Agenda is subject to change. Times are reflected in UTC +1 (CET). Training sessions have limited seating and are first-come, first-served. Please select your training options during registration. Plenary sessions are open to all registered delegates.
Virtual Attendance: All TLP:CLEAR plenary presentations will be streamed live (2-3 November). Training will not be streamed. Virtual registration is available within the registration form. Streaming will be delivered over Zoom.
Training: Analytical | Level 2, Rm MOA 15
Training: Technical | Level 2, Rm MOA 14
Plenary Sessions Day 1 | Level 1, Rm MOA 6-9
Plenary Sessions Day 2 | Level 1, Rm MOA 6-9
| Time | Training: Analytical (Level 2, Rm MOA 15) | Training: Technical (Level 2, Rm MOA 14) |
|---|---|---|
| 08:00 – 09:00 | Registration (All Day), Level 2 Atrium (next to training rooms) | |
| 09:00 – 11:15 | ‘Build Your Own Threat Landscape’ Workshop. Gert-Jan Bruggink (Venation, NL); Roman Sannikov (Constellation Cyber LLC, US); Brian Mohr (Reqfast, US). TLP:CLEAR | Building Your Own Workflows in MISP: Tutorial and Hands-on. Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem (CIRCL, LU). TLP:CLEAR |
| 11:15 – 11:30 | Coffee Break, Level 2, outside the training rooms | |
| 11:30 – 13:00 | ‘Build Your Own Threat Landscape’ Workshop. Gert-Jan Bruggink (Venation, NL); Roman Sannikov (Constellation Cyber LLC, US); Brian Mohr (Reqfast, US). TLP:CLEAR | Building Your Own Workflows in MISP: Tutorial and Hands-on. Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem (CIRCL, LU). TLP:CLEAR |
| 13:00 – 14:00 | Lunch Break, Level 1, MOA EAT | |
| 14:00 – 16:00 | Joseph Harris, Brad Crompton (Intel 471, GB); Freddy Murstad (Nordic Financial CERT, NO). TLP:AMBER | Building an effective ICS/OT Security Monitoring and Defense Program. Kai Thomsen (Dragos, Inc., DE). TLP:CLEAR |
| 16:00 – 16:15 | Coffee Break, Level 2, outside the training rooms | |
| 16:15 – 18:00 | Joseph Harris, Brad Crompton (Intel 471, GB); Freddy Murstad (Nordic Financial CERT, NO). TLP:AMBER | Building an effective ICS/OT Security Monitoring and Defense Program. Kai Thomsen (Dragos, Inc., DE). TLP:CLEAR |
| Time | Plenary Sessions Day 1 (Level 1, Rm MOA 6-9) |
|---|---|
| 08:00 – 09:00 | Registration (All Day), Level 1 Foyer |
| 09:00 – 09:10 | Welcome Remarks |
| 09:10 – 09:45 | Ten Years of Cyber Threat Intelligence: Retrospectives. James Chappell (Digital Shadows, GB). TLP:CLEAR |
| 09:45 – 10:15 | Jake Nicastro (Mandiant, US). TLP:GREEN |
| 10:15 – 10:45 | Networking Break with Exhibits, Level 1, Rm MOA 10+11 |
| 10:45 – 11:15 | Clemens Sauerwein (University of Innsbruck, Department of Computer Science, AT). TLP:AMBER |
| 11:15 – 11:45 | Gert-Jan Bruggink (Venation, NL). TLP:CLEAR |
| 11:45 – 12:15 | All the Unstructured Data! Using NLP to Process Threat Reports. Patrick Grau (Bosch, DE). TLP:AMBER |
| 12:15 – 13:30 | Lunch Break with Exhibits, Level 1, Rm MOA 10+11 |
| 13:30 – 14:00 | John Doyle (Mandiant, US). TLP:CLEAR |
| 14:00 – 14:30 | Community Management and Tool Orchestration the Open-source Way via Cerebrate. Andras Iklody, Sami Mokaddem (CIRCL, LU). TLP:CLEAR |
| 14:30 – 15:00 | Let's Make Needles Glow in Timesketch. Thomas Chopitea, Alexander Jäger (Google, CH). TLP:CLEAR |
| 15:00 – 15:30 | Networking Break with Exhibits, Level 1, Rm MOA 10+11 |
| 15:30 – 16:00 | SOC Buddies - Bridging the Gap Between IR and CTI. Ilin Petkovski (Red Hat, CZ). TLP:GREEN |
| 16:00 – 16:30 | Vanity Metrics - The BS of Cybersecurity. Freddy Murstad (Nordic Financial CERT, NO). TLP:AMBER |
| 16:30 – 17:30 | How to Create Effective Structured Intelligence Extensions for TIPs. Peter Ferguson (EclecticIQ, NL). TLP:CLEAR |
| 17:30 – 18:30 | |
| Time | Plenary Sessions Day 2 (Level 1, Rm MOA 6-9) |
|---|---|
| 08:00 – 09:00 | Registration (All Day), Level 1 Foyer |
| 09:00 – 09:10 | Opening Remarks |
| 09:10 – 09:40 | Why Your Security Analysts Are Leaving and What You Can Do to Retain Them. Thomas Kinsella (Tines, IE). TLP:CLEAR |
| 09:40 – 10:10 | CTI Bake-Off: A Recipe for Measuring, Integrating, and Prioritizing a CTI Program. Kellyn Wagner Ramsdell (MITRE Engenuity, US). TLP:CLEAR |
| 10:10 – 10:40 | Enhancing CTI Processes with Code Search Technology. Carlos Rubio (Threatray, ES); Jonas Wagner (Threatray, CH). TLP:CLEAR |
| 10:40 – 11:00 | Networking Break with Exhibits, Level 1, Rm MOA 10+11 |
| 11:00 – 11:30 | Targeted Web Skimming on E-Commerce Sites. Hendrik Adrian (LACERT/LAC Tokyo, JP); Takehiko Kogen (LAC/LACERT Tokyo, JP). TLP:CLEAR |
| 11:30 – 12:00 | Gwisin: A Spooky Ransomware Only Targets South Korea. Hyeok-Ju Gwon, Kyoung-Ju Kwak, Jungyun Lim, Sojun Ryu (S2W Inc., KR). TLP:GREEN |
| 12:00 – 13:30 | Lunch Break with Exhibits, Level 1, Rm MOA 10+11 |
| 13:30 – 14:00 | ORKL: Building an Archive for Threat Intelligence History. Robert Haist (TeamViewer, DE). TLP:CLEAR |
| 14:00 – 14:30 | Lessons from the Trenches – What I Wish I’d Known About Threat Intel Platforms. Lincoln Kaffenberger (Deloitte Global, US). TLP:GREEN |
| 14:30 – 14:45 | Networking Break with Exhibits, Level 1, Rm MOA 10+11 |
| 14:45 – 15:15 | Diamonds are a Forensicator's Best Friend - Intelligence Support for DFIR. Kamil Bojarski (Standard Chartered Bank, PL). TLP:CLEAR |
| 15:15 – 15:45 | How to Develop Priority Intelligence Requirements for YOUR Organization. Ondrej Rojčík (Red Hat, CZ). TLP:GREEN |
| 15:45 – 16:00 | Closing Remarks |
Patrick Grau (Bosch, DE)
The daily volume of cyber security information and intelligence is growing disproportionately. For 2021, we curated more than 2300 reports from original sources, and a handful of analysts cannot go through them to extract valuable information by any means. That's why we teamed up with a research team from the Bosch Center for Artificial Intelligence (BCAI) to find a way to automatically process all reports with Natural Language Processing (NLP), and it turned out that the integration of domain knowledge (e.g. cyber) is a current research field. In this presentation I would like to show you our journey from the very beginning to the research results. The research is focused on the detection of implicitly mentioned TTPs, with the MITRE ATT&CK framework serving as the basis. Reports were annotated manually in order to have an annotated dataset for the experiments. By combining general world knowledge (Wikidata) with the cyber domain (MITRE ATT&CK), semantic searches such as "Please give me all reports related to state-sponsored activity from country XYZ in the context of German Automotive Industry with the keyword powershe*" are possible as well.
Patrick Grau is the Cyber Threat Intelligence Lead at Bosch Group where he's hands-on managing and coordinating the CTI program. Prior to that, he was part of the Bosch CERT as an incident manager with a preference for analysis and digital forensics. In addition, he graduated somewhere, holds a degree in something, has some expired certificates and owns more than one computer.
November 2, 2022 11:45-12:15
Gert-Jan Bruggink (Venation, NL), Roman Sannikov (Constellation Cyber LLC, US), Brian Mohr (Reqfast, US)
Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you try to convey answers to intelligence requirements in as effective a way as possible. Channel your inner artist if you will. This could for example be building a periodic briefing or a yearly write-up. Still, what makes a good threat landscape? What essential information should it contain? What works?
This workshop is a detailed walkthrough of producing such a deliverable, combining hands-on examples with audience interaction. Several formats will be discussed, and templates made available. In addition, the facilitator will share practical tips, tricks, and happy accidents from years of creating threat landscape deliverables.
After following this workshop, participants will have built a first version of their team’s threat landscape deliverable or will understand where to adjust their existing deliverable. This workshop also recognises the sensitivity of threat landscape contents.
This workshop is meant to provide cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape deliverables, enabling them to create a larger narrative around cyber threats to support stakeholder decision making and drive security investment.
Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.
Roman Sannikov supports companies building out and expanding their cyber threat intelligence teams, content, and operations. Roman currently applies this expertise as an advisor to Venation Digital and various other start-ups. Working in cyber-threat intelligence for over 20 years, Roman has previously covered both the public and private sector. As a contractor for the US DOJ, he spent years doing undercover work on Russian and Eastern European dark web forums and markets. Subsequently, he headed cyber-threat intelligence teams at leading private sector intelligence providers. His teams covered various topics such as dark web and cybercrime, disinformation and hacktivism, and nation-state and geopolitical threats.
Brian Mohr helps intelligence teams of all sizes and industries provide excellent service to their decision-makers using intelligence requirements. Brian believes that intelligence work comes down to two core tenets: the purpose of intelligence is providing decision support to leadership, and providing intelligence is a customer service. To support these tenets within intelligence teams, Brian co-founded the SaaS company 'ReqFast', providing intelligence requirements and workflow management for intelligence teams, improving the efficiency and efficacy of teams and enabling them to demonstrate value with actual metrics. Previously, Brian worked in both the private and public intelligence community for over twenty years.
November 1, 2022 09:00-11:15, November 1, 2022 11:30-13:00
Kai Thomsen (Dragos, Inc., DE)
Building an effective security program for ICS/OT is different from IT. OT has a different mission, and this needs to be reflected in the way we secure and defend our ICS/OT environments. In this workshop, we will cover the five key security controls that matter for OT and discuss the foundational requirements for establishing security monitoring and integrating with IT security and the other teams required to effectively respond to industrial incidents.
Some familiarity with ICS/OT terminology (Purdue Model, SCADA, DCS, PLC, RTU, etc.) helps but is not required. Participants will be asked to conduct a few pen-and-paper exercises.
Kai Thomsen is Director of Global Incident Response Services at the industrial cyber security company Dragos, Inc., where he leads a team of analysts in responding to or proactively hunting for threats in customers’ ICS environments. Prior to his role at Dragos, Inc., Kai was the lead Incident Responder at the German car manufacturer AUDI AG, where he played a key role in establishing an integrated IT defense team responsible for enterprise IT, ICS, and connected car infrastructure. Before Audi, Kai worked for 14 years in the steel industry for the engineering company SMS group, where he was responsible for internal IT defense as well as responding to threats at customers’ sites. Kai is also a Certified SANS Instructor in the ICS curriculum. In 2019, Kai received the SANS ICS Cybersecurity Difference Maker Award for the EMEA region.
November 1, 2022 14:00-16:00, November 1, 2022 16:15-18:00
Slides: PDF, 25.32 MB, last updated June 7th, 2024, MD5 366573afa779ca981fe6485d851e677e
Alexandre Dulaunoy (CIRCL, LU), Andras Iklody (CIRCL, LU), Sami Mokaddem (CIRCL, LU)
MISP has been a widely used open source CTI platform for the past decade, with a long list of tools that allow users to customise the data models and contextualisation of the platform, yet true customisation of the actual workflows and processes had to be done externally using custom scripts.
With the introduction of MISP workflows, this has changed and the workshop aims to walk the audience through some of the potential ideas of how one could adapt the tool to their own CSIRT’s or SOC’s workflows by using some hands-on examples during the session.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.
November 1, 2022 09:00-11:15, November 1, 2022 11:30-13:00
Andras Iklody (CIRCL, LU), Sami Mokaddem (CIRCL, LU)
The Cerebrate Platform is a new open source project, built to allow organisations to manage trusted communities and orchestrate the tooling between its constituents.
Manage contact information of your community members, open dialogues to interconnect various security tools within the network or simply manage a fleet of your internal security tools. Cerebrate handles a host of day-to-day tasks for automation and trust building within security communities.
This talk aims to introduce the issues we are trying to tackle with Cerebrate and how the platform can assist CSIRTs and SOCs in managing their community and tools.
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.
November 2, 2022 14:00-14:30
Jake Nicastro (Mandiant, US)
Another day, another critical, massively impactful cyber event. Each of these arriving with a tidal wave of RFIs, news articles, tweets, and more. It's overwhelming! Mandiant is in a unique position to respond to each of these events on multiple fronts: incident response engagements, managed detection and response, and intelligence requests. How does an intelligence team prioritize and digest information to make it actionable for stakeholders when everything seems critical? In an insightful crossover of mental health, crisis management, and threat intelligence, Jake and Kirstie, of Mandiant Intelligence’s Advanced Practices team, will examine that feeling of drowning in an ocean of crises, and pull lessons learned from major cyber events that they lived firsthand, managing crisis after crisis within Mandiant Intelligence, to provide the means to stay afloat and weather the storm.
Jake Nicastro is a Principal Threat Analyst on Mandiant Intelligence’s Advanced Practices team, supporting Mandiant incident response investigations with intelligence and attribution. Previously, Jake was an IR consultant with Mandiant, a Cyber Operations NCO with the US Army National Guard, and graduated from Champlain College with a degree in Digital Forensics.
November 2, 2022 09:45-10:15
Kellyn Wagner Ramsdell (MITRE Engenuity, US)
Cyber threat intelligence programs must constantly prove their value. Building a measurable CTI program and integrating that program with diverse activities in your organization are two ways to show leadership the value of a CTI program. However, measuring CTI is notoriously difficult, and analysts overwhelmed with threats may struggle to add support for additional business units to their workflows. This presentation will show analysts how to leverage Center for Threat-Informed Defense (Center) projects like ATT&CK Workbench and ATT&CK mappings to NIST 800-53 to directly tie their analysis to their organization’s security program. Analysts will then learn how to use ATT&CK mappings to Common Vulnerabilities and Exposures, the Insider Threat Knowledge Base, and adversary emulation plans to integrate CTI with various other security operations. Integrating and measuring effectiveness alone is not enough, though, so this presentation will close by discussing how to begin prioritizing threats using work like the Sightings Ecosystem and the Top Attack Techniques projects. By leveraging the Center’s suite of open-source tools, CTI analysts can build a well-organized CTI program with clear value.
Kellyn Wagner Ramsdell is a Cyber Threat Intelligence Analyst at MITRE where she works on a variety of projects supporting and advancing CTI, including supporting the Center for Threat-Informed Defense. She began her career at the Arizona Counter Terrorism Information Center (ACTIC) and the Northern California Regional Intelligence Center (NCRIC) where she produced CTI for critical infrastructure providers and supported criminal investigations for over 100 law enforcement agencies. In that role, she also coordinated a national network of cyber analysts in the United States. Kellyn has a Masters in Security and Intelligence Studies and a Bachelors in Global Security and Intelligence Studies, Security Operations Management track from Embry-Riddle Aeronautical University, Prescott.
November 3, 2022 09:40-10:10
John Doyle (Mandiant, US)
The cyber threat intelligence (CTI) analyst role is arguably the most recent entrant to emerge under the cyber security career tracks, with the job role, responsibilities, and skill requirements wide ranging and not well understood by organization leadership or cyber security peers. During this talk, we introduce the newly developed Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework.
We unpack the significant overlaps that exist between those in a cyber threat analyst's role and the other cyber security disciplines defined by NIST SP 800-181 to provide the groundwork for threat hunters, incident responders, red teamers, and others to understand how to optimize collaboration with CTI analysts. We highlight the overlaps by examining the Framework's four underpinning pillars--Problem Solving, Professional Effectiveness, Technical Literacy, and Cyber Threat Proficiency--with a distinct focus on how acute knowledge of cyber adversary operations can empower hunters and red teams to properly perform adversary emulation when testing the security posture of an organization.
We conclude by discussing how organizations can use this framework as a guidepost to recruit, grow, develop, mature, and retain CTI talent.
John Doyle has over fifteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. He has spent over a decade tracking multiple state-sponsored cyber actors (APTs) to support strategic, operational, and tactical intelligence requirements.
November 2, 2022 13:30-14:00
Slides: PDF, 5.2 MB, last updated June 7th, 2024, MD5 346f199dce0eced3a44c93d72af26960
Clemens Sauerwein (University of Innsbruck, Department of Computer Science, AT)
Increasingly persistent and sophisticated threat actors, along with the sheer speed at which cyber-attacks unfold, have made timely decision-making imperative for an organization's security. Therefore, security professionals employ a large variety of data sources concerning emerging attacks, attackers’ courses of action or indicators of compromise, in order to promptly put appropriate countermeasures in place. In response to this trend, many vendors have launched cyber threat intelligence sharing platforms that support the cross-organizational exchange of the required threat intelligence. However, the comparability of these platforms is limited due to a lack of evaluation criteria, and accordingly research and practice lack comprehensive analyses and comparisons of the platforms offered on the market. In order to address these gaps, we present an evaluation framework for cyber threat sharing platforms and a corresponding analysis of 13 platforms on the market. Last but not least, we outline our main findings and discuss the resulting implications for research and practice.
Clemens Sauerwein is Assistant Professor at the Department of Computer Science at the University of Innsbruck, Austria. His research interests include information security risk management, cyber threat intelligence sharing, empirical studies in the field of information security risk management and information systems. He works in close collaboration with industry and transfers his results into practice as a consultant and a member of various security interest groups.
November 2, 2022 10:45-11:15
Slides: PDF, 816.83 KB, last updated June 7th, 2024, MD5 8df10cddfb3c1714790c3462971e85b9
Kamil Bojarski (Standard Chartered Bank, PL)
CTI is most often understood in the context of detection and prevention actions such as network security monitoring and threat hunting. This is not surprising, as incident response activities which analyze threat actors' activities are a source of CTI generation. Let's however turn the table and look at how intelligence analysis can support DFIR efforts in thwarting defence evasion, decreasing responders’ workload, and leading to more comprehensive remediation of the effects of an incident. We will look at methods of guiding the response and forensics efforts to extend the scope of investigations. In addition, we will explore how to ensure that eradication of malicious activity from the environment is supported by intelligence on possible further vectors of attack and alternative kill-chains. Given the importance of the integrity of incident response data, we will also focus on thwarting defense evasion through identification of visibility gaps and analysis of adversarial tradecraft. The presentation aims to provide CTI and DFIR professionals alike with a methodology of effective cooperation in terms of intelligence support, ensuring that the IR investigation is as comprehensive and effective as possible.
Kamil Bojarski works as a Principal Cyber Threat Intelligence Analyst at QuoIntelligence where he provides tailored intelligence products to customers, informing their decision making and thus reducing risks to organisations. Kamil is also a teaching assistant at SANS Institute where he supports students during FOR578 Cyber Threat Intelligence course, and a member of GIAC Advisory Board. You can read his musings on threat intelligence, OSINT and national security at counterintelligence.pl. His research interests are focused on counterintelligence aspects of information security, activity of eastern APT groups and cross-section of technical and political aspects of cyber operations.
November 3, 2022 14:45-15:15
Slides: PDF, 1.22 MB, last updated June 7th, 2024, MD5 ea342f771242d86c7d19528f08fe42d8
Carlos Rubio (Threatray, ES), Jonas Wagner (Threatray, CH)
Many types of IOCs are searchable, and a range of technologies exist to do so. The benefits include supporting rapid incident response, confirming or excluding breaches, and detecting and identifying attacks, amongst others.
The types of IOCs that are searchable are usually textual data, like application logs, network/host indicators, and file hashes.
In this talk we are going to explore the question: what if binary code is a searchable IOC?
We will present use cases where code search technologies enhance existing CTI processes and make entirely new ones possible.
More concretely, we will show how code search technology can:
We will support all of these use cases with research on recent threats and their evolution to show the real-world applicability of code search technology.
Carlos Rubio is a malware researcher at Threatray, where he is mainly responsible for reverse engineering malware to automate the detection process of new threats. He also researches new applications for code reuse technology that can help in areas such as threat hunting, incident response, and tracking the evolution of malware families, among others. He previously worked on reverse-engineering malware at Blueliv, the S21sec Counter Threat Intelligence Unit and the Panda Security Adaptive Defense team. He has previously spoken at Botconf (2022, 2019), Virus Bulletin localhost 2020, as well as many closed-door private conferences.
Jonas Wagner is the co-founder and CTO of Threatray and has built the technological foundation of its code search engine based on years of research and development. He holds a Masters Degree in Cybersecurity from the Bern University of Applied Sciences. He has previously spoken at BSides Zürich (2019), DFRWS (2017) and many private events.
November 3, 2022 10:10-10:40
Slides: Jonas-Wagner-and-Carlos-Rubio.pdf, PDF, 6.9 MB, last updated June 7th, 2024, MD5 cee0dc678f4fed100d41623a98a099de
Hyeok-Ju Gwon (S2W Inc., KR), Kyoung-Ju Kwak (S2W Inc., KR), Jungyun Lim (S2W Inc., KR), Sojun Ryu (S2W Inc., KR)
In October 2021, the ‘GWISIN’ ransomware group, which exclusively targets Korean companies, emerged. A ‘gwisin’ is a sort of ghost in Korean folklore, and the group is very different from the existing RaaS-type ransomware groups.
The group understands the Korean system well, and calls out law enforcement, government agencies, and security companies, warning victims not to contact them and explaining that they are not helpful and will in fact interfere with payments.
We have confirmed, through a recent incident, that they have also released a Linux version to target ESXi as well as the Windows version. Furthermore, it supports execution options, allowing one to set the execution time and a self-deletion function.
The most interesting point is that a program was written in Go to automate the distribution of the ransomware to the victim environment after infiltrating it. This program attempts an SSH connection to the server using the collected credentials and distributes the ransomware. The program can also be run in a new environment at any time by setting the relevant information.
South Korea has so far been a low-profile target for RaaS attack groups. That's why the ‘GWISIN’ ransomware group raises a lot of questions. Several companies have already been affected by GWISIN ransomware.
Kyoung-Ju Kwak - Currently Head of the Center for Threat Research and Intelligence, Talon, at S2W. Formerly a Threat Researcher in the Computer Emergency Analysis Team of the government-backed FSI (Financial Security Institute in South Korea). I analyze malware and potential threats against various industries. I am a member of the National Police Agency Cyber-crime Advisory Committee and the main author of the threat intelligence report “Campaign Rifle: Andariel, the Maiden of Anguish”, published by FSI in 2017 and presented at many international conferences including Black Hat Europe & Asia, PACSEC, HITCON, Hackcon, Kaspersky SAS, etc.
Jungyun Lim - Currently Senior Researcher, Threat Research and Intelligence, Talon, at S2W. After working at the Digital Forensics Center of the National Police Agency of Korea, I became interested in cyber security and threat intelligence. I have a lot of forensic experience, such as the Nth Room case and IoT devices. I analyze the money flow of ransomware threat actors on the blockchain and correlations between users of Deep and Dark Web forums. Recently, I analyzed the addresses of the Conti ransomware’s operators/affiliates and the clay swap hacking incident.
Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun worked at KrCERT/CC for seven years, analysing malware and responding to incidents, and is one of the authors of "Operation Bookcodes" published by KrCERT/CC in 2020. Recently, Sojun has been focusing on threat intelligence by expanding to DDW and cybercrime as well as APT at TALON, S2W.
Hyeok-Ju graduated from the Department of Cyber Security at Ajou University and is currently attending the same graduate school. He has reached the finals of international CTFs such as Defcon, Trendmicro CTF and CodeGate. While working at Stealian and Enki, he performed various tasks such as vulnerability analysis, pentesting, malware analysis, and operating CTFs. Currently, as a senior researcher in the BLKSMITH team of TALON, the CTI Center of S2W, he conducts malware analysis of ransomware, botnets, and stealers, and analysis of vulnerabilities used in the distribution of malware.
November 3, 2022 11:30-12:00
Peter Ferguson (EclecticIQ, NL)
As the amount of data observed and shared by the security community and industry increases, the ability to effectively manage and leverage this data has become more difficult. Both the community and private industry have attempted to solve these problems. Multiple Threat Intelligence Platforms (TIPs) have become available, both open-source and paid. The platforms provide a centralised place where data can be normalised, searched, enriched, analysed, and disseminated. Open-source frameworks designed to standardize the sharing of threat information, such as STIX, have also come out. These look to solve the problem of each system or source using its own data model, which requires custom transformation and normalisation before the data can be used with the team's existing dataset. Although STIX has added a lot to the CTI community, platforms and sources still heavily use their own data models, requiring teams to create custom data feeds or extensions.
This paper will dive into the key concepts of creating effective structured intelligence extensions for ingesting data into TIPs and the lessons learned from multiple years of designing open source and vendor extensions for a commercial threat intelligence platform.
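The custom transformation the abstract describes, as an added example that is not part of the talk or of EclecticIQ's own extensions: a small normaliser that turns a source speaking its own data model into STIX 2.1 Indicator objects a TIP can ingest. The vendor feed format, its field names (`kind`, `value`, `seen`, `tags`, `score`), the `tip.example` id namespace and the sample records are all constructed for this illustration and belong to no real vendor.

```python
"""Normalise a constructed vendor indicator feed into STIX 2.1 Indicator objects."""
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

# Constructed sample feed in a HYPOTHETICAL vendor data model (one JSON record per
# line). It is not any real vendor's format; it stands in for a source that does
# not emit STIX natively. The last two records are deliberately unusable.
SAMPLE_FEED = """\
{"kind": "ip", "value": "203.0.113.45", "seen": "2022-10-14T09:12:00Z", "tags": ["c2"], "score": 85}
{"kind": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "seen": "2022-10-15T11:30:00Z", "tags": ["ransomware"], "score": 95}
{"kind": "domain", "value": "update-check.example", "seen": "2022-10-16T00:00:00Z", "tags": [], "score": 20}
{"kind": "filename", "value": "it's invoice.exe", "seen": "2022-10-16T08:00:00Z", "tags": ["lure"], "score": 60}
{"kind": "mutex", "value": "SomeMutexName", "seen": "2022-10-16T00:00:00Z", "tags": [], "score": 99}
{"kind": "ip", "value": "999.1.1.1", "seen": "2022-10-16T00:00:00Z", "tags": ["c2"], "score": 70}
"""

# Hypothetical namespace for this TIP's deterministic ids (an assumption of the example).
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "tip.example")

# Vendor 'kind' -> (STIX 2.1 pattern template, syntactic validator for the value).
# Kinds not listed here are dropped rather than guessed at.
PATTERNS = {
    "ip": ("[ipv4-addr:value = '{v}']",
           re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    "domain": ("[domain-name:value = '{v}']",
               re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)),
    "sha256": ("[file:hashes.'SHA-256' = '{v}']", re.compile(r"^[0-9a-f]{64}$", re.I)),
    "filename": ("[file:name = '{v}']", re.compile(r"^[^\x00-\x1f/\\]{1,255}$")),
}


def _escape(value: str) -> str:
    """Escape a STIX pattern string literal: backslash first, then single quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _ts(dt: datetime) -> str:
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def to_indicator(record: dict, created: str) -> Optional[dict]:
    """Map one vendor record to a STIX 2.1 Indicator, or None if it cannot be trusted."""
    spec = PATTERNS.get(record.get("kind"))
    if spec is None:
        return None  # unknown observable type: drop, never guess
    template, validator = spec
    value = str(record.get("value", ""))
    if not validator.match(value):
        return None  # a malformed value would yield an invalid or unsearchable pattern
    kind = record["kind"]
    seen = datetime.strptime(record["seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # uuid5 over kind+value (case-folded except for file names): the same observable
    # re-ingested later gets the same id, so the TIP updates instead of duplicating.
    key = value if kind == "filename" else value.lower()
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(NAMESPACE, f"{kind}:{key}")),
        "created": created,
        "modified": created,
        "name": f"{kind}: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": template.format(v=_escape(value)),
        "pattern_type": "stix",
        "valid_from": _ts(seen),
    }
    tags = [str(t) for t in record.get("tags", [])]
    if tags:  # STIX prohibits empty lists, so omit the property instead
        indicator["labels"] = tags
    score = record.get("score")
    if isinstance(score, int) and 0 <= score <= 100:  # vendor score already on the STIX 0-100 scale
        indicator["confidence"] = score
    return indicator


def feed_to_bundle(feed_text: str, now: Optional[datetime] = None) -> dict:
    """Convert the whole line-delimited feed into one STIX 2.1 bundle."""
    created = _ts(now or datetime.now(timezone.utc))
    objects = []
    for line in feed_text.splitlines():
        if line.strip():
            indicator = to_indicator(json.loads(line), created)
            if indicator is not None:
                objects.append(indicator)
    # Bundle id derived from the member ids, so the same feed yields the same bundle id.
    seed = "|".join(sorted(o["id"] for o in objects))
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid5(NAMESPACE, seed)), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(feed_to_bundle(SAMPLE_FEED), indent=2))
```

Three choices in the block are the ones that tend to bite in production extensions: ids are derived deterministically from the observable so re-ingestion updates rather than duplicates; unknown vendor types and syntactically invalid values are dropped instead of being forced into a pattern; and single quotes and backslashes are escaped in pattern literals, since an unescaped apostrophe in a file name produces a pattern that fails validation at the TIP.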
Peter Ferguson is currently a Cyber Threat Intelligence Specialist at EclecticIQ, working within their threat research team to deliver intelligence products. Peter started his career in security operations but moved into cyber threat intelligence designing extensions for the EclecticIQ Intelligence Centre. Peter has extensive experience designing and incorporating structured intelligence extensions for threat intelligence platforms. He currently holds a bachelor’s degree in Cybersecurity and Computer Forensics with Business from Kingston University.
November 2, 2022 16:30-17:30
MD5: 49409ee372239c59320bfcf285433150
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.63 Mb
Ondrej Rojčík (Red Hat, CZ)
The number of requests for the internal CTI team of any organization can be overwhelming. We need to prioritize. Most good guides on “How to set up a CTI program” have a paragraph or two on the importance of Priority Intelligence Requirements (PIRs) that should do the job. Unfortunately, these guides and established (military) intelligence processes are not readily transferable to the cyber realm. Finding the right process that fits YOUR organization is crucial. Most of the existing processes for establishing PIRs focus heavily on threat actors. When considering these approaches, we soon realized that this is not enough and that we need to take into account the specificities of our organization's environment. We considered the strategy, values, and other intangible aspects of the organization and mapped them to supporting assets. At the same time we used the more traditional approach and assessed the potential threat actors targeting Red Hat. As a next step, we mapped them to our strategy and supporting assets. The presentation will introduce the whole process, walk through the individual steps of developing the PIRs, discuss the challenges that come with it and suggest ways to integrate the PIRs into the CTI lifecycle.
Ondrej Rojčík is a Senior Threat Intelligence Analyst in the Red Hat CTI team. He is responsible for providing a strategic perspective to the threat intelligence program and its analytical production. Previously he worked for the Czech National Cyber and Information Security Agency (NUKIB) as a Deputy Director of Department and Head of the Strategic Analysis Unit, which he co-founded.
November 3, 2022 15:15-15:45
MD5: 7105f5d331912c533938ab15a7eef3dd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.18 Mb
Joseph Harris (Intel 471, GB), Brad Crompton (Intel 471, GB), Freddy Murstad (Nordic Financial CERT, NO)
This engaging half-day workshop introduces the core fundamentals of building an intelligence plan that aligns to stakeholder needs - individually and at scale - and creates a foundation for measuring success of your CTI team.
Participants will gain hands-on experience building their own plan from scratch using a scenario-based practical exercise, non-proprietary tools, and a catalog of "take home" resources including training videos, fillable templates and worksheets that are provided free of charge for use in their own environments.
Brad Crompton is an Intelligence Director at Intel 471, working closely with Intel 471’s Intelligence Analysts, Customer Managers and Sales Teams alongside multiple other parts of the business. Brad's focus is tracking and reporting threats observed throughout the Cyber Underground (including the deep and dark web) to help prevent cyber attacks, as well as tracking threat actors and their operations. Prior to joining Intel 471, Brad worked as the Global Intelligence Team Lead for Crisp, establishing, managing and providing an Intelligence Risk Management capability for some of the world's leading brands across multiple business sectors. Brad started his career in the British Army as an Intelligence Operator working alongside multiple specialist units and Five Eyes nations in the UK and overseas, with a significant focus on the Eurasia and MENA regions.
Michael DeBolt: Biography coming soon.
As Vice President of Intelligence Collection Management, Joseph Harris oversees Intel 471’s globally diverse team of subject matter experts working directly with clients to ensure their intelligence needs are met proactively and assisting them in actioning high-fidelity information from the criminal underground. Joseph’s focus is on continuing to build a best-in-class team based on Intel 471’s “practitioner-to-practitioner engagement model” which generates long-lasting, value-driven relationships between his team and those they work with. With a background as Head of Cyber Threat Intelligence for a UK high street retail bank and years of experience working closely with law enforcement and government agencies, he is able to use this experience to achieve effective outcomes in mitigating harm and assisting organisations in optimising their cyber security strategies.
Freddy Murstad is the senior threat intelligence analyst at the Nordic Financial CERT (NFCERT) in Norway and serves 200+ financial institutions in the Nordics with threat intelligence, reports, and analysis on threat actors. He shares his knowledge on intelligence analysis and intelligence processes and focuses on bridging the gap between strategic and tactical analysis for his stakeholders. Currently, Freddy is doing basic research in preparation for a PhD in the cross-section of intelligence analysis and cybersecurity.
November 1, 2022 14:00-16:00, November 1, 2022 16:15-18:00
Lincoln Kaffenberger (Deloitte Global, US)
Are you thinking about getting a threat intel platform, or have you recently got one? Or have you had one and found yourself frustrated or disillusioned by it not living up to the promises of solving threat intelligence problems? You’re not alone. This talk will share 10 lessons learned the hard way from years of using various threat intel platforms. Whether it's dealing with various engineering challenges, difficulties in conducting analysis in a TIP, or getting people to actually use it, the troubles that can come with TIPs have made us at times question ‘why do we bother’. BUT! Through these challenges (and enough persistence) we came to a place where we no longer hate our TIP and have hope that we may even like it someday. After this talk, you will be better positioned to actually get real value out of whatever TIP you choose…and probably not hate it.
Lincoln Kaffenberger works as the CTI lead for Deloitte Global. He formerly led the CTI team at the International Monetary Fund and spent a decade in the US Army as a Military Intelligence officer. He has over a decade of experience helping organizations understand the threats they face and make informed, risk-based decisions.
November 3, 2022 14:00-14:30
Thomas Chopitea (Google, CH), Alexander Jäger (Google, CH)
Timesketch is an open source forensic tool focused around analyzing timeline data. With more and more data sources available, it gets harder for analysts to focus on the relevant pieces. This talk will give practical examples and tools to automate some aspects and support analysts in their day to day job.
Timesketch is an open source platform focused on analyzing timeline-formatted forensic data. The increasing number of data sources available means modern timelines may contain millions of events, and it has become increasingly difficult for an analyst to reduce that information and extract the dozens of events that will ultimately be relevant to their investigation. This talk will showcase some new Timesketch features that aim to help an analyst make sense of the data and filter out the noise in large timelines - most notably through the integration of various sources of threat intelligence and collective knowledge by means of dfTimewolf, Sigma rules, and integration with third-party threat intelligence platforms such as Yeti and MISP (tbd).
Alexander Jäger is a Senior Security Engineer working in the Incident Management and Digital Forensics team at Google. He is active in various open source projects. He studied technical computer science at the University of Applied Sciences in Mannheim and holds a Dipl.-Ing. (FH). Alexander is the former Chair of the board of directors and CFO of FIRST (Forum of Incident Response and Security Teams). If not in front of a computer you might find him doing a swim-bike-run.
Thomas Chopitea is a forensics investigator and engineer at Google (he used to do work at the CERT of a big financial institution, but he’s fine now). When he’s not writing open source code or hunting down bad actors, he enjoys poking at malware with a long stick and reading up on threat intelligence processes. His long-term professional goal is to automate himself out of a job.
November 2, 2022 14:30-15:00
Robert Haist (TeamViewer, DE)
Since the APT1 report was released in 2013 there has been a steady and increasing stream of public, long-form reporting on cyber security threats. Those finished intelligence reports contain a mix of explanatory text and technical hints to improve network defenses. The ORKL project tries to accumulate every publicly released threat intelligence report and make the knowledge available to defenders as a public archive, through an interactive UI and an API for automated machine-to-machine exchange, as a free web-based service. The dataset normalizes searches across different threat actor and malicious tool naming schemes while retaining source references. The archive is the first building block towards a cyber threat intelligence focused natural language processing (NLP) pipeline that filters current news items to create customizable reports. This project will be released at the FIRST Cyber Threat Intelligence Symposium.
Robert Haist is the CISO at TeamViewer with more than 10 years’ experience in incident response, digital forensics, and threat intelligence. He holds an MSc with distinction in Advanced Security and Digital Forensics from Edinburgh Napier University and is interested in research around threat intelligence and open-source software to help defenders watch over their networks.
November 3, 2022 13:30-14:00
MD5: e5847d19de7bd03f344730b1ca17a798
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.54 Mb
Ilin Petkovski (Red Hat, CZ)
So your organization has a cyber threat intelligence program and you are disseminating intelligence products to your teams, great! But how effectively does your Incident Response team harness your intelligence insight, indicator enrichment, integrations, tactical or finished intelligence products?
In this presentation we are going to talk about some technical and organizational challenges that CTI teams commonly face in their attempt to deliver consistent threat intelligence wins to Incident Responders. Going beyond these challenges, we are going to demonstrate approaches on how CTI teams can create partnerships and an engaging environment with Incident Response teams, such as establishing a Threat Hunting program, fostering collaboration for RFIs, improving indicator enrichment processes and other joint projects which improve visibility into the CTI process.
We are strong believers that the success of threat intelligence is not just around the finished intelligence product, but also in enabling Incident Responders to effectively leverage threat intelligence outcomes.
Ilin Petkovski is a manager of the Red Hat CTI team. In the past 10 years he has held roles within cyber threat intelligence, incident response and digital forensics, focusing on threat research, threat hunting, malware analysis and incident detection.
November 2, 2022 15:30-16:00
Hendrik Adrian (LACERT/LAC Tokyo, JP), Takehiko Kogen (LAC/LACERT Tokyo, JP)
We would like to share a cyber threat report on the activity of a recent, ongoing web skimming threat that has been systematically targeting vulnerable e-commerce sites to steal the credit card and personal information (PII) of the affected sites’ customers. We call this cyber threat web skimming as a metaphor for physical credit card skimming, carried out in the online environment. Unlike a phishing scheme, the web skimming actors actually carry out cyber attacks against specific e-commerce sites using new vulnerabilities, tampering with the sites and implanting malicious code to reach what they are after, and the adversaries in this case have cleverly hidden their malicious traffic behind legitimate cloud services and protections, which made the threat hard to notice, detect and investigate. In this presentation we will disclose in detail how the adversaries work with their tools, what kinds of e-commerce sites are being targeted and how credit card and customer information is accessed by the adversaries, along with methods to mitigate similar attacks in the future that will help e-commerce sites, tools and customers. For cyber threat intelligence purposes we will add information about the adversaries’ source.
Hendrik Adrian is the representative of FIRST Team LACERT and co-chair of the FIRST CTI SIG and FIRST NETSEC; he works as a senior cyber threat intrusion analyst at the Cyber Emergency Center. Hendrik supports the Japanese government in various educational security lecture activities at IPA, i.e. Security Camp and CyberCREST, and he puts considerable effort into national and international security communities as an active lecturer and speaker at various conferences. His known malware analysis contributions to the security community are listed on Wikipedia at https://en.wikipedia.org/wiki/MalwareMustDie
Takehiko Kogen started his security career at JSOC as an analyst in charge of analyzing malicious traffic from proxies and firewalls, writing threat detection signatures for ArcSight and Splunk systems. Since 2018 Takehiko has been supporting the malware analysis team and SOC operations from the Cyber Emergency Center in LAC/LACERT. He works on threat intelligence to disseminate and share malvertisement information. His threat analysis contributions are recorded in LAC Watch at https://www.lac.co.jp/lacwatch/
November 3, 2022 11:00-11:30
MD5: 539223f8f2853616686a27fb469c195a
Format: application/pdf
Last Update: June 7th, 2024
Size: 12.78 Mb
James Chappell (Digital Shadows, GB)
Cyber Threat Intelligence has existed as a concept for a long time. It was publicly discussed at First.org in 2004 (https://www.first.org/resources/papers/conference2004/c14.pdf), with the last 10 years seeing a vigorous discussion on the benefits, disadvantages, application, and practical implementation of the term. Many saw its introduction as an unhelpful marketing buzzword, yet today we have a healthy community of practitioners all working to ensure that organisations can benefit from these capabilities. Having spent the last couple of decades working in information security and the most recent one working in the commercial sector, I've collected together some observations about the journey we've been on. This is also a good time to check in on where we think our industry's capabilities are heading and what we could expect for the next decade, or at least try to forecast it.
James Chappell has led teams in InfoSec and Cybersecurity since 1997, working across commercial and government organisations, helping them to understand the threat and technical aspects of securing modern digital business. James spent 10 years of his career as a security architect and head of profession at a UK consulting firm. He has previously worked in roles across the telecommunication sector in the USA. Throughout, James has been fascinated by innovative ways of counteracting the growth of espionage, crime and fraud in computer networks and developing effective ways of managing the security big picture. In 2011, this journey led to the founding of Digital Shadows, a specialist in threat intelligence and digital risk. James is the co-chair of FIRST’s Cyber Threat Intelligence SIG, a regular speaker at conferences, and regularly quoted in the press.
November 2, 2022 09:10-09:45
Gert-Jan Bruggink (Venation, NL)
Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you try to convey answers to intelligence requirements as effectively as possible. Channel your inner artist, if you will. This could for example be building a periodic briefing or a yearly write-up. Still, what makes a good threat landscape? What essential information should it contain? What works?
In this talk, I will share best practices, tips, tricks and my happy accidents when creating a threat landscape intelligence product. This is based on years of building these products, in different formats and for different stakeholders.
This talk provides cyber threat intelligence teams with the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape products. It also covers creating a larger narrative around cyber threats to support both business and senior stakeholder decision making and to drive security investment.
Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.
November 2, 2022 11:15-11:45
MD5: cd761e10c796d040088ab12551957462
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.14 Mb
Freddy Murstad (Nordic Financial CERT, NO)
This talk aims to demonstrate that "vanity metrics", such as showcasing how many alerts the team has dealt with, have no actual value for management other than to dazzle unwitting stakeholders and to wrongly show how "effective" the cybersecurity program is.
Through this talk I will try to shine a light on the vanity of measuring for show rather than for value. I will try to illustrate what to measure, why we measure it (value), where we can get those essential metrics and possible suggestions on how to present them. And lastly, I will try to illustrate that having a good plan and structure from the get-go, by using the intelligence cycle, is instrumental in achieving a good starting point for doing metrics well.
Freddy Murstad is the senior threat intelligence analyst at the Nordic Financial CERT (NFCERT) in Norway and serves 200+ financial institutions in the Nordics with threat intelligence, reports, and analysis on threat actors. He shares his knowledge on intelligence analysis and intelligence processes and focuses on bridging the gap between strategic and tactical analysis for his stakeholders. Currently, Freddy is doing basic research in preparation for a PhD in the cross-section of intelligence analysis and cybersecurity.
November 2, 2022 16:00-16:30
MD5: 76c797b6930f236ba5862c41d0813f4e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.67 Mb
Thomas Kinsella (Tines, IE)
Security teams are being prevented from doing their best work. While understaffing and low budgets have always been challenges for any type of team, security teams are uniquely affected by repetitive, manual tasks, which in turn keep them from working on higher-impact projects that contribute to their organization’s overall security posture. This presentation will share the data from an in-depth survey of the day-to-day struggles of security analysts, as well as greater context on the groups surveyed and the methodology used. It’s no surprise to learn that 71% of analysts are experiencing some level of burnout and 64% say they’re likely to switch jobs in the next year. Our research goes further to break down the causes of burnout and how to alleviate it to improve employee retention. Our research shows that while most security personnel love their jobs and feel respected and valued, turnover in these roles continues to be very high. While there are obvious factors such as understaffing, this presentation will focus more on the specific work factors analysts say cause them to lose their zeal and motivation.
Thomas Kinsella is Co-founder and COO of Tines, a no-code automation platform for security teams. Before Tines, Thomas Kinsella led security teams in companies like Deloitte, eBay and DocuSign. As COO, Thomas is responsible for customer success, professional services and more. Thomas has a degree in Management Science and Information Systems Studies from Trinity College in Dublin.
November 3, 2022 09:10-09:40
MD5: b3d99f543be527ea366fb2b47bdfe6b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 13.14 Mb