Scott Small (Tidal Cyber, US)
The term “threat-informed defense” has gained recent popularity, but what does it actually look like in practice? This session will detail practical, repeatable workflows – relevant for adversary emulation & detection engineers, threat hunters, and analysts across skill levels – enabling them to kickstart (or advance) their efforts to apply threat intelligence in an operational setting.
We will first review the processes and publicly available sources & tools that we used to conduct a broad threat assessment covering 16 major infostealer families, and present evidence that demonstrates why infostealers remain an underrated threat relative to the rising risks they pose to higher-value targets like businesses. Next, we’ll detail the steps that Tidal’s Adversary Intelligence team used to identify relevant coverage gaps in the primary public behavioral analytic resource (the Sigma repository), and close those gaps by building & validating new detections directly in line with several top stealer techniques, ultimately sharing them back with the community. By going beyond straightforward 1:1 simulation of adversary procedures from individual CTI reports, we’ll also show how our approach encourages more resilient and proactive detection development and validation planning, as stealers (and many other notable malware families) appear to be evolving their TTPs at an increasing pace. The host anticipates attendees will take away a renewed appreciation for the “threat-informed” mindset, as well as inspiration for their next work sprint (or side project)!
Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon and BSides, as well as ISAC and other industry events.
Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 18, 2023 14:00-14:45
Hosted by Human Security, LinkedIn
MD5: aec050aac9e251af9a3920f2c2a6a814
Format: application/pdf
Last Update: April 18th, 2023
Size: 2.96 Mb
Marcin Fronczak (ComCERT S.A., PL), Miroslaw Maj (ComCERT S.A., PL), Piotr Kepski (ComCERT S.A., PL)
Cyber Fortress is an online strategy TTX game in which players learn how to build and defend the critical infrastructure of various organizations in their virtual countries. For this purpose, scenarios based on real attacks are prepared. The scenarios, which cover both technical and organizational aspects, simulate real cyber-attacks. The game can be played by individual players as well as by teams. The team-based version in particular brings significant value in terms of understanding and learning cooperation during crisis situations. Building the most effective cybersecurity system follows a budget-based approach: players and teams receive a virtual budget that limits the scope of their investments. The main idea and task during the game is to protect the team's or player's critical infrastructure against the most likely threats and to react effectively during the attack phases. Competitors have various cybersecurity measures available, which represent real choices across organizational aspects, processes and technical cybersecurity solutions.
The game has a three-year history and has proved its practical value during many events and trainings.
Marcin Fronczak has worked for 12 years as Chief Information Security Officer in the financial and insurance sectors, and has performed IT/OT security audits for a critical infrastructure operator. Prior to that, he spent 5 years as a consultant in the area of technology risk and security. During many audits and consulting projects in Europe, he gained extensive experience and thorough knowledge of the risks and auditing of ICT systems, confirmed by obtaining international certifications including CISA, CIA, CRISC, CompTIA Security+ and ISO 27001 LA. He was the first Pole to earn the CCSK certification in the cloud security area. He currently works at ComCERT as leader of the R&D team and serves as President of the Polish branch of the Cloud Security Alliance.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) has over 20 years of experience in ICT security. He is co-founder of the Open CSIRT Foundation, the stewardship organisation for the SIM3 model and co-provider of the Trusted Introducer service for CSIRTs, including the processing of formal CSIRT certifications. He lectures on cybersecurity courses at several universities.
He is founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, and a former leader of the CERT Polska team. In 2017-2018 he was adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities, building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 he was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.
He is a European Network and Information Security Agency (ENISA) expert and co-author of many ENISA publications, including CERT exercises and papers on improving CSIRT maturity. He organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for the most essential sectors (e.g. energy, banking, telecommunications). He has spoken at many international conferences, including FIRST conferences. He is also the originator and organiser of the Security Case Study conference, one of the largest cybersecurity events in Poland.
Piotr Kepski currently works as a Cybersecurity Systems Analyst at ComCERT S.A., where he works in the area of cyber threat modeling and TTPs (tactics, techniques and procedures) in cyber attacks. He is an internal auditor of the Information Security Management System according to the ISO/IEC 27001 standard. As a member of the Cybersecurity Foundation, he actively works to strengthen awareness of threats from cyberspace, including, among other things, conducting trainings, co-creating the Cyber, Cyber... podcast series and participating in the organization of the Cyber Fortress League.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 2, 2023 15:30-17:00, February 2, 2023 13:30-15:00
Hosted by Basque Cybersecurity Centre
MD5: a3cb91d89e6e833e9f75c171acf1e4c3
Format: application/pdf
Last Update: February 10th, 2023
Size: 4.18 Mb
Federico Pacheco (BASE4 Security, AR)
Incident response tabletop simulation exercises allow people to be trained in the skills related to reactions and processes in crisis situations. This paper analyzes several experiences of tabletop simulations that resulted in learning of practical utility for the participants. After applying the traditional approach based on conversational interaction, and the modern approach based on interaction through virtual platforms, a new, more accessible and scalable modality was proposed, developed in free software, which allows this practice to be taken to any environment. In addition, it was found that exercises carried out in educational environments improve the learning of the topics for both participants and observers.
Federico Pacheco is a cybersecurity professional with a background in electronics engineering and several industry-renowned certifications. He has 20+ years of teaching experience at the most prestigious universities in Argentina, has published four books and several research whitepapers, and has worked for the public and private sector, including regional roles in global companies.
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 18, 2023 11:30-12:15
Hosted by Human Security, LinkedIn
Democratizing-Incident-Response-Tabletop-Exercises.pdf
MD5: 92f7cd5742e16a5d39ea67218564ba86
Format: application/pdf
Last Update: April 18th, 2023
Size: 3.57 Mb
Don Stikvoort (Open CSIRT Foundation, Chairman of the Board; EU Cyber4Dev Expert, NL)
Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security – specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.
After his MSc degree in Physics, he became an infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet from November 1989 onwards. He recognised “security” as a future concern in 1991, was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992 to 1998, and has been a FIRST member since 1992. Today Don is a FIRST Liaison Member.
Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.
In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty, and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 is now under the wing of the “Open CSIRT Foundation” (OCF). Don was one of its founders in 2016 and now chairs its board.
Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, whose portfolio is life & executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field.
Don thrives as a motivational and keynote speaker. He enjoys sharing his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate, and how deeper understanding and a better ability to express ourselves increase our ability to bring good change to ourselves as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out-of-the-box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:
“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 2, 2023 12:30-12:45
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
MD5: db433e34deb5620572ebd382af2dc3d3
Format: application/pdf
Last Update: March 22nd, 2023
Size: 3.03 Mb
Albert Seshie (GH)
Data Privacy in Africa over the past years has seen some significant growth largely within the space of policymaking, directives, and regulations with about 33 countries enacting related laws as of 2021. This has been driven by efforts to ensure the protection of data as fundamental to the rights of citizens and also with the upsurge of global commerce in the digital economy age.
The success of global privacy programs involves the implementation of effective administrative and technical controls that will ensure compliance with the relevant regulatory regimes including the lawfulness of processing, the cross-border data flow requirements, and data security safeguards. The journey towards compliance has focused more on the education and awareness of what these regulatory requirements are, and conspicuously missing out on the implementers of technical controls, i.e. the technology professional’s role, an important stakeholder who must be involved and own key processes within the data processing value-chain.
This presentation will highlight the role of technology professionals in the effective implementation of data privacy controls and the protection of information relevant to the ultimate compliance requirement.
Albert Seshie is an Information Security, Audit and Privacy Professional & Trainer with over 13 years in industry. He is a committed member of ISO certification, information security, audit, privacy and training bodies such as PECB, ISACA, (ISC)2, IAPP, IIA, IIPGH and EC-Council. Though coming from a non-technical background, his passion for technology, information security and training has driven him to achieve industry certifications such as CISM, CEH, C|HFI, MCSA, ISO 27001 LI/LA, ISO 22301 LI, ISO 27032, ITIL, Prince2, CoBIT, PSM1, CIDM, (ISC)2 CC, VCA-DCV, VCA-Cloud, NSE1, NSE2 and PECB Trainer-ISO 27001 ISMS Auditor, and he is currently pursuing an MSc in Information Technology. His areas of specialty are information security, audit, data center infrastructure and cloud security management, enterprise security / risk management, privacy and IT/security training, technology pre-sales, vulnerability assessment, unified communications and collaboration, incident management, ISO 27001:2013 implementation & auditing, cyber security threat management, business continuity, IT service management, and data protection/privacy & training. In his free time, he volunteers on several projects with the Africa Digital Rights Hub and has been a speaker at the Data Protection Africa Summit (2018, 2019 and 2022).
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 3, 2023 15:15-15:45
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
FIRSTAA23-Speaker-Slides-Albert-Seshie.pdf
MD5: eb78b1739815477e540ae3c474c133d0
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.8 Mb
Lindsay Kaye (Recorded Future, US)
Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also discuss what made some of these new TTPs effective for the threat actors’ business, and what made them less successful, both at the technical and human intelligence levels. During the talk, we will highlight particular areas that created the most trouble for threat actors, and often made them easier to track. Finally, we will discuss how defenders can adapt to these changing TTPs, and how we expect the ransomware landscape to continue to evolve in the future.
Lindsay Kaye is the Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay’s technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 18, 2023 10:30-11:15
Hosted by Human Security, LinkedIn
Harder-Better-Faster-Locker.pdf
MD5: e9a30d433abfdc9565f24cf54beb3ecb
Format: application/pdf
Last Update: April 18th, 2023
Size: 8.29 Mb
Colin Cowie (Sophos, US), Paul Jaramillo (Sophos, US)
With its origins as a banking trojan, IcedID has evolved into a fully modular backdoor and one of the most prolific malware families used by eCrime threat groups today. Also known as BokBot, it is observed as both an initial payload of phishing attacks and frequently downloaded as a secondary payload by other malware families, such as Emotet. This highlights their working collaboration with both Mummy Spider and Wizard Spider and the complex interplay of malware developers, initial access brokers, and affiliates.
Beginning in December 2022, Sophos observed a major change in tactics leveraging a novel malvertising vector to compromise victims with IcedID. Over 20 unique software brands are being targeted, including Adobe, VMware, Slack, Discord, and several remote access and collaboration tools. An unwitting victim searching to install these legitimate packages will instead be served a malicious Google Ad mirroring the benign download site at the top of their search results. The attacker makes use of frequently changing Traffic Distribution System (TDS) servers and multiple redirections to deliver a malicious MSI or ISO file inside a ZIP archive.
Detecting or preventing IcedID is important because it's one of the most common precursors to a ransomware incident. Our analysis will step the audience through the attack chain of an IcedID infection and highlight opportunities to both hunt for and disrupt the process. In addition, we will provide insight into IcedID’s infrastructure, as well as share YARA and Sigma rules for detection.
Colin Cowie is a Threat Intelligence Analyst for the Sophos Managed Detection Response team. He focuses on detecting emerging threats, threat actor identification, and incident response. In past roles he has worked in the financial sector performing penetration testing as well as in mobile forensics for law enforcement.
Paul Jaramillo is an extremely passionate, technical, and results oriented security professional with over 10 years of incident response and 15 years of IT experience. Previously working at Splunk, CrowdStrike, and the US DoE, Paul is currently Director of Threat Hunting & Intelligence at Sophos. He has a long-distinguished record of reducing enterprise risk and guiding organizations to an improved security posture. Some highlights include breaking into a 2-factored VPN as a pen tester, successfully investigating an insider threat case across the globe as a forensic examiner, and hunting & ejecting nation state adversaries from corporate and government networks.
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 19, 2023 15:45-16:30
Hosted by Human Security, LinkedIn
MD5: 073f833f6c8e04818076ee579c3d67f4
Format: application/pdf
Last Update: April 24th, 2023
Size: 4.35 Mb
Nermen Ibrahim (Banque Du Caire, EG)
An IAM system introduces risks to the enterprise, but the consensus is that the benefits of IAM outweigh the drawbacks. Business leaders and IT departments are under increased regulatory and organizational pressure to protect access to corporate resources. As a result, they can no longer rely on manual and error-prone processes to assign and track user privileges. That is where identity and access management, or IAM, comes in.
Nermen Ibrahim is a 20-year information technology veteran with a focus on information security and network security. She currently serves as the Head of Identity and Access Management Engineering at Banque Du Caire. Her technical expertise and analytical skills, honed through 9+ years in the information security field and 10+ years of professional experience, have earned her recognition as a privacy and risk management professional.
Ms. Nermen holds a Master's in Information Security from Nile University and is certified in CEH and CEI. She has also completed courses in CISSP, CRISC, ECSP.Net, CISM, PCI-DSS, MOBILE BANKING MASTERCLASS, SWIFT CSP, Digital Transformation, Fintech, CIMP, and Blockchain.
Ms. Nermen’s skills were acknowledged in 2018 when she placed third in the CTF Women in Security competition. She also delivered a speech at the 2018 Arab Security Conference on the topic of "Common Vulnerabilities in Online Payment Systems."
In summary, Ms. Nermen is a highly capable information technology professional with a proven track record of excellence in her field.
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 2, 2023 14:15-14:45
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
FIRSTAA23-Speaker-Slides-Nermen-Ibrahim.pdf
MD5: 8ecafa95494a9f7366b66221a1ab5f5c
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.87 Mb
Daniel Lunghi (Trend Micro, FR), Jaromir Horejsi (Trend Micro, CZ)
Iron Tiger, also known as APT27 or Emissary Panda, is an advanced threat actor that has been doing espionage for more than a decade, targeting multiple sensitive industries worldwide.
In the past months, we noticed the threat actor enhancing its toolkit to target all three major platforms: Windows, macOS and Linux. We found that a previously unreported remote access tool named “rshell” was the final stage of the delivery chain targeting macOS users. This campaign was very interesting as the threat actor obtained access to the backend of a lesser-known chat application, whose installers were modified to deliver a malicious payload, thus acting as a supply chain attack against the chat application's users.
Our presentation will start with the analysis of this interesting infection vector (modified macOS installers, where and how they were modified, and how we initially discovered it), followed by a discussion of an earlier compromise of the same chat application to deliver HyperBro malware for the Windows platform. We will analyze the features of both the rshell and HyperBro malware families utilized in this campaign, and later we will discuss connections to previous campaigns operated by the same threat actor.
As a conclusion, we will provide information on the targets of this campaign and explain our approach to attributing this campaign to Iron Tiger.
Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years. Now he focuses on long-term monitoring of advanced threat actors from all over the world, exploring new ways of tracking them, and enjoying their mistakes. The results of such investigations are shared through blog posts, whitepapers, and conference talks.
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 1, 2023 16:00-16:30
Hosted by Basque Cybersecurity Centre
Iron-Tiger-s-Supply-Chain-Attack.pdf
MD5: a7894c41d0ba486d1c5cf7656208483b
Format: application/pdf
Last Update: February 8th, 2023
Size: 1.7 Mb
Feike Hacquebord (Trend Micro, NL)
In this presentation we explore the current state of ransomware in cybercrime and how ransomware business models will change in the near and far future. We will talk about the triggers that will cause ransomware actors to adapt. Some triggers will lead to a gradual evolution of ransomware. These triggers include the usage of more 0days in the initial access phase, better operational security, automation to optimize revenues, targeting Linux cloud servers more, and targeting exotic platforms. Only when ransomware actors are pushed hard will they radically rethink their business models. Such triggers include geopolitical events, regulation of cryptocurrency, and the realization that other cybercrime is more profitable. We will discuss business models where the ransomware payload is replaced by other, more profitable payloads, while many of the core specialist skills of ransomware actors are still leveraged. Finally, we discuss how private industry, government and law enforcement can work together to fight the crimes committed by the most prolific ransomware actors today and in the future.
Feike Hacquebord has more than 18 years' experience in threat research as a Senior Threat Researcher. Since 2005, he has been a regular advisor to international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog posts and papers on advanced cyberattacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 1, 2023 11:30-12:15
Hosted by Basque Cybersecurity Centre
Open-for-Extortion_-Upcoming-Ransomware-Evolutions-and-Revolutions.pdf
MD5: 5060cdca5a6652a96336bd8c8cdc84fa
Format: application/pdf
Last Update: March 13th, 2023
Size: 5.3 Mb
Kevin Chege (ISOC, KE)
Insecure routing is one of the most common paths for malicious threats to networks. Inadvertent errors can take entire countries offline, and attackers can steal an individual's data or hold an organization's network hostage. A network's safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet. The session will cover the importance of routing security in improving overall Internet security.
Kevin Chege is the Director, Internet Development at the Internet Society. He is currently engaged in several projects at ISOC related to technical capacity building, building communities of practice, and Internet measurements. He helps design technical online teaching content, courses and online labs used to train network engineers. He also helps out as an instructor at various NOGs and NRENs in Africa and has helped to get several NOGs and tech forums in Africa started. He is based in Nairobi, Kenya. Kevin holds a Master's Degree in Information Security from the Lulea University of Technology (Sweden). He is also a Certified Information Systems Security Professional (CISSP by ISC2) and a Certified Information Privacy Manager (CIPM by IAPP).
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 2, 2023 16:00-16:30
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
FIRSTAA23-Speaker-Slides-Kevin-Chege.pdf
MD5: 1e2d2f39165dadcefe0e9d96a08eda42
Format: application/pdf
Last Update: March 13th, 2023
Size: 2.44 Mb
George Koutepas (CERT-EU)
We have been monitoring the cyber aspects of Russia’s war on Ukraine since January 2022, when the conflict was brewing up, and systematically analysed the conflict-related cyberattacks that came to our knowledge. We observed the global cyber landscape, to anticipate if and how cyber operations would target our constituents, the EU institutions, bodies, and agencies (EUIBAs), or organisations in Ukraine and EU countries.
We created a dedicated report to showcase this work. It is our attempt at taking a step back from the day-to-day events, trying to pierce through the fog of war’s veil to make a bigger picture materialise. A picture that could help us see how the conflict shaped the cyber threat landscape in Ukraine and elsewhere.
We don’t have first-hand knowledge of cyberattacks in Ukraine, except for a handful of EUIBAs that have operations in the country. As a consequence, what you will read here largely relies on the reporting of, and information verification by, public and private sources we deem trustworthy.
For each cyberattack we describe in this product, we analyse the context (timing, objectives, impact), victimology (targeted sectors, countries), main tactics, techniques and procedures (TTPs), and, when applicable, attribution made by third parties.
George Koutepas is an IT Security engineer with career-long experience in the field. He holds a PhD. in IT Security and Network Management from the National Technical University of Athens. He is also an ISACA Certified Information Security Manager. He is currently a member of the Cyber Threat Intelligence team at CERT-EU, the Cyber Security and Incident Response Team for EU institutions, bodies, and agencies.
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 19, 2023 11:30-12:15
Hosted by Human Security, LinkedIn
TLP-CLEAR-CERT-EU-1YUA-CyberOps.pdf
MD5: 1d7599416fbd24ccc1b2bc4caa3ad9e0
Format: application/pdf
Last Update: April 24th, 2023
Size: 5.51 Mb
Dr. Jema Ndibwile (Carnegie Mellon University), Koichiro Komiyama (JP), M. Arnaud Taddei (Symantec, US)
CSIRTs and SOCs, which aim to improve cyber security in companies and organizations, are active worldwide. On the other hand, cyber-attacks continue to become more sophisticated, and cyber-security increasingly requires functions that have not been required of CSIRTs in the past, such as strategies and policies. Based on this understanding, this workshop will introduce the "Cyber Defense Centre" framework, which was discussed in ITU-T and standardized in 2021, and discuss how it can support cyber security measures of enterprises and countries in Africa.
https://www.itu.int/rec/T-REC-X.1060-202106-I
Koichiro Komiyama is the Director of the Global Coordination Division at JPCERT/CC, the Japanese Computer Emergency Response Team. He was a member of the FIRST Board of Directors from 2014 to 2018. He was awarded the AfricaCERT Meritorious Service Award in 2016 for his contribution to AfricaCERT's establishment.
M. Arnaud Taddei is a Global Security Strategist for Symantec, a Division of Broadcom Software Group. In his role, M. Taddei has two inter-related missions, as he supports:
a) the development of strategic directions for the top Broadcom worldwide customers; he developed a unique method to create solid relationships with customer executives and to project thought leadership through specific knowledge sharing and workshop models.
b) the development of security through his engagement in international Standards Defining Organizations (SDOs) such as the International Telecommunication Union (ITU), where he was elected Vice Chairman of Study Group 17 and Associate Rapporteur for Emerging Technologies at the Telecommunication Standards Advisory Group (TSAG) of the ITU-T. He also participates in the Internet Engineering Task Force (IETF), where he develops ideas on Network Encrypted Traffic Management through Internet Drafts.
Dr. Jema David Ndibwile is an assistant teaching professor in cybersecurity at Carnegie Mellon University. He previously worked at the Nelson Mandela African Institute of Science and Technology as an IT network specialist and a lecturer in cybersecurity. Ndibwile’s current research interests encompass usable privacy and security, hacking countermeasures, the impact of artificial and human intelligence on cybersecurity, and social engineering approaches. He also has expertise assisting the cybersecurity teams in areas such as communication, IT network architecture and in-network, service security, security testing, and developing security concepts for mobile and stationary networks. He has extensive experience in ethical hacking/penetration testing, digital forensics, and project management leveraging tools such as Kali Linux, Parrot OS, Cellebrite, and many others.
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 3, 2023 09:00-11:00
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
FIRSTAA23-Speaker-Slides-Arnaud-Taddei.pdf
MD5: 42a1048be19c0e7b4d358f18586d3926
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.45 Mb
FIRSTAA23-Speaker-Slides-Koichiro-Komiyama.pdf
MD5: 34902a4b12c4784c770301be3430b78e
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.75 Mb
Sharon Mudd (Carnegie Mellon University / CERT, US), Vanessa Rodriguez (Carnegie Mellon University / CERT, US)
Cybersecurity and incident response professionals use the word "risk" to mean many things, from threats and threat actors to vulnerabilities or potential impacts. So, what exactly does "risk" mean, and what are the critical building blocks for defining risks for an organization? Key questions risk managers strive to answer revolve around what needs to be protected, how critical it is to the organization, which security measures are effective, and what the potential consequences are when these measures fail. When organizations establish priorities for protective measures, they need to get key players in the organization on the same page. The starting point for these higher-level goals is to develop a practical understanding of how to think about "risk," which is often fundamentally different from how the term gets used. Understanding risk identification and management is critical for building effective risk assessments, prioritization strategies, and incident response processes.
This session addresses common misconceptions about security risk by examining the real-world scenarios for understanding and managing risk that every cybersecurity person needs to know. Concepts explored in this workshop have been used to challenge information security leaders and incident response personnel across the world, allowing them to step back from a black-and-white perspective of cybersecurity. This helps them have more nuanced conversations about how security is implemented and how risk is evaluated. The fundamentals learned through interactive discussions are exciting and educational for up-and-coming cybersecurity professionals and seasoned leaders alike. Attendees will learn the building blocks for developing or enhancing the context needed to evaluate and prioritize security risks. This session helps to lay the groundwork for moving away from a reactionary approach towards a more proactive approach to securing critical data and systems.
For incident responders, the session sets the stage for better engagement with constituents on protection measures they have in place - before an incident occurs. To gauge the impact of an incident, it’s critical to understand where key assets are located, how critical the data is to the organization, and what is required to manage the associated risk. This discussion helps incident responders become more proactive in these discussions with their constituents and helps drive appropriate urgency for response activities. The CSIRT teams that have been through this session have found it to be entertaining, enlightening, and thought-provoking because it challenges their assumptions about how to think and talk about risk.
Sharon Mudd is currently a Senior Cybersecurity Operations Researcher in the CERT® division of the Software Engineering Institute at Carnegie Mellon University, helping international teams build security operations and incident management capabilities. In this role, she provides mentoring and training on a broad range of cybersecurity topics to foster the development of maturity for security incident response and security operations teams internationally. Her career spans over 30 years in IT and information security roles, focusing on information security governance, risk management, compliance, and assurance. She has been a GRC leader in several organizations with global information security responsibilities across a diverse set of industries, including financial services, retail, education, government, telecommunications, and healthcare. Sharon is also in the process of completing a PhD in Information Assurance and Cybersecurity.
Vanessa Rodriguez is currently an Assistant Cybersecurity Operations Researcher in the CERT® division of the Software Engineering Institute at Carnegie Mellon University, helping international teams build security operations and incident management capabilities. In this role, she provides mentoring and training on a broad range of cybersecurity topics to Spanish-speaking countries. Her career spans over four years in computer science and information security roles, focusing on software development, secure coding, and cybersecurity research. Vanessa recently finished her Master's Degree in Information Technology - Information Security at Carnegie Mellon University, focusing on courses in forensics and IoT security.
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 19, 2023 15:00-15:45
Hosted by Human Security, LinkedIn
Practical-Risk-Management-prv-1-.pdf
MD5: 75a87aa7875c179aa9224a838a670bb9
Format: application/pdf
Last Update: April 24th, 2023
Size: 6.62 Mb
David Greenwood (EclecticIQ & Signals Corp, GB)
ChatGPT 3.0 made waves across almost every industry when it hit the market in late November last year.
Far from a silver bullet for the cyber-security industry, ChatGPT, and more specifically the underlying GPT-3 model, does have many practical uses, chiefly the automation of highly repetitive tasks. Ask any threat intelligence analyst and they will concur: extraction and dissemination of threat intelligence often requires many hours of Ctrl+C, Ctrl+V.
Earlier this year I set out to use ChatGPT to create structured knowledge graphs from a variety of intelligence reports in my inbox.
In this session I will explain the trial and error that went into generating prompts that accurately extract artefacts and their relationships from unstructured intelligence reports (including: PDFs, emails, and Slack messages).
Taking it a step further, I will also talk you through my attempts at using ChatGPT to model the intelligence as rich STIX 2.1 objects for easy dissemination into existing security tooling.
Rest easy, the content covered in this talk will not replace your job.
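The two steps the abstract describes, extracting artefacts from an unstructured report and modelling them as STIX 2.1 objects, shown end to end as an added example that is not the speaker's code or prompts. A deterministic regex extractor stands in for the ChatGPT step so the STIX modelling can run offline with only the standard library; the report text, the malware name and the choice of `indicates` relationships are constructed for the example. The observable identifiers follow the STIX 2.1 rule for cyber-observable objects (UUIDv5 over the canonical JSON of the id-contributing properties, under the namespace the specification fixes), so the same IOC always yields the same id and deduplicates across reports.

```python
"""Extract IOCs from an unstructured report and emit a STIX 2.1 bundle.

Added example, not code from the talk. The regex extractor replaces the
LLM step; the report text below is constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Namespace fixed by the STIX 2.1 specification for deterministic SCO ids.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Constructed sample report (not a real intelligence product).
REPORT = """The loader beacons to 198.51.100.23 over TCP/443 and retrieves a
second stage from http://malicious.example/stage2.bin. The dropper's SHA-256 is
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8."""

# Observable type -> pattern. Note the IPv4 pattern will also hit dotted
# version strings; a production extractor needs a defang/validity pass.
IOC_PATTERNS = {
    "ipv4-addr": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "file": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def _now():
    # STIX timestamp format: RFC 3339 in UTC with millisecond precision.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def extract_iocs(text):
    """Return {sco_type: [value, ...]} with duplicates removed, order kept."""
    found = {}
    for sco_type, pat in IOC_PATTERNS.items():
        vals = list(dict.fromkeys(m.group(0).rstrip(".") for m in pat.finditer(text)))
        if vals:
            found[sco_type] = vals
    return found


def sco_id(sco_type, contributing):
    """Deterministic SCO id: UUIDv5 over canonical JSON of contributing props."""
    name = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, name)}"


def to_sco(sco_type, value):
    """Build the cyber-observable object for one extracted value."""
    props = {"hashes": {"SHA-256": value.lower()}} if sco_type == "file" else {"value": value}
    return {"type": sco_type, "spec_version": "2.1", "id": sco_id(sco_type, props), **props}


def to_indicator(sco):
    """Wrap an observable in an Indicator SDO carrying an equivalent STIX pattern."""
    if sco["type"] == "file":
        pattern = f"[file:hashes.'SHA-256' = '{sco['hashes']['SHA-256']}']"
    else:
        pattern = f"[{sco['type']}:value = '{sco['value']}']"
    ts = _now()
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "pattern": pattern, "pattern_type": "stix",
            "valid_from": ts, "indicator_types": ["malicious-activity"]}


def build_bundle(text, malware_name="Constructed Loader"):
    """Extract IOCs from text and relate each Indicator to one Malware SDO."""
    ts = _now()
    malware = {"type": "malware", "spec_version": "2.1", "id": f"malware--{uuid.uuid4()}",
               "created": ts, "modified": ts, "name": malware_name, "is_family": False}
    objects = [malware]
    for sco_type, values in extract_iocs(text).items():
        for value in values:
            sco = to_sco(sco_type, value)
            ind = to_indicator(sco)
            rel = {"type": "relationship", "spec_version": "2.1",
                   "id": f"relationship--{uuid.uuid4()}", "created": ts, "modified": ts,
                   "relationship_type": "indicates",
                   "source_ref": ind["id"], "target_ref": malware["id"]}
            objects += [sco, ind, rel]
    # STIX 2.1 bundles carry no spec_version of their own.
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(REPORT), indent=2))
```

The output loads into any STIX 2.1 consumer as-is; if you swap the regex layer for an LLM, keep the id and pattern construction deterministic in code rather than asking the model to emit UUIDs, since a model will happily invent syntactically valid but non-reproducible identifiers.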
David Greenwood helps early-stage cyber-security companies build products that make users go, "Wow! That's what I need!"
During his career he has worked with great minds at Splunk and Anomali. David currently works at EclecticIQ building world-class threat intelligence solutions.
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 18, 2023 09:45-10:30
Hosted by Human Security, LinkedIn
ThreatIntelGPT-Structure-from-Chaos.pdf
MD5: e6af795178e0210ec282aed99926ba6a
Format: application/pdf
Last Update: April 18th, 2023
Size: 9.22 Mb
Jossef Harush Kadouri (IL)
Widespread use of open source software has motivated malicious actors to take advantage of the medium, spawning significant and widespread attacks.
To identify these threats at scale we automated the process, and in this talk we present and share some open source tools to detect such attacks.
RED-LILI
This is the largest batch of malicious packages published by a single threat actor (1,500 packages and still counting).
We will dive into the attack and discuss the infrastructure required for such campaigns.
To keep track of RED-LILI as they continue to publish malicious packages, our research team has launched RED-LILI Tracker (https://red-lili.info).
UA-Parser (Good package gone BAD)
An attacker compromised the legitimate account of a popular open-source contributor.
We will dive into the attack and the TTPs used (account takeover), and discuss ChainAlert, a free service for the open-source community that alerts on such attacks.
Protestware
A pro-Ukraine npm user, riaevangelist, released several new versions of their popular package "node-ipc" (over a million weekly downloads) that included wiper functionality targeting Russian and Belarusian IP addresses: the malicious payload destroyed all files on disk by overwriting their content with a heart emoji "❤️".
Jossef Harush Kadouri is passionate about Linux and Windows, and has a strong interest in exploring the possibilities of Mac in the future. With his expertise in IoT and a knack for creating real-life automation solutions, he is able to control a variety of devices using his phone. Additionally, Jossef is a designer and digital asset creator, with a focus on pixel-perfect UI.
In his free time, Jossef enjoys growing hot peppers and organizing hot pepper events in Ramat Gan, the second best city in Israel. Jossef is also an active member of the open-source community, and is ranked in the top 1% on Stack Overflow.
In 2020, he co-founded Dustico, a software supply chain security company that was acquired by Checkmarx the following year. Since then, he has been working with his team to identify and prevent software supply chain attackers, ensuring the safety of the ecosystem.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 1, 2023 09:30-10:15
Hosted by Basque Cybersecurity Centre
Tracking-Attackers-in-Open-Source-Supply-Chain-Attacks.pdf
MD5: 342668f6f45cb358621c59ef1df25376
Format: application/pdf
Last Update: March 13th, 2023
Size: 55.44 Mb
John Stoner (Google Cloud, US)
When Solorigate occurred, we witnessed a nation-state actor gaining initial access using a software vendor’s supply chain culminating with an attack utilizing Golden SAML to gain access to Office 365 cloud resources. At the time, I was developing an adversary emulation activity in support of a blue team capture the flag event and the unique attack piqued my interest.
If you are like me, you may have spent at least some portion of your career working with events generated from on-premises systems. With the move toward cloud, I noticed that logs I had taken for granted and expected to have available were no longer there. This realization spurred me to use Golden SAML as a case study of what could be identified and detected within the Microsoft Graph.
Because workloads and solutions continue to migrate to the cloud, and because Active Directory is pervasive in nearly every organization's environment, federating on-premises Active Directory with Azure Active Directory is not an uncommon configuration, which is why it is important to understand this attack in that context.
While a lot of good content has been created about the Golden SAML attack, less attention has been paid to the visibility a defender has from the extraction of a token, through its forgery, to its use against Microsoft's Graph API. The intent of this talk is to contextualize and drive greater awareness of what the defender will see (and, more importantly, what they will not see) when a Golden SAML token is extracted, forged and used in an Azure AD / M365 environment.
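One way to turn the visibility gap described above into a detection, as an added example that is not part of the talk: a forged SAML token is signed with the stolen AD FS token-signing certificate and never passes through AD FS, so Azure AD records a federated sign-in for which the AD FS server has no matching token-issuance event. The script correlates constructed Azure AD sign-in records with constructed AD FS security-audit events and flags federated sign-ins that nothing on-premises can account for. The field names (`tokenIssuerType`, `userPrincipalName`, `createdDateTime`; AD FS events 1200 and 1202) approximate the real exports and must be checked against your own data, and the five-minute look-back window and the UPN-to-sAMAccountName mapping are assumptions.

```python
"""Flag federated Azure AD sign-ins with no AD FS token issuance behind them.

Added example, not code from the talk. All records below are constructed;
field names approximate Azure AD sign-in logs and AD FS audit events and
should be verified against real exports before use.
"""
from datetime import datetime, timedelta, timezone

# Constructed Azure AD sign-in records (subset of fields).
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-04-18T14:00:05Z",
     "tokenIssuerType": "ADFederationServices", "appDisplayName": "Microsoft Graph",
     "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2023-04-18T14:07:42Z",
     "tokenIssuerType": "ADFederationServices", "appDisplayName": "Microsoft Graph",
     "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2023-04-18T14:09:00Z",
     "tokenIssuerType": "AzureAD", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.11"},
]

# Constructed AD FS audit events: 1202 = fresh credential validated,
# 1200 = token issued. Only alice authenticated through AD FS.
ADFS_EVENTS = [
    {"EventID": 1202, "TimeCreated": "2023-04-18T13:59:58Z", "UserId": "EXAMPLE\\alice"},
    {"EventID": 1200, "TimeCreated": "2023-04-18T13:59:59Z", "UserId": "EXAMPLE\\alice"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _upn_to_sam(upn, domain="EXAMPLE"):
    # Assumption: the on-prem account name is the UPN local part; adjust
    # for directories where UPN and sAMAccountName diverge.
    return f"{domain}\\{upn.split('@')[0]}"


def find_unbacked_federated_signins(signins, adfs_events, window=timedelta(minutes=5)):
    """Return federated sign-ins with no AD FS 1200 event for that user in the window."""
    issued = [(e["UserId"], _ts(e["TimeCreated"])) for e in adfs_events if e["EventID"] == 1200]
    suspicious = []
    for signin in signins:
        if signin["tokenIssuerType"] != "ADFederationServices":
            continue  # cloud-native authentication; AD FS is not expected to see it
        when = _ts(signin["createdDateTime"])
        sam = _upn_to_sam(signin["userPrincipalName"])
        backed = any(user == sam and when - window <= issued_at <= when
                     for user, issued_at in issued)
        if not backed:
            suspicious.append(signin)
    return suspicious


if __name__ == "__main__":
    for hit in find_unbacked_federated_signins(SIGNINS, ADFS_EVENTS):
        print("federated sign-in without AD FS issuance:",
              hit["userPrincipalName"], hit["createdDateTime"], hit["ipAddress"])
```

Two caveats a practitioner will want: the absence of an AD FS event is only meaningful if success auditing is enabled on every node of the farm and the logs are actually forwarded and retained, so a miss is a hunt lead rather than a verdict; and because the forged token never touches AD FS, this correlation is one of the few places the on-premises side can contribute at all, which is the point of comparing both log sources rather than either alone.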
Attendees will come away with
John Stoner is a Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST, BSides, SANS Summits and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
Amsterdam 2023 Technical Colloquium
Amsterdam, NL
April 18, 2023 15:45-16:30
Hosted by Human Security, LinkedIn
You-Are-Only-Seeing-the-Tip-of-the-Iceberg-FIRST-TC-2023.pdf
MD5: 2d7b8f934a4cb27bf6479ec59ac0c69d
Format: application/pdf
Last Update: April 24th, 2023
Size: 6.57 Mb