FIRST Regional Symposium
| Time | Talk | Speaker |
|---|---|---|
| 08:00 – 17:00 | Registration – Diamond Ballroom Foyer (level 3) | |
| 09:00 – 09:30 | Opening Remarks | |
| 09:30 – 10:00 | | Yan Hanbing (CNCERT, CN) |
| 10:00 – 10:30 | | Vicky Ray (Unit 42) |
| 10:30 – 11:00 | Coffee & Networking Break – Diamond Ballroom Foyer | |
| 11:00 – 11:30 | Sysmon Log Analysis Tool – Sysmon Search | Wataru Takahashi (JPCERT/CC, JP) |
| 11:30 – 12:00 | Case Study on IoT Botnet in Post-Mirai Era | Wan Li (Hikvision Network and Information Security Laboratory) |
| 12:00 – 14:00 | Lunch Break | |
| 14:00 – 14:30 | Threat Intelligence Application for Fighting Against Black Industry Chain | Mantai A. (Eversec) |
| 14:30 – 15:00 | | Wei-Chea Ang, In-Ming Loh (MWR InfoSecurity) |
| 15:00 – 15:30 | Unknown Threat Detection – The Key Ability of APT Defense | Tian Tian (ZTE) |
| 15:30 – 16:00 | Coffee & Networking Break – Diamond Ballroom Foyer | |
| 16:00 – 16:30 | Leverage OSINT to Trace APT Group | Bowen Pan (360 Enterprise Security Group) |
| 16:30 – 17:00 | FIRST Membership Information and Update | Martijn van der Heide (ThaiCERT) |
| 17:00 – 17:05 | Closing Remarks | |
| 18:00 – 20:00 | | |
| Time | Training 1 | Training 2 |
|---|---|---|
| 09:00 – 17:00 | Toomas Lepik | Malware Analysis When You're In A Hurry (Hinne Hettema) |
Vicky Ray (Unit 42)
Vicky is a Principal Researcher in Unit 42, the Threat Intelligence Team of Palo Alto Networks, where his research focuses on cybercrime and cyber espionage campaigns. Vicky is also assigned to INTERPOL IGCI as a cybercrime expert to collaborate on investigations coordinated by INTERPOL.
Prior to joining Palo Alto Networks, he led the APAC Cyber Incident Response team at Barclays, where he was actively involved in identifying and responding to targeted attacks, analyzing unknown malware and attributing attacks to threat actors.
Vicky has assisted law enforcement agencies globally by providing actionable intelligence on threat campaigns that was key in identifying cyber criminals, and has extensive experience in building and managing CERT and SOC teams. He is also a member of the global Honeynet Project.
Vicky holds a Master's degree in Information Systems from Nanyang Technological University, a Bachelor's degree in Computer Applications from Bangalore University and various SANS GIAC certifications.
Starting in mid-2016 and continuing through today, law enforcement organizations continue to shine a spotlight on these types of attacks. In May 2017, the FBI released a public service announcement identifying an increase of 2,370% over a two-year period, with exposed losses for the same period estimated between $3 and $5 billion. In this talk, we propose to discuss the processes and results of applying advanced analytics to a dataset of more than 30,000 malware samples collected over a period of three years. This analysis enabled us to attribute over 300 actors or groups associated with nearly half a million attacks against our customers.
We observed actors using 15 separate commodity malware tools in support of modern BEC schemes. In the past year alone, they conducted an average of 17,600 attacks per month, a 45 percent increase from 2016. These attacks span all major industry verticals and target businesses rather than individuals. These actors have learned how to employ commodity malware tools to realize lucrative returns. Given the size and complexity of this data set, we will present techniques that can be applied to enable large-scale, low-resource attribution efforts. In practice these techniques have proven successful in identifying SilverTerrier infrastructure and proactively informing network defence postures.
October 25, 2018 10:00-10:30
Wan Li (Hikvision Network and Information Security Laboratory)
Few sophisticated attack methods were used by most botnets during the Mirai outbreak period; instead, attackers preferred brute-force attacks.
However, new botnets in the post-Mirai era take on different characteristics. Attackers swiftly take advantage of various disclosed vulnerabilities to perform attacks, gradually abandoning the single attack pattern of exploiting Telnet passwords. Because of the long tail effect, joint efforts must be made by manufacturers, security communities and supervisors to deal with the challenges of evolving IoT botnet threats.
October 25, 2018 11:30-12:00
Toomas Lepik
Course Level: Intermediate
Intended Audience: CSIRT team members, SOC analysts, network engineers, IPv6 enthusiasts
Pre-requisites: A laptop with at least 8 GB of RAM and VirtualBox installed.
For this course you should know: IPv4 and IPv6 networking basics; basic security concepts; for the labs, the CLI and Linux command-line tools.
This one-day course provides an overview of the most relevant IPv6 security and dual-stack security topics. You will gain insight into best practice and a high-level understanding of the most pressing IPv6 security concerns today. The course includes theory and hands-on exercises, and is mainly based on the RIPE IPv6 security course.
October 26, 2018 09:00-17:00
Bowen Pan (360 Enterprise Security Group)
Bowen is a Senior Threat Analyst at 360 Enterprise Security Group. He has been a security professional for over 5 years. His research focuses on APT investigation and threat intelligence. He was the first to discover PoisonCake, a well-known Trojan, and is the author of "Underground Economy of DarkMobileBank".
APT attacks are a major security concern for private organizations and states, since they can gain access to sensitive data and cause other unpredictable consequences. For security analysts, APT attacks are not easy to detect and trace because threat intelligence is limited.
This presentation will introduce our practical methods of tracing APT groups by leveraging Open Source Threat Intelligence (OSINT), as well as a summary of common APT attack vectors and trends in 2018 1H.
Presentation Outline
An introduction of useful OSINT for APT research
OSINT is always a good friend to the security analyst. Some OSINT sources can benefit APT research, such as collecting IOCs, tracing actors, and so on. We will share our 'secret recipe' from OSINT practice.
Practical threat hunting skills for tracing APT groups
First, we will go through several theories of threat intelligence and threat hunting that serve as guidelines for analysts. Then we will share several hunting and tracing skills based on our hands-on experience.
Landscape summary of APT attacks in 2018 1H
We conducted a study of six months (2018 1H) of APT attack data from the 360 Threat Intelligence Center. Our study aims to illustrate the evolution of the Tactics, Techniques and Procedures (TTP) of active APT groups, the targets attacked, and so on.
October 25, 2018 16:00-16:30
FIRST-Shanghai-Leverage-OSINT-to-Trace-APT-Group-Bowen-Pan.pdf
MD5: f158704b68741adb15f46b83715b2115
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.9 Mb
Hinne Hettema
Course Level: Beginner
Intended Audience: CSIRT team members, SOC analysts
Pre-requisites: A laptop with 8 GB of RAM and VirtualBox installed.
In this one-day course you will learn rapid triage of malicious content and the next steps to take. These steps can be taken by a small team when targeted by specific malware. After completing this process you can hand off to your AV vendor with a summary of your findings and links to any reports you have generated, and also put some protection in place immediately.
The aim is to complete this process in about 30 minutes, have a definite answer as to whether something is malware or not, give your AV vendor enough to go on as a starting point, share your findings with colleagues and clearly inform your business about the threat of this specific malware.
After this course, you will be able to:
The course is targeted at beginners in malware analysis and those who need to make sense of the many tools available in this area.
October 26, 2018 09:00-17:00
Yan Hanbing (CNCERT, CN)
Han-Bing YAN obtained his Ph.D. from the Department of Computer Science and Technology, Tsinghua University, China in 2006. He now works in the National Computer Network Emergency Response Technical Team/Coordination Center of China. His research interests include cyber security, image analysis and computer graphics. (Email: yhb@cert.org.cn)
Routing security has faced more and more challenges in recent years. Several incidents have seriously threatened the Internet, such as the Telegram hijacking, the Amazon hacking and the Google leakage. There have been several proposed solutions for routing security: RPKI, BGPsec, soBGP, ROVER and others. Though RPKI is deployed in some regions, it cannot solve all of the problems in Internet routing, while BGPsec is advancing very slowly.
CNCERT protects routing security in two ways: 1. Collecting and analyzing BGP data in China, and trying to detect and handle routing incidents as soon as they occur. 2. Pushing the research and deployment of routing authority measures in China, such as RPKI and BGPsec.
October 25, 2018 09:30-10:00
Wataru Takahashi (JPCERT/CC, JP)
Wataru was previously engaged in security system integration and service development at an IT vendor, where he gained expertise in securing servers and controlling access to them. He joined JPCERT/CC in October 2016 and has since been committed to malware analysis and forensics, especially dealing with ever-evolving malware and attack techniques with a persevering attitude.
OS events in the logs such as running applications, created registry entries and network communication. Most commonly, analysts convert Sysmon logs into text format and search for specific events; however, it is difficult to investigate multiple devices simultaneously this way.
For more efficient investigation, JPCERT/CC has developed and released a system, "Sysmon Search", which consolidates logs and enables faster and more accurate log analysis. This system visualizes Sysmon logs to describe the relations between processes and network activity. Furthermore, with its log search and monitoring functions, it helps identify infected devices by malware hash value and C&C server host name, so that incidents can be detected at an early stage. This presentation will describe the details of this tool.
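As an added illustration of the consolidation and search the abstract describes (this is not JPCERT/CC's Sysmon Search code), the following Python groups constructed Sysmon-style events from several hosts, links processes through their parent process IDs, and flags hosts by a known malware hash or a C&C host name. The event layout, hashes and host names are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed Sysmon-style events exported from three hosts (placeholder values).
# Event ID 1 = ProcessCreate, 3 = NetworkConnect, 22 = DnsQuery.
EVENTS = [
    {"host": "PC-01", "id": 1, "pid": 400, "ppid": 300, "image": "C:\\Windows\\explorer.exe", "sha256": "aaaa0001"},
    {"host": "PC-01", "id": 1, "pid": 512, "ppid": 400, "image": "C:\\Users\\u\\invoice.exe", "sha256": "bad0beef"},
    {"host": "PC-01", "id": 22, "pid": 512, "query": "c2.example-placeholder.test"},
    {"host": "PC-01", "id": 3, "pid": 512, "dst_ip": "203.0.113.5", "dst_port": 443},
    {"host": "PC-02", "id": 1, "pid": 700, "ppid": 300, "image": "C:\\Windows\\explorer.exe", "sha256": "aaaa0001"},
    {"host": "PC-02", "id": 1, "pid": 800, "ppid": 700, "image": "C:\\Program Files\\app\\app.exe", "sha256": "aaaa0002"},
    {"host": "PC-02", "id": 3, "pid": 800, "dst_ip": "198.51.100.9", "dst_port": 443},
    {"host": "PC-03", "id": 1, "pid": 900, "ppid": 300, "image": "C:\\Users\\v\\update.exe", "sha256": "bad0beef"},
]


def consolidate(events):
    """Group events per host: a process table keyed by pid, plus the network
    connections and DNS queries attributed to each pid."""
    hosts = defaultdict(lambda: {"procs": {}, "net": defaultdict(list), "dns": defaultdict(list)})
    for e in events:
        h = hosts[e["host"]]
        if e["id"] == 1:
            h["procs"][e["pid"]] = e
        elif e["id"] == 3:
            h["net"][e["pid"]].append((e["dst_ip"], e["dst_port"]))
        elif e["id"] == 22:
            h["dns"][e["pid"]].append(e["query"])
    return hosts


def process_chain(host, pid):
    """Follow ParentProcessId links to render a process's ancestry."""
    chain = []
    while pid in host["procs"]:
        chain.append(host["procs"][pid]["image"])
        pid = host["procs"][pid]["ppid"]
    return " <- ".join(chain)


def find_infected(hosts, bad_hashes=(), c2_hosts=()):
    """Return {hostname: [reasons]} for every host where a process matches a
    known malware hash or resolved a known C&C host name."""
    hits = defaultdict(list)
    for name, h in hosts.items():
        for pid, p in h["procs"].items():
            if p["sha256"] in bad_hashes:
                hits[name].append(f"hash {p['sha256']}: {process_chain(h, pid)}")
            for q in h["dns"].get(pid, []):
                if q in c2_hosts:
                    hits[name].append(f"dns {q}: {process_chain(h, pid)}")
    return dict(hits)


if __name__ == "__main__":
    print(json.dumps(find_infected(consolidate(EVENTS), {"bad0beef"}, {"c2.example-placeholder.test"}), indent=1))
```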
October 25, 2018 11:00-11:30
FIRST-Shanghai-Sysmon-Search-Wataru-Takahashi.pdf
MD5: 5e8c04b66816ebfcfd5f28b99ae71b7a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.48 Mb
Wei-Chea Ang, In-Ming Loh (MWR InfoSecurity)
Wei Chea ANG is a Senior Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He has nine years of experience in information security and has worked in security operations and threat hunting for two global Fortune 200 organizations.
In Ming LOH is a Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He currently holds OSCE and OSCP accreditation and was previously a software developer. His major interests are attack detection and prevention.
Traditional methods of attack detection have failed us. Threat hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior on the assumption that networks are already compromised.
We'll cover our approach to real-world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of real-world attack scenarios we have personally encountered, we'll show you how essential and effective it is to build threat hunting scenarios into your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.
October 25, 2018 14:30-15:00
FIRST-Shanghai-Threat-Hunting-The-New-Way-Wei-Chea-Ang-In-Ming-Loh.pdf
MD5: 89d35ab922619905243f502823c275da
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.12 Mb
Mantai A. (Eversec)
Over 10 years of working experience in the cyberspace security industry, with extensive experience in R&D (5+ years) and product solution team management (60+ staff). In-depth insight into product R&D, operations, process asset management, risk control, etc. Head of the Security Research Institute (one of the three fundamental research institutes in Eversec) and founder of Everlab; drives key system accomplishments including the Evereye App (threat intelligence mining engine), the App security assessment system, the App malware detection system, and EverWDs.
During the rapid development of the Internet, a very large underground black industrial chain has been spawned, driven by the Internet's characteristic openness and integration.
According to estimates, China's "network black production" has more than 1.5 million participants, and its market scale is over 100 billion. In 2017, personal information was leaked on the black market 9.6 billion times; on average, each person in China had their personal information leaked at least 5 times. Black production and gray production are intertwined, forming a huge industrial chain that makes the network security situation complicated. How to combat the black industry chain is receiving more and more attention.
The famous hacker Redrain once said at the Kcon conference: "The hacker industry chain is an industrial chain that acquires resources illegally and seeks economic benefits through hacking techniques."
The core ecosystem of the current black industry chain contains traffic acquisition and distribution, traffic monetization and user privacy data. Classified by the environment in which it operates, mainstream black industry can be divided into mobile black production, which is currently the more harmful, and PC black production.
With the influence of mobile applications surpassing that of computer applications, the main Internet black production industry chain has also migrated to mobile platforms. Cell phone charge fraud, malicious mobile advertising, mobile application distribution, and APP promotion black products are the most typical. These mobile black product industries have brought huge economic losses to users and software developers.
The traditional offensive and defensive strategy is now unable to compete effectively with the current black production forces. Security researchers at Eversec believe that threat intelligence gathering, risk detection and threat perception will be the three most effective strategies in the new confrontation model, and that they will allow defenders to know the adversary in the process of combating black production.
During black production discovery, threat intelligence can effectively discover black resources, then accumulate and update in real time the black IPs, black cards, bulk-registered accounts, stolen accounts, malicious traffic, etc. that have been leaked and are already in use.
During risk detection, threat intelligence can track and monitor the production, dissemination and attack process of the black industry chain in real time, and understand the victims and the development process of the black product.
During the confrontation, intelligence gathering and analysis can effectively reconstruct the profit model and attack methods of black products for targeted countermeasures. For example, through intelligence and data analysis we can learn the attacker's purpose, and from that obtain the attack process and mode of action, so that multi-dimensional countermeasures can be applied. Moreover, a risk detected in scenario A can be acted upon in scenario B, so that the attacker cannot work out the pattern or probe the detection logic. What is missed at the entry point can still be caught at the exit point. If not every fraudulent registration is intercepted at sign-up, then when such a registration is detected later, the one-time users who bind a card to grab red envelopes and withdraw cash can be handled immediately: mark them with a high-risk label, raise the cash-out threshold, and so on.
During source tracing, threat intelligence can trace IP addresses, geographical location and virtual identity accurately and in real time, immediately trace back to the real identity, producers and distributors, and help the regulatory authorities crack down on black sources.
October 25, 2018 14:00-14:30
Tian Tian (ZTE)
Tian graduated from TU Dortmund in Germany, majoring in Electronic Information Engineering, and worked at Infineon Technologies AG in Germany as a wireless sensor network R&D engineer before joining ZTE Corporation in 2009. She is a senior system architect and product expert with more than 10 years of experience in the telecommunications and security area, and has worked on 3GPP SA3 and IETF standards for several years. She has been involved in pre-research in various fields, such as IMS security, M2M security, WLAN and SDN/NFV, and holds more than 10 granted patents in Europe and the US. She is now the APT project manager at ZTE and has more than 3 years of experience in anti-APT solution and product development, which includes an advanced threat cloud analysis platform, an Email/Web advanced threat prevention system and a cyber behavior analysis system.
When talking about advanced cyber attacks, the APT, I couldn't help thinking of one man, Kevin Mitnick, who is the world's most famous hacker. His book The Art of Deception is a classic of social engineering. He wrote in his book, I cannot remember the exact words, to the effect that people are the weakest link in the whole security defense system. As long as people exist, there must be vulnerabilities. As long as you have assets and value, you may become the target of an APT attack. Nowadays organizations and companies increasingly expect that it's not a question of if they will be compromised, but rather when they will be compromised. What I'm going to share today is a technical perspective on where and how to detect unknown threats, and our practice at ZTE Corporation.
October 25, 2018 15:00-15:30
FIRST-Shanghai-Unknown-Threat-Detection-TianTian.pdf
MD5: bd5a9a5ca3788716417bab798859cba8
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.4 Mb