Silvio Oertli (SWITCH)
Course level: Beginner in IT-Forensics. The Train the Trainer session is Intermediate.
Intended Audience: People from CSIRTs who may have to seize data or perform forensic analysis on devices.
Pre-requisites: Attendees should bring a laptop that can boot Linux from a USB or CD drive.
Abstract: As a member of a CSIRT you may be asked to do forensic analysis on devices. Most of the time the first step will be the seizure of the device.
In this training you will gain a high-level overview of the field of digital forensics and learn how to properly acquire data from a device.
TF-CSIRT meeting & FIRST Regional Symposium Europe
Tallinn, EE
January 23, 2019 09:00-10:30, January 23, 2019 10:45-12:00, January 23, 2019 13:00-15:30, January 23, 2019 15:45-17:00
Hosted by CERT-EE
MD5: 029bf44e384330eb932e0252b2b1fcf5
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.51 Mb
MD5: cb5e1e009662500c174e0b33bce61766
Format: application/pdf
Last Update: June 7th, 2024
Size: 18.83 Mb
MD5: f7301207e107f4f4db0989b9a17cdce0
Format: application/pdf
Last Update: June 7th, 2024
Size: 29.81 Mb
MD5: 172595ec6e24ccc47332a17c30b01fe9
Format: application/pdf
Last Update: June 7th, 2024
Size: 16.49 Mb
James Chappell (Digital Shadows, GB)
James is the Founder and Chief Innovation Officer at Digital Shadows and one of the authors of CBEST, the Bank of England's standard for threat-led penetration testing. He is a member of BCS, IISP and CREST and one of the chairs of the FIRST Cyber Threat Intelligence SIG.
5 years ago I was asked to participate in a pilot study organised by the Bank of England to explore how threat intelligence could be used in a security test. What followed was a fascinating journey collaborating with penetration testing companies, professional bodies, other threat intelligence companies and financial institutions seeking to understand the effectiveness of threat-led security testing. Today these standards exist as CBEST, TIBER-EU and Asian regulatory testing frameworks.
The pilot programmes were created in collaboration with institutions to respond to criticism that the sector was not taking the results of red team exercises seriously and viewed them as compliance-driven exercises. Similarly, testing teams were following well-trodden paths, but sometimes without justification for why a particular testing path had been chosen. Businesses also sometimes struggled to justify the investment required to address the findings without really understanding how likely a risk was to come to pass.
This talk explores what went well, the opportunities for improvement and how that market has evolved since. We also look to the future of the discipline: with MITRE recently introducing the concept of adversary emulation profiles as part of its work on ATT&CK, this talk also explores the opportunities this creates in threat-led security testing and vulnerability management and how related disciplines.
Participants will learn:
MD5: 1e3daa2bb0797166f4fcb85d4e02f344
Format: application/pdf
Last Update: June 7th, 2024
Size: 20.78 Mb
Andreas Sfakianakis (Royal Dutch Shell, GR)
Andreas Sfakianakis is a cyber threat intelligence and incident response professional. Andreas is currently a CTI analyst at Royal Dutch Shell, based in the Netherlands. He is also a member of the European Network and Information Security Agency's Threat Landscape Stakeholders' Group and an external expert for ENISA and the European Commission. He is a former CTI analyst at Lloyds Banking Group and network and information security expert at ENISA. He has more than 5 years of experience in the cyber threat intelligence field, working and engaging with organizations from the banking and oil & gas sectors, European agencies, CERTs/CSIRTs, law enforcement, intelligence professionals and researchers.
Andreas has been the co-author of a number of reports, namely WEF's Global Risks 2013: "Digital Wildfires in a Hyperconnected World", ENISA's Threat Landscape 2012 and ENISA's report "Exploring the opportunities and limitations of current Threat Intelligence Platforms". He has also participated in reviewing ENISA CERT exercises as well as in various research and innovation proposals for the European Commission. Finally, Andreas was the editor-in-chief of the "Threat Intel Weekend Reads" newsletter for 3 years.
Andreas' Twitter handle is @asfakian!
Since the publication of Mandiant's APT1 report in 2013, the cyber threat intelligence discipline has been widely adopted by organisations globally. We have observed success stories as well as failures of organisations trying to develop CTI capabilities or, in other words, to add value to the business. As a community, it is critical to capture the relevant lessons learned and conduct a status check on these 5 years of applied CTI discipline.
The ultimate goal of this presentation is to identify the areas that organisations should focus on more. Based on our assessment, we identify and deep-dive into the three major areas where most current CTI teams struggle: 1) intelligence direction (such as stakeholder identification and collection of intelligence requirements), 2) intelligence reporting and dissemination, and 3) the CTI analyst's skill set.
Key takeaways of this presentation include:
Andreas_Sfakianakis_FIRST_CTI_2019_v2.0.pdf
MD5: 8b7955a996f76cad813d1e7a44d0f5a6
Format: application/pdf
Last Update: June 7th, 2024
Size: 17.92 Mb
Doug Wilson (Self, US), Nguyet Vuong (Civil / Consensys, US)
Doug Wilson (Ex-Mandiant, FireEye, Uptycs) has almost 20 years in security, but if you look way back, his college degree is actually in design! When not doing security, he has spent a fair bit of the past 15 years attending events that focus on design, and believes that design elements are critical to success in security pursuits. He has presented at numerous security conferences over his career, as well as talks and a workshop at FIRST.
Nguyet Vuong has 16 years of experience as digital designer, and is currently a Co-Founder and Design Lead for Civil (www.civil.co). She has won design industry awards, given numerous presentations, and facilitated workshops on design. She believes in honest and transparent design patterns that respect people’s time and intelligence. She regularly tries to spread the word of how design thinking and processes can make other fields better, including security.
Security practitioners often struggle with collaboration, especially on projects where there are competing or contentious points of view. Design Thinking is a set of tools coming from the world of user experience design that allow for facilitation of discussion so that groups have a more equitable exchange of ideas, and come up with outcomes that more accurately represent a wide variety of views compared to traditional discussion forums.
By participating in a demonstration of a facilitated workshop, participants will realize the benefits of design thinking. This will include how to properly frame problems, ask the right questions, uncover unrealized components of both problems and solutions, and maintain empathy throughout the process so that diverse views are included in all parts of the process. We will attempt to keep the workshop pertinent by tackling a current concern in the security industry today.
wilson-vuong-FIRST-90-workshop-2019-06-12.pdf
MD5: dd239b4524a9cd771e305548647aab56
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.5 Mb
Mayo Yamasaki (NTT-CERT, JP)
Mayo Yamasaki is a researcher at NTT Secure Platform Laboratories and also a member of NTT-CERT in Japan since 2015. He studied information science and natural language processing at NAIST (Nara Institute of Science and Technology). Since he joined NTT he’s been researching and developing software systems for cybersecurity-related information extraction and retrieval with machine learning.
Sharing structured threat intelligence is essential to address increasingly frequent and complex cyberattacks. However, 60% of practitioners use unstructured data representations in daily operations because the existing structured representations, designed for inter-system communication, are complex to write. To tackle this problem, NTT-CERT is developing a lightweight markup language for graph-structured threat intelligence that is easy for both humans and machines to read and write, like Markdown. In this talk, I first introduce a novel lightweight markup language which can easily describe STIX 2.0-compatible graph data with an editing cost of 2 compared with JSON-format STIX and 19% compared with the DOT language. By integrating the language into existing threat intelligence platforms as a new interface, creating and enriching intelligence becomes more efficient. Second, I experimentally demonstrate the capabilities and limitations of the proposed language. Finally, I also demonstrate a system for creating threat intelligence using the proposed language, with practical examples.
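As an added example of the idea behind the talk (a toy notation invented here, not NTT-CERT's language and not material from the slides), a few lines of Markdown-like text describing nodes and edges are compiled into a STIX 2.0 bundle. It shows the size of the gap between what an analyst wants to type and the JSON a STIX consumer needs, and why such a compiler must check that every edge refers to a declared node. The notation, the observable prefixes and the sample are assumptions.

```python
"""Toy line-oriented markup for graph-structured threat intelligence that
compiles to a STIX 2.0 bundle.

The notation below is invented for this example (it is not NTT-CERT's language
from the talk); it exists to show what a human writes versus the JSON that a
STIX consumer needs.

  Node:  <name> : <stix-type> [label, label]     APT-Example : threat-actor [nation-state]
  Edge:  <source> -<relationship>-> <target>     APT-Example -uses-> Dropper.X

Indicator nodes are named with an observable prefix (url:, domain:, ipv4:, md5:)
and get a STIX pattern generated from it."""
import re
import uuid
from datetime import datetime, timezone

NODE = re.compile(r"^(?P<name>.+?)\s+:\s+(?P<type>[a-z-]+)\s*(?:\[(?P<labels>[^\]]*)\])?$")
EDGE = re.compile(r"^(?P<src>.+?)\s+-(?P<rel>[a-z-]+)->\s+(?P<dst>.+)$")
OBSERVABLE = {"url": "url:value", "domain": "domain-name:value",
              "ipv4": "ipv4-addr:value", "md5": "file:hashes.MD5"}


def compile_markup(text: str) -> dict:
    """Parse the markup and return a STIX 2.0 bundle as a plain dict.

    Nodes become SDOs, edges become Relationship objects; an edge that refers
    to an undeclared node is an error, because a dangling *_ref is invalid STIX.
    STIX 2.0 requires 'labels' on threat-actor, malware and indicator; this
    compiler passes labels through but does not enforce that rule."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    ids, objects, edges = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EDGE.match(line)
        if m:
            edges.append((m["src"], m["rel"], m["dst"]))
            continue
        m = NODE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        name, stype = m["name"], m["type"]
        labels = [l.strip() for l in (m["labels"] or "").split(",") if l.strip()]
        obj = {"type": stype, "id": f"{stype}--{uuid.uuid4()}",   # 2.0 mandates UUIDv4
               "created": now, "modified": now}
        if stype == "indicator":
            prefix, _, value = name.partition(":")
            if prefix not in OBSERVABLE:
                raise ValueError(f"unknown observable prefix in {name!r}")
            obj["pattern"] = f"[{OBSERVABLE[prefix]} = '{value}']"
            obj["valid_from"] = now
        else:
            obj["name"] = name
        if labels:
            obj["labels"] = labels
        ids[name] = obj["id"]
        objects.append(obj)
    for src, rel, dst in edges:
        if src not in ids or dst not in ids:
            raise ValueError(f"edge references undeclared node: {src} -{rel}-> {dst}")
        objects.append({"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
                        "created": now, "modified": now, "relationship_type": rel,
                        "source_ref": ids[src], "target_ref": ids[dst]})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objects}


# Constructed sample; the names are placeholders, not real intelligence.
SAMPLE = """\
# APT-Example delivers Dropper.X from a staging URL
APT-Example : threat-actor [nation-state]
Dropper.X : malware [dropper]
url:http://bad.example/dl : indicator [malicious-activity]
APT-Example -uses-> Dropper.X
url:http://bad.example/dl -indicates-> Dropper.X
"""

if __name__ == "__main__":
    import json
    print(json.dumps(compile_markup(SAMPLE), indent=2))
```

Five short lines of markup become five STIX objects with ids, timestamps and cross-references, which is the editing cost the talk is measuring; the compiler refuses an edge to a node that was never declared instead of silently emitting a broken reference.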
1730-A-Lightweight-Markup-Yamasaki-2-.pptx
MD5: e3d95da49d3294dfe20789c3a748d6f9
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 749.51 Kb
Caitlin Huey (EclecticIQ, NL)
Caitlin Huey is a Senior Threat Intelligence analyst at EclecticIQ Fusion Center. She has been working as an analyst since 2013 and has been involved in various information sharing communities. Prior to that, Caitlin received her Master’s in Security and Intelligence Studies at the University of Pittsburgh.
Within the intelligence community, analyst tradecraft refers to a method, or a portfolio of known structured techniques, methods and skills, that aids an analyst in doing their job. Analysis of Competing Hypotheses (ACH) is commonly cited as a method for evaluating hypotheses against a set of evidence. Analysts operating across several "INTs" have relied on it as a way to effectively test data coming from multiple sources and producers and to measure the evidence against the hypotheses. During the course of an investigation, analysts may need to evaluate what is consistent and inconsistent across a set of hypotheses (H1, H2, H3). ACH improves an analyst's ability to assess and validate an issue with a tested confidence assertion. In CTI, producers and consumers of cyber threat intelligence have largely relied on ACH to evaluate data and analyse it for attribution, patterns, motivations and more. As the use of ACH in CTI evolves, it is leading analysts to find innovative ways to represent and structure the process so that it is scalable to produce and consume.
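The ACH mechanics described above, as a worked example added here (not from the talk or its slides): a small matrix of constructed hypotheses and evidence, scored the way Heuer's method prescribes, by weighted inconsistencies rather than by how much evidence agrees, plus a diagnosticity check for evidence items that do not discriminate between hypotheses at all. Hypotheses, evidence, credibility and relevance weights are placeholders.

```python
"""Analysis of Competing Hypotheses (ACH) scored the way Heuer's method prescribes:
count the evidence that is INCONSISTENT with each hypothesis (weighted by how
much we trust and care about each item) and prefer the hypothesis with the
least inconsistency.  Consistency is deliberately not rewarded, because nearly
any item can be read as consistent with a favoured story.

Hypotheses, evidence, ratings and weights below are constructed placeholders."""
from dataclasses import dataclass, field

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass
class Evidence:
    label: str
    credibility: float              # 0..1: how far the source can be trusted
    relevance: float                # 0..1: how much the item bears on the question
    ratings: dict = field(default_factory=dict)   # hypothesis -> C / I / N

    @property
    def weight(self) -> float:
        return self.credibility * self.relevance


def inconsistency_scores(hypotheses, evidence):
    """Weighted count of inconsistent items per hypothesis (lower is better)."""
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            if item.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += item.weight
    return scores


def rank(hypotheses, evidence):
    """Hypotheses ordered from most to least supported."""
    return sorted(inconsistency_scores(hypotheses, evidence).items(), key=lambda kv: kv[1])


def diagnosticity(hypotheses, evidence):
    """How many distinct ratings each item gives across the hypotheses.
    1 means the item fits every hypothesis equally and should carry no weight
    in the judgement, however compelling it feels on its own."""
    return {item.label: len({item.ratings.get(h, NEUTRAL) for h in hypotheses})
            for item in evidence}


H1, H2, H3 = "H1 criminal group", "H2 state-sponsored", "H3 insider"
HYPOTHESES = [H1, H2, H3]
EVIDENCE = [
    Evidence("E1 lures use internal project code names", 0.9, 0.8,
             {H1: INCONSISTENT, H2: CONSISTENT, H3: CONSISTENT}),
    Evidence("E2 C2 hosted on a bullet-proof hoster", 0.8, 0.6,
             {H1: CONSISTENT, H2: CONSISTENT, H3: INCONSISTENT}),
    Evidence("E3 activity only during UTC+3 office hours", 0.5, 0.5,
             {H1: NEUTRAL, H2: CONSISTENT, H3: INCONSISTENT}),
    Evidence("E4 payload is a commodity RAT", 0.9, 0.4,
             {H1: CONSISTENT, H2: CONSISTENT, H3: CONSISTENT}),
]

if __name__ == "__main__":
    for h, score in rank(HYPOTHESES, EVIDENCE):
        print(f"{h:20s} weighted inconsistency = {score:.2f}")
    for label, distinct in diagnosticity(HYPOTHESES, EVIDENCE).items():
        print(f"{label}: {'diagnostic' if distinct > 1 else 'NOT diagnostic'}")
```

The lowest score wins. E4 rates every hypothesis as consistent and so contributes nothing to the ranking, which is exactly the kind of item an analyst is tempted to over-count; keeping the matrix in code also makes it cheap to re-run when a new item arrives or a credibility estimate changes.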
Audience takeaways include:
A-Place-for-Analysis-of-Competing-Hypothesis-ACH-in-CTI-Huey.pptx
MD5: ad54a7779fe1d94aa85ab66372a80604
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 2.47 Mb
Dr. Martin Eian (mnemonic, NO)
Course Level: Beginner – Intermediate
Intended Audience: Threat analysts/researchers/hunters, SOC analysts, Incident responders
Pre-requisites: Laptop with Linux VM
Hardware requirements: standard laptop; a virtual machine is sufficient. Participants do not need a virtual machine to participate in the ACT training: everything is set up in AWS, so only an Internet connection is needed. Advanced participants who want to use the API and create workers for the platform will need a Python environment; any vanilla Linux distribution (either a VM or installed as the laptop OS) should be more than enough.
Abstract: ACT: The Open Threat Intelligence Platform
The ACT platform is an open source, scalable graph database with support for granular access control and workflow management. ACT enables advanced threat enrichment, threat analysis, visualization, process automation, information sharing, and powerful graph analytics. Its modular design and APIs facilitate implementing new workers for enrichment, analysis, information sharing, and countermeasures.
Key takeaways for the ACT training participants:
The ACT platform source code is available on Github, ISC license (BSD compatible): https://github.com/mnemonic-no
A read-only platform instance pre-loaded with OSINT is available on AWS: https://act-eu1.mnemonic.no https://act-eu1.mnemonic.no/examples/
Topics:
FIRST Training @ 2019 Conference
Edinburgh, GB
June 16, 2019 09:00-10:30, June 16, 2019 10:45-13:00, June 16, 2019 14:00-15:30, June 16, 2019 15:45-18:00
Hosted by FIRST
2019-06-16-ACT-FIRST-Training.pdf
MD5: 3502c6587e9eb1c730a459c844b720ce
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.84 Mb
Leonard Savina (ANSSI, FR)
Savina has a Master of Engineering degree in telecommunications and digital signal processing and started working in IT support in 2003. He specializes in Microsoft infrastructures as a system administrator and IT architect and has been maintaining, securing, deploying, migrating, automating and designing Active Directory environments for about 10 years in sectors such as energy, hospitals and government. Savina is active on Twitter (@ldap389) and blogs at https://ldap389.info/en. In 2017 he joined CERT-FR as a DFIR analyst, where he applies his previously acquired knowledge to handling and investigating cybersecurity incidents.
MD5: c18c3bfc3b011ce398ad0fa3dc787ed2
Format: application/pdf
Last Update: June 7th, 2024
Size: 954.83 Kb
Patrick Ventuzelo (QuoScient, FR)
Patrick Ventuzelo is a French security researcher working for QuoScient GmbH. Previously, he worked for P1 Security, the French Department of Defense (DoD) and Airbus Defense & Space Cybersecurity.
He mainly focuses on reverse engineering and vulnerability research on various platforms, with a strong interest in new research areas such as WebAssembly, smart contracts and blockchain.
Patrick has been a speaker and trainer multiple times at international security conferences such as BlackAlps, hack.lu, Toorcon, REcon Montreal, SSTIC and REcon Brussels.
Patrick is the creator of Octopus (https://github.com/quoscient/octopus), an open-source security analysis tool that supports WebAssembly, to help researchers and analysts.
WebAssembly (WASM) is a new binary format developed through the W3C and supported by all major browsers, including Firefox, Chrome, WebKit/Safari and Microsoft Edge.
More than one year after its "official" release, it is heavily used in the wild for cryptojacking (illegitimate in-browser mining) through online services such as Coinhive, which provide a simple JavaScript API and use a WebAssembly module to make mining more efficient and profitable than pure JavaScript.
First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some cryptominer modules using static and dynamic analysis (reversing, decompilation, DBI, ...) applied to WebAssembly. Finally, I will present some techniques to detect and mitigate them.
Throughout the talk I will use multiple open source tools, as well as Octopus, a security analysis tool for WebAssembly modules that I developed and which is already available on GitHub (https://github.com/quoscient/octopus).
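As an added example (not Octopus and not material from the talk), the following walks the section table of a WebAssembly module, reads the export names and flags those that look like a miner's. The module parsed is constructed inline so the script runs offline; the watch-list of names is an illustrative heuristic, and a real miner is better identified by its code and its WebSocket/JavaScript glue than by export names, which are trivially renamed.

```python
"""Walk a WebAssembly binary's section table, list its export names and flag
names associated with in-browser mining.

The layout used here is the WebAssembly 1.0 binary format: magic '\\0asm',
version 1, then sections as (id byte, LEB128 size, payload); the export section
(id 7) holds (name, kind, index) entries.  Sections this walker does not decode
are skipped by size.  The watch-list is an illustrative heuristic, not Octopus' logic."""
import struct

SUSPICIOUS = ("cryptonight", "hash_cn", "keccak", "_miner")   # illustrative watch-list
EXPORT_KIND = {0: "func", 1: "table", 2: "memory", 3: "global"}


def leb128_u(n: int) -> bytes:
    """Encode an unsigned int as LEB128, wasm's encoding for every count and size."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_leb128_u(buf: bytes, pos: int):
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def sections(module: bytes):
    """Yield (section id, payload) for each section after the 8-byte header."""
    if module[:4] != b"\0asm" or struct.unpack("<I", module[4:8])[0] != 1:
        raise ValueError("not a WebAssembly 1.0 module")
    pos = 8
    while pos < len(module):
        sec_id = module[pos]
        size, pos = read_leb128_u(module, pos + 1)
        yield sec_id, module[pos:pos + size]
        pos += size


def exports(module: bytes):
    """Return [(name, kind, index)] from the export section, [] if there is none."""
    out = []
    for sec_id, payload in sections(module):
        if sec_id != 7:
            continue
        count, pos = read_leb128_u(payload, 0)
        for _ in range(count):
            n, pos = read_leb128_u(payload, pos)
            name = payload[pos:pos + n].decode()
            kind = payload[pos + n]
            index, pos = read_leb128_u(payload, pos + n + 1)
            out.append((name, EXPORT_KIND.get(kind, "unknown"), index))
    return out


def suspicious_exports(module: bytes):
    return [name for name, _, _ in exports(module)
            if any(s in name.lower() for s in SUSPICIOUS)]


def _section(sec_id: int, payload: bytes) -> bytes:
    return bytes([sec_id]) + leb128_u(len(payload)) + payload


def _name(s: str) -> bytes:
    b = s.encode()
    return leb128_u(len(b)) + b


def build_sample() -> bytes:
    """Constructed, valid module: two empty functions of type () -> (), one exported
    under a name a Coinhive-style miner would use and one under a benign name."""
    body = leb128_u(2) + b"\x00\x0b"                                # 0 local decls, 'end'
    return (b"\0asm" + b"\x01\x00\x00\x00"
            + _section(1, leb128_u(1) + b"\x60\x00\x00")            # type section
            + _section(3, leb128_u(2) + leb128_u(0) + leb128_u(0))  # function section
            + _section(7, leb128_u(2)                               # export section
                       + _name("_cryptonight_hash") + b"\x00" + leb128_u(0)
                       + _name("_malloc") + b"\x00" + leb128_u(1))
            + _section(10, leb128_u(2) + body + body))              # code section


if __name__ == "__main__":
    m = build_sample()
    print([sid for sid, _ in sections(m)], exports(m))
    print("suspicious:", suspicious_exports(m))
```

The same walker can be pointed at a module pulled from a browser cache or a proxy capture; the export and import tables are the first thing to triage because they tie the module to its JavaScript caller, while the code section is where the actual hashing loop lives and where a decompiler such as Octopus earns its keep.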
FIRST2019_wasm_cryptominer_full_Patrick-Ventuzelo.pdf
MD5: 5b0c665f495a6655f5b9f4f5c934a5e2
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.76 Mb
Omri Misgav, Udi Yavo (enSilo)
At the beginning of 2018 the security community started experiencing a rapidly increasing trend of malware employing techniques for evading and bypassing defensive solutions. In this talk, we cover the fundamental concepts of hooking, dissect malware samples found in the wild that bypass user-mode hooks and demonstrate why their techniques are so effective. Additionally, we’ll discuss possible adaptations to tactics when conducting malware detection research and performing IR.
Ensilo-Omri-Misgav-Udi-Yavo-Analyzing-Malware-Evasion-Trend-Bypassing-User-Mode-Hooks.pdf
MD5: 238ba8fcc2288bf4fe236c61840c5835
Format: application/pdf
Last Update: June 7th, 2024
Size: 791.01 Kb
Alexander Jäger (FIRST.org)
More and more security tools are being introduced into the cyber ecosystem, which increases the complexity dramatically. To combat that, there are basically two ways to scale:
a. go for a "one tool to rule them all" approach
b. make use of APIs and connect them
For option b, the first step is to collect all tools that are available and discover if and what APIs these tools have. Over a period of several months I did that and open-sourced the list on GitHub (https://github.com/deralexxx/security-apis). Armed with that list, it is easier for security folks to do an inventory of their capabilities as well as to set requirements for future security tools, namely to
I) require them to provide public API documentation
II) integrate with tools on that list
To utilize the APIs you have access to, a so-called security orchestrator might come in, which connects all those APIs and enables you to create workflows across different tools. Another angle of the scenario is that some of the audience are developers themselves; for those I will give some advice on good practice for APIs.
FIRST.org-Alexander-JA-ger-APIs-are-critical-to-security-people.pdf
MD5: 76ccfc7a3d53be6b0cd39d6951929109
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.8 Mb
Jan Kohlrausch (DFN-CERT, DE)
Jan Kohlrausch received a Diploma in computer science from the University of Hamburg in June 2000. Since July 2000 he has worked as a senior member of the development and research team at DFN-CERT Services GmbH. His research interests include honeypots, malware analysis and network forensics.
Security metrics make it possible to quantify information in order to support threat intelligence processes. In this contribution we propose applying metrics to the security data of a clearing house in order to provide quality feedback and situational awareness to the user group as well as to the general CSIRT community. The clearing house collects events submitted by the user group (ISPs and CSIRTs), where the data is gathered by a combination of honeypots, IDS and other sensors such as AV software. Our aim is to advise and motivate other teams in the application of security metrics and to promote information sharing.
FIRST2019_metrics_kohlrausch_brin.pdf
MD5: 8ffe38c1e1e6a469ab921037d0f5d531
Format: application/pdf
Last Update: June 7th, 2024
Size: 748.63 Kb
Richard Gold (Digital Shadows, GB)
Richard Gold is an information security professional experienced in both offensive and defensive security, as well as security engineering. He has worked for Cisco on web proxies and Secure Development Lifecycles (SDLs), AGT International on Internet of Things/SCADA and, currently, Digital Shadows as Director of Security Engineering. He is particularly interested in open source intelligence (OSINT) reconnaissance, Advanced Persistent Threat (APT) campaigns, and offensive security techniques. He is a Certified SCADA Security Architect and holds a PhD in Computer Networking.
Building effective and appropriate threat models for your organization isn’t easy. At its most basic level, threat modelling is a way of structuring thinking around what critical assets an organization has, and which are the likely threats to that organization. However, a company’s own measure of criticality may not match the thought process of an attacker, which means that it can be tricky to understand what constitutes a “critical asset”. Likewise, comprehending what an attacker wants might not be immediately obvious as your organization may only be appealing as a stepping stone in a much larger operation.
This is where MITRE’s PRE-ATT&CK framework comes into its own. Digital Shadows draws on its analysis of US Department of Justice (DOJ) indictments and its collaboration with the MITRE corporation to demonstrate why organizations need to update their threat models now. This session will show how sophisticated adversaries use the files and output of one intrusion (ATT&CK) as reconnaissance for their next attack (PRE-ATT&CK); in other words, ATT&CK often refers to the PRE-ATT&CK phase of a much larger operation. You may assume that your organization is of no interest to a large criminal outfit or sophisticated adversary, but in reality, these attackers may use you as a crucial pivot point to achieve their loftier objectives.
Outlining campaigns in this way has several advantages for defenders. It provides a useful way to identify an adversary’s goals, allowing you to focus on improving the areas most relevant to the risks you face. Using PRE-ATT&CK will also help you determine appropriate mitigation steps for each distinct phase of an attack, based on the actual tactics and techniques being used by threat actors today.
Attendees will learn:
MD5: 1c536c261e9a707e64faecff3edd5124
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.81 Mb
Chip Greene (GE, US), Conrad Layne (GE, US)
Chip Greene
Chip Greene is a leader in the GE CIRT Threat Management Team, responsible for the operational readiness of all analysts, technology and processes within Incident Response. The GE CIRT provides monitoring, detection and response services for all environments, including enterprise, cloud and operational technology, across multiple businesses. Chip holds a Bachelor of Science degree in Information Systems from Virginia Commonwealth University and a Master's degree in Disaster Science from the University of Richmond, along with IT and security industry certifications.
Conrad Layne
Conrad Layne has been a senior cyber intelligence analyst with General Electric since 2013. In this role, Conrad tracks more than 50 nation-state actors, their attacks and TTPs, with efforts focused on cyber-attacks affecting industrial control systems. Conrad holds a Bachelor of Science degree in Digital Forensic Science from Defiance College and a Master's degree in Cyber Security Intelligence from Utica College.
As industrial systems become increasingly cloud connected, threat actors are developing more sophisticated attacks against the IT/OT space. Unlike enterprise level attacks that have often targeted intellectual property or sought financial gain, the IT/OT space is particularly at risk for critical and destructive attacks by these threat actors. New defenses are needed. In this talk, GE CIRT will propose new strategies to track and respond to threat actors using frameworks like the Lockheed Martin Kill Chain and the MITRE ICS/SCADA ATT&CK framework. The presentation will also demo how these frameworks have been used to track, simulate, and stop malicious activity.
FIRST-ATTACKING-THE-CASTLE-GREENE-Attendee-Slides.pdf
MD5: 7b18ef27ba076443c555ab21b4251c55
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.13 Mb
Shane McElligott (Cisco, US)
Shane has nearly 20 years of experience, with the majority of it being at IBM and Cisco Systems. He is a seasoned Data Scientist and AI Developer with a background in network and cloud security. He has experience consulting for businesses of diverse scope and scale; governments and NGOs; health care, academia and scientific research initiatives. Shane is a holder of several patents in the AI, robotics, cloud and security domains. A dual-citizen of the Republic of Ireland and the US, Shane is passionate about creating data privacy-enhancement technology as well as building and advocating for foundational security and ethics solutions within the data science and AI domains.
Privacy Attacks and Differential Privacy, Machine Learning Attacks and Defenses, Challenges, Exploring CVSS Interpretations for ML Vulnerabilities, Where to Learn More
Oslo 2019 FIRST TC: Cold Incident Response
Oslo, NO
October 16, 2019 13:15-14:15
Hosted by Telenor CERT, KraftCERT, mnemonic CERT and Nordic Financial CERT
Jerry Bryant (Intel, US)
Jerry Bryant is the Director of Security Communications for the Intel Product Assurance and Security team (IPAS). Before joining Intel in 2019, he worked in the Microsoft Security Response Center where he was involved in almost every major security/product vulnerability incident since 2001. Jerry is a co-author of the PSIRT Services Framework and of the PSIRT Maturity Profiles companion document. He is also the producer of the PSIRT Services Framework video training hosted by FIRST.org.
Jerry has been a regular speaker at the Microsoft Executive Briefing Center where he educates customers on vulnerability handling, incident response, crisis management, and threat intelligence sharing. When not working or traveling, he is an avid dirt and adventure bike rider with a passion for European motorcycles.
Containment. That is the job of the incident responder once an issue is known, but what happens when news of that vulnerability or breach becomes public? Too often an organization lets a third-party voice become the authority and then becomes reactive, which only makes bad news worse. In a world where headlines are built on Fear, Uncertainty and Doubt (FUD), responders must be proactive and earn the right to tell their own story and control the narrative. It takes purpose, preparation and influence to make awful news just bad and to turn bad news into good news.
MD5: 0fef31c9f24b45456957c7e4493a376d
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.57 Mb
Bakuei Matsukawa (Trend Micro FTR Team, JP), Vladimir Kropotov (Trend Micro FTR Team, DE)
Bakuei is a researcher with the Trend Micro FTR team. He has been with Trend Micro since 1997 and worked as Japan product technical support team leader and malware analysis team leader of Japan Regional TrendLabs before joining the Forward-looking Threat Research (FTR) team in 2012. He was seconded to the INTERPOL Global Complex for Innovation (IGCI) in Singapore from October 2014 to September 2017 to work for INTERPOL as a cyber researcher under the strategic partnership agreement between INTERPOL and Trend Micro, and was involved in the SIMDA botnet takedown, BEC investigations, a joint research paper on the West African underground, and more. He returned to the FTR team in October 2017 as a senior threat researcher. He is currently based in Japan, and cybercrime and Industry 4.0/manufacturing are his current areas of specialization.
Vladimir Kropotov is a researcher with the Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, Black Hat EU and many others.
The presentation examines vulnerabilities and attack vectors in industrial and manufacturing environments. The attack vectors are illustrated with detailed case studies of past incidents. Initial detection of the incident, forensic examination and lessons learned are discussed for each case. We examine several industry-specific attack surfaces and then dive further into incidents where cybercriminals and sophisticated malicious actors targeted industrial environments. These attackers had different objectives, from ransomware attacks to blackmail and industrial espionage, but all ended up being detected in an industrial environment. We will identify several groups and organized criminal gangs that focus on industrial targets and elaborate on how they use industry-specific attack vectors, lures and malware in their operations. We will demonstrate modern trends in attacks on industrial environments and highlight the scale of attack campaigns along with attacker objectives depending on the targets, their geo-locations and the geo-political context.
1100-FIRST2019_Attacks-on-Industrial-and-Manufacturing-Networks.pdf
MD5: 9b006460f786bc9b882271f3e67299c0
Format: application/pdf
Last Update: June 7th, 2024
Size: 28.68 Mb
Jingyu Bao (Netlab, CN), Litao Wu (Netlab, CN), Yang Xu (Netlab, CN)
Jingyu Bao is a security engineer. He currently works in the passive DNS team at Netlab, focusing on cyber threat discovery, intelligence traceability and data analysis.
Litao Wu is a software engineer with a passion for back-end development. He has a wealth of experience in web development and data analysis. He now works at Netlab, where he builds large-scale data stream systems to capture popular attacks in cyberspace.
Yang Xu has been a cyber security analyst since 2010 and is currently a member of the Network Security Research Lab at Qihoo 360 (Netlab), where he focuses on network-traffic/DNS data processing and analysis and threat research. Before joining Netlab, he was a security engineer at NSFOCUS and was involved in many different projects, such as SoC architecture design and implementation and intranet-traffic anomaly detection.
Automatic-discovery-of-malicious-websites-in-NOD.pdf
MD5: 5160d60726832cc3e01dc898b4b50671
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.52 Mb
Tom Alexandrovich (INCD)
INCD-Tom-Alexandrovich-Civil-aviation-cyber-security-threats.pdf
MD5: 0112ebb4334c3354f691a90fb7216742
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.6 Mb
Michael Schwartz (Target, US), Tim Helming (DomainTools, US)
Michael has nearly 20 years of experience in nearly all aspects of IT, and then some. He began his career working the help desk through high school and college and eventually turned that knowledge into his first full-time position, with McKinley Associates in Ann Arbor, MI, as a support specialist. Later he worked as a systems engineer and field support engineer for government contractors. Michael eventually landed his dream job with the FBI as an intelligence analyst, where he was involved in counterterrorism and cybersecurity matters. Michael returned to the private sector with Lookout as an Android malware reverse engineer, and figures he has finally settled down in Minneapolis, MN, with Target as Director of Threat Intelligence Detection Engineering. Michael holds a BA in Political Science from the University of Michigan, an MS in Defense and Strategic Studies from Missouri State, and an MS in Computer Science from the University of Illinois – Springfield.
Virtually every organisation’s network is targeted at one time or another--in some cases continuously--by threat actors seeking to gain privileged access to protected resources. Many of the stages of an attack, as described in popular frameworks such as the Cyber Kill Chain or MITRE’s ATT&CK, depend on various kinds of infrastructure controlled by the adversary. Blue teams, however, often see only a small glimpse of this infrastructure, and in some cases only see it after much damage has been done. Moreover, threat intelligence feeds almost always have blind spots which prevent network defenders from seeing the components of the attack network.
However, more and more organisations are learning the value of profiling and mapping adversaries through analysis of connected infrastructure. This analysis helps blue teams shift their focus to earlier stages of attacks, which in turn can often thwart a campaign before it can cause damage.
In this workshop, presenters Mike Schwartz (Target Corporation) and Tim Helming (DomainTools) will teach key methods of infrastructure analysis, moving from concept to real-world case study to hands-on training.
Part 1 of the workshop will encompass the following stages and concepts:
Part 2 is devoted to hands-on training. Attendees will split into small groups and work cooperatively on exercises specifically developed for this workshop.
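The pivoting the workshop teaches, as an added example that is not the presenters' material: starting from one known-bad domain, walk constructed passive DNS/WHOIS-style records and pull in every domain that shares an IP, nameserver, registrant e-mail or certificate with something already found. Attributes shared by more than a handful of domains are skipped, because a shared hosting IP or a big registrar's nameservers connect everything and would poison the map; the threshold, the field names and the records are this example's assumptions, not any vendor's schema.

```python
"""Map adversary infrastructure by pivoting on shared attributes.

From one known-bad domain, breadth-first over the records: any domain sharing
an IP, nameserver, registrant e-mail or TLS certificate fingerprint with a
domain already in the set is pulled in, and the link that brought it in is
recorded so the chain of reasoning survives into the report.

Attributes carried by more than MAX_FANOUT domains are treated as shared
infrastructure (hosting IPs, popular nameservers, WHOIS privacy addresses) and
are not pivoted on; they connect unrelated tenants and would poison the map.

Records are constructed for this example; field names only mimic what passive
DNS and WHOIS sources return."""
from collections import defaultdict, deque

MAX_FANOUT = 3

RECORDS = {
    "login-secure-update.com": {"ip": "203.0.113.10", "ns": "ns1.cheap-dns.example",
                                "registrant": "ops@protonmail.example", "cert": "sha1:aaa"},
    "account-verify-now.net":  {"ip": "203.0.113.10", "ns": "ns1.cheap-dns.example",
                                "registrant": "privacy@whoisguard.example", "cert": "sha1:bbb"},
    "mail-portal-check.org":   {"ip": "203.0.113.44", "ns": "ns2.other.example",
                                "registrant": "ops@protonmail.example", "cert": "sha1:ccc"},
    "docs-share-files.com":    {"ip": "198.51.100.7", "ns": "ns2.other.example",
                                "registrant": "privacy@whoisguard.example", "cert": "sha1:ccc"},
    # unrelated tenants: shared hosting IP, big registrar NS, WHOIS privacy e-mail
    "bakery.example":          {"ip": "192.0.2.1", "ns": "ns1.bigreg.example",
                                "registrant": "privacy@whoisguard.example", "cert": "sha1:d1"},
    "florist.example":         {"ip": "192.0.2.1", "ns": "ns1.bigreg.example",
                                "registrant": "privacy@whoisguard.example", "cert": "sha1:d2"},
    "plumber.example":         {"ip": "192.0.2.1", "ns": "ns1.bigreg.example",
                                "registrant": "privacy@whoisguard.example", "cert": "sha1:d3"},
    "lawyer.example":          {"ip": "192.0.2.1", "ns": "ns1.bigreg.example",
                                "registrant": "privacy@whoisguard.example", "cert": "sha1:d4"},
}


def index(records):
    """(attribute, value) -> set of domains carrying it, e.g. ('ip', '203.0.113.10')."""
    idx = defaultdict(set)
    for domain, attrs in records.items():
        for key, value in attrs.items():
            idx[(key, value)].add(domain)
    return idx


def pivot(seed, records, max_fanout=MAX_FANOUT):
    """Return (found, skipped): found maps domain -> ((attribute, value), via_domain)
    explaining why it was included (None for the seed); skipped is the set of
    attributes that were too widely shared to pivot on."""
    idx = index(records)
    found = {seed: None}
    skipped = set()
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for key, value in records[current].items():
            linked = idx[(key, value)]
            if len(linked) > max_fanout:            # shared infrastructure, not a pivot
                skipped.add((key, value))
                continue
            for other in linked:
                if other not in found:
                    found[other] = ((key, value), current)
                    queue.append(other)
    return found, skipped


if __name__ == "__main__":
    found, skipped = pivot("login-secure-update.com", RECORDS)
    for domain, via in found.items():
        print(f"{domain:26s} {'seed' if via is None else f'via {via[0][0]}={via[0][1]} from {via[1]}'}")
    print("refused to pivot on:", sorted(skipped))
```

With the threshold in place the walk stops at four domains and records that the WHOIS privacy address was deliberately not followed; raise `max_fanout` to 10 on the same records and every unrelated tenant is swept in, which is the failure mode that gives infrastructure pivoting a bad name when it is done by hand without noting how many domains each attribute touches.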
London, GB
March 18, 2019 09:00-13:00, March 18, 2019 14:00-18:00
Hosted by BT and Digital Shadows
9-Beginner-Tracking-Adversary-Schwartz-Helming.pptx
MD5: f41e8792e70c555773e1e555edb7a644
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 6.2 Mb
Janis Džerins, CERT.LV
It is a well-known fact in the InfoSec community that paste sites are used to anonymously share information that can be (and is) used for illegal and/or unethical activities on the internet (unauthorized access, hacking, DOXing). Static patterns (character and byte sequences, regular expressions) are quite commonly used for information leak detection. The objective of this presentation is to highlight the deficiencies of using such patterns as the sole method of information leak detection, and to propose complementary techniques that increase the usefulness of such applications. We also present a proof-of-concept application in which these techniques are implemented, which is being developed in the framework of the CEF project "Improving Cyber Security Capacities in Latvia".
TF-CSIRT meeting & FIRST Regional Symposium Europe
Tallinn, EE
January 21, 2019 15:30-16:00
Hosted by CERT-EE
2019-tallinn-slides-janis-dzerins.pdf
MD5: 73cff4e4dacf9690661e997c56180341
Format: application/pdf
Last Update: June 7th, 2024
Size: 789.79 Kb
Rezilion, Ex-Paypal, Shlomi Boutnaru
Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf
MD5: 1f6986c3519767ca953491ef3c19905f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.09 Mb
Raphael Vinot (CIRCL, LU)
Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing, or participating in the development of, tools to improve and ease the day-to-day incident response capabilities of the CSIRT he works for, but also of other teams doing similar activities.
We all receive massive amounts of notifications about compromised/malicious/weird IPs, and it is pretty difficult to keep track of all of them in the long term.
Most of the time, they will be ingested by the SIEM, discarded after a while, and that's it.
This talk will show a method and an open source software tool that can be used to aggregate them by autonomous system (AS) and see the evolution of the maliciousness of a specific AS over time.
MD5: fc615dfca0af3c4cf539b31b9495f707
Format: application/pdf
Last Update: June 7th, 2024
Size: 133.8 Kb
Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP), Chiyuki Matsuda (DeNA Co., Ltd., JP), Yusuke Kon (Trend Micro Inc., JP), Keisuke Ito (NTT DATA INTELLILINK Corporation, JP), Fumie Watanabe (DeNA Co., Ltd., JP), Hajime Ishizuka (NTT Security Japan KK, JP), Toshiaki Ohta (Yahoo Japan Corporation, JP)
Yoshihiro Masuda (CISSP, CISM, CRISC) is a manager for Fuji Xerox Co., Ltd. He has led the launch of Fuji Xerox CERT, and is currently engaged in cyber security management of the software products and cloud services Fuji Xerox offers. He is also devoted to the development and dissemination of the tabletop exercise method as chief of the Incident Simulation Exercise working group of the Nippon CSIRT Association, Japan.
Chiyuki Matsuda is currently studying Finance at UC Berkeley after engaging in cyber security at an IT company in Japan for 5 years, where one of her main missions was incident handling. She has also contributed to the CSIRT community in Japan (called NCA; Nippon CSIRT Association) by joining several working groups. This is her second time speaking at the FIRST Annual Conference, presenting an accomplishment of an NCA working group on incident handling exercises.
Yusuke Kon (CEH, CHFI, ECSA, CISSP) is a security analyst for Trend Micro Inc., and his current work is threat information sharing and product support. He has eight years of experience developing incident response exercise kits. He is also a member of TM-SIRT, the CSIRT of Trend Micro Japan.
Keisuke Ito is a member of IL-CSIRT, the CSIRT of NTT DATA INTELLILINK Corporation. Since 2014, he has been engaged in security incident handling in his company and for customers. His other mission is supporting customers in building and operating CSIRTs.
Fumie Watanabe has been engaged in cyber security at an IT company in Japan for 6 years. As a member of DeNA CERT, one of her main missions is cyber security training for employees. Her recent activity includes running table-top workshops for employees. She is also actively running several CSIRT workshops of the Nippon CSIRT Association, and contributing to the promotion of communication among CSIRTs in Japan.
Hajime Ishizuka is a senior consultant for NTT Security Japan KK, and his main work involves security planning, security assessment, support for setting up CSIRTs, and CSIRT maturity assessment. He is also an expert advisor of the Nippon CSIRT Association.
Toshiaki Ohta is an engineer for Yahoo Japan Corporation. He has five years of experience developing telephone exchanges. Since joining Yahoo! Japan in 2000, he has been responsible for the production of web content for entertainment (comics, music, and fashion). He has been working as project manager for the cyber-range project "Yahoo! JAPAN Hardening" since 2016.
Tabletop exercises are an effective way to improve resiliency in incident response. Last year, at the workshop at the FIRST Conference 2018, we conducted a hands-on demonstration of our tabletop exercise method, which provides two features: red team vs. blue team interaction, and random scenario creation using condition cards. From the experience of the tabletop exercises done so far, we recognized the need to include the process of investigating the cause of an attack in the training, so that more realistic incident response training can be delivered.
We will conduct a hands-on demonstration of our tabletop exercise method, which introduces investigation steps such as checking logs on a network architecture diagram. No prior knowledge or skills are assumed of attendees, although basic knowledge of network and system architecture is desirable.
Blue-team-vs.-Red-team-Tabletop-Exercise-to-Train-the-Process-of-Attack-Investigation.pdf
MD5: 4b9affd161959863a0c305ed9daad222
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.39 Mb
Rossella Mattioli (ENISA - European Union Agency for Network and Information Security, EU)
The Reference Security Incident Taxonomy Working Group (RSIT WG) was created by ENISA and TF-CSIRT. The aim of this working group is to enable the CSIRT community to reach a consensus on a reference taxonomy and improve incident classification: https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force
Rossella Mattioli joined ENISA, the EU Cybersecurity Agency, in 2013. Over the years she has worked on threat modelling and security measures for Internet infrastructure, ICS/SCADA, smart grids, Internet of Things, smart cars and aviation. She is currently focusing on supporting European CSIRTs communities to build and advance their incident response capabilities, the “CSIRTs Network” and the Reference Security Incident Taxonomy Working Group.
As the need for information exchange and incident reporting increases, together with the use of automation, it is becoming evident that there is a need for a common language to support incident response. Following a discussion among the CSIRT community at the 51st TF-CSIRT meeting, it was concluded that there is an urgent need for a taxonomy that serves as a fixed reference for everyone. This is why ENISA and TF-CSIRT created the "Reference Security Incident Taxonomy – RSIT WG". This talk will present the latest version of the taxonomy, how the WG works and how this makes incident classification easier and more effective. All info at https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force
1430-Rossella-Mattioli-RSIT-FIRST.pdf
MD5: f12f5083cffb7ccb4c6841a47298715a
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.57 Mb
Michael J. Schwartz (Target, US), Ryan Miller (Target Corporation)
Michael has nearly 20 years of experience in nearly all aspects of IT and then some. He began his career working Help Desk through High School and College and eventually turned that knowledge into his first full-time position with McKinley Associates in Ann Arbor, MI as a Support Specialist. Later he worked as a Systems Engineer and Field Support Engineer for government contractors. Michael eventually landed his dream job with the FBI as an Intelligence Analyst where he was involved in Counterterrorism and Cybersecurity matters. Michael returned to the public sector with Lookout as an Android malware reverse engineer and figures he has finally settled down in Minneapolis, MN with Target as the Director of Threat Intelligence Detection Engineering. Michael holds a BA in Political Science from the University of Michigan, an MS in Defense and Strategic Studies from Missouri State, and an MS in Computer Science from the University of Illinois – Springfield.
Ryan is a Cyber Intelligence Manager with over 16 years of operational intelligence experience in commercial, military and US government environments. He currently works at Target Corporation managing an intel team that provides strategic and operational analysis, proactively tracking cyber threat actors’ capabilities, methodologies, tactics and operations. Ryan also has industry experience with developing and advancing cyber threat intelligence programs, including strategy, operations, processes and capabilities. Plus, he knows Kyle Davis.
Learn the nuts and bolts from the Target CTI program managers. Ryan and Michael have been building, running, and maintaining their CTI program for the last three years and they're here to share a wealth of information on what's worked right, and what's gone horribly wrong. Need to start a program? Need to find a way to measure the performance of your CTI program? Want to avoid some common pitfalls that plague the CTI industry? Then you have no choice but to attend, because we'll put it all on the line for you.
10-Building-Running-Maintaining-Schwartz-Miller.PPTX
MD5: d41d8cd98f00b204e9800998ecf8427e
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 4 Kb
Jesse Bowling (Duke University, US)
Jesse Bowling is the Security Architect and CSIRT Program Manager for Duke University. He has spent over 20 years on staff at academic institutions, public and private, large and small. Professionally, his interests lie primarily in detection and response. In his personal time, Jesse enjoys cooking, spending time with his family, and grumbling nearly inaudibly as he wanders behind his family, turning off lights throughout the house.
Duke University has embarked on a multi-year mission to help lower the difficulty of automated threat intelligence sharing across higher education institutions under the umbrella project STINGAR (Shared Threat Intelligence for Network Gatekeeping and Automated Response). The overarching goal of STINGAR is to enable organizations (especially in higher education) across a wide range of technical and operational maturity and budget resources to collect, analyze, action, and share threat intelligence.
Duke began moving to an “active defense” or “automated response” model for blocking attackers in 2014. Around this same time, we began exploring the use of honeypots for detecting attackers, and found that honeypots provided a very effective way to identify external attackers of common services quickly with low false positive rates. We quickly realized that the data we generated locally could easily be shared to others, and we began making our data available to other schools and organizations.
Based on our experiences, Duke created the STINGAR project with the goals of:
In this presentation we will provide additional background and details on Duke’s experiences with integrating threat intelligence into the overall security program, discuss existing and future features of the CHN system, models of data sharing, and evaluation methods and metrics on effectiveness. We hope to encourage discussion around the general approach, as well as discussions on how others are generating and using threat intelligence, with the hope of identifying new ways that the data we’re collecting can be shared with the community for the benefit of defenders.
1730-1800-Building-STINGAR-Bowling.pptx
MD5: 5cb11f3a14d683fd5115c50dda5a3d2f
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 5.92 Mb
Dave Herrald (Splunk, US), Ryan Kovar (Splunk, US)
Dave is a technical information security professional currently working as a staff security strategist for Splunk. He’s currently focused on the Splunk Boss of the SOC (BOTS), performing research into adversary simulation for blue teams, training technical security teams around the globe, and helping Splunk customers implement advanced security use cases. Dave has worked in various information security roles including pre-sales engineer, strategic security consultant, penetration tester, hands-on security architect/engineer/analyst, and chief information security officer. He’s a regular speaker at Information Security conferences and holds a number of security certifications including GIAC Security Expert (GSE) #79.
Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.
Is your organization using cloud email or considering migrating to the cloud? Chances are the answer to that question is yes! Your end users, IT admins, and management stand to benefit from the advantages and cost savings that cloud email brings with it. However, whether you know it yet or not, this move will very likely introduce a rather large blind spot into your security visibility. Capabilities that security analysts and incident responders have come to depend on in their on-prem solutions often work very differently, or are gone altogether, in popular cloud email offerings. In this talk, we will describe the current state of cloud email visibility for security teams and offer practical, hands-on solutions for Microsoft Office 365 utilizing open source tools like stoQ and LAIKAboss to regain visibility into email headers and analyze attachments.
1600-1630-Cloudy-with-Low-Confidence-Herrald-Kovar.pptx
MD5: d0e07cdeacaa6c5b4731fd8a057c2195
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 207.38 Mb
Shaul Holtzman (Intezer, US)
Genetic Malware Analysis leverages binary code reuse in order to automate malware analysis and accelerate incident response. Intezer’s technology tracks the evolution of software and provides a platform that empowers existing sensors with unique capabilities. Learn how Genetic Malware Analysis can be used at every level of incident response, from detection to containment and remediation.
1630-Code-Reuse-Analysis-Holtzman-.pdf
MD5: 2fa8286fa27e179612a0c9c98e2763f4
Format: application/pdf
Last Update: June 7th, 2024
Size: 55.89 Mb
James Sheppard (Cisco Systems, Inc., US), Jeff Bollinger (Cisco Systems, Inc., US)
Jeff Bollinger joined Cisco Systems in 2002 supporting Cisco's security technologies and solutions in Cisco's global technical support organization. Jeff later moved to the Computer Security Incident Response Team (CSIRT) and rapidly developed its global security monitoring and incident response capabilities.
Jeff helped build and operate one of the world's largest corporate security monitoring infrastructures. Jeff regularly speaks at international FIRST conferences, and occasionally writes for the Cisco Security Blog. He is also the co-author of "Crafting the InfoSec Playbook". Jeff's recent work includes log mining, search optimization, cloud threat research, and security investigations.
James Sheppard is an Information Security Investigator for Cisco's CSIRT team. His primary focus involves data analysis, tool development, and building novel detection techniques to find bad guys. James is also passionate about developing public tools, most notably Malspider, and hopes to share more security research with the community in the near future.
One of the most famous battles in Scottish history was the Battle of Bannockburn in 1314. Outnumbered Scottish soldiers defeated the cavalry of Edward II of England and forced the remaining English army to retreat 140km back to safety. A large part of their success was credited to a specialized defensive formation called the schiltron that foiled attacks from mounted riders and eventually pinned the retreating English against a river and thick marshland.
Their strategic planning and innovative defense techniques led to a major victory.
With the Scottish schiltron as our inspiration, this talk will demonstrate how Cisco’s security team practices its own schiltron drills by arming its analysts and investigators with the training, tools, and preparation necessary to defend castles in new places, detect advanced marauders, and mend walls. Learn how we use internal "Capture the Flag" programs as training, and how we encourage development with an internal "IR Bounty Program".
1100-CSIRT-Schiltron-Final.pdf
MD5: e2db3774105961811fbe7a179fc4af9f
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.13 Mb
ENISA, Andrea Dufkova
Incident response has changed a lot in the last 5 years, and probably even bigger changes can be anticipated in the next 5-7 years. One of the major changes in Europe is caused by the adoption of the EU NIS (Network and Information Security) Directive in 2016. In 2018, ENISA is concentrating its efforts on assisting Member States with their incident response capabilities by providing a state-of-the-art view of the CSIRT landscape and its development in Europe.
ENISA-Andrea-Dufkova-CSIRTs-in-Europe-and-current-trends.pdf
MD5: e311ca369af0b4f69e5d62d099009003
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.3 Mb
Aswami Ariffin (CyberSecurity Malaysia, MY), Megat Mutalib (CyberSecurity Malaysia, MY)
MEGAT MUAZZAM BIN ABDUL MUTALIB is the Head of the Malaysia Computer Emergency Response Team, or in short MyCERT, a department within CyberSecurity Malaysia. He is responsible for the daily operation of Cyber999 Incident Handling and Emergency Response, which primarily focuses on incident alerts and threat issues related to the Malaysia constituency, and for the Malware Research Centre. He has more than 10 years of experience in IT Security, including network security, penetration testing, web security, malware research and honeypot technology.
DR. ASWAMI ARIFFIN is a digital forensic scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX. Currently, Aswami is a Senior Vice President of CyberSecurity Responsive Services Division at CyberSecurity Malaysia.
The nation needs to develop a cyber-protective strategy that is able to provide adequate protection and response mechanisms at the national level and across CNII sectors. A Computer Emergency Response Team (CERT) / Computer Security Incident Response Team (CSIRT) manages the organization's information security risk to an acceptable level. The capability to have a functional CERT/CSIRT is seen as closely connected to the concept of CNII protection.
In addressing cyber threats at the national level, several services that provide a proactive response to malware threats are proposed. This presentation discusses reported cyber security incidents, focusing on APTs and malware threats in Malaysia. The presentation further highlights several case studies on services being implemented in Malaysia, namely CyberDEF (Detection, Eradication, Forensic) and CMERP (Coordinated Malware Eradication & Remediation Project). The objective of these services is to reduce the number of malware infections in Malaysia. The presentation highlights the importance of having these services to ensure a secure, resilient and sustainable CNII.
FIRST-2019-Slides-Dr-Aswami-Ariffin_Megatv2.pdf
MD5: f925d54f72ecac760a46d328468f7a5a
Format: application/pdf
Last Update: June 7th, 2024
Size: 16.85 Mb
Alan Saied (Visma)
Alan is passionate about Security in the context of Machine Learning and Artificial Intelligence. He spends most of his time learning about different data behavioral cases where Machine Learning can be applied. Alan holds a PhD in Computer Security from King's College in London.
Data is the fundamental backbone of any business, and the ability to mathematically "use data to protect data" is the core focus of this talk. In this presentation, we explain how Machine Learning algorithms and data analytics can be used to identify abnormal patterns within complex environments. This will be followed by a discussion of the complications of this approach in terms of false positives, detection accuracy and validity.
Oslo 2019 FIRST TC: Cold Incident Response
Oslo, NO
October 16, 2019 15:35-16:20
Hosted by Telenor CERT, KraftCERT, mnemonic CERT and Nordic Financial CERT
Jasper Hupkens (Z-CERT, NL)
Jasper currently works for Z-CERT as a Security Specialist. Jasper has been involved in security for some years now and likes to think that he brings the other view to the table. In his own time he likes to tinker with all sorts of technologies from analogue to digital ones and also plays the trumpet.
The healthcare sector is complex, consisting of a lot of different parties, standards and products. All of these parties face different threats. Attendees will be presented with an overview of the threat landscape for the Dutch healthcare sector, including examples of responsible disclosures and incidents. One of the new threats is medical devices moving into patients’ homes. This change brings new risks, often overlooked by manufacturers. With this presentation Z-CERT hopes to start new international collaborations within the FIRST community.
1015-FIRST-2019-Z-CERT-Jasper-Hupkens-Defending-the-Dutch-Healthcare-sector.pdf
MD5: 03e8bba325e0a105ebea51ebb81c7ed3
Format: application/pdf
Last Update: June 7th, 2024
Size: 682.98 Kb
Alison Naylor (Red Hat, Inc., US)
Alison Naylor is a Principal Information Security Analyst at Red Hat, Inc. based in Raleigh, North Carolina, USA.
As Incident Responders, we sometimes overlook the importance of conducting effective, compassionate victim interviews. Simply asking a standard list of technical questions isn’t enough! Victims often approach interviews in a heightened emotional state: afraid of possible disciplinary action, embarrassed that they made a mistake, or angry at the attacker that duped them. By exploring active-listening techniques and improving our emotional intelligence, we can elevate our IR-specific interviewing skills. This allows us to collect higher-quality and more consistent data, provide education and reassurance, and ultimately leave our victims with a positive impression of their friendly neighborhood Infosec team.
1200-Alison-Naylor-FIRST-2019-Interview-Techniques-revised.pdf
MD5: 1495a30cb5e75aaf4f330020b15626ca
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.06 Mb
Paul Vixie (Farsight Security, US)
Paul Vixie serves as VP and Distinguished Engineer at AWS Security, and is a Director at SIE Europe U.G. He was previously the founder and CEO of Farsight Security (2013-2021). In addition, he founded and operated the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS, and is a prolific author of open source Internet software including Cron and BIND, and of many Internet standards concerning DNS and DNSSEC. He was CTO at Abovenet/MFN (1999-2001) and worked at DEC Western Research Lab (1988-1993) after dropping out of school in 1980. Vixie earned his Ph.D. in Computer Science from Keio University in 2011.
2019-04-Enriching-Feature-Sets-With-Layered-Microservices-FSWB.pdf
MD5: 16c6a01e3f594f6470f22327b509fb4f
Format: application/pdf
Last Update: June 7th, 2024
Size: 358.55 Kb
Sergey Polzunov (EclecticIQ, NL), Jörg Abraham (EclecticIQ, NL)
Mr. Sergey Polzunov is a Senior Software Engineer in the EclecticIQ Fusion Center. He is responsible for prototyping analyst-centric tools and for technical support of the Fusion Center Threat Intelligence Platform. He is the author of OpenTAXII and has more than 10 years of software development experience.
Mr. Jörg Abraham is a Senior Threat Intelligence Analyst in the EclecticIQ Fusion Center. He is responsible for analyzing Cyber Threats and providing accurate, timely and structured intelligence relevant to EclecticIQ's customers. Before joining EclecticIQ he worked for Royal Dutch Shell for more than 10 years in various Cyber Defense positions. Mr. Jörg Abraham is a Certified Information Systems Security Professional (CISSP) and GIAC Certified Forensic Analyst (GCFA).
CTI as a practice has been getting more traction in recent years. Organizations are beginning to understand how threat intelligence fits into the context of their existing security operations. At the same time, they face difficulties in judging the quality of sources, and eventually fail to assess the return on investment. In this talk, Sergey Polzunov and Jörg Abraham will present how organizations can evaluate the quality of an intelligence source and how structured intelligence aids in making a qualitative statement about the value of an intelligence feed.
The talk will conclude with a PoC demonstrating feed assessment in an automated way.
Attendees will learn:
EVALUATE-OR-DIE-TRYING-Abraham-Polzunov.pdf
MD5: 93c10e55e1c9c1b69976fd6f765f47a1
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.33 Mb
David Zawdie (US)
David is an analyst working in private industry focusing on defending organizations against malicious threats. With over 10 years of experience in information security and computer network defense, David is a passionate blue-team defender and strong advocate of open source software.
Defenders encounter a myriad of ways in which threat actors operate to deliver, exploit and install payloads in order to achieve their objective. Regardless of the methods employed, the needs of an attacker frequently require the use of an object contained in a particular file format. Analyzing various file types requires knowledge of numerous specifications and disparate tools to parse data structures. In addition, there is a need to identify interesting observations from metadata, as well as techniques and embedded objects contained inside bespoke files.
This session will provide background regarding the needs for and requirements of file-centric analysis, demonstrate the effectiveness of popular open source frameworks, and highlight opportunities for extending detection and response efforts. The discussion will include an overview of the frameworks, their approach for presenting a unified system for analysis, and details on how to actively participate in the respective open source projects through contributions that further extend capabilities via new modules and integrations.
At the conclusion of this session, attendees will be able to:
1700-1730-File-Centric-Analysis-Through-Zawdie.pptx
MD5: ff23cb5cfedd46c9892664190aae52e1
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 4.65 Mb
Andy Applebaum (The MITRE Corporation, US)
Andy Applebaum is a Lead Cyber Security Engineer at The MITRE Corporation, where he works on applied and theoretical security research problems. Most of Andy’s work is in MITRE’s internal research and development portfolio on projects at the intersection of security, automation, and reasoning, including as one of the lead researchers on the CALDERA automated adversary emulation project. Outside of research, Andy is a member of MITRE’s ATT&CK team, where his current focus is on using ATT&CK for SOC assessments. Prior to working at MITRE, Andy received his PhD in computer science from the University of California Davis, where his dissertation topic was using argumentation logic for reasoning in security. Andy’s work has been published in multiple conferences and workshops and he has spoken at various industry and academic conferences. In addition to his PhD, Andy holds a BA in computer science from Grinnell College and the OSCP certification.
Adversaries rarely do things in a vacuum: many adversary techniques are stepping-stones that open doors to further execution opportunities, and not ends-in-themselves. Indeed, most techniques have functional requirements that must be met before execution; e.g., to use remote desktop protocol, an adversary must first have access to valid credentials. Understanding these relationships is important for defenders, as it can enable them to hunt more effectively and write better detections.
In this talk, we’ll present three studies we’ve conducted to find dependencies between adversary techniques. Our approaches include a data-driven approach that leverages the MITRE ATT&CK framework and a logical approach that shows how some techniques explicitly enable others. We’ll also present experimental results where we leveraged an automated adversary (CALDERA) to observe how techniques are interleaved in practice. Our results have wide applicability for defenders, and attendees should leave with a better understanding of the importance of technique dependencies.
MD5: f70f15595382cab75ec501c29d3f5843
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.53 Mb
Desiree Sacher (Finanz Informatik, DE)
Desiree is a Security Architect for a Security Operation Center in the financial industry. Through her career she worked in engineering positions for different security vendors and products, until in 2014 she finally became a Security Analyst. She now draws on all of her experience from these jobs, and her connections in the Infosec scene, to create efficient SOCs. Desiree is also a certified GCIA Forensic Analyst, Network Forensic and Cyber Threat Intelligence Analyst.
Have you ever wondered how to get a good sense of your security monitoring rules, but you didn't want to invest in yet another tool? Sometimes, we have all the solutions lying right in front of us and all we need is a different perspective. This talk is about giving this new perspective on the data you are already accumulating, by making a small change to your security monitoring process, with a potentially huge change in your workflow and improved results.
FIRST-Fingerpointing_Falsepositives-Public.pdf
MD5: 9afcf604112a87d17ef7cb9ee9225cd6
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.05 Mb
Christopher Robinson, RedHat
Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.
CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He enjoys herding cats and moonlit walks on the beach.
Avast ye scurvy dogs! Set sail to ADVENTURE with a recap of the year's Open Source security as shared by Red Hat Product Security. Don't walk the plank of jumping into OSS without understanding what ye'er in for!
MD5: 3c370d5716b314b494fee39ece2ecafc
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.18 Mb
Shira Shamban
Account hijackers are today’s bank robbers. These robbers don’t have to come in with their pistols up in the air and shout “this is a robbery!”; they just take over the account and happily mine cryptocurrency until the user pays attention. You might never know this is even happening, but you will be paying the price to your cloud service provider. In this talk I will present a few ways you can easily detect and block such activity in your cloud environment.
Shira-Dome9-aq.-by-check-Point-20.2.19.pdf
MD5: 3f413798ac289b6b1b188dab0e140006
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.77 Mb
Kenneth van Wyk (KRvW Associates, LLC, US)
Ken is an internationally recognized information security expert and author of three popular books, including Enterprise Security: A Confluence of Disciplines (Pearson, 2014), Secure Coding: Principles and Practices (O’Reilly, 2003), and Incident Response (O’Reilly, 2001). He is also a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.
Ken also served for 11 years on the Board of Directors for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He holds a mechanical engineering degree and is a distinguished alumnus from Lehigh University and is a frequent speaker at technical conferences.
You’ve built your CSIRT and planned for every conceivable situation, right? How do you know they’ll succeed when pushed to the breaking point? In a prior FIRST session, Ken van Wyk presented a practical session on how to design and deliver tabletop drills to test your incident response capabilities. This proposal takes that to the next level in a hands-on role play session to spotlight the practical aspects of running a tabletop session. The session will use audience volunteers to take key roles in a fictional company and CSIRT. The team will include key stakeholders in the fictional CSIRT’s general counsel, human resources, media communications, and executive decision team. Van Wyk will then run a tabletop drill with the fictional CSIRT. Following the drill, the audience will then critique the fictional CSIRT’s performance. Attendees will gain practical guidance on how to deliver meaningful tabletop drills that test their CSIRT’s capabilities under fire.
FIRST-Conference-2019-06-Edinburgh-Practical-Tabletops-for-CSIRTs.pdf
MD5: 32e176d9df1cdfcd461288d5e1b40aa0
Format: application/pdf
Last Update: June 7th, 2024
Size: 13.41 Mb
Marika Chauvin (ThreatConnect, US), Toni Gidwani (ThreatConnect, US)
Toni Gidwani is the Director of Research at ThreatConnect and leads ThreatConnect’s research team, an elite group of globally-acknowledged cybersecurity experts dedicated to tracking down existing and emerging cyber threats. Her team routinely publishes research pertaining to cybercrime and nation-state attacks and actors, including a body of work surrounding Russian efforts to hack the 2016 U.S. presidential election. Toni has presented at security conferences worldwide and has appeared in many top journalistic outlets including The Economist, CNN, the Financial Times, and the New Yorker. Prior to joining ThreatConnect, Toni led analytic teams in the U.S. Department of Defense. She also teaches a graduate cybersecurity course at Georgetown University. You can follow her on Twitter @t_gidwani where she tweets about bad puns and cybersecurity.
Marika Chauvin is a Senior Threat Intelligence Researcher at ThreatConnect. Prior to ThreatConnect, Marika helped develop Chevron’s Cyber Intelligence Center, and worked as a contractor with the U.S. Department of State’s Cyber Threat Analysis Division. Marika is a non-state threat actor subject matter expert and has done extensive research focusing on hacktivist and independent hacker groups. Marika lives in New Orleans with her husband, cats, and puppy.
Many teams across the maturity spectrum struggle to show the return on investment for threat intelligence. This talk will focus on developing measures of effectiveness, independent of what tools or vendors you use. Based on multiple surveys, we’ll show where the disconnects are between threat intelligence practitioners, directors, and cybersecurity decision makers and how to focus on the most useful metrics when explaining the value of threat intelligence to your boss.
1130-How-to-Get-Promoted-Gidwani.pdf
MD5: 6a1e2d14c1c5baaf06f4e3b56ef4530d
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.42 Mb
Jessica Butler (NVIDIA, US), Lisa Bradley (NVIDIA, US)
Dr. Lisa Bradley is the Senior Manager for NVIDIA’s PSIRT. Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. Lisa has 20 years of Enterprise-class engineering and leadership experience, including 6+ years of experience leading PSIRT programs, as she previously ran IBM’s. Lisa is part of FIRST’s PSIRT committee and contributed to the FIRST PSIRT Services Framework and training and the PSIRT Maturity document. Lisa has spoken at many tech-related events including FIRST, BSIMM, DerbyCon, ISACA and Security Journey White Belt modules.
Jessica Butler is a Senior Application Developer for NVIDIA’s Security Tools team and is the lead developer for NVIDIA’s Portfolio Manager Tool. Jessica has over 12 years’ experience and earned her MS in Computer Engineering from Washington University in St Louis. She has certifications in Java, Ruby and a CCNA. In her free time Jessica enjoys gardening, kiteboarding and traveling with her family, BJ, Sebastian (4) and Eliza (2).
Did you know a software product is only as strong as what it consumes? The internal components, Open Source Software (OSS), and vendor products that your product relies on can leave you at risk if they do not have a strong security posture and vulnerability management process. We will cover NVIDIA’s path to better dependency management by integrating security into the design of internal components, putting together vendor/OSS questionnaires, creating a product profile tool to map dependencies, utilizing an OSS scanning system, and automatically creating bugs when a dependency has a vulnerability or update. A demo of NVIDIA’s product profile tool will be included.
How-to-manage-the-tangled-web-of-dependencies.pdf
MD5: 2b8c7d7beb265607d664021f9eaed622
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.03 Mb
Brian Baskin (Carbon Black, US), John Holowczak (Carbon Black, US)
John Holowczak began his cyber security career in Carbon Black's Security Operations Center (SOC), focusing on defense. With his domain knowledge, John moved onto Carbon Black's Threat Analysis Unit to focus on automation of threat detection and building out infrastructure for large scale malware analysis. Within the field of threat detection and analysis, John focuses on binary classification, dynamic analysis and Threat Hunting. He maintains an interest in tool development, both for CarbonBlack's SOC and for threat research.
Brian Baskin is a Threat Researcher with Carbon Black’s Threat Analysis Unit with a specialty in digital forensics, incident response and malware analysis. Baskin was previously an intrusions analyst for the US Defense Cyber Crime Center. For over 15 years he has researched responses to cyber threats. He has authored multiple security books and develops software for more efficient malware analysis.
Visibility is the core component in any SOC, from continual monitoring to incident response. While having a simple interface helps to display data, sometimes advanced hunting requires moving beyond the interface and delving into data that’s likely never been documented. This presentation focuses on building a better understanding of your environment and hunting for unknown threats that lie within.
Public-_Hunting-and-Automation-Using-Open-Source-Tools_FIRST.pdf
MD5: 2bbabeaf90c3d8a615e440fd3ba8bfc9
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.21 Mb
Cyber Cupula, David Barkay
MD5: ea335fb9607fa0f8f64b5d31fdec20f4
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.61 Mb
Benjamin April (Farsight Security, US)
Indicators of Compromise (IoC)s, blacklists and whitelists provide only a partial view of a cyberattack. Since every transaction on the Internet – good or bad – involves the Domain Name System (DNS), hunt teams are increasingly using Passive DNS to gain new information and draw connections among these static IoCs as well as gain new digital artifacts for their investigations. We will discuss Passive DNS collection and provide real-world examples, from malicious phishing to illegal pharmaceutical and counterfeit merchandise campaigns, to show how hunt teams use historical passive DNS data to advance their investigations and significantly improve their risk posture. Learn how to use passive DNS to find connections among DNS assets, from IP addresses to domain names and name servers.
MD5: 9e688c8f919f4e39e956f345aae586c9
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.07 Mb
Israel Ministry of Energy's Cyber Center, Efi Kaufman
In order to provide the most accurate risk management score for the Energy sector as a whole and for specific facilities, a very fundamental requirement exists: to know our systems, devices and assets. What is it that we are protecting?
This presentation will review the technical aspects of the work done in the CSC, beginning with the process of ingesting extremely heterogeneous data sources into the Big-Data application, characterizing and normalizing the information, and the way we extract device information and the relationships between devices using the various event types that are logged.
Ministry-of-Energya-s-Cyber-Security-Center-Eli-Kaufman-ICS-OT-devices-....pdf
MD5: 483402af02b3d95e4480cfb60764da13
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.43 Mb
John Bambenek (ThreatSTOP, US)
Every cybercrime starts with a person making decisions, and people are creatures of habit. They pick the same places to go to and order the same foods, and the same is true for criminals: they have patterns of behavior. This talk will cover several efforts to create reputation on providers to determine criminal prevalence by ASN, Registrar, and TLD. This will provide actionable data so defenders can simply opt to block the Internet’s bad neighborhoods and focus effort on those attacks that occur from other locations. Open source data will be provided as part of this presentation and free tools for national CERTs will be offered.
MD5: 879df7f92dfe651dbde83a663fc01304
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 1.04 Mb
Dr. Chih-Hung Lin (Taiwan Network Information Center (TWNIC), TW)
Dr. Chih-Hung Lin has been in the ICT industry for over 20 years and focused on cyber security in the latest 15 years. His research covers Threat Hunting, Malware Analysis, Penetration Testing, and Digital Forensics. He is currently the director of TWCERT/CC at TWNIC in Taiwan. He previously led ICS security teams at Institute for Information Industry and was the head of Research and Development Team at National Center for Cyber Security Technology in Taiwan. He has been in close collaboration over years with universities, national and private research institutes and industries. He received Ph.D. in Computer Science from National Taiwan University of Science and Technology (NTUST) in Taiwan. He is the certificate holder of GCFA, GPEN and CHFI.
As the number of malware samples continues to increase rapidly, waiting two or three minutes for a sandbox to analyze a piece of malware has become intolerable. To improve detection efficiency, several sandboxes that run multiple virtual machines (VMs) simultaneously to perform parallel computation have been developed. However, a few moments are still needed to perform dynamic malware analysis using the sandbox. This talk aims to reduce the latency of dynamic analysis by using a temporal syscall measure as an early stopping technique. This makes the proposed sandbox consume less time performing dynamic analysis than the usual wait time needed for the timeout. This solution does not serve as a substitution technology, but as an augmentation.
FIRST-2019-VTC_Dr.-Chih-Hung-Lin.pdf
MD5: 4e625275f50dc3fe7f1c6bfbd7ccbc81
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.07 Mb
Allan Thomson (LookingGlass, US), Bret Jordan (Symantec, US)
As LookingGlass Chief Technology Officer, Allan Thomson has more than three decades of experience across network, security, and distributed systems technologies. Allan leads technical and architecture strategy across the LookingGlass solutions portfolio.
Allan is also co-chair of OASIS CTI Interoperability Sub-committee that is introducing STIXPreferred certification program for the new STIX/TAXII version 2 standards.
Prior to LookingGlass, Allan served as Principal Engineer at Cisco Systems, Inc., where he led the software architecture and design of the company’s Cyber Threat Defense System and Platform Exchange Grid. He was responsible for overall systems management and security telemetry collection/aggregation, as well as distributed threat analysis/intelligence services in multi-tenant public and private cloud deployments.
Before joining Cisco, Allan oversaw the technology growth initiatives of several start-up companies, including Airespace, where he was a Software Architect responsible for the design, development and network management/location tracking of the company’s wireless local area network (WLAN) system.
Bret Jordan is a seasoned business leader and Cybersecurity Architect with over 20 years of experience in cybersecurity. He has worked with an eclectic mix of global enterprise companies, startups, nonprofits, and academic institutions. He currently works at Symantec, where he heads security architecture and standards in the Office of the CTO, and at Carden Memorial School as a pro bono CIO. Bret is currently serving as Chair of the TAXII subcommittee and editor of the STIX and TAXII specifications for the Cyber Threat Intelligence Technical Committee at OASIS and Co-Chair of the Implementation Considerations sub-committee for the OpenC2 Technical Committee at OASIS. Bret also contributes to several IETF working groups and to several Questions in ITU-T Study Group 17.
Today, cyber defenders typically have to manually identify and process prevention, mitigation, and remediation steps in order to protect their systems and networks and address and contain problems identified during and after an incident response.
Due to the increase in number and sophistication of cyber attacks from Threat Actors and Intrusion Sets, the need for a secure mechanism that would enable system and network operators to respond to incidents in machine-relevant time has risen significantly. While some attacks may be well known to certain security experts and cyber researchers, they are often not documented in a way that would enable automated mitigation or remediation. A documented way of describing prevention, mitigation, and remediation actions is critical for cyber defenders to respond more quickly and reduce the exposure from an attack.
This talk will focus on a new technology standard that works with STIX 2.x and TAXII 2.x for creating playbooks and collaborative automated course of action operations for cyber security. This standard combines CTI with the ability to define preventive, mitigative, and remediative steps for effective deployment of security.
1330-1400-Insights-and-Challenges-Thomson-Jordan.pptx
MD5: 2d616a08d6b37fc769aea8703c7149d2
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 1.01 Mb
Dr. Serge Droz (FIRST / FDFA, CH)
Serge Droz is the Vice President OS-CERT at Open Systems, one of the leading managed security service providers in Europe. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. Before joining Open Systems, he worked in academia in Switzerland and Canada, later as a Chief Security Officer of Paul Scherrer Institute, as well as in different security roles at SWITCH for more than 15 years. Serge is a member of the board of directors of FIRST. He also served for 2 years in the ENISA (European Union Agency for Network and Information Security) permanent stakeholder group. Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.
MD5: 36e34c4c175ee5fa7642cbf1d245ce77
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.56 Mb
Monica Whitty (University of Melbourne, AU)
Professor Monica Whitty holds a Chair in Human Factors in Cyber Security at the University of Melbourne, in Australia. She is a member of the Global Futures Communities for Cyber Security for the World Economic Forum and the World Economic Forum Cyber Security Centre. She is also a visiting Professor in Cyber Security at Royal Holloway, University of London. Her work, in particular, examines identities created in cyberspace, online security risks, behaviour in cyberspace, insider threat, as well as detecting and preventing cyberscams. Monica is the author of over 100 articles and 5 books, the latest being: 'Cyberpsychology: The study of individuals, society and digital technologies' (Wiley, 2017, with Garry Young). She has led research projects for both government and industry amounting to over $10 million AUD. More recent projects include the psychology of cyberscams – with an emphasis on how to protect citizens from becoming victimized by these crimes, cultural enablers of cyberscams, protecting privacy in online spaces, educational and training methods in cybersecurity, and developing a conceptual model for insider threat. Prof Whitty is also developing courses for industry, at the University of Melbourne, on how to train employees to act more safely online, and how to develop cybersecurity training courses for the public. She welcomes opportunities to work with new partners.
Insiders can be malicious or non-malicious (e.g., accidentally clicking on a link or leaking a password). This talk, however, focuses on the malicious insider. I will be discussing case studies of insider attacks that took place in the UK to develop a conceptual model for insider threat. The case studies involved interviewing investigators, heads of security, information technologists, law enforcement, security officers, human resource managers, line managers and co-workers who knew the insider. The talk will outline some of the archetypal insiders identified in the research, such as ‘the disgruntled employee’ (often found in studies on insider threat), the show-off, the career criminal, and the addict. The work highlights the multiple pathways to an attack, demonstrating the various types of insiders and methods they employed to attack the organization. I conclude by setting out a conceptual model for insider threat, which stresses the need to continuously seek out methods to close down opportunities as well as to monitor behavior change. It also elucidates potential deterrence and prevention strategies and how these might be ethically and legally applied.
930-Whitty_insider-threat_FIRST_June-2019-compressed.pdf
MD5: cc19a1501b5afe8780df442ef1ac06ff
Format: application/pdf
Last Update: June 7th, 2024
Size: 775.88 Kb
Miranda Mowbray (University of Bristol, GB)
Miranda Mowbray is a lecturer at the University of Bristol, where her research interests include data science for cyber security, and big data ethics. Before moving to the University she did industrial research at HP Labs. She was an invited panellist at the 2017 Global Cybersecurity Summit. In 2018 she did a research project with two postgrad students on subverting the security of a swarm of a hundred small autonomous robots. Miranda is a Fellow of the British Computer Society. Her PhD is in Algebra, from London University.
The Internet of Things is growing fast, and it's not secure. I'll describe some attacks on Things, and discuss how they might have been detected. Analysis of Internet of Things data can detect misconfigurations and other unwanted behaviour as well as attacks: I'll give examples. I'll end by discussing why some Things are so insecure, and what might be done to improve the situation.
Keynote will be held in the Pentland Auditorium – Level 3
MD5: 0379017b146808d3cda64cc453b263f4
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.43 Mb
Merike Kaeo (Double Shot Security, US)
Merike Kaeo is CEO and founder of Double Shot Security. She has over 25 years of experience in pioneering Internet technology deployments and developing strategic security initiatives. Her passion for building cooperation and collaboration between operational, technical, law enforcement and policy sectors in all things related to ‘information security’ has led to many unofficial global liaison roles. In 2007, Merike was instrumental in fostering cooperation and trust among the global operational security community and the Estonian National CERT during the cyber attacks against Estonia.
Merike instigated and led the first security initiative for Cisco Systems in the mid 1990s and authored the first Cisco book on security, Designing Network Security, which was translated into multiple languages and widely used in security accreditation programs. She has held a variety of executive leadership positions and has a deep rooted history in the global Internet community.
Merike is a member of the IEEE, a pioneer member of ISOC and has been an active contributor in the IETF since 1992. She was named an IPv6 Forum Fellow in 2007 for her continued efforts to raise awareness of IPv6 related security paradigms. She is on ICANN’s Security and Stability Advisory Council (SSAC) and the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC).
In recent years Merike has led and contributed to several global threat intelligence sharing initiatives. In 2014 she was part of the EU Network and Information Security (NIS) Working Group 2 that created guidelines and recommendations to promote the sharing of cyber threat information and incident coordination in both the public and private sectors in the EU. She is also the co-chair of the FIRST Information Exchange Policy SIG.
Merike earned a MSEE from George Washington University and a BSEE from Rutgers University.
In the last year we’ve seen more sophisticated attacks exploiting the fundamentally trusted building blocks of the Internet - routing, the domain name system and even digital certificates. How can we regain trust and control of where our data goes and by whom it is seen? This talk focuses on causes of broken trust relationships between protocol developers, software implementers, network operators, corporate executives, security researchers and legal compliance teams. It is time to start renewed vigilance and create effective feedback loops to have continued forward momentum in a chaotic environment that inherently must deal with unverified trust, which will ironically enable renewed trust for the evolving digital society we are creating.
930-FIRST2019-Keynote-Merike_FINAL.pdf
MD5: 894b5c3ce8a1c770ac070dce8fba4a82
Format: application/pdf
Last Update: June 7th, 2024
Size: 26.39 Mb
Leonie Tanczer (University College London, GB)
Dr Leonie Maria Tanczer is Lecturer in International Security and Emerging Technologies at University College London’s (UCL) Department of Science, Technology, Engineering and Public Policy (STEaPP). She is member of the Advisory Council of the Open Rights Group (ORG), affiliated with UCL's Academic Centre of Excellence in Cyber Security Research (ACE-CSR), and former Fellow at the Alexander von Humboldt Institute for Internet and Society (HIIG) in Berlin. Her research focuses on questions related to Internet security and she is specifically interested in the intersection points of technology, security and gender.
Prior to her lectureship appointment, Tanczer was Postdoctoral Research Associate for the EPSRC-funded PETRAS Internet of Things (IoT) Research Hub, where she was part of its "Standards, Governance and Policy" research team. She holds a PhD from the School of History, Anthropology, Philosophy and Politics (HAPP) at Queen's University Belfast (QUB). Her interdisciplinary PhD project included supervision from both social sciences and engineering (ECIT) and focused on hacking and hacktivism. More about her work and current research projects can be found on her website.
The “Internet of Things” (IoT) is creating a range of uncertainties, opportunities, and risks which stretch across technical, economic, and societal domains. As the scale and scope of IoT is meant to drastically increase over the next decades (i.e., 25 Billion connected devices by 2020), it is important to consider “smart” technologies’ privacy, security, as well as safety implications at an early stage. Drawing on Dr Leonie Tanczer’s extensive research experience as part of the UK-wide PETRAS IoT Research Hub as well as her ongoing work on IoT’s implications for domestic violence and abuse victims and survivors, this talk will cover the ongoing governance challenges that characterise the IoT environment as well as the human factors that need to be considered when developing both technical as well as regulatory measures to secure the evolving IoT ecosystem.
MD5: 79342ea23d6f062b03a5baeac861988b
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.44 Mb
McAfee, Raj Samani
Nation-state attacks: is it always the same countries? Or are we witnessing the capability of many nations increasing due to the support of the private sector?
McAfee-Raj-Samani-League-of-Nations.pdf
MD5: 27176fe8d72dcd5919940fb21ea43417
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.62 Mb
Michael Hamm (CIRCL)
Lessons learned in a forensic lab based on real cases.
TF-CSIRT meeting & FIRST Regional Symposium Europe
Tallinn, EE
January 22, 2019 14:00-14:30
Hosted by CERT-EE
MD5: 5fb1a532e3f594e38e4b3f78beecebc0
Format: application/pdf
Last Update: June 7th, 2024
Size: 535.6 Kb
TF-CSIRT meeting & FIRST Regional Symposium Europe
Tallinn, EE
January 21, 2019 16:00-16:50
Hosted by CERT-EE
MD5: 676182a08089a425165e7075be22d3cb
Format: application/pdf
Last Update: June 7th, 2024
Size: 970.1 Kb
Daniel Lunghi and Jaromir Horejsi, TrendMicro
Over the last few years, the security industry has tracked multiple threat actors targeting victims in South Asia. This started in 2013 with the "Hangover" report, and was followed by research including "Snake in the Grass" in 2014, "Patchwork" and "Confucius" in 2016, "Bahamut" and "EHDevel" in 2017 and "Donot" in 2018. Some of these reports suggest that these attacks originate from India.
The targets of these different threat actors are high-profile individuals from various mass media, retail, military, aerospace, banking and diplomatic organizations in the Middle East and South Asian region. The modus operandi of these groups, as well as their infrastructure, might seem unrelated at first, but we have been able to notice some connections after further analysis of the malicious documents, malware samples, phishing pages and other tools used by these groups. These connections may include the backend infrastructure, source code sharing, similar encryption keys and algorithms.
In our research we will present some of these similarities, which lead us to think that these groups are somehow related, possibly even being part of a larger structure.
TF-CSIRT meeting & FIRST Regional Symposium Europe
Tallinn, EE
January 22, 2019 15:20-15:50
Hosted by CERT-EE
Linking_South_Asian_cyber_espionnage_groups-to-publish.pdf
MD5: 2738bd37411c2f35f8359b72827c4cf4
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.62 Mb
Éireann Leverett (Concinnity Risks, GB)
Éireann Leverett once found 10,000 vulnerable industrial systems on the internet.
He then worked with Computer Emergency Response Teams around the world for cyber risk reduction.
He likes teaching the basics, and learning the obscure.
He continually studies computer science, cryptography, networks, information theory, economics, and magic history.
He is also fascinated by zero knowledge proofs, firmware and malware reverse engineering, and complicated network effects such as Braess' and Jevons' Paradoxes. He has worked in quality assurance on software that runs the electric grid, penetration testing, and academia. He likes long binwalks by the hexdumps with his friends.
Éireann Leverett is a regular speaker at computer security conferences such as FIRST, BlackHat, Defcon, Brucon, Hack.lu, RSA, and CCC; and also a regular speaker at insurance and risk conferences such as Society of Information Risk Analysts, Onshore Energy Conference, International Association of Engineering Insurers, International Risk Governance Council, and the Reinsurance Association of America. He has been featured by the BBC, The Washington Post, The Chicago Tribune, The Register, The Christian Science Monitor, Popular Mechanics, and Wired magazine.
He was part of a multidisciplinary team that built the first cyber risk models for insurance with Cambridge University Centre for Risk Studies and RMS.
Can we quantitatively compare eagles to bears or snakes to pandas? Is the infrastructure a threat group uses against us not just for qualitative study, but also for quantitative? If you ever wondered about CryptoWall's ROI compared to CryptoLocker's, this talk is for you!
Our development goal is to understand who burns more infrastructure against us, who has more coders, who uses more domains. We can (and do!) visually represent operational patterns and the amount of infrastructure thrown against us. When managers ask you for your gut feel about different threats, why not paint them a picture with data visualisation and quantitative analysis?
https://github.com/Concinnity-Risks/LogisticalBudget
Got a MISP instance? Go home with strategic analysis of your specific threat landscape.
1430-Logistical-Budget-Leverett.pptx
MD5: 4129b30d77579665c35278c03f980237
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 1.31 Mb
Asaf Aprozper & Gal Bitensky (Minerva Labs)
In this talk we will provide historic background on "traditional" malicious documents, which used nothing but ShellExecute to launch a malicious executable directly. Then we will enumerate the modern techniques employed by malicious documents to successfully evade countermeasures. Once the techniques are known to all, we will present for the first time our research mapping malware families and their tactics over time.
Minerva-Labs-Gal-Bitensky-Asaf-Aprozper-MalDoc-Evolution.pdf
MD5: 270ca62ef5c45995d5719b6633371562
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.98 Mb
Christian O'Flaherty (ISOC, UY), Lucimara Desiderá (CERT.br, BR)
How can MANRS actions prevent incidents:
What problems are we trying to mitigate (description of routing security issues).
How users are affected (real-life example).
How MANRS actions contribute to mitigate those problems (Description of MANRS actions).
Where are those actions configured and how users are protected (example)
How to use MANRS information in a CSIRT:
Where is the information available (MANRS observatory overview)
How can MANRS reduce the diagnosis and troubleshooting time (how to use the Information in the observatory)
MANRS lab (hands on trainings)
How to contribute to MANRS from your CSIRT:
Local Actions (Promoting MANRS)
Observatory (Use it, provide feedback, notify issues, suggest improvements)
Local Trainings (MANRS LAB)
MANRS IXPP
MD5: 563db9aca8496f60e3a4ffff3274677a
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 4.87 Mb
Francesco Bigarella (ING Bank, NL)
Francesco is a threat intelligence analyst at ING Bank. He started as a forensic analyst and soon transitioned to the intelligence world. While learning the craft, he has been looking into ways to support the bank's intelligence program and ended up a firm promoter of the STIX framework. He holds a master's degree in computer science from Leiden University.
Measuring the value of threat intelligence output isn't easy: How do we identify our intelligence gaps? Where should we focus our resources? Did our intelligence output have an impact? Popular frameworks like ATT&CK can be used to establish standardized metrics that map to the intelligence cycle. Join me in exploring how the MITRE ATT&CK™ framework provides the building blocks to gain insights with a measurable business impact. We will also explore how ATT&CK can be extended to provide insights outside its original scope. Because metrics can be fun!
Metrics-and-attack-website.pdf
MD5: 21b25ff4af27d6786c62cc3c0cd995ea
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.2 Mb
Paul Bernal (CSIRT CEDIA, EC)
NXDOMAIN is one of the answers typically ignored or forgotten in the DNS system. This presentation will focus on analyzing the dangers of attempting to modify responses to queries on non-existing domains, how this can affect us as CSIRTs. It will also present a case handled by CEDIA CSIRT and proposals we have prepared for detecting this behavior.
201905-NXDOMAIN-A-dA-jenlo-hacer-su-labor-FIRSTSym.pdf
MD5: 0caa7dc1dc822f952a80570d5b51dab1
Format: application/pdf
Last Update: June 7th, 2024
Size: 573.27 Kb
Christopher Merida (Cisco Systems Inc, US), Jason Kmack (Cisco Systems Inc, US)
Chris Merida is an InfoSec Engineer for Cisco's CSIRT team. Before making a transition to Cisco, Chris was the founder of the InfoSec program at a health organization in Maryland where he participated in several local, state, and Federal events to shape the future of information security for healthcare in the region. After joining Cisco, Chris was assigned to the team that deploys, maintains, and optimizes CSIRT's SIEM on which the playbook is executed. He enjoys making "good" processes "better" and finding ways to utilize an organization's existing technology to improve security. In his free time, Chris enjoys music, organic coffee, and fine liquor (occasionally at the same time).
Jason Kmack is an InfoSec engineer who works for Cisco's CSIRT team. His main focus is on developing software tools that let security analysts do their jobs more efficiently. Additionally, he works on improving backend processes and creating and improving data models for security reporting. In his spare time, Jason tries as often as possible to get lost in video games, television, and pints of micro brews.
Optimize Prime demonstrates how a CSIRT team can improve the efficiency of their SIEM to run plays faster and in near real time. The tool receives a query from a user or playbook management tool, optimizes it, and provides feedback on how the user can restructure the query to be more effective. In this case, we use Splunk's built-in optimizer, best practices for query structure from query experts, data source analytics (size of the data being searched, a measure of entropy for frequently used fields), and deployment benchmarking to give the user a faster query execution time. Operating this tool reduced time-to-detect across all plays by 20 days over a year.
MD5: f42b94776834fd19605eb0de1dc53436
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.35 Mb
Carson Zimmerman (Microsoft, US)
Carson Zimmerman is currently a Cyber Security Operations Center (CSOC) engineering team lead with Microsoft. He has worked in and around CSOCs for about 15 years, holding roles in the CSOC ranging from tier 1 analyst to architect. Previously with MITRE, Carson wrote "Ten Strategies of a World-Class Cybersecurity Operations Center," which can be downloaded for free at http://bit.ly/1sKCOH9. He received a BS in Computer Engineering from Purdue University and an MS in Information Systems from George Mason University.
In this talk, Carson will decompose key metrics for the CSOC, with three consumers in mind: the CSOC itself, executives above the CSOC, and CSOC customers. The presenter will provide example metrics used by leading, mature CSOCs, and point out along the way where those metrics can boost positive outcomes when used wisely, or drive negative outcomes when used poorly. The audience will be able to directly apply these metrics and methods presented in this talk to their own shops. By measuring and reporting in this manner, overall CSOC performance, executive engagement, and customer engagement should improve.
SOC-Metrics-Webinar-for-FIRST-Metrics-SIG-v08a.pdf
MD5: 83d5ba7761ebdd70ec3bfb63cd8d1338
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.78 Mb
Manfred Erjak (Mandiant, AT), Matthew McWhirt (Mandiant, US)
Manfred Erjak is a principal consultant within Mandiant's Security Transformation Services (STS) team and is based in Austria. He is a trusted information security expert and distinguished IT network architect with over 20 years of experience working with utilities, manufacturing, technology, pharmaceutical and Fortune 500 companies. His primary focus is on leading and executing remediation activities, but he also provides expertise with incident response.
Prior to joining Mandiant, Manfred served various information security expert and system architect roles at Infineon Technologies and Cisco Systems. Manfred holds a bachelor’s in network engineering and master’s degrees in communication engineering from the Carinthia University of Applied Sciences.
Matthew McWhirt is a Manager within Mandiant’s Security Transformation Services (STS) team – specializing in remediation and enterprise architecture assessments and hardening. Matthew has over 12 years of experience specializing in security architecture, Active Directory security, and enterprise incident response. Prior to joining Mandiant, Matthew worked as a unit chief within DHS ICS-CERT, specializing in SCADA system security, ICS architecture reviews, and network device security.
Lion Gu (360 Enterprise Security Group, CN)
Lion Gu is a security analyst at 360 Enterprise Security Group. He has been a security professional for over 15 years. He graduated with a B.A. in Electrical Engineering and holds several security certificates, including CISSP, CEH and CCNP. His interests cover all aspects of cyber security, especially malware analysis, cybercrime in general, and web security. He is an active member of the local security community, where he helps businesses, academic institutions, and governments to improve security. He has also presented at conferences including BlackHat, RSA, AVAR and CNCERT Annual. He was formerly with the Forward-looking Threat Research Team of Trend Micro.
Driven by the increased value of cryptocurrency, cybercriminals are hijacking millions of devices to mine cryptocurrencies using cryptojacking malware. Unlike common malware, which targets small consumer devices, modern cryptojacking malware is designed to go after enterprise networks. Critical business processes can be impacted when applications crash or hardware is damaged as a consequence. This new kind of malware is one of the major concerns of incident response teams.
Our talk attempts to bridge the knowledge gap about cryptojacking malware and shed light on the threat actors behind it. We will illustrate the tactics, techniques and procedures of the 8220 Miner Group, which has been conducting cryptojacking attacks for a year and is still active. We also give protection measures derived from our comprehensive survey of 9 cryptomining malware families, including WannaMiner, MsraMiner and ZombieboyMiner.
Protect_Enterprise_Against_Cryptojacking.pdf
MD5: 2beb448859b756bccac835517e9a6729
Format: application/pdf
Last Update: June 7th, 2024
Size: 12.25 Mb
Gijs Peeters (National Cyber Security Centre the Netherlands (NCSC-NL), NL)
Gijs Peeters works as a senior advisor on public-private cooperation and international relations at the National Cyber Security Centre the Netherlands (NCSC-NL). Gijs has been working for some years now on stimulating different forms of public-private cooperation in the Netherlands and is one of the authors of several NCSC guides on how to set up your own cooperation in your sector (ISAC), region or supply chain (https://www.ncsc.nl/english/cooperation).
The Netherlands has a history of active public-private cooperation in different forms. This talk will present our long-term vision. We want to share our journey of getting to where we are now, how we initially set up these different forms of cooperation and where we will go in the future. We'll share our lessons learned so that others can benefit from our positive and negative experiences and build a similar network in their own country.
NCSC-NL has been working closely together with private companies for many years now — bottom-up and by ‘poldering’. We have learned a lot in setting-up sixteen sectoral Information Sharing and Analysis Centres (ISACs). This has worked well, but we want to keep improving. As cybersecurity is gaining importance and permeating our society, we believe central coordination is no longer possible. Thus we are striving towards creating a nationwide network of cybersecurity partnerships, including ISACs but also collective CSIRTs and regional forms of cooperation.
Angela Lindberg (SAP Global Security, CA)
Angela Lindberg is a Security Response Analyst working for SAP, who joined the Product Security Response Team (PSRT) in February 2018. The PSRT manages the responsible disclosure of vulnerabilities reported by security researchers and hackers. In addition, the team facilitates the monthly release of quality security fixes for SAP's Security Patch Day. Angela's main responsibility is to oversee the handling of reported cloud vulnerabilities and to provide leadership to the team members in Vancouver and Bangalore. Prior to joining SAP, Angela worked for a global banking and financial institution in an IT risk management role overseeing information security, technology and operational risk.
In 2018, the SAP Product Security Response Team took over responsibility for handling cloud vulnerabilities reported by our customers. This was a new experience for the team, moving from traditionally supporting an on-premise environment and dealing with external researchers to supporting our customers in the cloud environment. SAP would like to share our experience and the challenges associated with taking over responsibility for supporting the cloud.
Cloud-Presentation-2019_Angela-Lindberg.pdf
MD5: 318391d292ce7cb5b45ce671302e25e8
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.25 Mb
David J. Bianco (SURGE / Cisco, US)
David has more than 20 years of experience in the information security field, with a particular focus on incident detection and response. He is active in the DFIR and Threat Hunting community, speaking and writing on the subjects of detection planning, threat intelligence and threat hunting. He is the principal contributor to The ThreatHunting Project (http://ThreatHunting.net). You can follow him on Twitter as @DavidJBianco or subscribe to his blog, "Enterprise Detection & Response" (http://detect-respond.blogspot.com).
You’ve collected a lot of IOCs, but is your Cyber Threat Intelligence (CTI) process serving you well? Quantity alone doesn’t tell the whole story. What kinds of intel are you collecting and how useful is it for identifying incidents? What are your strongest areas and where are your gaps? Do you know enough about your priority threats to feel confident in your detection stance against them? These are hard questions to answer, and there’s little existing guidance for answering them.
Taking a case study approach, this session will teach attendees how to use models such as the MITRE ATT&CK framework and the Pyramid of Pain to analyze and visualize the quality of their collected CTI information, not just its quantity.
Attendees will learn:
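As an added example that is not from either talk's slides, the following Python takes a constructed indicator set, buckets it by Pyramid of Pain level, computes a weighted quality score, and checks ATT&CK technique coverage against a constructed list of techniques attributed to a priority threat, which is the gap analysis both Francesco Bigarella's abstract and this one call for. The indicator values, the priority technique list and the level weights are assumptions; the ATT&CK IDs are real technique identifiers used purely as sample data.

```python
import re

# Pyramid of Pain levels, cheapest for the adversary to change first.
PYRAMID = ["hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp"]
WEIGHTS = {level: rank for rank, level in enumerate(PYRAMID)}   # hash=0 ... ttp=6 (assumed weights)

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
ATTACK_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed indicator set (not real intel). "atomic" values are classified by
# their shape; everything else carries an explicit type from the producer.
INDICATORS = [
    {"type": "atomic", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "atomic", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "atomic", "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"type": "atomic", "value": "5d41402abc4b2a76b9719d911017c592"},
    {"type": "atomic", "value": "198.51.100.23"},
    {"type": "atomic", "value": "203.0.113.7"},
    {"type": "atomic", "value": "update-check.example.net"},
    {"type": "atomic", "value": "cdn.example.org"},
    {"type": "network_artifact", "value": "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"type": "host_artifact", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"type": "tool", "value": "Mimikatz"},
    {"type": "technique", "value": "T1566.001"},
    {"type": "technique", "value": "T1059.001"},
]

# Constructed: techniques we believe a priority threat uses (assumption, not a real profile).
PRIORITY_THREAT_TECHNIQUES = ["T1566", "T1059", "T1021", "T1486"]


def classify(indicator):
    """Map one indicator to its Pyramid of Pain level."""
    kind, value = indicator["type"], indicator["value"]
    if kind == "technique":
        if not ATTACK_RE.match(value):
            raise ValueError(f"not an ATT&CK technique ID: {value}")
        return "ttp"
    if kind in ("tool", "host_artifact", "network_artifact"):
        return kind
    if kind == "atomic":
        if HASH_RE.match(value):
            return "hash"
        if IPV4_RE.match(value):
            return "ip"
        if DOMAIN_RE.match(value):
            return "domain"
    raise ValueError(f"unclassifiable indicator: {indicator}")


def pyramid_profile(indicators):
    """Count indicators per level: the shape shows what you collect, not how much."""
    counts = {level: 0 for level in PYRAMID}
    for ind in indicators:
        counts[classify(ind)] += 1
    return counts


def quality_score(profile):
    """Weighted share of the maximum: 0.0 (only hashes) to 1.0 (only TTPs)."""
    total = sum(profile.values())
    if total == 0:
        return 0.0
    weighted = sum(WEIGHTS[level] * n for level, n in profile.items())
    return weighted / (total * max(WEIGHTS.values()))


def attack_coverage(indicators, priority_techniques):
    """Which of the priority threat's techniques do we hold TTP-level intel for?"""
    known = {ind["value"] for ind in indicators if classify(ind) == "ttp"}
    covered = set()
    for technique in priority_techniques:
        # a sub-technique (T1059.001) counts as covering its parent (T1059)
        if technique in known or any(k.startswith(technique + ".") for k in known):
            covered.add(technique)
    return {"covered": sorted(covered),
            "gaps": sorted(set(priority_techniques) - covered)}


if __name__ == "__main__":
    profile = pyramid_profile(INDICATORS)
    for level in PYRAMID:
        print(f"{level:>17}: {'#' * profile[level]}")
    print(f"quality score: {quality_score(profile):.2f}")
    print(attack_coverage(INDICATORS, PRIORITY_THREAT_TECHNIQUES))
```

The histogram printed by the main block is the visualisation the talk describes: a feed that is mostly hashes scores low however many entries it has, and the coverage dictionary names the priority techniques for which no TTP-level intel exists at all.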
11-Quality-over-Quantity-Bianco.pptx
MD5: 63a06001c7a7edb36259c24e7e24c3ab
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 2.29 Mb
Carson Zimmerman (Microsoft, US)
Carson Zimmerman is a veteran cybersecurity specialist, author, and speaker. In his current role at Microsoft, Carson leads the integration and deployment of next generation cybersecurity monitoring platforms for key Microsoft environments. In his previous role, at The MITRE Corporation, Carson specialized in cybersecurity operations center (CSOC) architecture and CSOC consulting. His experiences over 15 years as a CSOC analyst and engineer led Carson to author Ten Strategies of a World-Class Cybersecurity Operations Center, which can be downloaded for free at http://bit.ly/1sKCOH9. He received a BS in Computer Engineering from Purdue University and an MS in Information Systems from George Mason University.
Co-Author: Christopher Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. Customers include large and small companies in varying industries: cyber security, defense, education, energy, and finance.
Mr. Crowley is a Senior Instructor with the SANS Institute, and the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management.
Metrics are intended to demonstrate performance, and change in performance, over time. However, there are few global standards which allow Security Operations Center (SOC) teams to compare performance across organizations and industries.
This talk will first explore the existing systems of metrics for security operations, then select a triad of metrics to report to different groups within a canonical organization. These groups represent the executive concerns of the organization and the constituents who are protected by the SOC, the management responsible for overseeing the SOC, and the internal staff of the SOC. The intention of this separation is to provide measures relevant to the parties concerned.
The final portion of this talk will attempt to provide data on application of these metrics to sample institutions to help to provide movement toward comparative analytical capability to judge performance relative to peer SOCs.
Public__SOC-Metrics-for-FIRST-v07-002-.pdf
MD5: 9adf93af10b668ae6af601320ad6d91a
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.78 Mb
Simon Freiberg & Jason Solomon (Google, US)
The security industry focuses a great deal on defense against advanced threats, but security incidents are inevitable. Once an attacker is on your network, it’s imperative to be able to detect them and quickly kick them back out! This talk explores how Google performs incident management and remediation at scale, adapting the techniques of disaster management professionals and modern open source tools to achieve lightning-fast, efficient response cycles and push the envelope in the field of Incident Response.
Large-Scale-Incident-Response.pdf
MD5: 5bc1aeca109bfd9154b0e0f5da3cef9d
Format: application/pdf
Last Update: June 7th, 2024
Size: 796.28 Kb
Hinne Hettema (NZ)
Hinne Hettema is the tactical security operations leader at Ports of Auckland.
His strengths are in SOC enablement, intelligence and incident response, as well as intelligence driven security operations and security architecture.
In a previous role, he led the security operations at the University of Auckland and has also worked as security architect. He has experience working in security operations in both ICT and ICS environments, setting and driving strategy and incident response. He studied Theoretical Chemistry (PhD 1993) and Philosophy (PhD 2012). As a theoretical chemist, he played with the supercomputers of the time. His first computer was hacked in 1991, after which he developed an enduring interest in cyber security. He is a blogger for APNIC, and maintains a security blog on his LinkedIn page.
OT_Incident_Response-Hinnie.pdf
MD5: 8c57ccc8eb40e672ff87fe7f6435e2e6
Format: application/pdf
Last Update: June 7th, 2024
Size: 482.86 Kb
Mirjam Kühne and Ivo Dijkhuis, RIPE NCC
RIPE Atlas is a global active measurement infrastructure, maintained by the RIPE NCC. It is based on the voluntary contributions of thousands of probe hosts worldwide. In essence those RIPE Atlas probes are IoT devices that people place in their homes. We made some conscious ethical considerations in order to protect these probe hosts, and we strictly follow certain design and security principles and best current practices. In this presentation we will present the ethical, security and legal measures that are in place to support and protect this shared responsibility between the RIPE NCC as the provider of the platform and the users.
TF-CSIRT meeting & FIRST Regional Symposium Europe
Tallinn, EE
January 21, 2019 15:00-15:30
Hosted by CERT-EE
RIPE-Atlas-IoT-TF-CSIRT-56.pdf
MD5: 1d4398516d05e798d050b656cba51543
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.6 Mb
Thorsten Jenke (Fraunhofer, DE)
Thorsten started working full time at Fraunhofer FKIE. Among his tasks as a research assistant are reverse engineering malware and implementing software for automating malware analysis.
MD5: a45341cae6984147652d1cdfd9b19c70
Format: application/pdf
Last Update: June 7th, 2024
Size: 227.71 Kb
Thomas Fischer (FVT SecOps Consulting, GB)
Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure and network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also those instigated by compliance.
Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.
SOC analysts and incident responders are faced with a mounting increase in events generated by the tools we keep adding to "defend" our systems; in some environments event collectors are consuming tens of millions of events per day. The tendency is to look for new technologies like automation to help. Is technology the only answer? Criminal forensics in the initial investigation phases relies heavily on the ability to visually identify artefacts. For the past few years, I've been looking at improving the processing of events for SOCs, incident response and threat hunting through better visualisation and communication. The conclusion is that there is nothing better than a pair of eyes to identify things. In this talk, we will examine how we can apply better seeing and proper communication to facilitate the identification of incidents and their artefacts, and turn them into reports and IOCs, despite the flood of events being generated by the tools.
MD5: 2c613236d64aa4909c15bef6c6830ff3
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.38 Mb
Rob van Os (Volksbank, NL)
Rob van Os, MSc., CISSP, ISSAP is a cyber defense specialist and the Product Owner of the Cyber Defense Center of the Volksbank. As such, he is responsible for cyber security operations. Rob has over a decade of practical experience in security monitoring, security incident response and security operations centers. He is also the chairman of the SOC/CSIRT working group of the Dutch FI-ISAC. Rob obtained a Bachelor's degree in Computer Science in 2009 and a Master's degree in Information Security in 2016. Rob is the author of the SOC-CMM and the MaGMa use case framework.
With DDoS attacks becoming ‘business as usual’, and widespread ransomware outbreaks such as WannaCry wreaking havoc across the globe, organisations face a challenging and dynamic threat landscape. This is why Security Operations Centers (SOCs) are becoming increasingly common. A SOC provides capabilities to protect against cyber threats, detect attacks and intrusion attempts and respond to such threats to limit their impact. To objectively evaluate if security operations are functioning effectively and maturing over time, measurement tools are required. The SOC-CMM and MaGMa Use Case Framework (MaGMa UCF) are such tools, and aim to enhance cyber defense. Both tools can be used freely.
The SOC-CMM is a model and self-assessment tool that is used to measure SOC capability maturity across 5 domains: business, people, process, technology and services. Each of these domains is assessed in detail using questions that can be scored on a 5-point scale. Using the SOC-CMM, the SOC team can identify strong and weak aspects, and determine next steps for improvement and growth.
The MaGMa UCF is a framework for use case management. This framework is supported by a tool that allows for registration, classification and measurement of use case effectiveness. The MaGMa UCF provides the capability to be in control over the security monitoring process and the alignment of security monitoring to business and compliance needs. With the MaGMa UCF, it is possible to prove to stakeholders that the SOC is in control and adequately managing and decreasing risk in the enterprise.
2019.04.03-SOC-CMM-MaGMa-FIRST.pdf
MD5: 5ee1a54b59f731a9a207fab39344a487
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.01 Mb
Allan Friedman (NTIA / US Department of Commerce, US), Art Manion (CERT/CC, US)
Dr. Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multi-stakeholder processes on cybersecurity, convening cross-sector working groups with a focus on resilience in a vulnerable ecosystem. This has included pioneering government engagement on coordinated vulnerability disclosure, IoT security, and software component transparency. Prior to joining the Federal government, Friedman spent over 15 years as a noted cybersecurity and tech policy scholar at Harvard’s Computer Science Department, the Brookings Institution and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a degree in computer science from Swarthmore College and a PhD in public policy from Harvard University.
Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Since joining CERT in 2001, Manion has studied vulnerabilities, coordinated disclosure efforts, and published advisories, alerts, and vulnerability notes for CERT/CC and US-CERT. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to automate and improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.
A “software bill of materials” that lists third party components can help the open source community, software vendors, and enterprise customers address security risks, vulnerabilities, and supply chain concerns. In 2018, NTIA launched an open process of experts from many sectors to identify challenges in assembling, sharing, and using data on third party components. This talk will present on the substantial progress made, sharing draft best practices, and highlighting use cases and use of existing standards. We will map out the work that remains to be done, and how the FIRST community can play an important role.
SBoM_Friedman_Manion_FIRST2019_v5-compressed-min.pdf
MD5: 17707e1b72978c2411273857b8139803
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.31 Mb
Matthew Stith (Industry Liaison for Spamhaus Technology, US)
This presentation will go over the trends that the Spamhaus Malware Labs team observed and analyzed in 2018, and compare the 2018 data with that of the previous report. Finally, it will give recommendations on steps that users, companies, and organizations can take to mitigate and prevent botnets from infiltrating their networks.
Botnet_Report_2019_-_Spamhaus.pdf
MD5: 0987a7386760e2ba58beb9187551e436
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.2 Mb
Danny Grander (Snyk)
Snyk-Danny-Grander-The-vulnerability-marketplace.pdf
MD5: b0ffb20cb7bd8de1604c0685df74a89a
Format: application/pdf
Last Update: June 7th, 2024
Size: 8.47 Mb
Rossella Mattioli (ENISA)
For more than ten years ENISA has been supporting Member States and CSIRT communities in the EU (https://www.enisa.europa.eu/csirts-map) to build and advance their incident response capabilities through handbooks, online and onsite trainings and dedicated projects. Since the introduction of the NIS Directive, ENISA has been focusing on the newly established CSIRTs Network (http://www.csirtnetwork.eu/), the ENISA maturity assessment framework for incident response teams (http://enisa.europa.eu/sas-tool), the Reference Security Incident Taxonomy Working Group (https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force), and on tailoring existing trainings (http://enisa.europa.eu/trainings) to specific sectors. The goal is to foster and facilitate operational cooperation and information exchange for stronger incident response in the EU. The talk gives an overview of the latest updates on these tools, projects and trainings available for incident response teams.
TF-CSIRT meeting & FIRST Regional Symposium Europe
Tallinn, EE
January 21, 2019 13:00-13:30
Hosted by CERT-EE
Supporting-EU-incident-response-capabilities.pdf
MD5: 8c3c49bb807acd787d02756bea3b70b0
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.61 Mb
Kunio Miyamoto (NTT DATA Corporation, JP)
Dr. Miyamoto has been a member of NTTDATA-CERT since 2010, working as an incident responder and as a researcher on preventing incidents and reducing damage.
He received his Ph.D. in Informatics from the Institute of Information Security (Yokohama, Japan) in 2011, and registered as a Professional Engineer Japan (Information Engineering) in 2014.
Many solutions have been released and operated to prevent access to malicious hosts. Many of them work effectively, but if a solution has poor usability or a complex UI, it is difficult for operators to use.
For example, if a URL filtering solution has poor usability or a complex UI, registering malicious URLs in it makes the operators' work harder.
We developed "DQB" (DNS Query Blocker) to return deceptive DNS replies, "Shutdowner" to return deceptive TCP SYN-ACK replies, and an operations application for these systems to simplify their operation. These systems have been running for 3 years.
In our presentation, we will talk about the design and implementation of "DQB", "Shutdowner" and the operations application, the knowledge obtained in daily operation, and a rapid incident response case detected by DQB.
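As an added example that is neither NTT DATA's DQB code nor the CEDIA CSIRT tooling, the following Python (standard library only) shows the wire-level mechanism both this abstract and Paul Bernal's NXDOMAIN talk above deal with: a DQB-style handler that answers queries for blocklisted names with a deceptive A record pointing at a sinkhole, and the check CEDIA's detection proposal implies, which asks a resolver for a random label under a zone you control (so the only legitimate answer is NXDOMAIN) and classifies what comes back. The blocklist, sinkhole address and zone names are assumptions, and the resolver responses are constructed in the demo rather than sent over the network.

```python
import os
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode 'www.example.com' as DNS labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def question_name(msg):
    return decode_name(msg, 12)[0]


def a_records(msg):
    """Return the IPv4 addresses in the answer section."""
    hdr, offset, addrs = parse_header(msg), 12, []
    for _ in range(hdr["qdcount"]):
        offset = decode_name(msg, offset)[1] + 4              # skip qtype/qclass
    for _ in range(hdr["ancount"]):
        offset = decode_name(msg, offset)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def reply(query, rcode, answers=(), ttl=60):
    """Build a response to `query`: echo the question, add A answers, set RCODE."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)  # QR, RD, RA
    body = b""
    for ip in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)    # name -> offset 12
        body += bytes(int(octet) for octet in ip.split("."))
    return header + question + body


def dqb_handle(query, blocklist, sinkhole_ip):
    """DQB-style blocker: deceptive A answer for blocked names; None means pass through."""
    if question_name(query).lower() in blocklist:
        return reply(query, RCODE_NOERROR, [sinkhole_ip])
    return None


def random_probe_name(zone):
    """A label that cannot exist under a zone you control (assumed: example.net)."""
    return f"nx-{os.urandom(6).hex()}.{zone}"


def classify_nxdomain_response(probe_query, response):
    """Honest resolvers say NXDOMAIN; rewriting ones return addresses for the probe."""
    hdr = parse_header(response)
    if hdr["id"] != struct.unpack("!H", probe_query[:2])[0] or not hdr["qr"]:
        return "invalid"
    if hdr["rcode"] == RCODE_NXDOMAIN and hdr["ancount"] == 0:
        return "honest"
    if hdr["rcode"] == RCODE_NOERROR and a_records(response):
        return "rewrites-nxdomain"
    return "other"


if __name__ == "__main__":
    blocked = build_query("malware.test", 0x1234)                    # constructed
    print(a_records(dqb_handle(blocked, {"malware.test"}, "10.0.0.1")))
    probe = build_query(random_probe_name("example.net"), 7)
    print(classify_nxdomain_response(probe, reply(probe, RCODE_NXDOMAIN)))
    print(classify_nxdomain_response(probe, reply(probe, RCODE_NOERROR, ["203.0.113.10"])))
```

To test a real resolver, send `build_query(random_probe_name(zone), txid)` to it over UDP port 53 and pass the datagram to `classify_nxdomain_response`. Note that the rewriting resolver in the demo is produced by the same `reply()` call that `dqb_handle` uses for blocklisted names: the wire mechanism behind a DNS-based blocker and behind NXDOMAIN hijacking is identical, which is why the detection has to probe with a name whose only legitimate answer is NXDOMAIN.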
TBD_FIRST2019_Final_for_public.pdf
MD5: a876bfa6e1137d856af0c9cd552aeefd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.98 Mb
Andika Triwidada (Indonesia Computer Emergency Response Team (IDCERT), ID), Bisyron Wahyudi Masduki (Indonesia Security Incident Response Team on Internet Infrastructure (Id-SIRTI/CC), ID)
Bisyron Wahyudi is the Vice Chairman of ID-SIRTII/CC (Indonesia Security Incident Response Team on Internet Infrastructure/Coordination Center) for Data Center Application and Database. He pursued his postgraduate study in Software Engineering at the Institute of Technology Bandung and Université Thomson, France. He is now a doctoral student at Universitas Indonesia in the field of network security. He is a computer scientist with over twenty years of professional experience in software application development, and a broad-range solution architect with exposure to enterprise solution development, solution architecture design and solution delivery. He has also been working for more than ten years in the field of network and information security. He is actively involved in several information and network security working groups, workshops, and trainings in the areas of cyber security collaboration, capacity building, critical information infrastructure protection, information security standards and compliance, incident handling and CERT/CSIRT establishment & management.
The Asian Games is the type of high-profile event where every operational mistake can get blown up into a global incident and national crisis. The Asian Games is the biggest multi-sport games after the Olympic Games, and the most prestigious event organized by the Olympic Council of Asia (OCA).
Every four years, the Asian Games capture the world's attention as thousands of Asia's top athletes compete for medals, glory and national pride. As this mega event becomes further digitized, turning a physical event into the most computer-connected games, event organizers and sport officials are ever more concerned about cyber threats looming over the games.
The Indonesia Asian Games 2018 Organizing Committee (INASGOC) is an official committee formed by the Indonesian government after Indonesia's appointment as the host of the 18th Asian Games. Id-SIRTII/CC as the national CSIRT of Indonesia, together with IDCERT as the national CERT community, were assigned by the government to assist INASGOC in guaranteeing IT (cyber) security during the holding of ASIAN GAMES 2018. The goal of IT security is to ensure that the Asian Games Information System (AGIS) and the related working staff are protected from any uncontrolled issues, problems or risks that could compromise the performance and/or the usability of the AGIS services.
The implementation of the Asian Games requires very complex IT system support. No sport event can be run without IT. Organizing the IT for the Asian Games is equivalent to running an IT service for a company with more than 50,000 employees that serves millions of customers and operates 24/7, with a variety of systems involving many multinational vendors. Given the criticality of IT to both event organizers and attendees, one area of critical concern was cyber security. Disruption to the digital side of the games can interrupt the overall implementation of the sports events.
Turning the strategy and policies into an operational security program required us to develop measurements and associated infrastructure to provide a continuous view of its security posture, a data collection and analysis platform that could evaluate the millions of security alerts and telemetry to assess risk, to design and build the network infrastructure to provide the appropriate security domains and control points, and to create an operations center to run the whole thing and respond to incidents. An integrated monitoring system was created to help collect, collate, sift, analyze and share the vast amounts of information being collected by various sensors.
In this presentation, we intend to share our experience and describe the integrated monitoring system that was provided to give end-to-end visibility and to centrally manage all the sensor data collected and the log elements of the network, servers, applications and endpoint devices. This system's ability to quickly analyze, adapt, and respond to threats at tactical speeds can mean the difference between success and failure. Additionally, it offers analysts and security officials the ability to detect and act early. Furthermore, we will also share the process of risk identification and assessment. This element is essential to developing the appropriate controls and the subsequent process of identifying potential threats and risks, developing mitigation plans, building audit processes, putting it into operation and optimizing operational efficiency.
MD5: 6c214e37d91342c9e5bb5e2905791579
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.47 Mb
Tamas Boczan (VMRay, HU)
Tamas is a Senior Threat Analyst at VMRay. He is responsible for finding and analyzing relevant malware samples and improving VMRay's detection capabilities. He is mostly interested in evasive in-the-wild samples, and exploitation. He is a regular contributor of deep technical blog posts in VMRay's technical blog.
In 2018 the ransomware-as-a-service black market was taken over by a single malware family, Gandcrab. Besides its prevalence and rapid development, the family is also notable for burning a zero-day exploit against an antivirus product – something we expect from APTs, but which is unique in commercial non-targeted malware of recent years. We tracked and analyzed each version of the malware from the start.
In this talk we present the various delivery methods used to spread the ransomware, and show how agile development allowed it to rapidly evolve and react to countermeasures. Based on our analysis of the malware variants and the zero-day, we also present upper and lower bounds of the capabilities of the adversary.
MD5: 15405a712c5e8f95859c51d1b05bb4d9
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.62 Mb
Bryan Lee (Palo Alto Networks, US)
Bryan Lee is a Principal Researcher with Unit 42 at Palo Alto Networks with a focus on espionage motivated adversaries. He has published extensive research into the Sofacy group in addition to discovering and (poorly) naming several other groups such as OilRig and DarkHydrus. Prior to joining Palo Alto Networks, Bryan spent nearly a decade at NASA working on projects in the advanced supercomputing division as well as the Security Operations Center. His diverse set of experiences provides a unique perspective of melding threat intelligence with security operations to provide actionable and operationally relevant research to the world.
DarkHydrus. OilRig. MagicHound. Ever wonder how Unit 42 or other research teams regularly produce threat intelligence and come up with those crazy names?
As an industry, we tend to revel in the mystique of threat intelligence, instead of readily explaining the mechanics of how we conduct our research. Continuous and active sharing of both threat data in addition to tracking and hunting techniques is absolutely pivotal to achieve positive outcomes as a community. Hiding behind the proverbial curtain and obfuscating the approaches of adversary tracking and hunting only benefits the adversaries. Though it may at times seem like voodoo, the truth is that the methodology for adversary tracking and hunting is actually not an overly complex task. Join Bryan in pulling the curtain back and learn about techniques and tools used on a daily basis for threat hunting and clustering. Understand how you can use the observed data points to generate actionable threat intelligence, enhancing your existing threat data as well as preparing for potential future threats.
Remember, don't panic, and always carry a towel.
1530-Hitchhikers-Guide-Lee.pptx
MD5: 32058875260003401bcc0f7d16bea891
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 8.24 Mb
Paul Vixie (Farsight Security, Inc.)
Paul Vixie was responsible for BIND from 1989 to 1999, and is the author of a dozen or so IETF RFC documents about DNS. He also started the first anti-spam company (MAPS) where he co-invented the DNS RBL (Realtime Blackhole List) that now protects all e-mail planet-wide, and was the founder and later president of the first U.S.-based commercial Internet Exchange (PAIX). Today he serves as CEO of Farsight Security, home of the Security Information Exchange (SIE) and the world's leading Passive DNS database (DNSDB). He managed the F-root DNS server from 1996 to 2012, and wrote the Cron software used on all UNIX-type computers today. He is also co-inventor of the DNS Response Rate Limiting (RRL) and Response Policy Zone (RPZ) feature-sets now in wide use to protect the operational Internet Domain Name System against online attacks. He received his Ph.D. from Keio University in 2011, and was inducted into the Internet Hall of Fame in 2014.
The Domain Name System has been a critical enabler of Internet growth since its inception in 1987. In the decades since then, the DNS resolution process has evolved from the LAN to the WAN, and to Anycast; it now includes DNSSEC validation, Extended DNS (EDNS) Client Subnet, larger message sizes, and I18N. The resolution process has also been abused for surveillance, advertising insertion, and exfiltration. Today the DNS resolution process is poorly understood, and yet under forced revision. The trend is for DNS to be carried inside HTTPS where it cannot be monitored or controlled except by servers and clients themselves, and the dangers this will yield must be studied and discussed while the future remains flexible. Dr. Vixie will describe the past and present of DNS, and discuss its likely near-term future.
230-DNS-Past-Present-Future-FIRSTCON2019.pdf
MD5: 72ccb7365c6c5f3fb0888c763bfa7a7e
Format: application/pdf
Last Update: June 7th, 2024
Size: 558.91 Kb
Maarten Van Horenbeeck (Zendesk, US), Dr. Serge Droz (FIRST / FDFA, CH)
Maarten Van Horenbeeck is a Board member, and former Chairman, of the Forum of Incident Response and Security Teams (FIRST). Maarten is also Chief Information Security Officer with Zendesk. Prior to this role, he was Vice President, Security Engineering at edge cloud network Fastly and managed the Threat Intelligence team at Amazon. Maarten has a master's degree in Information Security from Edith Cowan University, and a master's degree in International Relations from the Freie Universitat Berlin. He is also Lead Expert to the Internet Governance Forum's Best Practices Forum on Cybersecurity.
Serge Droz is the Vice President OS-CERT at Open Systems, one of the leading managed security service providers in Europe. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. Before joining Open Systems, he worked in academia in Switzerland and Canada, later as a Chief Security Officer of Paul Scherrer Institute, as well as in different security roles at SWITCH for more than 15 years. Serge is a member of the board of directors of FIRST. He also served for 2 years in the ENISA (European Union Agency for Network and Information Security) permanent stakeholder group. Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.
The-Policy-Implications-of-Incident-Response.pdf
MD5: 94caced9f14354dd9e2b3c680fb28108
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.23 Mb
Jan Pospisil (Siemens, DE), Karl Peter Fuchs (Siemens, DE)
Jan Pospisil: Jan is Senior Data Scientist at the Siemens Cyber Defense Center. He has a background in Artificial Intelligence and Machine Learning. Currently his focus is on building a Siemens-wide cyber defense platform based on AI. Before joining the Cyber Defense Center, Jan was Head of Data Science at Siemens MindSphere IoT platform. There, his focus was on manufacturing optimization, predictive maintenance, and digital twin.
Karl Peter Fuchs: Karl is Functional Lead for Security Monitoring at Siemens’ Cyber Defense Center. His focus is on improving the threat detection capabilities of Siemens and on automating related processes to prevent Security Analysts from repetitive work. Karl has a strong passion for trying out and applying new technologies and approaches. Before joining Siemens, he worked for several R&D facilities on Security, Privacy, Usability, Machine Learning, and Big Data.
Deep Learning has become practical in many domains, including self-driving cars, language translation, healthcare, and IT security. Yet, the actual use cases in those domains where Deep Learning and AI can add real value are still eminently limited. Especially in threat detection it is a big challenge to design approaches that introduce an acceptable number of false positives when applied to large networks. In this talk, we show how we solved this challenge for a concrete use case: the detection of domain names generated by Domain Generation Algorithms, which malware uses to obfuscate its communication. We give insights on the design and capabilities of the threat detection model and the underlying Big Data platform that enables continuous threat detection across more than 500,000 hosts on the Siemens corporate network.
Threat-Detection-based-on-Deep-Learning-at-Scale_PUBLIC_presentationFirst2019-upload.pdf
MD5: aab747baa3de69b55a0070254a25b319
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.66 Mb
Wataru Takahashi (Japan Computer Emergency Response Team Coordination Center, JP)
Wataru was previously engaged in security system integration and service development at an IT vendor where he learned expertise in securing servers and access controls against servers. He joined JPCERT/CC in October 2016 and ever since he has been committed to malware analysis and forensics, especially dealing with ever-evolving malware and attack techniques with his persevering attitude.
Sysmon logs are important in incident investigation. Sysmon records various Windows OS events, such as running applications, created registry entries and network communication. Most commonly, analysts convert Sysmon logs into text format and search for specific events; however, it is difficult to conduct an investigation on multiple devices simultaneously. SIEM products can also be applied to this analysis, but they are often expensive and not a feasible option for all analysts.
As an alternative, we considered a new method for Sysmon log analysis and identified that it can be conducted more smoothly by aggregating the logs and showing them as a visual image. For this purpose, we developed and released an open source tool which is freely available on the Internet.
In this presentation, we will propose a method to visualise and analyse Sysmon logs and introduce the tool "SysmonSearch". We will also demonstrate how the visualised image of event correlation makes it easier to analyse logs, and how this tool can help in identifying suspicious behaviour based on monitoring rules.
JPCERTCC/SysmonSearch: Investigate suspicious activity by visualizing Sysmon's event log
https://github.com/JPCERTCC/SysmonSearch
Visualise Sysmon Logs and Detect Suspicious Device Behaviour -SysmonSearch- - JPCERT/CC Eyes | JPCERT Coordination Center official Blog
1015-31st_FIRST_Annual_conference_SysmonSearch-Wataru-Takahashi.pdf
MD5: 76224a92c2a52e75f6ac80b8240b1766
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.94 Mb
Perttu Halonen (National Cyber Security Centre Finland, Finnish Communications Regulatory Authority, FI)
Mr. Perttu Halonen works as an information security specialist at the National Cyber Security Centre Finland, where he is one of those responsible for cooperation with the social welfare and health care sector. In addition, he contributes to the national CERT function as a situation awareness coordinator. Prior to joining the NCSC-FI, he worked as a research specialist at Nokia Corporation.
Health care sector cyber security is a hot topic. Improving the sector's cyber security is challenging: educating a large health care workforce that traditionally is not very inclined towards security; protecting various connected medical devices from misuse; managing cyber security in collaboration networks. Finland has taken an approach of developing the sector's cyber security through multiple concurrent actions with stakeholders on regional and national levels, with influence on all levels. This presentation describes the goals and results of the health ISAC, the Cyber-Health development project and the national cyber preparedness guidelines for the health care sector.
Halonen-Three-circles-to-improve-health-care-cyber-security_-FIRSTCON19-2019-06-04.pptx
MD5: 48595ec7009ded09b06b919fded0c08b
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 3.67 Mb
Marc Smeets (Outflank, NL), Stan Hegt (Outflank, NL)
Marc is a senior IT security specialist, red teamer and consultant. He started his professional IT security career in 2006. Prior to that he has worked in IT operations for 3 years. His main areas of expertise are adversary simulation/red teaming, network security, Windows and Active Directory security and detection of Blue Team activities.
Stan has more than a decade of experience in offensive security, with a strong focus on red teaming and attack simulations. His passion is to analyse and adopt the tradecraft of the bad guys in order to emulate their techniques in attack simulations for Outflank's clients. Stan loves developing malware for red teaming purposes (WinAPI <3) and exploring opportunities for abuse in Windows components such as MS Office, COM, .NET and PowerShell.
TIBER (Threat Intelligence Based Ethical Red Teaming) is a framework that aims to deliver attack simulations of the highest quality in order to test the financial sector's resilience to cyber attacks. Since May 2018, it has been accepted by the European Central Bank as the go-to cyber resilience testing framework for national and European authorities within the Euro zone. The framework has big aspirations, including the ambition to test TTPs employed by nation state actors in operations that run for multiple months. But is this even possible, and how?
In this talk we will deep dive into the TIBER framework and our hands-on experiences with it, sharing best practices on how to connect threat intelligence with red teaming. Amongst others, the following topics will be addressed:
Olivier van der Toorn (University of Twente, NL)
Olivier is a Ph.D. student in the Design and Analysis of Communication Systems (DACS) group at the University of Twente. As a Ph.D. student he has been working on malicious domain detection through active DNS measurements for the last two years. Alongside his Ph.D., Olivier has been a volunteer system administrator at two study associations for the last five years. Because of his Ph.D. work he is closely involved with the OpenINTEL measurement project. This project is well established within the academic community: OpenINTEL data has been used in more than 20 published academic papers and has helped in establishing academic collaboration worldwide.
In this talk (long presentation) we introduce the idea of pro-active threat detection using active DNS data. We give examples of how pro-active detection approaches can be applied to different types of attacks. We will detail the case of snowshoe spam, for which we have developed a pro-active detection approach, currently in use in the mail filter of a large Dutch operator.
Snowshoe spam is a hard-to-detect type of spam based on a large number of low-volume spammers, which typically evade traditional spam detection methods. We uncovered that domains set up for snowshoe spam differ significantly from regular, benign domains. We are not only able to detect those domains, but we show that we can do so considerably earlier than regular spam detection methods.
Our intuition is that predicting whether a domain will be used for malicious intent might reduce the damage done by attackers. CERT teams may configure their systems to be extra vigilant towards domains predicted to be malicious. Our ultimate goal is to make the Internet a safer place by making an early prediction of the nature of a domain via pro-active blacklists.
TIDE_-Proactive-threat-detection.pdf
MD5: eea20578fb5d8276031383526256d041
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.44 Mb
Beverly Miller (Lenovo, US)
Beverly Miller has been the program manager for Lenovo's PSIRT since its inception over 4 years ago, leads FIRST's Vendor SIG, serves on MITRE’s CVE Board and was involved in the PSIRT Framework effort last year.
Scott Kelso currently manages Lenovo's Corporate Product Security Office. Prior to this, Scott was responsible for triage of new vulnerability reports, authored our security advisories and was heavily engaged in our tools development.
There is a common problem across many PSIRTs that Lenovo has struggled with since day one: linking software/firmware vulnerabilities to hardware products. Our PSIRT supports hardware products that are made up of firmware and software components. Each of these components includes 3rd party components and open source code, which is where the vulnerabilities actually occur. How can we match the reported vulnerability to the software package and then to the hardware product so we know what to communicate to our customers?
We tried managing our inventory through spreadsheets…BUT it aged quickly as new products were launched and old products went end of support.
AND it was time-consuming to maintain across multiple business units which are segmented into many brands and development teams.
Not scalable or sustainable!
Thanks to new skills on the team, we took another stab at solving the problem. We call it the Product Attribute Database, or PAD for short. PAD links with Lenovo Support’s knowledge management database and allows us to view all Lenovo supported products as well as the supported firmware and software components for each of those products. A large part of the problem is solved with this step!
To resolve the issue of which 3rd party components and open source code are included in each firmware and software component, we took it a step further.
Development scans their components and reports the 3rd party components and open source used. We call these ‘attributes’ and load them into PAD.
The attributes are then linked to the applicable hardware or software component.
What all this means is that when we receive a vulnerability report for glibc, for instance, we don’t have to scrub spreadsheets trying to determine what products may be affected. Instead, we create a case and PAD returns a list of products and their supported components which include glibc. Each product + component combination becomes a task that is assigned to an owner.
Because we track and assign this way, we know who we need responses from and can follow up as needed.
The end result is streamlined case creation, accurate assignment, product inventory management including 3rd party components/open source software, reduced time in preparing security advisories and improved SLA metric reporting.
FIRST-TC-2019-PSIRT-Tools-final_Beverly-Miller.pdf
MD5: 2c7a2ebb8af9db51140a47023bd68f37
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.26 Mb
Michael Murray (Secureworks, US), Robert Lelewski (Secureworks, US)
Robert Lelewski is a cybersecurity leader with fifteen years of experience providing computer forensic, incident response, and affiliated consulting services with a specific focus on proactive cybersecurity consulting services. In his position at Secureworks as the Senior Manager for Secureworks proactive incident response consulting services, Robert is continually helping clients prepare for the inevitable via tabletops, technical trainings, development of incident response plans, and other proactive services, while working with both technical teams as well as Board of Directors for large and small organizations. Prior to joining Secureworks, Robert functioned as an expert witness on computer forensic legal matters in both civil and criminal courts and taught collegiate courses on information security topics.
Robert holds the following degrees and certifications: MBA, MS, GCIH, CISM, CISA, CRISC, CISSP-ISSMP, EnCE, ACE, CCE, CASP
Michael Murray serves as a Senior Manager for the Secureworks Security and Risk Consulting - Incident Response (SRC-IR) team, focused on delivering proactive incident response services that prepare our clients to act when an incident strikes by ensuring that they have defined, implemented, and exercised the necessary plans and processes, and by augmenting client incident management capabilities during an incident response event. Prior to joining the Secureworks team, Michael was a member of the technical staff at the CERT Coordination Center (CERT/CC), and previously served on the Board of Directors of the Forum of Incident Response and Security Teams (FIRST).
Increasingly, organizations are performing tabletop exercises to help gauge and increase their overall readiness for a cybersecurity event. These exercises range from a short lunchtime event to multi-day affairs. Unfortunately, these exercises are often stymied by very simple shortcomings, which diminish the value of the exercise.
Through their experience in conducting hundreds of tabletops, the presenters have recognized a variety of trends that continually repeat themselves regardless of the organization’s vertical or maturity level, and ultimately impact the efficacy of the tabletop exercise. The presenters will describe each of these common failures, which range from the simple to complex, and present strategies to avoid said failures when planning your next tabletop exercise.
FIRST-2019-Top-Common-Tabletop-Exercise-Failures_Final.pdf
MD5: 6f18f43077d217407c7aad34ee41f751
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.27 Mb
Dr. Martin Eian (mnemonic, NO)
Dr. Martin Eian is the Head of Research at mnemonic, and he is the Project Manager for the research projects "Semi-Automated Cyber Threat Intelligence (ACT)" and "Threat Ontologies for CyberSecurity Analytics (TOCSA)". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security.
The ACT platform is an open source, scalable graph database with support for granular access control and workflow management. ACT enables advanced threat enrichment, threat analysis, visualization, process automation, information sharing, and powerful graph analytics. Its modular design and APIs facilitate implementing new workers for enrichment, analysis, information sharing, and countermeasures.
Key takeaways for the ACT workshop participants:
The ACT platform source code is available on GitHub: https://github.com/mnemonic-no
A read-only platform instance pre-loaded with OSINT is available on AWS:
https://act-eu1.mnemonic.no
https://act-eu1.mnemonic.no/examples/
Training-The-ACT-Threat-Intelligenve-Platform-Eian.pdf
MD5: 4d2b3dc6f329d9250bb57c421eaa07e2
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.82 Mb
Emilien Le Jamtel (CERT-EU, BE), Ioana Todirica (BE)
Emilien Le Jamtel is a security analyst working for CERT-EU.
MD5: 690e5b523ad5ca75736aa90bec9e2a0e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.54 Mb
IBM Cyber Security Center of Excellence, Dr. Yair Allouche
There are two common models for establishing trust in threat intelligence sharing communities today. The first is based on a trusted third party, and the second is point to point based on trust established through personal relationships. In this talk we will present a blockchain-based threat sharing solution which aims to mimic the peer-to-peer trust model, but without coverage gaps or delays.
IBM-Dr.-Yair-Allouche-Trusted-and-Anonymized-Threat-Sharing-Using-Blockchain-Technology.pdf
MD5: 67521cbe5797219cdb090dfadce8e3dc
Format: application/pdf
Last Update: June 7th, 2024
Size: 1 Mb
Andras Iklody (CIRCL, LU)
Andras Iklody is a software developer working for CIRCL and has been the main developer of the MISP core since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool. He handles the overall development governance in the MISP core project, especially to ensure that external contributions are in line with the overall objective of the MISP core functionalities.
As we, the CSIRT community, mature, our need for the ability to extract more value and context from our data becomes more and more vital. MISP has been gradually expanded to reflect these needs, by incorporating features that ease indicator life cycle management, contextualisation and management of threat intelligence, collaboration and the filtered feeding of our collected data to our various protective tools. This talk aims to highlight some of the techniques we use via the platform.
Oslo 2019 FIRST TC: Cold Incident Response
Oslo, NO
October 16, 2019 09:40-10:40
Hosted by Telenor CERT, KraftCERT, mnemonic CERT and Nordic Financial CERT
John Stoner (US)
MD5: 7426cb41fabc8c7622e509d7eded8a6e
Format: application/pdf
Last Update: June 7th, 2024
Size: 73.25 Mb
Alexander Vetterl (University of Cambridge, GB)
Alexander Vetterl is a PhD student at the University of Cambridge where he is part of the Security Group and the Cambridge Cybercrime Centre. His research interests include honeypot architectures, intrusion detection systems and cybercrime, with a particular focus on the Internet of Things (IoT).
He has been working on techniques to fingerprint low- and medium interaction honeypots at Internet scale and providing insights into how honeypots are configured and deployed in practice. Recognizing the need for better honeypots to combat cybercrime, Alexander is currently developing a new "IoT honeypot" that can accommodate various devices and emulate their functionality within a virtual environment.
Honeypots are intended to be covert and therefore little is known about how many are deployed or who is using them. I present a generic technique for systematically fingerprinting low- and medium interaction honeypots at Internet scale with just one packet. I conduct Internet-wide scans and identify 7,605 honeypot instances across nine different honeypot implementations for the most important network protocols SSH, Telnet, and HTTP. Since the probes do not leave meaningful log entries in any of our tested honeypots, operators will not be aware that their honeypot has been detected.
I further show that these deployments are not kept up to date – 27% of the honeypots have not been updated within the last 31 months and only 39% incorporate improvements from 7 months ago. I believe the findings to be a ‘class break’ in that trivial patches to the current generation of honeypots cannot address the issue.
Vetterl_fingerprinting_honeypots_FIRST-19.pdf
MD5: 4989cd5d71d005bc72fbcc70a19e203f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.01 Mb
CyberArt Security, Yossi Sassi
In the 'living off the land' reality where any admin tool can be used as an attack tool, bypassing EPP/EDR is the norm, which is why SIEM/SOC is the final frontier against adversaries today. We will demonstrate our latest research on shell bypass in creative ways, showcasing post-exploitation techniques, APTs etc., as well as another IR/research tool that says goodbye to the bad guys' obfuscation efforts and transparently exposes every command.
CyberArt-security-Yossi-Sassi-Bypassing-perimeters-why-SOCs-matter.pdf
MD5: 6135939a0931d030946b9be662bdd06c
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.78 Mb
Douglas Wilson (Self, US), Nguyet Vuong (Civil / Consensys, US)
Doug Wilson (Ex-Mandiant, FireEye, Uptycs) has almost 20 years in security, but if you look way back, his college degree is actually in design! When not doing security, he has spent a fair bit of the past 15 years attending events that focus on design, and believes that design elements are critical to success in security pursuits. He has presented at numerous security conferences over his career, as well as talks and a workshop at FIRST.
Nguyet Vuong has 16 years of experience as a digital designer, and is currently a Co-Founder and Design Lead for Civil (www.civil.co). She has won design industry awards, given numerous presentations, and facilitated workshops on design. She believes in honest and transparent design patterns that respect people’s time and intelligence. She regularly tries to spread the word of how design thinking and processes can make other fields better, including security.
The fields of security and design are eerily similar. Both are interested in challenging the status quo for processes, products and applications. Both spend a lot of time examining unusual and unplanned behaviors from both users and applications. And both are fields where success or failure tends to come down to the humans involved, despite amazing technical innovation.
Security practitioners, however, are sometimes overly focused on the negative. This may cause them to lose track of some ideals that are core to design, and can lead to problems in communication, inclusiveness, and the creation of equitable solutions.
By adopting practices that come from the positive side of the equation in the design field, security practitioners can improve their communication and solve problems at different levels. This talk will introduce several tools that designers use in their work on a daily basis, and propose how they can help security practitioners.
1245-wilson-vuong-FIRST-presentation.pdf
MD5: 624674bce3b96acabc575b80736dcc5d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.21 Mb
Pasquale Stirparo (Google, CH)
Pasquale Stirparo is currently working as Incident Manager at Google. Prior to this, he worked as part of the Digital Forensics, Incident Response and Threat Intelligence teams in the financial sector, at the Joint Research Centre (JRC) of the European Commission and at consulting firms. In 2016 he was appointed to the Advisory Group on Internet Security at the European Cyber Crime Centre (EC3) of Europol, and he is currently an Incident Handler with the SANS Internet Storm Center (ISC). Pasquale has also been involved in the development of the Digital Forensics standard “ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence”, for which he led the WG ISO27037 for the Italian National Body in 2010. Pasquale holds a Ph.D. in Computer Security from the Royal Institute of Technology (KTH) of Stockholm and an M.Sc. in Computer Engineering from the Polytechnic of Torino, and is certified GCFA, GREM, OPST, OWSE, ECCE. He is also the co-author of the book “Learning iOS Forensics”, published by PacktPub, awarded "Best Forensics Book of the Year 2015" by the Forensic 4:cast Awards.
One would expect setting up the requirements to be the first task completed before investing time in researching and collecting any type of intelligence. However, intelligence requirements are still too often overlooked, and organisations jump immediately to the collection phase, which, sadly, often translates into buying and ingesting as many feeds as possible, with everybody looking for “APTs”. The main goal of properly setting the requirements is to understand which type of information is of primary interest for your organization, and to be sure that the most relevant and critical information is processed and not lost in the noise.
In this talk, we will give the audience an understanding of what “intelligence requirements” really are and why they are such an important component of the intelligence cycle. Finally, we will give initial practical guidelines on how to start setting up and defining them.
1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf
MD5: bbe9a6840d20ca8265254621b03e36c2
Format: application/pdf
Last Update: June 7th, 2024
Size: 291.96 Kb