- USTLP:CLEAR
A Diamond is an Analyst's Best Friend: Introducing the Diamond Model for Influence Operations Analysis
Charity WrightCharity Wright (Recorded Future, US)
Charity Wright is a threat intelligence analyst with over 15 years of experience in the US Army and the National Security Agency, where she translated Mandarin Chinese. She has spent over six years analyzing cyber threats in the private sector, with a focus on China state-sponsored threats and dark web cybercrime. Charity now researches cyber threat intelligence, influence operations, and strategic intelligence at Recorded Future.
Malign influence is one of the greatest challenges the world faces today. State-sponsored threat actors, criminals, and political actors alike are weaponizing information in online spaces to thwart elections, incite social disruptions, disrupt supply chains, and manipulate markets. Due to the inherent overlaps in modern day digital influence campaigns and cyber intrusion campaigns, information security teams have been enlisted to contribute their skills, experience, and education to help detect, analyze, and defend against malign influence, but current analytic frameworks are either oversimplified or overcomplicated. In this presentation, Charity Wright presents the Diamond Model for Influence Operations, a holistic and familiar method for researchers and cybersecurity analysts to identify, track, analyze, and report on malign influence operations. This framework addresses both the technical axis and the socio-political axis, which are familiar from previous diamond models, and adds the core aspect of narrative warfare to the center of the diamond, the anchor to every effective influence operation. With the Diamond Model for Influence Operations, analysts will discover what malign information is being spread, how it is disseminated, for what purpose, and which influence actors are behind each operation, enabling faster defense and more informed security decisions.
- DETLP: GREEN
Adapting PSIRT Processes for the Automotive B2B World
Hans UlmerHans Ulmer (Bosch, DE)
Hans has 20 years experience in Security. Before joining the Bosch PSIRT in 2016, he held various IT and Information Security and Business Continuity roles at SAP and BNP Paribas Cardif.
Hans took over the lead of the Bosch PSIRT in 2018 and, as part of a great team of dedicated professionals, has overseen the continuous development of PSIRT processes and tools, always with a tight focus on automation and ease of management.
The Bosch PSIRT was established in 2016 to coordinate Incident Response and Vulnerability Management across Bosch's wide range of products and solutions for consumers, industry, building management and the automotive industry. Over the years, it has become clear that each market domain has its own specific requirements; this is not the least true for Automotive. We want to share some of these specific requirements and the processes and tools we are continuing to develop with a focus on this domain, along with key learnings for other B2B business areas.
- DE
Advanced Use of Bug Bounty Programs to Improve Vulnerability Response
François AmbrosiniFrançois Ambrosini (Huawei Technologies Duesseldorf GmbH, DE)
Huawei PSIRT handles vulnerabilities affecting Huawei products. In addition, Huawei runs a bug bounty program for its mobile phone business. Taking the examples of variant analysis and fuzzing as used at Huawei, this talk will present how a bug bounty program can be used to further improve the overall vulnerability response of an organization. Organizations running such program are not limited to passively receive and handle vulnerability disclosures. They can also take a more active role by leveraging knowledge acquired from disclosures, in order to proactively look for similar vulnerabilities, and report these into usual PSIRT processes. A short presentation of Huawei PSIRT and of the bug bounty program will serve as introduction before moving to the technical aspects.
François Ambrosini is Responsible Disclosure and Vulnerability Management Evangelist at Huawei and represents Huawei PSIRT in Europe. He obtained his engineering degree in electronics and signal processing combined with a master's degree in computer networks and telecommunications from ENSEEIHT, Toulouse, France, in 2003.
He was involved with radio technology development at Sagem Défence & Sécurité and later in the standardisation of mobile TV systems at Motorola, and consulted on security both independently and for umlaut communications. His activities have spanned several domains including IoT security, reconfigurable radio systems security, practical use of attribute-based cryptography and of language-theoretic security, and the development of several standards serving the private and public sectors as well as the EU legislation.
- BETLP:CLEAR
Analyzing Cobalt Strike Beacons, Servers and Traffic
Didier StevensDidier Stevens (NVISO, BE)
Didier Stevens (SANS ISC Handler, Microsoft MVP) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier is a pioneer in malicious document research and analysis, and has developed several tools to help with the analysis of Cobalt Strike artifacts. You can find his open source security tools on his IT security related blog. http://blog.DidierStevens.com
In this workshop, Didier Stevens will guide you through exercises that will familiarize you with his tools to analyze Cobalt Strike beacons, fingerprint team servers
- EE US MU
Approaches and Practices for Increasing the Maturity and Capabilities for CSIRTs in Emerging Economies
Prof. Hayretdin Bahsi
Dr. Sherif Hashem
Jean-Robert Hountomey
Dr. Unal Tatar
Dr. Kaleem Ahmed UsmaniProf. Hayretdin Bahsi (Tallinn University of Technology in Estonia, EE), Dr. Sherif Hashem (Information Sciences and Technology College of Engineering and Computing George Mason University, US), Jean-Robert Hountomey (AfricaCERT, US), Dr. Unal Tatar (University at Albany, US), Dr. Kaleem Ahmed Usmani (CERT-MU, MU)
The research explores approaches and practices to provide low-income countries with a practical, affordable, flexible, and achievable workforce training and development methods including a menu of resources mapped to CSIRT organizational, technical, and operational service requirements.
https://cybilportal.org/publications/cyber-incident-management-in-low-income-countries-part-2-a-guideline-for-development/
https://cybilportal.org/publications/cyber-incident-management-in-low-income-countries-part-1-a-holistic-view-on-csirt-development/
-
Prof. Hayretdin Bahsi is a research professor at the Centre for Digital Forensics and Cyber Security at Tallinn University of Technology in Estonia. He received his PhD and MSc degrees in Computer Engineering from Sabanci University and Bilkent University respectively. He was involved in many R&D and consultancy projects on cyber security as a researcher, consultant, and program coordinator at the Information Security Research Centre of the Scientific and Technological Research Council of Turkey between 2000 and 2014. He acted as the founding director of the National Cyber Security Research Institute. His research interests include cyber-physical system security and the application of machine learning methods to cyber security problems.
-
Dr. Sherif Hashem is a Full Professor of Information Sciences and Technology at George Mason University-USA. Dr Hashem is a Senior IEEE member and an ISACA Certified Information Security Manager (CISM). Dr Hashem is currently a member of the Board of Directors of FIRST (Forum of Incident Response and Security Teams), and a member of the African Union’s Cybersecurity Expert Group (AUCSEG).
Over the last two decades, Dr. Hashem led several key cybersecurity efforts at the national level, and setting up the framework for further developing the Egyptian Computer Emergency Readiness Team (EG-CERT). In 2015, Dr Hashem became a member of Egypt’s Supreme Cybersecurity Council (ESCC), which is affiliated with the Cabinet of Ministers. As the Chairman of the Executive Bureau of the ESCC, Dr Hashem led the team that drafted Egypt’s first National Cybersecurity Strategy (2017-2021). Successful cybersecurity initiatives and activities led by Dr Hashem have contributed to Egypt’s advanced cybersecurity rank: 14th among 193 countries, as reported by the International Telecommunications Union (ITU) Global Cybersecurity Index in July 2017.
At the international level, Dr Hashem was an expert member of the United Nations Group of Government Experts (UN GGE) on the Developments In The Field Of Information And Telecommunications In The Context Of International Security (Aug 2012 - June 2013), a 15-members high-level group of experts that developed strategic cybersecurity reports to be endorsed by the UN General Assembly. He has been invited to give cybersecurity and ICT professional and strategic keynote speeches by numerous leading international organizations including: UN, ITU, Interpol, NATO, OSCE, OECD, African Union, the League of Arab States, as well as by the US Department of Defense and US Department of State.
-
Jean-Robert Hountomey works as a researcher for a global technology leader. His expertise includes Product Security, Privacy Engineering, Secure Software Development Life Cycle, incident management, vulnerability research, maturity frameworks, drafting of policy, guidelines, and best practices.
Mr. Hountomey is a Founder and Director of the Africa Forum of Incident response and security teams(AfricaCERT), the African Anti Abuse Working Group. He is a SIM3 auditor, a Member of the African Union Cybersecurity Expert Group, the FIRST Membership committee, the PSIRT SIG, the Vulnerability Coordination SIG, the CVE outreach, and Communication Working Group (OCWG), ISACA (GOLD), OWASP (LIFETIME), IAPP.
He has contributed to cybersecurity frameworks, articles, ICANN, ISOC, AfriNIC, AfNOG, AfrISPA, the GFCE, and the UN OEWG. His research includes issues and opportunities related to law, technology, and Internet Governance.
-
Kaleem Ahmed Usmani: I am heading the Computer Emergency Response Team of Mauritius (CERT-MU), a national CERT since May 2010. It operates under the umbrella of the National Computer Board, an autonomous body under the Ministry of Information Technology Communication and Innovation, Republic of Mauritius.
My experience of 18 years in the ICT industry spans over cybersecurity , network engineering, system administration, IT management and project implementation. Currently, I am involved in implementing the national level cybersecurity projects for Mauritius and also involved in initiating regional cybersecurity projects for IOC, SADC and COMESA region. I am the Mauritian representative to UN Group of Governmental Experts (UNGGE) on Cyber for the period 2019-2021.
-
Dr. Unal Tatar is an assistant professor of cybersecurity in the College of Emergency Preparedness, Homeland Security, and Cybersecurity at the University at Albany. Dr. Tatar worked as a principal cybersecurity researcher in government, industry, and academia for over 17 years. He is the former coordinator of the National Computer Emergency Response Team of Turkey. Dr. Tatar’s research is funded by the National Science Foundation, National Security Agency, Department of Defense, Air Force Research Laboratory, NATO, and Society of Actuaries. His main topics of interest are cybersecurity risk management, economics of cybersecurity, cyber insurance, privacy, cybersecurity education and capacity building. Dr. Tatar holds a BS in Computer Engineering, an MS in Cryptography, and a Ph.D. in Engineering Management and Systems Engineering.
- US JPTLP:CLEAR
Attack Flow - Beyond Atomic Behaviors
Desiree Beck
Gabriel Bassett
Ryusuke MasuokaDesiree Beck (The MITRE Corporation, US), Gabriel Bassett (Verizon, US), Ryusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP)
Desiree Beck is a principal cybersecurity engineer at the MITRE Corporation and is the project leader for the Attack Flow project within the Center for Threat Informed Defense, a non-profit, privately funded research and development organization operated by MITRE Engenuity. She also leads the Malware Behavior Catalog (MBC) project, a malware-centric supplement to MITRE ATT&CK, and supports the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) efforts. Dez lives in Northern California and holds a PhD in mathematics from the University of California, San Diego.
Gabriel Bassett is the lead data scientist and a contributing author on the Data Breach Investigations Report team at Verizon Enterprise Solutions specializing in data science and graph theory applications to cyber security. He supports several information security data science conferences, is game architect for the Pros vs Joes Capture the Flag series and has previously held cyber security risk management, testing, intelligence, architect, and program management positions at the Missile Defense Agency and Hospital Corporation of America.
Dr. Ryusuke Masuoka is a Fujitsu Distinguished Engineer and a research principal at Fujitsu System Integration Laboratories Limited (FSI), working on Cyber Security. Over 30 years, he has conducted research in neural networks, simulated annealing, agent system, pervasive/ubiquitous computing, Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member.
Defenders typically track adversary behaviors atomically, focusing on one specific action at a time. This is a good first step toward adopting a threat-informed defense. However, adversaries use multiple actions in sequence. We call these sequences attack flows, and understanding adversary behavior in terms of attack flows, rather than considering only individual indicators, significantly improves defensive capabilities. For example, red teamers can use attack flows to emulate adversaries or replay an incident; defenders can use attack flows to understand lessons learned during an incident or to explain defensive posture to executives.To enable the community to visualize, analyze, and share attack flows, we have developed a publicly available data format for describing sequences of adversary behaviors, as well as an attack flow builder tool. In this presentation, we will present the attack flow format, provide an example flow, and discuss the most common use cases, such as those above. Our presentation will also show how the attack flow format can enable defensive resource prioritization, rapid analytic development, and complex machine-to-machine automation workflows. Attendees will be invited to provide feedback after the talk to make attack flows as useful as possible to the community.
- CN
Attack hunting with Threat Intelligence of DNS
Pengchao LiPengchao Li (Eversec (Beijing) Technology Co., Ltd., CN)
Theat Intelligence plays an important role in Attack Hunting. Key DNS attack hunting techniques include examining DNS portrait information, detecting DNS tunneling and Domain Generation Algorithms (DGAs). Logging DNS requests and responses on DNS forwarders is a simple way. DNS logs are one of the most powerful attack hunting resources, but encryption is rapidly changing that equation. In this presentation, I want to share with you how to extract IoC from DNS logs, detecting DNS tunneling and Domain Generation Algorithms (DGAs) with Threat Intelligence of DNS.
Li Pengchao, Ph. D, associate researcher. Received B.S. from Beijing University of Posts and Telecommunications (BUPT); Received MSE from BUPT. Graduated from Tsinghua University, with a Ph. D. Serve as VP of Eversec (Beijing) Technology Co., Ltd. My research interests include cyber security, intelligent information processing and data content security. 12 academic papers have been published and 7 patents have entered the substantive examination stage. I've been engaged in the research of multimedia information hiding theory and method, encrypted communication technology, embedded communication system and computer vision since 2008. I participated in more than 20 ministerial-level scientific research projects, and two projects have won the prize of department-level scientific and technological progress. Editorial board member of the "2020 network information Innovation Research Report".
Pengchao-Li-Slides.pdf
MD5: f7224471374d6afc2b6d84e503f88508
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.25 Mb
- TLP:CLEAR
AWS Jam Lounge
The Jam Lounge is a activity based event that can last from one day to a few weeks and allow you to register at any time while the event is on. You can choose to register with colleagues, join an existing team, or as an individual. The lounge has a long duration; feel free to get in and out and workout challenges in a self-paced manner and work at any time of convenience. In the Jam lounge, you can choose to learn best practices and new AWS features and explore the challenges and learn something new on the way. The lounge typically has 14 challenges, including various AWS services and domains like Security, DevOps, and Analytics or any other AWS service. To keep fun going, work at your own pace , 24/7, in-person or virtually anywhere. Work Alone or with your team. To sign-up, head to the 5th level foyer and talk to an AWS team member to get started. An informational PDF flyer will be available in the conference mobile app with more information on the Jam.
aws-jam-flyer.pdf
MD5: 2207e5dc31b5baaf643fc05df3ee1313
Format: application/pdf
Last Update: June 7th, 2024
Size: 157.56 Kb
- DETLP:CLEAR
Beyond Incident Reporting - An Analysis of Structured Representations for Incident Response
Daniel Schlette
Marco CaselliDaniel Schlette (University of Regensburg, DE), Marco Caselli (Siemens AG, DE)
Daniel Schlette is a third-year Ph.D. candidate and research assistant at the Chair of Information Systems, University of Regensburg. He received his Master's Degree (Hons.) in management information systems from the Elite Graduate Program at the University of Regensburg in 2019. His research interests focus on cyber threat intelligence and incident response. While examining structured data formats, core research results indicate the importance of data quality and collaborative cyber defense.
Marco Caselli joined Siemens in 2017 and he is the Senior Key Expert of the "Attack Detection" topic. He received his Ph.D. in computer security at the University of Twente with a thesis titled "Intrusion Detection in Networked Control Systems: From System Knowledge to Network Security". His research interests focus on security of industrial control systems and building automation with a special focus on critical infrastructures. Before starting his Ph.D. he worked at GCSEC, a not-for-profit organization created to advance cyber security in Italy, and Engineering S.p.A., an international company for software development.
Novel approaches to structure and represent incident response are broadening the scope of threat intelligence. In this presentation, we describe different representation options by defining key aspects of incident response formats. Our in-depth analysis shows the differences and similarities between formats and allows organizations to understand individual benefits and shortcomings. We find a consistent focus on incident response actions within all formats and the importance of both playbooks and frameworks. Additionally, we outline how to apply the key aspects to drive the selection of incident response formats based on a given use case (e.g., automation, sharing, or reporting).
- JPTLP:CLEAR
Bridging Together Independent Islands - STIX Custom Objects and Matching Mechanisms to Correlate Cyberspace and Real-World Data
Toshitaka SatomiRyusuke MasuokaToshitaka Satomi (Fujitsu System Integration Laboratories Limited, JP), Ryusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP)
Toshitaka Satomi is a researcher with Fujitsu System Integration Laboratories LTD (FSI). He joined Fujitsu PC Systems in 1997 after graduating from the Tokyo Institute of Technology. He worked on the development of an F-BASIC compiler and insurance business systems. After that, he became interested in cybersecurity research and he developed various cybersecurity PoC systems. Since he moved to FSI in 2017, he has been conducting research on Cyber Threat Intelligence (CTI) and has developed a Cyber Threat Intelligence Platform, "S-TIP" which is now available as OSS.
Dr. Ryusuke Masuoka is a Fujitsu Distinguished Engineer and a research principal at Fujitsu System Integration Laboratories Limited (FSI), working on Cyber Security. Over 30 years, he has conducted research in neural networks, simulated annealing, agent system, pervasive/ubiquitous computing, Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member.
"Toshi" and "Ryu" present and demonstrate how to correlate cyberspace and real-world data, using STIX custom objects and new matching mechanisms. After presenting bridging CTI sharing between humans and systems at FIRST2020, we continued our journey to widen CTI applications. Toshi was asked to correlate bank accounts and IP addresses during discussions with law enforcement (LE) practitioners. He thought he could use "bank-account" and "person" objects in MISP Standard. However, Ryu, having recently created his bank account in Japan, found the "person" object an inadequate model to represent a Japanese bank account owner and issues matching a Japanese person and a "person" object. For cyberspace data like IP addresses, exact matching would suffice, but not for real-world data. It is like many independent islands.To bridge those islands, we propose STIX Customizer and new matching mechanisms. STIX Customizer helps users easily create STIX custom objects to model real-world data."Fuzzy Matching" absorbs notation fluctuations. "Ryuusuke" is the phonetically correct representation of Ryu's given name, but he used "Ryusuke" for his bank accounts in the US. "Fuzzy Matching" is required to match them."Explicit Matching" limits matching among specific properties of different models. "Satomi" is Toshi's family name, but also a female given name in Japan. It is no use to match "Satomi" as a family name and "Satomi" as a given name. We have implemented the above mechanisms in S-TIP, an OSS Threat Intelligence Platform, available in GitHub. We will demonstrate those mechanisms and explain its LE use case.
- PLTLP:CLEAR
Build Automated Malware Lab with CERT.pl Open-Source Software
Paweł Srokosz
Paweł PawlińskiPaweł Srokosz (CERT Polska / NASK, PL), Paweł Pawliński (CERT Polska / NASK, PL)
Pawel Srokosz is a security researcher and a malware analyst at CERT.PL, constantly digging for fire and doing reverse engineering of ransomware and botnet malware. Core developer of MWDB Core and Karton projects. Free-time spends on playing CTFs as a p4 team member.
Pawel Pawlinski is a principal specialist at CERT.PL. His job experience includes data analysis, threat tracking and automation. In his current role, Pawel leads a R&D team and manages projects in the area of information exchange and threat monitoring.
Malware analysis is one of the most common challenges facing almost any organization dealing with cybersecurity. From year to year, it becomes a harder nut to crack, because of the growing scale of activities undertaken by criminals and their increasing sophistication.Most organizations are trying to automate malware analysis processes using various loosely-connected scripts, toolkits and sandboxes to extract actionable information like indicators of compromise, dropped files, static configurations and webinjects. As our in-house setup became increasingly complex and other solutions on the market did not meet our needs, we decided to create a central system to provide a convenient storage for this data and to share it with the wider security community.The resulting platform is called MWDB. It is not just a repository but a complete modular malware analysis framework and is freely available for white-hat analysts as a service via mwdb.cert.pl. All core parts of the platform are released as open-source so other teams can build their own self-hosted malware repositories and automate analysis workflows. During the presentation we will explain features and the architecture of the system. We will also show how it is used in practice to support analysis at scale with examples of recent malware campaigns.
- DETLP:CLEAR
Building an effective ICS/OT Security Monitoring and Defense Program
Kai ThomsenKai Thomsen (Dragos, Inc. , DE)
Building an effective security program for ICS/OT is different to IT. OT has a different mission and this needs to be reflected in the way we secure and defend our ICS/OT environments. In this workshop, we will cover the five key security controls that matter for OT and discuss the foundational requirements for establishing Security Monitoring and integrating with IT Security and other teams required to effectively respond to industrial incidents.
Some familiarity with ICS/OT terminology (Purdue Model, SCADA, DCS, PLC, RTU, etc.) helps, but not required. Participants will be asked to conduct a few pen and paper exercises
Kai Thomsen is Director of Global Incident Response Services at the Industrial cyber security company Dragos, Inc. where he leads a team of analysts in responding to or proactively hunting for threats in customers’ ICS environments. Prior to his role at Dragos, Inc. Kai was the lead Incident Responder at the German car manufacturer AUDI AG where played a key role in establishing an integrated IT defense team responsible for enterprise IT, ICS, and connected car infrastructure. Before Audi, Kai worked for 14 years in the steel industry for the engineering company SMS group, where he was responsible for internal IT defense as well as responding to threats at customers’ sites. Kai is also a Certified SANS Instructor in the ICS curriculum. In 2019, Kai received the SANS ICS Cybersecurity Difference Maker Award for the EMEA region
Kai_Thomsen.pdf
MD5: 366573afa779ca981fe6485d851e677e
Format: application/pdf
Last Update: June 7th, 2024
Size: 25.32 Mb
- PE
Casos de Ciberataques Tipo Ransomware en Perú y Medidas Preventivas (presented in Spanish)
Ing. César Farro (Telefónica Tech, PE) (PE)
Debido a los diferentes casos de ciberataques internacionales y tambien ocurridos en diferentes empresas en Perú como el ciberataque de tipo ransomware generando perdida de datos, filtración de datos e interrupción de los servicios de TI en las empresas. Los grupos de Ransomware internacional tienen un alto conocimiento técnico bajo modelos RaaS (Ransomware as a Service) donde tienen individuos de todo el mundo que constantemente están buscando ingresar a las redes aprovechando vulnerabilidades de los sistemas de TI de las empresas, como también estos ciber delincuentes se aprovechan de los usuarios finales enviandoles correos, enlaces falsos con malware sofisticado para luego ingresar a la red y extorcionar a las empresas con sus propios datos. El ramsoware es un tema complejo por ello se necesita un conocimiento técnico, social para conocer a los usuarios finales, los terceros/proveedores que se conectan a la red , para ello es necesario la cooperación y colaboración técnica local como internacional entre Csirts, SOCs, fabricantes de seguridad, policia cibernética y organizaciones de seguridad independientes para intercambio de conocimiento técnico.
Por lo anterior, propongo el siguiente contenido:
Parte 1: Vectores de infección y ejecución:
Se explicarán casos reales de ransomware, vectores iniciales de infección frecuentes, movimiento lateral, hacking de servidores críticos DB, AD, fuga de información, ejecución de ransomware, estadísticas en base a observación en el sector público y privado.
Parte 2: Hallazgos:
-Cantidad de Servicios RDP 3389/tcp, SMB 445/tcp en los rangos públicos.
-Cantidad de Servicios VPN Server Vulnerability en los rangos públicos.
Parte 3: Recomendaciones: Basado en Defense in depth
César tiene más de 21 años de experiencia en ciberseguridad, actualmente trabajo en Telefónica Tech como Cyber Security Advisor donde ha desarrollado proyectos en Perú y Brasil para Bancos, Mineras, Gobierno, Grupos Empresariales y Pymes, frecuentemente es speaker en eventos de seguridad en Perú y en el extranjero.
- LUTLP:CLEAR
Andras Iklody
Sami MokaddemAndras Iklody (CIRCL - Computer Incident Response Center Luxembourg, LU), Sami Mokaddem (CIRCL - Computer Incident Response Center Luxembourg, LU)
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been leading the development the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools
The Cerebrate Platform is a new open source project, built to allow organisations to manage trusted communities and orchestrate the tooling between its constituentsManage contact information of your community members, open dialogues to interconnect various security tools within the network or simply manage a fleet of your internal security tools. Cerebrate handles a host of day-to-day tasks for automation and trust building within security communities.This talk aims to introduce the issues we are trying to tackle with Cerebrate and how the platform can assist CSIRTs and SOCs in managing their community and tools.
slides.pdf
MD5: df0799f0c0a8f54cdd20f75e141cb93f
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.2 Mb
- USTLP:CLEAR
Kenneth GrossmanKenneth Grossman (HHS/National Institutes of Health, US)
Ken Grossman has worked in the information security field for over 20 years and has been instrumental in various major security initiatives. He was a founding member of the Department of Homeland Security's National Cyber Security Division/United States Computer Emergency Readiness Team after establishing an Information Security Program at the US General Services Administration/ Federal Supply Service. Ken joined the National Institutes of Health/National Institute of Allergy and Infectious Diseases (NIH/NIAID) in 2006 where he manages the NIAID Cyber Security Program. Ken oversees the handling and mitigation of NIAID information security events. He also ensures that NIAID adheres to Federal security policies/guidelines and ensures that security audits are performed on covered information systems. He develops NIAID information security policies and training programs and is the liaison with the NIH and other Institutes security programs. Mr. Grossman has an M.S. in Computer Systems Management from the UMUC and a B.S. in Aerospace Engineering from Virginia Tech. His certifications include Certified|Chief Information Security Officer, Certified Information Systems Security Professional, Heathcare Information Security and Privac Practitioner, Certified Information Security Manager, GIAC Certified Incident Handler, GIAC Continuous Monitoring Certification and GIAC Cyber Threat Intelligence.
The presentation will discuss the lessons learned from creating an Information Security/Information Assurance program from scratch. Some of the issues that needed to be considered were organization's mission and nature, scope and structure of IS/IA organization (formal vs. virtual, core vs. adhoc), the customer base, organizational politics, regulatory requirements, and organizational dependencies (internal and external). I will also discuss the capabilities, proactive and reactive, that an IS/IA program requires.
- DETLP:CLEAR
CSAF - the Magic Potion for Vulnerability Handling in Industrial Environments
Tobias Limmer
Thomas PröllTobias Limmer (Siemens, DE), Thomas Pröll (Siemens ProductCERT, DE)
Being involved in the field of security since 20 years ago, Tobi has been focusing on the industrial side of IT infrastructures for over 10 years now. Starting with vulnerability handling in Siemens ProductCERT, he was very involved into the automation of security tests. Now one of his research areas is tool-based vulnerability management & risk-based mitigation decisions. And he likes French comics.
Tom is working for Siemens in product security since 15 years. After five years of penetration testing he changed sides and is leading the incident handling and vulnerability response team for Siemens ProductCERT.
Vulnerability management for operators of segmented networks such as industrial environments and software suppliers still largely relies on manual processes. This results in high efforts and has tremendous impact on mitigative actions such as patching.Siemens has ramped up its vulnerability handling efforts in the last decade which resulted in publishing over 250 CVEs in 150 advisories in 2021. This amount of information can hardly be handled in the manual way for even moderately complex environments.By supporting the Common Security Advisory Format (CSAF), standardized by OASIS end of 2021, Siemens helps automatable vulnerability management in industrial environments, our Gallic villages.This talk will give an overview of the new CSAF 2.0 release and our experience implementing it. We need a community to support this effort and to improve the situation of vulnerability management, both on the side of publishing vendors and consuming operators. Especially tools are needed that support and automate this process. We will sketch a possible way forward for the whole community, also including SBOMs and VEX in the discussion.
- TLP:CLEAR
CSAF, VEX, and SBOMs a Today's Cybersecurity Acronym Soup (In-person)
Omar Santos (Cisco)
Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure.
Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco’s Product Security Incident Response Team (PSIRT) where he mentors and lead engineers and incident managers during the investigation and resolution of security vulnerabilities.
- LTTLP:CLEAR
CSIRT and SOC Modernization Practices
Vilius BenetisVilius Benetis (NRD Cyber Security, LT)
Dr. Vilius Benetis is member of NRD CIRT (in NRD Cyber Security), where he leads a team of experts to consult, establish and modernize CSIRT/SOCs for sectors, governments and organizations in Africa, Asia, Europe, and Latin America. He is an active contributor and speaker for ISACA's cybersecurity research and contributes to development of CSIRT methodologies for ENISA, FIRST.org and ITU. He is an industry professor in Cybersecurity at Kaunas Technology University (ktu.edu).
CSIRTs and SOCs are increasingly expected to work as professional and effective organizations, reflecting on own performance and able to self-improve. Such expectations are challenging to meet for many teams around the world. Presentation is geared to support listeners in this path by providing practical tips, tricks, and demonstrations on different methods for improvements. Speaker's knowledge is based on broad experience in modernizations of national, sectorial and organization CSIRT/SOCs. Talk will touch practical maturity models, mandate review, service model tuning, operational KPI updates, focusing on state-of-the-art competence models.
- IETLP:CLEAR
Cyber Ireland - Addressing Cyber Crime Through Industry-Academia-Government Collaboration
Eoin ByrneEoin Byrne (Cyber Ireland, IE)
Dr Eoin Byrne is Cluster Manager at Cyber Ireland, he has led the establishment and management of the cluster since 2018. His PhD research of ICT clusters across Europe produced a cluster development model applied in Ireland for the first time through the establishment of Cyber Ireland.
With the increasing cost of cyber crime we must not only address the technical cyber security challenges, but also the political, economic and societal aspects.In 2019, Ireland established a cyber security cluster with the aim of bringing Industry, Academia and Government together to support collaboration and address key challenges for the sector: from skills shortages, to the low-level of industry-academic research and innovation, lack of education and awareness, and need for greater co-ordination of organisations at a national level.The cluster now represents over 130 organisations, with 110 companies, 11 universities and several government agencies including the National Cyber Security Centre. It has a wide range of collaborative activities including meet-ups, events and a Threat Intelligence Special Interest Group. The Talent & Skills Working Group has published a cyber skills survey leading to a national training programme to address the critical skills shortage. The cluster has built stronger ties with government and assisted in the response to the cyber attack on the National Health Service in May 2021.There are learnings for industry professionals, academia and policy makers from the Cyber Ireland cluster model of collaboration that can be applied to other regions.
03-CyberIreland-Byrne.pdf
MD5: 23c9af3193033225ea8e70f2df3ccb41
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.33 Mb
- USTLP:CLEAR
Cyber Threat Intelligence Analysts and You: Understanding the Discipline to Optimize Cyber Defense Collaboration
John DoyleJohn Doyle (Mandiant, US)
The cyber threat intelligence (CTI) analyst role is arguably the most recent entrant to emerge under the cyber security career tracks with the job role, responsibilities, and skill requirements wide ranging and not well understood by organization leadership or cyber security peers. During this talk, we introduce the newly developed, Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework.
We unpack the significant overlaps that exist between those in a cyber threat analyst's role and the other cyber security disciplines defined by NIST SP 800-181 to provide the groundwork for threat hunters, incident responders, red teamers, and others to understand how to optimize collaboration with CTI analysts. We highlight the overlaps by examining the Framework's identifies 4 underpinning pillars--Problem Solving, Professional Effectiveness, Technical Literacy, and Cyber Threat Proficiency--with a distinct focus on how acute knowledge of cyber adversary operations can empower hunters and red teams to properly perform adversary emulation when testing the security posture of an organization.
We conclude by discussing how organizations can use this framework as a guidepost to recruit, grow, develop, mature, and retain CTI talent.
John Doyle has over fifteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. He has spent over a decade tracking multiple state-sponsored cyber actors (APTs) to support strategic, operational, and tactical intelligence requirements.
John-Doyle.pdf
MD5: 346f199dce0eced3a44c93d72af26960
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.2 Mb
- ATTLP:AMBER
Clemens SauerweinClemens Sauerwein ( University of Innsbruck, Department of Computer Science, AT)
The increasingly persistent and sophisticated threat actors along with the sheer speed at which cyber-attacks unfold, have made timely decision-making imperative for an organization's security. Therefore, security professionals employ a large variety of data sources concerning, emerging attacks, attackers’ course of actions or indicators of compromise, in order to promptly put appropriate countermeasures in place. In response to this trend, many vendors have launched appropriate cyber threat intelligence sharing platforms that support the cross-organizational exchange of the required threat intelligence. However, the comparability of these platforms is limited due to a lack of evaluation criteria and accordingly research and practice lack comprehensive analysis and comparisons of the offered platforms on the market. In order to address these gaps, we present an evaluation framework for cyber threat sharing platforms and a corresponding analysis of 13 platforms on the market. Last but not least, we outline our main findings and discuss the resulting implications for research and practice.
Clemens Sauerwein is Assistant Professor at the Department of Computer Science at the University of Innsbruck, Austria. His research interests include information security risk management, cyber threat intelligence sharing, empirical studies in the field of information security risk management and information systems. He works in close collaboration with industry and transfers his results into practice as a consultant and a member of various security interest groups.
Clemens-Sauerwein.pdf
MD5: 8df10cddfb3c1714790c3462971e85b9
Format: application/pdf
Last Update: June 7th, 2024
Size: 816.83 Kb
- ES
Cybersecurity Emergency Action Plan for Local Entities in Comunitat Valenciana, Spain
Jose VilaJose Vila (CSIRT-CV, ES)
With the rise of ransomware attacks against municipalities in Comunitat Valenciana (Spain) in the first half of 2021, Generalitat Valenciana (the Regional Government) has put together an Emergency Action Plan focused on providing a solid Cybersecurity ground to all of its municipalities, so they can better face future threats and comply with the applicable legislations (ENS, Esquema Nacional de Seguridad, mandatory for all public sector organizations in Spain).
The plan, which was awarded to S2 Grupo and has the collaboration of CCN-CERT, started in July and has so far provided common tools to better fight and prevent ransomware attacks in every municipality, is starting to provide more advanced sensors in some of them to enable better threat detection, and will help municipalities minimize impact when a successful cyberattack occurs.
The early stages of the plan have been a real challenge in terms of expanding the current structures of CSIRT-CV and creating procedures for all of the new services being provided. It has also been a challenge in terms of tools, because a new focus to microCLAUDIA, one of the main tools used, had to be done.
- Jose Vila - Jose Vila is a Senior Cybersecurity Analyst with more than 12 years of experience in the sector. He has been mainly focused in cyberdefense and incident management. He is part of the technical coordination team of CSIRT-CV.
- AUTLP:CLEAR
Cybersecurity Maturity in the Pacific Islands - Integrating CERT Services in a Regional Framework
Anthony AdamsAnthony Adams (Monash University, AU)
Tony Adams is a PhD student at Monash University, with research interests centering on the development of cybersecurity threat detection and response capabilities. Tony's Master thesis (Monash University) developed a conceptual model for a Pacific Islands regional cybersecurity framework. Tony has worked as a Project and Program Manager for almost 30 years, with a particular focus over the last 7 years on delivering strategic cybersecurity capabilities in Australia, USA, England, Austria, South Africa, Singapore, Malaysia, Hong Kong and Thailand.
Cybersecurity acts as a driver for national economic, social and defence interests. A common policy goal of national governments is to protect their respective interests by developing cybersecurity threat and attack response capabilities that allow their businesses, communities, partners and visitors to use the internet, safely and securely. Contemporary research confirms the importance of nations working with partners within multinational, regional frameworks to improve their national cybersecurity capability maturity and resilience, however relatively little research has been conducted into the efficacy of such frameworks within the Pacific Islands region.In 2020, this research examined the factors that influence the purpose, form and function of a regional threat response capability, and proposed a conceptual Pacific Islands regional cybersecurity framework. The framework included a network of affiliated national CERTs that operate independently and reflect their respective national interests while collaborating on matters of shared interest, supported by regional partners who provide targeted and measured support to build national cybersecurity capability and resilience. In 2021, we are extending the conceptual framework by working with regional cybersecurity participants and partners to examine how Pacific Island nations integrate their cybersecurity threat response capabilities. This research is examining how national and sectoral CERTs build capabilities that align with their national governments, policy directions, and collaborate with regional CERTs to develop a suite of complementary capabilities.
- EU
Data Driven APT Attribution and AI/ML Research
Patrick Mana
Bahtiar MustafaPatrick Mana (EUROCONTROL / EATM-CERT, EU), Bahtiar Mustafa (EUROCONTROL / EATM-CERT, EU)
In this talk we will present a data driven methodology to attribute TTPs to APT groups. To better analyse attackers behaviours we developed a tool that utilizes MITRE ATT&CK framework. This tool can be used to better analyse TTPs and attribute to certain APT groups based to data models. Further usage of tool will utilize AI/ML to extract TTPs from non-structured data and use it in attribution models. Analysis tool and methodology will be shared with participants.
-
Patrick Mana is the EUROCONTROL Cyber Security Program Manager and EATM-CERT Manager (European Air Traffic Management Computer Emergency Response Team).
He has spent his entire career working in air traffic management (ATM). He started 35 years ago working with Thales on aviation software development and project/product management. In 1999, he joined EUROCONTROL, where he led the safety assessment activities. In 2008, he moved to the Single European Sky Air Traffic Management Research Joint Undertaking (SESAR JU), where he was the Head of the development framework and SJU Programme Manager for all transverse activities including security for six years.
-
Bahtiar Mustafa - Bahtiar MUSTAFA is cyber security expert at EATM-CERT. He is working in cybersecurity for more than 20 years. Before EATM-CERT he worked for national CERTs, government/military organizations and private sector. He holds several certificate like CISSP, GXPN, CEH, GWEB, PMP and has expertise in cybersecurity areas like red teaming, penetration testing, cyber defence, secure system design, incident response, digital forensics, network security. He is also a part time instructor delivering cybersecurity lectures in universities.
- US
Dealing with Blockchain Technology for Incident Responders (Virtual)
Samuel PerlSamuel Perl (CERT/CC, US)
This talk will seek to first cover the fundamentals of Blockchain technology for Incident Responders and show examples of blockchain based technology projects such as Smart Contracts. Then the talk will cover how to think about approaching incident response activities for blockchain based activity, and to speculate (a little) on how the projects that use this technology may affect the future workload of Incident Responders and Coordination Centers.
Incident Response and Incident Coordination teams have begun seeing an ever increasing share of incidents involving blockchain and cryptocurrency technologies. These types of incidents include Ransomware Payments, Money Laundering, Theft, Financial Transactions for : Criminal Activity, Sanctions Avoidance, and much more. In order to combat illegal activity, and to continue to respond to increasingly financially oriented incidents, these teams will need to develop increasing skill in Blockchain Technology, how it works, and how to approach Incident Response for blockchain related events.
The technology involved in cryptocurrencies (generally P2P networks, PKI, and Hash Functions) will be familiar to many Incident Responders but the ways in which they are being applied such as to create distributed networks, Smart Contracts, NFTs, Governance or Utility tokens, and other coins, and the sizable sums involved may be quite new. IR teams might need to understand blockchain ecosystems, culture, ethos, and activities to deal with current and future incidents. Practices may include: Cryptocurrency Forensics Investigations, Exchange Investigations, Tracking or Recovering Stolen Funds, Frauds, Digital Asset (NFT) Scams, Anonymization Tracking, Client Code Vulnerability Coordination, Smart Contract Vulnerability Coordination, Secure Coding, Bug Bounty Programs and more.
Samuel has been at CERT since 2011 and has performed research in a variety of areas including insider threat, vulnerability assessment, security incident and threat data analysis, threat modeling, information sharing, artificial intelligence, cognitive processes, formal methods, and incident management team development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds a M.S. in Information Security Management from Carnegie Mellon University and a B.S in Information Systems from Carnegie Mellon University. He has also held appointments as an adjunct instructor in the Carnegie Mellon University's Information Systems (IS) program, Heinz College of Information Systems Policy and Management, and in the West Virginia University Honors College. He is also a member of the graduate faculty at the Florida Institute of Technology where he serves as a cybersecurity advisor on thesis and project committees.
- GBTLP:CLEAR
Decoding the Diversity Discussion
Emma JonesEmma Jones (CrowdStrike, GB)
Emma is a multi-disciplinary leader who is passionate about cyber incident readiness and specialises in executive engagements. She unexpectedly embarked upon a cyber security career during her former occupation in national law enforcement. Now, as a Senior Consultant, she has a strong focus on consequence management and works with a variety of organisations to enhance their response readiness.
Emma is a multi-disciplinary leader who is passionate about cyber incident readiness and specialises in executive engagements. She unexpectedly embarked upon a cyber security career during her former occupation in national law enforcement. Now, as a Senior Consultant, she has a strong focus on consequence management and works with a variety of organisations to enhance their response readiness. Emma continues to be deeply committed to fostering inclusion and championing diversity. She has led, advised, and implemented multiple initiatives in both her professional and voluntary positions. Using her personal insights and broad knowledge, she positively advocates for everyday inclusion as a benefit to all.
Undoubtedly, the cyber community is dedicated to increasing diversity and fostering inclusion. However, the conversation can be largely focused on strategic, long-term initiatives. This often leaves individuals within the sector wondering if they play a part, at all, in achieving this industry-wide objective.
This session will reference typical actions carried out during the incident response lifecycle and highlight how responders can practice active inclusion. With a focus on how these behaviours can directly enhance the effectiveness of the response, it will also generate thinking about the small but profound actions which will bring significant and long-lasting benefits to everyone.
- PLTLP:CLEAR
Diamonds are a Forensicator's Best Friend - Intelligence Support for DFIR
Kamil BojarskiKamil Bojarski (Standard Chartered Bank, PL)
CTI is most often understood in the context of detection and prevention actions such as network security monitoring and threat hunting. This is not surprising as incident response activities which analyze the threat actors' activities are a source of CTI generation. Let's however turn the table and look at how intelligence analysis can support DFIR efforts in thwarting defence evasion, decreasing responders’ workload, and leading to more comprehensive remediation of the effects of an incident.
We will look at methods of guiding the response and forensics efforts to extend the scope of investigations. In addition, we will explore how to ensure that eradication of malicious activity from the environment is supported by intelligence on possible further vectors of attack and alternative kill-chains. Given the importance of integrity of incident response data we will also focus on thwarting defense evasion through identification of visibility gaps and analysis of adversarial tradecraft.
The presentation aims to provide CTI and DFIR professionals alike methodology of effective cooperation in terms of intelligence support for ensuring that IR investigation is as comprehensive and effective as possible.
Kamil Bojarski works as a Principal Cyber Threat Intelligence Analyst at QuoIntelligence where he provides tailored intelligence products to customers, informing their decision making and thus reducing risks to organisations. Kamil is also a teaching assistant at SANS Institute where he supports students during FOR578 Cyber Threat Intelligence course, and a member of GIAC Advisory Board. You can read his musings on threat intelligence, OSINT and national security at counterintelligence.pl. His research interests are focused on counterintelligence aspects of information security, activity of eastern APT groups and cross-section of technical and political aspects of cyber operations.
Kamil-Bojarski.pdf
MD5: ea342f771242d86c7d19528f08fe42d8
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.22 Mb
DNS Abuse Techniques Matrix
Peter Lowe
The advice currently takes the form of a matrix indicating whether a specific stakeholder can directly help with a specific technique. By “help”, we mean whether the stakeholder is in a position to detect, mitigate, or prevent the abuse technique. We have organized this information under three spreadsheets covering these incident response actions. For example, during an incident involving DNS cache poisoning, the team can go to the mitigation tab and look at the row for DNS cache poisoning, to find which stakeholders they might be able to contact to help mitigate the incident.
Thanks is given in the document, which is the result of collaboration between many people representing a wide of range roles in the DNS industry.
- USTLP:CLEAR
DNS as Added Security Against Ransomware Attacks
Artsiom HolubArtsiom Holub (Cisco, US)
Artsiom Holub is a Senior Security Analyst on the Cisco Umbrella Threat Intelligence team. Throughout the course of the day, he works on Security Threat Reports for existing and potential clients, finds new threats and attacks by analyzing global DNS data coming from Cisco Umbrella resolvers, and designs tactics to track down and identify malicious actors and domains. Frequent presenter at major cybersecurity conferences including Black Hat, RSA and THEFirst. Currently focused on analysis and research of various cybercrime campaigns, and building defensive mechanisms powered with ML.
Cyber criminals have gotten highly sophisticated in how they attack networks today, but one thing remains the same: Both detection and mitigation start at the DNS layer. In this presentation, Cisco’s Artsiom Holub, senior security research analyst, will explore the fundamentals of modern attacks and discuss the early detection and defensive tactics needed to stop them using DNS-layer security. From tagging domains with specific features to exploring post-exploitation frameworks that use DNS as covert channel for command and control, this comprehensive defense oriented workshop will cover every important angle.
03-DNSSecurity-Holub.pdf
MD5: a9553d66288f7fbf2a2adb3b2193d5b3
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.76 Mb
- NLTLP:CLEAR
EDR Internals From a Defenders Perspective
Olaf HartongOlaf Hartong (FalconForce, NL)
Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He is a Microsoft MVP and specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects. Olaf is the author of various tools including ThreatHunting for Splunk, ATTACKdatamap and Sysmon-modular.
Companies often put a high level of trust on their tools to support them in their quest to protect them from harm. But is that trust warranted? What are the out of the box capabilities and what can be gained from the telemetry that they produce in terms of custom detections.
MDEInternals-FIRST.pdf
MD5: 353f379215f415e4b6d62bb5c05daa28
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.93 Mb
- ILTLP:CLEAR
ELF Malware Analysis 101
Avigayil Mechtinger
Nicole FishbeinAvigayil Mechtinger (Intezer, IL), Nicole Fishbein (Intezer, IL)
Avigayil is a security researcher at Intezer specializing in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms. As part of her ongoing work she has initiated the ELF Malware Analysis 101 series, to make ELF analysis approachable for beginners. Prior to joining Intezer, Avigayil was a cyber analyst in Check Point's mobile threat detection group.
Nicole Fishbein is a security researcher and malware analyst. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to discovery of phishing campaigns, undetected malware and attacks on Linux-based cloud environments.
With the industry's migration to cloud, Linux is practically everywhere, encouraging attackers to target this operating system aggressively in recent years. Researchers have disclosed different malware families, including highly sophisticated ELF malware, proving attackers are increasingly adding Linux malware to their arsenal. As Linux continues to gain popularity, more threats are expected to be exposed over time. It's critical that security researchers have the ability to analyze and understand Linux malware as part of their evolving skillset. This hands-on workshop will provide practical knowledge and tools for effective ELF malware analysis. Attendees will gain a better understanding of the ELF format and learn how to analyze ELF files using static and dynamic methods.This workshop is most suitable for attendees with a basic understanding of malware analysis and some technical background. Attendees must have a Linux-based virtual machine where they can run malware.
In order to gain the maximum from the workshop, attendees should prepare:
1.) Ubuntu 64 bit based Virtual machine (preferable) or Docker with access to the internet. For those who use Docker - use the docker image from the workshop's git repository at: https://github.com/intezer/ELF-Malware-Analysis-101/blob/master/workshop/dockerfile (the image has all of the tools)
2.) Tools that should be installed on the Virtual Machine/docker : tcpdump (or Wireshark), upx, strace, elfutils, gcc, git
3.) Pull the ELF Malware Analysis 101 repository from: https://github.com/intezer/ELF-Malware-Analysis-101
- USTLP:CLEAR
Endorsing the New Rules
Sherif HashemSherif Hashem (George Mason University, US)
Dr. Sherif Hashem is a Professor of Information Sciences and Technology at George Mason-USA. He is a member of the Board of Directors of FIRST, a Senior IEEE member and an ISACA Certified Information Security Manager. Dr Hashem was a member of the UN Group of Government Experts (UN GGE) on the Developments In The Field Of Information And Telecommunications In The Context Of International Security, (2012-13). Dr. Hashem led key national cybersecurity efforts in Egypt, especially establishing EG-CERT (2009). In 2015, Dr Hashem became the Chairman of the Executive Bureau of Egypt's Supreme Cybersecurity Council (ESCC), and led efforts to draft Egypt's first National Cybersecurity Strategy. Successful initiatives led by Dr. Hashem contributed to Egypt's advanced cybersecurity rank: 14th among 194 countries, as reported by the ITU in 2017. Dr. Hashem received a B.Sc. in Communication and Electronic Engineering and a M.Sc. in Engineering Mathematics from Cairo University-Egypt, and a Ph.D. in Industrial Engineering from Purdue University-USA. He completed the Senior Executive Program at Harvard Business School-USA. He received several awards including: the Global Bangemann Challenge Award from the King of Sweden (1999).
In this talk, we will discuss recent efforts towards the creation of internationally recognized rules for a safer and more secure and stable cyber space, with a special focus on the United Nations efforts in view of the reports of both: 1) the Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security; and 2) the Open-Ended Working Group (UN OEWG). The remarkable process of developing the recent reports and their endorsement by consensus, has been a significant highlight of cyber diplomacy in 2021.
We here discuss the outcomes of the UN-GGE and UN OEWG reports and focus on the relevance of those reports to the FIRST community. We summarize the key issues that may affect the Incident Response teams. We emphasize the opportunities for vital roles that FIRST.org and its membership can play to further support the process of implementing the new rules, towards a safer and more secure cyber space.
- ES CHTLP:CLEAR
Enhancing CTI Processes with Code Search Technology
Carlos Rubio
Jonas WagnerCarlos Rubio (Threatray, ES), Jonas Wagner (Threatray, CH)
Many types of IOCs are searchable and a range of technologies exist to do so. Its benefits are to support rapid incident response, confirm or exclude breaches, detection and identification of attacks, amongst others.
The types of IOCs that are searchable are usually textual data, like application logs, network/host indicators, file hashes.
In this talk we are going to explore the question of: what if binary code is a searchable IOC?
We will present use cases where code search technologies enhances existing CTI processes and makes entirely new ones possible.
More concretely, we will show how code search technology can:
- Increase detection and identification resilience by focusing on fine-grained code similarities of changing malware threats
- Given a binary file, hunt through millions of binaries for similar files, as you would with log lines, IPs, hashes, etc.
- Track the evolution of malware families at large scale and identify changes over time in an automated manner
- Provide contextual information by uncovering relations between unknown binary files and known binaries files from intelligence sources
We will support all of these use cases with research on recent threats and their evolution to show the real-world applicability of code search technology.
Carlos Rubio is a malware researcher at Threatray, where he is mainly responsible for reverse engineering malware to automate the detection process of new threats. In addition to researching new applications for code reuse technology that can help in different areas such as threat hunting, incident response, tracking the evolution of malware families, among others. He previously worked on reverse-engineering malware at Blueliv, S21sec Counter Threat Intelligence Unit and in the Panda Security Adaptive Defense team. He has previously spoken at Botconf (2022, 2019), Virus Bulletin localhost 2020, as well as many closed-door private conferences.
Jonas Wagner is the co-founder and CTO of Threatray and has built the technological foundation of its code search engine based on years of research and development. He holds a Masters Degree in Cybersecurity from the Bern University of Applied Sciences. He has previously spoken at BSides Zürich (2019), DFRWS (2017) and many private events.
- US GBTLP:CLEAR
Enhancing Operations Through the Tracking of Interactive Linux-based Intrusion Campaigns
Justin Swisher
Ami HolestonJustin Swisher (CrowdStrike, US), Ami Holeston (CrowdStrike, GB)
Justin Swisher has over a decade of experience in cybersecurity, including network security monitoring, endpoint threat hunting, and threat intelligence. Justin started his career as an Intelligence Analyst with the US Air Force, reporting on adversary C4ISR networks and malware operations aimed at air and space systems. After leaving the intelligence community, Justin brought his government experience to several cybersecurity vendors, supporting customers' development of threat intelligence programs. He currently works as a Senior Security Researcher with the CrowdStrike OverWatch team.
Ami Holeston is a Tactical Intelligence Researcher helping to track adversary tradecraft and trends as part of the CrowdStrike OverWatch team. She has five plus years experience in threat-intelligence led incident response and threat hunting against both nation state and eCrime adversaries. She is also a CREST registered Threat Intelligence analyst, who has produced and supported the creation of intelligence products across a range of industry verticals.
This presentation will give attendees an understanding of adversary trends in the Linux space, empowering them to build proactive hunting capabilities specifically targeted towards Linux operating systems. Hear from our full-time threat hunters on how they see today's sophisticated adversaries conduct hands-on attacks on Linux operating systems. Learn how systematic hunting methodologies like SEARCH, and established adversary behavior frameworks such as MITRE ATT&CK are foundational to comprehensive day-to-day hunting operations.
- GRTLP: GREEN
EU Cyber Crisis Management - How to Help with Maturity?
Andrea DufkovaAndrea Dufkova (ENISA, GR)
Ms Andrea Dufkova is a senior cyber security expert in the Operational Cooperation Unit at ENISA. She joined ENISA in 2008 and since than she supports development of CSIRT teams and Incident Response capabilities in Europe. Between 2017 and 2020, she lead a dedicated team of cyber security professionals at ENISA with focus on operational security, EU CSIRTs Network secretariat, technical trainings, CSIRT development and maturity. Among all the activity portfolio, the Reference Incident Classification Taxonomy (RSIT WG) and CSIRT maturity framework are some of examples of successful projects that are being currently run on EU scale. Before joining ENISA Andrea was a member of the military CIRC in the Czech Republic. Andrea joined TF-CSIRT in 2009 and is listed as TI Associate since 2017. She holds FIRST liaison status since 2011 and served in Board of Directors in 2019-2020. Andrea is also SIM3 certified auditor for assessing maturity of CSIRTs.
Despite the importance of effectively preparing and responding to large scale cyber incidents or crises, there is no currently available cyber crisis management maturity framework that allows an assessment or evaluation of the maturity of EU institutions, bodies and agencies (EUIBA) participating in the execution of its function during different stages of the EU cyber crisis management phases. ENISA aims to lay out the key elements of the proposed maturity model for EU cyber crisis management stakeholders which are involved at the technical and operational level of the <2017 Blueprint>.
- BR
Every Attitude Matters: Good Safety Behaviors Generate Rewards (Virtual)
Leticia Freitas (Globo Comunicação e Participações S.A, BR) (BR)
When a media company positions itself as a "mediatech", its exposure also increases, driving a change in security culture. In this session, the guests will get to know the awareness campaign "Every attitude matters" from the largest Latin American company in its market (Globo): conception, actions and formats used; furthermore, one support plan - a rewards program. The rewards program generates "points" based on positive behaviors: reporting incidents and piracy, participating in workshops, webinars… As well as the loss of points in phishing simulations, building weak passwords or other risks behaviors.
Leticia has been working in Information Security area for 8 years, focused on governance and awareness. She has knowledge of standards, controls and information security frameworks. At Globo Comunicação e Participações S.A, she is a technical leader in the Security Awareness Team, working on actions to improve the security culture. Leticia also supports strategies and security projects. She is a content creation volunteer at Womcy (LATAM Women in Cybersecurity).
- CHTLP: GREEN
FIRST Financial & Business Review
Michael Hausding (SWITCH, CH)
FIRST.Org Inc. is recognized by the US IRS as a not-for-profit, 501(c)(3) organization.
FIRST is incorporated in North Carolina, USA.
The exempt purposes set forth in section 501(c)(3) are charitable, religious, educational, scientific, literary, testing for public safety, fostering national or international amateur sports competition, and preventing cruelty to children or animals.
- TLP:CLEAR
FIRST SIG Updates
Attending SIG chairs will share brief updates on their SIG. Participating SIGs include:
CVSS SIG Update – presented by Dave Dugal
CTI SIG Update – presented by Rick Adrian
Academic Security SIG Update – presented by Nina Solha and Roderick Mooi
Metrics SIG Update – presented by Mark Zajicek
Malware Analysis SIG Update – presented by Andreas Mühlemann and Olivier Caleff
Ethics SIG Update – presented by Jeroen van der Hamm
IEP SIG Update – presented by Merike Kaeo
Vul Co and VDRX SIG Updates – presented by Art Manion
Automation SIG Update – presented by Aaron Kaplan
Passive DNS SIG Update – presented by Aaron Kaplan
Sec Lounge SIG Update – presented by David Durvaux
TLP-SIG Update – presented by Tom Millar
The following SIGs have provided recorded updates which will be available in app: EPSS SIG and WoF SIG.
70_AutomationSIG.pdf
MD5: 66676ec0ead56190f6eba97ad9e41812
Format: application/pdf
Last Update: June 7th, 2024
Size: 162.95 Kb
AcademicSecuritySIG.pdf
MD5: d7a85b980ff1fade240a90b97de2a10a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.07 Mb
CTISIG.pdf
MD5: 2eb1e9f6c87d80f93600509e9052a1f6
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.64 Mb
CVSSSIG.pdf
MD5: ee4a2ece8bfe92082912b0759f00aa00
Format: application/pdf
Last Update: June 7th, 2024
Size: 817.65 Kb
IEPSIG.pdf
MD5: e251c996ac90cf60198cafdbc7fc77d1
Format: application/pdf
Last Update: June 7th, 2024
Size: 390.64 Kb
MalwareAnalysisSIG.pdf
MD5: 5ababef5b7bd4697aef16999f46557ba
Format: application/pdf
Last Update: June 7th, 2024
Size: 230.54 Kb
MetricsSIG.pdf
MD5: 732e7f60c6c7c3fd7345c0d4b2f3a8d3
Format: application/pdf
Last Update: June 7th, 2024
Size: 496.13 Kb
MSRSIG.pdf
MD5: 98d31f2cda84c11c8bdff5e46d17ca39
Format: application/pdf
Last Update: June 7th, 2024
Size: 333.58 Kb
PassiveDNS.pdf
MD5: ad29aa3568bd68a94a5dbf255f6b2717
Format: application/pdf
Last Update: June 7th, 2024
Size: 234.13 Kb
- MX
FLOOD DDoS en Servicios Globales (presented in Spanish)
Jorge VarelaJorge Varela (Truxgo, MX)
Las direcciones IP normalmente utilizadas por Botnets para realizar un ataque DDoS actualmente carecen de una sintomatología de detección previa, ya que no tienen historial negativo, no están en blacklist y no están reportadas en alguna otra plataforma de detección, esto solo deja a las organizaciones mitigar y analizar peticiones confusas que se pueden convertir en falsos positivos.
Se presentarán de 2 diversos casos de Flood DDoS; HTTPS y UDP
En cada caso se presentará una situación muy peculiar que sucede en los servicios que requieren tener un puerto abierto en especifico, dejando la opción de bloquear el puerto atacado como no válida, en este tipo de ataques DDoS mitigar las direcciones IP por tráfico enviado o por número de conexiones tampoco son una opción, ya que el Flood es muy avanzado.
También se hablará del comportamiento, alcance, motivo del ataque, direcciones IP utilizadas por los botnets, afectación que realizó en el momento del ataque, mitigación y solución.
Jorge Varela - Desarrollador empresario mexicano, socio fundador y CEO de Truxgo con más de 10 años de experiencia en programación. Implementó la mayor parte de las bases estructurales de Truxgo para su funcionamiento y creó el proyecto de ciberseguridad CERT TRUXGO desde su formación hasta obtener el nombramiento ante Carnegie Mellon University. Actualmente dirige Truxgo en las relaciones de negocios, estableciendo y formando un Internet Exchange Point (IXP), búsqueda y desarrollo de peering, políticas de ruteo, implementación a MANRS, soluciones avanzadas de IPv4-IPv6, así como la creación de nuevas tecnologías y soluciones de ciberseguridad.
- FI
Flubot - Pandemic in Our Pockets
Juho JauhiainenJuho Jauhiainen (Accenture, FI)
Flubot banking malware has been tormenting Android users phones in the past year. In fall 2021, Flubot adopted DNS over HTTPS C2 infrastructure and hit Finland and some other countries very hard. This technical presentation will go through how Flubot works, what capabilities the current version of the malware has, and how we can fight it!
- Juho Jauhiainen - is currently working for Accenture as a Lead Security Incident Investigator. In addition to his current position, he has DFIR and malware analysis experience from various private and public sector organizations, like The National Cyber Security Centre Finland (NCSC-FI). In his freetime, he co-hosts Finnish podcast Turvakäräjät, runs Helsinki security meetup group HelSec, and teaches forensics at National Defence Training Association of Finland. Juho is CISSP, GCFA, GMON, GREM and OSCP certified.
- IL IETLP:CLEAR
Follow the Dynamite: Commemorating TeamTNT's Cloud Attacks
Nicole Fishbein
Joakim KennedyNicole Fishbein (Intezer, IL), Joakim Kennedy (Intezer, IE)
Nicole Fishbein is a security researcher and malware analyst. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to discovery of phishing campaigns, undetected malware and attacks on Linux-based cloud environments.
Dr. Joakim Kennedy is a Security Researcher for Intezer. On a daily basis he analyzes malware, tracks threat actors, and solves security problems. His work is mainly focused on threats that target Linux systems and Cloud environments. Dr. Kennedy began in the industry as a security researcher at Rapid7 where he got his start in vulnerability research. Following his time with Rapid7, he joined Anomali. While there, he managed Anomali's Threat Research Team, where they focused on creating threat intelligence. Dr. Kennedy has been a featured speaker at multiple BSides and at the CCB's Quarterly Cyber Threat Report Event. He has also presented at various other industry events. For the last few years, Dr. Kennedy has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.
Cloud computing is growing swiftly and misconfigured cloud services can be low-hanging fruit for an attacker. Misconfigured cloud services are swiftly compromised by threat actors, recent studies found that 80% of honeypots were infected within a day and all the honeypots within seven days. Most of these misconfigurations are exploited to engage in cryptojacking, with TeamTNT being one of the most active threat actors in this field. TeamTNT is a well known threat actor group that systematically targets Linux servers and also compromises Kubernetes clusters and servers running Docker. This presentation will cover the evolution of TeamTNT's activity, including TTPs throughout the various campaigns and services they targeted, such as Redis and Windows servers. The scripts and tools used in each of their campaigns will be presented, along with TeamTNT's uniqueness when it comes to targeting cloud and ways you can identify their tools in your environment.
- AUTLP:CLEAR
Forensics and Malware Analysis in Linux Environments
Vishal Thakur
John LopesVishal Thakur (Ankura, AU), John Lopes (Ankura, AU)
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specialising in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. Vishal regularly conducts training sessions and presents research at international security conferences. Vishal also regularly publishes his research; some of the links have been included in this document. Other research teams have used Vishal's publications to carry out further work in malware analysis. Vishal is currently Director of DFIR at Ankura Consulting. Before joining Ankura, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Center with advanced threat analysis and developing DFIR tools. Vishal has also worked as a member of the CSIRT at the Commonwealth Bank of Australia and in the consulting industry in the past.
John is a passionate information security professional with specialist knowledge in digital forensics and incident response (DFIR), cyber threat intelligence and offensive security practices. He has over 20 years industry experience with a proven ability to help organisations defend and protect against cyber threats. John is a member of Institute of Electronic and Electrical Engineers (IEEE), International Information System Security Certification Consortium Inc. (ISC2) and a member of the Information Systems Audit and Control Association (ISACA). He also provides pro-bono information security consulting for one of Australia's largest not-for-profit organisations. John Lopes is currently Director of DFIR at Ankura Consulting. Before joining Ankura, John was a part of the Global Incident Response Team at Salesforce, Cyber Security Manager at Insurance Australia Group, Macquarie Bank and BAE Systems Australia.
This workshop teaches students Linux-based digital forensics and malware reverse engineering techniques used in responding to real-world incidents. The instructors are incident response Directors in Ankura Consulting's DFIR team and will go through techniques, tools and analysis steps involved in responding to a security incident in Linux environments and how to analyse malware that targets Linux systems. The workshop relies heavily on "hands-on" labs to teach the practical skills of how to set-up and use the tools and techniques necessary to get started performing incident response on Linux-based systems. It covers Linux memory forensics, all the way to conducting reverse engineering of Linux-based malware. The labs will utilise systems and digital artefacts based on a simulated security incident.
Pre_Workshop_Lab.pdf
MD5: 14a879aee09c3fbc41f3329cb5c623b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 214.39 Kb
- USTLP:CLEAR
Joe SlowikJoe Slowik (Gigamon, US)
Joe Slowik has over 10 years experience in various roles within information security, spanning offensive and defensive perspectives. Following several years in the US Navy, Joe led the incident response team at Los Alamos National Laboratory, where he integrated threat intelligence perspectives into operational defense to improve defensive outcomes. After this period, Joe researched ICS threats for several years at Dragos and conducted wide-ranging intelligence analysis for DomainTools. Currently, Joe leads threat intelligence and detection engineering functions for Gigamon where he is able to apply insights into the threat landscape directly to customer-facing applications.
Consultants and marketing departments refer to "threat hunting" as a desired position for network defenders. By adopting this mindset, defenders can take a an active role pursuing intrusions. Yet precise methodologies for threat hunting are hard to come by, making the concept something amorphous. In this discussion, we will explore a methodology to standardize the threat hunting process, using an intelligence-driven, adversary-aware approach to drive investigation. This discussion will reveal a series of concrete steps or operational techniques that defenders can leverage to produce a measurable, repeatable, sustainable hunting process. To illustrate the concept, we will also look at several recent examples of malicious activity where an intelligence-driven hunting process allows defenders to defeat fundamental aspects of adversary tradecraft. Audiences will emerge with a roadmap for building a robust threat hunting program to improve the defensive posture of their organizations.
FIRST2022_Slowik_6.pdf
MD5: c1cbc14a313f15abebfaef2e4dd51e18
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.81 Mb
- SK
Milan KyselicaMilan Kyselica (IstroCSIRT , SK)
In detail look at how fuzzing research was carried out against one of Microsoft's products. Why we were able to identify multiple critical risk issues that other researchers had overlooked. Takeaways and lessons learned.
- Milan Kyselica - Milan works as a lead penetration tester and currently serves as Head of Offensive security in IstroSec. He focuses on red teaming, social engineering and application testing. Previously he worked as penetration tester in CSIRT.SK and then as Head of offensive department in a private company.
He is also interested in Bug Bounty and Responsible Disclosure where he found multiple CVEs in Web Applications, Mobile Applications, IoT systems and automotive. Milan Currently held multiple certifications such as GIAC Cloud Penetration Tester (GCPN), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), Certified Red Team Professional (CRTP) and Certified Red Team Expert (CRTE).
- BRTLP:CLEAR
How I Handled One of the Biggest Banking Fraud Incidents of 2020 - The Importance of CSIRT and Going Further in Threat Investigations
Daniel Oliveira De Lima
Thales CyrinoDaniel Oliveira De Lima (NTT, BR), Thales Cyrino (NTT Ltd Brazil, BR)
Daniel Lima holds a bachelor's degree in Technology Management, has been working in the Information Security area for over 9 years, and is a specialist in Incident Response and Encryption. Currently SOC manager for at least 4 years.
Thales Cyrino is the Cybersecurity Sales Director for NTT Ltd Brazil. He is a member of Cisco Secure Partner Advisory Council and has more than 20 years of experience in IT and Cybersecurity. The last 4 years his work has been focused on cybersecurity and developing cybersecurity business at LATAM market. He understands the customers' challenges and aims to offer the best solution to solve them. Thales works creating a cybersecurity go-to-market strategy and specific offers to LATAM market.
Thales Cyrino is the Cybersecurity Sales Director for NTT Ltd Brazil. He is a member of Cisco Secure Partner Advisory Council and has more than 20 years of experience in IT and Cybersecurity. The last 4 years his work has been focused on cybersecurity and developing cybersecurity business at LATAM market. He understands the customers' challenges and aims to offer the best solution to solve them. Thales works creating a cybersecurity go-to-market strategy and specific offers to LATAM market. Thales received a certificate in data processing from Unicamp, a BS in business administration from Anhembi Morumbi, and an MBA in Marketing from FGV.
Through a real use case, I'm sharing how the incident response team was able to identify and contain one of the biggest gangs that operated defrauding financial institutions through a combination of attacks.
- NLTLP:CLEAR
How to Create Effective Structured Intelligence Extensions for TIPs
Peter FergusonPeter Ferguson (EclecticIQ, NL)
As the amount of data observed and shared by the security community and industry increases the ability to effectively manage and leverage this data has become more difficult. Both the community and private industry have attempted to solve these problems. Multiple Threat Intelligence Platforms (TIPs) have become available, both open-source and paid. The platforms provide a centralised place where data can be normalised, searched, enriched, analysed, and disseminated. Open-source frameworks designed to standardize the sharing of threat information such as STIX having also come out. These look to solve the problem of each system or source using their own data model, requiring custom transformation and normalisation to be able to use with the teams existing dataset. Although STIX has added a lot to the CTI community, platforms and sources still heavily use their own data models requiring teams to create custom data feeds or extensions.
This paper will dive into the key concepts of creating effective structured intelligence extensions for ingesting data into TIPs and the lessons learned from multiple years of designing open source and vendor extensions for a commercial threat intelligence platform.
Peter Ferguson is currently a Cyber Threat Intelligence Specialist at EclecticIQ, working within their threat research team to deliver intelligence products. Peter started his career in security operations but moved into cyber threat intelligence designing extensions for the EclecticIQ Intelligence Centre. Peter has extensive experience designing and incorporating structured intelligence extensions for threat intelligence platforms. He currently holds a bachelor’s degree in Cybersecurity and Computer Forensics with Business from Kingston University.
Peter-Ferguson.pdf
MD5: 49409ee372239c59320bfcf285433150
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.63 Mb
- CZTLP:GREEN
How to Develop Priority Intelligence Requirements for YOUR Organization
Ondrej RojčíkOndrej Rojčík (Red Hat, CZ)
The number of requests for the internal CTI team of any organization can be overwhelming. We need to prioritize. Most good guides on “How to set up a CTI program” have a paragraph or two on the importance of Priority Intelligence Requirements (PIRs) that should do the job. Unfortunately, these guides and established (military) intelligence processes are not readily transferable to the cyber realm. To find the right process that fits YOUR organization is crucial. Most of the existing processes for establishing PIRs focus heavily on threat actors. When considering these approaches, we soon realized that this is not enough and we need to take into account the specificities of our organization's environment. We considered the strategy, values, and other intangible aspects of the organization and mapped them to supporting assets. At the same time we used the more traditional approach and assessed the potential threat actors targeting Red Hat. As a next step, we mapped them to our strategy and supporting assets. The presentation will introduce the whole process, do a walk through the individual steps of developing the PIRs, discuss the challenges that come with it and suggest ways to integrate the PIRs into the CTI lifecycle.
Ondrej Rojčík is a Senior Threat Intelligence Analyst at Red Hat CTI team. He is responsible for providing strategic perspective to the threat intelligence program and its analytical production. Previously he worked for the Czech National Cyber and Information Security Agency (NUKIB) as a Deputy-Director of Department and Head of the Strategic Analysis Unit which he co-founded."
Ondra-Rojcik.pdf
MD5: 7105f5d331912c533938ab15a7eef3dd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.18 Mb
- USTLP:CLEAR
How to Talk to a Board so the Board Will Talk Back
Helen PattonHelen Patton (Cisco, US)
Helen Patton is an Advisory CISO at Cisco. Previously she spent eight years as the CISO at The Ohio State University and before joining Ohio State she spent ten years in risk and resiliency at JPMorganChase. Helen has a Master's Degree in Public Policy and has earned various industry certifications. She serves on multiple boards and is a faculty member for the Digital Director's Network, and the Educause Leadership Institute. Helen advocates for more naps and is anti-bagpipes. She is the author of "Navigating the Cybersecurity Career Path".
There is a disconnect between people who run security programs, and board members whose job it is to oversee the security of an organization. On the one hand, most security leaders are unaware of how boards work, and how to present information using the language of boards. On the other hand, board members don't understand security, or the systemic risks of technology. It's like people lobbing tennis balls at one another, but from the ends of different tennis courts. Both have a responsibility to engage, but neither really understands how to make that work. In this session, we will talk about what boards care about, and how to present security information to them. We will suggest ways to help security people foster productive board engagement in their security program. Attendees will receive ideas and resources to help them take action upon leaving the talk.
- ES
Hunting for log4shell Compromises
José Ángel García GuijarroJosé Ángel García Guijarro (SIA CERT, ES)
The revelation on December 9th of the CVE-2021-44228 Apache log4j vulnerability (log4shell) has heavily impacted IT-teams worldwide, due to how widespread the library is, how easy is to exploit the vulnerability and the fact that public exploits where available. However, the main problem for some organizations is the fact that the exploits may have been used as early as December 1st as a 0-Day exploit by state or criminal actors.
As a result of these concerns, SIA IRT team conducted two compromise assessments in different organizations, requiring tailored approaches for each one. For this task we had to developed a custom approach that involved close collaboration with the onsite security and networking staff in order to overcome the challenges of detecting a compromise in the entire organization.
This presentation intends to provide an adequate representation of the issues and solutions adopted in order to scale up the retroactive detection of a successful log4shell exploitation using the tools available on each organization and how to overcome previously undetected monitoring gaps.
- José Ángel García Guijarro - Jose Angel has been working in cybersecurity since 2013 as part of CERT for entities in the financial, health and energy sectors as malware analyst and senior incident responder. Also, since 2021 as a certified forensic specialist. In his duties he has collaborated in efforts oriented towards protecting critical infrastructure collaborating with Incibe, CCN-CERT and EDA.
Currently working as part of a multidisciplinary incident response team within SIA CERT (ES), helping organizations to respond and to prepare for cybersecurity incidents. Our competencies range from forensic analysis, creation of policies and procedures for incident response, compromise assessment, design training exercises to evaluate readiness of our partners. During the last two years SIA CERT (ES) has acquired extensive experience responding to company-wide incidents involving ransomware and data breaches.
- USTLP:CLEAR
Improving Sector Based Incident Response: A New Framework for Developing Sector CSIRTs and Integrating with National Cybersecurity Ecosystems
Justin NovakJustin Novak (CERT/CC, US)
Justin Novak is a Senior Security Operations Researcher at the CERT Division of the Software Engineering Institute, a Federally Funded Research and Development Center hosted at Carnegie Mellon University. At the SEI, he is involved in research on the operation of CSIRTs, Sector CSIRTs, and Security Operations Centers, focusing on incident response and incident management. Prior to the SEI, Justin worked in a variety of government roles, including with the federal government at the Department of Defense, and in state government. Justin holds a bachelor’s degree in Physics from the University of Pittsburgh, a master’s degree in Security Studies from the University of Pittsburgh, and a PhD in Public Policy from George Mason University. Justin is an active member of the FIRST community and serves on the FIRST membership committee.
The development of computer security incident response teams (CSIRTs) has followed a trend of growth and increased specialization, including the establishment of sector CSIRTs responsible for facilitating incident response and management for a particular sector of a country or economy. Yet little guidance exists to enable public and private sector stakeholders to come together to address the challenges that are unique to the organizations in a particular sector.
The Sector CSIRT Framework provides guidance to interested parties for (1) developing a sector-based computer security incident response and coordination capability and (2) integrating this capability into a larger, national cybersecurity ecosystem.
- GBTLP:CLEAR
Incident Response Investigations in the Age of the Cloud
Mehmet SurmeliMehmet Surmeli (WithSecure Limited, GB)
Mehmet Surmeli is a Senior Incident Response Consultant at WithSecure™, a research-led cyber security consultancy.
Mehmet initially started his cyber security career in the telecommunications industry as an incident responder, specialising in forensic investigations and malware reverse engineering. Since joining WithSecure™, he has undertaken several research projects including a Linux Triage Collection project called “Linux CatScale” and Microsoft Azure and M365 Investigation scripts. He has led multiple major investigations at multi-national organizations involving advanced threat actors. Mehmet has also authored several blog posts on WithSecure’s website and Labs portal, and has presented at CRESTCon UK 2021.
With the increase in organisations transitioning to the cloud and making more use of SaaS and Container technology, attackers have had to adapt their techniques. How have organisations and incident responders had to adapt to the changing landscape? The talk will cover the trends WithSecure's blue team has observed in cloud-centric attacks affecting multinational organisations, as well as provide insight into the tools and techniques used for cloud forensic investigations.
- US AE
Inside the Hive. Deep Dive into Hive RaaS, Analysis of Latest Samples (Virtual)
Jesper Jurcenoks
Svetlana OstrovskayaJesper Jurcenoks (Group-IB, US), Svetlana Ostrovskaya (Group-IB, AE)
The Hive Ransomware-as-a-Service (RaaS) is aggressively expanding its operations, and has targeted hundreds of organizations since its first appearance in June.
Threat analysts determined that as of mid-October, 355 companies had fallen victim to the ransomware as a service (RaaS) operation, which was first detected in June. From September to October, the number of victims grew by 72%, from 181 organizations to 312. Group-IB analysts attributed the "main factors of the rise of the ransomware empire" to the use of double-extortion tactics and data leak sites (DLS), as well as the "active development of the RaaS program market," both of which apply to Hive. The efforts made by the developers of Hive indicate that they are planning to take this threat further. Moreover, the accelerated growth of the RaaS-based model—and threat actors’ new franchise model within—is a further indication of a maturing enterprise-like business.
-
Jesper Jurcenoks - First XOR Encryption in 1983, first reverse engineering of a Virus in 1988, Programmer, Network Admin, Systems integrator, ISP (1995-2001), DIFO/DK-Hostmaster Board (~2000-01), Discovered 27 CVE (2006-2007), SC Magazine innovator of the Year (2010), FIRST CVSS SIG. Founder of Several CyberSecurity companies. Country Manager for Alert Logic Colombia - Cali (2019-2020), Head of CyberSecurity Division for Group-IB (2021- )
-
Svetlana Ostrovskaya is a Principal DFIR Analyst at Group-IB. Besides active involvement in incident response engagements, Svetlana has co-authored articles on information security and computer forensics as well as a book dedicated to practical memory forensics.
- PL USTLP:CLEAR
Internet Spelunking: IPv6 Scanning and Device Fingerprinting
Piotr Kijewski
Dave De CosterPiotr Kijewski (The Shadowserver Foundation, PL), Dave De Coster (The Shadowserver Foundation, US)
Piotr makes things happen as the Shadowserver Foundation CEO, and also coordinates large-scale data collection, analysis projects, and Shadowserver's CSIRT relationships. He has a strong CSIRT background, working at NASK in Poland for 14 years at the CERT Polska (CERT.PL) team. He was the Head of the CERT Polska team from 2010 - 2016, where he expanded the sensor projects, malware analysis and malware disruption capability. Piotr's interests include threat intelligence, incident response, honeypot technologies (he is a member and ex-Director of the Honeynet Project) as well as botnets/malware networks (which he likes to disrupt).
Dave De Coster is the Internet Spelunker for The Shadowserver Foundation and has been involved in internet security for over 20 years. When he is not scanning the internet, you can find him doing things not online.
Ever wonder what it takes to scan the entire IPv4 Internet dozens of times a day and get that data (for free) into the hands of people that need it? This talk will discuss how Shadowserver scans the Internet many dozens of times per day (68 different protocols and constantly increasing) and how our scanning cluster operates. We will explain the rationale behind our scanning decisions. We will also go into recent developments: how we have recently started to expand into the realm of IPv6 scanning, and the huge challenges faced there due to the seemingly near infinite address space. We will show how our scanning benefits the Internet defender community, and how we additionally began to use it to fingerprint remote devices at scale by type/vendor/model, enabling defenders to better understand their exposed attack surface. The presentation will also include snapshots of our scanning and device identification results.
- KR
Introduction of Cybersecurity AI Dataset
Jeong Min LeeJeong Min Lee (Korea Internet and Security Agency, KR)
Explanation of the datasets required for AI technique development in the cybersecurity area established by Korea Internet and Security Agency (KISA), such as purpose, progress, results and future direction of establishment. Sharing 8 Best Practices of verifications using Cybersecurity AI Datasets, cooperated with Private/Public Cybersecurity Organizations.
Jeong Min Lee has a main interesting field of Data-Driven Cyber Security using AI Bigdata analysis. He has received his doctoral degree in Computer Science and Engineering from Inha University in Korea.
Jeong_Min-Lee.pdf
MD5: 0a0d173cea69b0219aa3a38451d529fe
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.03 Mb
- JP
Introduction of SIM3 Training in Japan
Seiichi Komura
Yoshiki SugiuraSeiichi Komura (Chair of SIM3 Promotion Committee, Nippon CSIRT Association, JP), Yoshiki Sugiura (JP)
SIM3, developed by the OCF, is a CSIRT maturity model consisting of items to be organized and implemented to manage a CSIRT and their maturity levels. It is widely used mainly in the European CSIRT community and has been used as a condition for FIRST membership since 2022. It is also used by Japanese CSIRT community to understand and improve the status of their teams. They have developed and utilized documents for evaluation and their own training.
In this presentation, an overview of SIM3 and its structure will be introduced, followed by examples of use in several CSIRT communities and in Japan. SIM3 is generic so that it can be used by various CSIRTs. By explaining the SIM3 concept and supplementing it with examples, it will be easier to use on building and improving CSIRTs. We have facilitated the spread of SIM3 by developing documents and training that provide examples of descriptions, the concept of level assessment and improvement methods for each item. We will also introduce examples of application in Japan, documents and training for self-checking in SIM3, together with an overview of OCF training.The training we developed to expand the use of SIM3 in Japan introduces SIM3 items with explanations and examples of descriptions, and is designed to make it easy to understand the SIM3 concept. We have also tried to make it possible to discuss the differences and benefits of each level. This section focuses on the content of these areas.
Seiichi "Ich" Komura, Certified SIM3 Auditor, is a Senior manager of NTT Advanced technology corporation, works as a POC of internal CSIRT, a consultant on building and improving CSIRT, and a trainer of information security. He is a lecturer of Tokyo Denki University. He is the leader of CSIRT evaluation maturity model WG of Nippon CSIRT Association(NCA).
Yoshiki Sugiura has 24-year experience on CSIRTs. He used to be a member of JPCERT/CC since 1998. He works for two CSIRTs, IL-CSIRT and NTT-CERT now. He is also a board member of Nippon CSIRT Association. On SIM3 he is a certified trainer and auditor. He is a specialist in management of CSIRT.
- USTLP:CLEAR
It's Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK
Lindsay Kaye
Scott SmallLindsay Kaye (Recorded Future, US), Scott Small (Recorded Future, US)
Lindsay Kaye (Recorded Future, US)
Lindsay Kaye is the Senior Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay's technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
Scott Small (Major retailer, US)
Scott Small is a security & intelligence practitioner and expert in open source research, investigations, and analysis. He is currently a senior analyst supporting adversary emulation and threat modeling efforts at a major U.S. retailer. Scott’s prior roles focused on advising clients on technical and strategic applications of intelligence and using technology to help identify and mitigate supply chain and cyber risk. His favorite ATT&CK technique is T1027.
Many organizations ask: "Where do I start, and where do I go next" when prioritizing behavior-based detections. We often hear "use threat intelligence!", but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then show how defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection. Alignment of intelligence and defenses enables defenders to move the focus of detection to malicious activity before the final payload is deployed, where controls are most effective at preventing serious damage to an organization.
- GBTLP:CLEAR
Keynote: Cybersecurity's Image Problem and What We Can All Do About It
Dr. Victoria BainesDr. Victoria Baines (Bournemouth University, GB)
Victoria Baines frequently contributes to major broadcast media outlets on digital ethics, cybercrime and the misuse of emerging technologies. Her areas of research include electronic surveillance, cybercrime futures, and the politics of security. She also provides research expertise to a number of international organisations.
Victoria Baines frequently contributes to major broadcast media outlets on digital ethics, cybercrime and the misuse of emerging technologies. Her areas of research include electronic surveillance, cybercrime futures, and the politics of security. She also provides research expertise to a number of international organisations.For several years Victoria was Facebook’s Trust & Safety Manager for EMEA. Prior to this, Victoria led the Strategy team at Europol’s EC3, where she was responsible for the EU’s cyber threat analysis.
Victoria Baines frequently contributes to major broadcast media outlets on digital ethics, cybercrime and the misuse of emerging technologies. Her areas of research include electronic surveillance, cybercrime futures, and the politics of security. She also provides research expertise to a number of international organisations.For several years Victoria was Facebook’s Trust & Safety Manager for EMEA. Prior to this, Victoria led the Strategy team at Europol’s EC3, where she was responsible for the EU’s cyber threat analysis.Victoria chairs the Security Panel of the Worshipful Company of Information Technologists. She has an MA from Oxford and a doctorate from Nottingham.
Those of us who work in cybersecurity have become immune to the ways we tend to represent threats: military and fantasy imagery, acronyms, and fancy animals among them. How do these representations play out for so-called 'ordinary' people who don't share our specialist knowledge? Based on new research into the rhetoric of cybersecurity, this talk combines a light-hearted critique of security jargon with serious analysis of its impact on protection from threats, and even who gets to work in cybersecurity. It doesn't have to be this way, and Victoria has ideas for how we might empower people to protect themselves and help solve our recruitment issues.
- USTLP:CLEAR
Keynote: What Do We Owe One Another In Cybersecurity?
Wendy NatherWendy Nather (Cisco, US)
Wendy Nather leads the Advisory CISO team at Cisco. She was previously the Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), and served as CISO of the Texas Education Agency. She was inducted into the Infosecurity Europe Hall of Fame in 2021. Wendy serves on the advisory board for Sightline Security. She is a Senior Fellow at the Atlantic Council's Cyber Statecraft Initiative, as well as a Senior Cybersecurity Fellow at the Robert Strauss Center for International Security and Law at the University of Texas at Austin.
As the cybersecurity ecosystem evolves, we understand more about how interconnected we are: the ripple effects from breaches, the fact that supply chains aren’t discrete lines but rather a web, and that mapping our vulnerabilities is harder than we thought. In this session, Wendy Nather will talk about the concept of civic duty on the Internet — not just sporadic charity efforts or “nice to have” information sharing, but the social norms and obligations we should face together if we want a sustainable world of technology. Shared risk requires shared defence.
WendyKeynote(1).pdf
MD5: b5b2597510b51dff1f8993c1a97c92ad
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.26 Mb
- GBTLP:CLEAR
Knowledge Management - Nourishing and Enhancing Your Communication and Intelligence
Rebecca TaylorRebecca Taylor (Secureworks, GB)
Rebecca joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, moving into Secureworks Incident Command’s first Knowledge Manager role in 2020. Rebecca coordinates the smooth delivery of Secureworks largest and most challenging incidents, ensuring victims receive the best possible support during their time of crisis. Furthermore, she leads the ingestion, management and subsequent sharing of intelligence and knowledge gleaned as part of Incident Response delivery.
This session will share tips and tricks on knowledge management during a reactive incident. We will look at how to collect and manage the influx of new data and potential intelligence, as well as how to align your workstreams. We will discuss how to handle communications across the organization, and how to get the best out of your staff, customers, Insurers and Regulators during a crisis. Finally we will discuss toolkits, procedures and other "spin ups" which could be put into place once an incident is declared, to best preserve and support data gathering, and how this information can then be nourished and ingested into the organization post-incident.
- SK PL US CZ CH
Lightning Talks
Henrich Slezak
Aleksander Pawlicki
Shannon Sabens
Martin Laštovička
Jan Kopřiva
Christos ArvanitisHenrich Slezak (IstroCSIRT, SK), Aleksander Pawlicki (Atos, PL), Shannon Sabens (Crowdstrike, US), Martin Laštovička (CSIRT-MU, Masaryk University, CZ), Jan Kopřiva (Nettles Consulting, CZ), Christos Arvanitis (CERN, CH)
- Introduction of a New Team: IstroCSIRT (Henrich Slezak)
- Introduction of a New Team: Atos CERT (Aleksander Pawlicki)
- CVE Lightning Talk (Shannon Sabens)
- Malware Analysis Automation Platform (Martin Laštovička)
- Couple of Interesting Trends Seen in Log4shell Exploitation Attempts (Jan Kopriva)
- Leveraging MISP Intel via a pDNS-based Infrastructure as a Poor Man’s SOC (Christos Arvanitis)
Christos Arvanitis is a Computer Security Fellow at the European Organization for Nuclear Research (CERN). Coming from a software engineering background, his main activities lie in supporting the CERN Computer Security Team and the Security Operations Centre by maintaining and developing tools and automated solutions. He is also actively supporting the incident response infrastructure as well as various monitoring and analysis solutions used at CERN.
Jan Kopřiva is a Security Manager at Accenture and one of the “Handlers” at the renowned SANS Internet Storm Center. He has an extensive professional experience – over his career, Jan worked on projects ranging from implementation of security monitoring and incident response processes and technologies to conducting penetration tests and red team exercises and from performing security audits to teaching different aspects of application security to developers. He has authored numerous research papers and articles focused on different aspects of cyber security and he regularly speaks at security conferences, both local and international.
Martin Laštovička is the head of the cybersecurity operations group in CSIRT-MU team and also a Ph.D. candidate at the Faculty of Informatics, Masaryk University. His research topic lies in network traffic analysis and practical applications of machine learning to build Cyber Situational Awareness. He focuses on applying research outputs to real-world data and enhance the operations of the CSIRT-MU team.
Aleksander Pawlicki Global CERT Incident Response Lead, Senior Atos Expert, Security Enthusiast In charge for technical leadership of Atos Global CERT, which provides services of Digital Security and Incident Response (DFIR), Threat Intelligence (TI) and Threat Hunting (TH) to Atos and its customers. Responsible for leading incident response for large investigation or crisis. Security enthusiast, who strongly believes in purple team philosophy.
Shannon Sabens has 20+ years of program management experience in security, anti-malware and software vulnerability research and response coordination. Shannon is a board member on the CVE Program Board and the chair of the CVE Outreach Working Group. Currently, she is the Director for Threat Response at CrowdStrike.
Henrich Slezák, CISA is focused on GRC, information security management, security auditing, training and awareness and consultation on information security with more than 10 years of experience in governmental and private sector.
Henrich also participated in various incident response engagements as team member, incident response manager and incident response facilitator. He also represented Slovak governmental CSIRT in expert groups in Europe including CSIRTs Network, ENISA Cyber Exercises planners, and many working groups.
- AUTLP:CLEAR
Living with Ransomware - The New Normal in Cyber Security
Vishal ThakurJohn LopesVishal Thakur (Ankura, AU), John Lopes (Ankura, AU)
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specialising in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. Vishal regularly conducts training sessions and presents research at international security conferences. Vishal also regularly publishes his research; some of the links have been included in this document. Other research teams have used Vishal's publications to carry out further work in malware analysis. Vishal is currently Director of DFIR at Ankura Consulting. Before joining Ankura, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Center with advanced threat analysis and developing DFIR tools. Vishal has also worked as a member of the CSIRT at the Commonwealth Bank of Australia and in the consulting industry in the past.
John is a passionate information security professional with specialist knowledge in digital forensics and incident response (DFIR), cyber threat intelligence and offensive security practices. He has over 20 years industry experience with a proven ability to help organisations defend and protect against cyber threats. John is a member of Institute of Electronic and Electrical Engineers (IEEE), International Information System Security Certification Consortium Inc. (ISC2) and a member of the Information Systems Audit and Control Association (ISACA). He also provides pro-bono information security consulting for one of Australia's largest not-for-profit organisations. John Lopes is currently Director of DFIR at Ankura Consulting. Before joining Ankura, John was a part of the Global Incident Response Team at Salesforce, Cyber Security Manager at Insurance Australia Group, Macquarie Bank and BAE Systems Australia.
Not unlike the Corona Virus and its variants, the infosec community need to accept the fact that Ransomware is not going away anytime soon. This talk focuses on how busines can move away from the elimination approach towards a managed prevention approach. This is a presentation that covers everything you need to know to get started towards transforming your organisation to be ransomware resilient. Ransomware has been around for quite some time now and the good thing about that is that we have learnt a lot about this threat in that time. We dig deep into our past experiences from responding to security incidents involving ransomware and share our learnings with the audience. We discuss what to focus on while analysing ransomware and how to create effective detections for ransomware, based on core components of the malware and its behaviour. We share our ideas on how to create an environment within organisations that is ransomware aware and ready for response when an attack involving ransomware eventuates. From our experiences across industries spanning healthcare, technology, finance, manufacturing and commerce, we share knowledge that can be used to build a ransomware-resilient infrastructure. We cover topics such as what to look for when taking out a cyber insurance policy, along with strategies on how to handle communications during and after the incident. Let's face it, ransomware is a threat that is here to stay, we need to adapt to living with it and best preparing organisations to manage it when it strikes.
- EC
Los Retos de la Automatización del Threat Hunting (presented in Spanish)
Ramiro Pulgar (Blue Hat CERT, EC) (EC)
Se habla, sobre todo por fabricantes de soluciones de software, de la automatización de la detección y respuesta de amenazas, pero al no tener claridad sobre cuales son las amenazas comunes y avanzadas que enfrentan los activos de información de la Organización, no se podrá automatizar, y en peores escenarios se llenarán de falsos positivos, saturando y decepcionando al CSIRT. Se analizará una metodología de definición de Casos de Uso para manejar incidentes basado en Ciber-Riesgos.
Master en Ciberseguridad, director del Blue Hat CERT en Ecuador, y posee 30 certificaciones internacionales vigentes relacionadas a Ciberseguridad.
- USTLP:CLEAR
More Than a CSIRT: Lessons Learned from Supporting a National Response to COVID-19
Tom Millar
Joshua CormanTom Millar (CISA, US), Joshua Corman (IamTheCavalry.org, US)
Mr. Millar has been apart of the US Cybersecurity and Infrastructure Security Agency (CISA) for 12 years working to strengthen the agency's information sharing capabilities, increasing the level of public, private and international partner engagement, and supporting initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master's of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
JOSHUA CORMAN is a Founder of I am The Cavalry and the former Chief Strategist of the CISA COVID Task Force. He has previously served in CSO, CTO, and other senior roles. He co-founded RuggedSoftware and IamTheCavalry.org to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. He is a member of the Adjunct Faculty for Carnegie Mellon’s Heinz College, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.
To respond to the COVID-19 pandemic, The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with National CSIRT functions for the US, established a COVID Task Force, bringing in experienced experts from outside the agency to work alongside career analysts and advisors. Early on, it became apparent that to rapidly secure the pandemic response against cyber threats, it would take more than just threat tracking and incident response. CISA drew on its cybersecurity assessments capabilities to help secure critical organizations in the vaccine supply chain, rapidly worked to strengthen relationships with the healthcare sector, and began analyzing data on the progress of the pandemic to help inform strategic decisions about the whole-of-government response. This presentation will describe CISA's response and explain how other security teams can be prepared to creatively deal with sudden changes in mission sets and priorities.
- CHTLP:CLEAR
Never Walk Alone: Inspirations From a Growing OWASP Project
Christian FoliniChristian Folini (OWASP ModSecurity Core Rule Set, CH)
Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference. In 2020, the Swiss government invited him to moderate a dialogue with 25 scientists on questions of online voting security. Christian Folini is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.
The OWASP ModSecurity Core Rule Set (CRS) was a dormant project, when a group of three developers picked it up in 2016. Today, this open source web application firewall project counts 14 active developers, annual sponsoring of over 40K USD and the rules run on over 100Tbit/s. This presentation explains how the new management took over the project and developed it in three key areas: (1) the code, (2) the developers and (3) the users and partners. The growth of OWASP CRS serves as an example how you can grow and mature your project too.
- FR CZTLP:CLEAR
Daniel Lunghi
Jaromir HorejsiDaniel Lunghi (Trend Micro, FR), Jaromir Horejsi (Trend Micro, CZ)
Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years. Now he focuses on long-term monitoring of advanced threat actors from all over the world, exploring new ways of tracking them, and enjoying their mistakes. The result of such investigations are shared through blogposts, whitepapers, and conference talks.
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
Despite being illegal in some countries, global online gambling industry growths steadily year after year, flourishing in current environment dominated by the global pandemic. This trend was not surprisingly noticed by advanced threat actors as we observed and analyzed campaigns targeting online gambling platforms.In this research, we will focus on a multiplatform (Windows and Linux) campaign involving known espionage tools as well as new malware families. Operated by individuals with knowledge of Chinese language, the victims of this campaign are mostly online gambling customers in South East Asia.We noticed some interesting infection vectors, such as backdoored or fake installers for popular applications, or even for a custom chat application, suggesting a very targeted campaign.The delivered malware families are well known espionage tools such as PlugX and Gh0stRAT, or lesser known XNote and HelloBot. Some of these Linux malwares were previously reported for their cybercrime usage, but never for espionage purposes. We also found some previously unreported malware families dubbed GoRAT and PuppetRAT, one of which uses images for payload storage. After carefully analyzing their unique features, we will highlight one interesting case where a flawed cipher implementation led us to the discovery of an additional malware likely implemented by the same threat actor.As a conclusion, we will discuss the multiple links we found with known advanced threat actors and older investigations.
- DETLP:CLEAR
ORKL: Building an Archive for Threat Intelligence History
Robert HaistRobert Haist (TeamViewer, DE)
Since the APT-1 report was released in 2013 there has been a steady and increasing stream of public, long-form reporting on cyber security threats. Those finished intelligence reports contain a mix of explanatory texts and technical hints to improve network defenses. The ORKL project tries to accumulate every publicly released threat intelligence report and make the knowledge available to defenders as a public archive through an interactive UI and an API for automated inter-machine exchanges as a free web based service. The data-set normalizes searches for different threat actors and malicious tool naming schemes while remaining source references. The archive is the first building block towards a cyber threat intelligence focused natural language processing (NLP) pipeline to filter current news items to create customizable reports. This project will be released at the FIRST Cyber Threat Intelligence Symposium.
Robert Haist is the CISO at TeamViewer with more than 10 years’ experience in incident response, digital forensics, and threat intelligence. He holds a MSc. with distinction in Advanced Security and Digital Forensics from Edinburgh Napier University and is interested in research around threat intelligence and open-source software to help defenders watch over their networks.
Robert-Haist.pdf
MD5: e5847d19de7bd03f344730b1ca17a798
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.54 Mb
- USTLP:CLEAR
Prioritizing Vulnerability Response with a Stakeholder Specific Vulnerability Categorization
Jonathan SpringJonathan Spring (Carnegie Mellon University, US)
Jonathan Spring is a senior member of the technical staff in the CERT division of the Software Engineering Institute at Carnegie Mellon University. Dr. Spring's work focuses on producing reliable evidence in support of crafting effective cybersecurity policies at the operational, organizational, national, and Internet levels. Jono's research and practice interests include incident response, vulnerability management, machine learning, and threat intelligence.
SSVC can help organizations prioritize vulnerabilities consistently and communicate priorities between management and analysts. The problem SSVC helps solve is vulnerability triage. The focus of the solution is to take in the appropriate amount of context about the system, organization, and vul, without taking in more detail than is relevant. This talk will help you learn how to ask no more questions than is necessary to reach an adequate vulnerability management decision.
- GB RUTLP:AMBER
RaaS: Ransomware as a Science (Chan eil tuil air nach tig traoghadh)
Eireann Leverett
Vladimir KropotovEireann Leverett (Waratah Analytics, GB), Vladimir Kropotov (Trend Micro, RU)
Eireann Leverett is a humble hacker lucky enough to hang out with the rest of these epic nerds. He is a co-chair of the Mutli Stakeholder Ransomware Special Interest Group with Barry Greene.
Vladimir Kropotov is a researcher with Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Ransomware metrics require collaboration. We have used time series analysis to innovate ways to syntheise data from multiple sources (endpoint sightings and ransoms in the BTC blockkchain). This gives us a perspective on the effectiveness of different ransomware groups operations, their capacity, and their methods. We also look into CVE data and measure those CVEs according to impact. From binary analysis to sightings, from ransoms to operating frequency, from comparative analysis of groups to an insurers view of the effectiveness of incident responders, we aim to give you methods and tools to strategically prepare for ransomware in your teams. How many incidents have we seen hsitorically? How many might we see next year? Which groups are doing the most damage, and how do we move beyond endlessly reverse engineering the next binary sample towards effective collaborative response?
- IT
Ransomware Attack: Lessons Learned
Paolo Cravero
Francesco De LucaPaolo Cravero (CSI-RT, IT), Francesco De Luca (CSI-RT, IT)
We will talk about an attack we suffered recently, which we managed successfully and from which we learned a lot on several aspects.
-
Paolo Cravero - Paolo Cravero is an "all around" Senior Cybersecurity Analyst and Blue Teamer with a strong background on networking and email systems. He has a special attitude towards specifications adherence and enjoys extracting valuable information from machine generated data.
Paolo holds a M.Sc. degree in Telecommunications Engineering from the Politecnico di Torino and has been part of CSI-RT since its foundation.
-
Francesco De Luca - Francesco De Luca is a Security Professional with more than 30 years of experience in IT, Services Industry and Security.
As a Certified Information Security System Professional (CISSP) he contributed to the creation of the regional CSIRT.
Security is not only an exciting job, but also a keen and personal interest.
- USTLP:CLEAR
Ransomware Stages of Grief
Tony KirtleyTony Kirtley (Dell SecureWorks, US)
Tony Kirtley joined Secureworks in 2015 as a Senior Consultant focusing on incident response planning and testing for our customers. In 2018, he became Secureworks' first Incident Commander, focused on managing major cybersecurity incidents for our customers. Tony has since led the response to many data breach and ransomware incidents for large and small customers. Tony has more than 21 years of experience in information security. He has built and led cybersecurity incident response teams for Fortune 500 companies and has a wide breadth of experience and knowledge in many aspects of information security in the private sector and the U.S. Military. He retired from the Missouri Army National Guard in 2014 at the rank of Lieutenant Colonel after building and leading the nationally recognized Missouri National Guard Cyber Team.
Secureworks conducts over 1000 incident response engagements a year and has done more than 600 post detonation ransomware engagements since 2018. These engagements provide us an incredibly wide aperture on threat behaviors and their respective tradecraft, but it also provides us a very wide aperture of victim behaviors. We have observed a commonality of victim behaviors that nearly every one of our client victims go through, so much so that we began calling our observations the stages of ransomware grief.In much the same way as the Kubler-Ross Grief Cycle illustrates the emotional journey people go through with the loss of a loved one, business leaders and their key personnel go through a similar emotional journey when faced the crippling business impacts from a ransomware attack. The sooner business leaders can recognize objectively that their emotional response is normal, expected, and can be managed, the sooner leaders and their respective teams can reach acceptance of their situation and make more rational and pragmatic decisions that lead to a quicker recovery.
- HUTLP:CLEAR
Reversing Golang Binaries with Ghidra
Dorka PalotayDorka Palotay (Palotay Dorka, HU)
Dorka has a Bachelor's degree in applied mathematics. She continued her studies in the field of security and privacy, where she gained her Master's degree in computer science specializing in advanced cryptography. She started her career at Sophos, mainly focusing on ransomware analysis, but as a member of the Emerging Threats team, she had the opportunity to gain experience in reverse engineering a wide range of malware attacks. Before joining CUJO AI she was working in the financial industry as an IT security analyst, focusing on threat hunting and forensics investigations. Currently, she is working at CUJO AI as a senior threat researcher focusing on reverse engineering IoT malware.
Golang is Google's open-source programming language, which in recent years has gained attention among developers. It is not only used for good purposes but, in a developing trend, it is a popular choice of malware authors as well. The fact that Golang supports cross-compiling makes it a tempting option for IoT malware attacks. This has resulted in a proliferation of IoT malware written in Go. For this reason, we decided to dive deeper and develop our own toolset to become more effective at combating Go malware. When it came to dissecting Go malware, reverse engineers found themselves faced with a hurdle. Go presents new challenges that make binary analysis more difficult. In order to aid and automate this process, we have created custom scripts for Ghidra. The talk will consist of:
- Introduction to IoT malware families written in Go.
- Discussion of the unique features and hurdles of Go binaries.
- Tackling common problems when reverse engineering Go malware in general and specifically with Ghidra.
- Sharing our Ghidra scripts that we use during reverse engineering.
Palotay_53.pdf
MD5: 216a4302abd461def88dad506c42da14
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.58 Mb
- IE ILTLP:CLEAR
Ryan RobinsonAvigayil MechtingerRyan Robinson (Intezer, IE), Avigayil Mechtinger (Intezer, IL)
Ryan Robinson is a security researcher for Intezer. He specializes in malware reverse engineering and incident response. In previous roles, Ryan has worked as a Security Engineer securing cloud applications and as an analyst in Anomali's Threat Research team.
Avigayil is a security researcher at Intezer specializing in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms. As part of her ongoing work she has initiated the ELF Malware Analysis 101 series, to make ELF analysis approachable for beginners. Prior to joining Intezer, Avigayil was a cyber analyst in Check Point's mobile threat detection group.
As one of the most heavily used tools by threat actors, Cobalt Strike is an integral part of many attack chains targeting Windows environments. It was used as a post exploitation tool in high-profile breaches including the infamous SolarWinds and Colonial Pipeline. Until recently, Cobalt Strike was not documented targeting Linux systems in the wild, which makes sense as there is no official Cobalt Strike version for Linux. Recently, we discovered a fully undetected ELF implementation of Cobalt Strike's Beacon, which we named Vermilion Strike. After further analysis, Windows versions were found sharing the same functionalities with the Linux version, contacting the same C2. Based on telemetry, this threat has been active in the wild targeting high profile entities in multiple industries. This talk will discuss Cobalt Strike and it's popularity, provide an in-depth analysis of Vermilion Strike including its TTPs, and suggest methods for detection and response to these threats.
- DETLP:CLEAR
Securing the Supply Chain Together - Through Automation of Advisories and Vulnerability Management
Thomas Schmidt
Jens WiesnerThomas Schmidt (BSI, DE), Jens Wiesner (BSI, DE)
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITION/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
Jens Wiesner heads the section 'Cyber Security in Industrial Control Systems' of the German Federal Office for Information Security (BSI). To increase security of critical infrastructures he and his team cover many areas starting with establishing trust and good relations with vendors and asset owners over committee work, baseline security documents over supporting standardization efforts (ISA99 and DKE 62443) to working with academia to improve research and education.
He started his career in times of NCSA Mosaic and administrating DEC Alphas while studying physics. He advanced in digital and analog measurement technology and programmed EIB (nowadays known as KNX) to finance his studies. After graduating he set up and ran a computing lab at the University of Stuttgart for several years. For some years he programmed risk management (Sarbanes Oxley 404) for a German car manufacturer. Since 2013 he works for BSI and since 2016 he is responsible for 'Cyber Security in Industrial Automation and Control Systems' and technical aspects of critical infrastructure protection in Germany.
In his spare time he is cycling and rowing all over the world. (Mostly quad sculls)
Securing the supply chain is a complex task. However, the current threat landscape makes it clear that this has to be tackled immediately. As vulnerabilities are frequently (ab)used by adversaries, one step to a more secure supply chain is the downstream propagation of vulnerability and remediation related information. This includes not only remediation measures, as mitigations and updates, but also the information if a product is not affected. The workshop gives an overview of the current situation of human-readable security advisories and the problems, which arise here. It will introduce the Common Security Advisory Framework (CSAF) as a solution, which provides not only a machine-readable format for security advisories but also covers the distribution and discovery part. CSAF was developed as an industry-led effort by the international community at the standardization organization OASIS Open. In the first part, the workshop will illustrate the eco-system including live demos of available open source tools. In the second part, it will give a step-by-step guidance how to become a part of that eco-system: starting with writing and publishing security advisories as CSAF documents over consuming them up to matching them against an asset database or SBOM. The second part will provide hands-on experience.
- EC
SIM3 Maturity Model and How to Apply it to CSIRTs (in Spanish only)
Ing. Paul F. BernalErnesto Pérez EstévezIng. Paul F. Bernal (CSIRT CEDIA, EC), Ernesto Pérez Estévez (CSIRT CEDIA, EC)
Overview of the Security Incident Management Maturity Model (SIM3). How to understand SIM3, and how to use it in real life to measure CSIRT maturity, target improvements based on the results, and keep a check on progress. Important applications of SIM3 like FIRST's new membership application program, and the GCMF approach for national teams, will also be explained, including the use of free online tools.
During the second part of the activity, the participants will have time to test the tool through an auto-evaluation, review the results and clear up doubts with the instructors."
- Both Paul and Ernesto, run CEDIA's Incident Response Team and have many years of experience in the deployment of solutions based on Free Software, including several security related tools. They enjoy being able to exchange experiences and knowledge in the technical and cybersecurity area, with other teams and individuals of the area.
- DETLP:CLEAR
Speed is key: Leveraging the Cloud for Forensic Artifact Collection & Processing
Lukas KleinChristian KoeppLukas Klein (SAP, DE), Christian Koepp (SAP, DE)
Lukas Klein is an Incident Response Analyst at SAP. In his two years at SAP, he’s been working on various topics ranging from improved visibility to forensic artifact collection and processing. Before joining SAP, he earned a Master’s degree in Security and Cloud Computing.
Christian Koepp is the Head of Incident Response EMEA at SAP. He previously worked in Cybersecurity R&D and was part of Siemens Corporate Technology where he worked in the Computer Emergency Response Team for five years. Before joining SAP, Christian ramped up a Security Operation Center to protect critical infrastructure in the utilities sector in Canada.
79_slides.pdf
MD5: 97038bcf107a5dfcd01c4678e19dbf9a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.21 Mb
- BR US
Jacques Coelho
Lorena MillerJacques Coelho (FS-ISAC USA, BR), Lorena Miller (FS-ISAC, US)
How companies in the financial sector can expand their network of contacts with sources of information about attacks, cyber threats and systemic vulnerabilities. How to work together in communities of interest to anticipate cyber risks. How to ensure that best practices applied to cyber defenses reach security teams faster.
Cómo las empresas del sector financiero pueden ampliar su red de contactos con fuentes de información sobre ataques, ciberamenazas y vulnerabilidades sistémicas. Cómo trabajar juntos en comunidades de interés para anticipar los riesgos cibernéticos. Cómo garantizar que las mejores prácticas aplicadas a las defensas cibernéticas lleguen más rápido a los equipos de seguridad.
Jacques Coelho is an administrator and specialist in finance, graduated from the University of the City of São Paulo. He is the current FS-ISAC Regional Director for Latin America and the Caribbean. He served as Director of Strategy and Risk at ALIVI Corporate and as Director of Risk at HCAS in the US. He was Minister and Trainer of Compliance and Regulatory Adequacy at GE Bank. Specialist in the assessment of behavioral trends of fraudsters, he has 24 years of experience in the Financial Sector, 18 of which are dedicated to risk areas
Additional co-speaker support provided by Anne Meriwether, Lorena Miller, and Teresa Walsh.
- JPTLP:CLEAR
Targeted Web Skimming on E-Commerce Sites
Hendrik AdrianHendrik Adrian (LACERT/LAC Tokyo, JP), Takehiko Kogen (LAC/LACERT Tokyo, JP)
We would like to share the cyber threat report about the activity of a recent on-going web skimming threat that has been systematically aiming vulnerable E-commerce sites to steal the credit cards and personal information/PII of affected site’s customers. We call this cyber threat as web skimming as a metaphor to the credit card physical skimming crime, but has been done in the online environment. Differ to the phishing scheme, the web skimming bad actors are actually performing cyber attacks to specific E-commerce sites with new vulnerabilities, tampering and implanting the malicious codes to after what they are aiming for, and this case's adversaries have cleverly hidden their malicious traffic under the legitimate cloud services and protections which is making the threat was not easy to noticed, detect and investigate. In this presentation we will disclose in very details on how the adversaries work with their tools, what kind of E-commerce sites are being aimed and how the credit cards and customer information are accessed by the adversaries, along with methods to mitigate the similar attacks in the future that will help E-commerce sites, tools and customers. For the cyber threat intelligence purpose we will add the information about the adversaries source.
Hendrik Adrian is the representative of FIRST Team LACERT and FIRST CTI SIG and FIRST NETSEC co-chair, he is working as cyber threat intrusion senior analyst at Cyber Emergency Center. Hendrik works as Japan government support for various educational security lecture activities in IPA i.e. Security Camp, CyberCREST, and he is putting more efforts in national and international security communities as an active lecturer and speaker in various conferences. His known malware analysis contributed to the security community is listed in the Wikipedia at https://en.wikipedia.org/wiki/MalwareMustDie
Takehiko Kogen Takehiko Kogen has started to engage in security from JSOC as analyst who was in-charge to analyze malicious traffic from proxies and firewalls, he was writing threat detection signatures for ArcSight and Splunk systems. Since 2018 Takehiko has been supporting the malware analysis team and SOC operation from the Cyber Emergency Center in LAC/LACERT. He works on threat intelligence to disseminate and to share malvertisement information. His contribution threat analysis is recorded in LAC Watch at https://www.lac.co.jp/lacwatch/
- BETLP:CLEAR
The Blue Side of Documentation
Nicholas DhaeyerNicholas Dhaeyer (NVISO Security, BE)
Nicholas is a SOC analyst at NVISO and self-proclaimed data hoarder. His hoarding skills have been valuable in creating and maintaining the documentation and training program of the NVISO SOC team. His day-to-day activity involves analysing security threats, looking for Indicators Of Compromise, writing allow-lists. Within the SOC team, Nicholas is responsible for standardizing and structuring daily operational workflows. Next to his professional work, Nicholas has interests in a number of other activities, like setting up a home lab and troubleshooting all problems that come with it. Nicholas hosts a community for students where they can collaborate, ask questions to other students and alumni and share their knowledge of experience and job offers/internships with each other. Nicholas is also familiar with hackerspaces to teach kids the wonders of cybersecurity, ranging from broad topics like lock picking to forensically analysing a USB disk.
Missing documentation, processes or resources? With this presentation we want to give you some insights on how to improve your documentations skills. In current remote-working times its crucial to be organized and to structure your day. No matter what your position in the company is, everyone needs to take notes of something or has to document something. In this presentation you'll learn tips & tricks to keeps your notes and documentation short, simple and usable. As an added bonus we'll be going over maintaining and managing this knowledgebase in a live environment.
- NLTLP:CLEAR
The Joy of Threat Landscaping
Gert-Jan BrugginkGert-Jan Bruggink (Venation, NL)
Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you try to convey answers to intelligence requirements as effective way as possible. Channel your inner artist if you will. This could for example be building a periodic briefing or yearly write up. Still, what makes a good threat landscape? What essential information should it contain? What works?
In this talk, I will share best practices, tips, tricks and my happy accidents when creating a threat landscape intelligence product. This is based on years of building these products, in different formats and for different stakeholders.
This talk provides cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape products. In addition, creating a larger narrative around cyber threats to support both business and senior stakeholder decision making and drive security investment.
Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.
- SETLP:CLEAR
The SolarWinds Supply Chain Compromise
Erik HjelmvikErik Hjelmvik (Netresec, SE)
Erik Hjelmvik is an incident responder and software developer who has spent most of his career analyzing network traffic from malware and intrusions. He started analyzing network traffic from a security perspective while working at the R&D department a major energy company, where he focused on SCADA and industrial control system security. Erik has also worked as an incident responder at the Swedish Armed Forces CERT, where he got the chance to focus even more on network forensics and network security monitoring. Nowadays Erik runs the company Netresec where he develops software, such as NetworkMiner and PolarProxy, for doing network forensics.
Software supply chain attacks have received a great deal of attention after the SolarWinds hack was discovered in December 2020. In this presentation Erik dives deep into the functionality of the malicious SolarWinds Orion update in order to explain how the attackers managed to avoid detection for so long as well as to show how the attackers leveraged DNS based command-and-control traffic to their advantage. The talk also provides guidance on what can be done to protect against supply chain attacks, such as the SolarWinds hack.
- NOTLP:CLEAR
There is No TTP
Martin EianMartin Eian (mnemonic, NO)
Dr. Martin Eian is a Researcher at mnemonic. He has more than 20 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security.
Do not try and detect the TTP. That's impossible. Instead, only try to realize the truth.There is no TTP. It is either a tactic, a technique, or a procedure. The MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) knowledge base has become the de facto industry standard for tactical threat intelligence. But if we look closely, it only covers one of the Ts in TTPs: techniques. This presentation challenges some common "known truths" about tactics, techniques and procedures, and suggests steps to improve detection, response and attribution. The aim is to trigger discussion and highlight what we don't know.
01-ThereisnoTTP-Eian.pdf
MD5: d45f2c7f09e3483a8056c51f55af503e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.67 Mb
- IETLP:CLEAR
Threats versus Capabilities - Building Better Detect and Respond Capabilities
Thomas FischerThomas Fischer (Riot Games, IE)
Thomas has over 35 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at fortune 500 companies, vendors and consulting organisations. While currently focused on SecOps, Thomas continues as a security advocate and threat researcher focused on understanding data protection activities against malicious parties and continuous improvement in the incident response process. Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, and regular shares at events like SANS DFIR EMEA, DeepSec, Shmoocon, ISSA, and various BSides events.
CERT and IR teams keep adding tools to their portfolios and are pushed by vendors to adopt new technologies or the latest buzzword. Teams adopt frameworks like MITRE ATT&CK which provide TTPs; but are these relevant to what you need to actually detect? All this is very generic and may or may not help teams defend their organizations; as defenders a key to success needs to be our capability to defend against threats that target our organizations. Can we do things better? This session will introduce a methodology and process to help teams build better detect and response based on mapping required data points, creating a gap analysis and prioritizing requirements independently of tooling. Teams will then be able to use this analysis to identify the right tools needed to defend their organization and implement a process of continuous improvement and tool alignment.
- NOTLP:AMBER
Vanity Metrics - The BS of Cybersecurity
Freddy MurstadFreddy Murstad (Nordic Financial CERT, NO)
This talk aims to demonstrate that "vanity metrics", such as showcasing how many alerts the team has dealt with have no actual value for management other than to dazzle the unwitting stakeholders and to wrongly show how "effective" the cybersecurity program is.
Through this talk I will try to shine a light on the vanity of measuring for show rather than for value. And I will try and illustrate what to measure, why we measure it (value), where we can get to those essential metrics and possible suggestions on how to present them. And lastly, I will try and illustrate that having a good plan and structure from the get-go, by using the intelligence cycle, is instrumental in achieving a good starting point for doing metrics well.
Freddy Murstad is the senior threat intelligence analyst at the Nordic Financial CERT (NFCERT) in Norway and works serving 200+ financial institutions in the Nordics with threat intelligence, reports, and analysis on threat actors. He shares his knowledge on intelligence analysis and intelligence processes and focus on bridging the gap between Strategic and Tactical analysis for his stakeholders. Currently, Freddy is doing basic research in preparation for a PhD in the cross-section of intelligence analysis and cybersecurity. Freddy is currently doing basic research in preparation for a PhD in the cross-section of intelligence analysis and cybersecurity.
Freddy-Murstad.pdf
MD5: 76c797b6930f236ba5862c41d0813f4e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.67 Mb
- US DETLP:CLEAR
VEXed by Vulnerabilities That Don't Affect Your Product? Try This!
Allan FriedmanThomas SchmidtAllan Friedman (CISA, US), Thomas Schmidt (BSI, DE)
Allan Friedman is the guy who won't shut up about SBOM at the Cybersecurity and Infrastructure Security Administration. He coordinates the global cross-sector community efforts around software bill of materials (SBOM), and works to advance its adoption inside the US government. He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics. Prior to joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard's Computer Science department, the Brookings Institution, and George Washington University's Engineering School. He is the co-author of the popular text "Cybersecurity and Cyberwar: What Everyone Needs to Know", has a degree in computer science from Swarthmore college, and a PhD in public policy from Harvard University. He is quite friendly for a failed-professor-turned-technocrat.
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITION/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
Vulnerabilities in soft- and hardware have become a growing concern in the supply chain. Therefore, organisations developing products invest into new security programs, doing security assessments of their products, analysing the results and publishing security advisories. Also the community of security researchers contributes to this process by actively searching for vulnerabilities in widely used components.
However, as SBOMs become more widespread, many of the results can be “false positives,” as the underlying component vulnerability isn’t actually exploitable. Vendors and users will have to prioritize and process this information.
This talk gives an overview of the Vulnerability Exploitability eXchange (VEX). VEX allows software providers and PSIRTs to explicitly communicate that their software is *not* affected by a vulnerability. Built on the OASIS Common Security Advisory Framework (CSAF), VEX will increase SBOM adoption. It also helps in propagating information faster through the supply chain.
FIRSTfriedmanschmidtvexcsafemail.pptx
MD5: 0049f4710879db87c275d7f08f0d7280
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 3.19 Mb
- GBTLP:CLEAR
Who Do You Think You Are?
Stuart MurdochStuart Murdoch (Surevine, GB)
Stuart Murdoch is Founder and CEO of Surevine, one of the UK's leading Cyber security companies. Surevine specialises in smart and secure collaboration technology for the National, Homeland and Cyber Security domain, and is relied on by the UK Government to keep them one step ahead of the cyber threat. Stuart is a Chartered Engineer with a BSc in Computer Science from Royal Holloway, home of the world-leading Information Security Group, and an advanced MSc in Computing from Imperial College, London. He is a guest lecturer at the University of Surrey, a professional member of the BCS (British Computer Society), a member of the IoD (Institute of Directors) and a Liveryman at the Worshipful Company of Information Technologists. He is a published author in the field of cyber security, most recently as a contributor to The Oxford Handbook of Cyber Security (Oxford University Press, 2021)
“Who do you think you are?” is a popular TV series, franchised globally, in which celebrities trace their family trees, often uncovering unsavoury ancestors. This session, will stretch the analogy to its breaking point, using the format of that engaging TV programme to dig up the “family trees” of information sharing:
• Tracing the links between the standards used in information sharing and their evolution and adoption
• Super-imposing the growth of information sharing organisations and the historical events and legislation which has often led to their creation
Along the way, we will hope to uncover some “skeletons in the closet” and won’t shy away from airing our dirty laundry.
- NLTLP:CLEAR
Who Shares Wins
Jaap van OssJaap van Oss (Citi Cyber Intelligence Centre (CIC), NL)
Jaap van Oss (Dutch, 19-11-1964) recently joined Citi's Cyber Intelligence Center (CIC) as the Cyber Intelligence Lead for EMEA. He is responsible for the Partnership & Engagement in the EMEA region, with particular focus on keeping the European Cyber Threat Picture up to date. Jaap van Oss gained his Cyber-experience in a substantial career in Law Enforcement; as a Chief Inspector at the Dutch High Tech Crime Unit and as a Senior Specialist at the European Cybercrime Centre (EC3) at Europol. For EC3 he also drafted the Darkweb strategy. Previous to his jump to private industry, Jaap was the Chairman of the Joint Cybercrime Action Taskforce (J-CAT), an international group of Cyber investigators developing and coordinating cross-border Cyber operations and investigations. In 2016 Jaap graduated from the FBI National Academy where he honed his leadership skills. Furthermore, he holds a degree in Technology Assessment at the Technical University Eindhoven (NL) and he obtained his Masters in Computer Forensics and Cybercrime Investigations at the UCD in Dublin (IE). The topic of his dissertation, "Cybercriminal Organisation", is still a very present-day topic in the fight against cybercrime.
Sharing threat intelligence, information, analysis and other insight in our possession, and collaborating with our peers and other external contacts who may be facing the same threats are a key aspect of a dynamic, intelligence-driven cybersecurity and information security program. Intelligence sharing and collaboration help peer financial institutions and other external partners to prevent, detect and respond to cyber incidents and threats, strengthening our joint defenses and strengthening the broader financial and cyber ecosystems.
However, whilst many organizations firmly support intelligence sharing, and aspire to become good citizens and to actively share with others - there are often internal, organizational barriers, perceived barriers and limiting factors, and very few organizations achieve an effective and efficient level and consistency, of sharing and collaboration. This, we argue, is limiting the amount of valuable insight being shared directly between peers, and via existing sharing groups and communities; and this in turn is slowing the development of cross-sector, multi-agency, multi-disciplinary collaboration.
Through our Cyber Intelligence Centre Partnership and Engagement team, we made a determined effort to examine and address the internal barriers and to create a program, policies and processes to facilitate efficient, effective, safe and scalable external intelligence-sharing, with legal, regulatory and supervisory oversight. We call our program ‘Who Shares Wins’ and we’d like to present some of the details.
- IETLP:CLEAR
Why Your Security Analysts Are Leaving and What You Can Do to Retain Them
Thomas KinsellaThomas Kinsella (Tines, IE)
Security teams are being prevented from doing their best work. While understaffing and low budgets have always been challenges for any type of team, security teams are uniquely affected by repetitive, manual tasks, which in turn keep them from working on higher-impact projects that contribute to their organization’s overall security posture. This presentation will share the data from an in-depth survey of the day-to-day struggles of security analysts, as well as greater context on groups surveyed and the methodology used. It’s no surprise to learn that 71% of analysts are experiencing some level of burnout and 64% say they’re likely to switch jobs in the next year. Our research goes further to breakdown causes of burnout and how to alleviate it to improve employee retention. Our research shows that while most security personnel love their jobs and feel respected and valued, turnover in these roles continues to be very high. While there are obvious factors such as understaffing, this presentation will focus more on the specific work factors analysts say cause them to lose their zeal and motivation.
Thomas Kinsella is Co-founder and COO of Tines, a no-code automation platform for security teams. Before Tines, Thomas Kinsella led security teams in companies like Deloitte, eBay and DocuSign. As COO, Thomas is responsible for customer success, professional services and more. Thomas has a degree in Management Science and Information Systems Studies from Trinity College in Dublin.
Thomas-Kinsella.pdf
MD5: b3d99f543be527ea366fb2b47bdfe6b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 13.14 Mb
- RUTLP:CLEAR
Your Phone is Not Your Phone: A Dive Into SMS PVA Fraud
Vladimir KropotovVladimir Kropotov (Trend Micro, RU)
Vladimir Kropotov is a researcher with Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Mobile phones are the inseparable part of our lives. Mobile phone numbers are often used in place of user identity on many online services, from e-commerce to online banking and government portals. Mobile phone numbers in many countries are required to be verified through national identity documents and often used in place of a national identity token. Many of the social media and online messaging rely on accounts to be verified through user phone - so called phone verified accounts (PVA). But can they be trusted? We analyzed a number of PVA provision services and uncovered the whole flow of operation of such services - from sourcing the messages via pre-infected phones, to how those devices are "horded" and sold in bulk via online portals. The fraud group that we investigated claims to control over 20M devices distributed across 180 countries and monetizes their "farm" of infected devices through ad fraud and SMS access sale. Further, we also investigated the criminal use of disposable SMS services and identified a number of fraudulent campaigns including romance scams, stock and brand manipulation and inauthentic online behavior. The presentation covers a number of use cases detailing these incidents.
