Xavier Mertens (Xavier Mertens Consulting, BE)
Once upon a time, an ogre called “SIEM” was invented…
Today, if your organization does not have a SIEM, you look like the “Little Tom Thumb” among your peers. During infosec meetups, many people like to brag about the power of the monster they deployed: “We can ingest 5K events per second!” or “We index 3TB a day!”. That indeed looks nice but does not impress me so much. Are you sure that you can still find the needle in the haystack? Having been involved with such technologies and environments for a while, I have had the opportunity to face many situations where the ogre SIEM was not able to return interesting data due to misconfigurations, topology changes, lack (or absence) of logs, wrong normalization and many more... Managing logs and events is not an easy job. This presentation will tell you some nightmare stories that you could also face in your organization. And, of course, some ideas to prevent them.
Xavier-Mertens-January-29th-1500-1530.pdf
MD5: 43bd18c586f72a682ec76b5434c247d5
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.95 Mb
Leonard Savina (ANSSI, FR)
Léonard Savina has been maintaining, securing, deploying, migrating, automating and designing Active Directory environments for about 10 years in various sectors such as Energy, Hospitals and Government.
You can find some technical articles he wrote between 2010 and 2013 on his blog (www.ldap389.info) about those professional experiences.
In 2013 he joined ANSSI, the French National Cyber Security Center, as a Security Systems Engineer.
In 2017 he joined the CERT-FR as a DFIR analyst. CERT-FR is part of ANSSI.
In 2019 he released the ADTimeline tool which was presented at the Amsterdam 2019 FIRST Technical Colloquium.
Active Directory is a prime target in almost all cyberattacks, and attackers often attempt to gain Domain Admin privileges and maintain their access. It is therefore crucial for security teams to monitor the changes occurring in Active Directory. Those modifications are recorded in the Domain Controllers' Windows event logs, but their scope and completeness depend on the auditing strategy configured. Moreover, those events are rarely centralized, analysed and archived. As a consequence, replication metadata is sometimes the only artefact left for the DFIR analyst to characterize modifications made to the Active Directory.
ADTimeline is a forensic tool, written in PowerShell, which aims to create a timeline of Active Directory changes from replication metadata. The ADTimeline application for Splunk processes and analyses the data collected by the PowerShell script to help the DFIR analyst perform their investigation. In addition, the Active Directory data indexed in Splunk can be coupled with the analysis of Windows event logs to perform relevant threat hunting queries.
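To make the "replication metadata as the last artefact" point concrete, here is an added PowerShell example (not ADTimeline's own code and not from the abstract) showing the raw material such a timeline is built from. Every directory object carries, per attribute, a version counter, the timestamp of the last originating write, the USN and the identity of the DC that originated it; the ActiveDirectory module exposes this through Get-ADReplicationAttributeMetadata, and for linked attributes such as member it can return one record per value, so individual group additions and removals keep their own timestamps even after the security event logs that would have recorded them have rolled over. The target objects, the 30-day window and the "more than 5 versions" triage threshold are assumptions for illustration; it needs the RSAT ActiveDirectory module and read access to a domain controller.

```powershell
# Added example, not part of ADTimeline. Requires the ActiveDirectory module (RSAT)
# and an account that can read the directory; run from a domain-joined host.
Import-Module ActiveDirectory

function Get-ADObjectChangeTimeline {
    param(
        # Distinguished names (or objectGUIDs) of the objects to examine.
        [Parameter(Mandatory)] [string[]] $DistinguishedName,
        # DC to query; metadata is the same on every DC once replication converges.
        [string] $Server = (Get-ADDomain).PDCEmulator
    )
    foreach ($dn in $DistinguishedName) {
        # -ShowAllLinkedValues returns per-value metadata for linked attributes
        # (e.g. 'member'), so each membership change has its own timestamp and,
        # for removed values, a LastOriginatingDeleteTime.
        Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -ShowAllLinkedValues |
            ForEach-Object {
                [pscustomobject]@{
                    When      = $_.LastOriginatingChangeTime
                    Deleted   = $_.LastOriginatingDeleteTime
                    Object    = $_.Object
                    Attribute = $_.AttributeName
                    Value     = $_.AttributeValue
                    Version   = $_.Version            # number of originating writes so far
                    OriginDC  = $_.LastOriginatingChangeDirectoryServerIdentity
                    Usn       = $_.LastOriginatingChangeUsn
                }
            }
    }
}

# Assumed targets: the usual privileged groups and the built-in Administrator account.
$targets = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    (Get-ADGroup 'Enterprise Admins').DistinguishedName,
    (Get-ADUser  'Administrator').DistinguishedName
)

$timeline = Get-ADObjectChangeTimeline -DistinguishedName $targets | Sort-Object When

# Full timeline, oldest first.
$timeline | Format-Table When, Deleted, Object, Attribute, Value, Version, OriginDC -AutoSize

# Triage hints (thresholds are assumptions): attributes rewritten unusually often,
# and anything touched inside the window of interest, exported for Splunk or a spreadsheet.
$timeline | Where-Object { $_.Version -gt 5 } |
    Format-Table When, Object, Attribute, Version, OriginDC -AutoSize
$timeline | Where-Object { $_.When -ge (Get-Date).AddDays(-30) } |
    Export-Csv -NoTypeInformation -Path .\ad-timeline.csv
```

Two caveats a responder should keep in mind: the metadata records only the latest originating write per attribute (or per linked value), so an attribute changed and then restored shows the restore, with the version counter as the only hint that it moved twice; and the originating DC is the one whose local database received the write, which points at where an attacker's tooling was talking to, not at the attacker's host.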
Jüri Shamov-Liiver (Spectx, EE)
This talk takes a look at four years of internal processing data retrieved from a typosquatting site. In total, ~37 GB of records reflecting redirection traffic gives a unique insider view to the whole operation: campaigns, visitors, traffic. What can we learn about the targeted sites, who visited them? Was the operation successful? Is it just about making easy money or is there a more sinister side to it? Let’s take a look at the data.
JA-ri-Shamov-Liiver-January-30th-1400-1430.pptx
MD5: 8d7bcfa0767f53a07c83a18e2d18c000
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 23.88 Mb
Peter Morin (Grant Thornton, CA)
Analyzing volatile information as part of your incident response capabilities can be the difference between fully understanding the chain of events that have occurred during an incident and merely scratching the surface. Memory forensics aims at extracting artifacts from a system’s memory. Whether it is a Windows server or Linux workstation, a physical system or virtual image, memory can provide key data points such as registers, cache contents, memory contents (passwords), network connections (IP connections), running processes as well as registry items such as shimcache and userassist. Analyzing memory can assist in identifying rogue processes, key network artifacts such as C2 communications, code injection, rootkits and potentially suspicious processes and drivers.
During this presentation, we will:
2020 FIRST Virtual Symposium for Latin America and Caribbean
Virtual
October 8, 2020 14:05-14:30
Hosted by LACNIC34 and CERT.br/NIC.br
Morin-IR-Memory-Analysis-2020.pdf
MD5: 268051c627ccc58568e1599ab4a321b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.1 Mb
Dee Annachhatre (NVIDIA, US), Jessica Butler (US)
Jessica Butler is a Senior Application Developer and lead for NVIDIA’s Product Security Tools team. Jessica has over 13 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. She has earned certifications in Java, Ruby and Cisco’s CCNA. In her free time, Jessica enjoys gardening, rehabbing her over 100-year-old urban home and traveling with her family, BJ, Sebastian (5) and Eliza (3).
Dee Annachhatre is a Senior Development Leader on NVIDIA’s Security Tools Platform Team. With 14 years of experience in the software industry, she specializes in architecting and delivering reliable and scalable systems in a variety of areas, especially online services. Her passion is backend development, which involves designing and implementing the services layer along with its interaction with various data stores. Dee graduated from the University of Texas, Arlington, with a Master’s degree in Computer Engineering. Apart from work, she loves hiking and spending time with her family.
Displaying a business's full security risk posture involves more than just tallying up the list of open security bugs. Many teams manually process results from multiple tools and use spreadsheets to map issues to the appropriate owners. To drive change, we need to automate mapping the results of these tools to the correct product and, more importantly, the owner that can take action! This session is for you if you are overtaxed by sifting through results to create bugs, checking a spreadsheet to determine who to notify for remediation, or manually calculating risk for reports and dashboards.
Automating_Vulnerability_Mapping-1-.pdf
MD5: af008d8dd40a459c6a0f1b9e2bde8dd4
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.17 Mb
CRob (Red Hat Inc, US)
Christopher Robinson (aka CRob) is the Program Architect for the Red Hat Product Security Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.
CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He’s also been heavily involved in the Forum for Incident Response and Security Teams’ (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework.
He enjoys herding cats and moonlit walks on the beach.
Join CRob and friends to talk about the FIRST PSIRT Maturity Assessment and how you can use it or similar tools to understand your program's strengths and weaknesses and develop plans to move your team forward.
MD5: 62d72b077c189df60658a58c52d47727
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.86 Mb
Dr. Vilius Benetis is from the European cyber security company NRD Cyber Security, where his work includes designing CSIRTs/SOCs for nations, sectors and organisations, early warning systems and forensics labs, incident response capabilities, development of national methodologies for the identification and monitoring of critical infrastructures, and national situational awareness in cyberspace. Vilius is an active researcher in FIRST.org, GFCE and ITU (at the CoE for Cybersecurity and Q3/SG2). He also contributes to ISACA’s existing and forthcoming publications on cyber security, trains CSX Fundamentals Workshops and CSIRT Manager Trainings, and speaks at European, American and African conferences. Dr. Benetis mainly focuses on projects in Sub-Saharan Africa, South Asia and Eastern Europe.
The presentation will present the hierarchical (national, sectoral, organisational) CSIRT blueprint structures developed by experts in the GFCE working group, and will gather feedback for improvement so that the results can serve the global CSIRT community as additional guidance.
Jaco Cloete (Nedbank Ltd, ZA)
Jaco Cloete, CISA, CRISC, CISM, CA(SA), C|CISO, CISSP, CSX-P, has 22 years of experience in cyberrisk management and auditing in the banking sector. He performed audits across all information technology and cyberdomains and served in both an external and internal audit capacity. In his current role as cybersecurity manager, he is responsible for cyberstrategy, cyberpolicy, cyberrisk management, cyberresilience program management, red team testing, cyberscenario analysis, cyber playbooks, cyberthreat identification and modelling, and cybermetrics and reporting.
Cyber professionals spend a lot of effort on technical measures to prevent an attack, detect an attack and recover from an attack. What if an attack leads to a cyberincident (BOOM!) that causes real damage and impacts the business, including reputational damage, loss of clients and potentially a threat to the existence of the organisation? This session is not about technical measures to prevent or recover from an attack, but the business processes and collaboration needed in an organisation to limit the impact to the brand and to restore confidence after the incident while minimizing chaos and loss of precious time. Successfully navigating the aftermath of a cyberincident requires a coherent effort by a multi-functional senior Cyber Crisis Management Team, an effective communication strategy and clear and concise process flows containing well-defined inputs and outputs between key stakeholders inside and outside the organisation.
Allan Friedman (NTIA / US Department of Commerce, US), Tomo Ito (JPCERT/CC, JP)
Dr. Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multi-stakeholder processes on cybersecurity, convening cross-sector working groups with a focus on resilience in a vulnerable ecosystem.
Tomo Ito has been working as a vulnerability information coordinator at JPCERT/CC for 4 years. His current focuses include international collaborations regarding vulnerability coordination topics with organizations around the globe.
The value of transparency around third party software component use is becoming increasingly apparent. Understanding what makes up our software can help those who make software, those who buy it, and those who operate it. The increasingly popular idea of a 'software bill of materials' (SBOM) can drive real change. Yet risk aversion, culture, and inertia pose obstacles for broader adoption across the global software ecosystem, in the open source world, and in the commercial world. Government regulation is probably not the answer, but industry-wide and international coordination can play a key role in helping promote transparency. This presentation will share two different perspectives on the gaps for SBOM adoption, and how two very different organizations (NTIA in the US and JPCERT/CC in Japan) are helping to establish transparency. We will highlight the broader social benefits identified from software transparency and SBOM use, and the roles of coordinators in our respective countries. We'll also identify the obstacles and gaps that are common--and different--and the strategies for bridging these gaps.
Adam Pennington (MITRE, US)
Adam Pennington (@_whatshisface), Principal Cyber Security Engineer, MITRE
Adam Pennington is a member of the core ATT&CK team, and collected much of the intelligence leveraged in creating its initial techniques. He has spent much of his 10 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon's Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has published in a number of venues including USENIX Security and ACM Transactions on Information and System Security.
Deception has become a popular concept in cybersecurity, but are we really fooling adversaries? Honeypots and other technical solutions often don’t align with what real adversaries do. This presentation will examine how we can successfully deceive adversaries by using threat intelligence mapped to MITRE ATT&CK™.
In classical deception planning, intelligence serves a key role in understanding an adversary’s likely beliefs, expectations, and reactions, but this often hasn’t carried over into the cyber realm. In this talk, I’ll show how to bridge that gap and leverage ATT&CK for cyber deception planning. I’ll present a methodology for making decisions on where to focus deception resources based on adversary techniques and how to align deception capabilities with the expectations and visibility of real cyber threat actors. Attendees will learn how they can leverage cyber threat intelligence to deceive their adversaries and gain valuable new intelligence as they do so.
May 12, 2020 17:00-18:00
Pennington-ATTACK-Deception-FIRST-CTI-pr.pdf
MD5: 48886e1863b4c30c97029569180b4999
Format: application/pdf
Last Update: June 7th, 2024
Size: 18.87 Mb
Anastasios Pingios (Booking.com, NL)
Anastasios Pingios is a security professional who started on the exploit development and vulnerability research side around 15 years ago and later switched to the defensive side. He holds an M.Sc. in Secure Computing Systems from the University of Hertfordshire and numerous certifications on the subject of intelligence collection and intelligence analysis, and has presented on a wide variety of topics, from unconventional phishing techniques to secure architecture in the cloud and building successful intelligence teams. Currently, Anastasios is Principal Security Engineer at Booking.com and for the last few years he has been focusing on threat intelligence from a holistic perspective that takes into account all domains instead of just cyber.
The talk goes through the journey from having no dedicated threat intelligence resources, to having an intelligence-driven organization. We will go through the different phases, key challenges and how to overcome them, as well as how to measure and demonstrate the value and maturity of intelligence-driven security. The goal of this talk is to help you avoid common mistakes in the process of building a threat intelligence function, and later on maturing and expanding it to more areas within your organization and the community.
May 4, 2020 17:00-18:00
FIRST-2020-CTI-Webinar-Series-Building-an-intelligence-driven-organization-Pingios.pdf
MD5: 1bdb401b64bfa0d7f4c082eb9bfbd45f
Format: application/pdf
Last Update: June 7th, 2024
Size: 726.71 Kb
Chung Kuan Chen (CyCraft Technology, TW)
Chung-Kuan Chen (Bletchley) is currently a senior researcher at CyCraft, where he is responsible for organizing the research team. He earned his PhD in Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerabilities, malware and program analysis. As a founder of the NCTU hacker research clubs, he trains students to participate in world-class security contests, and has participated in the DEF CON CTF twice. He has also given technical presentations at non-academic conferences such as HITCON, RootCon, CodeBlue OpenTalk and VXCON. As an active member of the Taiwan security community, he sits on the review committee of the HITCON conference and is the ex-chief of CHROOT, the top private hacker group in Taiwan. He organized the BambooFox team to join bug bounty projects, discovering CVEs in COTS software and several vulnerabilities in campus websites.
To cope with the exponential growth of security incidents, automatic threat hunting via machine learning (ML) is increasingly being employed. The huge number of false positive security alerts can thus be removed more efficiently, leaving only the most severe incidents to be analyzed by human analysts. However, the complicated threat hunting process cannot be resolved by one single ML component. An ML pipeline, which consists of several ML components, should be constructed. In this talk, we explain the technical details behind an AI-based threat hunting engine. We will introduce our trial and error procedure during the development of the system, and highlight the mistakes and challenges we encountered. Despite an imbalance in the data size, which makes pure supervised machine learning inefficient, unsupervised learning, graph algorithms and NLP techniques can be utilized. We demonstrate that although a single event cannot fully reveal a threat, by connecting the related events and illustrating the whole cyber storyline, important details of this threat can be uncovered. Additionally, some ML-based methods that can help with forensics and malware reversing are also introduced.
Nicholas Liu (Air Force Computer Emergency Response Team, US)
First Lieutenant Nicholas Liu currently serves as the Officer-in-Charge of Current Operations for the Air Force Computer Emergency Response Team (AFCERT). He oversees day-to-day cyberspace security and defense for the enterprise Air Force Information Network. Prior to serving in his current role, he served as Chief of Incident Response and as a Tier 1 network analyst. Lieutenant Liu is a graduate of the Air Force Academy and Columbia University, with a Bachelor of Science in Military and Strategic Studies and a Master of Arts in Regional Studies: East Asia, respectively.
Large-scale entities have a global network presence, requiring the employment of multiple cybersecurity organizations and teams. In entities such as the United States Air Force, these organizations and teams have different maturity levels, responsibilities, and operating procedures. This creates a wicked problem when trying to synchronize disparate organizations toward a common goal of securing an enterprise-level network. The purpose of this presentation is to highlight the Air Force Computer Emergency Response Team's (AFCERT's) implementation of military operational and organizational methodologies to overcome this wicked problem. Specifically, this presentation showcases the concept of mission command to build a team of teams, with the ultimate goal of securing a network. By creating an intent-driven environment, the AFCERT was able to synchronize different organizations' capabilities in an efficient manner that transcended organizational culture. This will be highlighted in two different case studies: one in which mission command was deliberately planned in support of a threat hunt, and one in which mission command proved critical to incident response.
Marie Moe (SINTEF, NO)
Dr. Marie Moe cares about public safety and securing systems that may impact human lives. Marie recently joined mnemonic as a senior consultant in threat intelligence and incident response. Before this she was a senior scientist and research manager for the Infosec research group at SINTEF. She is also an associate professor at the Norwegian University of Science and Technology, where she teaches a class on incident response. She has experience as a team leader at the Norwegian Cyber Security Centre NorCERT, where she did incident handling of cyberattacks against Norway’s critical infrastructure. She is known for doing research on the security of her own personal critical infrastructure, an implanted pacemaker that is generating every single beat of her heart. Marie has been a proud member of the FIRST community since 2011, and this will be her fourth time presenting at the Annual FIRST Conference.
The independent research institute SINTEF has performed an empirical study of cyber incident response readiness in the Norwegian petroleum industry. This talk will present results from the interview study, that included 12 subject area experts in oil and gas companies and drilling operators, plus 8 subject area experts in national and international CERT teams. The study shows that smaller actors suffer from limited collaboration, especially in active incidents or crises. Oil and gas companies and drilling companies share information and experience in various (virtual) meeting places and forums organized by external actors, but there is little focus, especially among the smaller companies, on systematic sharing of information and experiences of cyber incidents. There is a wish for a more proactive CERT function and particularly an information sharing center (ISAC). Not all oil and gas companies or drilling rig operators distinguish between cybersecurity incidents in IT and OT systems, and views vary widely concerning who is responsible for security in and between IT and OT. The results from this study were published in a Norwegian report in 2019 by SINTEF and the Norwegian Petroleum Safety Authority, but it has yet to be presented to a wider, international audience.
Christopher J. Romeo (Security Journey, US)
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. For more information, see https://www.linkedin.com/in/securityjourney/
Everyone wants to improve the application security of their organization, but what if your company does not have a million dollars to spend? How do small/medium organizations and those with limited budget make any progress with application security? What if you could learn which open source projects fit together to solve your application security problems, and receive advice on how to get started?
In this session, explore the various application security open source projects that exist in the OWASP universe. You’ll learn how to choose the right projects to match your organizational needs.
Training/awareness, process/measurement, and tools are the categories of projects explored. Each explanation includes project purpose, a plan for use, a risk rating based on maturity/lifespan, the required number of human resources for success, and a measure of impact.
Advice per project provides an idea for how you can start rolling each of these application security improvements out to your organization. Explore how to engage your organization with a plan, experience enormous advances, and change application security forever.
Romeo_Cheaper_by_the_dozen.pdf
MD5: 1fd4f9f6af902bee4429337a12819157
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.61 Mb
Andrej Petrovski (SHARE Foundation), Dmitri Vitaliev (Equalit, CA), Hassen Selmi (Access Now Digital Security Helpline, DE), Nighat Dad (Digital Rights Foundation)
Andrej Petrovski is Director of Tech/CERT at SHARE Foundation, based in Belgrade, Serbia, with a background in Software Engineering and Master's studies in Electronic Crime and Digital Forensics. He works on obtaining and analysing evidence in cases of cybercrime that occur in the online media sphere. He also researches the impact of cyber attacks on basic human rights in the digital environment, such as freedom of speech, freedom to access knowledge and information, and related rights. In the past year, he started researching Internet cartography and data within Share Lab, a part of Share Foundation that focuses on multidisciplinary research of metadata and the Internet.
Dmitri is the founder and director of eQualitie, with fifteen years of experience working on digital security and privacy technology with civil society organizations. He has led and participated in missions to over 40 countries, and is a recognized expert on technology training and organizational security. He is the author of the Digital Security and Privacy for Human Rights Defenders manual and was a founding member and coordinator of the NGO-in-a-Box Security Edition project. Since 2011, Dmitri has led the eQualitie team and its various projects.
Hassen is the Incident Response Coordinator at Access Now. He graduated from the Tunisian National School of Computer Science (ENSI) as a software engineer in October 2014 and has since been part of the Access Now Digital Security Helpline. He is a GIAC-certified security incident handler (certification valid until June 2023). His day-to-day work is to oversee the incident response efforts of the Helpline team and to be a second-level point of contact for incidents such as system and account compromises, phishing, shutdowns, data leaks and DDoS attacks, among others.
Nighat Dad is the Executive Director of the Digital Rights Foundation. Nighat is one of the pioneering women's rights activists in Pakistan, has played a pivotal role in defining the cyberspace narrative in the country, and has been at the forefront of Pakistani feminist movements. She was recently named a member of the Facebook Oversight Board, an independent and diverse committee that works to keep content on Facebook in check. A lawyer by profession, Nighat was also listed as a TIME magazine Next Generation Leader back in 2015, and won the Human Rights Tulip Award in 2016. Nighat is also a TED Global Fellow and has used these platforms to create awareness about the patriarchal strongholds in Pakistan, and how they affect the everyday lives of women, online and offline. Nighat believes in leading by example and has formed a team comprised almost entirely of women who share her vision and commitment to the cause. She also believes in being an equal opportunity employer.
Members of the CiviCERT initiative will present the global network of rapid responders that is growing around the RaReNet/CiviCERT initiative (https://www.rarenet.org/ - https://www.civicert.org), aimed at networking among grassroots rapid responders and non-profit help desks and service providers to support each other and share information on threats targeting civil society.
Brian English (SAS Technical Support, US), Sallie Newton (SAS Product Security Office, US), Steve Hart (SAS Institute, US)
Brian English, Product Security Lead, SAS Technical Support
Sallie Newton, PSIRT Lead, SAS Product Security Office
Steve Hart, Head of Product Security, SAS Institute
While product security is not a new topic at SAS Institute, the concept of having a PSIRT was new to SAS just a few years ago. In this presentation we will discuss how the PSIRT was established at SAS using aspects of the FIRST PSIRT Framework, our current mode of operation, and the challenges encountered. As a leading analytics software vendor, we believe that statistics can and should be used to solve hard problems. In the context of PSIRT we have used our own Visual Analytics software to measure and track security defects across R&D. We will discuss the metrics we have found to be most useful to drive change across the organization.
Collecting-PSIRT-Metrics-That-Drive-Change.pdf
MD5: 6d39e620c77b232306e4e2d350119527
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.18 Mb
Andras Iklody (CIRCL, LU), Trey Darley (CERT.be, BE)
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
During his many years working in infosec Trey has instigated constructive mischief across a wide swathe of organizations and sectors. As part of the CERT.be team he leverages his deep background in CTI to build and deploy tools to protect Belgium as well as the wider community.
Trey serves alongside Richard Struse as co-chair of the OASIS Cyber Threat Intelligence (CTI) Technical Committee responsible for the STIX and TAXII standards. His articles have been featured in publications such as IEEE Security and Privacy and USENIX ;login:, and he has presented at a number of security conferences, including O'Reilly Security, BruCON, USENIX LISA, RSAC, and various FIRST events.
Sharing threat information has become commonplace these days, but it typically amounts to little more than sharing raw indicators of compromise, which is of limited utility for most recipients. The information most sought after is the context which explains why it's relevant, how we're supposed to use it, and how it was obtained. Just as the introduction of means of making astronomical observations outside the visible light spectrum advanced our understanding of the cosmos surrounding us by orders of magnitude, so adding currently invisible context to our threat data promises to increase our situational awareness about our risk exposure. Let's bust out a bigger box of crayons and start coloring outside the lines!
Ronald Deibert (University of Toronto, CA)
Ron Deibert, (OOnt, PhD, University of British Columbia) is Professor of Political Science, and Director of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto. The Citizen Lab is an interdisciplinary laboratory focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security. He was a co-founder and a principal investigator of the OpenNet Initiative (2003-2014) and Information Warfare Monitor (2003-2012) projects. Deibert was one of the founders and (former) VP of global policy and outreach for Psiphon, one of the world’s leading digital censorship circumvention services.
As Director of the Citizen Lab, Deibert has overseen and been a contributing author to more than 120 reports covering path-breaking research on cyber espionage, commercial spyware, Internet censorship, and human rights. These reports include the landmark Tracking Ghostnet report (which uncovered an espionage operation that infiltrated the computer networks of hundreds of government offices, NGOs, and other organizations, including those of the Dalai Lama), China’s Great Cannon (an offensive tool used to hijack digital traffic through Distributed Denial of Service attacks), the Kingdom Came to Canada (an investigation of a Canadian permanent resident, Saudi dissident, and Khashoggi colleague who was targeted with commercial spyware), and the Reckless Series (an investigation into the abuse of commercial spyware to target journalists, anti-corruption advocates, and public health officials in Mexico). These reports have been cited widely in global media, garnering 25 front-page exclusives in the New York Times, Washington Post, and other leading outlets, and have been cited by policymakers, academics, and civil society as foundational to the understanding of digital technologies, human rights, and global security.
Political struggles in and through the global Internet and related technologies are entering into a particularly dangerous phase for openness, security, and human rights. A growing number of governments and private companies have turned to "offensive" operations, with means ranging from sophisticated and expensive to home-grown and cheap. A large and largely unregulated market for commercial surveillance technology is finding willing clientele among the world's least accountable regimes. Powerful spyware tools are used to infiltrate civil society networks, targeting the devices of journalists, human rights defenders, minority movements, and political opposition, often with lethal consequences. Meanwhile, numerous disinformation and harassment campaigns are feeding intolerance and even violence, largely without mitigation. Drawing from the last decade of research of the University of Toronto's Citizen Lab, I will provide an overview of these disturbing trends and discuss some pathways to repairing and restoring the Internet as a sphere that supports, rather than diminishes, human rights.
via Zoom
2020 FIRST Capture the Flag Challenge
June 26, 2020 10:00-11:00
MD5: eee867338825cad71a47aeadd6aec6a8
Format: application/pdf
Last Update: June 7th, 2024
Size: 1004.49 Kb
MD5: 848052ca825aceb22350b3cc918fef3d
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.6 Mb
via Zoom
2020 FIRST Capture the Flag Challenge
June 22, 2020 10:00-11:00
FIRST-Virtual-CTF-Intro-Meeting.pdf
MD5: 970f526e009d9163d780d842eb2040d9
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.43 Mb
Chris O'Brien (EclecticIQ, NL)
Chris O'Brien is a SANS Cyber Guardian and card-holding structured intelligence diehard. He has worked across public and private sectors as an intrusion analyst, incident responder and CTI specialist. Chris now dedicates his time to enabling practitioners through CTI tooling and structured data modelling.
The combined knowledge of the cyber security and intelligence community is vast and yet many teams still work in splendid isolation. This talk will work through an example, active intrusion set - worked on in separate teams - to show the highs and lows of parallel analysis. We investigate how multiple viewpoints increase intelligence quality but also introduce bias and data complexity - and then show how to solve that with (free) technology.
In this talk we explore the concepts that underpin true intelligence collaboration and describe a means to achieve it using STIX and elasticsearch. This method applies the core concepts of search (elasticsearch), provenance (in a git-like way) and data modelling (purist STIX) to produce a truly global and collaborative threat intelligence repository.
May 6, 2020 17:00-18:00
200211-FIRSTCTI-CTI_Collaboration_final.pdf
MD5: b4b50810003cccca11f93d57a6949df4
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.43 Mb
Dave Dugal (Juniper) & Dale Rich (DTCC)
June 23, 2020 10:00-10:50
CVSS-v4-FIRST-SIG-Update-2020-v3.pptx
MD5: 0ffdc510ad285dcf8f7be261dd8da551
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 744.32 Kb
Dr. Jan Lemnitzer (Copenhagen Business School, DK)
The escalating ransomware problem has put a strong focus on existing issues in the cyber insurance sector. After analyzing current trends, this presentation will examine to what extent government regulation of the sector can offer possible solutions for three longstanding issues and foster a more mature industry.
Has the possibility of claiming ransom payments on cyber insurance policies contributed to the current problem, and should regulators ban such coverage?
Are the ways in which the insurance industry measures the cyber risk of companies still appropriate for the current threat environment? How valuable is old data, and will future approaches emphasize automated technical solutions, threat assessments, or ratings provided by external auditing agencies?
While big companies getting hit grab the headlines, ransomware is just as big a problem for small and medium-sized companies. With notoriously low IT security standards and typically no cyber insurance cover or bank credit line to recover from an attack, they are particularly vulnerable. Finding IT certifications designed for more mature companies hard to implement and their budgets stretched, many of them struggle to improve their defences. Could a new minimum IT security standard designed for SMEs, combined with compulsory cyber insurance, provide meaningful support for this group of companies?
Cyber Insurance SIG Webinars
June 29, 2021 11:20-12:30
Cyber-insurance-Ransomware-and-Regulation.pdf
MD5: 031a6f6c3a8f824c1eaf6c29ad16009b
Format: application/pdf
Last Update: June 7th, 2024
Size: 214.66 Kb
Eireann Leverett (Concinnity Risks) & Michael Spreitzenbarth (Munich Re) & Rick Welsh (Rivington Partners)
June 22, 2020 11:45-12:00
MD5: f54a45a3dbc2a3b39bf39f8ac4366f80
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 1.19 Mb
Vincent Le Toux (VINCI, FR)
Vincent Le Toux works in a French utility at the edge of management and the blue team. He is the author of Ping Castle, an Active Directory security tool. He has also made many open source contributions to projects such as mimikatz, OpenPGP, OpenSC, the GIDS applet, etc. Finally, he has already presented at security events, mainly FIRST, BlueHat, BlackHat, Troopers and Hack In Paris.
With my limited budget and resources, I was already dealing with multiple projects such as SOC, vulnerability scanner, ... and incidents. But new actors such as BitSight, Cyrating, SecurityScorecard are meeting my top management and getting their rating solution sold. Now, it's up to me to fix the issues reported by these tools. And I did it ... twice with two different providers. In this talk, I'll detail how cyber rating companies build their score, and what the computation differences are. I'll also share the experience I got in remediation: if you think about having an Excel file to track the issues, or delegating it, you are completely wrong! I'll also zoom into an unexpected benefit: getting management attention and managing shadow IT.
Alice Hutchings (University of Cambridge, US)
Alice Hutchings is a University Lecturer in the Security Group at the Computer Laboratory, University of Cambridge. She is also Deputy-Director of the Cambridge Cybercrime Centre, an interdisciplinary initiative combining expertise from computer science, criminology, and law. Specialising in cybercrime, she bridges the gap between criminology and computer science. Generally, her research interests include understanding cybercrime offenders, cybercrime events, and the prevention and disruption of online crime.
Every day, hundreds of people fly on airline tickets that have been obtained fraudulently, and much of this is facilitated by cybercrime. I will use this example to explore cybercrime in more depth, and understand its real-world impacts. I will explore the trade in these tickets, drawing on interviews with industry and law enforcement, and an analysis of an online black market. Tickets are purchased by complicit travellers or resellers from the online black market. Victim travellers obtain tickets from fake travel agencies or malicious insiders. Compromised credit cards used to be the main method to purchase tickets illegitimately. However, as fraud detection systems improved, offenders displaced to other methods, including compromised loyalty point accounts, phishing, and compromised business accounts. In addition to complicit and victim travellers, fraudulently obtained tickets are used for transporting mules, and for trafficking and smuggling.
Cyber Insurance SIG Webinars
December 20, 2019 13:00-14:30
Jaromir Horejsi (Trend Micro, CZ)
Jaromir Horejsi: Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
Daniel Lunghi: Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigation for years, and now focuses on tracking advanced threat actors from all over the world.
In order to achieve their espionage goals, threat actors need a mechanism to exfiltrate data from their targets. Malware developers have a multitude of choices to achieve this task, among which are the design and implementation of a custom communication protocol, and the use of an existing protocol offered by various cloud services.
In this presentation, we will first discuss the benefits and limitations of implementing a custom communication protocol. Then, we will explore cases of targeted attacks we investigated thoroughly where the attackers abused third-party cloud services, such as Dropbox, GitHub, Telegram, or Slack. For each case, we will overview the communication protocol and some implementation details, and we will discuss how we, as defenders, can leverage them to our advantage. There will be clear examples of information we obtained using these techniques, highlighting the different opportunities opened by each cloud service for researchers.
Furthermore, the mentioned campaigns involve not only Windows malware but also Android malicious mobile applications, and our research shows cloud service abuse is a worldwide trend. With this presentation, we hope to give valuable inputs to defenders facing such threats.
Stéphane Duguin (CyberPeace Institute)
Stéphane Duguin is CEO of the CyberPeace Institute.
The CyberPeace Institute is an independent, non-governmental organization focused on peace in cyberspace. We aim to decrease the frequency, impact, and scale of cyber-attacks by sophisticated actors that cause significant, direct harm to people. The CyberPeace Institute believes that civilians need to be brought back to the forefront in cybersecurity discussions and be empowered in understanding how their infrastructures are attacked. Through collective analysis of cyberattacks and capacity-building measures grounded in internationally accepted norms, the CyberPeace Institute is confident that positive changes will be made towards the protection of civilians and the overall stability of cyberspace.
Stéphane Duguin will talk on closing the accountability gap: a proposal for an evidence-led accountability framework.
Cyberpeace-TF-CSIRT-meeting-FIRST-Regional-Symposium-Europe-004-.pdf
MD5: 5b7dc908e34927a506b7f4ba8b46e9bd
Format: application/pdf
Last Update: June 7th, 2024
Size: 230.42 Kb
PUBLIC-Stephane-Duguin-CyberPeace.pptx
MD5: 28c881b0729e47dff5010c65cf5ddf9c
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 265.46 Kb
Yang Xu (QIHOO 360, CN)
Yang is a Cyber Security Senior Expert at Netlab360 ( Network Security Research Lab - Qihoo 360, http://netlab.360.com/ ) where he focuses on PDNS / Web / Network data process/analysis and threat research like DDoS Monitoring, Threat Hunting.
Before joining NetLab, he was a Security Engineer in NSFOCUS and has been involved in many different projects, like SOC(security operation center) architecture design and implementation, and network traffic anomaly detection.
We have run China's biggest PDNS database for over 5 years. Combined with other data like URLs and OSINT, we've built a comprehensive data anomaly detection system. The data anomaly is our "needle in the haystack", which triggers our analysis process and then helps us hunt threats quickly and completely. Data anomalies span many dimensions, from NOD (newly observed domain) to NAD (newly active domain), from a new URL pattern to new JS keywords, from statistics-based anomaly to relation-based anomaly, etc. With this "data anomaly visibility", we achieved our "threat visibility". Over the last few months we have used it with a focus on web threat discovery. We've hunted over 5M cybercrime resources; more than 10k compromised websites injected with dozens of new JS scripts; 30+ credit card leakage IOCs, most of which had never been reported before; and many other threats.
Denise Anderson (H-ISAC and National Council of ISACs, US), Jeff Troy (Aviation ISAC (A-ISAC), US), Jim Linn (Downstream Natural Gas ISAC (DNG-ISAC), US), Kim Milford (Research and Education ISAC (REN-ISAC), US), Scott Algeier (IT-ISAC and ICASI, US)
Denise Anderson, MBA, is President of the Health Information Sharing and Analysis Center (H-ISAC), a non-profit organization dedicated to protecting the health sector from physical and cyber attacks and incidents through dissemination of trusted and timely information. Denise currently serves as Chair of the National Council of ISACs, sits on the Board of Directors for the Global Resilience Federation (GRF) and participates in a number of industry groups and initiatives. She was recently elected to a 3-year term on the Cyber Working Group Executive Committee for the Health and Public Health Sector Coordinating Council. In addition, she has served on the Board and as Officer and President of an international credit association, and has spoken at events all over the globe.
Denise was certified as an EMT (B), and Firefighter I/II and Instructor I/II in the state of Virginia for twenty years and was an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia for ten years.
She is a graduate of the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.
Over the past three years, Jeff developed the A-ISAC comprehensive strategy, led the team’s expansion of the Aviation ISAC's services, and tripled membership. He established relationships with global regulators, industry associations, and private sector companies to drive cyber risk reduction across the aviation eco-system. Concurrently, Jeff is employed by General Electric and is on the Board of Directors of the National Defense ISAC. ND-ISAC provides cutting edge cyber security training, intelligence development and a trusted information sharing environment for US cleared defense contractors.
Jeff spent 25 years as a Special Agent of the FBI. He retired as the Deputy Assistant Director for Cyber National Security and Cyber Criminal Investigations.
Jim has spent the past 30 years of his career in Information Technology and Cybersecurity management with several non-profit organizations in the Washington, DC area. He is currently Chief Information Officer for the American Gas Association (www.aga.org), and has worked there for the past twenty years. Prior to that he spent eight years as IT Director for the Chemical Manufacturers Association. He planned IT projects and set technical direction for both of these organizations. In addition, he is a Certified Chief Information Security Officer, Certified Information Systems Security Professional, Certified Association Executive, Certified Information Systems Auditor, and holds many other industry certifications.
In recent years Jim has split his time between internal IT responsibilities and industry responsibilities. Jim is the information technology cybersecurity subject matter expert for AGA’s Cybersecurity Strategy Task Force. In this capacity he has administered cybersecurity reviews with a number of natural gas utilities and also serves as Executive Director for the Downstream Natural Gas ISAC (https://www.dngisac.com/). He is the staff executive for AGA’s Customer Service Committee and Technology Advisory Council. In these capacities he serves senior leaders in the fields of Customer Service and Information Technology within the natural gas distribution industry. The Customer Service area includes an annual benchmarking effort, two workshops and a large conference. The Information Technology area includes two council meetings annually.
Jim has a B.S. degree in Computer Systems Management from Drexel University and an M.B.A. from Drexel University.
Jim has been married to his wife, Marianne, for the past 30 years and lives in Gaithersburg, Maryland. They have three children, Joanna, 26, James, 22, and Jonathan, 20.
Kim Milford serves as Executive Director of the REN-ISAC, working with research and education institutions, partners, and sponsors to provide services and information that allow member institutions to better defend technical environments from cyberthreats. Ms. Milford oversees administration and operations for the REN-ISAC. Ms. Milford served in several roles leading strategic IT initiatives since 2007 at Indiana University. As Chief Privacy Officer, she coordinated privacy-related efforts, chaired the Committee of Data Stewards, and directed the work of the University Information Policy Office and IU's IT incident response team. Prior to joining Indiana University, Ms. Milford worked as Information Security Officer at the University of Rochester. As Information Security Manager at University of Wisconsin-Madison from 1998 - 2005, she assisted in establishing the university's information security department and co-led in the development of an annual security conference. Ms. Milford provides cybersecurity expertise and presentations at national and regional conferences, seminars and consortia, has taught courses on Internet security and has authored/co-authored many articles on the subject. Ms. Milford has a B.S. in Accounting from Saint Louis University in St. Louis, Missouri and a J.D. from John Marshall Law School in Chicago, Illinois.
Scott C. Algeier works at the intersection of cybersecurity policy and operations. He is the Founder, President and CEO of cybersecurity consulting firm Conrad, Inc., Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC), and Executive Director of the Industry Consortium for Advancement of Security on the Internet (ICASI).
The IT-ISAC is a non-profit organization that enables companies to better manage cyber risks to their corporations and the IT infrastructure. As Executive Director, Scott’s responsibilities include the daily management of the organization, developing and implementing enhanced information sharing and analysis capabilities, facilitating cyber incident response across the IT-ISAC member companies, and establishing and maintaining effective partnerships. He is the IT-ISAC’s principal spokesperson, representing the organization to the public, senior leadership at the U.S. Department of Homeland Security (DHS), the U.S. Congress and international organizations.
Scott also is an Officer of the IT Sector Coordinating Council and served as Vice Chair of the National Council of ISACs and as industry Chair of the IT Sector Risk Assessment Committee, which developed the first ever public-private risk assessment of critical IT functions.
Experts in information sharing will discuss how sharing information across the critical infrastructure sectors occurs and will look at challenges faced, benefits received, and the role ISACs and information sharing play in incident response. The session will look at case studies of successful information sharing in cyber and physical incidents including an analysis of case studies of effective sharing and collaboration that mitigated against threats. Discussion will also center on the sharing and collaboration that takes place between the public and private sectors.
Dr. Paul Vixie (AWS, US)
Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, CEO and cofounder of Farsight Security, Inc. Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source Internet software including BIND 8, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first commercial anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). In 2018, he cofounded SIE Europe UG, a breakthrough European data sharing collective to fight cybercrime. Dr. Vixie earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010.
DNS over HTTPS deliberately redraws the Web's political map in favour of web content publishers and web users -- possibly disenfranchising ISPs, law enforcement, and managed private networks who have legal and/or moral rights to monitor or filter DNS transactions. RFC 8484 states that DNS over HTTPS (DoH) is "designed to prevent on-path interference in DNS operations", which is a confrontational and controversial goal. Mozilla for Firefox has chosen a different deployment strategy than Google for Chrome -- but is that necessary? In this 40-minute presentation, Dr. Vixie will briefly explain how we got here and where we are, and offer some alternative strategies for further deployment.
Sami Mokaddem (CIRCL, LU)
Sami Mokaddem is a security software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He graduated from the U. Catholique of Louvain in 2017 as a computer engineer and has been working at CIRCL, the CERT for the private sector in Luxembourg since then. His activities oscillate between software development, giving trainings, publishing papers and playing video games.
Nowadays, sharing information about threats is crucial in cybersecurity incidents to stay on top of the threats and also better protect ourselves. We have observed that organizations regardless of their sector, CERTs/CSIRTs and the like are sharing more and more, leading to a significant increase in data, where issues like data quality, trust and data freshness must be dealt with. To solve these issues, this presentation introduces a method with a flexible model to score IoCs along with a production-ready implementation in MISP, providing new ways of IoC life-cycle management. Attendees interested in having filtered actionable data or desiring to be able to prioritize IoCs based on their assessed quality and freshness will be presented the key points of our solution with real-life examples illustrating the usefulness of the concept.
Fabian Elias Vroom (Ingeniería e Integración Avanzadas (INGENIA) S.A., ES), Francisco Carcaño (Ingeniería e Integración Avanzadas (INGENIA) S.A., ES)
In 2022, more than half of the news we will consume on the network will be false. This was one of the technological predictions that Gartner made for 2018. Two years later, the disinformation scenario is not encouraging.
In this paper, the main characteristics and psychology of disinformation campaigns will be addressed, to detect false news early. In turn, a series of recommendations and good practices for identification are collected.
Several examples are presented (PizzaGate, Veles-Macedonia, WhatsApp-Metro Bank) and statistics, whose purpose is to focus on the magnitude of the problem and the effects and consequences that may result from a disinformation campaign, especially if it is carried out by state actors.
Besides, different research techniques are presented to detect campaigns of this type. Through metadata analysis, ELA error analysis, SNA analysis or reverse image search, it is possible to discern between the veracity of an image that accompanies a particular publication or analyze a disinformation campaign through Social Networks. Use cases are presented (image of immigrant minors in cells blamed on the Trump Administration, creation of a network of bots on Twitter that massively shared content contrary to a particular Spanish political party, or the analysis of the conflict in eastern Ukraine, with the Russian disinformation campaign, through bots on Twitter, viral hashtags, fake news, etc.) where these techniques are applied. In turn, a series of resources (websites, applications or browser extensions) are presented, which make it easier for an average user to identify fake news.
PUBLIC-Fabian-Vroom-Francisco-Carcano-Disinformation_FIRST_Ingenia-final.pdf
MD5: ed2365f5d0b5e355336757a0bd7fa442
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.55 Mb
Dr. Paul Vixie, Chairman (AWS, US)
The rapid adoption of encrypted DNS and its subsequent impact on the security for enterprise networks has been a prominent discussion for the past year. This presentation will explain the two methods for encrypting DNS (DNS over HTTPS and DNS over TLS, known as DoH and DoT), and the potential threats and dangers encrypted DNS presents to enterprise networks. We will then examine the publicly-stated implementation strategies of Google, Apple, Microsoft, and Mozilla as it relates to operating system and browser support for encrypted DNS. The presentation will include recommendations and advice for how enterprise networks may adjust to the presence of applications and operating systems with support for encrypted DNS inside their networks.
Presenter’s Bio:
Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, Chief Executive Officer and Cofounder of award-winning Farsight Security, Inc. He was inducted into the Internet Hall of Fame in 2014 for work related to DNS. Dr. Vixie is a prolific author of open source Internet software including BIND, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). Dr. Vixie served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. Dr. Vixie is a sysadmin for Op-Sec-Trust. He earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010. Dr. Vixie is a highly sought-after keynote speaker and has spoken at conferences around the world.
2020 FIRST Virtual Symposium for Latin America and Caribbean
Virtual
October 8, 2020 15:05-15:30
Hosted by LACNIC34 and CERT.br/NIC.br
Vixie-DoH-FIRST-LAC2020-FINAL.pdf
MD5: ca3e6e8a4e415162d2acad602d8abf4c
Format: application/pdf
Last Update: June 7th, 2024
Size: 904.89 Kb
Anna Bertiger (Microsoft, US), Holly Stewart (Microsoft, US), Sharada Acharya (Microsoft, US)
Anna Bertiger is a Senior Data and Applied Scientist at Microsoft Defender Advanced Threat Protection. She focuses on lateral movement detection for the EDR product and also works on cross product responsible AI efforts. Before becoming a data scientist, Anna was an academic mathematician, receiving a PhD in mathematics from Cornell University in 2013 and holding a postdoctoral fellowship in the Department of Combinatorics and Optimization at the University of Waterloo.
Holly has been in the security industry since 1997. She’s held roles in many types of disciplines, such as product and program management, incident response, communications, and data science. She started working for Microsoft in 2010. Currently, she is a Principal Research Manager for the Windows Defender Advanced Threat Protection team. Her team of researchers and data scientists use machine learning, automation, and other next generation capabilities to protect people from malware.
Sharada is a Senior Applied Scientist in the Microsoft Information Protection team. The focus of her work is building solutions that help Microsoft customers with their compliance requirements such as GDPR and HIPAA, which gives her an opportunity to wear the customer hat and make privacy and compliance practically possible at scale. Before joining Microsoft in 2015, she was a graduate student at Columbia University, New York, studying Machine Learning and Natural Language Processing.
Defenders and security vendors have turned to AI to scale defenses and identify targeted attacks. AI at this scale requires data, lots and lots of it. Any AI practitioner will tell you that the more data you feed the system, the better it will perform, especially when it comes to deep learning approaches. As defenders, we strive to collect the best information to train our AI to help the people that matter. Does it come at the cost of privacy? What do you do when these two things are at odds? Do you sacrifice data collection and privacy knowing detection and protection will suffer? Do you fight for the data you know you need, but risk a backlash on privacy and trust? At Microsoft, we have an internal saying, "Microsoft runs on trust". We have to be trusted by our customers, by our partners, and by the governments and the institutions that we work with globally. Yet still, we are enlisted to keep them safe - over a billion of them! In this session, we will discuss the challenges we face, the lessons we've learned, and the techniques of today and the future that can deliver on both promises: privacy AND security.
Shawn Richardson (nVIDIA) & Jeroen van der Ham (NCSC-NL)
Jeroen van der Ham is associate professor of Cyber Security Incident Response at the University of Twente and combines this with his work at the National Cyber Security Centre in The Netherlands (NCSC-NL).
June 22, 2020 10:00-10:50
FIRST-2020-Pillars-of-the-Code-of-Ethics.pptx
MD5: bea349af67a24a5e3fba6544ad5a6b3f
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 2.53 Mb
Chieh-Fang Lai (Panasonic corporation, TW), Satoru Higuchi (Panasonic corporation, JP)
Chieh-Fang Lai: • Security Analyst in Panasonic (2019-now) • Security Analyst in ForceShield Inc. (2017-2019) • Embedded Engineer in Ruckus (2016-2017) • Security Engineer in ICST (2014-2016) • Co-founder of HITCON GIRLS • CyberSec Speaker in 2017,2019 • HITCON Speaker in 2015 • Certification : CEH, GREM, ISO 27001, ISO 20000
Satoru Higuchi: Satoru Higuchi is a member of the Product Security Global Strategy Department in the Product Security Center at Panasonic. He started his career at JPCERT/CC. He worked for several companies as a managed network service provider, SOC vendor, etc. After joining Panasonic in 2018, he has focused on improving security for IoT systems by delivering Product security training for internal developers, and collecting/analyzing threat intelligence related to IoT.
Whether at home or at the workplace, we are increasingly becoming reliant on various devices that have the ability to connect to the internet, more commonly referred to as the Internet of Things (IoT). As a product manufacturer, Panasonic strives to place secure products on the market for our users.
As IoT has become more and more popular, Panasonic has devoted time to understanding the threats against IoT and its associated risk. One such project aimed at this is a threat intelligence system, made from a physical honeypot, a software honeypot and a sandbox. Software honeypots are commonly used by security teams, but at Panasonic, we have been able to take advantage of the devices we manufacture and are using not only real appliances in the market but also unreleased products as physical honeypots.
As such, we have been able to collect information on attacks targeting our devices. To date, our system has detected over 179 million attacks and collected over 25,000 malware samples. Of the collected malware samples, about 4,800 targeted IoT devices of which over 20% were not in VirusTotal at the time of collection.
In this session, we will talk about the architecture of our honeypot, and then go on to discuss the types of malware that we have seen through our physical honeypot as well as sharing some data on our analysis of the attacks. With our ultimate goal being able to manufacture cyber resilient IoT devices, we will discuss ideas on how our findings can be utilized by product development teams and any other findings through this project.
Michael Hamm (CIRCL, LU)
New lessons learned in a forensic lab based on real cases.
PUBLIC-Michael-Hamm-circl_dfir_lessons-Jan-29th.pdf
MD5: 371a015fca694018fa7796016c91a563
Format: application/pdf
Last Update: June 7th, 2024
Size: 531.95 Kb
Graham Westbrook (Living Security, US), Wilson Bautista (Jün Cyber, US)
Graham J. Westbrook, Dir. of Intelligence & Content, Living Security. Graham is an intelligence analyst by training, cybersecurity analyst by trade and creative at heart. He is responsible for managing Living Security's threat intelligence program and content strategy for the Living Security (SaaS) platform. A writer with bylines at top cybersecurity firms, Graham holds a B.A. in Intelligence studies and Russian from Mercyhurst University and an M.S. in Criminal Justice and Forensic Psychology from Liberty University. Speaker at InfoSecWorld 2019, RMISC 2019, Toronto RiskSec 2017 & SANS Security Awareness Summit 2017.
Wilson Bautista, Jr. is a retired US military officer who is currently the founder of the consulting firm Jün Cyber. His expertise is in the domains of InfoSec leadership, policy, architecture, compliance, and risk. He holds multiple InfoSec and IT certifications as well as a Master's degree in Information Systems from Boston University. He is an INTP on the Myers-Briggs Type Indicator with a Driver-Driver personality. As a practitioner of Agile and SecDevOps, he develops innovative, integrated, enterprise-scale cyber security solutions that provide high value to businesses.
The fog of war is an old metaphor to describe uncertainty and fatigue during war-time. New research suggests that noise is a more accurate metaphor to describe the deafening uncertainty and alert fatigue we experience in daily operations. Cyber threat intelligence (CTI) is no exception. Our goal is to reduce uncertainty for decision-makers (human and machine) in combating cyber threats. But what if, before all else, that decision-maker is you?
We need to rethink what "intelligence" really means and how it is applied across our organizations. This session will zoom out from the CTI front lines to help analysts and leaders alike understand the relationship between mind and machine, the necessity of separating noise from signal and the tools for acting with confidence. We will reimagine how we can develop priority intelligence requirements (PIRs) to address business risk, explore a new framework for reducing decision fatigue and understand how to use principles of intelligence analysis to achieve our mission. From hardware to end user, this is one discussion you don't want to miss.
May 13, 2020 18:00-19:00
MD5: 64a93b212baef6e9d7b6ff10ac6dc25c
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.19 Mb
Jean-Robert Hountomey (AfricaCERT, US), Yukako Uchida (JPCERT/CC, JP)
A researcher at heart, Jean-Robert Hountomey's research focuses on law, technology, and Internet governance issues. An Internet pioneer in West Africa, he is also a founding member of the Africa Forum of Computer Security and Incident Response Teams (AfricaCERT) and the African Anti-Abuse Working Group. He has worked with government officials, industry, and academia on Internet policy issues, capacity building, information security, product security, the secure software development life cycle, and privacy risk management for two decades. He has contributed to the PSIRT and Multi-Vendor Coordination frameworks of the Forum of Incident Response and Security Teams (FIRST), the CVE Outreach and Communications Working Group (OCWG), the African Union Cybersecurity Expert Group, the Interpol Africa Working Group, the UN Open-Ended Working Group (OEWG), ICANN, ISOC, AfriNIC, AfNOG and AfrISPA.
Yukako Uchida is the Leader of Global Coordination Division at Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). She is responsible for international collaboration activities with overseas Cyber Security Incident Response Teams (CSIRTs), mainly in the Asia Pacific region. She acts as the point of contact for Asia Pacific Computer Emergency Response Team (APCERT), for which JPCERT/CC serves as the Secretariat, and is in charge of administrative duties.
She also contributes to JPCERT/CC’s English Blog both as an author and a translator, which provides updates about its latest international activities, cyber security trends and technical observations (https://blogs.jpcert.or.jp/).
The essence of cyber security is defending a wide range of stakeholders, hence the importance of information sharing with peers. In parallel to FIRST's global approach to bring CSIRTs from all over the world together, there are also regional CSIRT communities, such as APCERT in the Asia-Pacific region and AfricaCERT in Africa. Each regional body makes efforts to raise CSIRTs' capability in the area and bolster the collaboration among its members. It also aims to work as a bridge to international fora such as FIRST and other regional CSIRT communities. This session invites panellists from different regional CSIRT communities to discuss what current practices in each regional body exist, how they aim to improve their capability respectively and how these activities can potentially improve the cyber security posture in the global context.
Yu Kai Tan (SG)
Yu Kai Tan is a Senior Incident Responder at gojek. Prior to that, he spent 1 year and 5 years respectively at VMware and a Singapore Government agency performing computer forensics and IR. He believes in contributing back to the community and has released multiple open-source scripts such as ArtifactExtractor, evtx2json, autoripy, and registryFlush.
Endpoint Detection and Response (EDR) solutions have brought unprecedented visibility into events occurring on network hosts. Incident responders are increasingly reliant on them to complete their investigations, and can often do so without collecting forensic artefacts from these hosts for further analysis. Forensic artefacts, on the other hand, have often been the bane of responders and analysts: their availability and value differ across operating system versions, and there is often a need to validate and compare the parsed output of different tools to ensure accuracy. Given this situation, can incident responders finally stop the never-ending race of keeping up to date on forensic artefacts and rely fully on the detection and response capabilities of EDR? This is what the presentation seeks to address, and it puts forward the view that knowledge and analysis of forensic artefacts are still necessary. Comparisons will be made between the value provided by EDR events and forensic artefacts, and self-created open-source scripts will be introduced that bring the best of both worlds.
John Stoner (Splunk, US)
John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that focus on enhancing these specific security skills. His writings can be found on Splunk blogs, most notably in the Hunting with Splunk: The Basics and Dear Buttercup: The Security Letters series. John developed and maintains a Splunk application that drives greater situational awareness and streamlines investigations. He enjoys problem solving, writing and educating. When not doing cyber things, John is often found reading or binge-watching TV series that everyone else has already seen. During the fall and winter, you can find him driving his boys to hockey rinks across the northeast part of the United States. John also enjoys listening to what his teammates call "80s sad-timey music."
No, this isn't a tale about an impending downward spiral or a fictional story with the classic conflict between man versus self, this is an opportunity to share with you how I created an adversary based on CTI and the MITRE ATT&CK framework that we are using to educate blue teamers to be more effective hunting threats and conducting security operations!
During this talk, we will look at why we perform adversary emulations, how our adversary was constructed and how CTI-reported TTPs were leveraged to create a realistic scenario for our adversary to carry out their attack. We will look at how a framework like MITRE ATT&CK can be used to help develop the scenario, as well as how it can be used post-attack to understand technique coverage across an organization. We will also talk about the challenges encountered along the way when constructing the scenario.
Coming out of this talk, you will have a better understanding of what it takes to create your own adversary, a better appreciation around the symbiotic relationship between threat hunting, security operations and threat intelligence as well as a model to create your own APT scenarios if you wish!
May 13, 2020 17:00-18:00
FIRST_CTI2020-Become-Your-Own-Adversary.pdf
MD5: be9085d662b7fb171b8fa23223020709
Format: application/pdf
Last Update: June 7th, 2024
Size: 49.41 Mb
Adam Wallis (NVIDIA, US), Jessica Butler (NVIDIA, US)
Jessica Butler is a Senior Application Developer and lead for NVIDIA’s Product Security Tools team. Jessica has over 13 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. She has earned certifications in Java, Ruby and Cisco’s CCNA. In her free time Jessica enjoys gardening, rehabbing her 100+ year old urban home and traveling with her family, BJ, Sebastian (5) and Eliza (3).
Adam Wallis is a Senior Application Developer for NVIDIA’s Security Tools team operating in a security devops role in addition to providing custom software security solutions to product teams at NVIDIA. Adam has over 13 years of software and security experience and earned a BS in Electrical Engineering from Virginia Tech and MS in Electrical and Computer Engineering from Johns Hopkins University. Outside of work, Adam enjoys the sport of lock-picking and smart-home integration/hacking.
Often, security is bolted on at the release phase. This pushes risk triage into the most stressful part of the development cycle and can lead to one-off scans that are neither effective nor sustainable.
Shift security left by integrating security services into build pipelines! It’s important to collaborate with product teams by helping with integration. This helps security tools developers spread best practices and become a friendly face!
Security doesn’t have to be the foe! We’ll demo how to add security vulnerability detection to a build pipeline in a few lines. Session attendees will benefit by leaving with a solution they can try now!
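As an added example (not NVIDIA's tooling and not the demo from this session), the kind of gate a pipeline step can run over a scanner's output so that findings are triaged at build time rather than at release. The report schema, the severity ordering, the threshold and the accepted-risk list are assumptions made for illustration, and the findings are constructed; a real scanner's output would need a small adapter into this shape.

```python
"""Build-pipeline gate over a vulnerability scan report (added example).

The report schema below is a constructed, generic one for illustration;
real scanners emit their own formats and would need a small adapter.
"""
import json
import sys

# Severity ordering used by the gate. Anything not listed is treated as
# blocking (fail closed) so a scanner schema change cannot silently
# disable the check.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, standing in for a scanner step's JSON output.
SAMPLE_REPORT = {
    "findings": [
        {"id": "DEP-0001", "severity": "critical", "component": "libexample 1.2.0",
         "title": "remote code execution in archive parser", "fixed_in": "1.2.1"},
        {"id": "DEP-0002", "severity": "high", "component": "tinyutil 0.9.0",
         "title": "path traversal in file helper", "fixed_in": "0.9.3"},
        {"id": "DEP-0003", "severity": "medium", "component": "logfmt 2.0.0",
         "title": "uncontrolled resource consumption", "fixed_in": None},
        {"id": "DEP-0004", "severity": "low", "component": "colors 1.4.0",
         "title": "informational finding", "fixed_in": None},
    ]
}


def evaluate(report, threshold="high", accepted=()):
    """Split findings into (blocking, waived, below_threshold).

    A finding blocks when its severity is at or above `threshold` and its id
    is not in `accepted`, the list of risks a product team has explicitly
    accepted and is tracking elsewhere. Waived findings are still reported
    so the acceptance stays visible in every build log.
    """
    limit = SEVERITY_RANK[threshold]
    blocking, waived, below = [], [], []
    for finding in report.get("findings", []):
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is not None and rank < limit:
            below.append(finding)
        elif finding.get("id") in accepted:
            waived.append(finding)
        else:
            blocking.append(finding)
    return blocking, waived, below


def format_line(tag, finding):
    fix = finding.get("fixed_in") or "no fix available"
    return (f"{tag:<6} {finding.get('id', '?'):<9} {str(finding.get('severity', '?')):<9} "
            f"{finding.get('component', '?')}: {finding.get('title', '')} [{fix}]")


def render(blocking, waived, below):
    """Human-readable summary for the build log, blocking findings first."""
    lines = [format_line("BLOCK", f) for f in blocking]
    lines += [format_line("WAIVED", f) for f in waived]
    lines += [format_line("info", f) for f in below]
    lines.append(f"{len(blocking)} blocking, {len(waived)} waived, {len(below)} below threshold")
    return "\n".join(lines)


def main(argv):
    """Usage: gate.py [report.json | -] [threshold] [accepted-id ...]

    With "-" or no path the constructed sample is used. Exit status is
    non-zero when anything blocks, which is what fails the pipeline stage.
    """
    if argv and argv[0] != "-":
        with open(argv[0], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    threshold = argv[1] if len(argv) > 1 else "high"
    accepted = frozenset(argv[2:])
    blocking, waived, below = evaluate(report, threshold, accepted)
    print(render(blocking, waived, below))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it as a pipeline step with `python gate.py report.json high DEP-0002` keeps the accepted finding visible in the log without failing the build, while an unknown severity string from a changed scanner schema still fails closed.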
Product_Security_friend_foe.pdf
MD5: 7c0157f7a0f509e4a4276880d5a36b66
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.44 Mb
Jose Hernandez (Splunk, US), Patrick Bareiss (Splunk, DE)
José is a Principal Security Researcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDoS attacks from "Anonymous" and "LulzSec" against Fortune 100 companies. As an engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web-application attacks. While working at Splunk as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. He has also built security operation centers and run a public threat-intelligence service. Although security information has been the focus of his career, José has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote-control vehicle called the SensorSub, which was used to test and measure toxicity in Miami's waterways.
Patrick Bareiss, Senior Security Researcher at Splunk, is a passionate security researcher in the field of detection engineering. He combines his knowledge of IT security with his coding skills to develop powerful open source tools, such as Attack Range. Before Splunk, Bareiss developed the detection framework for the SOC of Airbus Defence and Space. He is a frequent speaker at security conferences.
Well-developed detection rules provide strong signals of anomalous and potentially malicious activity. Poorly developed detection rules flood analysts with low-value alerts and are a cause of alert fatigue. This talk will introduce detection rule development using Continuous Integration and Continuous Delivery (CI/CD) to improve the quality of the rules created and accelerate the rule development process.
The later you find a bug in your detections, the more expensive it is to fix. The presenters will therefore introduce CI pipelines using CircleCI to proactively find bugs in detection rules before they are deployed to production. To test the effectiveness of a detection you need both a lab and an attack simulation engine; Attack Range combines the two in an easy-to-use tool. The presenters will introduce Attack Range and show how to integrate it into a CI/CD pipeline to automatically test detections.
Lastly, the presenters will share how CD can automatically deliver the detection rules to the SIEM, either as a package or over an API.
Letitia Kernschmidt (BSI, DE), Michael Dwucet (BSI, DE)
Letitia Kernschmidt has a Master's Degree in Information Systems from the Vienna University of Economics and Business (WU). During her studies, she worked as a Cyber-Security Researcher at sba research, an Austrian research center for Information Security and received a scholarship to spend one semester at Carnegie Mellon University's Heinz College in Pittsburgh, USA. After graduation in 2017, she worked one year as a Freelance Software Engineer in the field of the Industrial Internet of Things until she became an Incident Handler at CERT-Bund, a section of the Federal Office for Information Security (BSI) in Germany.
Michael Dwucet graduated as a Diplom-Informatiker in Computer Science at the University of Bonn in 2008. After his graduation, he worked as an officer for the Federal Office for Information Security (BSI) in Germany. Beginning as an Incident Responder and later as an Incident Manager for the Computer Emergency Response Team for the Federal Government (CERT-Bund), he handled many high profile cases in the Government and in Critical Infrastructures. In addition, he was one of the main relation officers for the CERT and cooperated with many national and international bodies and communities. He is the FIRST representative for CERT-Bund and a regular conference attendee.
Since 2019 he has been head of the "Mobile Incident Response Team" (MIRT) section at the BSI. The MIRT is a dedicated team of senior incident response experts that can be rapidly deployed on site during major incidents in the Government and in Critical Infrastructures.
When a CSIRT encounters a large cross-border cyber security incident, e.g., a breach, ransomware, or an APT campaign affecting several organisations or institutions in multiple countries, responding appropriately and offering suitable help to the victims may require collaboration with foreign parties (CSIRTs, law enforcement, etc.). Over the last years, CERT-Bund, the German National and Governmental CERT, has been involved in numerous cross-border cases of different scales, experiencing the great benefits of such cooperation but also facing significant challenges, ranging from technical obstacles to cultural, legal, and team issues. Based on these experiences, CERT-Bund has produced a document called "International Incident Handling Operating Procedures" (I2HOP), meant as a comprehensive guideline for future cross-border cases in which national CSIRTs are the key players. This talk will give insights into the benefits and challenges inherent in cross-border incident handling, the main lessons learned from CERT-Bund's past cases and how I2HOP ties it all together. It will focus on the five main phases described by I2HOP and will showcase, inter alia, possible solutions, remaining challenges, ongoing work, and real-life examples.
Daniel W. Woods
Daniel researches the economics of security and privacy with recent research on risk quantification, cyber insurance and online consent. He is currently a post-doctoral fellow at the University of Innsbruck, Austria. He received his PhD "The Economics of Cyber Risk Transfer" from the University of Oxford's Computer Science Department.
Thousands of incidents each year are now managed by external law firms. Victim firms can call a hotline and delegate incident response to external counsel without a pre-existing relationship. We draw on expert interviews and industry reports to describe how this model breaks from conventional incident response, the role of cyber insurance and outline questions for future research. Preliminary evidence suggests this form of IR is less responsive and less efficient, cyber insurers control who gets work, and that litigation risk is prioritized over technical risk. This is a work in progress, so audience participation is encouraged.
Cyber Insurance SIG Webinars
January 28, 2021 13:00-14:00
Sille Laks (Cyber4Dev, EE)
Having spent most of the last decade on the defensive side, responding to cyber incidents and organizing awareness-raising campaigns at a national CERT and preventing online fraudsters from stealing corporate and customer money in the private sector, Sille now works at Clarified Security, an Estonian company focused on the offensive side of security. In her daily job she is responsible for organizing cyber exercises, the operational side of incident response, and awareness-raising lectures. She also frequently delivers awareness training for the voluntary members of the Estonian Defence League and its subunits, having been a member of the organization herself for almost 20 years. Sille holds an MSc in Cybersecurity and a BA in Business and Public Management and is a guest lecturer on Foundations of Cyber Security at Tallinn Technical University.
Many organizations were struggling with incident response for decades before COVID-19. The amount of data collected grows each year, and more data and more tools also mean more security alerts to analyze. This was already an issue before all employees moved to home offices and turned to online solutions to replace their physical contacts and activities. Now they are spread across a city (or even a country), and you can no longer physically go and unplug the machine when there is a threat of losing access to business-critical systems. What if you are unable to triage the incident in real time because the user is in the middle of their kid's violin lesson? And who can guarantee that the user's home network or personal computer (which they are now allowed to use, because the company does not have the budget for corporate laptops or VPN solutions) is not compromised, with someone following every move they make online?
2020 FIRST & AfricaCERT Virtual Symposium for Africa and Arab
Virtual
October 21, 2020 14:00-16:00
Hosted by AfricaCERT and CERT Mauritius
Sille-Presentation-materials.pdf
MD5: 7943870f08ac6bcce9a1b1bb54725100
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.91 Mb
Aaron Kaplan (CERT.at, AT)
In 2014, several CERTs pooled their resources to start an open source toolbox for automated incident handling, with the goals of simplicity, adaptability, and extensibility. The outcome of their efforts is the IntelMQ software, which is now used by a great number of CERTs worldwide.
This workshop will show you how the tool works and how you can implement your own workflows. After an introduction about the concepts and the architecture of the tool, we start with hands-on exercises in a virtual machine. The appliance with a pre-installed toolset is provided in advance.
TF-CSIRT Meeting & FIRST Regional Symposium Europe
Malaga, ES
January 31, 2020 09:00-10:30, January 31, 2020 10:45-12:30
PUBLIC-Aaron-Kaplan-IntelMQ-malaga-20200131.pdf
MD5: ecea5b6df4e5e63e43c7afe2801e4b61
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.82 Mb
Jeroen van der Ham (NCSC-NL, NL)
Jeroen van der Ham is associate professor of Cyber Security Incident Response at the University of Twente and combines this with his work at the National Cyber Security Centre in The Netherlands (NCSC-NL). He has been in the practical business of cybersecurity for several years, working at the national CSIRT in The Netherlands. He is also a researcher who likes to bridge practice and theory. For incident response he has found that theory to be mostly lacking, and is actively working to fill that gap.
In this presentation and discussion Jeroen explores whether incident response is, or can become, a profession, and describes current efforts and developments towards creating one. Along the way we'll be exploring all kinds of topics, including technology, ethics, governance and societal implications.
Cyber Insurance SIG Webinars
September 16, 2021 13:49-15:00
Ben Hawkes (Google, NZ)
Ben Hawkes is a founding member and technical lead of Google's 'Project Zero' security research team, where he helped develop the team's mission, strategy, and vulnerability disclosure policies. As a researcher, Ben discovered many vulnerabilities across a range of different software platforms (including Android, Linux, and Windows), and published research focused on vulnerability analysis and software exploitation. Prior to Project Zero, Ben worked on the security of Google's product launches, with a particular focus on virtualization and cloud security.
You've found a critical security vulnerability that affects hundreds of millions of users. How best can you protect the vulnerable population? Who should you tell, and how much should you tell them? This is the central policy problem that Google's Project Zero security research team faces every day: vulnerability disclosure.
In this presentation Ben Hawkes will untangle the vulnerability disclosure debate, provide insights based on Project Zero's experience from disclosing thousands of vulnerabilities, and share a path forward for improving vulnerability disclosure policy.
Mark Stanislav (Cisco (Duo Security), US)
Mark Stanislav is a Technical Leader in the Advanced Security Initiatives Group for Cisco. Stanislav has spoken internationally at over 100 events, including Black Hat, RSA, DEF CON, SOURCE Boston, Codegate, SecTor and THOTCON. His security research and initiatives have been featured by news outlets such as the Wall Street Journal, the Associated Press, CNET, Good Morning America and Forbes. Stanislav is the Author of the book Two-Factor Authentication. Stanislav holds a BS in networking and IT administration and an MS in technology studies focused on information assurance, both from Eastern Michigan University. During his time at EMU, Stanislav built the curriculum for two courses focused on Linux administration and taught as an adjunct lecturer for two years. Stanislav is currently pursuing his PhD in cybersecurity from Dakota State University. He holds CISSP, Security+, Linux+, and CCSK certifications.
Running a successful PSIRT often has much more to do with the human relationships involved -- internally & externally -- than the technical issues you're trying to address. Whether working with a security researcher, bug bounty hunter, IT admin, or end-user, knowing about your stakeholder is critical to a great outcome. This presentation dives into common personas -- archetypes, not stereotypes -- that a PSIRT will interact with on a long enough timeline. With an associated interaction framework, we explore how more desirable outcomes can be achieved by placing our stakeholders' motivations & needs at the forefront of the actions we consider. Using real-world examples and sharing perspective from nearly two decades in the information security community, this presentation is rooted in practical awareness that any PSIRT can draw on the next time they receive an email from a person they don't quite know how to work with. Incident response is hard enough without compounding issues stemming from poor interactions with third parties. Come hear how one PSIRT manages this interpersonal risk and what strategies your team can take to find a better way forward, too.
Yoshihiro Ishikawa (LAC Co., Ltd, JP)
Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC, where he is engaged in malware analysis and cyber threat intelligence, especially on Advanced Persistent Threat (APT) attacks. He has spoken at APCERT, AVAR, Botconf and HITCON. He also currently serves on the Program Committee of the Japan Security Analyst Conference hosted by JPCERT/CC.
Nowadays, with the growing interest in cryptocurrency (crypto assets), cyber attacks targeting this sector are taking place actively. Cryptocurrency theft by directly compromising the infrastructure of cryptocurrency entities has increased, with reported damage of US$882 million, a huge amount of illegally stolen money that cannot be ignored in the history of the cyber security industry. These attacks are still ongoing.
We will explain our published research*1 on the techniques used by the adversary dubbed "HYDSEVEN", the alleged group behind these attacks, which has been under our investigation across several incidents reported since 2016. The investigation describes its intrusion chains: spear phishing with VBA macro tricks, the use of downloaders and fake software installers, exploitation of vulnerabilities including 0-days, and finally the use of RAT malware variants known as HYDSEVEN's NetWire and Ekoms/Mokes. The report summarizes the TTPs (Tactics, Techniques, and Procedures) and the MITRE ATT&CK mapping of the threat sequence, which can be used to mitigate this threat.
Additionally, we will disclose several new contents that are not covered in our previously published report, which are marked with NEW tags in the outline.
References: *1 https://www.lac.co.jp/english/report/2019/07/19_cec_01.html
Jörg Abraham (EclecticIQ, NL), Sergey Polzunov (EclecticIQ, NL)
Mr. Jörg Abraham is a Senior Threat Intelligence Analyst in the EclecticIQ Fusion Center. He is responsible for analyzing cyber threats and providing accurate, timely and structured intelligence relevant to EclecticIQ's customers. Before joining EclecticIQ he worked for Royal Dutch Shell for more than 10 years in various Cyber Defense positions. Mr. Abraham is a Certified Information Systems Security Professional (CISSP) and GIAC Certified Forensic Analyst (GCFA).
Sergey Polzunov is a Senior Software Engineer in the EclecticIQ Intelligence Operations department. He is responsible for prototyping analyst-centric tools and for extending the Fusion Center Threat Intelligence Platform with new features. He is the author of OpenTAXII server and Stixview library, and has more than 10 years of software development experience.
Natural Language Generation (NLG) is the process of transforming structured data into narratives. Unlike Natural Language Processing (NLP), which reads and analyses textual data to derive analytic insights, NLG composes synthesized text through analysis of pre-defined structured data. NLG is more than the process of rendering data into a language that sounds natural to humans. It can play a vital role in uncovering valuable insights from massive datasets (big data) through automated forms of analysis.
Adoption of NLG in other verticals has increased in recent years, yet applications of NLG technology in the Cyber Threat Intelligence (CTI) domain are sparse. On one hand, intelligence teams accumulate millions of records generated by security controls or obtained from intelligence sources. On the other hand, the intelligence product is often a narrative report written by an analyst. With the influx of data, intelligence teams are confronted with challenges in data assessment and analysis, and in the (near) real-time creation of intelligence products targeted at the right audience, all while operating at scale and with accuracy.
We believe that the potential of NLG is vastly unexplored in CTI and want to share our research and a proof-of-concept tool demonstrating the potential value of NLG.
May 11, 2020 17:00-18:00
MD5: aadfb1ea9c967fcc1f2a0f97b89f60a1
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.57 Mb
Maarten Van Horenbeeck (Zendesk, US), Dr. Sherif Hashem (Information Sciences and Technology, College of Engineering and Computing, George Mason University, US)
Maarten Van Horenbeeck is Chief Information Security Officer at Zendesk and a Board Member of the Forum of Incident Response and Security Teams (FIRST). Prior to Zendesk, Maarten was Vice President of Security Engineering at Fastly and worked on the security teams at Amazon, Google and Microsoft. He holds a Master's degree in Information Security from Edith Cowan University and a Master's degree in International Relations from the Freie Universität Berlin. He is a fellow in New America's Cybersecurity Initiative, and lead expert to the IGF's Best Practices Forum on Cybersecurity.
Dr. Hashem is a Visiting Professor of Computer and Information Sciences at the SUNY Polytechnic Institute (SUNY Poly), New York-USA. Dr Hashem is a Senior IEEE member and an ISACA Certified Information Security Manager (CISM). Prior to joining SUNY Poly in 2019, Dr Hashem was the Chair Professor of Engineering Mathematics and Computer Science at the Faculty of Engineering, Cairo University, Egypt. Dr Hashem also held a joint appointment as the Vice President of the National Telecom Regulatory Authority (2013-18). Dr Hashem's professional and research interest includes Cybersecurity, Artificial Intelligence, Information Technology, and Management of Information Security. Dr Hashem is currently a member of the African Union’s Cybersecurity Expert Group (AUCSEG).
In this talk, we will discuss recent international efforts towards the creation of internationally recognized rules for a safer and more secure cyberspace, with a special focus on the United Nations efforts through the newly established groups: 1) the Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security; and 2) the Open-Ended Working Group (UN OEWG). We discuss the outcomes of the previous UN GGE reports adopted by the UN General Assembly since 2010. We highlight the relevance of these reports and of the ongoing efforts to the FIRST community. We summarize the key issues that may affect incident response teams. We emphasize the opportunities for an active role that FIRST.org and its membership can play in further supporting the process of creating and implementing the new rules, towards a safer and more secure cyberspace.
Kevin Meynell (Internet Society, NL)
Kevin Meynell works at the Internet Society as the Manager of Technical and Operational Engagement supporting the deployment of key Internet technologies including Routing Security. He previously worked for JANET, the UK NREN, before joining TERENA (now the GÉANT Association) where he worked for the next 16 years on activities including the 6NET and 6DISS IPv6 deployment projects, eduroam, the Global Lambda Interconnect Facility, the TERENA Certificate Service and TF-CSIRT, as well as having responsibilities for NREN Development Support in Eastern and Southern Europe, and Central Asia. After leaving TERENA, he worked as the Manager of the Shibboleth Consortium that develops the widely used Shibboleth web single sign-on software, before moving to APNIC as its Head of Training in 2014. He joined the Internet Society in October 2015.
There are over 65,000 networks comprising the Internet that exchange reachability information using the Border Gateway Protocol (BGP), but the problem is that BGP is almost entirely based on trust, with no built-in validation of the legitimacy of routing updates. This causes many problems such as IP prefix hijacking, route leaks, and IP address spoofing, and there have been a growing number of major incidents in the past few years. There are solutions to address these issues, but securing one's own network does not necessarily make it more secure, as it remains reliant on other operators also implementing these solutions. The Mutually Agreed Norms for Routing Security (MANRS) initiative (https://www.manrs.org) therefore tries to address these problems by encouraging network operators, content providers and IXPs to subscribe to four actions: filtering, anti-spoofing, coordination and address prefix validation, and has developed resources to help them implement these. The MANRS Observatory has recently been developed to help network operators view routing incidents that affect their networks, to check the general routing health of networks, countries and regions, and to provide a longer-term overview of whether routing incidents are getting better or worse.
Chase Cotton (University of Delaware, US), Fatema Bannat Wala (University of Delaware, US)
Chase Cotton (Ph.D. EE, UD, 1984; BS ME, UT Austin, 1975) has been a successful researcher, carrier executive, product manager, consultant, and educator for the technologies used in Internet and data services in the carrier environment for over 30 years.
Beginning in the mid-80’s, Dr. Cotton’s communications research in Bellcore’s Applied Research Area involved creating new algorithms and methods in bridging, multicast, many forms of packet-based applications including voice and video, traffic monitoring, transport protocols, custom VLSI for communications (protocol engines and Content Addressable Memories), and Gigabit networking. In the mid-90’s, as the commercial Internet began to blossom, he transitioned to assisting carriers worldwide as they started their Internet businesses, including Internet Service Providers (ISPs), hosting and web services, and the first large-scale commercial deployment of Digital Subscriber Line (DSL) for consumer broadband services. In 2000, Dr. Cotton assumed research, planning, and engineering for Sprint’s global Tier 1 Internet provider, SprintLink, expanding and evolving the network significantly during his 8-year tenure. At Sprint his activities included leading a team that enabled infrastructure for the first large-scale collection and analysis of Tier 1 backbone traffic, and twice setting the Internet 2 Land Speed World Record on a commercial production network.
Since 2008, Dr. Cotton has been at the University of Delaware in the Department of Electrical and Computer Engineering, initially as a visiting scholar, and later as a Senior Scientist, Professor of Practice, and Director of Delaware’s Center for Information and Communications Sciences (CICS). His research interests include cybersecurity and high-availability software systems with funding drawn from the NSF, ARL, CERDEC, JPMorgan Chase, and other industrial sponsors. He currently is involved in the educational launch of a multi-faceted Cybersecurity initiative at UD where he is developing new security courses and degree programs including a minor and MS in Cybersecurity.
Dr. Cotton currently consults on communications and Internet architectures for many carriers and equipment vendors worldwide.
Fatema is a Security Engineer at the University of Delaware, where her responsibilities include monitoring network traffic for intrusions, incident response, threat hunting, and deploying and managing the SIEM for the University. She has held prior roles in security research and software engineering, and she holds the CISSP certification together with the GCIA, GPEN, GCIH and GCDA GIAC certifications. Fatema has given multiple talks internationally at CERN Geneva’19, EDUCAUSE SPC’19, Internet2 TechEX’19, BSidesDE'16,17,18,19, RIMM'17, and BroCon'17,18,19. She is also a member of the SANS/GIAC Advisory Board.
DNS is known to be one of the protocols most widely abused by threat actors, who use it in unconventional ways to hide under normal traffic. Apart from threat actors, DNS is actively used, or rather misused, by many other service providers, vendors, etc. to deliver their intended services. In-depth research on DNS logs collected over a long period of time revealed some very interesting legitimate use-cases of the DNS protocol by the industry, apart from its normal resolution service. We coined the term “Off-label use of DNS” to represent those use-cases. One of the main reasons DNS is used, or rather misused, for these off-label use-cases is the speed of data transfer and the low overhead in terms of bandwidth. These off-label use-cases of DNS leak very important information about clients and the software they are running, and can be leveraged in a variety of ways by network security defenders and analysts to improve detection on the network. This presentation will go over some of those legitimate off-label use-cases and how they can be leveraged by analysts to detect malware trends in the network, and much more, just by analyzing DNS logs.
C Rob (Red Hat Inc, US)
Christopher Robinson (aka CRob) is the Program Architect for the Red Hat Product Security Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.
CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon and the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds the Certified Information Systems Security Professional (CISSP) certification, the Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He’s also been heavily involved in the Forum of Incident Response and Security Teams’ (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework.
He enjoys herding cats and moonlit walks on the beach.
Join Red Hat Product Security for an overview of the data around security vulnerabilities in open source.
MD5: 4a2445d99119da63b19753c85c5d1974
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.08 Mb
Kathleen Moriarty (Dell EMC, US)
Kathleen Moriarty, Chief Technology Officer, Center for Internet Security, has over two decades of experience. Formerly, as the Security Innovations Principal in the Dell Technologies Office of the CTO, Kathleen worked on ecosystems, standards, and strategy. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed to, and serving two terms as, the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group, from March 2014 to 2018. She was named in CyberSecurity Ventures' Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS.
Kathleen has over twenty years of experience driving positive outcomes across Information Technology Leadership, IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. Kathleen holds a Master of Science degree in Computer Science from Rensselaer Polytechnic Institute, as well as a Bachelor of Science degree in Mathematics from Siena College.
Kathleen authored "Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain", published July 2020.
Choolwe Nalubamba (SCADA, ZM), Guéric Gonçalves (ANSSI, BJ), Jean-Robert Hountomey (Moderator) (AfricaCERT, US), Koichiro "Sparky" Komiyama (JPCERT/CC, JP), Louis Rouxel (CERT France, FR), SMII Mondher (TunCERT, TN)
Choolwe Nalubamba is currently the Head of Telecommunications, SCADA, and Information Systems at one of the power companies in Zambia, Copperbelt Energy Corporation PLC. He has over 20 years of multi-disciplinary experience in the ICT industry (with a strong bias towards cybersecurity). He has consulted for and/or spoken at cybersecurity workshops organised by COMESA, the International Telecommunications Union (ITU), the African Top Level Domain association (AfTLD), the Forum of Incident Response and Security Teams (FIRST), and the African Union. While working for the Government of Zambia, he spearheaded the implementation of the Zambia Computer Incident Response Team (ZmCIRT) in 2012, facilitated the implementation of a Computer Forensic Lab at the Zambia Police Headquarters in June 2014, and was instrumental in the organization of the first-ever African Cyber Drill, held in Livingstone, Zambia in 2014. He has also facilitated many cybersecurity-related training programs, primarily for Law Enforcement Agencies in Zambia. He holds an MSc in Operational Communications from Coventry University (UK), a Bachelor of Engineering degree in Electronics and Telecommunications from the University of Zambia, and several professional cybersecurity certifications.
Guéric Gonçalves is a Senior Analyst at bjCSIRT under the National Information Systems’ Security Agency of Benin (ANSSI: Agence Nationale de la Sécurité des Systèmes d'Information). Prior to joining bjCSIRT, he was a Cybersecurity Expert Consultant working in France and the West African region. In the earlier part of the last decade, before entering the cybersecurity field, he worked as a Network Engineer at a major Internet Service Provider in Benin. Guéric earned a Master of Science degree in Network Computing and a Bachelor of Science degree in Information Technology, both from Coventry University, United Kingdom. He also holds a Certified Title as a Cyber Security Expert Consultant (RNCP Niv 1/CEC Niv 7) from M2i Paris, France.
A researcher at heart, Jean-Robert Hountomey's research focuses on law, technology, and Internet governance issues. An Internet pioneer in West Africa, he is also a founding member of the Africa Forum of Computer Security and Incident Response Teams (AfricaCERT) and the African Anti-Abuse Working Group. He has worked with government officials, industry, and academia on Internet policy issues, capacity building, information security, product security, the secure software development life cycle, and privacy risk management for two decades. He has contributed to the PSIRT and Multi-Vendor Coordination frameworks from the Forum of Incident Response and Security Teams (FIRST), the CVE Outreach and Communications Working Group (OCWG), the African Union Cybersecurity Expert Group, the Interpol Africa Working Group, the UN Open-Ended Working Group (OEWG), ICANN, ISOC, AfriNIC, AfNOG and AfrISPA.
Koichiro "Sparky" Komiyama is the Director of the Global Coordination Division at JPCERT/CC, the Japanese Computer Emergency Response Team. His current focus is on norms in cyberspace, confidence building and capacity building in developing countries. He has worked as a security analyst and led the gathering of security information and the publishing of multiple security alerts and advisories at JPCERT/CC. Prior to joining JPCERT/CC, he worked as a systems engineer for Internet Security Systems (IBM ISS), where he was in charge of enterprise IDS/IPS system operations. In 2014-2018, he served as a member of the Board of Directors of FIRST, the global Forum of Incident Response and Security Teams. Since 2017, he has also worked for the Global Commission on the Stability of Cyberspace, a multi-stakeholder forum that aims to propose norms and policies to enhance international security and stability. He holds a Ph.D. in Media and Governance from Keio University.
Louis Rouxel is in charge of Internal Cooperations for CERT-FR at ANSSI, the French national cybersecurity agency. Louis was previously chairman of Signal Spam, the national email abuse reporting platform in France. He has 20 years of experience in the IT industry, as former co-founder and CTO of Splio, a SaaS software vendor.
I am SMII Mondher, a Cyber Security Analyst at the National Agency for Computer Security (NACS) / Tunisian CERT, with expertise in threat analysis and intrusion detection systems. I have performed dynamic analysis of malware and its delivery mechanisms (malicious documents, e.g. pdf, doc, etc.). I have utilized custom sandbox environments such as Joe Sandbox, ANY.RUN and Hybrid Analysis to isolate malware and identify malware C2 communication channels. I have used MISP (Malware Information Sharing Platform) to track, correlate and share the collected IOCs. I am in charge of the Information Sharing and Analysis Center (ISAC). I hold a professional master’s degree in Cyber Security and I am also certified in ISO 27001 and ISO 22301.
2020 FIRST & AfricaCERT Virtual Symposium for Africa and Arab
Virtual
October 23, 2020 15:05-15:50
Hosted by AfricaCERT and CERT Mauritius
SMII-Mondher-presentaion-tunCERT_FIRST-AfricaCERT-Symposium.pdf
MD5: 72f457e06a9115b26f2aff19ae44b5b2
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.02 Mb
Alexandre Dulaunoy (CIRCL, LU), Aurélien Thirion (CIRCL, LU)
Fingerprinting, tracing and tracking SSH network activities is a key capability in network forensics and incident response. In the past years, Passive DNS and Passive SSL have been cornerstones of efficient incident handling at CIRCL. SSH connectivity is used to manage various devices, from IoT up to network equipment or even critical devices. The goal of Passive SSH is to provide a fast-lookup database with the history of all the SSH keys seen per IPv4/IPv6 address on the global Internet. We developed an open source software toolkit to gather, analyse and store SSH key material and provide access to members of the CSIRT community.
Jānis Džeriņš (CERT.LV, LV)
This presentation highlights a tool named Pastelyzer, developed by CERT.LV in the framework of the CEF project "Improving Cyber Security Capacities in Latvia". The purpose of the tool is to detect leaks of sensitive data (credentials, bank card numbers, etc.) in text documents, but it can also detect and automatically process encoded and/or compressed (e.g., base64, gzip) content. The tool can be used as a command-line utility, or as a background service receiving documents from a feed or via HTTP requests.
Currently (in January 2020), the tool is in the beta stage with the source code available. During the presentation, we will give a general overview of the tool, and a few example use cases as well as encourage other CSIRTs to start using Pastelyzer. We're already using Pastelyzer at CERT.LV and hope it will be useful for the wider TF-CSIRT/FIRST community.
MD5: 9e2ba0461d4fa50255521b23c275d3d6
Format: application/pdf
Last Update: June 7th, 2024
Size: 527.2 Kb
Shinichi Tankyo (CAPJ committee member, JP)
The Council of Anti-Phishing Japan (CAPJ) aims to curb phishing scams in Japan by collecting and providing case studies and technical information on phishing scams. We'll show recent phishing cases and statistics from CAPJ's data; a comparison of the situation in the LACNIC region and Japan will be helpful in examining countermeasures against phishing scams.
2020 FIRST Virtual Symposium for Latin America and Caribbean
Virtual
October 8, 2020 14:30-14:55
Hosted by LACNIC34 and CERT.br/NIC.br
Tankyo-Phishing-trends-in-Japan-.pdf
MD5: 0e75192852da3792d6019bf295a609ab
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.99 Mb
Brandon Grimes (CISA, US), Derek Meyer (CISA, US)
Brandon Grimes is a member of the Industrial Control Systems group under CISA's Hunt and Incident Response Team, providing incident response services to critical infrastructure on behalf of the US government.
Derek Meyer is a member of the Industrial Control Systems group under CISA's Hunt and Incident Response Team, providing incident response services to critical infrastructure on behalf of the US government.
The world of technology we live in today is significantly different than what it was over 40 years ago, when computers were first becoming more prevalent. There was no Internet, and with that, no real worries that someone on the other side of the world could steal your data or mess with your HMI. Nowadays, cybercriminals are getting smarter, APTs are treading into increasingly worrying territory, and even script kiddies have access to powerful exploits and malware that can potentially cause significant physical impacts and disruptions. While the overall possible threat will remain for the foreseeable future, having knowledge about what's out there can make a world of difference when making informed decisions and staying safe. This presentation will peel back the covers on what CISA is seeing at the forefront of the ICS cyber battle. We will cover recent trends in the ICS cyber threat landscape along with a discussion of what we need to be prepared for in the future.
Shipra Aggarwal (SAP Product Security Response Team, IN), Stuart Short (SAP Product Security Response Team, DE)
Shipra started her security career with SAP in 2007, as a fresh engineering graduate. Since then she has been on her journey to be a passionate cybersecurity professional, helping developers and customers to secure SAP products. Shipra has held diverse roles in securing product development, including pen testing, security validation of products across multiple SAP lines of business solutions, vulnerability assessment, security communications, security incident handling and response, external hacker collaboration, managing bug bounty programs, handling zero days, leading SAP’s monthly security Patch Tuesdays, leading customer engagement initiatives on SAP’s security patching strategy, and so on.
In addition, Shipra has been a trainer for the Security Expert Curriculum internal training, a regular speaker, and track lead at various SAP TechEd and DKOM events. You can often find her participating in various security conferences and forums on current cybersecurity trends, cloud security, DevSecOps, AWS, Azure and GCP security, Data Privacy, and the like.
Stuart started with SAP in 2006, working for the SAP Business ByDesign team in Galway, Ireland. He then worked for 10 years at SAP Labs France in Mougins as part of the Security Research team. His main tasks were contributing to and successfully managing European-funded research projects, leading the communications team and helping to build the research strategy. He has numerous academic publications and two patents. He has been working in SAP PSRT since June 2017. Prior to joining SAP, Stuart had ten years of experience with web-based/IT start-ups, including his own.
Current responsibilities include: security vulnerability reports from external sources; lead for SAP as a CNA and co-leading the topic of CVE (Common Vulnerability Enumeration), which is assigning CVE entries to all Patch Day security notes; the Customer Engagement Initiative project; co-leading the monthly Root Cause Analysis of selected vulnerabilities; customer pentest reports; secure@sap.com hotliner.
SAP Product Security Response sits within the Utilization phase of the SAP Secure Software Development Lifecycle, and its process is activated as a result of a vulnerability reported either by external researchers or by customers. As outlined in the FIRST PSIRT Services Framework, it is good practice to carry out a root cause analysis in order to educate stakeholders and prevent the recurrence of similar vulnerabilities. In this context, the Product Security Response team was mandated to regularly assess completed cases (i.e. On-Premise, Mobile and Cloud) that have a high severity or are selected based on the judgement of nominated experts. This type of activity cannot be done wholly by one team but must involve different stakeholders, such as the concerned teams in development, standards, testing and validation. This presentation is aimed at sharing with response teams that already go through this exercise, or are contemplating it, and will outline learnings from our efforts so far, including methodology, problems faced and proposed solutions. As this is a fairly recent activity (started at the beginning of 2018), we would also like to use the Q&A session to hear from our peers about their experiences so we can improve our process.
Seth Hanford (Proofpoint, US)
Seth Hanford is a Principal Engineer at Proofpoint. In his role, he serves as security architect, and as an advisor to the enterprise CSIRT, PSIRT, and other Global Information Security functions responsible for designing secure architectures and protecting customer and enterprise data for the company. He has previously worked as Sr. Manager for Detection & Response for a Fortune 100 financial services firm, as well as various vulnerability & threat intelligence roles, and as a PSIRT incident manager for a Fortune 100 network technology company. He has been active in the FIRST community over the past decade, including service on the CVSS SIG during v2, and as SIG chair for the development of CVSS v3.
Complex passwords harm user security when they must be frequently changed, and are little defense against credential stuffing and phishing. Standards like NIST SP800-63b show organizations how to remove password complexity and periodic rotation requirements, but require additional controls, including checking candidate passwords against lists of known-compromised credentials. Operating under these new controls is harder still: Have you been "pwned"? How can a CSIRT ensure that compromised user passwords are appropriately revoked in a compromised password store?
A successful implementation will be a rare win-win: a security control that will improve both security posture and user experience. The author will describe implementing this in the real world: compliance with NIST SP800-63b; maintaining a local compromised password store; answering queries about password compromises; and identifying several lessons learned from the cross-platform implementation project.
Marco Caselli (Siemens, DE)
Marco Caselli joined Siemens in 2017 and is the Senior Key Expert for the “Monitoring & Attack Detection” topic. He received his Ph.D. in computer security at the University of Twente with a thesis titled “Intrusion Detection in Networked Control Systems: From System Knowledge to Network Security”. His research interests focus on the security of industrial control systems and building automation, with a special focus on critical infrastructures. Before starting his Ph.D. he worked for GCSEC, a not-for-profit organization created to advance cyber security in Italy, and Engineering S.p.A., an international software development company.
Threat intelligence sharing has been expanding during the last few years, giving us access to a large amount of open data. Unfortunately, this is usually provided as unstructured, human-readable cyber threat reports, and important information such as attack tactics, techniques and procedures is hidden within the text. Done manually, the analysis of such reports requires time and effort. To support this analysis, we created rcATT, an open-source tool which automatically classifies cyber threat reports according to MITRE’s Enterprise ATT&CK tactics and techniques. In this talk, we present the tool and show how we solved the challenges of hierarchical multi-label text classification of cyber threat reports with access to only a limited amount of labeled data. Finally, we demonstrate how rcATT performs on publicly available cyber threat reports and how to take advantage of the classification results.
May 7, 2020 18:00-19:00
FIRST_CTI_2020_rcATT_Siemens.pdf
MD5: a8b08ee1519f08b1f8bece48efbc8bce
Format: application/pdf
Last Update: June 7th, 2024
Size: 988.58 Kb
Luc Dandurand (Guardtime)
June 23, 2020 11:00-11:15
FIRST-Red-Team-SIG-Update-June-2020.pptx
MD5: 5e2625b78db0146d04dedaadd18235e3
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 692.06 Kb
Mayo Yamasaki (NTT-CERT, JP)
Mayo Yamasaki is a researcher at NTT Secure Platform Laboratories and has also been a member of NTT-CERT in Japan since 2015. He studied information science and natural language processing at NAIST (Nara Institute of Science and Technology). Since joining NTT he has been researching and developing software systems for cybersecurity-related information extraction and retrieval with machine learning.
Understanding threat intelligence is not an easy task for threat analysts, even when it is structured. Therefore, many methods to automatically visualize the structure of threat intelligence have been proposed. However, these methods reuse visualization methods developed for the general domain in order to support a wide variety of use cases for analyzing threat intelligence. This talk introduces a novel visualization method for threat reports, based on simple observations obtained from a study of the characteristics of threat diagrams in actual threat reports. Because a threat report is a reasonable bundle of intelligence and one of the most common ways to share it, by capturing these characteristics the method visualizes graph-structured STIX 2 as a concise overview of the threat structure. This talk also demonstrates the utility of the method by visualizing actual threat reports gathered from the ATT&CK knowledge base.
May 8, 2020 09:00-10:00
FIRST-CTI-2020_Rethinking-the-Graph-Visualization-for-Threat-Reports_paper.pdf
MD5: 8c788245a14ab652b10969df3cb2f50f
Format: application/pdf
Last Update: June 7th, 2024
Size: 922.13 Kb
FIRST-CTI-2020_Rethinking-the-Graph-Visualization-for-Threat-Reports_slide.pdf
MD5: 12cb04526ecada932712c18de1b5af58
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.37 Mb
Francis Perron (Google, CH)
Francis hails from Québec’s region of Lac-St-Jean, Canada. A McGill alumnus in Mathematics, Computer Science and Cognitive Science, he lucked out and joined Google in 2007 in Site Reliability Engineering. From then on he ended up responding to availability incidents across the Google production environment. He then moved to a full-time DFIR role in 2017, where he likes to spend his time teaching incident management and responding to incidents. He also enjoys dabbling in casual offensive security exercises once in a while. He would like to be good at Twitter, but cannot seem to get his act together about it: @u269C
Remediating a single vulnerability in a single product can be a daunting task. Remediating large, complex, time-critical vulnerabilities across many different products, teams and vendors can be nearly impossible. This talk discusses what has worked, and what has not worked so well, in a fast-changing organization with a plethora of software and hardware products. We discuss an approach to scaling vulnerability response to the ever-evolving demands of internal reports, information embargo restrictions, open-source vulnerabilities and other beasts reported via bug bounty programs or third parties.
Dnyanada Annachhatre (NVIDIA, US), Jessica Butler (NVIDIA, US)
Dee Annachhatre is a Senior Development Leader on NVIDIA’s Security Tools Platform Team. With 14 years of experience in the software industry, she specializes in architecting and delivering reliable and scalable systems in a variety of areas, especially online services. Dee graduated from the University of Texas, Arlington with a Master's degree in Computer Engineering. Apart from work, she loves hiking and spending time with her family.
Jessica Butler is a Senior Application Developer and lead for NVIDIA’s Product Security Tools team. Jessica has over 13 years of experience and earned her MS in Computer Engineering from Washington University in St. Louis. She has earned certifications in Java, Ruby and Cisco’s CCNA. In her free time Jessica enjoys gardening, rehabbing her 100+ year old urban home and traveling with her family, BJ, Sebastian (5) and Eliza (3).
Displaying a business's full security risk posture involves more than just tallying up the list of open security bugs. Many teams manually process results from multiple tools and use spreadsheets to map issues to the appropriate owners. To drive change, we need to automate mapping the results of these tools to the correct product and, more importantly, to the owner who can take action! This session is for you if you are overtaxed by sifting through results to create bugs, checking a spreadsheet to determine who to notify for remediation, or manually calculating risk for reports and dashboards. We'll discuss common pitfalls of organizing data from multiple tools. We will walk through how to develop quick and portable microservices that automate pulling results from any tool, prioritizing bugs and mapping data to create actionable metrics. Our goal is to enable efficient, data-driven decisions by showing the fullest picture possible.
David Crooks (EGI CSIRT, GB), Liviu Vâlsan (EGI CSIRT, CH)
The information security threats currently faced by the research community are not only sophisticated but also in many instances highly profitable for the actors involved. Evidence suggests that targeted organisations take on average more than six months to detect a cyber attack; the more sophisticated the attack, the more likely it is that it will pass undetected for longer.
One means by which to mount an appropriate response is through the use of a Security Operations Centre (SOC). A SOC can provide detailed traceability information along with the capability to quickly detect malicious activity. The core building blocks of such a SOC are an Intrusion Detection System and a mechanism to work with the threat intelligence, shared within a particular community, that is required for spotting potential cybersecurity threats. In this context, the Worldwide LHC Compute Grid (WLCG) Security Operations Centre Working Group has produced a reference design for a minimally viable Security Operations Centre, applicable at a range of scientific computing sites of varying sizes. The initial design developed by this group uses data sources including the Zeek IDS and netflow/sflow, as well as the MISP threat intelligence sharing platform, and the Elastic stack for data ingestion, storage and visualisation.
We propose a workshop focusing on the tools and processes used in this design, as well as the MISP topology and access methods employed by the working group. The agenda for a half-day workshop would include:
A full-day workshop would include these elements with the addition of:
The audience for this workshop would be teams interested in deploying a SOC at their own facility, or those with an interest in the technology and techniques used. The design is intended in principle to be applicable to a wide range of organisations; these include sites with a few nodes, large-scale organisations such as CERN (whose work in this area laid a foundation for the work of the group) with tens of thousands of nodes, and NRENs.
TF-CSIRT Meeting & FIRST Regional Symposium Europe
Malaga, ES
January 31, 2020 13:30-15:00, January 31, 2020 15:15-17:00
PUBLIC-David-Crooks-and-Liviu-Valsan.pdf
MD5: a34f012630d116ceec8078cc2f254d62
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.56 Mb
Sebastien Tricaud (Devo Inc., US)
Sebastien Tricaud is Director of Security Engineering at Devo. When he is not playing the jazz flute, he loves sharing and testing thoughts by making them publicly available in liberal licenses.
Sighting is a method to keep track of how many times something has been seen. This is particularly useful for indicators, especially if Sightings are not limited to indicators.
This presentation is very use-case oriented, based on our own use of and feedback on SightingDB in MISP. Do you think TTPs always fall in the tough category? Can anyone enrich Threat Data by just counting?
This talk will share our experience as a Vendor, a MISP Standard contributor (sightingdb) and also our integration in the MISP software.
This is also an opportunity to interact and learn from the audience to improve the SightingDB standard (https://www.misp-standard.org/rfc/sightingdb-format.txt).
May 6, 2020 18:00-19:00
FIRST-2020-CTI-Webinar-Series-Sighting-Use-Cases-Tricaud.pdf
MD5: 06485d3ebc96e01a23881017e5c19823
Format: application/pdf
Last Update: June 7th, 2024
Size: 638.3 Kb
Kara C. Owens (Markel Corporation, US)
Kara C. Owens, CPCU, RPLU, ARe, Managing Director, Global Cyber Underwriting Executive – Markel Corporation (USA). Kara graduated magna cum laude from Temple University where she majored in risk management, insurance and marketing. She holds her RPLU, CPCU, ARe and ARM designations. Kara has more than 10 years in the insurance industry and her most recent position was at TransRe where she was the Global Head of Cyber Risk. In this role, she was responsible for underwriting, risk management, communication and new product development. Prior to TransRe, Kara was a broker at Guy Carpenter. Kara is active in the Advancement of Professional Insurance Women (APIW) where she serves on the membership committee and founded TransRe’s women’s group, WiRe. She also serves as a mentor for St. John’s University and Temple University risk management students. Kara joined Markel in March of 2018 and serves as the Managing Director for Global Cyber Underwriting. In this role, Kara is responsible for establishing and leading Markel’s cyber market strategy and working with cyber underwriters across the company to achieve growth and profit initiatives. She will also develop best practices for cyber underwriting and reinsurance strategies worldwide in all Markel divisions.
Silent or non-affirmative cyber across traditional insurance policies within the insurance industry is not so silent anymore. Regulators, rating agencies, and Lloyd's are asking insurers more and more questions and, in some cases, are enforcing eradication of silent cyber. The industry is seeing more cyber security and privacy related claims being notified on property and casualty policies. Exposures continue to show themselves as the Internet of Things and Internet of Bodies expand. This webinar will discuss exposures across insurance product lines, from cyber security and privacy risk, as well as how the industry is reacting to these exposures.
Cyber Insurance SIG Webinars
January 28, 2020 11:20-12:30
Cyber_Insurance_SIG_Webinar_2020-01-21_Silent_Cyber.pdf
MD5: a6c985827b0463321b5ac041fc32693d
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.37 Mb
Art Manion (CERT/CC, US)
Art Manion is the Vulnerability Analysis Technical Manager at the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He and his team coordinate complex vulnerability disclosures, automate the discovery of new vulnerabilities, and influence practice and policy. Art has said things like "Don't Use IE," "Replace CPU hardware," and "CVSS is inadequate."
Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This includes PSIRTs, who may use CVSS directly and also provide it to their users. This talk presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some of the problems with CVSS. SSVC delves in to risk assessment territory and takes the form of decision trees for different vulnerability management communities, one of which is patch developers (i.e., vendors and PSIRTs). We seek feedback on the ideas behind SSVC, particularly the patch developer decision process.
MD5: d01db6211ff050a7b57fc04564f4490a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.39 Mb
Oleg Bil (State Technical Service (host company for KZ-CERT), KZ)
Graduated from Kostanay State University (Kazakhstan). Chief Architect and Head of Kazakhstan State Technical Service's Malicious Code Research Lab. Has spoken at different forums. Trains students in giving presentations at information security conferences. Main field of interest: research of targeted attacks.
In this presentation I will tell about some real incidents which happened in Kazakhstan. There were some anti-defense methods used by attackers, in particular sandbox detection, intentional damage of the PE header to prevent execution in a sandbox, and the use of a complicated address resolution system to accomplish the download of malicious modules. Besides, the approach related to compilation of the malicious object on the victim’s machine, as well as the attackers’ mistakes when using a good PE protector that allow one to easily bypass the defense and successfully dump and analyze the malicious code, will be considered. Then I will discuss the method that helps me to decode the keylogger’s logs of the PlugX backdoor in cases when I have no malicious object in hand and, correspondingly, no chance to analyze the encryption code. Besides, I will tell about a curious situation that gave me the opportunity to find the mailbox used for distribution of emails with an attached backdoor. The most intriguing part of the presentation will be devoted to the story about an object aimed to control and steal data from air-gapped networks. This malware has a number of characteristics that we have not faced before and have not seen described in research articles. In particular, it uses vulnerability CVE-2015-6128 in non-standard ways to distribute through USBs and uniquely hide its own files within removable media.
Benoit Dupont (University of Montreal, CA)
Dr Benoît Dupont is a Professor of Criminology at the Université de Montréal and the Scientific Director of the Smart Cybersecurity Network (SERENE-RISC), which he founded in 2014. He also holds the Canada Research Chair in Cybersecurity, as well as the Research Chair in the Prevention of Cybercrime, both at the Université de Montréal. He sits as an observer representing the research community on the Board of Directors of the Canadian Cyber Threat Exchange (CCTX). His main research interests include the co-evolution of crime and technology, the social organization of malicious hackers, the governance of cybersecurity (and in particular public-private partnerships that achieve the common good), and the use of AI by law enforcement agencies.
The growing sophistication, frequency and severity of cyberattacks targeting financial sector institutions (but also many other sectors) highlight their inevitability and the impossibility of completely protecting the integrity of critical computer systems. In this context, cyber-resilience offers an attractive complementary alternative to the existing cybersecurity paradigm. Cyber-resilience is defined here as the capacity to withstand, recover from and adapt to the external shocks caused by cyber risks. Resilience has a long and rich history in a number of scientific disciplines, including in engineering and disaster management. There is a growing number of reports from vendors and consulting firms claiming to reveal what makes organizations cyber-resilient. The scientific literature, standard-setting bodies and regulators are also paying closer attention to the concept of cyber-resilience and embedding it in their frameworks. But most of this work remains theoretical and there is very limited empirical research on how organizations that experience high rates of cyberattacks (such as financial institutions) develop their cyber-resilience. This presentation will outline the results of a two-year research project that sought to understand how cyber-resilience is understood and practiced by cybersecurity experts in the financial sector.
Désirée Sacher (Finanz Informatik, DE), Éireann Leverett (Concinnity Risks, GB)
Desiree is a Security Architect for a Security Operations Center in the financial industry. Her goal is to create intelligent processes, and she does this by utilising all of her experience from the various engineering and analyst positions she has held over the last 15 years. Desiree is also a certified GCIA Forensic Analyst, Network Forensic Analyst, Cyber Threat Intelligence Analyst and GIAC Penetration Tester.
Eireann Leverett is a Senior Scientist at Airbus Operations, co-author of Solving Cyber Risk, and Founder of Concinnity Risks. He is co-chair of the Cyber Insurance SIG, and the EPSS SIG.
Last year, Desiree presented her taxonomy for documenting and improving SOC Use Case quality. This year she explains how to bring intelligence back to more first-level security tasks. Usually all alerts reviewed are classified as either true positive or false positive, or sent to other teams where they only say whether it was a problem (patch is installed or configuration is adjusted) or not a problem (vulnerability is down-rated and configuration alerts are clicked away). The structured approach applied to security monitoring use cases has been adapted to compliance configuration monitoring, integrity monitoring and vulnerability scanning, and again reflects the different states an upcoming alert can be caused by. By extending the concept to more first-level security verification disciplines, we again get new ways of documenting the company's security state that will then help you to initiate improvement steps, without the need to buy yet another product. By updating your analysis process, you will not only improve your company's security efficiency, but also make a difference in analyst motivation by eliminating false alarms in a structured way and identifying quality gaps. The categorization helps in documenting recurring policy, configuration and architecture problems and therefore helps in calculating or estimating improvement actions in your company. Understanding your company's security state is not only important for traditional protection architecture; it becomes especially important when more data is moved to the cloud and fewer monitoring use cases can be configured.
Tamas Boczan (VMRay, HU)
Tamas Boczan is a Senior Threat Analyst at VMRay. He is responsible for finding and analyzing relevant malware samples and improving VMRay's detection capabilities. He is mostly interested in evasive in-the-wild samples and exploitation. He presents his research at conferences, and is a regular contributor of deep technical posts to VMRay's technical blog.
Ursnif is a relatively complex and full-featured malware family frequently used for both large-scale and targeted attacks. Five years ago, this malware's source code leaked. Since then, different criminal groups have created a swarm of variants forked from the leaked code, many of them still actively developed today. Free access to the source code of high-quality malware has created a dangerous, asymmetric situation where the cost of developing complex malware is insignificant compared to the cost of building a successful defense against it. Tracking the development of these many parallel malware projects based on the same source code is an inherently challenging, but also worthwhile, effort. The in-depth analysis of recent Ursnif variants enabled a case study that answers questions about open-source malware which would otherwise be subject to speculation. What are the long-term effects of complex and easily reusable malware source code becoming available to anyone? How do attackers use this source code long-term? What is different in recent variants compared to the leaked code? What defensive techniques are efficient against most variants of the malware? What methodology can malware analysts use to identify the subtle differences between malware variants which are based on the same code?
Joy Nathalie Avelino (Trend Micro Incorporated, PH), Karla Agregado (Trend Micro, PH)
Joy Avelino is a Threat Research Engineer at Trend Micro. Her work mainly focuses on practical applications of data science and machine learning for malware and threat security research. In recent years, she has regularly presented use cases of machine learning in the threat security industry based on actual results of machine learning POC projects, one of which is machine learning clustering of in-the-wild network traffic aiming to augment threat intelligence for threat family correlation and analysis. She has presented at previous academic conferences such as IEEE IISA 2014 and IEEE TENCON 2018.
Karla Agregado is a Senior Threat Researcher at Trend Micro based in the Philippines and currently working with the Machine Learning team. She has been working at Trend Micro for 10 years and used to work for the Web Reputation team before she became part of Machine Learning. She is an expert in web analysis and has an in-depth understanding of the web threat landscape. In line with this knowledge, she applies different machine learning applications, such as feature creation based on the latest web threat techniques, as a result of her continuous research. She is currently working at Trend Micro in Texas, USA, on a project assignment and will go back to the Philippines early next year.
The world is becoming hyper-connected, with everyday objects connecting to the internet to send and receive data. Although technology innovations are becoming fast-paced (IoT, cloud technology), threats and risks to information in devices and systems are also adapting. Phishing has become more practical in terms of propagation and persistence. With Phishing-as-a-Service (PhaaS) and botnets, attacks are automated and produced at a larger scale in terms of volume. This presentation will tackle the role of big data and machine learning in addressing phishing threats using features found in the URL construction, history, and content. Through machine learning, the model can infer similar structure across a large dataset. A demonstration of Natural Language Processing on web content is examined to illustrate the current trends in the web threat landscape.
Omar Santos (Cisco)
Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco’s Product Security Incident Response Team (PSIRT) where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities.
It's 2020. Are we doing better now than the previous decade with respect to open source and third-party software security? Do we have better tools, disclosure procedures, and multi-party coordination? Do we have a software bill of materials? What about hardware vulnerabilities? This session will be an active discussion on the current state of open source and third-party security in the industry and in relation to a Product Security Incident Response Team (PSIRT). In addition, we will discuss what should be the next steps to address current issues and challenges.
MD5: bfd73418141f7002614a5c3efa01cad9
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.51 Mb
Sille Laks (Cyber4Dev, EE)
Having spent most of the last decade working on the defensive side, responding to cyber incidents and organizing awareness-raising campaigns at a national CERT team and preventing online fraudsters from stealing corporate and customers’ money in the private sector, Sille is now working at an Estonian company, Clarified Security, that is focused on the offensive side of security. In her daily job she is responsible for organizing cyber exercises, the operational side of incident response, and awareness-raising lectures. She is also quite often doing awareness-raising training for the voluntary members of the Estonian Defence League and its subunits, having been a member of the organization herself for almost 20 years. Sille holds an MSc degree in Cybersecurity and a BA degree in Business and Public Management and is a guest lecturer of Foundations of Cyber Security at Tallinn Technical University.
A massive amount of daily work and studies moved online in 2020. It has become a new reality that a lot of daily communication is now done only online or via phone. Criminals have always evolved and adapted to new changes very fast, and cybercrime is no exception. The more users you have online who are trying to cope with the growing e-mail flood and phone calls from their internal helpdesks, the easier it is to conduct even the most trivial cyber attacks, whether someone is impersonating the IT helpdesk or sending you a “Mailbox full, please insert password to get more space” e-mail. And how easy it is to get money from an organization when you are.
2020 FIRST & AfricaCERT Virtual Symposium for Africa and Arab
Virtual
October 22, 2020 14:00-16:00
Hosted by AfricaCERT and CERT Mauritius
Sille-Presentation-materials.pdf
MD5: 7943870f08ac6bcce9a1b1bb54725100
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.91 Mb
Désirée Sacher (Finanz Informatik, DE), Francesco Chiarini (Standard Chartered Bank, PL), Logan Wilkins (Cisco), Mark Zajicek (Carnegie Mellon University, US)
Désirée Sacher - SOC Security Architect at Finanz Informatik. Experienced Security Architect with a demonstrated history of working in the information technology and services industry. Skilled in Security Analysis, Threat Intelligence, Network Forensics, Networking, and Security Systems Products. Strong information technology professional with a Bachelor focused in Science ZFH in Information Technology from ZHAW (eh. HSZ-T).
Francesco Chiarini - Global Threat Management, Incident Response & Cyber Resilience Director at PepsiCo. Passionate about CSIRT processes and everything involving security incidents, with 15 years’ experience in IT and information security. Prior to PepsiCo, he worked at Symantec and Hewlett-Packard, and he is actively engaged with international and local communities promoting incident response and leadership (ISSA Poland, CSO Council Poland, EC-Council). Francesco leads the FIRST Retail members group as well as the FIRST Poland members group.
Logan Wilkins - Engineering Manager Computer Security Incident Response Team (CSIRT). Logan Wilkins has over 25 years of software development and information security experience. He has worked in academic, research and corporate settings, specializing in DevSecOps management, data science and information security. Logan currently manages Cisco's CSIRT Engineering Delivery team, which is responsible for Security Monitoring and Incident Response systems development and deployment.
Mark Zajicek is a Member of the Technical Staff in the CERT Division at the Software Engineering Institute, located at Carnegie Mellon University (Pittsburgh, Pennsylvania, USA). Mark’s current work is focused on helping other organizations to build and assess their own computer security incident response team (CSIRT) or incident management capability. As a member of the CERT CSIRT Development and Training team, Mark is responsible for providing guidance to new and existing CSIRTs, worldwide. Mark has co-developed a variety of documents and training materials, and he is an instructor for a suite of several courses that provide training for CSIRT managers and technical staff and for organizations that are building or evaluating an insider threat program. Previously, Mark was the Daily Operations team leader for the CERT Coordination Center (CERT/CC), after having joined the CERT/CC’s incident handling staff in 1992. Prior to joining the CERT/CC, he also helped support the CERT/CC during its initial start-up in 1988.
During this session, you will receive an overview of the proposal for new FIRST guidelines related to security incident timeline and timing metrics. Measuring the efficacy of an incident response team, as well as the extended IT team’s performance, is perceived as a key factor by many CSIRT leaders. At the same time, there seems to be no shared consensus within the community on what security incident timing framework to use. This lack ultimately hinders CSIRT teams from aligning with a well-reputed community guideline, as well as from benchmarking within trusted peer groups. This work tries to mitigate this gap and sets a roadmap for future improvements.
Dr. Martin Eian (mnemonic, NO)
Dr. Martin Eian is the Head of Research at mnemonic, and he is the Project Manager for the research projects "Semi-Automated Cyber Threat Intelligence (ACT)" and "Threat Ontologies for CyberSecurity Analytics (TOCSA)". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. He has previously presented ACT workshops at the FIRST Conference and at the FIRST CTI Symposium.
For the past three years, we have been busy building a new threat intelligence platform tailored for analysis and automation: ACT. During our work, we have made observations on the state of the art in threat intelligence platforms, threat sharing, and in the field of threat intelligence in general. We have made mistakes, identified both obvious and subtle issues with how we as a community approach threat intelligence, and we have tried to find solutions that work in the real world. In other words, we have learned lessons that we think will be useful to incident response and security teams, and we want to share what we have learned.
Artsiom Holub (Cisco Umbrella, US), Austin McBride (Cisco Umbrella, US)
The global workforce may be predominantly working from home during the pandemic, but that has not stopped malicious actors from heavily targeting remote workers. Multistaged Trojan attacks hit many enterprises hard in the first half of 2020 and have become very sophisticated attacks that are being used as delivery vehicles for follow-on attacks like ransomware and other malware to maximize revenue. Join us for a dive into the business impact of such malware at scale based on global DNS data, with real-world examples. We will discuss the similarities and differences between successful campaigns and common TTPs, showcase the distribution of victims and attackers from geographical and industry-based standpoints, shed light on newly discovered techniques used by malicious actors, and outline the best approaches to protect enterprises and individuals from infection and data exfiltration.
Presenter's Bio:
Austin McBride is a Threat Analytics Researcher at Cisco Umbrella who analyzes and evaluates the impact of security threats on customers, identifies unclassified threat vectors and discovers emerging trends in malware distribution. His current research focuses on the significance of cryptocurrency in the ever-evolving threat landscape, which abets malicious actors to remain anonymous while buying infrastructure and avariciously amassing profit that has been unprecedented in traditional financial markets in recent history. His background is in data mining, analytics, security research and data visualization. McBride regularly speaks at international and national security conferences like BlackHat, RSAC, and THEFirst. He lives in San Francisco with his wife, son and their dog Spock.
Artsiom Holub is a Senior Security Analyst on the Cisco Umbrella Research team. Throughout the course of the day, he works on Security Threat Reports for existing and potential clients, finds new threats and attacks by analyzing global DNS data coming from Cisco Umbrella resolvers, and designs tactics to track down and identify malicious actors and domains. He holds an AS degree from City College of San Francisco in Computer Networking and Information Security, with completed Network Security and Advanced Cybersecurity certificates. He is a frequent presenter at major cybersecurity conferences including Black Hat and THEFirst. He is currently focused on analysis and research of various cybercrime campaigns, and on building defensive mechanisms applying OSINT and HUMINT approaches powered with ML.
2020 FIRST Virtual Symposium for Latin America and Caribbean
Virtual
October 8, 2020 18:05-18:30
Hosted by LACNIC34 and CERT.br/NIC.br
Austin-and-Artsiom-Trojan-Explosion.pdf
MD5: 473ed2427ccd5f7d63c71f3851584c64
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.95 Mb
Alexandre Dulaunoy (CIRCL.LU, LU), Andras Iklody (CIRCL.LU, LU)
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
As the CSIRT community matures, our need for the ability to extract more value and context from our data becomes more and more vital. MISP has been gradually expanded to reflect these needs, by incorporating features that ease indicator life-cycle management, contextualisation and management of threat intelligence, collaboration, and the filtered feeding of our collected data to our various protective tools. This talk aims to highlight some of the techniques we use via the platform.
May 4, 2020 18:00-19:00
FIRST-2020-CTI-Webinar-Series-Turning-Data-into-Actional-Intelligence-Dulaunoy-Iklody.pdf
MD5: 3be56bfa1026cb0c9a5fc25112f17ed3
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.04 Mb
Alexander Kalinin (CERT-GIB, RU), Gleb Martyanov (CERT-GIB, RU)
Group-IB Threat Intelligence experts provide evidence linking three campaigns with the use of various JavaScript-sniffer families – an instrument used by cybercriminals to steal bank card data – previously wrongly attributed by cybersecurity researchers to various Magecart groups, to the same hacker group. This group was dubbed UltraRank by Group-IB.
Presenter's short Bio:
Alexander Kalinin, Head of CERT-GIB. Group-IB’s Computer Emergency Response Team (CERT-GIB) leads the way in security event and incident management, being the first such team in Eastern Europe and providing round-the-clock assistance.
2020 FIRST Virtual Symposium for Latin America and Caribbean
Virtual
October 8, 2020 17:00-17:25
Hosted by LACNIC34 and CERT.br/NIC.br
Kalinin-Ultrarank_Group-IB.pdf
MD5: 5d7f94d83db938fad2c99673902f636d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.29 Mb
Swapneel Patnekar (Founder & CEO, Shreshta IT Technologies Pvt. Ltd., IN)
DNS (Domain Name System) is the critical & ubiquitous fabric of the Internet; it is used for legitimate purposes and also abused by bad actors for malicious purposes. Statistically, based on a number of research papers, the majority of newly registered domains are used for malice (phishing, ransomware, malware etc.). The Passive DNS technique provides an option for security professionals (Incident Responders, SOC Analysts, Malware Researchers) and law enforcement to dive into mapping the DNS infrastructure of the bad actors and facilitate takedowns. In this talk, I will share:
Domain hijacking at GoDaddy - Since the early part of last year, there have been multiple incidents of domain hijacking at GoDaddy on a very large scale. I will present the modus operandi of the incident using Passive DNS.
As a security practitioner, I will present and share my experiences of utilizing Passive DNS to map the DNS infrastructure of bad actors and report them for takedown.
Note - As a bonus for Star Wars fans, the talk has a few references to Droids.
Reference:
Presenter’s Bio:
Swapneel is a network engineer & researcher working in DNS, DNSSEC, BGP, Unix systems and security. As a technical trainer, he regularly conducts workshops on DNS, DNSSEC, Routing, Unix etc. He is also an APNIC Community Trainer & a RIPE Atlas Ambassador. He is also the Managing Director of Shreshta IT Technologies Pvt. Ltd, a company based out of Belgaum, building & securing networks of micro, small & medium enterprises & network operators in Tier-II and Tier-III cities.
2020 FIRST Virtual Symposium for Latin America and Caribbean
Virtual
October 8, 2020 15:30-15:55
Hosted by LACNIC34 and CERT.br/NIC.br
Patnekar-Uncovering-badness-using-Passive-DNS.pdf
MD5: 49a3e6cebc19d6ff186c6bff6101a196
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.59 Mb
Gert-Jan Bruggink (Falconforce, NL)
Gert-Jan Bruggink is a security specialist and researcher with over 10 years of information security experience at the crossing of offense, defense & strategic risk management. Gert-Jan’s primary role at FalconForce is to assist leaders in making informed decisions by utilizing cyber threat intelligence. In addition to that he’s helping those leaders implement relevant and sustainable cyber defences through strategic change. Before co-founding FalconForce, Gert-Jan led a CTI team specialized in strategic & operational intelligence products, cyber-reconnaissance and CTI enablement. If he wasn’t working on that, then he probably was supporting organizations in augmenting cyber transformation programs or security operations.
Have you ever thought about what would happen if you could compare the adversaries targeting your organization with how well you are doing? Understanding the objectives of adversaries would certainly help you invest resources in the right controls and countermeasures, right? In this talk we will break down how you can leverage red teaming to complement your cyber threat intelligence activities.
When developing your adversary tracking mechanism, regardless of your security maturity, one of the most resource-effective ways to do so is to focus on the ‘how do they do it’, or in other words their playbooks. Now, when combining the trade of cyber threat intelligence with red teaming, we get the opportunity to incorporate red team data into our adversary playbooks.
When a red team is pursuing a certain goal and simulating a specific adversary playbook, an organization can use the data and results to understand how far the real adversary would get and where to increase defences. Armed with these playbooks, your defensive teams can more effectively connect the dots from observed activities in your environment. Your detection and incident response teams can also more efficiently understand what adversaries do and what the TTPs look like if they are active in their network, or even utilize automated adversary data sets for continuous validation. Finally, one can use this understanding to benchmark the strategic investments of their security program.
There’s just one thing: This is not easy.
May 12, 2020 18:00-19:00
FIRST-CTI-Gert-Jan-Bruggink.pdf
MD5: 4550cba5c1c255f47efba613373138fd
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.95 Mb
Art Manion (CERT Coordination Center) & Bruce Monroe (Intel)
June 25, 2020 10:00-10:50
MD5: b280417047da3930d6e426f48a2ec53e
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 694.35 Kb
Jan Kopriva (ALEF, CZ)
Although most of us are aware that not all Industrial Control Systems (ICS) are well protected, it can be quite startling to actually look at how many of these systems are accessible from the Internet. A couple of months ago, ALEF CSIRT started to monitor the number of internet-connected ICS devices, both globally and in specific countries. In this presentation, we will go over the data we have gathered and take a look at a couple of the Industrial Control Systems which are, or were, out there.
Jan-Kopriva-January-30th-1145-1215-public-slides.pdf
MD5: 6bfea1c9667b1d00d33c751ce8466f50
Format: application/pdf
Last Update: June 7th, 2024
Size: 943.68 Kb
Fyodor Yarochkin (Trend Micro), Vladimir Kropotov (Trend Micro, DE)
Fyodor Yarochkin is a Senior Researcher in the Forward-Looking Threat Research team at Trend Micro, with a Ph.D. from the EE department of National Taiwan University. An early Snort developer, open source evangelist and programmer, his professional experience includes several years as a threat investigator and over eight years as an information security analyst performing penetration tests in the Asia-Pacific region.
Vladimir Kropotov is a researcher with the Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Fyodor Yarochkin is a researcher at Trend Micro, incident investigation volunteer at Academia Sinica and a Ph.D. candidate at EE, National Taiwan University. An early Snort developer, open source evangelist and "happy" programmer, Fyodor's professional experience also includes over eight years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.
This presentation dives into the underground hosting ecosystem. Through the prism of our telemetry we examine the infrastructure of underground hosting and the economic ecosystem behind it. We go deep and try to understand how the infrastructure is acquired, maintained and provisioned by criminals, and which parts of the global Internet are likely to host malicious content. From APT groups to online phishing and spam campaigns, malware distribution and financial data exfiltration, we look at how different types of criminal activity are provisioned with network infrastructure. Further, we examine the means attackers use to access and control their systems. The presentation examines such underground infrastructure providers and provides an in-depth case study of one of them. We will cover the major marketplaces, the services offered, prices, and the tricks used by hosting service providers to keep their infrastructure alive and bulletproof.
Matthieu Faou (ESET, CA)
Matthieu Faou is a malware researcher at ESET where he specializes in targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master's degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including BlueHat, REcon, Virus Bulletin and Botconf.
At the beginning of the malware era, IRC was the main Command & Control channel used by threat actors. Then, over the last decade, HTTP(S) became the go-to protocol for malware C&C communications for crimeware and APT groups alike. This led to major improvements in the monitoring of HTTP(S) traffic, so threat actors had to shift their strategy again in order to remain under the radar. In this presentation, we will explore a few cases of stealthy communication channels we encountered during our recent investigations. In the first case, we will show how threat actors make HTTP communications blend in by mimicking legitimate traffic. In the second case, we will use Turla, a long-lived threat actor focused on espionage operations, as an example of mail-based C&C communications. This channel was abused in three different ways: by compromising the mail client, by compromising the mail server, and by interacting directly with webmail services. In the third case, we will review the use of a very common protocol, DNS, for transmitting commands and exfiltrating data. Finally, we will propose some countermeasures to increase protection for users.
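As an added illustration of the third case above (DNS used to carry commands and exfiltrated data), and not code from the talk or from ESET: a small detector run over constructed DNS query log lines. It groups queries per client and registered domain and scores the number of distinct subdomains, the Shannon entropy of the label text and its length, which is what stands out when data is encoded into query names. The log format, the thresholds and the "last two labels" approximation of the registered domain are assumptions made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (not real telemetry): "<timestamp> <client> <qname> <qtype>".
# Client 10.0.0.7 sends hex-looking labels under one domain, the trace a DNS
# tunnel or exfiltration channel leaves in resolver logs.
SAMPLE_LOG = """\
2020-05-12T10:00:01Z 10.0.0.5 www.example.com A
2020-05-12T10:00:02Z 10.0.0.5 mail.example.com MX
2020-05-12T10:00:03Z 10.0.0.7 a3f9c2e1b7d4.exfil-test.invalid TXT
2020-05-12T10:00:03Z 10.0.0.7 9e8b7c6d5f4a3b2c1d0e.exfil-test.invalid TXT
2020-05-12T10:00:04Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil-test.invalid TXT
2020-05-12T10:00:05Z 10.0.0.9 cdn.static.example.net A
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    fields = line.split()
    if len(fields) != 4:
        return None
    ts, client, qname, qtype = fields
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def split_qname(qname):
    """Return (registered_domain, subdomain_part).

    Assumption for this example: the registered domain is the last two labels.
    Production code should use the Public Suffix List (think "example.co.uk").
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_dns_exfil(log_text, min_unique=3, min_mean_entropy=3.5, min_mean_length=12, allowlist=()):
    """Flag (client, registered_domain) pairs whose subdomains look like encoded data.

    Thresholds are assumptions chosen for the constructed sample; tune them on
    your own baseline. `allowlist` holds registered domains known to use
    hash-like hostnames legitimately (CDNs, AV cloud lookups), the usual
    source of false positives for this heuristic.
    """
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "lengths": [], "qtypes": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain, sub = split_qname(rec["qname"])
        if not sub or domain in allowlist:
            continue  # nothing to carry data in, or a known-noisy domain
        payload = sub.replace(".", "")  # dots are only DNS framing, not payload
        s = stats[(rec["client"], domain)]
        s["subdomains"].add(sub)
        s["entropies"].append(shannon_entropy(payload))
        s["lengths"].append(len(payload))
        s["qtypes"][rec["qtype"]] += 1

    flagged = {}
    for key, s in stats.items():
        unique = len(s["subdomains"])
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        mean_length = sum(s["lengths"]) / len(s["lengths"])
        if unique >= min_unique and mean_entropy >= min_mean_entropy and mean_length >= min_mean_length:
            flagged[key] = {
                "unique_subdomains": unique,
                "mean_entropy": round(mean_entropy, 2),
                "mean_payload_length": round(mean_length, 1),
                "qtypes": dict(s["qtypes"]),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), info in detect_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {info}")
```

Run against the sample, only the 10.0.0.7 / exfil-test.invalid pair is flagged: three distinct subdomains, all TXT, mean entropy close to 4 bits per character (the maximum for a hex alphabet). The two benign clients fall below the uniqueness and entropy thresholds. Record-type distribution is reported rather than scored, since legitimate tunnels over A/AAAA records exist and TXT is merely the most convenient carrier.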
Koji Yamada (Fujitsu System Integration Laboratories, JP), Ryusuke Masuoka (Fujitsu System Integration Laboratories, JP), Toshitaka Satomi (Fujitsu System Integration Laboratories LTD (FSI), JP)
Koji Yamada is a cybersecurity researcher with Fujitsu System Integration Laboratories LTD (FSI). He has been engaged in CSIRT activities at FJC-CERT for over two years, protecting Fujitsu's cloud offerings. His interests include cyber threat intelligence, machine learning, and deception technologies.
Dr. Ryusuke Masuoka is a research principal at Fujitsu System Integration Laboratories LTD (FSI), working on Cyber Security. Over the past 30 years, he has conducted research in neural networks, simulated annealing, agent systems, pervasive/ubiquitous computing, the Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He has also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member.
Toshitaka Satomi is a researcher with Fujitsu System Integration Laboratories LTD (FSI). He joined Fujitsu PC Systems in 1997 after graduating from the Tokyo Institute of Technology. He worked on the development of an F-BASIC compiler and insurance business systems. After that, he became interested in cybersecurity research and developed various cybersecurity PoC systems. Since he moved to FSI in 2017, he has been conducting research on Cyber Threat Intelligence (CTI) and has developed a Cyber Threat Intelligence Platform, "S-TIP," which is now available as OSS.
We have a better and stronger defense when defenders share. There are many kinds of defenders in this age of diversity and digital society: people with different backgrounds and roles, and also systems such as security appliances, solutions and services, as well as the CTI feeds integral to analyses and responses. When CTI is shared and utilized seamlessly among them, analysts, incident responders and systems receive the maximum benefit. Seamless CTI sharing and utilization do not happen automatically; there are many obstacles, both visible and invisible. We have created a platform, which we named "Seamless Threat Intelligence Platform (S-TIP)," and implemented many functionalities to overcome such obstacles. We have built the platform around the core concept that everything gets captured and stored in a single structured CTI format, and the platform presents the CTI to each entity according to that entity's needs and preferences. After giving the background and introducing S-TIP and its core concept, we present a framework for organizing the functionalities that overcome sharing and utilization obstacles, and then demonstrate some of those functionalities. S-TIP has been made available as open-source software at https://github.com/s-tip. We finish by pointing out challenges and future work to further seamless CTI sharing and utilization.
Shawn Richardson (nVIDIA)
June 23, 2020 11:30-11:45
MD5: b4503042bd2dcd91ae33f169d7f49d14
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 685.32 Kb