Leonard Savina (ANSSI, FR)
Léonard Savina has been maintaining, securing, deploying, migrating, automating and designing Active Directory environments for about 10 years in various sectors such as Energy, Hospitals and Government.
You can find some technical articles he wrote between 2010 and 2013 on his blog (www.ldap389.info) about those professional experiences.
In 2013 he joined ANSSI, the French National Cyber Security Center, as a Security Systems Engineer.
In 2017 he joined the CERT-FR as a DFIR analyst. CERT-FR is part of ANSSI.
In 2019 he released the ADTimeline tool which was presented at the Amsterdam 2019 FIRST Technical Colloquium.
Active Directory is a prime target in almost all cyberattacks, and attackers often attempt to gain Domain Admin privileges and maintain their access. It is therefore crucial for security teams to monitor the changes occurring in Active Directory. Those modifications are recorded in the Domain Controllers' Windows event logs, but their scope and completeness depend on the auditing strategy configured. Moreover, those events are rarely centralized, analysed and archived. As a consequence, replication metadata is sometimes the only artefact left for the DFIR analyst to characterize modifications made to the Active Directory.
ADTimeline is a forensic tool, written in PowerShell, which aims to create a timeline of Active Directory changes from replication metadata. The ADTimeline application for Splunk processes and analyses the data collected by the PowerShell script to help the DFIR analyst perform their investigation. In addition, the Active Directory data indexed in Splunk can be coupled with the analysis of Windows event logs to perform relevant threat hunting queries.
June 24, 2020 14:45-15:15
Vilius Benetis (NRD Cyber Security, LT)
Dr. Vilius Benetis is from the European cyber security company NRD Cyber Security, where his work includes designing CSIRTs/SOCs for nations, sectors and organisations, early warning systems and forensics labs, incident response capabilities, development of national methodologies for identification and monitoring of critical infrastructures, and national situation awareness in cyberspace. Vilius is an active researcher in FIRST.org, GFCE and ITU (at the CoE for Cybersecurity and Q3/SG2). He also contributes to ISACA's existing and forthcoming publications on cyber security, trains CSX Fundamentals Workshops and CSIRT Manager Trainings, and speaks at European, American and African conferences. Dr. Benetis mainly focuses on projects in Sub-Saharan Africa, South Asia and Eastern Europe.
This presentation will present the work on hierarchical (national, sectoral, organisational) CSIRT blueprint structures achieved by experts in the GFCE working group, and will gather feedback for improvement so that the results provide stronger additional guidance for the global CSIRT community.
June 22, 2020 17:15-17:45
Jaco Cloete (Nedbank Ltd, ZA)
Jaco Cloete, CISA, CRISC, CISM, CA(SA), C|CISO, CISSP, CSX-P, has 22 years of experience in cyberrisk management and auditing in the banking sector. He performed audits across all information technology and cyberdomains and served in both an external and internal audit capacity. In his current role as cybersecurity manager, he is responsible for cyberstrategy, cyberpolicy, cyberrisk management, cyberresilience program management, red team testing, cyberscenario analysis, cyber playbooks, cyberthreat identification and modelling, and cybermetrics and reporting.
Cyber professionals spend a lot of effort on technical measures to prevent an attack, detect an attack and recover from an attack. What if an attack leads to a cyberincident (BOOM!) that causes real damage and impacts the business, including reputational damage, loss of clients and potentially a threat to the existence of the organisation? This session is not about technical measures to prevent or recover from an attack, but about the business processes and collaboration needed in an organisation to limit the impact to the brand and to restore confidence after the incident while minimizing chaos and loss of precious time. Successfully navigating the aftermath of a cyberincident requires a coherent effort by a multi-functional senior Cyber Crisis Management Team, an effective communication strategy, and clear and concise process flows containing well-defined inputs and outputs between key stakeholders inside and outside the organisation.
Allan Friedman (NTIA / US Department of Commerce, UM), Tomo Ito (JPCERT/CC, JP)
Dr. Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multi-stakeholder processes on cybersecurity, convening cross-sector working groups with a focus on resilience in a vulnerable ecosystem.
Tomo Ito has been working as a vulnerability information coordinator at JPCERT/CC for 4 years. His current focuses include international collaborations regarding vulnerability coordination topics with organizations around the globe.
The value of transparency around third-party software component use is becoming increasingly apparent. Understanding what makes up our software can help those who make software, those who buy it, and those who operate it. The increasingly popular idea of a 'software bill of materials' (SBOM) can drive real change. Yet risk aversion, culture, and inertia pose obstacles for broader adoption across the global software ecosystem, in the open source world, and in the commercial world. Government regulation is probably not the answer, but industry-wide and international coordination can play a key role in helping promote transparency. This presentation will share two different perspectives on the gaps for SBOM adoption, and how two very different organizations (NTIA in the US and JPCERT/CC in Japan) are helping to establish transparency. We will highlight the broader social benefits identified from software transparency and SBOM use, and the roles of coordinators in our respective countries. We'll also identify the obstacles and gaps that are common, and those that differ, and the strategies for bridging these gaps.
Chung Kuan Chen (CyCraft Technology, TW)
Chung-Kuan Chen/Bletchley is currently a senior researcher at CyCraft, where he is responsible for organizing the research team. He earned his PhD in Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerabilities, malware and program analysis. As founder of the NCTU hacker research clubs, he trains students to participate in world-class security contests, and has participated in the DEFCON CTF twice. He has also given technical presentations at non-academic conferences such as HITCON, RootCon, CodeBlue OpenTalk and VXCON. An active member of the Taiwan security community, he sits on the review committee of the HITCON conference and is the former chief of CHROOT, the top private hacker group in Taiwan. He organized the BambooFox Team to take part in bug bounty programs, discovering several CVEs in COTS software and several vulnerabilities in campus websites.
To cope with the exponential growth of security incidents, automatic threat hunting via machine learning (ML) is increasingly being employed. The huge number of false positive security alerts can thus be removed more efficiently, leaving only the most severe incidents to be analyzed by human analysts. However, the complicated threat hunting process cannot be solved by one single ML component; an ML pipeline, consisting of several ML components, should be constructed. In this talk, we explain the technical details behind an AI-based threat hunting engine. We will introduce our trial and error procedure during the development of the system, and highlight the mistakes and challenges we encountered. Despite an imbalance in the data size, which makes pure supervised machine learning inefficient, unsupervised learning, graph algorithms and NLP techniques can be utilized. We demonstrate that although a single event cannot fully reveal a threat, by connecting the related events and illustrating the whole cyber storyline, important details of the threat can be uncovered. Additionally, some ML-based methods that can help with forensics and malware reverse engineering are also introduced.
Nicholas Liu (Air Force Computer Emergency Response Team, US)
First Lieutenant Nicholas Liu currently serves as the Officer-in-Charge of Current Operations for the Air Force Computer Emergency Response Team (AFCERT). He oversees day-to-day cyberspace security and defense for the enterprise Air Force Information Network. Prior to serving in his current role, he served as Chief of Incident Response and as a Tier 1 network analyst. Lieutenant Liu is a graduate of the Air Force Academy and Columbia University, with a Bachelor of Science in Military and Strategic Studies and a Master of Arts in Regional Studies: East Asia, respectively.
Large-scale entities have a global network presence, requiring the employment of multiple cybersecurity organizations and teams. In entities such as the United States Air Force, these organizations and teams have different maturity levels, responsibilities, and operating procedures. This creates a wicked problem when trying to synchronize disparate organizations toward the common goal of securing an enterprise-level network. The purpose of this presentation is to highlight the Air Force Computer Emergency Response Team's (AFCERT's) implementation of military operational and organizational methodologies to overcome this wicked problem. Specifically, this presentation showcases the concept of mission command to build a team of teams, with the ultimate goal of securing a network. By creating an intent-driven environment, the AFCERT was able to synchronize different organizations' capabilities in an efficient manner that transcended organizational culture. This will be highlighted in two different case studies: one in which mission command was deliberately planned in support of a threat hunt, and one in which mission command proved critical to incident response.
Marie Moe (SINTEF, NO)
Dr. Marie Moe cares about public safety and securing systems that may impact human lives. Marie recently joined mnemonic as a senior consultant in threat intelligence and incident response. Before this she was a senior scientist and research manager for the Infosec research group at SINTEF. She is also an associate professor at the Norwegian University of Science and Technology, where she teaches a class on incident response. She has experience as a team leader at the Norwegian Cyber Security Centre NorCERT, where she did incident handling of cyberattacks against Norway’s critical infrastructure. She is known for doing research on the security of her own personal critical infrastructure, an implanted pacemaker that is generating every single beat of her heart. Marie has been a proud member of the FIRST community since 2011, and this will be her fourth time presenting at the Annual FIRST Conference.
The independent research institute SINTEF has performed an empirical study of cyber incident response readiness in the Norwegian petroleum industry. This talk will present results from the interview study, which included 12 subject area experts in oil and gas companies and drilling operators, plus 8 subject area experts in national and international CERT teams. The study shows that smaller actors suffer from limited collaboration, especially in active incidents or crises. Oil and gas companies and drilling companies share information and experience in various (virtual) meeting places and forums organized by external actors, but there is little focus, especially among the smaller companies, on systematic sharing of information and experiences of cyber incidents. There is a wish for a more proactive CERT function and particularly for an information sharing center (ISAC). Not all oil and gas companies or drilling rig operators distinguish between cybersecurity incidents in IT and OT systems, and views vary widely concerning who is responsible for security in and between IT and OT. The results of this study were published in a Norwegian report in 2019 by SINTEF and the Norwegian Petroleum Safety Authority, but they have yet to be presented to a wider, international audience.
November 18, 2020 13:55-14:10
Andras Iklody (CIRCL, LU), Trey Darley (CERT.be, BE)
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
During his many years working in infosec Trey has instigated constructive mischief across a wide swathe of organizations and sectors. As part of the CERT.be team he leverages his deep background in CTI to build and deploy tools to protect Belgium as well as the wider community.
Trey serves alongside Richard Struse as co-chair of the OASIS Cyber Threat Intelligence (CTI) Technical Committee responsible for the STIX and TAXII standards. His articles have been featured in publications such as IEEE Security and Privacy and USENIX ;login:, and he has presented at a number of security conferences, including O'Reilly Security, BruCON, USENIX LISA, RSAC, and various FIRST events.
Sharing threat information has become commonplace these days, but it typically amounts to little more than sharing raw indicators of compromise, which is of limited utility for most recipients. The information most sought after is the context that explains why it's relevant, how we're supposed to use it, and how it was obtained. Just as the introduction of means of making astronomical observations outside the visible light spectrum advanced our understanding of the cosmos surrounding us by orders of magnitude, so adding currently invisible context to our threat data promises to increase our situational awareness of our risk exposure. Let's bust out a bigger box of crayons and start coloring outside the lines!
Ronald Deibert (University of Toronto, CA)
Ron Deibert, (OOnt, PhD, University of British Columbia) is Professor of Political Science, and Director of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto. The Citizen Lab is an interdisciplinary laboratory focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security. He was a co-founder and a principal investigator of the OpenNet Initiative (2003-2014) and Information Warfare Monitor (2003-2012) projects. Deibert was one of the founders and (former) VP of global policy and outreach for Psiphon, one of the world’s leading digital censorship circumvention services.
As Director of the Citizen Lab, Deibert has overseen and been a contributing author to more than 120 reports covering path-breaking research on cyber espionage, commercial spyware, Internet censorship, and human rights. These reports include the landmark Tracking Ghostnet report (which uncovered an espionage operation that infiltrated the computer networks of hundreds of government offices, NGOs, and other organizations, including those of the Dalai Lama), China’s Great Cannon (an offensive tool used to hijack digital traffic through Distributed Denial of Service attacks), the Kingdom Came to Canada (an investigation of a Canadian permanent resident, Saudi dissident, and Khashoggi colleague who was targeted with commercial spyware), and the Reckless Series (an investigation into the abuse of commercial spyware to target journalists, anti-corruption advocates, and public health officials in Mexico). These reports have been cited widely in global media, garnering 25 front-page exclusives in the New York Times, Washington Post, and other leading outlets, and have been cited by policymakers, academics, and civil society as foundational to the understanding of digital technologies, human rights, and global security.
Political struggles in and through the global Internet and related technologies are entering a particularly dangerous phase for openness, security, and human rights. A growing number of governments and private companies have turned to "offensive" operations, with means ranging from sophisticated and expensive to home-grown and cheap. A large and largely unregulated market for commercial surveillance technology is finding willing clientele among the world's least accountable regimes. Powerful spyware tools are used to infiltrate civil society networks, targeting the devices of journalists, human rights defenders, minority movements, and political opposition, often with lethal consequences. Meanwhile, numerous disinformation and harassment campaigns are feeding intolerance and even violence, largely without mitigation. Drawing from the last decade of research of the University of Toronto's Citizen Lab, I will provide an overview of these disturbing trends and discuss some pathways to repairing and restoring the Internet as a sphere that supports, rather than diminishes, human rights.
November 16, 2020 10:00-11:00
Vincent Le Toux (VINCI, FR)
Vincent Le Toux works at a French utility at the edge of management and the blue team. He is the author of PingCastle, an Active Directory security tool. He has also made many open source contributions to projects such as mimikatz, OpenPGP, OpenSC, the GIDS applet, etc. Finally, he has already presented at security events, mainly FIRST, BlueHat, BlackHat, Troopers and Hack In Paris.
With my limited budget and resources, I was already dealing with multiple projects such as SOC, vulnerability scanner, ... and incidents. But new actors such as BitSight, Cyrating, SecurityScorecard are meeting my top management and getting their rating solution sold. Now, it's up to me to fix the issues reported by these tools. And I did it ... twice with two different providers. In this talk, I'll detail how cyber rating companies are building their score, and what the computation differences are. I'll also share the experience I got in remediation: if you think about having an Excel file to track the issues, or delegating it, you are completely wrong! I'll also zoom into an unexpected benefit: getting management attention and managing shadow IT.
November 16, 2020 11:20-11:50
Daniel Lunghi (Trend Micro, FR), Jaromir Horejsi (Trend Micro, CZ)
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years, and now focuses on tracking advanced threat actors from all over the world.
In order to achieve their espionage goals, threat actors need a mechanism to exfiltrate data from their targets. Malware developers have a multitude of choices to achieve this task, among which are the design and implementation of a custom communication protocol, and the use of an existing protocol offered by various cloud services.
In this presentation, we will first discuss the benefits and limitations of implementing a custom communication protocol. Then, we will explore cases of targeted attacks we investigated thoroughly where the attackers abused third-party cloud services, such as Dropbox, GitHub, Telegram, or Slack. For each case, we will give an overview of the communication protocol and some implementation details, and we will discuss how we, as defenders, can leverage them to our advantage. There will be clear examples of information we obtained using these techniques, highlighting the different opportunities opened up by each cloud service for researchers.
Furthermore, the mentioned campaigns involve not only Windows malware but also Android malicious mobile applications, and our research shows cloud service abuse is a worldwide trend. With this presentation, we hope to give valuable inputs to defenders facing such threats.
June 22, 2020 14:30-15:00
Yang Xu (QIHOO 360, CN)
Yang is a Cyber Security Senior Expert at Netlab360 (Network Security Research Lab, Qihoo 360, http://netlab.360.com/), where he focuses on PDNS, web and network data processing and analysis, and on threat research such as DDoS monitoring and threat hunting.
Before joining NetLab, he was a Security Engineer at NSFOCUS and was involved in many different projects, such as SOC (security operation center) architecture design and implementation, and network traffic anomaly detection.
We have run China's biggest PDNS database for over 5 years. Combined with other data like URL and OSINT, we've built a comprehensive data anomaly detection system. The data anomaly is our "needle in the haystack", which triggers our analysis process and then helps us hunt threats fast and fully. Data anomalies span many dimensions, from NOD (newly observed domain) to NAD (newly active domain), from a new URL pattern to new JS keywords, from statistics-based anomalies to relation-based anomalies, etc. With this "data anomaly visibility", we achieved our "threat visibility". Over the last few months, we have used it focusing on web threat discovery. We've hunted over 5M cybercrime resources; more than 10k compromised websites injected with dozens of new JS scripts; 30+ credit card leakage IOCs, most of which had never been reported before; and many other threats.
Denise Anderson (H-ISAC and National Council of ISACs, US), Jeff Troy (Aviation ISAC (A-ISAC), US), Jim Linn (Downstream Natural Gas ISAC (DNG-ISAC), US), Kim Milford (Research and Education ISAC (REN-ISAC), US), Scott Algeier (IT-ISAC and ICASI, US)
Denise Anderson, MBA, is President of the Health Information Sharing and Analysis Center (H-ISAC), a non-profit organization dedicated to protecting the health sector from physical and cyber attacks and incidents through dissemination of trusted and timely information. Denise currently serves as Chair of the National Council of ISACs, sits on the Board of Directors for the Global Resilience Federation (GRF) and participates in a number of industry groups and initiatives. She was recently elected to a 3-year term on the Cyber Working Group Executive Committee for the Health and Public Health Sector Coordinating Council. In addition, she has served on the Board and as Officer and President of an international credit association, and has spoken at events all over the globe.
Denise was certified as an EMT (B), and Firefighter I/II and Instructor I/II in the state of Virginia for twenty years and was an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia for ten years.
She is a graduate of the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.
Over the past three years, Jeff developed the A-ISAC comprehensive strategy, led the team's expansion of the Aviation ISAC's services, and tripled membership. He established relationships with global regulators, industry associations, and private sector companies to drive cyber risk reduction across the aviation ecosystem. Concurrently, Jeff is employed by General Electric and is on the Board of Directors of the National Defense ISAC. ND-ISAC provides cutting-edge cyber security training, intelligence development and a trusted information sharing environment for US cleared defense contractors.
Jeff spent 25 years as a Special Agent of the FBI. He retired as the Deputy Assistant Director for Cyber National Security and Cyber Criminal Investigations.
Jim has spent the past 30 years of his career in Information Technology and Cybersecurity management with several non-profit organizations in the Washington, DC area. He is currently Chief Information Officer for the American Gas Association (www.aga.org), and has worked there for the past twenty years. Prior to that he spent eight years as IT Director for the Chemical Manufacturers Association. He planned IT projects and set technical direction for both of these organizations. In addition, he is a Certified Chief Information Security Officer, Certified Information Systems Security Professional, Certified Association Executive, Certified Information Systems Auditor, and holds many other industry certifications.
In recent years Jim has split his time between internal IT responsibilities and industry responsibilities. Jim is the information technology cybersecurity subject matter expert for AGA’s Cybersecurity Strategy Task Force. In this capacity he has administered cybersecurity reviews with a number of natural gas utilities and also serves as Executive Director for the Downstream Natural Gas ISAC (https://www.dngisac.com/). He is the staff executive for AGA’s Customer Service Committee and Technology Advisory Council. In these capacities he serves senior leaders in the fields of Customer Service and Information Technology within the natural gas distribution industry. The Customer Service area includes an annual benchmarking effort, two workshops and a large conference. The Information Technology area includes two council meetings annually.
Jim has a B.S. degree in Computer Systems Management from Drexel University and an M.B.A. from Drexel University.
Jim has been married to his wife, Marianne, for the past 30 years and lives in Gaithersburg, Maryland. They have three children, Joanna, 26, James, 22, and Jonathan, 20.
Kim Milford serves as Executive Director of the REN-ISAC, working with research and education institutions, partners, and sponsors to provide services and information that allow member institutions to better defend technical environments from cyberthreats. Ms. Milford oversees administration and operations for the REN-ISAC. Ms. Milford served in several roles leading strategic IT initiatives from 2007 at Indiana University. As Chief Privacy Officer, she coordinated privacy-related efforts, chaired the Committee of Data Stewards, and directed the work of the University Information Policy Office and IU's IT incident response team. Prior to joining Indiana University, Ms. Milford worked as Information Security Officer at the University of Rochester. As Information Security Manager at the University of Wisconsin-Madison from 1998 to 2005, she assisted in establishing the university's information security department and co-led the development of an annual security conference. Ms. Milford provides cybersecurity expertise and presentations at national and regional conferences, seminars and consortia, has taught courses on Internet security, and has authored/co-authored many articles on the subject. Ms. Milford has a B.S. in Accounting from Saint Louis University in St. Louis, Missouri and a J.D. from John Marshall Law School in Chicago, Illinois.
Scott C. Algeier works at the intersection of cybersecurity policy and operations. He is the Founder, President and CEO of the cybersecurity consulting firm Conrad, Inc., Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC), and Executive Director of the Industry Consortium for Advancement of Security on the Internet (ICASI).
The IT-ISAC is a non-profit organization that enables companies to better manage cyber risks to their corporations and the IT infrastructure. As Executive Director, Scott’s responsibilities include the daily management of the organization, developing and implementing enhanced information sharing and analysis capabilities, facilitating cyber incident response across the IT-ISAC member companies, and establishing and maintaining effective partnerships. He is the IT-ISAC’s principal spokesperson, representing the organization to the public, senior leadership at the U.S. Department of Homeland Security (DHS), the U.S. Congress and international organizations.
Scott also is an Officer of the IT Sector Coordinating Council and served as Vice Chair of the National Council of ISACs and as industry Chair of the IT Sector Risk Assessment Committee, which developed the first ever public-private risk assessment of critical IT functions.
Experts in information sharing will discuss how sharing information across the critical infrastructure sectors occurs and will look at the challenges faced, the benefits received, and the role ISACs and information sharing play in incident response. The session will look at case studies of successful information sharing in cyber and physical incidents, including an analysis of case studies of effective sharing and collaboration that mitigated threats. Discussion will also center on the sharing and collaboration that takes place between the public and private sectors.
Dr. Paul Vixie (Farsight Security, US)
Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, CEO and cofounder of Farsight Security, Inc. Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source Internet software including BIND 8, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first commercial anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). In 2018, he cofounded SIE Europe UG, a breakthrough European data sharing collective to fight cybercrime. Dr. Vixie earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010.
DNS over HTTPS deliberately redraws the Web's political map in favour of web content publishers and web users, possibly disenfranchising ISPs, law enforcement, and managed private networks who have legal and/or moral rights to monitor or filter DNS transactions. RFC 8484 states that DNS over HTTPS (DoH) is "designed to prevent on-path interference in DNS operations", which is a confrontational and controversial goal. Mozilla for Firefox has chosen a different deployment strategy than Google for Chrome; but is that necessary? In this 40-minute presentation, Dr. Vixie will briefly explain how we got here and where we are, and offer some alternative strategies for further deployment.
Sami Mokaddem (CIRCL, LU)
Sami Mokaddem is a security software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He graduated from the U. Catholique of Louvain in 2017 as a computer engineer and has been working at CIRCL, the CERT for the private sector in Luxembourg since then. His activities oscillate between software development, giving trainings, publishing papers and playing video games.
Nowadays, sharing information about threats is crucial during cybersecurity incidents to stay on top of the threats and to better protect ourselves. We have observed that organizations regardless of their sector, CERTs/CSIRTs and the like are sharing more and more, leading to a significant increase in data, where issues such as data quality, trust and data freshness must be dealt with. To solve these issues, this presentation introduces a method with a flexible model to score IoCs, along with a production-ready implementation in MISP, providing new ways of managing the IoC life-cycle. Attendees interested in having filtered, actionable data, or wanting to prioritize IoCs based on their assessed quality and freshness, will be presented with the key points of our solution, with real-life examples illustrating the usefulness of the concept.
June 25, 2020 10:00-10:30
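The abstract above describes scoring IoCs on quality and freshness so that a consumer can filter or prioritise them. The following is an added example written for this page, not CIRCL's or MISP's own code: it combines a source-quality base score with a time decay that is reset by sightings. The decay formula score(t) = base × (1 − (t/lifetime)^(1/decay_speed)), the tag weights and the sample indicators are assumptions constructed for the illustration.

```python
"""Added example: decay-based IoC scoring (not CIRCL's or MISP's own code).

The formula score(t) = base * (1 - (t / lifetime) ** (1 / decay_speed)) is an
assumption used here to illustrate freshness decay; the tag weights and the
sample indicators are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class DecayModel:
    name: str
    lifetime_days: float   # tau: age at which the score reaches 0
    decay_speed: float     # delta: >1 keeps the score high early, then drops fast
    threshold: float       # below this the indicator is no longer actionable


@dataclass
class Indicator:
    value: str
    ioc_type: str
    first_seen: datetime
    tags: Tuple[str, ...] = ()
    sightings: List[datetime] = field(default_factory=list)  # later confirmations


# Constructed weights (0-100) expressing source reliability per tag. Assumption:
# a real deployment would derive these from a taxonomy's numerical values.
TAG_WEIGHTS: Dict[str, float] = {
    'admiralty-scale:source-reliability="a"': 100.0,
    'admiralty-scale:source-reliability="b"': 75.0,
    'admiralty-scale:source-reliability="c"': 50.0,
    'admiralty-scale:source-reliability="e"': 10.0,
}


def base_score(tags: Sequence[str], weights: Dict[str, float] = TAG_WEIGHTS) -> float:
    """Quality part of the score: mean weight of the known tags, 50 if none apply."""
    known = [weights[t] for t in tags if t in weights]
    return sum(known) / len(known) if known else 50.0


def age_days(ioc: Indicator, now: datetime) -> float:
    """Freshness part: age since the most recent sighting (or first_seen)."""
    latest = max([ioc.first_seen, *ioc.sightings])
    return max(0.0, (now - latest).total_seconds() / 86400.0)


def decayed_score(base: float, age: float, model: DecayModel) -> float:
    """score(t) = base * (1 - (t/tau)^(1/delta)), clamped to [0, base]."""
    if age <= 0:
        return float(base)
    if age >= model.lifetime_days:
        return 0.0
    return base * (1.0 - (age / model.lifetime_days) ** (1.0 / model.decay_speed))


def score(ioc: Indicator, model: DecayModel, now: datetime) -> float:
    return decayed_score(base_score(ioc.tags), age_days(ioc, now), model)


def triage(iocs: Sequence[Indicator], model: DecayModel, now: datetime) -> List[Tuple[str, float]]:
    """Actionable indicators only, best first: the filtered feed an analyst would consume."""
    scored = [(i.value, round(score(i, model, now), 2)) for i in iocs]
    return sorted([s for s in scored if s[1] >= model.threshold], key=lambda s: -s[1])


# Constructed demo data
NOW = datetime(2020, 6, 25, 10, 0, tzinfo=timezone.utc)
IP_MODEL = DecayModel("ip-dst-default", lifetime_days=30.0, decay_speed=3.0, threshold=20.0)
SAMPLE = [
    Indicator("198.51.100.7", "ip-dst", NOW - timedelta(days=3.75),
              ('admiralty-scale:source-reliability="a"',)),
    Indicator("203.0.113.9", "ip-dst", NOW - timedelta(days=29),
              ('admiralty-scale:source-reliability="a"',)),       # reliable but stale
    Indicator("192.0.2.44", "ip-dst", NOW - timedelta(days=29),
              ('admiralty-scale:source-reliability="a"',),
              sightings=[NOW - timedelta(days=1)]),              # a sighting resets the clock
    Indicator("198.51.100.200", "ip-dst", NOW - timedelta(days=2),
              ('admiralty-scale:source-reliability="e"',)),       # fresh but unreliable source
]

if __name__ == "__main__":
    for value, s in triage(SAMPLE, IP_MODEL, NOW):
        print(f"{value:16} {s:6.2f}")
```

With these constructed values the stale indicator and the unreliable one fall below the threshold and drop out of the feed, while the old indicator with a recent sighting is scored as fresh again; the decay speed and lifetime are per-type knobs, so a hash can be kept for months while an IP decays within weeks.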
Anna Bertiger (Microsoft, US), Holly Stewart (Microsoft, US), Sharada Acharya (Microsoft, US)
Anna Bertiger is a Senior Data and Applied Scientist at Microsoft Defender Advanced Threat Protection. She focuses on lateral movement detection for the EDR product and also works on cross product responsible AI efforts. Before becoming a data scientist, Anna was an academic mathematician, receiving a PhD in mathematics from Cornell University in 2013 and holding a postdoctoral fellowship in the Department of Combinatorics and Optimization at the University of Waterloo.
Holly has been in the security industry since 1997. She’s held roles in many types of disciplines, such as product and program management, incident response, communications, and data science. She started working for Microsoft in 2010. Currently, she is a Principal Research Manager for the Windows Defender Advanced Threat Protection team. Her team of researchers and data scientists use machine learning, automation, and other next generation capabilities to protect people from malware.
Sharada is a Senior Applied Scientist on the Microsoft Information Protection team. The focus of her work is building solutions that help Microsoft customers meet their compliance requirements, such as GDPR and HIPAA, which gives her an opportunity to wear the customer hat and make privacy and compliance practically possible at scale. Before joining Microsoft in 2015, she was a graduate student at Columbia University, New York, studying Machine Learning and Natural Language Processing.
Defenders and security vendors have turned to AI to scale defenses and identify targeted attacks. AI at this scale requires data, lots and lots of it. Any AI practitioner will tell you that the more data you feed the system, the better it will perform, especially when it comes to deep learning approaches. As defenders, we strive to collect the best information to train our AI to help the people that matter. Does it come at the cost of privacy? What do you do when these two things are at odds? Do you sacrifice data collection for privacy, knowing detection and protection will suffer? Do you fight for the data you know you need, but risk a backlash on privacy and trust? At Microsoft, we have an internal saying, "Microsoft runs on trust". We have to be trusted by our customers, by our partners, and by the governments and institutions that we work with globally. Yet still, we are enlisted to keep them safe - over a billion of them! In this session, we will discuss the challenges we face, the lessons we've learned, and the techniques of today and the future that can deliver on both promises: privacy AND security.
November 16, 2020 13:30-14:00
Chieh-Fang Lai (Panasonic Corporation, TW), Satoru Higuchi (Panasonic Corporation, JP)
Chieh-Fang Lai:
• Security Analyst at Panasonic (2019-now)
• Security Analyst at ForceShield Inc. (2017-2019)
• Embedded Engineer at Ruckus (2016-2017)
• Security Engineer at ICST (2014-2016)
• Co-founder of HITCON GIRLS
• CyberSec speaker in 2017 and 2019
• HITCON speaker in 2015
• Certifications: CEH, GREM, ISO 27001, ISO 20000
Satoru Higuchi: Satoru Higuchi is a member of the Product Security Global Strategy Department in the Product Security Center at Panasonic. He started his career at JPCERT/CC. He worked for several companies as a managed network service provider, SOC vendor, etc. After joining Panasonic in 2018, he has focused on improving security for IoT systems by delivering Product security training for internal developers, and collecting/analyzing threat intelligence related to IoT.
Whether at home or in the workplace, we are increasingly reliant on devices that can connect to the Internet, commonly referred to as the Internet of Things (IoT). As a product manufacturer, Panasonic strives to place secure products on the market for our users.
As IoT has become more and more popular, Panasonic has devoted time to understanding the threats against IoT and their associated risks. One project aimed at this is a threat intelligence system made of a physical honeypot, a software honeypot and a sandbox. Software honeypots are commonly used by security teams, but at Panasonic we have been able to take advantage of the devices we manufacture, using not only real appliances on the market but also unreleased products as physical honeypots.
As a result, we have been able to collect information on attacks targeting our devices. To date, our system has detected over 179 million attacks and collected over 25,000 malware samples. Of the collected malware samples, about 4,800 targeted IoT devices, of which over 20% were not in VirusTotal at the time of collection.
In this session, we will talk about the architecture of our honeypot, then discuss the types of malware we have seen through our physical honeypot and share some data from our analysis of the attacks. Our ultimate goal being the manufacture of cyber resilient IoT devices, we will discuss how our findings can be used by product development teams, along with other findings from this project.
Jean-Robert Hountomey (AfricaCERT), Yukako Uchida (JPCERT/CC, JP)
A researcher at heart, Jean-Robert Hountomey's research focuses on law, technology, and Internet governance issues. An Internet pioneer in West Africa, he is also a founding member of the Africa Forum of Computer Security and Incident Response Teams (AfricaCERT) and the African Anti Abuse Working Group. He has worked with government officials, industry, and academia on Internet policy issues, capacity building, information security, product security, secure software development life cycle, and privacy risk management for two decades. He has contributed to the PSIRT and Multi-Vendor Coordination frameworks of the Forum of Incident Response and Security Teams (FIRST), the CVE Outreach and Communications Working Group (OCWG), the African Union Cybersecurity Expert Group, the Interpol Africa Working Group, the UN Open-Ended Working Group (OEWG), ICANN, ISOC, AfriNIC, AfNOG and AfrISPA.
Yukako Uchida is the Leader of Global Coordination Division at Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). She is responsible for international collaboration activities with overseas Cyber Security Incident Response Teams (CSIRTs), mainly in the Asia Pacific region. She acts as the point of contact for Asia Pacific Computer Emergency Response Team (APCERT), for which JPCERT/CC serves as the Secretariat, and is in charge of administrative duties.
She also contributes to JPCERT/CC’s English Blog both as an author and a translator, which provides updates about its latest international activities, cyber security trends and technical observations (https://blogs.jpcert.or.jp/).
The essence of cyber security is defending a wide range of stakeholders, hence the importance of information sharing with peers. In parallel to FIRST's global approach to bring CSIRTs from all over the world together, there are also regional CSIRT communities, such as APCERT in the Asia-Pacific region and AfricaCERT in Africa. Each regional body makes efforts to raise CSIRTs' capability in the area and bolster the collaboration among its members. It also aims to work as a bridge to international fora such as FIRST and other regional CSIRT communities. This session invites panellists from different regional CSIRT communities to discuss what current practices in each regional body exist, how they aim to improve their capability respectively and how these activities can potentially improve the cyber security posture in the global context.
Yu Kai Tan (SG)
Yu Kai Tan is a Senior Incident Responder at gojek. Prior to that, he spent 1 year and 5 years respectively at VMware and a Singapore Government agency performing computer forensics and IR. He believes in contributing back to the community and has released multiple open-source scripts such as ArtifactExtractor, evtx2json, autoripy, and registryFlush.
Endpoint Detection and Response (EDR) solutions have brought unprecedented visibility into events occurring on network hosts. Incident responders are now increasingly reliant on them to complete their investigations, and can often do so without collecting forensic artefacts from these hosts for further analysis. Forensic artefacts, on the other hand, have often been the bane of responders and analysts: their availability and value differ across operating system versions, and the parsed output of different tools frequently has to be validated and compared to ensure accuracy. Given this situation, can incident responders finally stop the never-ending race of keeping up to date on forensic artefacts and rely fully on the detection and response capabilities of EDR? This presentation addresses that question and argues that knowledge and analysis of forensic artefacts are still necessary. It compares the value provided by EDR events with that of forensic artefacts, and introduces self-created open-source scripts that bring the best of both worlds.
Jose Hernandez (Splunk, UM), Patrick Bareiss (Splunk, DE)
José is a Principal Security Researcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDoS attacks from "Anonymous" and "LulzSec" against Fortune 100 companies. As an engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web-application attacks. While working at Splunk as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. He has also built security operation centers and run a public threat-intelligence service. Although security information has been the focus of his career, José has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote-control vehicle called the SensorSub, which was used to test and measure toxicity in Miami's waterways.
Patrick Bareiss, Senior Security Researcher at Splunk, is a passionate security researcher in the field of detection engineering. He combines his knowledge of IT security with his coding skills to develop powerful open source tools, such as Attack Range. Before Splunk, Bareiss developed the detection framework for the SOC of Airbus Defence and Space. He is a frequent speaker at security conferences.
Well-developed detection rules provide strong signals of anomalous and potentially malicious activity. Poorly developed detection rules flood analysts with low-value alerts and are a cause of alert fatigue. This talk will introduce detection rule development using Continuous Integration and Continuous Delivery (CI/CD) to improve the quality of the rules created and accelerate the rule development process.
The later you find a bug in your detections, the more expensive it is to fix! Therefore, the presenters will introduce CI pipelines using CircleCI to proactively find bugs in detection rules before they are deployed to production. To successfully test the effectiveness of a detection you need a lab and an attack simulation engine. Attack Range combines both a lab and attack simulation in an easy-to-use tool. The presenters will introduce Attack Range and show how to integrate it into a CI/CD pipeline to automatically test detections.
Lastly, the presenters will share how CD can automatically deliver the detection rules to the SIEM, either as a package or over an API.
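The CI stage described above catches rule defects before deployment. The following is an added example written for this page, not code from Splunk, Attack Range or any security content repository: a lint step that a CI job would run over every detection rule in a repository before any lab-based test is attempted. The rule layout (name, id, description, search, tags), the backtick macro convention, the list of known macros and the two sample rules are constructed assumptions.

```python
"""Added example: a CI lint step for detection rules (not Splunk's security content
or Attack Range code). Rule layout, macro list and sample rules are constructed."""
import re
from collections import Counter
from typing import Dict, List, Sequence

REQUIRED_FIELDS = ("name", "id", "description", "search", "tags")
UUID4_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\([^`]*\))?`")   # `macro` or `macro(args)` in SPL
ATTACK_RE = re.compile(r"^T\d{4}(\.\d{3})?$")               # ATT&CK technique / sub-technique id

# Macros the target environment defines (assumption: in practice read from the deployed macros)
KNOWN_MACROS = {"sysmon", "security_content_ctime", "windows_security"}


def lint_rule(rule: dict, known_macros=KNOWN_MACROS) -> List[str]:
    """Return a list of findings; an empty list means the rule passes."""
    findings: List[str] = []
    for f in REQUIRED_FIELDS:
        if not rule.get(f):
            findings.append(f"missing field: {f}")
    rid = str(rule.get("id", ""))
    if rid and not UUID4_RE.match(rid):
        findings.append(f"id is not a UUIDv4: {rid}")
    search = str(rule.get("search", ""))
    for macro in MACRO_RE.findall(search):
        if macro not in known_macros:
            findings.append(f"unknown macro `{macro}` (would fail at search time)")
    if re.search(r"\bindex=\*", search):
        findings.append("search scans every index (index=*); scope it with a data macro")
    if search.count("`") % 2:
        findings.append("unbalanced backticks in search")
    tags = rule.get("tags") or {}
    for tid in tags.get("mitre_attack_id", []):
        if not ATTACK_RE.match(str(tid)):
            findings.append(f"malformed ATT&CK id: {tid}")
    if not tags.get("analytic_story"):
        findings.append("rule is not linked to any analytic story")
    return findings


def lint_catalog(rules: Sequence[dict], known_macros=KNOWN_MACROS) -> Dict[str, List[str]]:
    """Lint every rule and additionally flag ids reused across rules."""
    keyed = [(r.get("name") or f"<unnamed rule #{i}>", r) for i, r in enumerate(rules)]
    report = {name: lint_rule(r, known_macros) for name, r in keyed}
    id_counts = Counter(r.get("id") for _, r in keyed if r.get("id"))
    dup_ids = {rid for rid, n in id_counts.items() if n > 1}
    for name, r in keyed:
        if r.get("id") in dup_ids:
            report[name].append(f"duplicate id {r['id']}")
    return report


def ci_gate(rules: Sequence[dict], known_macros=KNOWN_MACROS) -> bool:
    """True when the whole catalog is clean; a CI job exits non-zero otherwise."""
    return all(not f for f in lint_catalog(rules, known_macros).values())


# Constructed sample rules: one that passes, one that exhibits the typical defects
GOOD_RULE = {
    "name": "Suspicious rundll32 with no DLL argument",
    "id": "3bc0b4b1-2a3f-4c1d-9b1e-5d0a9c2f7e11",
    "description": "rundll32.exe launched without a DLL argument, a common loader tell.",
    "search": "`sysmon` EventCode=1 process_name=rundll32.exe NOT CommandLine=*.dll* "
              "| stats count min(_time) as firstTime by dest, user, CommandLine "
              "| `security_content_ctime(firstTime)`",
    "tags": {"mitre_attack_id": ["T1218.011"], "analytic_story": ["Living Off The Land"]},
}
BAD_RULE = {
    "name": "Any process from temp",
    "id": "not-a-uuid",
    "search": "index=* process_path=*Temp* | `nonexistent_macro` | stats count by dest",
    "tags": {"mitre_attack_id": ["TA0002"], "analytic_story": []},
}

if __name__ == "__main__":
    for name, findings in lint_catalog([GOOD_RULE, BAD_RULE]).items():
        print(name, "->", findings or "OK")
    raise SystemExit(0 if ci_gate([GOOD_RULE, BAD_RULE]) else 1)
```

The exit status is what the pipeline consumes: a failing lint stops the job before the expensive step of standing up a lab and replaying an attack, and a clean lint is the precondition for that test rather than a replacement for it.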
Letitia Kernschmidt (BSI, DE), Michael Dwucet (BSI, DE)
Letitia Kernschmidt has a Master's Degree in Information Systems from the Vienna University of Economics and Business (WU). During her studies, she worked as a Cyber-Security Researcher at sba research, an Austrian research center for Information Security and received a scholarship to spend one semester at Carnegie Mellon University's Heinz College in Pittsburgh, USA. After graduation in 2017, she worked one year as a Freelance Software Engineer in the field of the Industrial Internet of Things until she became an Incident Handler at CERT-Bund, a section of the Federal Office for Information Security (BSI) in Germany.
Michael Dwucet graduated as a Diplom-Informatiker in Computer Science at the University of Bonn in 2008. After his graduation, he worked as an officer for the Federal Office for Information Security (BSI) in Germany. Beginning as an Incident Responder and later as an Incident Manager for the Computer Emergency Response Team for the Federal Government (CERT-Bund), he handled many high profile cases in the Government and in Critical Infrastructures. In addition, he was one of the main relation officers for the CERT and cooperated with many national and international bodies and communities. He is the FIRST representative for CERT-Bund and a regular conference attendee.
Since 2019, he is the head of the section "Mobile Incident Response Team" (MIRT) in the BSI. The MIRT is a dedicated team of senior incident response experts that can be rapidly deployed on site during major incidents in the Government and in Critical Infrastructures.
When a CSIRT encounters a large cross-border cyber security incident, e.g., a breach, ransomware, or APT campaign affecting several organisations/institutions in multiple countries, it might require the collaboration with other foreign parties (CSIRTs, law enforcement, etc.) to respond appropriately to the incident and to offer suitable help to the victims. Over the last years, CERT-Bund, the German National and Governmental CERT, has been involved in numerous cross-border cases of different scales, thereby experiencing the great benefits accompanying these cooperations, but facing also significant challenges, ranging from technical obstacles to cultural, legal, and team issues. Based on these experiences, CERT-Bund presented a document called "International Incident Handling Operating Procedures" (I2HOP), which is meant to be a comprehensive guideline for future cross-border cases, in which the national CSIRTs are the key players. This talk will give insights into the benefits and the challenges inherent in cross-border incident handling, the main lessons learned from CERT-Bund's past cases and how I2HOP ties it all together. It will focus on the five main phases illustrated by I2HOP and will showcase, inter alia, possible solutions, remaining challenges, ongoing work, and real life examples.
Ben Hawkes (Google, NZ)
Ben Hawkes is a founding member and technical lead of Google's 'Project Zero' security research team, where he helped develop the team's mission, strategy, and vulnerability disclosure policies. As a researcher, Ben discovered many vulnerabilities across a range of different software platforms (including Android, Linux, and Windows), and published research focused on vulnerability analysis and software exploitation. Prior to Project Zero, Ben worked on the security of Google's product launches, with a particular focus on virtualization and cloud security.
You've found a critical security vulnerability that affects hundreds of millions of users. How best can you protect the vulnerable population? Who should you tell, and how much should you tell them? This is the central policy problem that Google's Project Zero security research team faces every day: vulnerability disclosure.
In this presentation Ben Hawkes will untangle the vulnerability disclosure debate, provide insights based on Project Zero's experience from disclosing thousands of vulnerabilities, and share a path forward for improving vulnerability disclosure policy.
November 17, 2020 13:00-13:45
Mark Stanislav (Cisco (Duo Security), US)
Mark Stanislav is a Technical Leader in the Advanced Security Initiatives Group for Cisco. Stanislav has spoken internationally at over 100 events, including Black Hat, RSA, DEF CON, SOURCE Boston, Codegate, SecTor and THOTCON. His security research and initiatives have been featured by news outlets such as the Wall Street Journal, the Associated Press, CNET, Good Morning America and Forbes. Stanislav is the Author of the book Two-Factor Authentication. Stanislav holds a BS in networking and IT administration and an MS in technology studies focused on information assurance, both from Eastern Michigan University. During his time at EMU, Stanislav built the curriculum for two courses focused on Linux administration and taught as an adjunct lecturer for two years. Stanislav is currently pursuing his PhD in cybersecurity from Dakota State University. He holds CISSP, Security+, Linux+, and CCSK certifications.
Running a successful PSIRT often has much more to do with the human relationships involved -- internally and externally -- than with the technical issues you're trying to address. Whether working with a security researcher, bug bounty hunter, IT admin, or end-user, knowing your stakeholder is critical to a great outcome. This presentation dives into common personas -- archetypes, not stereotypes -- that a PSIRT will interact with on a long enough timeline. With an associated interaction framework, we explore how more desirable outcomes can be achieved by placing our stakeholders' motivations and needs at the forefront of the actions we consider. Using real-world examples and sharing perspective from nearly two decades in the information security community, this presentation is rooted in practical awareness that any PSIRT can draw on the next time it receives an email from a person it doesn't quite know how to work with. Incident response is hard enough without compounding issues stemming from poor interactions with third parties. Come hear how one PSIRT manages this interpersonal risk and what strategies your team can adopt to find a better way forward, too.
Yoshihiro Ishikawa (LAC Co., Ltd, JP)
Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC, where he is engaged in malware analysis and cyber threat intelligence, especially Advanced Persistent Threat (APT) attacks. He has spoken at APCERT, AVAR, Botconf and HITCON. He is also currently a Program Committee member of the Japan Security Analyst Conference hosted by JPCERT/CC in Japan.
Nowadays, with the growing interest in cryptocurrency (crypto assets), cyber attacks targeting this sector are taking place actively. Schemes that steal cryptocurrency by directly compromising the infrastructure of the entities holding it have increased, with reported damage of US$882 million: a huge amount of money illegally stolen, and a fact that cannot be ignored in the history of the cyber security industry. These attacks are still occurring.
We will explain our published research*1 about the techniques used by the adversary dubbed "HYDSEVEN", an alleged group behind these attacks, which has been under our investigation across several incidents reported since 2016. The investigation describes its intrusion chains: spear phishing with VBA macro tricks, the use of downloaders and fake software installers, exploitation of vulnerabilities and even 0-days, up to the use of RAT malware variants known as HYDSEVEN's NetWire and Ekoms/Mokes. The report summarises the TTPs (Tactics, Techniques and Procedures) and the MITRE ATT&CK mapping of the threat sequence, which can be used to mitigate this threat.
Additionally, we will disclose several new findings that are not covered in our previously published report, which are marked with NEW tags in the outline.
References: *1 https://www.lac.co.jp/english/report/2019/07/19_cec_01.html
June 25, 2020 11:15-11:45
Maarten Van Horenbeeck (Zendesk, US), Sherif Hashem (SUNY Polytechnic Institute, US)
Maarten Van Horenbeeck is Chief Information Security Officer at Zendesk and a Board Member of the Forum of Incident Response and Security Teams (FIRST). Prior to Zendesk, Maarten was Vice President of Security Engineering at Fastly and worked on the security teams at Amazon, Google and Microsoft. He holds a Masters Degree in Information Security from Edith Cowan University and a Masters Degree in International Relations from the Freie Universität Berlin. He is a fellow in New America's Cybersecurity Initiative, and lead expert to the IGF's Best Practices Forum on Cybersecurity.
Dr. Hashem is a Visiting Professor of Computer and Information Sciences at the SUNY Polytechnic Institute (SUNY Poly), New York-USA. Dr Hashem is a Senior IEEE member and an ISACA Certified Information Security Manager (CISM). Prior to joining SUNY Poly in 2019, Dr Hashem was the Chair Professor of Engineering Mathematics and Computer Science at the Faculty of Engineering, Cairo University, Egypt. Dr Hashem also held a joint appointment as the Vice President of the National Telecom Regulatory Authority (2013-18). Dr Hashem's professional and research interest includes Cybersecurity, Artificial Intelligence, Information Technology, and Management of Information Security. Dr Hashem is currently a member of the African Union’s Cybersecurity Expert Group (AUCSEG).
In this talk, we will discuss recent international efforts towards the creation of internationally recognized rules for a safer and more secure cyber space, with a special focus on the United Nations efforts through the newly established groups: 1) Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security; and 2) the Open-Ended Working Group (UN OEWG). We discuss the outcome of previous UN-GGE's reports that were adopted by the UN General Assembly, since 2010. We highlight the relevance of these reports and of the on-going efforts, to the FIRST community. We summarize the key issues that may affect the Incident Response teams. We emphasize the opportunities for an active role that FIRST.org and its membership can play to further support the process of creating and implementing the new rules, towards a safer and more secure cyber space.
November 16, 2020 13:30-14:00
Kevin Meynell (Internet Society, NL)
Kevin Meynell works at the Internet Society as the Manager of Technical and Operational Engagement supporting the deployment of key Internet technologies including Routing Security. He previously worked for JANET, the UK NREN, before joining TERENA (now the GÉANT Association) where he worked for the next 16 years on activities including the 6NET and 6DISS IPv6 deployment projects, eduroam, the Global Lambda Interconnect Facility, the TERENA Certificate Service and TF-CSIRT, as well having responsibilities for NREN Development Support in Eastern and Southern Europe, and Central Asia. After leaving TERENA, he worked as the Manager of the Shibboleth Consortium that develops the widely used Shibboleth web single sign-on software, before moving to APNIC as its Head of Training in 2014. He joined the Internet Society in October 2015.
There are over 65,000 networks comprising the Internet that exchange reachability information using the Border Gateway Protocol (BGP), but BGP is almost entirely based on trust, with no built-in validation of the legitimacy of routing updates. This causes many problems such as IP prefix hijacking, route leaks and IP address spoofing, and there have been a growing number of major incidents in the past few years. Solutions exist to address these issues, but securing one's own network alone does not necessarily make it more secure, since it remains reliant on other operators implementing these solutions too. The Mutually Agreed Norms for Routing Security (MANRS) initiative (https://www.manrs.org) therefore tries to address these problems by encouraging network operators, content providers and IXPs to subscribe to four actions: filtering, anti-spoofing, coordination and address prefix validation, and has developed resources to help them implement these. The MANRS Observatory was recently developed to help network operators view routing incidents that affect their networks, check the general routing health of networks, countries and regions, and provide a longer-term overview of whether routing incidents are getting better or worse.
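The "address prefix validation" action above rests on comparing a BGP announcement's origin AS against Route Origin Authorizations (ROAs). The following is an added example written for this page, not code from MANRS, the Observatory or any RPKI validator: it implements the RFC 6811 validation states (valid, invalid, not-found) and the filtering decision an operator would apply. The ROA set and the announcements are constructed, using documentation prefixes and private ASNs.

```python
"""Added example: RFC 6811-style route origin validation against ROAs (not code from
the MANRS project or any RPKI validator). The ROA set and announcements are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder authorises
    asn: int         # authorised origin AS; 0 means "nobody may originate this"


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one (prefix, origin AS) pair."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering: List[Roa] = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route lies inside the ROA prefix (same family).
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"            # no ROA covers this prefix at all
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"            # at least one ROA authorises this origin and length
    return "invalid"                  # covered, but by no ROA allowing this origin/length


def apply_rov(announcements: Iterable[Tuple[str, int]], roas: Iterable[Roa],
              drop_not_found: bool = False) -> Dict[str, List[Tuple[str, int, str]]]:
    """Split announcements into accepted and rejected, recording the validation state.

    Rejecting 'invalid' is the usual policy; rejecting 'not-found' would drop the
    large share of the routing table that has no ROA yet, so it is off by default.
    """
    roas = list(roas)
    result: Dict[str, List[Tuple[str, int, str]]] = {"accepted": [], "rejected": []}
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        bucket = "rejected" if state == "invalid" or (state == "not-found" and drop_not_found) else "accepted"
        result[bucket].append((prefix, asn, state))
    return result


# Constructed ROA set
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 26, 64497),   # holder allows de-aggregation down to /26
    Roa("203.0.113.0/24", 24, 0),        # AS0 ROA: the prefix must never be originated
]

# Constructed announcements as (prefix, origin AS)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),        # legitimate
    ("192.0.2.0/25", 64496),        # more-specific beyond maxLength, even from the holder
    ("192.0.2.0/24", 64500),        # classic origin hijack
    ("198.51.100.64/26", 64497),    # within maxLength
    ("198.51.100.0/27", 64497),     # too specific
    ("203.0.113.0/24", 64498),      # AS0-protected prefix
    ("2001:db8::/32", 64496),       # no ROA: unknown, accepted by default policy
]

if __name__ == "__main__":
    for bucket, routes in apply_rov(ANNOUNCEMENTS, ROAS).items():
        for prefix, asn, state in routes:
            print(f"{bucket:8} {prefix:20} AS{asn:<6} {state}")
```

Note that the more-specific /25 from the legitimate holder is invalid: maxLength in the ROA is what stops a leaked or hijacked more-specific from winning longest-prefix match, which is why publishing ROAs with a loose maxLength weakens the protection.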
Chase Cotton (University of Delaware, US), Fatema Bannat Wala (University of Delaware, US)
Chase Cotton (Ph.D. EE, UD, 1984; BS ME, UT Austin, 1975) is a successful researcher, carrier executive, product manager, consultant, and educator for the technologies used in Internet and data services in the carrier environment for over 30 years.
Beginning in the mid-80's Dr. Cotton's communications research in Bellcore's Applied Research Area involved creating new algorithms and methods in bridging, multicast, many forms of packet-based applications including voice & video, traffic monitoring, transport protocols, custom VLSI for communications (protocol engines and Content Addressable Memories), and Gigabit networking. In the mid-90's as the commercial Internet began to blossom, he transitioned to assist carriers worldwide as they started their Internet businesses including Internet Service Providers (ISPs), hosting and web services, and the first large scale commercial deployment of Digital Subscriber Line (DSL) for consumer broadband services. In 2000, Dr. Cotton assumed research, planning, and engineering for Sprint's global Tier 1 Internet provider, SprintLink, expanding and evolving the network significantly during his 8 year tenure. At Sprint his activities included leading a team that enabled infrastructure for the first large scale collection and analysis of Tier 1 backbone traffic, and twice set the Internet2 Land Speed World Record on a commercial production network.
Since 2008, Dr. Cotton has been at the University of Delaware in the Department of Electrical and Computer Engineering, initially as a visiting scholar, and later as a Senior Scientist, Professor of Practice, and Director of Delaware's Center for Information and Communications Sciences (CICS). His research interests include cybersecurity and high-availability software systems with funding drawn from the NSF, ARL, CERDEC, JPMorgan Chase, and other industrial sponsors. He currently is involved in the educational launch of a multi-faceted Cybersecurity initiative at UD where he is developing new security courses and degree programs including a minor and MS in Cybersecurity.
Dr. Cotton currently consults on communications and Internet architectures for many carriers and equipment vendors worldwide.
Fatema is a Security Engineer at the University of Delaware, where her responsibilities include monitoring network traffic for intrusions, incident response, threat hunting, and deploying and managing the SIEM for the University. She has held prior roles in security research and software engineering, and she holds the CISSP certification together with the GIAC GCIA, GPEN, GCIH and GCDA certifications. Fatema has given multiple talks internationally at CERN Geneva '19, EDUCAUSE SPC '19, Internet2 TechEX '19, BSidesDE '16, '17, '18 and '19, RIMM '17 and BroCon '17, '18 and '19. She is also a member of the SANS/GIAC Advisory Board.
DNS is one of the protocols most widely abused by threat actors, who use it in unconventional ways to hide within normal traffic. Apart from threat actors, DNS is actively used, or rather misused, by many service providers, vendors and others to deliver their intended services. In-depth research on DNS logs collected over a long period revealed some very interesting legitimate use cases of the DNS protocol by the industry beyond its normal resolution service; we coined the term "off-label use of DNS" for these use cases. One of the main reasons DNS is used, or misused, for these off-label purposes is the speed of data transfer and the low bandwidth overhead. These off-label uses leak important information about the clients and the software they run, which network defenders and analysts can leverage in a variety of ways to improve detection on the network. This presentation will go over some of those legitimate off-label use cases and how analysts can leverage them to detect malware trends in the network and much more, just by analysing DNS logs.
Kathleen Moriarty (Dell EMC, US)
Kathleen Moriarty, Chief Technology Officer at the Center for Internet Security, has over two decades of experience. Formerly Security Innovations Principal in the Dell Technologies Office of the CTO, Kathleen worked on ecosystems, standards, and strategy. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed to and serving two terms as Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group, from March 2014 to 2018. She was named in Cybersecurity Ventures' Top 100 Women Fighting Cybercrime and is a 2020 Tropaia Award Winner for Outstanding Faculty at Georgetown SCS.
Kathleen has over twenty years of experience driving positive outcomes across Information Technology Leadership, IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. Kathleen holds a Master of Science degree in Computer Science from Rensselaer Polytechnic Institute, as well as a Bachelor of Science degree in Mathematics from Siena College.
Kathleen authored "Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain", published July 2020.
November 18, 2020 10:00-11:00
Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU), Aurelien Thirion (CIRCL, LU)
Fingerprinting, tracing and tracking SSH network activity is a key capability in network forensics and incident response. In past years, Passive DNS and Passive SSL have been cornerstones of efficient incident handling at CIRCL. SSH is used to manage all kinds of devices, from IoT up to network equipment and even critical systems. The goal of Passive SSH is to provide a fast-lookup database with the history of all SSH keys seen per IPv4/IPv6 address on the global Internet. We developed an open source software toolkit to gather, analyse and store SSH key material and to provide access to it for members of the CSIRT community.
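The lookups such a database has to answer are "which keys has this address presented over time" and, the other way round, "which addresses have presented this key". The following is an added example written for this page, not CIRCL's Passive SSH toolkit: it parses an OpenSSH public key line, computes the SHA256 and legacy MD5 fingerprints the way OpenSSH prints them (over the wire-format blob) and keeps a per-IP key history with a reverse index. The in-memory store, the helper that builds an ssh-ed25519 line and the timestamps are assumptions; the 32-byte key values are arbitrary constructed bytes, not real keys.

```python
"""Added example: SSH host key fingerprinting and a per-IP key history store, written
for this page (not CIRCL's Passive SSH toolkit). The key material below is an
arbitrary constructed byte string, not a real key."""
import base64
import hashlib
import struct
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes]:
    """Parse '<type> <base64> [comment]' into (type, wire blob), checking consistency."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])            # first field of the blob is the type string
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError(f"type mismatch: {keytype} vs embedded {embedded}")
    return keytype, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the wire blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, still common in older logs and tooling."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


class PassiveSSH:
    """In-memory stand-in for the fast-lookup database: key history per IP and IPs per key."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, Dict[str, dict]] = defaultdict(dict)   # ip -> fp -> record
        self._by_fp: Dict[str, Dict[str, dict]] = defaultdict(dict)   # fp -> ip -> record

    def record(self, ip: str, keyline: str, seen: datetime) -> str:
        """Store one observation of a key on an address; returns the SHA256 fingerprint."""
        keytype, blob = parse_openssh_pubkey(keyline)
        fp = fingerprint_sha256(blob)
        rec = self._by_ip[ip].get(fp)
        if rec is None:
            rec = {"type": keytype, "first_seen": seen, "last_seen": seen, "count": 0}
            self._by_ip[ip][fp] = rec
            self._by_fp[fp][ip] = rec
        rec["first_seen"] = min(rec["first_seen"], seen)   # observations may arrive out of order
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["count"] += 1
        return fp

    def history(self, ip: str) -> List[Tuple[str, str, datetime, datetime]]:
        """All keys ever seen on an IP, oldest first; a key change can mean reinstall, MitM or reuse."""
        rows = [(fp, r["type"], r["first_seen"], r["last_seen"])
                for fp, r in self._by_ip.get(ip, {}).items()]
        return sorted(rows, key=lambda r: r[2])

    def hosts_with_key(self, fp: str) -> List[str]:
        """Pivot: every IP that presented this key (shared keys expose cloned images or one actor's infra)."""
        return sorted(self._by_fp.get(fp, {}))


def ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Encode a 32-byte value as an 'ssh-ed25519 ...' line (RFC 8709 wire format)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed data: arbitrary bytes standing in for real key material, and two timestamps
KEY_A = ed25519_pubkey_line(bytes(range(32)), "host-a")
KEY_B = ed25519_pubkey_line(bytes(range(32, 64)), "host-b")
T0 = datetime(2020, 6, 1, tzinfo=timezone.utc)
T1 = datetime(2020, 6, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    db = PassiveSSH()
    fp_a = db.record("198.51.100.10", KEY_A, T0)
    db.record("198.51.100.10", KEY_A, T1)
    db.record("203.0.113.5", KEY_A, T1)       # same key on a second address
    db.record("198.51.100.10", KEY_B, T1)     # key change on the first address
    print("history:", db.history("198.51.100.10"))
    print("hosts with key A:", db.hosts_with_key(fp_a))
```

The fingerprint is computed over the decoded blob rather than over the base64 text, which is what makes it comparable with the `ssh-keygen -lf` output and with the fingerprints that appear in client logs; the reverse index is the pivot an analyst uses to link an address seen in an incident to other infrastructure sharing the same host key.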
Brandon Grimes (CISA, US), Derek Meyer (CISA, US)
Brandon Grimes is a member of the Industrial Control Systems group under CISA's Hunt and Incident Response Team, providing incident response services to critical infrastructure on behalf of the US government.
Derek Meyer is a member of the Industrial Control Systems group under CISA's Hunt and Incident Response Team, providing incident response services to critical infrastructure on behalf of the US government.
The world of technology we live in today is significantly different than what it was over 40 years ago, when computers were first becoming more prevalent. There was no Internet, and with that, no real worries that someone on the other side of the world could steal your data or mess with your HMI. Nowadays, cybercriminals are getting smarter, APTs are treading into increasingly worrying territory, and even script kiddies have access to powerful exploits and malware that can potentially cause significant physical impacts and disruptions. While the overall possible threat will remain for the foreseeable future, having knowledge about what's out there can make a world of difference when making informed decisions and staying safe. This presentation will peel back the covers on what CISA is seeing at the forefront of the ICS cyber battle. We will cover recent trends in the ICS cyber threat landscape along with a discussion of what we need to be prepared for in the future.
Shipra Aggarwal (SAP Product Security Response Team, IN), Stuart Short (SAP Product Security Response Team, DE)
Shipra started her security career with SAP in 2007, as a fresh engineering graduate. Since then she has been on a journey to be a passionate cybersecurity professional, helping developers and customers secure SAP products. Shipra has held diverse roles in securing product development: pen testing, security validation of products across multiple SAP lines of business, vulnerability assessment, security communications, security incident handling and response, external hacker collaboration, managing bug bounty programs, handling zero days, leading SAP's monthly security Patch Tuesdays, and leading customer engagement initiatives on SAP's security patching strategy.
In addition, Shipra has been a trainer for Security Expert Curriculum internal training, a regular speaker, and track lead at various SAP TechEd and DKOM events. You can often find her participating in various security conferences and forums on current cybersecurity trends, cloud security, DevSecOps, AWS, Azure and GCP security, Data Privacy, and the likes.
Stuart started with SAP in 2006, working for the SAP Business ByDesign team in Galway, Ireland. He then worked for 10 years at SAP Labs France in Mougins as part of the Security Research team. His main tasks were contributing to and successfully managing European funded research projects, leading the communications team and helping to build the research strategy. He has numerous academic publications and two patents. He has been working in SAP PSRT since June 2017. Prior to joining SAP, Stuart had ten years' experience with web-based/IT start-ups, including his own.
Current responsibilities include: handling security vulnerability reports from external sources; lead for SAP as a CNA and co-lead for the CVE (Common Vulnerabilities and Exposures) topic, which assigns CVE entries to all Patch Day security notes; the Customer Engagement Initiative project; co-leading the monthly Root Cause Analysis of selected vulnerabilities; customer pentest reports; and email@example.com hotliner.
SAP Product Security Response sits within the Utilization phase of the SAP Secure Software Development Lifecycle, and its process is activated when a vulnerability is reported either by external researchers or by customers. As outlined in the FIRST PSIRT Services Framework, it is good practice to carry out a root cause analysis in order to educate stakeholders and prevent the recurrence of similar vulnerabilities. In this context the Product Security Response team was mandated to regularly assess completed cases (i.e. On-Premise, Mobile and Cloud) that have a high severity or are selected based on the judgement of nominated experts. This type of activity cannot be done wholly by one team but must involve different stakeholders, such as the concerned teams in development, standards, testing and validation. This presentation is aimed at response teams that already go through this exercise or are contemplating it, and will outline learnings from our efforts so far, including methodology, problems faced and proposed solutions. As this is a fairly recent activity (started at the beginning of 2018) we would also like to use the Q&A session to hear from our peers about their experiences so we can improve our process.
Seth Hanford (Proofpoint, US)
Seth Hanford is a Principal Engineer at Proofpoint. In his role, he serves as security architect, and as an advisor to the enterprise CSIRT, PSIRT, and other Global Information Security functions responsible for designing secure architectures and protecting customer and enterprise data for the company. He has previously worked as Sr. Manager for Detection & Response for a Fortune 100 financial services firm, as well as various vulnerability & threat intelligence roles, and as a PSIRT incident manager for a Fortune 100 network technology company. He has been active in the FIRST community over the past decade, including service on the CVSS SIG during v2, and as SIG chair for the development of CVSS v3.
Complex passwords harm user security when they must be frequently changed, and they are little defense against credential stuffing and phishing. Standards like NIST SP 800-63B show organizations how to remove password complexity and periodic rotation, but require additional controls, including checking candidate passwords against lists of known-compromised credentials. Operating under these new controls is harder still: have you been "pwned"? How can a CSIRT ensure that compromised user passwords are appropriately revoked when a password store is compromised?
A successful implementation will be a rare win-win: a security control that will improve both security posture and user experience. The author will describe implementing this in the real world: compliance with NIST SP800-63b; maintaining a local compromised password store; answering queries about password compromises; and identifying several lessons learned from the cross-platform implementation project.
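To make the control described above concrete, the following is an added example (not the speaker's implementation) of a local compromised-password store and the length-only checks SP 800-63B asks for. It mirrors the range-query layout of the Pwned Passwords service: the corpus is indexed by the first five hex characters of the SHA-1, the client sends only that prefix and compares the suffix locally, so neither the candidate password nor its full hash leaves the client. The breach lines, plaintexts and prevalence counts are constructed for the example; the `check_candidate` function and thresholds are assumptions, not part of the standard's text.

```python
import hashlib
import unicodedata
from collections import defaultdict


class CompromisedPasswordStore:
    """Local copy of a breach corpus, indexed like a range API: uppercase hex SHA-1
    split into a 5-char prefix and a 35-char suffix, with a prevalence count per hash."""

    PREFIX_LEN = 5

    def __init__(self):
        self._ranges = defaultdict(dict)  # prefix -> {suffix: count}

    @staticmethod
    def sha1_hex(password: str) -> str:
        # NFKC normalisation so visually identical Unicode inputs hash the same way
        # (SP 800-63B recommends normalising memorized secrets before hashing).
        normalised = unicodedata.normalize("NFKC", password).encode("utf-8")
        return hashlib.sha1(normalised).hexdigest().upper()

    def ingest(self, lines):
        """Load 'HASH:COUNT' lines (the usual breach-list file format); counts accumulate."""
        for line in lines:
            line = line.strip()
            if not line:
                continue
            digest, count = line.split(":", 1)
            digest = digest.upper()
            if len(digest) != 40:
                raise ValueError(f"not a SHA-1 hex digest: {digest!r}")
            prefix, suffix = digest[:self.PREFIX_LEN], digest[self.PREFIX_LEN:]
            self._ranges[prefix][suffix] = self._ranges[prefix].get(suffix, 0) + int(count)

    def range_query(self, prefix: str):
        """Server side of a k-anonymity lookup: every suffix known under this prefix."""
        if len(prefix) != self.PREFIX_LEN:
            raise ValueError("prefix must be 5 hex characters")
        return dict(self._ranges.get(prefix.upper(), {}))


def check_candidate(password: str, store: CompromisedPasswordStore, min_len=8, max_len=64):
    """Length checks only (no composition rules), then the breach lookup.
    Returns (accepted, reason, breach_count). Runs at enrolment and at every
    password change; the same call at login catches users whose existing
    password shows up in a newly ingested breach."""
    if len(password) < min_len:
        return False, "too short", 0
    if len(password) > max_len:
        return False, "too long", 0
    digest = CompromisedPasswordStore.sha1_hex(password)
    prefix = digest[:CompromisedPasswordStore.PREFIX_LEN]
    suffix = digest[CompromisedPasswordStore.PREFIX_LEN:]
    hits = store.range_query(prefix)  # only the prefix crosses the trust boundary
    if suffix in hits:
        return False, "found in breach corpus", hits[suffix]
    return True, "ok", 0


# Constructed breach corpus: a real feed has hundreds of millions of lines.
# Counts are invented for the example; "Winter2020!" shows that a password
# satisfying classic complexity rules can still be a well-known leaked one.
CONSTRUCTED_BREACH_LINES = [
    f"{CompromisedPasswordStore.sha1_hex(p)}:{n}"
    for p, n in [("password", 3730471), ("Winter2020!", 412), ("letmein", 2880)]
]


if __name__ == "__main__":
    store = CompromisedPasswordStore()
    store.ingest(CONSTRUCTED_BREACH_LINES)
    for candidate in ["password", "Winter2020!", "short", "paper lamp orbit quiet 7"]:
        print(repr(candidate), check_candidate(candidate, store))
```

The store is deliberately keyed on the unsalted SHA-1 used by published breach lists, which is fine here because these hashes are of already-public passwords; the organisation's own credential store must still use a slow, salted password hash, and the breach check is an additional gate in front of it rather than a replacement.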
Francis Perron (Google, CH)
Francis hails from Québec's region of Lac-St-Jean, Canada. A McGill alumnus in Mathematics, Computer Science and Cognitive Science, he lucked out and joined Google in 2007 in Site Reliability Engineering. From then on he ended up responding to availability incidents across the Google production environment. He then moved to a full-time DFIR role in 2017, where he likes to spend his time teaching incident management and responding to incidents. He also enjoys dabbling in casual offensive security exercises once in a while. He would like to be good at Twitter, but cannot seem to get his act together about it: @u269C
Remediating a single vulnerability in a single product can be a daunting task. Remediating large, complex, time-critical vulnerabilities across many different products, teams and vendors can be nearly impossible. This talk discusses what has worked and what has not worked so well in a fast changing organization with a plethora of software and hardware products. We discuss an approach to scaling the vulnerability response to the ever evolving demands of internal reports, information embargo restrictions, open-source vulnerabilities and other beasts reported via bug bounty programs or third parties.
Dnyanada Annachhatre (NVIDIA, UM), Jessica Butler (NVIDIA, UM)
Dee Annachhatre is a Senior Development Leader on NVIDIA's Security Tools Platform Team. With 14 years of experience in the software industry, she specializes in architecting and delivering reliable and scalable systems in a variety of areas, especially online services. Dee graduated from the University of Texas at Arlington with a Master's degree in Computer Engineering. Apart from work, she loves hiking and spending time with her family.
Jessica Butler is a Senior Application Developer and lead for NVIDIA’s Product Security Tools team. Jessica has over 13 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. She has earned certifications in Java, Ruby and Cisco’s CCNA. In her free time Jessica enjoys gardening, rehabbing her 100+ year old urban home and traveling with her family, BJ, Sebastian (5) and Eliza (3).
Displaying a business's full security risk posture involves more than just tallying up the list of open security bugs. Many teams manually process results from multiple tools and use spreadsheets to map issues to the appropriate owners. To drive change, we need to automate mapping the results of these tools to the correct product and, more importantly, to the owner who can take action. This session is for you if you are overtaxed by sifting through results to create bugs, checking a spreadsheet to determine whom to notify for remediation, or manually calculating risk for reports and dashboards. We'll discuss common pitfalls of organizing data from multiple tools. We will walk through how to develop quick and portable microservices that automate pulling results from any tool, prioritizing bugs and mapping data to create actionable metrics. Our goal is to enable efficient, data-driven decisions by showing the fullest picture possible.
Oleg Bil (State Technical Service (host company for KZ-CERT), KZ)
Graduated from Kostanay State University (Kazakhstan). Chief Architect and Head of the Kazakhstan State Technical Service's Malicious Code Research Lab. Has spoken at various forums. Trains students in giving presentations at information security conferences. Main field of interest: research of targeted attacks.
In this presentation I will tell about some real incidents which happened in Kazakhstan. Attackers used several anti-defense methods, in particular sandbox detection, intentional damage of the PE header to prevent execution in a sandbox, and a complicated address resolution system to download the malicious modules. Besides, I will consider the approach of compiling the malicious object on the victim's machine, as well as the attackers' mistakes when using a good PE protector, which allowed me to easily bypass the protection and successfully dump and analyze the malicious code. Then I will discuss the method that helped me decode the keylogger logs of a PlugX backdoor when I had no malicious object in hand and, correspondingly, no chance to analyze the encryption code. Besides, I will tell about a curious situation that gave me the opportunity to find the mailbox used for distributing emails with the attached backdoor. The most intriguing part of the presentation will be devoted to the story of an object aimed at controlling and stealing data from air-gapped networks. This malware has a number of characteristics that we had not faced before and had not seen described in research articles. In particular, it uses the vulnerability CVE-2015-6128 in non-standard ways to spread through USB drives and to hide its own files within removable media in a unique way.
Benoit Dupont (University of Montreal, CA)
Dr Benoît Dupont is a Professor of Criminology at the Université de Montréal and the Scientific Director of the Smart Cybersecurity Network (SERENE-RISC), which he founded in 2014. He also holds the Canada Research Chair in Cybersecurity, as well as the Research Chair in the Prevention of Cybercrime, both at the Université de Montréal. He sits as an observer representing the research community on the Board of Directors of the Canadian Cyber Threat Exchange (CCTX). His main research interests include the co-evolution of crime and technology, the social organization of malicious hackers, the governance of cybersecurity (and in particular public-private partnerships that achieve the common good), and the use of AI by law enforcement agencies.
The growing sophistication, frequency and severity of cyberattacks targeting financial sector institutions (but also many other sectors) highlight their inevitability and the impossibility of completely protecting the integrity of critical computer systems. In this context, cyber-resilience offers an attractive complementary alternative to the existing cybersecurity paradigm. Cyber-resilience is defined here as the capacity to withstand, recover from and adapt to the external shocks caused by cyber risks. Resilience has a long and rich history in a number of scientific disciplines, including in engineering and disaster management. There is a growing number of reports from vendors and consulting firms claiming to reveal what makes organizations cyber-resilient. The scientific literature, standard-setting bodies and regulators are also paying closer attention to the concept of cyber-resilience and embedding it in their frameworks. But most of this work remains theoretical and there is very limited empirical research on how organizations that experience high rates of cyberattacks (such as financial institutions) develop their cyber-resilience. This presentation will outline the results of a two-year research project that sought to understand how cyber-resilience is understood and practiced by cybersecurity experts in the financial sector.
Desiree Sacher (Finanz Informatik, DE), Éireann Leverett (Concinnity Risks, GB)
Desiree is a Security Architect for a Security Operation Center in the financial industry. Her goal is to create intelligent processes, and she does this by drawing on all of her experience from the various engineering and analyst positions she has held over the last 15 years. Desiree is also a certified GCIA Forensic Analyst, Network Forensic Analyst, Cyber Threat Intelligence Analyst and GIAC Penetration Tester.
Eireann Leverett is a Senior Scientist at Airbus Operations, co-author of Solving Cyber Risk, and Founder of Concinnity Risks. He is co-chair of the Cyber Insurance SIG, and the EPSS SIG.
Last year, Desiree presented her taxonomy for documenting and improving SOC use case quality. This year she explains how to bring intelligence back to more first-level security tasks. Usually all reviewed alerts are classified as either true positive or false positive, or sent to other teams who only say whether it was a problem (a patch is installed or a configuration is adjusted) or not a problem (the vulnerability is down-rated and configuration alerts are clicked away). The structured approach applied to security monitoring use cases has been adapted to compliance configuration monitoring, integrity monitoring and vulnerability scanning, and again reflects the different states that can cause an incoming alert. By extending the concept to more first-level security verification disciplines, we again get new ways of documenting the company's security state that will then help you initiate improvement steps, without the need to buy yet another product. By updating your analysis process, you will not only improve your company's security efficiency, but also make a difference in analyst motivation by eliminating false alarms in a structured way and identifying quality gaps. The categorization helps in documenting recurring policy, configuration and architecture problems, and therefore helps in calculating or estimating improvement actions in your company. Understanding your company's security state is not only important for a traditional protection architecture; it becomes especially important when more data is moved to the cloud and fewer monitoring use cases can be configured.
Tamas Boczan (VMRay, HU)
Tamas Boczan is a Senior Threat Analyst at VMRay. He is responsible for finding and analyzing relevant malware samples and improving VMRay's detection capabilities. He is mostly interested in evasive in-the-wild samples, and exploitation. He presents his research at conferences, and is a regular contributor of deep technical blog posts in VMRay's technical blog.
Ursnif is a relatively complex and full-featured malware family frequently used for both large-scale and targeted attacks. Five years ago, this malware's source code leaked. Since then, different criminal groups have created a swarm of variants forked from the leaked code, many of them still actively developed today. Free access to the source code of high-quality malware has created a dangerous, asymmetric situation where developing complex malware is almost free compared to the cost of building a successful defense against it. Tracking the development of these many parallel malware projects based on the same source code is an inherently challenging, but also worthwhile, effort. The in-depth analysis of recent Ursnif variants enabled a case study that answers questions about open-source malware which would otherwise be subject to speculation. What are the long-term effects of complex and easily reusable malware source code becoming available to anyone? How do attackers use this source code in the long term? What is different in recent variants compared to the leaked code? What defensive techniques are effective against most variants of the malware? What methodology can malware analysts use to identify the subtle differences between malware variants that are based on the same code?
Joy Nathalie Avelino (Trend Micro Incorporated, PH), Karla Agregado (Trend Micro, PH)
Joy Avelino is a Threat Research Engineer at Trend Micro. Her work mainly focuses on practical applications of data science and machine learning for malware and threat research. In recent years, she has regularly presented use cases of machine learning in the threat security industry based on actual results of machine learning POC projects, one of which is machine learning clustering of in-the-wild network traffic, aiming to augment threat intelligence for threat family correlation and analysis. She has presented at academic conferences such as IEEE IISA 2014 and IEEE TENCON 2018.
Karla Agregado is a Senior Threat Researcher at Trend Micro based in the Philippines and currently working with the Machine Learning team. She has been working at Trend Micro for 10 years and used to work for the Web Reputation team before she became part of Machine Learning. She is an expert in web analysis and has an in-depth understanding of the web threat landscape. Building on this knowledge, she applies different machine learning techniques, such as feature creation based on the latest web threat techniques identified through her continuous research. She is currently on a project assignment at Trend Micro in Texas, USA, and will return to the Philippines early next year.
The world is becoming hyper-connected, with everyday objects connecting to the internet to send and receive data. Although technology innovations are fast-paced (IoT, cloud technology), threats and risks to information in devices and systems are adapting as well. Phishing has become more practical in terms of propagation and persistence. With Phishing-as-a-Service (PhaaS) and botnets, attacks are automated and produced at a larger scale in terms of volume. This presentation will tackle the role of big data and machine learning in addressing phishing threats using features found in URL construction, history and content. Through machine learning, the model can infer similar structure across a large dataset. A demonstration of Natural Language Processing on web content is examined to bring out the current trends in the web threat landscape.
Dr. Martin Eian (mnemonic, NO)
Dr. Martin Eian is the Head of Research at mnemonic, and he is the Project Manager for the research projects "Semi-Automated Cyber Threat Intelligence (ACT)" and "Threat Ontologies for CyberSecurity Analytics (TOCSA)". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. He has previously presented ACT workshops at the FIRST Conference and at the FIRST CTI Symposium.
For the past three years, we have been busy building a new threat intelligence platform tailored for analysis and automation: ACT. During our work, we have made observations on the state of the art in threat intelligence platforms, threat sharing, and in the field of threat intelligence in general. We have made mistakes, identified both obvious and subtle issues with how we as a community approach threat intelligence, and we have tried to find solutions that work in the real world. In other words, we have learned lessons that we think will be useful to incident response and security teams, and we want to share what we have learned.
November 16, 2020 11:20-11:50
Fyodor Yarochkin (Trend Micro), Vladimir Kropotov (Trend Micro, DE)
Fyodor Yarochkin is a Senior Researcher in Forward-Looking Threat Research at Trend Micro, with a Ph.D. from EE, National Taiwan University. An early Snort developer and open source evangelist as well as a programmer, his professional experience includes several years as a threat investigator, and over eight years as an information security analyst performing penetration tests in the Asia-Pacific region.
Vladimir Kropotov is a researcher with the Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Fyodor Yarochkin is a researcher at Trend Micro, an incident investigation volunteer at Academia Sinica and a Ph.D. candidate at EE, National Taiwan University. An early Snort developer and open source evangelist as well as a "happy" programmer. Prior to that, Fyodor's professional experience includes over eight years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.
This presentation dives into the underground hosting ecosystem. Through the prism of our telemetry we examine the infrastructure of underground hosting and the economic ecosystem behind it. We go deep and try to understand how the infrastructure is acquired, maintained and provisioned by criminals, and which parts of the global Internet are likely to host malicious content: from APT groups to online phishing and spam campaigns, malware distribution and financial data exfiltration, we look at how different types of criminal activity are provisioned with network infrastructure. Further, we examine the means by which attackers access and control their systems. This presentation examines such underground infrastructure providers and provides an in-depth case study of one such provider. We will cover the major marketplaces, the services offered, prices, and the tricks hosting providers use to keep their infrastructure alive and bulletproof.
Matthieu Faou (ESET, CA)
Matthieu Faou is a malware researcher at ESET where he specializes in targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including BlueHat, REcon, Virus Bulletin, or Botconf.
At the beginning of the malware era, IRC was the main Command & Control channel used by threat actors. Then, over the last decade, HTTP(S) became the go-to protocol for malware C&C communications for both crimeware and APT groups. This led to major improvements in the monitoring of HTTP(S) traffic, so threat actors had to shift their strategy again in order to remain under the radar. In this presentation, we will explore a few cases of stealthy communication channels we encountered during our latest investigations. In the first case, we will show how threat actors make HTTP communications blend in by mimicking legitimate traffic. In the second case, we will use Turla, a long-lived threat actor focusing on espionage operations, as an example of mail-based C&C communications. This channel was abused in three different ways: by compromising the mail client, by compromising the mail server, and by interacting directly with webmail services. In the third case, we will review the usage of a very common protocol, DNS, for transmitting commands and exfiltrating data. Finally, we will propose some countermeasures to increase protection for users.
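The third case above, DNS used to carry commands and exfiltrated data, is one where a defender can start from resolver logs alone. The block below is an added example, not the speaker's method or ESET's tooling: it parses a constructed query log, groups queries by registrable zone and scores each zone on the traits tunnelled traffic tends to show (many unique subdomains, long high-entropy labels, TXT records). The log lines, zone-splitting rule and thresholds are all assumptions for the example; the constructed `example.net` CDN entries show why a single long hostname repeated by many clients must not trip the detector.

```python
import math
from collections import defaultdict

# Constructed resolver log in '<epoch> <client> <qname> <qtype>' form (not from the talk).
# example.org carries hex-encoded chunks under a changing subdomain; example.net is a
# CDN-style long hostname that many clients query unchanged.
CONSTRUCTED_DNS_LOG = """\
1583020800 10.0.0.5 www.example.com A
1583020801 10.0.0.5 cdn-assets.example.com A
1583020802 10.0.0.7 mail.example.com MX
1583020803 10.0.0.9 7a6d3f2e9c1b4a8d5e0f.zz.exfil.example.org TXT
1583020804 10.0.0.9 e4b1c9a2f7d8036b5c1a.zz.exfil.example.org TXT
1583020805 10.0.0.9 9f0e1d2c3b4a5968778a.zz.exfil.example.org TXT
1583020806 10.0.0.9 c2d3e4f5a6b708192a3b.zz.exfil.example.org TXT
1583020807 10.0.0.5 www.example.com A
1583020808 10.0.0.5 d1a2b3c4e5f6a7b8c9d0.cdn.example.net A
1583020809 10.0.0.7 d1a2b3c4e5f6a7b8c9d0.cdn.example.net A
1583020810 10.0.0.9 d1a2b3c4e5f6a7b8c9d0.cdn.example.net A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit near the alphabet's maximum."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def split_zone(qname: str):
    """Return (registrable_zone, subdomain). Assumption: the zone is the last two
    labels. Production code must consult the Public Suffix List, or
    'host.example.co.uk' collapses to 'co.uk' and every UK site shares one bucket."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        rows.append((int(ts), client, qname, qtype))
    return rows


def zone_features(rows):
    """Per-zone aggregates: volume, distinct subdomains, subdomain length,
    entropy of the most random label, and share of TXT queries."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for _ts, _client, qname, qtype in rows:
        zone, sub = split_zone(qname)
        f = acc[zone]
        f["n"] += 1
        f["subs"].add(sub)
        f["len"] += len(sub)
        f["ent"] += max((shannon_entropy(label) for label in sub.split(".")), default=0.0)
        f["txt"] += qtype == "TXT"
    return {
        zone: {
            "queries": f["n"],
            "unique_subdomains": len(f["subs"]),
            "mean_sub_len": f["len"] / f["n"],
            "mean_label_entropy": f["ent"] / f["n"],
            "txt_ratio": f["txt"] / f["n"],
        }
        for zone, f in acc.items()
    }


def flag_tunnel_candidates(features, min_queries=3, min_unique_ratio=0.75,
                           min_sub_len=20, min_entropy=3.0):
    """Zones whose subdomains are mostly unique, long and high-entropy.
    Thresholds are assumptions tuned to the constructed data; baseline them on
    your own resolver traffic before deploying."""
    flagged = {}
    for zone, f in features.items():
        if f["queries"] < min_queries:
            continue
        unique_ratio = f["unique_subdomains"] / f["queries"]
        if (unique_ratio >= min_unique_ratio and f["mean_sub_len"] >= min_sub_len
                and f["mean_label_entropy"] >= min_entropy):
            flagged[zone] = f
    return flagged


if __name__ == "__main__":
    feats = zone_features(parse_log(CONSTRUCTED_DNS_LOG))
    for zone, f in flag_tunnel_candidates(feats).items():
        print(zone, f)
```

Per-zone aggregation is what keeps the CDN case quiet: the hostname is as long and as random-looking as the exfiltration labels, but it never changes, so the unique-subdomain ratio stays low. The inverse failure mode, a tunnel that reuses a small set of subdomains and encodes data in query timing or record type instead, is not caught by these features and needs volume or timing baselines on top.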
Koji Yamada (Fujitsu System Integration Laboratories, JP), Ryusuke Masuoka (Fujitsu System Integration Laboratories, JP), Toshitaka Satomi (Fujitsu System Integration Laboratories LTD (FSI), JP)
Koji Yamada is a cybersecurity researcher with Fujitsu System Integration Laboratories LTD (FSI). He has been engaged in CSIRT activities at FJC-CERT for over two years to protect Fujitsu's cloud offerings. His interests include cyber threat intelligence, machine learning, and deception technologies.
Dr. Ryusuke Masuoka is a research principal at Fujitsu System Integration Laboratories LTD (FSI), working on Cyber Security. Over 30 years, he has conducted research in neural networks, simulated annealing, agent system, pervasive/ubiquitous computing, Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member.
Toshitaka Satomi is a researcher with Fujitsu System Integration Laboratories LTD (FSI). He joined Fujitsu PC Systems in 1997 after graduating from the Tokyo Institute of Technology. He worked on the development of an F-BASIC compiler and insurance business systems. After that, he became interested in cybersecurity research and he developed various cybersecurity PoC systems. Since he moved to FSI in 2017, he has been conducting research on Cyber Threat Intelligence (CTI) and has developed a Cyber Threat Intelligence Platform, "S-TIP," which is now available as OSS.
We have a better and stronger defense when defenders share. There are a variety of defenders in this age of diversity and digital society: people with different backgrounds and roles, and also systems like security appliances, solutions and services, as well as the CTI feeds that are integral to analysis and response. When CTI is shared and utilized seamlessly among them, analysts, incident responders and systems receive the maximum benefit. Seamless CTI sharing and utilization do not happen automatically; there are many obstacles, both visible and invisible. We have created a platform, which we named "Seamless Threat Intelligence Platform (S-TIP)," and implemented many functionalities to overcome such obstacles. We built the platform around the core concept that "everything gets captured and stored in a single structured CTI format, and the platform presents the CTI to each entity according to its needs and preferences." After giving the background and introducing S-TIP and its core concept, we present the framework used to organize the functionalities that overcome sharing and utilization obstacles, and then demonstrate some of those functionalities. S-TIP has been made available as open-source software at https://github.com/s-tip. We finish by pointing out challenges and future work to further seamless CTI sharing and utilization.