Times below are reflected in UTC. Please check your local times.
Summit Day 1 - all times in UTC
Summit Day 2 - all times in UTC
Summit Day 3 - all times in UTC
Summit Day 1 - all times in UTC | |
---|---|
13:00 – 13:05 | |
13:05 – 13:35 | OSINT In the Box on DFIR Investigations with Tsurugi Linux Giovanni Rattaro (Vectra AI); Marco Giorgi (Freelance) |
13:35 – 14:00 | US Adventures in Open DNS Resolution: Threat Intelligence for the Public Good John Bambenek (Bambenek Consulting, US) |
14:00 – 14:30 | US Special Sauce: The Bespoke Specialization of Cybercriminals Brandon Levene (Google, US) |
14:30 – 15:00 | TW Targeting Critical Infrastructure - Ransom as a Smokescreen CK Chen, Minsky Chan (CyCraft Technology, TW) |
15:00 – 15:30 | LU Alexandre Dulaunoy , Jean-Louis Huynen (CIRCL, LU) |
15:30 – 16:15 | Initial Access Brokers – An Excess of Access for Ransomware Operators James Chappell |
16:30 – 17:00 | US [TLP:AMBER] To the Moon! The Cyber Kill Chain Meets Blockchain Jacqueline Koven (Chainalysis, US) |
Summit Day 2 - all times in UTC | |
---|---|
13:00 – 13:05 | |
13:05 – 13:50 | JP Relation Between Multiple Malvertisement Methods of Zloader Malware Takehiko Kogen (LAC/LACERT, JP, JP) |
14:00 – 14:30 | DE NO A Datamodel for Enabling Automation in Knowledge Representation and Exchange Dr. Martin Eian, Fredrik Borg, Geir Skjøtskift (mnemonic); Morton Swimmer (Trend Micro, DE); Siri Bromander (mnemonic as, University of Oslo, NO) |
14:30 – 15:00 | TW DE Red Flags in Analyzing Hosting Infrastructure Dr. Fyodor Yarochkin (Trend Micro, TW); Vladimir Kropotov (Trend Micro, DE) |
15:00 – 15:30 | US Krassimir Tzvetanov (Purdue University, US) |
15:30 – 16:00 | CTI Analyst’s Guide to Threat Based Prioritization of Security Improvements Bence Horvath (Ernst & Young); Robert Moody (The Home Depot) |
16:00 – 16:30 | NL [TLP:AMBER] RTM: Sink-Holing the Botnet Rustam Mirkasymov (Group-IB, NL) |
16:30 – 17:00 | US Conceptualizing a Continuum of Attribution Joe Slowik (DomainTools, US) |
Summit Day 3 - all times in UTC | |
---|---|
13:00 – 13:05 | |
13:05 – 13:50 | Vicente Diaz (VirusTotal - Google) |
14:00 – 14:45 | US John Grim (Verizon, US) |
15:00 – 15:45 | Intelligence is Good. Requirements-Driven Intelligence is Better Maurits Lucas (Intel 471) |
15:30 – 17:00 | US Krassimir Tzvetanov (Purdue University, US) |
Siri BromanderDr. Martin Eian (mnemonic), Fredrik Borg (mnemonic), Geir Skjøtskift (mnemonic), Morton Swimmer (Trend Micro, DE), Siri Bromander (mnemonic as, University of Oslo, NO)
For a strong, collective defense in the digital domain we need to produce, consume, analyze and share cyber threat intelligence. With an increasing amount of available information, we need automation in order to ensure adequate efficiency. We propose a strict data model for cyber threat intelligence which enables consumption of all relevant data, data validation and analysis of consumed content. The main contribution of this presentation is the strictness of the data model which enforces input of information and enables automation and deduction of new knowledge.
Siri Bromander works as part of the Research and Development team at mnemonic. She holds a PhD from the University of Oslo and a MsC in Telematics/information security from NTNU. She has worked in mnemonic since 2008 and has more than 12 years of work experience in IT security and information security research roles, including serving as Security Manager at mnemonic for five years.
Dr. Martin Eian is the Head of Research at mnemonic, and he is the Project Manager for the research projects "Semi-Automated Cyber Threat Intelligence (ACT)" and "Threat Ontologies for CyberSecurity Analytics (TOCSA)". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. He has previously presented ACT workshops at the FIRST Conference and at the FIRST CTI Symposium.
April 20, 2021 14:00-14:30
John Bambenek (Bambenek Consulting, US)
There is an increasing number of open public DNS resolvers but very few provide any meaningful protection or operate under a public benefit model. This talk will explore the possibilities of the possibilities of integrating high-quality threat intelligence into a public open resolver and the data that can be mined from that to better identify new threats, identify active threats within specific geographies, and to help CERTs better serve their constituencies and make the Internet safer for their citizens.
John Bambenek is President of Bambenek Labs, a global threat intelligence firm. He has over 20 years of information security experience and has spent the last 8 years developing automated tools to track cybercrime networks. He is currently finishing his PhD in cybersecurity machine learning at the University of Illinois at Urbana-Champaign.
April 19, 2021 13:35-14:00
Joe SlowikJoe Slowik (DomainTools, US)
Few topics in the field of Cyber Threat Intelligence (CTI) prompt as much passion and debate as the concept of threat attribution. From numerous conference talks to blogs and papers to application in CTI analysis, the question of threat attribution repeatedly emerges, yet typically manifests in a very binary fashion. Whereas attribution, as will be discussed in this presentation, represents various gradations, most discussion limits itself to binary “yes or no” discussions as to the value and need for CTI attribution—when the actual answer (as with most things in CTI) is, “it depends.” In this presentation, we will explore a concept of attribution that moves the CTI community away from binary conceptions of CTI attribution value and instead approaches a continuum of attribution types. In doing so, multiple possibilities emerge for CTI attributive statements, of different values and significance for different parties—as well as different degrees of relevance for those who wish to make such statements. Through this discussion, we will examine the relative value of different types of statements, and why some positions along the emerging continuum of attribution types may be less than desirable for all parties, and best avoided.
Joe Slowik currently performs threat research for DomainTools with an emphasis on state-directed cyber operations and critical infrastructure threats. Previously, Joe conducted ICS-focused threat research for Dragos and led incident response operations at Los Alamos National Laboratory.
April 20, 2021 16:30-17:00
Bence Horvath (Ernst & Young), Robert Moody (The Home Depot)
A tried and proven approach taken by the speakers involves the mapping of real world threats to security improvement initiatives such as the bolstering of “Hardening” and “Detective” capabilities. During the presentations the speakers will walk the audience through a hypothetical scenario designed to show case their methodology. The speakers will discuss the most efficient way to interview business stakeholders to gain an in depth understanding of business priorities and the organization’s crown jewels.
The speakers will then pivot to discuss the best approach for CTI analysts to identify the most relevant cyber-adversaries for their organization’s region and sector. From cyber-adversary selection, the speakers will then captivate the audience by deep diving into how a CTI team can perform an effective threat modeling exercise and discuss how leveraging a common threat centric lexicon will ensure the success of the exercise. Lastly, the speakers will broach the topic of risk with the audience. The speakers will discuss how an organizations appetite for risk may affect a CTI team’s methodology for risk classification for potential attack scenarios.
Bence Horvath is a seasoned cybersecurity executive focused on next-generation cyber defense and intelligence-led offensive operations. Bence works currently as a Director at Ernst & Young based in the UK. He has an MBA from ie Business School, an M.Sc. in business information systems from the Corvinus University, and holds CRTIA, CISSP and CISM certifications. His background includes working in telecommunication, aerospace and defense, financial services and consulting. Please let us know if you need any more information.
Robert A. Moody is a cyber threat intelligence and digital forensics expert, currently working as System Engineering Manager overseeing the Cyber Threat Intelligence team at The Home Depot. Robert leads a team charged with monitoring the Threat Landscape for all of North of America. Robert holds the Certified Information Security Manager (CISM), Certified Information System Auditor (CISA), Certified Data Privacy Solutions Engineer (CDPSE), and a Crest Registered Threat Intelligence Analyst (CRTIA) certifications, and has a Master’s degree in Cybersecurity from IE University. He has a background working in critical infrastructure sectors including manufacturing, banking, finance, telecommunication, retail, and energy.
April 20, 2021 15:30-16:00
Alexandre DulaunoyJean-Louis HuynenAlexandre Dulaunoy (CIRCL, LU), Jean-Louis Huynen (CIRCL, LU)
CSIRTs/CERTS, like CIRCL, are regularly tracking, monitoring and disturbing botnet networks. This can be a tedious task for incident responders. We will release the threat intelligence related to a large coin-mining threat-actor(s) during this talk. Excel sheets don’t scale anymore and this case showed to us when to automate and where the benefit from proper tooling is a gain for a team.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
Jean-Louis Huynen is a security researcher at CIRCL. He works on threat detection/intel and the development of tools to support incident response, Previously he collaborated with LIST-- Luxembourg Institute of Science and Technology (LU)--to the development of a Mixed Reality platform for the training for Security Critical Agents (mainly on firearms events and CBRN incidents). Previous research works (and his PhD) at SnT--Interdisciplinary Centre for Security, Reliability and Trust (LU)--focused on the usability of security systems and root cause analysis techniques for investigating security incidents.
April 19, 2021 15:00-15:30
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
Over the past 5 years, the term ‘fake news’ has become more and more common. Previously referred to as propaganda, or campaigns to influence the thoughts and perceptions of the masses, we now call the same thing ”active measures.” Regardless of semantics, Influence Operations are very real and have existed for centuries; In the exact same way as nailing paper to a door or inventing the printing press, the Communications Revolution of the last half century has again forever changed the method used. What has not changed however, is the strategic objectives of the latest incarnation of the Influencer. Beware of geeks bearing gifts… because of course the ’new’ factor is the geek. With the advent of social media, Influence Operations have acquired a new method of distribution, which is more dynamic, far reaching, and allows better targeting and highly accurate feedback. Although this method is indeed very powerful, it is not what IO is all about. IO is way more than bots on social or mainstream media. Those operations are designed to influence human beings, not bots. While chasing Russian bots on Twitter and Facebook is relatively easy, it does little to deter the end goal of a IO campaign, especially since the objectives are difficult to infer. This makes counteracting an IO campaign and denying it’s objectives particularly difficult. In this talk, the author tries to present the basics in communications theory, to make these concepts accessible to non-practitioners in the field. The presenter will cover the two-step flow of information, gatekeeping, agenda-setting, priming, framing, spiral of silence, echo chambers, and cultivation, as well as the effects of some of the mental processes that these actions have. This talk will stay away from political topics and current events as attitudes towards those topics may interfere with perception. Furthermore, there will be no guilt - i.e., attribution - assigned. The talk is the geek version by a geek who endeavored in social sciences and communication. The hope is that it will make this field more understandable to geeks.
Krassimir Tzvetanov is a graduate student at Purdue University focusing his research on Threat Intelligence, Operational Security Research, and Social Media Influence Operations, in the cyber domain. In the recent past Krassimir was a security architect at Fastly, a content delivery network (CDN) designed to accelerate content delivery as well as serve as a WAF and a shield against DDoS attacks. His current focus is on incident response and investigations, threat intelligence and security systems architecture. In the past he worked for hardware vendors like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation features, product security and security software development best practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc. where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo! Krassimir worked at Google, Inc. as an SRE for two mission critical systems, the ads database supporting all incoming revenue from ads and the global authentication system which served all of the company applications. Krassimir is very active in the security research and investigation community, has a number of contributions to FIRST SIGs, as well as participates in the Honeynet Project. In addition, Krassimir ran the BayThreat security conference and has contributed to a number of other events like DefCon, where he ran the Radio Communications group, and ShmooCon and DC650. Krassimir holds Bachelors in Electrical Engineering (Communications) and Masters in Digital Forensics and Investigations.
April 20, 2021 15:00-15:30
James Chappell
Remote-access software, virtual private networks (VPNs), and other innovations have steadily swelled the remote workforce. As the adoption of those technologies has jumped suddenly and exponentially, threat actors have been quick to find ways to exploit network access tools. Initial access brokers (IABs) are among the threat actors benefitting from this situation, which has elevated their status in the cybercriminal underground to critical. Our photon research team has been tracking these threat actors since 2016, and we’re now witnessing a “perfect storm“: a dramatic increase in remote working and an incredibly successful ransomware monetization model. To better understand this phenomenon and what it means for security practitioners, we analyzed more than 500 access listings between 1 Jan 2020 and 31 Dec 2020, and made some useful discoveries, covered in this research. During this period this research has sought to establish patterns against how organizations come to be targeted, which lead us in turn, to learn more about the opportunistic nature of these targeted operations. In this talk we will explore how initial access brokers appear to be collaborating with these groups, and playing a role in the wide scale exploitation of organizations.
James is the Co-Founder and Chief Innovation Officer at Digital Shadows. He has led teams in InfoSec and Cybersecurity since 1997, working across the private sector and government organizations helping them to understand the technical aspects of information security.
James spent over ten years of his career as a security architect and deputy head of the Information Security profession at BAE Systems Detica; he previously worked at Nortel Networks in the United States. James has always been fascinated by innovative ways of counteracting the growth of crime and fraud in computer networks and developing effective ways of measuring and managing the security big picture. In 2011 this journey led to an exploration of digital footprints, and their impact on the security of the modern business. James is a regular speaker at technology events and cybersecurity conferences across the globe and is regularly quoted in the press.
April 19, 2021 15:30-16:15
Maurits LucasMaurits Lucas (Intel 471)
Many intelligence professionals will have heard of “Requirements driven intelligence” - the approach of establishing Intelligence Requirements as the blueprint of your CTI programme. But how do you operationalise such an approach? In this presentation we introduce a methodology we developed at Intel 471 called “CU-GIRs”, and is publicly available, that allows you to establish Intelligence Requirements by looking at stakeholders and use cases, group and prioritise those intelligence requirements and build collection plans corresponding to the requirements. In this way, the CTI programme can create more measurable value for its stakeholders and can de continually tweaked to increase its effectiveness and efficiency and respond to changing stakeholder demands.
Key Topics:
Maurits Lucas is Director of Intelligence Solutions at Intel 471, where he specialises in bridging the gap between technology and business. Maurits has held various positions in Cyber Threat Intelligence and IT Security over the past 17 years and is a subject matter expert on cybercrime, presenting his research and providing his thought-leadership to distinguished audiences around the world.
April 21, 2021 15:00-15:45
Vicente Diaz (VirusTotal - Google)
Threat Hunting is one of the most popular techniques used by security analysts for all kinds of investigations. It is both science and, to some degree, inspiration. However in the last years the security industry has developed new tools and techniques that can dramatically improve the effectiveness and efficiency of our Threat Hunting. In particular, similarity and automatic Yara generation are key when dealing with large amounts of data. In this talk we learn what´s new in the process of Threat Hunting and showcase how to leverage new techniques available for analysts to step research up to the next level.
Vicente is a specialist in Threat Intelligence and Threat Hunting, and recently joined the VirusTotal team in Google as Threat Intelligence Strategist. He holds a degree in Computer Science and an MsC in Artificial Intelligence. He was e-crime manager in S21sec for 5 years and deputy director for EU in Kaspersky's Global Research and Analysis team for almost 10 years. He was responsible for the APT Intelligence Reporting service.
April 21, 2021 13:05-13:50
Giovanni RattaroMarco GiorgiGiovanni Rattaro (Vectra AI), Marco Giorgi (Freelance)
Tsurugi Linux as DFIR OS/Tool is one of the options that DFIR experts can take to perform their investigations, but there are a lot of tools also for OSINT activities, malware analysis and computer vision investigations. During the talk will be presented this open source project with a particular focus on the "OSINT mode". Some demos will be performed and a new OPSEC feature, available in the next release, will be revealed to the participants. The Tsurugi Linux project is freely available for download on the official website at this address: https://tsurugi-linux.org/downloads.php
Giovanni is a Customer Success Manager for Vectra AI, old italian Backtrack Linux ambassador and ex DEFT Linux developer, now is the Tsurugi Linux team leader and core developer. DFIR instructor in his free time, he has spoken in several international security conferences and he is passionate of many other topics like cyber-threat intelligence investigations, OSINT and interpersonal communication with a particular focus on non verbal ones.
Marco is a freelance digital forensics examiner and computer forensics analyst. Digital forensics expert with interests in mobile forensics, malware analysis, security, deep/dark web. Teacher for forensic trainings for Law Enforcements and professionals. Core team member of Tsurugi Linux and ex DEFT Linux developer.
April 19, 2021 13:05-13:35
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
Krassimir Tzvetanov is a graduate student at Purdue University focusing his research on Threat Intelligence, Operational Security Research, and Social Media Influence Operations, in the cyber domain. In the recent past Krassimir was a security architect at Fastly, a content delivery network (CDN) designed to accelerate content delivery as well as serve as a WAF and a shield against DDoS attacks. His current focus is on incident response and investigations, threat intelligence and security systems architecture. In the past he worked for hardware vendors like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation features, product security and security software development best practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc. where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo! Krassimir worked at Google, Inc. as an SRE for two mission critical systems, the ads database supporting all incoming revenue from ads and the global authentication system which served all of the company applications. Krassimir is very active in the security research and investigation community, has a number of contributions to FIRST SIGs, as well as participates in the Honeynet Project. In addition, Krassimir ran the BayThreat security conference and has contributed to a number of other events like DefCon, where he ran the Radio Communications group, and ShmooCon and DC650. Krassimir holds Bachelors in Electrical Engineering (Communications) and Masters in Digital Forensics and Investigations.
April 21, 2021 15:30-17:00
Vladimir KropotovDr. Fyodor Yarochkin (Trend Micro, TW), Vladimir Kropotov (Trend Micro, DE)
In this presentation we are going to share our experience in investigating underground bulletproof hosting infrastructure and associated threat actors. Namely, we would like to share with the attendees what kind of suspicious artifacts, so called "red-flags" a threat analyst should be paying attention to while analyzing such information. Red flags, based cross correlation of IP-Space and ASNs data: cross matching metadata, connectivity Investigating red flags in associated business operations and investigations. Finding and investigating business attributes of entities registered in post-soviet region, China, off-shore locations
Vladimir Kropotov is a researcher with Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
Fyodor Yarochkin is a researcher at Trend Micro, incident investigation volunteer at Academia Sinica and a Ph.D. candidate at EE, National Taiwan University. An early Snort developer, and open source evangelist as well as a “happy” programmer. Prior to that, Fyodor professional experience includes over eight years as an information security analyst responding to network, security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally.
April 20, 2021 14:30-15:00
Takehiko Kogen (LAC/LACERT, JP, JP)
In Japan, there are a lot of Emotet damages caused by “Email Malvertisement” (in short: MalSpam) that have occurred since December 2019. In addition, the malware downloaded from Emotet has also been changed to Trickbot, Qbot (Qakbot), and Zloader. When Emotet's infection infrastructure disrupted , MalSpam's activity has been carried out to infect other malware like Qbot (Qakbot) and Zloader downloaded from Emotet.
From December 2019, we have confirmed that Zloader malware has been downloaded from Exploit Kit that infects malware by malicious advertisements on the websites. Also, from the end of October 2020, the campaign to distribute Ramnit and Ursnif malware targeting Japan has been switched to use Zloader malware.
Through our Zloader's malware analysis, we can acquire the RC4 key used to decrypt the Zloader’s used modules and multiple elements of Zloader's hardcoded bot and campaign ID. From that information, we can unravel the relationship between MalSpam and the bad actors who use malicious web advertisement campaigns.
We will present our method in analysis supported with statistical information and evidence that can help fellow incident response colleges to dissect the similar threat, and to help the legal authority to adapt and adjust the method for their investigation to stop this malvertisement.
Takehiko Kogen was started to engage in security from JSOC an analyst who was in-charge to analyze malicious traffic from proxies and firewalls, he was writing threat detection signatures for ArcSight and Splunk systems. Since 2018 Takehiko has been supporting malware analysis team and SOC operation from in Cyber Emergency Center in LAC/LACERT. He works on threat intelligence to disseminate and to share malvertisement information.
April 20, 2021 13:05-13:50
Brandon Levene (Google, US)
The world of cybercrime has seen marked evolution throughout its history. While 2020 was a difficult and oftentimes frustrating time for many, cybercriminals thrived by adapting their operations towards increased specialization and bespoke roles. We can roughly divide these roles into the following 4 categories: distribution, breach/access, intrusion, and monetization. This “new order” of cybercrime is no longer purely malware or tool driven but rather focuses on effective tactics and procedures to ensure maximum return on investment from threat actors; oftentimes to devastating effect.
Brandon is the lead cyber crime researcher for Google Cloud's research team, Uppercase. He is responsible for identification, tracking, and countermeasures for all financially motivated threat actors: from targeted to commodity. He is also responsible for strategic level advisory on policies to thwart cyber crime. He is a former SOC Analyst and founding member of multiple Incident Handler, Incident Response, and Threat Research Organizations. Brandon has been a speaker and teacher at multiple international conferences and other, invite only, blue team events and published multiple threat focused publications. Prior to Google (Chronicle) he was a founding member of threat organizations at Salesforce.com and Palo Alto Networks.
April 19, 2021 14:00-14:30
CK ChenCK Chen (CyCraft Technology, TW), Minsky Chan (CyCraft Technology, TW)
One of the largest cyberattacks targeting Taiwan in 2020, was the targeted attack on the CPC Corporation--a largest state-owned petroleum Taiwanese company. While CI(Critical Infrastructure) maintains our daily society operation, attacks to these systems will make a vital consequence. This incident attract a lot of public awareness as it shows threat actors‘ ability to compromise significant systems. As we involved in one investigation to one victim (not CPC) in the cyberattacks, we would like to disclosure our research to aware other CI sector. In this presentation, we will discuss how threat actors can utilize and weaponize smokescreen ransomware as well as demonstrate how threat hunting and threat intelligence can be applied in digital environments that require immediate clean installs, which tend to eradicate evidence and artifacts of an attack.
Chung-Kuan Chen is currently a senior researcher in CyCraft, and responses for organizing research team. He earned his PHD degree of Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerability, malware and program analysis. He tries to utilize machine learning to assist malware analysis and threat hunting, and build automatic attack and defense systems. He has published several academic papers, and has involved in many large research projects from digital forensic, incident response to malware analysis. He also dedicates to security education. Founding of NCTU hacker research clubs, he trained students to participate world-class security contests, and has experience of participating DEFCON CTF (2016 in HITCON Team and 2018 as coach in BFS team). He organized BambooFox Team to join some bug bounty projects and discover some CVEs in COTS software and several vulnerabilities in campus websites. Besides, he has presented technical presentations in technique conferences, such as BlackHat, HITCON, HITB, RootCon, CodeBlue OpenTalk, FIRST and VXCON. As an active member in Taiwan security community, he is the chairman of HITCON review committee, and ex-chief of CHROOT - the top private hacker group in Taiwan.
Minsky Chan (Shih-Min Chan) is currently a senior security analyst in CyCraft, mainly focuses on incident response, APT research, malware analysis and threat intelligence analysis. He has been the speaker in various training for practitioners and presented technical presentations in technical conferences, such as Taiwan Botnet Confernece, CodeBlue OpenTalk and SINCON.
April 19, 2021 14:30-15:00
Rustam Mirkasymov (Group-IB, NL)
This talk is about how I found the flaw in C&C computational algorithm. And used that logical weakness to sinkhole the botnet. This gave me as a result a list of compromised machines and an ability to shutdown it. I will also reveal the whole infrastructure used by RTM gang.
Rustam Mirkasymov Head of Cyber Threat Research, Group-IB Europe 7+ years in cyber threat research and threat intelligence, strong skills in reverse engineering, knowledge in exploit development and understanding software vulnerabilities mechanisms. Author / co-author of numerous APT threat reports (including Lazarus, Silence, Cobalt, MoneyTaker, RedCurl) Experienced speaker at key cyber security media & events.
April 20, 2021 16:00-16:30
Jacqueline Koven (Chainalysis, US)
The professionalization of the criminal underground has led to attack sophistication where everything from access, malware, credentials, C2 domains -- the soup to nuts of an attack-- is up for sale in bitcoin. We have found blockchain-level evidence that shows the amount of value flowing between bad actors is increasing rapidly. Darknet marketplaces are increasingly connecting threat actors with the tools and infrastructure to scale their attacks. Due to the transparency of blockchains, we can map out the entire Kill Chain and the players and markets that underpin it. We can see the times when threat actors are purchasing malware-as-a-service with cryptocurrency, using money laundering infrastructure, purchasing exploits on darknet markets or simply using the markets to launder money. It can be visualized, investigated, correlated with other data sets, and yes, -- even attributed.
In this presentation we will walk through the Netwalker ransomware takedown and other case studies of how blockchain forensics has enriched cybersecurity investigators’ threat intelligence, identified precursors to attack, emerging threats, and centers of gravity for disruption.
Jackie Koven is a Solutions Architect at Chainalysis where she works with law enforcement, financial institutions, and cybersecurity firms. Prior to joining Chainalysis, she served in the U.S. Intelligence Community. She holds a Masters in Public Administration from Columbia University where she was a Research Fellow for Technology & Public Policy.
April 19, 2021 16:30-17:00
John Grim (Verizon, US)
VERIS, the Vocabulary for Event Recording and Incident Sharing, is a set of metrics designed to provide a common language for describing cybersecurity incidents (and data breaches) in a structured and repeatable manner. VERIS provides cyber defenders and intelligence practitioners with the ability to collect and share useful incident-related information - anonymously and responsibly - with others. The VERIS Framework underpins the Data Breach Investigations Report (DBIR) - it's what Verizon uses to codify the data and build this annual report.
VERIS employs the A4 Threat Model to describe key aspects of incidents and breaches that affect victim organizations. Simply put, the A4 Threat Model seeks to answer: who (Actor) did what (Action) to what (Asset) in what way (Attribute). More specifically, the A4 Threat Model is:
John at Verizon, has over 19 years of experience leading investigations of data breaches and cybersecurity incidents within the government and civilian security sectors. Currently, as a Distinguished Architect, John leads the Verizon Threat Research Advisory Center (VTRAC) Research, Development, and Innovation effort. In this role, John focuses on all aspects of cybersecurity incidents, performing digital forensic examinations, advising on data breach containment and eradication efforts, and creating data breach response preparedness training and breach simulation exercises for customers worldwide.
Prior to Verizon, John served 12 years with the U.S. Army as a Counterintelligence Special Agent investigating security incidents.
April 21, 2021 14:00-14:45