Alan Neville (Symantec)
In March 2013, three South Korean television stations and a bank suffered an attack in a suspected act of cyberwarfare that coincided with the 63rd anniversary of the Korean War. At the time, this attack was attributed to North Korea and dubbed "DarkSeoul". These attacks continued until 2015 and appeared to have ceased... until now. This presentation provides a walk-through of an investigation into the recent activities of this attack group, detailing a coordinated espionage operation to steal nation-state secrets.
April 7, 2020 12:30-13:15
Lórien Doménech Ruiz
An introduction to Threat Hunting will be made as a new line of cybersecurity and job research, referring to good practices, methodologies and frameworks (MITRE ATT&CK, TaHiTI, Sigma) that are used on a daily basis by the "hunters of threats." The problems we face in the search for TTPs (tactics, techniques and procedures) of cybercriminals, and how to automate our work with tools under standards, will be exposed. There will be a demonstration on how to fortify a business environment and then make a use case on it. It will show how to use the application Caldera (MITRE), making some proofs of concept that will contemplate the tactic of "Discovery" and later that of "Exploitation". Another important practical part is the research process and the conduct of searches in the SIEM. To conclude, a recap of what was seen in the workshop will be done and a series of extra resources will be offered.
April 8, 2020 15:15-16:00
Olaf Hartong (Falconforce)
Azure Sentinel has been released on the SIEM market for almost a year and the platform has been consistently improved ever since. Moreover, even though Sentinel offers limited threat hunting capabilities out of the box, with some expert tuning it can be turned into an effective and efficient hunting platform able to cover both on-premise and cloud assets. However, efforts at automating the threat hunting experience within Azure Sentinel have been few and far between. This talk will condense and share a year’s worth of lessons learnt from building Sentinel ATT&CK, a GitHub project designed to make it easy to deploy an ATT&CK-driven hunting solution within Sentinel. The talk will discuss how to deploy an effective threat hunting capability. It will then delve into specific aspects of the threat hunting process that can be automated within the platform, covering in particular the automation of use case deployment, log whitelisting, threat hunting processes via workbooks and alert response through Logic Apps. It will then conclude with a demonstration of how the updated Sentinel ATT&CK repository can help with leveraging the automation techniques outlined in the talk.
April 8, 2020 10:30-11:15
Cincan (Kemppainen Karoliina, Erno Kuusela)
What? This hands-on workshop is about digital forensics tools and how to create repeatable semi-automatic analysis workflows with devops tools. In this workshop we will be:
For Whom? People who are doing digital threat analysis at their work, incident response teams, and people who are interested in the subject.
Required tools To attend, bring a laptop running Ubuntu 18.04 (VM or native).
Background This workshop leverages work done in the CinCan project (cincan.io), which is about building shareable, repeatable & history preserving analysis pipelines using your favourite tools + CI + git + containers. (INEA/CEF funded project worked on by NCSC-FI, Jyväskylä University of Applied Sciences & University of Oulu)
April 6, 2020 10:00-14:00
Splunk (Richard Hensen, Filip Wijnholds)
Join us for our most recent version of Boss of the SOC (BOTS), a blue-team, capture-the-flag-esque competition hosted by Splunk. During the BOTS competition, teams will use Splunk and their security knowledge to compete against their peers for respect, bragging rights and the title of BOSS of the SOC. Attendees will gain a stronger and more realistic understanding of their strengths regarding incident investigations.
You will take on the role of a Security Analyst, Alice Bluebird, to protect Frothly, a thriving home brewing supply company. Thanks to Alice, Frothly continues to thrive in spite of constant nation-state attacks and has big plans to innovate and expand, which they’ll quickly learn comes with a whole new set of challenges.
Alice must continue to expand her knowledge of cloud, as well as on-premises Windows/Linux hosts, firewalls and even ICS/SCADA data. Contestants will pivot through realistic data using Splunk’s analytics-driven security platform. All this while racing the clock to identify the who, how and where through a full forensic investigation.
You will be given a series of questions of varying types and difficulties, with scoring based on timeliness and difficulty.
BOTS can help you learn how to investigate real-world incidents in a safe, fun, and competitive environment. The event is open to all levels of users.
April 6, 2020 10:00-14:00
Steve McKinney & Matt McNiece (CISCO)
Passive DNS data has immense value for incident detection and response, providing both current and retrospective visibility into the benign and malicious domains that endpoints query.
Cisco is a global company that sees upward of nine billion internal DNS queries daily which equates to about three petabytes of raw data each year.
Given the size and value of the dataset, having a system that can manage and analyze it at scale is critical.
In this talk, we’ll discuss how we built a low-latency pipeline which makes the time from DNS query to records being API-accessible by investigators less than five minutes.
We’ll also discuss case studies where Cisco’s CSIRT is using pDNS to detect DDoS activity, monitor DNS hygiene, and evaluate IoCs before integrating them into blocking capabilities.
April 7, 2020 16:00-16:45
Lindsay Kaye (Recorded Future, US)
In this talk, we will provide current, real-world examples of malware employing obfuscation techniques and the approach we’ve taken to detection and deobfuscation, including Zebrocy, Sodinokibi, Taj Mahal, Maze, PowerDuke and Dark Universe. Malware authors aim to complicate the job of analysts, and the employment of obfuscation techniques works to take away many of the utilities at the disposal of reverse engineers that would help answer the questions above. However, the addition of obfuscation to malware does not signal that all hope is lost for analysts by virtue of its existence. Malware that uses obfuscation techniques ranges in complexity, for example a simple XOR cipher may require little effort to reverse engineer, but custom encryption techniques will present more of a challenge. Additionally, while custom encryption or novel obfuscations may complicate analysis, they may present an area of opportunity for detection of the malware. We will present examples of malware across the complexity spectrum and demonstrate how we were able to develop YARA rule detections for the malware, deconstructing it to reveal its functionality and finding related samples that bring to light additional IOCs.
April 8, 2020 16:00-16:45
Takaya Kawasaki, Masaki Yoshikawa & Sosuke Tokuda (Recruit)
Many forensic analysts are not familiar with investigation techniques for Macintosh, and it is supposed that they are still seeking and trying out different ways. This is partly because they usually deal with fewer forensic cases on Mac than on Windows and Linux. However, there has been a certain number of Mac investigation cases in the field of fraud investigation for many years, and the techniques acquired in that field can also be helpful in the field of cyber security. Another reason why many analysts are not familiar with Mac forensics is that not all organizations can afford to purchase investigation tools, even though many parts of current forensic methods are dependent on commercial software. Many organizations seem to be short of human and financial resources. To improve this situation, the speakers developed a free tool based on their experience in the field of DFIR. The speakers developed this tool aiming at simplifying the forensic process and introducing it to other analysts.
The tool consists of three components: a data acquisition tool, a mounting tool, and an analysis tool. These components are created assuming the following steps: first, files are acquired in the triage phase, or an E01 image is acquired through other methods. After that, these files or images are mounted, and then finally they are analyzed. Each component has a GUI and can support the users’ investigation easily. The triage tool can keep the file directory structure, and thus the acquired files can be parsed with existing free tools such as mac_apt. Run together with such tools, the analysis component can improve the efficiency of analysis.
April 8, 2020 12:30-13:15
Vanja Svajcer (Talos)
Windows desktop and servers contain a large number of legitimate tools which can also be used by attackers, once they obtain initial access.
April 7, 2020 10:30-11:15
John Stoner (Splunk, US), Ryan Kovar (Splunk, US)
John Stoner is a Principal Security Strategist at Splunk. During his career, he has worked for ISPs, MSSPs and SIEM providers in operations, consulting and solutions engineering. In his current role, he educates and advises users to improve their capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has developed multiple hands-on workshops that focus on enhancing analysts' security skills. He is a frequent blogger, most recently as a co-editor and contributor to the Hunting with Splunk: The Basics and Dear Buttercup: The Security Letters series, which focus on techniques to improve hunting and security operations. He has built applications that drive greater situational awareness and streamline investigations for the defender. He enjoys solving problems and assists in steering the Boss of the SOC (BOTS) ship. John has presented at various industry symposia and has briefed members of the US Congress and other senior government leaders on the threat landscape.
Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.
April 8, 2020 11:45-12:30
Dr. Paul Vixie (Farsight Security, UM)
With Resolverless DNS, and before that DNS over HTTPS, and soon HTTP/3 (QUIC), the web industry is making a very strong attempt to completely control the DNS metadata required for web browsers to reach web services. While there are some political aspects to this redrawing of the DNS resolution path, there are also security implications for operators of managed private networks which are not public, are not regulated, and have no "customers". These operators have reasons they consider important for keeping DNS resolution out of the hands of device, browser, and other app makers. In this presentation, Dr. Vixie will enumerate the DNS-related risks posed to operators of managed private networks by the increasing dominance of DNS-related web industry ambitions. Some proposals will be described as to the costs and benefits of absolute insistence upon local network control over DNS resolution.
April 8, 2020 09:45-10:30
Nicolas Mattiocco (Greenlock)
To efficiently support this strategy, we developed PatrOwl, an Open Source, Free and Scalable Security Operations Orchestration Platform. Technically, PatrOwl is a solution for automating calls to commercial or open source tools that perform checks. To date, more than 140 tools or online services are supported. Beyond centralizing the results (vulnerabilities, meta-data, asset metadata) obtained, the PatrOwl analysis engine compares these results with its knowledge base and other third-party services to determine scenarios of attacks (predictive analysis) or to trigger actions (alerting, program calls, ...).
Largely customizable, PatrOwl is suitable for supporting penetration testing, vulnerability audit and compliance, static source audit, threat research (CTI) and security incident response activities (SOC / DFIR).
April 8, 2020 14:15-15:00
Julian Smith (Focal Point Academy, NL)
In recent years, the use of encryption in network data has gone from rarity to ubiquity. In particular, web traffic that was once largely plaintext is now almost entirely protected with strong encryption. This use of cryptography has brought enhanced security and privacy for organizations, but it has also led to limitations in visibility that hamper or thwart security analysis. The castle may be well built and guarded, but there are now tunnels under the walls. There are three principal ways in which security teams typically address this challenge – increased reliance on endpoint protection, the use of intercepting proxies, and traffic analysis of encrypted data. In isolation, the first of these reduces defense-in-depth to a single layer, and the second often incurs a performance impact. In this workshop we will explore the last of the three, developing analytic methodology to detect and respond to anomalies in encrypted traffic without seeing the underlying content. The workshop includes lecture time, practical lab exercises and group discussions.
This workshop is intended for security team members with an existing understanding of TCP/IP networking, and common network security practices and tools.
April 6, 2020 10:00-14:00
Brier Creek Carolina Ale House
7981 Skyland Ridge Pkwy.
Raleigh, NC 27617
April 7, 2020 17:15-19:30
Christian Burrows & Ashley Blackmore (Atlassian)
Do you have a birds-eye view of your alert coverage? Do you know if your alerts are all actually firing? What about documentation? Atlassian Security Intelligence has built a tool that enables rapid development and testing of alerts, with minimal fuss and optimal output. By laying out a simple set of rules, leveraging already available tools, and linking them together with code, we have established a scalable pipeline for producing alerts and outcomes that can be easily conveyed across various facets of the business. From capturing the spark of an idea in an analyst’s workflow, to the surfacing of coverage gaps across your infrastructure: our pipeline can produce entire arrays of correct, consistent, and beautiful results. In this session, we’re going to walk you through what we built, and how you can also dramatically accelerate your alert lifecycle.
April 7, 2020 15:15-16:00
Levi Gundert (Recorded Future)
How to narrow the scope of intelligence goals (aka PIRs - priority intelligence requirements)
The challenges in creating intelligence to feed threat hunting
Potential solutions to increase the chances of detecting adversary TTPs in the network
April 7, 2020 09:45-10:30