in his career, Jeff held security research, management and product development roles with NSA, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty years, Jeff has served as a pen tester, security architect, consultant, QSA, and PCI subject matter expert, providing consulting and advisory services to many of the nation's best known brands.
The hacker/security community continues to struggle with how to get our message across to others. We know what’s wrong, what’s insecure, and what needs to be done to fix the problems. BUT…we seem to hear more stories about failure rather than success stories. Maybe WE are part of the problem. It’s easy to give a talk at a conference where you’re “preaching to the choir” and everyone speaks your language, but how do you fare when you are trying to give the message to your boss, or your bosses’ boss, or C-Level management?
This workshop/course will explore a variety of techniques that I’ve learned over my 20+ years of consulting/advising customers about how to get the right message to the right people so real change happen.
Topics will include:
overcoming obstacles, roadblocks and challenges;
getting past bad attitudes and misunderstandings (yours and theirs);
practical methods for getting your point across;
helping others to understand what you are saying;
learning to speak their language (e.g. non-technical);
and helping your audience draw the desired conclusion.
Students will have numerous opportunities to speak – both in small groups and also making a presentation to the entire class. We’ll discuss techniques and methods and then practice them, or we’ll attempt some form of communication and then critique how well we do. Students will be expected to evaluate each other on how well we are communicating or putting the techniques into practice, and will provide constructive feedback, share ideas, and collaboratively work together to make everyone a better communicator.
Effective communication, particularly persuasive speech, is part art and part science – and maybe a little luck. I believe there are skills/techniques you can learn that will make you a successful communicator and help you get your message heard.
- US CR
The Ransomware Odyssey: Their Relevance and Their Kryptonite
Marco Figueroa (Intel, US), Ronald Eddings (Intel, US), Sue Ballestero (Intel, CR)
Marco Figueroa is a senior security analyst at Intel whose technical expertise includes reverse engineering of malware, incident handling, hacker attacks, tools, techniques, and defenses. He has performed numerous security assessments and responded to computer attacks for clients in various market verticals. A speaker at Defcon, Hope and other Security and Hacker Conference.
Ronald Eddings is a Cyber Fusion Analyst at Intel with a diverse background in Network Security, Threat Intelligence, and APT Hunting. Mr. Eddings has created a wide variety of security tools in efforts to automate the identification of malicious activity. Additionally, Mr. Eddings has leveraged user behavior analytics to identify and track anomalous network activity.
If the multiple high profile Ransomware in the last couple of years wasn’t a wake-up call to enterprises that Ransomware can infiltrate enterprise networks and compromise the most secure networks in the world, then certainly the recent string of Ransomware that has hit infrastructures like the SF MTA, Megent System or Methodist Hostpital. Once an enterprise gets infected with Ransomware, the potential of the other organization's system being infected are high. Enterprise admins know that backups of systems are essential to business and productive continuity of employees, but the initial infection is the problem we take aim on preventing the initial infection. This talk aims to describe manners in which we have addressed this issue and how we view these Ransomware threats.
Over the last few years, Intel has built up our threat intelligence tracking of APT campaigns and Ransomware Families. We will conclude with how we are further automating the capabilities and, in an unconstrained world, where the Ransomware authors will be targeting next. We will also discuss the cutting-edge techniques ransomware authors will be using in the future and the crippling effects it will have in different market verticals.
The State of Point of Sale (POS) Security
Glen Jones with Steve Mason (VISA Threat Intelligence)
TheHive: a Scalable, Open Source and Free Incident Platform
Saad Kadhi, CERT-BDF
TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It allows analysts to:
- Collaborate: collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously,
- Elaborate: within TheHive, every investigation corresponds to a case. Cases can be created from scratch and tasks added on the go and dispatched to (or taken by) available analysts,
- Analyze: TheHive comes also with an analysis engine. Analyzers can be written in any programming language supported by Linux to automate observable analysis: geolocation, VirusTotal lookups, pDNS lookups, Outlook message parsing, threat feed lookups, ...
Further information can be found on the project’s website at:
https://thehive-project.org
kadhi-saad_slides.pdf
MD5: a93a999e06895456681049b06b8e3ea1
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.14 Mb
- FR
Saâd KadhiSaâd Kadhi (Banque de France, FR)
Saâd Kadhi, head of CERT Banque de France, has over 18 years of experience in cybersecurity.
He discovered incident response and digital forensics in early 2008 and has been working exclusively in this fascinating field since then. He built a CSIRT at a French multinational food-products corporation and worked as an analyst at CERT Société Générale before joining the French national central bank where he leads a team of 20 analysts. He frequently writes information security articles in a leading French magazine. He also co-organizes the Botconf security conference.
TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
-
Collaborate -
Collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker, thanks to the Flow.
- Elaborate -
Within TheHive, every investigation corresponds to a case. Cases can be created from scratch and tasks added on the go and dispatched to (or taken by) available analysts. They can also be created using templates with corresponding metrics to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks.
Each task can have multiple work logs where contributing analysts may describe what they are up to, what was the outcome, attach pieces of evidence or noteworthy files, etc. Markdown is supported.
- Analyze -
You can add one or hundreds if not thousands of observables to each case that you create. You can also create a case out of a MISP event since TheHive can be very easily linked to your MISP instance should you have one. TheHive will automatically identify observables that have been already seen in previous cases.
Observables can also be associated with a TLP and their source (using tags). You can also easily mark observables as IOCs and isolate those using a search query and export them for searching in your SIEM or other data stores.
TheHive comes also with an analysis engine. Analyzers can be written in any programming language supported by Linux to automate observable analysis: geolocation, VirusTotal lookups, pDNS lookups, Outlook message parsing, threat feed lookups, ...
Security analysts with a knack for scripting can easily add their own analyzers (and contribute them back to the community since sharing is caring) to automate boring or tedious actions that must be performed on observables or IOCs. They can also decide how analyzers behave according to the TLP.
- US
Things That Make You Go HMM: Using a Simple Hunting Maturity Model to Establish and Improve your Threat Hunting Program
David J. BiancoDavid J. Bianco (Target, US)
David has over 20 years experience in the information security field, with the last 15 focusing on incident detection and response. He is active in the DFIR and Threat Hunting community, speaking and writing on the subjects of detection planning, threat intelligence and threat hunting. He is the principal contributor to The ThreatHunting Project (http://ThreatHunting.net) and a member of the MLSec Project (http://www.mlsecproject.org). You can follow him on Twitter as @DavidJBianco or subscribe to his blog, "Enterprise Detection & Response" (http://detect-respond.blogspot.com).
A CISO that's heard that her organization needs to "get a hunt team" may legitimately be convinced that an active detection strategy is the right move, and yet still be confused about how to describe what the team's capability should actually be. Organizations who are already doing some sort of hunting may be able to describe their current capabilities yet wonder “Where do we go from here?”
This talk first presents a simple Hunting Maturity Model (HMM), discussing the key characteristics and capabilities at each maturity level. Next, we use this model to show an appropriate maturity goal for a brand new capability, and then examine step-by-step what it takes to transition to each of the next levels. We’ll clear up the initial confusion about getting started and offer a roadmap for improvement. At the end of this presentation, attendees will understand what hunting is, what a good hunting capability looks like, and how to move from where they are to where they want to be.
- NO
Threat Ontologies for Cyber Security Analytics
Dr. Martin EianDr. Martin Eian (mnemonic, NO)
Dr. Martin Eian works as a Senior Security Analyst in mnemonic's Threat Intelligence group, and he is the Project Manager for the research project "Semi-Automated Cyber Threat Intelligence". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is an Adjunct Associate Professor at the Department of Telematics, NTNU. He is also a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from the Norwegian University of Science and Technology (NTNU).
The proposed presentation will give the latest research results from both TOCSA and ACT. We presented the preliminary results from both TOCSA, ACT and Oslo Analytics in the conference STIDS2016 in Washington DC in November 2016. The presentation we propose to FIRST 2017 will contain a detailed description of the threat ontology described as an example in [1], and also present the graph database and the added content. The presentation will go further into detail on the use cases where this ontology will add value. Example use cases including:
- Incident Response (attribution of incidents as guidance to evidence collection)
- Threat Hunting (identify presence of known actors in home environment)
- SOC Analyst (especially to classify incidents as targeted or not targeted)
- Threat intelligence analyst (RFI)
Towards a Mature Cyber Threat Intelligence Practice
Richard Kerkdijk (TNO)
Richard Kerkdijk MSc. is a Senior Security Consultant at TNO. He obtained his masters degree in applied physics in 1997 and has been an active player in cyber security ever since. His present role involves strategic advisory work, technical and non-technical security evaluations and coordination of cyber security research and innovation projects. Richard mostly conducts assignments for (CISOs of) telecoms providers (across Europe) and financial institutions (NL), but he has also done commissions for the Dutch National Cyber Security Center (NCSC), the Dutch Cyber Security Council and the Dutch MoD. In addition he acts as vice-chair of the ETIS Information Security WG, an industry body that facilitates collaboration among the CISOs of European telecoms providers. Richard has been involved in a variety of CTI oriented research and advisory projects. Among other things, he led pan-European trials for automated cyber threat intelligence sharing among telecoms providers. In this particular talk, he will present the outcome of a collaborative project with Dutch financials that explored the capabilities required for establishing a mature CTI practice.
Over the past years, the landscape of cyber threats has greatly evolved. To deal with the sophistication and dynamics of present day cyber attacks, many large organizations (especially those with a heavy dependency on ICT) have fundamentally revised their cyber resilience strategies. Most prominently, it has become common to complement traditional (preventive) security controls with elaborate provisions for security monitoring and incident response. Arguably, the next step in this evolution is to establish Cyber Threat Intelligence (CTI) capabilities. In essence, such capabilities serve to anticipate (imminent or emerging) cyber threats rather than awaiting an actual incident.
Collecting and handling CTI is a relatively new area of work. Correspondingly, practices and solutions in this field are largely in the pioneering stage and there is no commonly acknowledged understanding of what would constitute a “mature” CTI practice. Traditional CSIRT service descriptions such as CERT/CC’s Handbook for Computer Security Incident Response Teams (2003) do not fully capture the CTI working area and MITRE’s Ten Strategies of a World-Class Cybersecurity Operations Center (2014), whilst offering a more contemporary perspective that includes a CTI oriented “Intel and Trending” element, is fairly high level in nature.
In view of the above, TNO and (the CTI and CSIRT teams of) three major Dutch financial institutions jointly developed a CTI Capability Framework that can serve as a foundation for establishing effective CTI provisions. This framework encompasses 12 core capabilities that an organization should have in place to fully exploit the potential of CTI. These capabilities span several categories:
- CTI-01 CTI Collection
- CTI-02 Real-Time CTI Processing
- CTI-03 Periodic CTI processing
- CTI-04 CTI Dissemination
- CTI-05 CTI Infrastructure Management
Notably, some capabilities in the framework are operational in nature (e.g. “ingestion of structured CTI” under CTI-01) whereas others serve a strategic or tactical purpose (e.g. “threat landscaping” under CTI-03). CTI Dissemination is a special and sometimes overlooked category that covers such things as CTI community sharing and CTI dashboarding. For each capability, the framework includes conceptual workflows that comprise a viable mixture of automated actions and manual (expert driven) effort.
This presentation will address:
- the vision on the CTI playing field that formed the basis for the capability framework
- the overall structure of the CTI capability framework and the underlying design choices
- examples of specific capabilities with emphasis on those that might not be immediately obvious.
The presentation will also cover some of the lessons that TNO and the involved financials drew from discussing the “how” of Cyber Threat Intelligence and seeking to apply new insights in their existing CTI operations.
Take-aways for attendees will include:
- a broad overview of what a mature CTI practice entails, both in daily operations and in terms of mid and long term security planning
- triggers to revisit existing (operational) CTI provisions that are believed to be satisfactory but might in fact not suffice in the long run
- pointers for defining appropriate requirements when acquiring a cyber threat intelligence platform.
Thursday-Session-3.pdf
MD5: ddfa29bad21580ef2504192ec8b2bab4
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.2 Mb
Richard Struse (The MITRE Corporation)
Mr. Struse serves as the Chief Advanced Technology Officer for the DHS National Cybersecurity and Communications Integration Center (NCCIC) where he is responsible for technology vision and strategy. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was the creator of a high‐performance, extreme high‐reliability communications software platform.
Traditionally, Cyber Threat Intelligence (CTI) has tended to one of two extremes – low-level technical indicators of compromise or very high-level descriptions of adversary groups and their objectives. While both types of information can be extremely useful, there is knowledge that exists in between those two ends of the spectrum that can help organizations improve their defenses against known adversaries. This presentation explores MITRE ATT&CK, a freely-available resource developed by MITRE engineers based on real-world experience in detecting, tracking and interdicting adversary behavior on operational networks.
MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a modeling methodology and suite of threat models to represent common adversary tactics, techniques, and procedures (TTPs) used against computer systems. While the specific ATT&CK model can vary based on the platform and technology domain that it targets, each model consists of the following core components:
- Tactics denoting tactical adversary goals during an attack.
- Techniques describing how adversaries achieve tactical goals.
- Documented adversary usage of techniques.
ATT&CK originated out of a project to classify post-compromise adversary techniques against Microsoft Windows systems to improve detection, however it has since grown to include Linux and MacOS, with additional domains including PRE-ATT&CK, covering pre-compromise, and technology-focused domains like ATT&CK for Mobile, covering pre- and post-compromise for mobile devices.
Since its public release, a hallmark of the ATT&CK project has been to collaborate with the cybersecurity community, both red and blue teams, to improve the model. ATT&CK is now in use by over 100 organizations, including government, non-profit, and commercial companies. MITRE’s role as a non-profit operating in the public interest has allowed us to collaborate with all types of organizations on ATT&CK, with a goal of improving the model for everyone’s use. Examples of collaboration have included a joint blog post on detecting cyber threats, incorporation of ATT&CK techniques and methods of detection into commercial software, and inclusion of new ATT&CK techniques that were not previously covered.
This presentation will provide an overview of ATT&CK and describe how to use it in operational contexts to focus and prioritize defenses. Attendees will learn how they can begin to employ ATT&CK within their organization using freely-available resources.
Wednesday-Session-12.pdf
MD5: 511bfe5d9d1d9b24783bae2f132023b4
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.36 Mb
Vaccination: An Anti-Honeypot Approach
Gal Bitensky ( Minerva)
Malware often searches for specific artifacts as part of its “anti-VM\analysis\sandbox\debugging” evasion mechanisms, we will abuse its cleverness against it. The "anti-honeypot" approach is a method to repel (instead of luring) attackers, implemented by creating and modifying those artifacts on the potential victim’s machine. Once the created artifacts are found by the malware – it will terminate.
My session will include motivations for attackers to use evasion techniques, some in-the-wild examples and effective countermeasures against it. I also wish to perform a short DIY-vaccination demo, including the execution and prevention of a live malware. The script I will use in my demo to vaccinate the
potential victim will be uploaded to GitHub and publicly shared.
- Gal "B1t" Bitensky, 29 years old geek from Tel-Aviv Senior analyst and security researcher, currently repelling attackers on enterprise scale at Minerva "Full stack researcher" – experienced in anything from debugging exploit kits to ICS protocols reverse engineering.
Vaccination.pdf
MD5: d1377a47dd234e1156f403032e451af0
Format: application/pdf
Last Update: June 7th, 2024
Size: 16.44 Mb
- TW RU
Web as ongoing threat vector: case studies from Europe and Asia Pacific
Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW), Vladimir Kropotov (Trend Micro, RU)
Fyodor is a researcher with TrendMicro Taiwan as well as a Ph.D. candidate at EE, National Taiwan University. An early Snort developer, and open source evangelist as well as a "happy" programmer. Prior to that, Fyodor professional experience includes several years as a threat analyst at Armorize and over eight years asa information security analyst responding to network, security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organisations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally.
Vladimir recently joined Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at some of Fortune 500 companies, was head of Incident Response Team at Positive Technologies since 2014, and holds a university degree in applied mathematics and information security. He participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, and many others.
This presentation covers several case studies from incident response sessions in Europe and Asia Pacific region. We analyse attackers tools, exploitation chain, and artefacts discovered on compromised assets in each particular case. We do a comparative case study of several attack attack vectors that leverage web browser components to identify signs of compromise that should be examined by forensic teams to trace such attacks to 'patient-zero' cause of breach.
We demonstrate several cases where attackers used multi-staged exploitation chains and perform fingerprinting of target systems identifying systems suitable for further compromise before serving additional malicious payload.
What are the characteristics of a mature cyber threat intelligence program and how is it measured?
Mark Arena (Intel 471)
Mark Arena founded Intel 471 in 2014 and is the Chief Executive Officer. Intel 471 provides unique and high-value actor-centric cyber threat intelligence collection in support of our customers' information security operations. Mark was previously employed by iSIGHT Partners (now FireEye) as their Chief Researcher. Prior to this, Mark worked at the Australian Federal Police as a technical specialist within the High Tech Crime Operations function. He worked on a number of different crime types when new, unique or emerging technologies were used by criminals that required a solution when no commercial/out of the box solution was available.
This talk is about identifying the characteristics of a mature cyber threat intelligence program and how it can be measured. Traditionally intelligence has been about providing decision support to executives whilst the field of cyber threat intelligence supports this customer type plus also network defenders which have different requirements. By using the intelligence cycle, this talk will seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their cyber threat intelligence program to the next level.
This talk in detail will cover:
- The traditional definition of intelligence.
- How traditional intelligence programs are built to serve consumers who are executives/decision makers.
- An introduction to cyber threat intelligence in that there are now two consumer types.
- How both consumer types need intelligence to support their jobs but that both have different things they need.
- Introduction to the intelligence cycle.
- Finish off the talk with a summary and checkboxes of things which make up a mature intelligence program.
Additional information on the presentation:
-
The traditional definition of intelligence.
-
How traditional intelligence programs are built to serve consumers who are executives/decision makers.
-
An introduction to cyber threat intelligence in that there are now two consumer types: Traditional intelligence consumers (executives/decision makers) and Network defenders (SOC/NOC guys).
-
How both consumer types need intelligence to support their jobs but that both have different things they need. Network defenders are drowning in alerts and need help prioritizing and responding to these. What should they be looking at first? They find some indicators of compromise and is it significant? What technology changes can they make to help prevent/detect high impact events?
Executives need to understand the business impact that cyber threat actors can cause and decisions they could make to reduce risk to the business. What policy or investment decisions can they make that will reduce risk (probability or impact) to their business?
-
Introduction to the intelligence cycle. Talk about each element of the intelligence cycle briefly before covering the following depth:
- Requirements: Walk through a few examples of doing the requirements part of the intelligence cycle. Mentioned that a key part of an intelligence program is having a single prioritized requirements list that reflects your organization’s business risks. These should be strategic goals and updated bi-annually. RFIs/taskings should be sub-sets of these requirements and a key identifier of inadequate requirements is RFIs that fall outside the established requirements.Tie requirements to the intelligence consumer that would need it so when an intelligence report is disseminated, it goes to the correct person or area. Production requirements - What is needed to be delivered to the intelligence customer (the end consumer of the intelligence), for example: What vulnerabilities are being exploited in the world that we can't defend against or detect? Intelligence requirements - What we need to collect to be able to meet our production requirements, for example: What vulnerabilities are currently being exploited in the wild? Collection requirements - The observables/data inputs we need to answer the intelligence requirement, for example: Open source feeds of malicious URLs, exploit packs, etc mapped to vulnerability/vulnerabilities being exploited.
- Collection: Mentioned various intelligence collection sources: open sources, ISACs, security industry mailing lists etc. Mention linking collection sources with pricing/internal resource needs to collection requirements so ultimately an organization can understand the costs associated with fulfilling an intelligence requirement. How to grade intelligence collection, refer to NATO’s admiralty code as a system to evaluating intelligence collection reliability and credibility.
- Processing and Exploitation: Refers to collation of intelligence collection (i.e. in a threat intelligence platform/TIP), automated linking etc.
- Analysis: Talk about intelligence analysis and how this isn’t about reporting facts. Intelligence analysis is about assessing incomplete and disparate pieces of information information to identify patterns that can lead to assessments of what is likely, not likely etc to happen. Introduce words for estimating probability (Kent’s Words of Estimative Probability):
- Certain - 100% - Give or take 0%
- Almost Certain- 93% - Give or take about 6%
- Probable - 75% - Give or take about 12%
- Chances About Even - 50% - Give or take about 10%
- Probably Not - 30% - Give or take about 10%
- Almost Certainly Not- 7% - Give or take about 5%
- Impossible - 0 - Give or take 0%
Ask people if their organizations have intelligence reports that have these words in it? Are they analysing raw collection themselves or copy and pasting reports from intelligence providers? Copying and pasting intelligence reports means you aren’t doing analysis and you are relying on the external vendor to be correct on their assessment and you might not know what collection supported their assessment (unless they provided it). Do you have an intelligence analysis guide for your company? It should cover templates for intelligence reports, style of writing, words to use etc. Also when performing analysis, what information gaps do you have? Identifying these gaps is important so collection can be focused telp fill these.
- Dissemination: Intelligence report is delivered to the intelligence customers. Do you receive feedback from the consumer? Was the report timely? Was it accurate? Was it relevant? What requirements did it meet? Are there any outstanding questions? Feedback is very important as it gives a qualitative metric on the intelligence program. Combined quantitative (i.e. number of intelligence report) and qualitative (consumer feedback) provides the key performance indicators for the intelligence program. Link intelligence reports to the intelligence collection that was used in it so you can effectively identify which sources are valuable and relevant to you and which aren’t.
-
Finish off the talk with a summary and checkboxes of things which make up a mature intelligence program, i.e: A single prioritized requirements list that accurately reflects the organization’s ranked risks. Intelligence collection sources mapped to the requirements they are meeting and their cost. Actual intelligence analysis. Are you producing intelligence or simply consuming others intelligence reporting and pasting it? Is feedback received from intelligence consumers?
Thursday-Session-4.pdf
MD5: b816e63d9e079e4ff70e82ea770b87a6
Format: application/pdf
Last Update: June 7th, 2024
Size: 859.61 Kb
- US
What Metrics Should a CSIRT Collect to Measure Success (Or What Questions Should We Be Asking and How Do We Get the Answers?)
Robin Ruefle (CERT Division, SEI, CMU, US)
Robin Ruefle is the team lead for the CSIRT Development and Training (CDT) team within the CERT® Division at the Software Engineering Institute at Carnegie Mellon University. Her focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs), incident management capabilities, and insider threat programs worldwide. A second focus area has been helping organizations build training and mentoring frameworks, competency and curricula guidance, and readiness assessments. As a member of CERT, Ruefle has worked with numerous organizations to help them plan and implement their incident management and insider threat capabilities. Ruefle has co-authored a variety of publications including Handbook for CSIRTs 2nd Edition, CSIRT Services List, Defining Incident Management Processes for CSIRTs: A Work in Progress, and The Competency Lifecycle Roadmap (CLR): Toward Performance Readiness. She also develops and delivers sessions in the CERT CSIRT and Insider Threat suite of courses. She has co-developed two instruments for evaluation of incident management capabilities: the Incident Management Capability Assessment and the Mission Risk Diagnostic for Incident Management Capabilities. She also worked as a co-author to develop the Insider Threat Program Evaluation (ITPE) assessment instrument and supporting courses for building an Insider Threat Program. Ruefle received an MPIA (Master of Public and International Affairs) and a BA in Political Science from the University of Pittsburgh.
Audrey Dorofee is a senior member of the technical staff in the Software Solutions Division at the Software Engineering Institute, Carnegie Mellon. She has worked in the risk management, cybersecurity, insider threat, and process improvement fields for more than 24 years. Her work at the SEI has included development, training, and transition of advanced risk management and cybersecurity methods, tools, and techniques. Her most recent work focuses on identifying security requirements early in the product life cycle and documenting best practices in security incident management. Prior to the SEI, she worked for the MITRE Corporation and the National Aeronautics and Space Administration (NASA). She has co-authored two books, Managing Information Security Risks: The OCTAVESM Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996).
A key struggle for computer security incident response teams (CSIRTs) and incident management organizations today is determining how successfully they meet their mission of managing cybersecurity incidents. As teams become more mature in terms of operational longevity, they are asking the question “How good am I really doing?” Teams are looking for ways to evaluate their operations to not only identify strengths and weaknesses in processes, technologies, and methods, but also to benchmark themselves against other similar teams. They are looking for quantitative evidence and metrics to show if they are effective in their operations. The question heard repeatedly from established teams seeking to show such effectiveness is “What should I be measuring?” This question also applies to the broader goal of measuring success and to the more specific questions about what data should be collected on a regular basis to support the metrics an organization chooses to report.
This presentation will focus on the work done to date through a collaboration between US-CERT and the CSIRT Development and Training Team within the CERT Division of the Software Engineering Institute to try to identify a recommended set of metrics to be collected by CSIRT/incident management organizations. This will include our work to identify
• the type of questions that should be asked
• examples of the types of data and metrics needed to answer the questions
Included in the discussion will be how we consolidated, categorized, and organized the metrics for better understanding and how all of this can be tied to process improvement.
The presentation will also discuss what others are doing in this area including emerging trends and what is getting traction.
Where Is Identity Driven Security Going?"
Javier Dominguez (Engineer, Microsoft)
- US
Windows Credentials, Attacks, and Mitigation Techniques
Chad Tilbury (SANS Institute, US)
Chad Tilbury has been responding to computer intrusions and conducting forensic investigations since 1998. As Technical Director for CrowdStrike, he provides technical leadership for the services team, driving innovation to support customers in a variety of services, including incident response, remediation, forensic support, penetration testing, intelligence operations, and compromise assessment. He has worked with a broad cross-section of Fortune 500 corporations and government agencies around the world, including service as a Special Agent with the US Air Force Office of Special Investigations. Chad is a Senior Instructor at the SANS Institute and co-author of their FOR408 and FOR508 courses.
Windows credentials are arguably the largest vulnerability affecting the modern enterprise. Credential harvesting is goal number one post-exploitation, and hence it provides an appealing funnel point for identifying attacks early in the kill chain. Credentials are diverse and numerous in Windows, and so are the attacks. Older vulnerabilities like pass the hash, token stealing, and cached credentials still plague modern enterprises. Added to these are a seemingly endless supply of new attacks on Kerberos authentication. No network can be secured without strong credential management.
Microsoft released significant credential theft mitigations in Win8.1, Win10 and Server 2012/2016, and both red and blue teams must quickly update their skills accordingly. Red teamers may suddenly find their favorite techniques obsolete, and will need to adapt to ensure new implementations are tested. Even more important, defenders need to take advantage of newly available mitigation techniques and update credential protection processes immediately.
Attendees will leave this workshop with a deep understanding of Windows credential vulnerabilities, along with knowledge of attack tools and techniques currently used to exploit them. Particular attention will be given to mitigating and detecting threats, focusing limited resources, and evaluating new improvements to the Microsoft credential model. Documentation and reference materials will be provided.
- US DE
You Don't Need a Better Car, You Need to Learn How to Drive: On the Importance of Cyber-Defense Line Automation.
Enrico LovatEnrico Lovat (Siemens Corp, US), Florian Hartmann (Siemens CERT, DE), Philipp Lowack (Siemens CERT, DE)
Enrico Lovat recveived his PhD from the Technical Univerity Munich. In 2016 he started at Siemens CERT where he is the team lead of the Cyber Threat Intelligence team.
Florian Hartmann has a MSc. in Computer Science from the TU Munich and started at Siemens CERT in 2014. He works as an Incident Responder and is responsible for the software development at Siemens CERT.
Philipp Lowack has a MSc. in Computer Science from the TU Munich and started at Siemens CERT in 2013. His main tasks at Siemens CERT are Incident Response and the software development of the analysis frameworks.
Thomas Schreck is a Principal Engineer at Siemens CERT and started there in 2007.
In the work of CSIRT, where every incident is different but many incidents
are similar, it is not uncommon to find recurrent patterns and tasks across
different incidents that could be automatically handled in a systematic way.
In a context like incident handling, where timely response can make a huge
difference in the impact, tooling and process automation are the key to
success.
But automation does not come for free: integrating the plethora of different
security solutions that populates the usual ecosystem of a proper IT
infrastructure is a non trivial effort. That's why recently vendors tend to
move in the direction of single overarching products, that cover everything
(endpoint, malware analysis, TI, reporting , etc).
But do you really need to be "only" as good a single specific vendor is,
with all the possible drawbacks (lockin, updates, subscriptions, etc) that this
choice entails? Isn't it possible to leverage open-source tools and the power
of community effort to achieve a comparable, if not better, result?
At Siemens CERT we embraced the UNIX Philosophy of "one tool for one task"
and worked hard in the past years to develop a set of tools that implements it
and automate their connection. In this talk, we want to share with the FIRST
community our vision and our current efforts towards it.
We believe that sharing the challenges we faced in automating the interplay
of our tools is a valuable contribution to the community. At the same time, we
hope to benefit from the feedback of more experienced member of the community
that may have already faced similar issues. For this reason we also set up a BOF
where we can discuss that topic.
- US
You’re Leaking: Incident Response in the World of DevOps
Levi Gundert (Recorded Future, US)
As Vice President of Intelligence & Strategy at Recorded Future, Levi Gundert leads the continuous effort to measurably decrease operational risk for customers. Previous industry roles include VP of Cyber Threat Intelligence at Fidelity Investments, Technical Leader at Cisco Talos, Principal Analyst at Team Cymru, and U.S. Secret Service Special Agent within the Los Angeles Electronic Crimes Task Force (ECTF).
Gundert is a prolific blogger and sought-after author/speaker, writing articles for Dark Reading, InformationWeek, and SC Magazine.
There is a greater push to build software solutions and rush products out the door. Companies are using DevOps or Agile to quickly iterate through solutions including how they collaborate amongst themselves. They use source code repositories like github or sourceforge to share or work on development projects. Often, accidentally or intentionally, leaking account credentials, intellectual property, ssh-keys, digital certificates, network diagrams, and even PII. Everything an attacker needs to penetrate your network.
This creates challenges for security teams especially those charged with defending networks and data. Many companies are not monitoring for sensitive information being leaked on public source code repositories. They often focus on common cloud services or Data Leak Prevention tools that often do not factor in code repo synchronization or manual puts to them.
The purpose of this talk is to provide ways to monitor and detect leaks to source-code repositories, building an IR playbook for detection / response, managing the response, and lessons learned from actual response situations.
Your Workforce is the Key to Cyber Resilience
Dr. Montana Williams – Author, Professor, Former NICE Program Manager
