- FRTLP:CLEAR
A Collective CTI Doctrine
David Bizeul
Fabien GainierDavid Bizeul (FR), Fabien Gainier (FR)
David Bizeul is a 20+ years cybersecurity expert. As main achievements, David wrote several major whitepapers on cybersecurity threats or evolution, he initiated 3 CSIRT teams in France (Societe Generale, Airbus Cyber and Sekoia), he founded the first threat intel company in France now part of Sekoia.io. He now works as Chief Scientific Officer in Sekoia.io, making sure the platform use the latest interesting standards or approaches and sharing this approach with the community.
After several years in information systems consulting and CSR policy coordination, Fabien Gainier joined a Master's degree in Strategic Management of Sustainable Development. With this experience, he specialised in supporting organisation transformation through cultural shift and innovation. Subsequently, he set up various entrepreneurial projects. In 2020, he joined the ANSSI teams to help set up the Cyber Campus project where he became head of the Commons Studio and CSR Studio. Its mission is to develop the innovation capacity of Campus Cyber ecosystem by developing cyber commons.
Alias title: “One CTI doctrine to rule them all”
Optimizing CTI analyst time is critical. When you have major cybersecurity entities working together in the same place, you need to define rules to create and manage your threat intelligence smartly. This is exactly what CampusCyber had to deal with when trying to federate companies with different size, sector, maturity, culture working all together. This national retex explains what has been done and why.
Reminder, slides for download are TLP:CLEAR
- CZTLP:CLEAR
Abusing Electron-Based Applications in Targeted Attacks
Jaromir HorejsiJaromir Horejsi (Trend Micro, CZ)
Jaromir Horejsi is a Senior Threat Researcher for Trend Micro Research. He specializes in tracking and reverse-engineering threats such as APTs, DDoS botnets, banking Trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.
The first part of the presentation will look at Electron framework and discuss possible infection vectors - Chromium vulnerabilities, or trojanizing the Electron applications by replacing/patching the app.asar archive (containing application sources). The second part will follow with analyses of several real-life scenarios which involved Electron-based applications - (1) Iron Tiger threat actor abusing a secure chat application; (2) a threat actor abusing a chat-based customer engagement platform; (3) Water Labbu threat actor abusing a live chat application. The last part will talk about targets of these campaigns, as well as the connections to previous campaigns operated by the same threat actors.
- USTLP:CLEAR
An Introduction to EPSS, The Exploit Prediction Scoring System
Jay Jacobs (Cyentia, US), Sasha Romanosky (RAND Corporation, US)
Jay Jacobs is a Co-founder and Chief Data Scientist at Cyentia Institute, a research firm dedicated to advancing the state of information security knowledge and practice through data-driven research. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of "Data-Driven Security", a book covering data analysis and visualizations for information security professionals.
Sasha Romanosky, PhD, researches topics on the economics of security and privacy, cyber crime, cyber insurance, and national security. He is a Senior Policy Researcher at the RAND Corporation, a faculty member of the Pardee RAND Graduate School, and an affiliated faculty in the Program on Economics & Privacy at the Antonin Scalia Law School, George Mason University. Sasha was a security professional for over 10 years in the financial and e-commerce industries, and is one of the original authors of the Common Vulnerability Scoring System (CVSS), and co-creator of the Exploit Probability Scoring System (EPSS), an emerging standard for estimating the probability of a vulnerability being exploited in the wild. Sasha is a former Cyber Policy Advisor in the Office of the Secretary of Defense for Policy (OSDP) at the Pentagon, where he oversaw the Defense Department's Vulnerability Equities Process (VEP), the Vulnerability Disclosure Program (VDP), and other cyber policy matters. Sasha is also an appointed member of DHS's Data Privacy and Integrity Committee (DPIAC), where we advise the Secretary of Homeland Security and DHS's Chief Privacy Officer on policy, operational, and technology issues.
The Exploit Prediction Scoring System (EPSS) is an emerging standard that estimates the probability that a vulnerability will be exploited. Since our creation in April 2020, we have grown to over 150 members from around the world, with tens of thousands of daily downloads of our probability scores and API calls.In addition, we have improved and refined the model, and augmented the data feeds with even more data partners. In this presentation, Sasha Romanosky and Jay Jacobs - the original authors and co-chairs of the EPSS SIG - will discuss the evolution of EPSS, some initial findings from our data analysis, and future directions. No prior knowledge or experience with EPSS is required for this talk.
- FRTLP:CLEAR
AnoMark - Anomaly Detection in Command Lines with Markov Chains
Alexandre Junius (ANSSI (National Cybersecurity Agency of France), FR)
Alexandre Junius is a Master's graduate of ENSAE's Statistical Engineering programme and of Sciences Po's Public Policy (Security and Defence speciality) programme. He is currently working as Data Scientist in the Detection team of the National Cybersecurity Agency of France.
AnoMark is a Machine Learning algorithm that uses NLP (Natural Language Processing) methods to analyze the command lines that come up at each process creation in the event logs of an information system. Based on a decomposition into n-grams (from the letters composing the command line), AnoMark trains a statistical model based on a Markov chain. This model then calculates a likelihood score of new order lines, and extracts the most abnormal ones from past activity.The application of this algorithm has already resulted in the detection of malicious behavior in process creation event logs on several occasions. This gives reason to be optimistic about the use of automated anomaly detection methods in cybersecurity, in addition to the usual methods for detecting known behavior.The project is now open source on the National Cybersecurity Agency of France's GitHub and can be integrated in any modern SIEM. As an example, a Splunk custom command implementation is provided in the repository.
- NLTLP:CLEAR
Assessing e-Government DNS Resilience
Jeroen van der HamJeroen van der Ham (NCSC-NL & UTwente, NL)
Jeroen van der Ham is senior researcher at NCSC-NL and Associate Professor at Twente University. He has contributed to numerous FIRST working-groups, including co-chairing the Ethics WG. Jeroen has published on many cybersecurity topics including anonymization, DNS security, and on vulnerability information. His research interests include ethics of cybersecurity and professionalization of incident response
Electronic government (e-gov) enables citizens and residents to digitally interact with their government via the Internet. Underpinning these services is the Internet Domain Name Systems (DNS), which maps e-gov domain names to Internet addresses. Structuring DNS with multiple levels of redundancy that can withstand stress events such as denial-of-service (DoS) attacks is a challenging task. While the operator community has established best practices to this end, adopting them all involves expert knowledge and resources. In this work, we obtain and study a list of e-gov domain names used by four countries (The Netherlands, Sweden, Switzerland, and the United States) and measure the DNS structuring of these domains. We show the adoption of best practices, inter-country differences such as the use of anycast, and provide recommendations to improve DNS service robustness.
- USTLP:CLEAR
Automating Cloud Forensics Lab Provisioning
Tim Ip (Adobe, US)
Tim has worked for 10+ years for InfoSec across education, pharmaceutical and software industries. Currently he is working as Security Engineer at Adobe focusing on DFIR and Purple Teaming. Prior to Adobe, he served as Security Architect for University of San Francisco and Senior Consultant at Deloitte. He has expertise in Security Automation, Data Analytics and Offensive Security. He enjoys wielding everything from soldering irons to assembly language in Cyber Security Competitions, Hackathons and CTFs. Outside of work, he is leading the monitoring team for Global Collegiate Penetration Testing Competition (CPTC). He is a current holder of CISSP, CISM, OSEE and GXPN certification.
Gathering relevant artifacts and performing a forensic investigation following a cybersecurity incident is a challenge for any organization. However, for larger companies that have a presence across multiple sites and countries, the challenge is far more complex. Not only is there a higher volume of incidents to respond to and investigate, but there are regional regulations and compliance restrictions that limit where and how data and other artifacts can be shared or transmitted.Our project (Forensics VM) is leveraging Infrastructure as Code (IaC) to automate cloud forensics lab provisioning. The project enables us dynamically deploying the lab in different geographic regions across different cloud service providers such as AWS, Azure and GCP. We will discuss how this project streamlines and simplifies our forensics process, as well as resolving different issues due to regulations and compliance restrictions.
- NLTLP:CLEAR
Automating the Junior Analyst: Cyber Security Report Generation with Classic AI
Sergey PolzunovSergey Polzunov (BlackStork.io, NL)
Sergey Polzunov is a Senior Software Engineer with more than 15 years of experience, focused for the last seven years on building solutions for cyber security. Sergey was a core developer of a threat intelligence platform, participated in designing STIX2 / TAXII2 standards as a member of the OASIS CTI technical committee, released the opensource library Stixview for STIX2 graphs, and developed multiple tools for threat detection, digital forensics, and security telemetry processing.
Presenting Fabric -- a content generation system that aims to automate the prosaic and tedious parts of cyber-security reporting. Automatically creating overviews, timelines, and briefings from structured cyber security data (SIEM alerts, CTI bundles, detection rules, CVE lists) saves the security team time for creative work. Flexible schema-style document generation with a tunable level of details and integrated data enrichment allows the Fabric to generate writing prompts, summaries, and complete documents ready for dissemination.
- AR IT ID
Before Disclosure | Predicting Security Attacks in FOSS: Why You Want It and One Way to Do It
Carlos Esteban Budde
Fabio Massacci
Ranindya ParamithaCarlos Esteban Budde (Department of Information Engineering and Computer Science, AR), Fabio Massacci (University of Trento, IT), Ranindya Paramitha (DISI Security Group at the University of Trento, ID)
Before Disclosure:
Forecasting vulnerabilities from source code or software projects, SSDLC, and/or bug bounties.
FOSS is here to stay, displacing more and more its privative counterparts. Advantages of this transition include the exposure of bugs to be fixed by a community of experts. In the same box, however, we find disadvantages like the exposure of security issues that can be exploited by attackers. Today we even have security websites exposing vulnerabilities and exploits online—and despite good practices like responsible disclosure, it is the sheer amount of (external) code what makes everyone ultimately vulnerable.
From that base, this talk puts forward a concept of probability of future vulnerabilities. This is crucial for project management, but also at developer level, to see the risks of not upgrading (or yes upgrading!) a dependency. We show how this probability can, and must, be computed from a project's dependency tree, in a manner that is intimately related to the use of FOSS. We also show that the development history of the project and its dependencies is key to getting useful results.
Finally, we merge the dependency tree and development history of a project into a white-box model, which we use to estimate the probability of future exploits. We show one way to do this for the Java-Maven environment, for which we can use a battery of tools from the formal methods community.
Carlos Estebran Budde received his PhD in Computer Science in 2017 (Universidad Nacional de Córdoba, AR), continued on to do a postdoc at the Universiteit Twente (NL) in collaboration with Dutch Railways until 2021, and since then works as assistant professor at the Università di Trento (IT).
Carlos uses his background in formal methods to perform simulation and probabilistic-based analyses, to assess the cybersecurity resilience of systems' models.
In 2022 Carlos was awarded a Marie Curie Postdoctoral Fellowship: his ProSVED project studies how security vulnerabilities can be used for the estimation of future exploits.
Fabio Massacci (MEng’92, PhD’98 Computer Engineering, MA’95 in International Relations), married with two children, has been in Rome, Cambridge, Toulouse, Trento, and Amsterdam. He held visiting positions in Durham, Koblenz, Lueven, Marina del Rey, and Oslo. For a full biography on Fabio, see this page: https://fabiomassacci.github.io/
Ranindya Paramitha (also called Nanin) is currently pursuing a PhD at the University of Trento, Italy, focusing on software security under the supervision of Prof. Fabio Massacci.
My interest on this field started when I was doing my bachelor in informatics, at Institut Teknologi Bandung, Indonesia. I continued my master on the same field, doing my thesis on mining software repositories for security.
I'm grateful that until now, ALL my higher education years are covered by several scholarships. During my bachelor and master periods, I had several internship experiences in some software companies in Indonesia. Despite having some experiences working in industry, I discovered that I enjoy teaching and (later) researching, which encouraged me to pursue my PhD. I also enjoy attending conferences/ schools as they broaden my knowledge while giving me networking opportunity.
- US
Big-Game Stealing: Practical Detection Engineering & Validation for an Underrated Threat
Scott SmallScott Small (Tidal Cyber, US)
The term “threat-informed defense” has gained recent popularity, but what does it actually look like in practice? This session will detail practical, repeatable workflows – relevant for adversary emulation & detection engineers, threat hunters, and analysts across skill levels – enabling them to kickstart (or advance) their efforts to apply threat intelligence in an operational setting.
We will first review the processes and publicly available sources & tools that we used to conduct a broad threat assessment covering 16 major infostealer families, and present evidence that demonstrates why infostealers remain an underrated threat relative to the rising risks they pose to higher-value targets like business. Next, we’ll detail the steps that Tidal’s Adversary Intelligence team used to identify relevant coverage gaps in the primary public behavioral analytic resource (the Sigma repository), and close those gaps by building & validating new detections directly in line with several top stealer techniques, ultimately sharing them back with the community. By going beyond straightforward 1:1 simulation of adversary procedures from individual CTI reports, we’ll also show how our approach encourages more resilient and proactive detection development and validation planning, as stealers (and many other notable malware) appear to be increasingly evolving their TTPs. The host anticipates attendees will take away renewed appreciation for the “threat-informed” mindset, as well as inspiration for their next work sprint (or side project)!
Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.
Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.
Big-Game-Stealing.pdf
MD5: aec050aac9e251af9a3920f2c2a6a814
Format: application/pdf
Last Update: April 18th, 2023
Size: 2.96 Mb
- WSTLP:GREEN
Breaking the Cultural Norms to Improve Cybersecurity Awareness
Alex Abraham (WS), Suetena Faatuuala Loia (WS)
Please note slides for download are TLP:CLEAR
- DETLP:CLEAR
Patrick StaubmannPatrick Staubmann (VMRay GmbH, DE)
Patrick Staubmann joined VMRay as a threat researcher back in 2019. As part of the Threat Analysis team, he continuously researches the threat landscape and conducts analyses of malware samples in depth. To further improve the companies' product, he also extends its detection capabilities in form of behaviour-based rules, YARA rules, and configuration extractors. He is especially interested in reverse-engineering, low-level system security and exploitation.
In early 2022, a new malicious loader named BumbleBee was discovered. Multiple cyber-attacks have been identified that use BumbleBee to deliver well-known malware families to harm systems. While analyzing different BumbleBee samples, we identified many structural changes and improvements implemented since its first sighting. These changes are a strong indicator that the family is still under heavy development, and we expect more changes in the future. This makes the family an interesting and important object of research.To protect itself against detection and manual as well as automated analysis, BumbleBee uses various techniques to detect sandboxes and analysis environments. Most of this logic is taken from an open-source sandbox detection project.This talk shares our insights and thoughts collected over the past months while analyzing and tracking this malware family.
- JPTLP:CLEAR
Can We Tell the Threat Actor from Their ATT&CK TIDs?
Ryusuke Masuoka
Toshitaka Satomi
Koji YamadaRyusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP), Toshitaka Satomi (Fujitsu System Integration Laboratories Limited, JP), Koji Yamada (Fujitsu System Integration Laboratories Limited, JP)
Dr. Ryusuke Masuoka is a Global Fujitsu Distinguished Engineer and a research principal at Fujitsu System Integration Laboratories Limited, working on Cyber Security. He also works part-time as a Chief Cybersecurity Advisor for Japan Ministry of Defense. Over 30 years, he has conducted research in neural networks, simulated annealing, agent system, pervasive/ubiquitous computing, Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member. (For more detail, check http://masuoka.net/Ryusuke/cv/)
Toshitaka Satomi Toshitaka Satomi is a researcher with Fujitsu System Integration Laboratories LTD (FSI). He joined Fujitsu PC Systems in 1997 after graduating from the Tokyo Institute of Technology. He worked on the development of an F-BASIC compiler and insurance business systems. After that, he became interested in cybersecurity research and he developed various cybersecurity PoC systems. Since he moved to FSI in 2017, he has been conducting research on Cyber Threat Intelligence (CTI) and has developed a Cyber Threat Intelligence Platform, "S-TIP" which is now available as OSS. He is also the initial developer of "ATT&CK Powered Suit", a Google Chrome Extension, which puts the MITRE ATT&CK knowledge base at your fingertips.
Koji Yamada
Koji Yamada is a cybersecurity research manager at Fujitsu System Integration Laboratories LTD (FSI). He had been engaged in FJC-CERT activities for over two years. He also had been engaged in cyber threat intelligence and cyber deception technologies. He is a Certified Information Systems Security Professional (CISSP) and has previously spoken at conferences including Black Hat USA, Arsenal, CodeBlue, and FIRSTCON21.
We examined the research question of "Can we tell the threat actor from their ATT&CK TIDs?" We started to see ATT&CK Technique IDentifiers (TIDs) in more and more tools and CTI reports. With the holistic view of threat actors provided by ATT&CK, we came up with the idea of applying TF-IDF to Groups as documents and TIDs as terms to determine the similarity of the set of ATT&CK TIDs to a particular Group. Our initial answer to the question is "Not a Complete Yes, but Very Promising", based on the evaluation results. We also found a way to utilize Decision Trees for threat hunting purposes in an Analysis of Competing Hypotheses (ACH) context. As a conclusion, observed TIDs in a cyber attack should help you make better informed attribution decisions. This capability makes your cyber defenses more proactive and focused by knowing your adversaries.
- NZTLP:CLEAR
Capture the Flag (CTF)
Hayden Searle (NZ)
Please note slides for download are TLP:CLEAR
- CATLP:CLEAR
Collective Defense Intelligence: A Model for Empowering the Open Cybersecurity Ecosystem
Jason Keirstead (IBM Security, CA)
Jason Keirstead is an IBM Distinguished Engineer and CTO of Threat Management in IBM Security. His role includes the complete threat life cycle, from Threat Insight, through Prevention, Detection, Response and Recovery and encompasses XForce Threat Management products, and the QRadar XDR product suite including SIEM, SOAR, and Reaqta EDR. Jason also sits on the OASIS Board of Directors and serves as a co-chair of the Open Cybersecurity Alliance project governing board.
We are at a turning point in the cybersecurity market. Products will soon no longer be measured solely on how many security use cases they can fulfill, or how many attacks their black-box AI can detect or prevent. They will additionally be measured on how easily and robustly they allow users to consume the outputs of the open cybersecurity ecosystem, and how easily they allow analysts to contribute back to it. In order to enable and accelerate this change, the cybersecurity community needs a common collaboration model for defense, that builds upon what already exists in the community for collaboration on threat intelligence, and enhances it to allow for highly agile defense intelligence creation and deployment.
- US NLTLP:CLEAR
Communication Skills for Incident Response (Full Day)
Don StikvoortJeff Carpenter (Secureworks, US), Don Stikvoort (Open CSIRT Foundation, NL)
Jeffrey Carpenter has dedicated more than 30 years to improving the state of information security in roles such as analyst, product security officer, information security officer and leader. In 1995, Jeffrey joined the CERT® Coordination Center, located at Carnegie Mellon University's Software Engineering Institute, as an incident response analyst. He became the incident response team leader in 1998 and technical manager in 2000. Jeffrey managed more than 50 technical individuals who conducted applied research and operational analysis with a focus on incidents, software vulnerabilities, network monitoring, malicious code, vulnerability discovery, and secure coding. Jeffrey currently is the Secureworks Senior Director of Incident Response Consulting and Threat Intelligence. The Incident Response Consulting Practice with ovr 100 consultants, analysts and researchers, provides rapid containment and eradication of threats, minimizing the duration and impact of a security breach for Secureworks' customers, as well as helping customers effectively prepare to have an incident. The practice performes more than 1500 engagements per year. The Threat Intelligence group is part of the Counter Threat Unit™ (CTU) and delivers threat intelligence services to customers.
Don Stikvoort was born in in 1961, and did his MSc in physics. From 1988 onwards he was one of Europe's Internet and cyber security pioneers. Led the 2nd European CSIRT until 1998, started the cooperation of European CSIRTs in 1993, and was founding father of NCSC-NL, the Dutch national team. Co-author of the CSIRT Handbook, and creator of the SIM3 CSIRT maturity model. FIRST hall-of-fame member.
Don is an NLP master trainer & practitioner, and has been giving train-the-trainer trainings especially for FIRST and TF-CSIRT. Additionally, Don does life/work coaching and therapy.
This workshop is designed to enhance the communication skills of incident response and security analysts, so they can confidently and competently relay key messages to business stakeholders during a cyber crisis. No prior experience of qualifications is needed, as it will provide attendees with advice and recommended best practice, as well as the opportunity to practice communications in a safe environment. Ultimately, the session will immediately enable and equip incident responders with the tools to proactively and consciously develop their own effective communication capability.
Attendees of this workshop should please download the following materials:
https://onedrive.live.com/?authkey=%21AAGXkSnV22XWYv4&id=A1E5DDD23CE78CFE%21512&cid=A1E5DDD23CE78CFE
- USTLP:CLEAR
"Compromising the Keys to the Kingdom" - Exfiltrating Data to Own and Operate the Exploited Systems
Aditya K SoodAditya K Sood (F5, US)
Aditya K Sood, Ph.D., is a senior director of threat research and security strategy at the Office of the CTO at F5. Dr. Sood manages the Advanced Threat Research Center of Excellence (ATRCoE). With the experience of more than 15 years in the field of security, Dr. Sood focuses on a wide spectrum of cybersecurity and next-generation technologies. Dr. Sood obtained his Ph.D. from Michigan State University in computer sciences. He also authored Targeted Cyberattacks and Empirical Cloud Security books. Dr. Sood is also a frequent speaker at global cybersecurity conferences and contributes regularly to industry and academic leading journals and magazines. Website: https://adityaksood.com Company: https://www.f5.com
Cyberattacks are evolving at an exponential rate. The adversaries (attackers, cybercriminals, nation-state actors) are focused on stealing, exfiltrating, and destructing data. The question is, "Why?" The answer is simple, "Data holds the keys to the kingdom!" In this session, we will present the current state of advanced threats and how "controlling data" has become the breeding ground for cyberattacks. A number of data exfiltration case studies will be discussed, covering nation-state cyber warfare, and targeted cyber-attacks including broad-based attacks.
- LTTLP:CLEAR
Continuous Threat Intelligence Improvements
Leonardas Marozas (CUJO AI, LT)
Leonardas Marozas is a researcher and cyber security research manager in CUJO AI and lecturer in Vilnius technical university. For the past 15+ years working in cyber security related area, last 6 years were spent with focus towards threat intelligence and IoT security
Beginning as a need to cover the identified gaps that threat intelligence solutions at the time had and having the data at hand, it became obvious that one of the biggest challenges that there is - it's contextualizing the data given the specific area of operating. We explore the usefulness of ML, but only in a certain subset of the data, how global threat intelligence offerings are far less efficient than regional ones and provide an overview of challenges and missteps that were made throughout the journey of building threat intelligence platform suitable to protect globally distributed NSPs' customers
- JPTLP:CLEAR
Creating the Coordinator Rules
Tomo ItoTomo Ito (JPCERT Coordination Center (JPCERT/CC), JP)
Working as a vulnerability coordinator at JPCERT/CC for 7 years, Tomo currently leads the Global CVD project of the organization, which aims to contribute to the global CVD ecosystem stability through collaborations with the stakeholders from different parts of the world.
As the world is becoming more and more interdependent, the importance of Coordinated Vulnerability Disclosure (CVD) activities is increasing rapidly. Today, multiple organizations, such as national CERTs, Governments, bug bounty services, etc. are working as CVD coordinators. In each case, the coordinator aims the best outcomes, which could be said as to reduce the risks to the relevant stakeholders. While the diversity between the coordinators is to be respected, too much difference between them can cause confusions among CVD stakeholders such as vendor PSIRTs and researchers - a stakeholder may not be able to know what and how much to expect from a coordinator, or a coordinator may not act as expected in communication or information distribution timing, etc. To avoid such confusions and decrease the number of unsuccessful CVD cases, JPCERT/CC is suggesting and working to create the rules/guidelines for CVD coordinators. In this presentation, the basic ideas of the coordinator rules and its progression will be explained to the audience.
- US DETLP:CLEAR
CSAF Writing Bootcamp (Full Day)
Justin Murphy
Thomas SchmidtJustin Murphy (CISA, US), Thomas Schmidt (BSI, DE)
Justin Murphy is a Vulnerability Disclosure Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. He also assists Dr. Allan Friedman in coordinating the global, multi-stakeholder community-led efforts around software bill of materials (SBOM), and other Technology Assurance related projects at CISA. Justin is a former high school mathematics teacher turned cybersecurity professional and has a M.Sc. in Computer Science from Tennessee Technological University, and a B.Sc. degree in Statistics from the University of Tennessee (Knoxville).
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITION/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
The Common Security Advisory Framework (CSAF) become in 2022 an OASIS standard. CISA and BSI announced that CSAF will be a core pillar of a better vulnerability management. But how to create those machine-readable security advisories? Where should I start and what tools are out there? The bootcamp gets you started with CSAF. It starts with a short intro into the standard and available open source tools. Then, several hands-on exercises explore the security advisory and VEX profiles in CSAF.
- US
CVSS v4: Where the Rubber Meets the Road
Dave Dugal
Nick LealiDave Dugal (Juniper, US), Nick Leali (Cisco , US)
In this presentation, we discuss some of the practical challenges and considerations of the new CVSS v4 scoring standard. See v4 scores for the first time and hear guidance about best practices for analysts who may use the new metrics.
Dave Dugal oversees the design and development of CVSS as the FIRST CVSS SG Co-Chair and Principal Product Security Incident Manager with Juniper SIRT.
Nick Leali works as an Incident Manager with Cisco PSIRT and serves on the FIRST CVSS SIG, most recently working on the CVSS v4 Examples document.
- TOTLP:CLEAR
Cyber Awareness Campaigns - TWICT
Fihinoa Maea (TO), Seluvaia Kaukava (TO)
Please note slides for download are TLP:CLEAR
- PL
Cyber Fortress - Simulation-Strategic Games Based on Scenarios of the Latest Advanced Cyber Attacks
Marcin Fronczak
Miroslaw Maj
Piotr KepskiMarcin Fronczak (ComCERT S.A., PL), Miroslaw Maj (ComCERT S.A., PL), Piotr Kepski (ComCERT S.A., PL)
Cyber fortress is online strategy TTX game in which players learn how to build and defend critical infrastructure of various organizations in their virtual countries. For this purpose there are scenarios prepared, based on real attacks. Scenarios, which consist of both - technical ana organizational aspects, simulate real cyber-attacks. The game can be played by individual players as well as teams. Especially team based version bring a significant value in terms of understanding and learn a cooperation during crisis situations. Building the most effective cybersecurity system is on the budget-based approach.Players and teams receive a virtual budget that limits the scope of their investments. The main idea and the task during the game is protection of teams/players critical infrastructure against the most likely threats and to effectively react during the attack phases. Competitors have available various cybersecurity measures, which represent real choices from organizational aspects, processes and technical cybersecurity solutions.
The game has the three years history and proved its practical value during many events and trainings.
Marcin Fronczak has worked for 12 years as Chief Information Security in the financial and insurance sectors, and performed IT/OT area security audits for a critical infrastructure operator. Prior to that, he spent 5 years as a consultant in the area of technology risk and security. During many audits and consulting projects in Europe, he gained extensive experience and thorough knowledge of risks and auditing of ICT systems, confirmed by obtaining international certifications including CISA, CIA, CRISC, Comptia Security +, ISO 27001 LA. He was the first Pole to earn the CCSK certification in the Cloud Security Area. He currently works at ComCERT as a leader of the R&D team and serves as President of the Polish branch of the Cloud Security Alliance.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL)
Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities.
Founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, a former leader of CERT Polska team. The member of the Digital In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities and building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.
European Network Information Security Agency expert and co-author of many ENISA publications including CERT exercises and papers on improvement CSIRT maturity. He organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for most essential sectors (e.g energy, banking, telecommunication). Speaker on many international conferences including the FIRST conferences. He is also the originator and organiser Security Case Study conference, one of the largest cybersecurity event in Poland.
Piotr Kepski currently works as a Cybersecurity Systems Analyst at ComCERT S.A., where he works in the area of cyber threat modeling and TTP (techniques, tactics and procedures) in cyber attacks. He is an internal auditor of the Information Security Management System according to the ISO/IEC 27001 standard. As a member of the Cybersecurity Foundation, he actively works to strengthen awareness in the area of threats from cyberspace, including, among other things, conducting trainings, co-creating the Cyber, Cyber... podcast series and participating in the organization of the Cyber Fortress League.
CyberFortress_Workshop.pdf
MD5: a3cb91d89e6e833e9f75c171acf1e4c3
Format: application/pdf
Last Update: February 10th, 2023
Size: 4.18 Mb
- JPTLP:CLEAR
Cyber Hygiene Hunting : Security Effectiveness Validation for Valid Security Posture
Tomohisa Ishikawa (Tokio Marine Holdings, JP)
Tomohisa is a seasoned cyber security engineer, and a global security manager working for a global insurance company. He has engaged in various security projects/operations including global security strategy, security architecture, threat intelligence analysis, and DFIR. His previous experience includes red team and security training. He holds a Doctor of Engineering, CISSP, CSSLP, CISA, CISM, CDPSE, CFE, PMP etc. In addition, he has a lot of contributions as a speaker, national IT exam committee member in Japan, translator, and author. He speaks at various conferences such as SANSFIRE 2011 & 2012, DEFCON 24 SE Village and Japan domestic conferences. Also, he writes a book related to threat intelligence in Japanese, and I published 4 DFIR translated books from O'Reilly Japan.
Cyber hygiene is a basic strategy but applying it without exception is difficult, and cyber hygiene failure allows the intrusion by threat actors. In this presentation, I will present the "Cyber Hygiene Hunting" concept to identify the failure of cyber hygiene. In this session, I will explain the concept of Cyber Hygiene Hunting and related concepts such as CM&CI (Continuous Monitoring & Continuous Improvement), EoC (Enabler of Compromise), and Pyramid of Hygiene, and compare how this "Cyber Hygiene Hunting" conceptis similar to and different from "threat hunting", "vulnerability assessment" and/or "penetration test ". Then, I will explain numerous examples to identify cyber hygiene failures such as Active Directory check, security control validation, and compromise assessment. Finally, I will explain that these activities are beneficial for not only KPI and actionable improvement for senior leadership, security heads, and global cybersecurity governance, but also security due diligence processes in M&A or strategic partnership.
- AUTLP:CLEAR
Cybersecurity: A Risky Business
Geoff Thonon (AU)
Please note slides for download are TLP:CLEAR
- AR
Democratizing Incident Response Tabletop Exercises
Federico PachecoFederico Pacheco (BASE4 Security, AR)
Incident response tabletop simulation exercises allow training people in skills related to reactions and processes in crisis situations. This paper analyzes several experiences of tabletop simulations that resulted in learning of practical utility for the participants. After applying the traditional approach based on conversational interaction, and the modern approach based on interaction through virtual platforms, a new, more accessible, and scalable modality was proposed, developed in free software, which allows taking this practice to any environment. In addition, it was found that the exercises carried out in educational environments improve the learning of the topics for both participants and observers.
Federico Pacheco - Cybersecurity professional with background in electronics engineering and several industry renowned certifications. 20+ years of teaching experience at the most prestigious universities in Argentina. Published four books and several research whitepapers. Has worked for the public and private sector, including regional roles in global companies.
- NLTLP:CLEAR
Dissect: the Solution to Large-Scale Incident Response (and Why APTs Hate Us)
Erik Schamper (Fox-IT, NL), Willem Zeeman (Fox-IT, NL)
Erik is a security researcher at Fox-IT working on various topics, ranging from threat intelligence to working on complex incident response engagements. He is one of the key authors of Fox-IT's enterprise investigation framework, Dissect. He helped shape the tooling and methods of how Fox-IT approaches enterprise investigations today.
Willem started his career (2000) as a system engineer and studied technical informatics. 2007-2017, he worked in both operational and organisational roles at an MSP. Since 2017 and currently in the role of Principal CIRT Consultant he's enjoying his passion for security and the usage of tools like Dissect.
Fox-IT made it possible to investigate many systems in a short amount of time, without compromising on quality or capabilities. We developed Dissect, an enterprise investigation framework that we have now open-sourced.With Dissect, you can go from an intake call to patient zero in a matter of hours, even in infrastructures with thousands of systems, no matter the operating systems. It also takes away concerns about how to access investigation data, so you can now focus on performing analysis, developing complex analysis plugins, and performing research. Dissect conveniently supports the analyst, from the moment of acquisition to normalization and processing.Behind the easy-to-use analyst tooling is a deep and extensive Python framework powering it all. The Dissect API enables technical analysts to easily get access to the lowest level of traces. This allows analysis and research of artefacts that were previously unnoticed or hard to get to, especially at scale. Because no adversary, no matter how high-end or widespread, should be beyond your reach.Dissect works for us in incident response and traditional digital forensics of computer systems, but it's flexible enough to incorporate forensics of just about any type of device. We can already investigate routers and firewalls, what else can you think of?Attendees will learn what Dissect is, get to know its capabilities, and how to use the Dissect framework to their advantage!
- NLTLP:CLEAR
Do You Want to Improve Your Country's or Organisation's Handling of Cyber Security Incidents?: Where to Start (virtual presentation)
Don StikvoortDon Stikvoort (Open CSIRT Foundation, Chairman of the Board EU Cyber4Dev Expert, NL)
Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security – specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.
After his MSc degree in Physics, he became Infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet since November 1989. He recognised “security” as a future concern in 1991, and was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992-8, and FIRST member since 1992. Today Don is a FIRST Liaison Member.
Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.
In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 has is now under the wings of the “Open CSIRT Foundation” (OCF). Don was one of the founders in 2016 and now chairs its board.
Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, which portfolio is life & executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field.
Don thrives as motivational and keynote speaker. He enjoys to share his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate – and how deeper understanding and a better ability to express ourselves, increase our ability to bring good change to self as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out-of-the-box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:
“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.
Don-Stikvoort-Slides.pdf
MD5: db433e34deb5620572ebd382af2dc3d3
Format: application/pdf
Last Update: March 22nd, 2023
Size: 3.03 Mb
- GHTLP:CLEAR
Effective Controls for Data Privacy; The Role of Technology Professionals (virtual presentation)
Albert SeshieAlbert Seshie (GH)
Data Privacy in Africa over the past years has seen some significant growth largely within the space of policymaking, directives, and regulations with about 33 countries enacting related laws as of 2021. This has been driven by efforts to ensure the protection of data as fundamental to the rights of citizens and also with the upsurge of global commerce in the digital economy age.
The success of global privacy programs involves the implementation of effective administrative and technical controls that will ensure compliance with the relevant regulatory regimes including the lawfulness of processing, the cross-border data flow requirements, and data security safeguards. The journey towards compliance has focused more on the education and awareness of what these regulatory requirements are, and conspicuously missing out on the implementers of technical controls, i.e. the technology professional’s role, an important stakeholder who must be involved and own key processes within the data processing value-chain.
This presentation will highlight the role of technology professionals in the effective implementation of data privacy controls and the protection of information relevant to the ultimate compliance requirement.
Albert Seshie is an Information Security, Audit, Privacy Professional & Trainer with over 13+ years in Industry. He is a committed member of prestigious ISO Certification, Information Security, Audit, Privacy & Training bodies such as PECB, ISACA, (ISC)2, IAPP, IIA, IIPGH & EC-Council. Though coming from a non-technical background, his passion for technology, information security and training has driven him to achieve industry certifications such as CISM, CEH, C|HFI, MCSA, ISO 27001 LI/LA. ISO 22301 LI, ISO 27032, ITIL, Prince2, CoBIT, PSM1, CIDM, (ISC)2 CC, VCA-DCV, VCA-Cloud, NSE1, NSE2, PECB Trainer-ISO 27001 ISMS Auditor and currently pursuing his MSc. Information Technology. His areas of specialties are Information Security, Audit, Data Center Infrastructure + Cloud Security Management, Enterprise Security / Risk Management, Privacy and IT/Security Training, Technology Pre-Sales, Vulnerability Assessment, Unified Communications and Collaboration, Incident Management, ISO 27001:2013 Implementation & Auditing, Cyber Security Threats Management, Business Continuity, IT Service Management, Data Protection/Privacy & Training. In his free time, he volunteers on several projects with Africa Digital Rights Hub' and has been a speaker at the Data Protection Africa Summit (2018/2019 and 2022)
- MY SGTLP:AMBER
Effective DFIR Investigation with Limited Resources
Ahmad Zaidi Said (MY), Salman Shaikh (SG)
Please note slides for download are TLP:CLEAR
- SKTLP:CLEAR
Everyone Should Care About National Cyber Security Strategy
Matej ŠalmíkMatej Šalmík (National Cyber Security Centre SK-CERT, SK)
As head of Training, Awareness, Cooperation and Support Centre at National Cyber Security Centre SK-CERT under National Security Authority, Matej is responsible for a broad range of activities at strategic and decision making level including development of legislation and other high level documents. His hobbies include risk management on sectoral and national levels and maturity assessment of CSIRTs.
A hidden resource to boost your organization's success may be something you never imagined: a national cyber security strategy. If done by bureaucrats, it is a boring piece of paper that collects dust. At the same time, aligning your organization's interests with the national strategy can help you out. And who is better equipped to define the really important strategic goals if not CSIRT teams who are on the front line of incident response and crisis management.We will present lessons learned while building the national cyber security strategy of Slovakia; how we engaged with the community; how you can take a part in developing your own country's strategy.
- NOTLP:CLEAR
Foresight Analysis: The Magic Eight Ball of Intelligence Analysis
Freddy MurstadFreddy Murstad (Nordic Financial CERT, NO)
Freddy Murstad is the senior threat intelligence analyst at the Nordic Financial CERT (NFCERT) in Norway and works serving 200+ financial institutions in the Nordics with threat intelligence, reports, and analysis on threat actors. He shares his knowledge on intelligence analysis and intelligence processes and focus on bridging the gap between Strategic and Tactical analysis for his stakeholders. Currently, Freddy is doing basic research in preparation for a PhD in the cross-section of intelligence analysis and cybersecurity.
Enhancing the foresight capabilities of CTI analysts is vital for staying ahead of future threats. However, this remains a daunting challenge, especially for data-driven and reactive analysts.
Drawing from my experience conducting foresight analysis workshops for the Nordic cybersecurity community, I'll showcase the success of these sessions. We'll explore how bias detection, structured analytical techniques (SATs), and improved critical thinking have empowered participants, enabling them to apply foresight analysis effectively within their teams.
Reminder, slides for download are TLP:CLEAR
- US
Harder, Better, Faster, Locker: Ransomware Groups Flex On Defenders
Lindsay KayeLindsay Kaye (HUMAN Security, US)
Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also discuss what made some of these new TTPs effective for the threat actors’ business, and what made them less successful, both at the technical and human intelligence levels. During the talk, we will highlight particular areas that created the most trouble for threat actors, and often made them easier to track. Finally, we will discuss how defenders can adapt to these changing TTPs, and how we expect the ransomware landscape to continue to evolve in the future.
Lindsay Kaye is the Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay’s technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
- TLP:CLEAR
Helping Organizations Anticipate and Approach Emerging Technology Threats
Natalie KilberNatalie Kilber (Harman International)
Natalie Kilber is a Quantum Physicist, who has ventured into the cyber realm. Initially securing Quantum Computers and assessing their initial threat to infrastructure, as an independent voice on emergent technology cybersecurity, she established Nabla Co - A Natalie Kilber Advisory and resides as a senior researcher at the Institute of Software Engineering, University of Stuttgart. She has worked in the cloud, venture capital industry, as well as AI and secure software development as a technical expert and strategist. Currently, she is the Senior Director for Product Security at Harman International.
Shifts in the IT and cyber security landscape over the past decade have occurred more frequently by orders of magnitude than in traditional science and technology fields. To properly anticipate organizational impact of emergent technologies, organizations need to develop and employ a methodology to evaluate on-the-horizon technologies, understanding the multi-dimensional risks and benefits each may provide.
For each technology there are early stage indicators on how adversaries can capitalize on such technology to improve operational effectiveness. Devising a strategy to approach evaluating emerging technologies—irrespective of whether that is framework or series of templates—provides immense benefits to C-suite stakeholders and risk management and is a function that threat intelligence teams can serve.
In this talk, we take a multi-dimensional approach to examining the problem to aid organizations in understanding prioritization and timelines for potential disruption from emerging technologies. We use quantum technology as an example for how organizations can create an effective strategy to forecast and discern business impact analysis of on-the-horizon disruptive technology threats. We adapt existing cyber threat intelligence frameworks like MITRE ATT&CK and the diamond model to help existing threat intelligence teams accurately translate and communicate emerging threats while determining an effective risk management strategy.
Reminder, slides for download are TLP:CLEAR
- DETLP:CLEAR
How Much Alert Fatigue Actually is Threat Intel Fatigue?
Markus LudwigMarkus Ludwig (ticura, DE)
Markus Ludwig, (ticura GmbH, CEO) is working in the Cybersecurity space since more than 17 years in multiple global roles (eg. for IBMs X-Force Threat Intel team, Internet Security Systems) and owns several patents around CTI. His mission is to create simple solutions for complex CTI problems and make life easier instead of adding another layer of complexity. e in Cybersecurity.
In times when we face a gap of 2.5+ million cybersecurity professionals, security operation teams are overloaded by alerts and incidents. 80% of the cybersecurity professionals state they feel some level of burnout. It's time to look deeper into the reasons behind alert fatigue and talk about root causes. The maturity of a Threat Intelligence program is one of those worth talking about.
Reminder, slides for download are TLP:CLEAR
- LUTLP:CLEAR
How to Improve Your Threat Intelligence Process with AIL Project
Alexandre DulaunoyAlexandre Dulaunoy (CIRCL, LU)
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
AIL is an invaluable resource for enhancing your threat intelligence processes, with a particular emphasis on improving the quality of your intelligence. By leveraging AIL's advanced capabilities for collecting, crawling, and analyzing unstructured data, you can gain valuable insights that might otherwise go unnoticed. With AIL, you can stay ahead of potential threats by quickly identifying and analyzing suspicious patterns and behaviors, enabling you to take proactive measures to mitigate risks. Whether you're a cybersecurity professional, a law enforcement agency, or an intelligence analyst, AIL provides a powerful set of tools to help you stay one step ahead of emerging threats.
Reminder, slides for download are TLP:CLEAR
- USTLP:CLEAR
How to Save Your SOC from Stagnation
Carson Zimmerman (Microsoft, US)
Carson Zimmerman is a veteran cybersecurity operations specialist, author, and speaker. In his current role at Microsoft, Carson leads an investigations team responsible for defending the M365 platform and ecosystem. In his previous role, at The MITRE Corporation, Carson specialized in cybersecurity operations center (CSOC) architecture and CSOC consulting. His experiences over 20 years as a CSOC analyst and engineer led Carson to author /Ten Strategies of a World-Class Cybersecurity Operations Center/, and co-authored its second edition, /11 Strategies.../ which may be downloaded for free at mitre.org/11Strategies.
Your SOC is overwhelmed. Your analysts feel powerless. Your response lead just rage quit. You must do something. In this presentation, Carson Zimmerman will show the audience how to instill a culture of empowerment into the SOC. He will present seven key processes SOCs of any size or age can implement in to build engagement and improvement at a grassroots level.
- AT
How to summarize CTI reports
Aaron KaplanAaron Kaplan (CERT.at, AT)
Aaron Kaplan studied computer sciences and mathematics in Vienna, Austria Since 2008 he works at CERT.at. The, he is (next to Tomas Lima (ex-CERT.pt)) one of the main architects of IntelMQ and the whole approach of incident handling automation at CERT.at.
Aaron is proud to have served FIRST.org as member of the board of directors between 2014 and 2018. He also is a regular speaker at IT security conferences.
He is founder of Funkfeuer.at - a wireless mesh network covering the whole city of Vienna and beyond.
Currently he looks at data science driven approaches to IT security.
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
How to summarize CTI reports
July 13, 2023 11:30-18:45
- DETLP:CLEAR
I Opened Pandora's Box and It Was Full of Obfuscation
Geri RevayGeri Revay (Fortinet, DE)
Geri has more than 13 years of experience in cybersecurity. He started on this path as he specialized in network and information security in his M.Sc. in computer engineering. Since then, he has worked as a QA engineer for a security vendor, then changed to penetration testing first as an external consultant and than as an internal consultant at Siemens. He is a hacker at heart and a consultant by trade. He worked on both IT and OT systems. In the past years, he focused on security research in binary analyses and reverse engineering, which led him to Fortinet. At FortiGuard Labs, he currently does malware analysis and reverse engineering related research.
In Greek mythology, opening the infamous Pandora's box introduced terrible things to the world. That can also be said about today's ransomware. The Pandora ransomware that crowned the name is no exception. It steals data from the victim's network, encrypts the victim's files, and unleashes the stolen data if the victim opts not to pay.The sample contains multiple layers of obfuscation and anti-reverse-engineering techniques. Among others: string encoding with 14 different decoding functions, call address obfuscation with opaque predicates, control-flow flattening with a twist, and so on.The Greek myth says hope was left in the box. In this presentation, we will discuss the hope reverse engineers have to save their souls. First, we will discuss what these obfuscation methods mean and how they can be bypassed generally. Then we will build the necessary tooling using IDAPython and emulation to be able to turn the disassembly in IDA Pro into a format that does not cause a heart attack and allows the analyst to understand what is happening in the malware.
- US
IcedID: Defrosting a Recent Campaign Illustrating Evolving Tactics and Shared Infrastructure
Colin Cowie (Sophos, US), Paul Jaramillo (Sophos, US)
With its origins as a banking trojan, IcedID has evolved into a fully modular backdoor and one of the most prolific malware families used by eCrime threat groups today. Also known as BokBot, it is observed as both an initial payload of phishing attacks and frequently downloaded as a secondary payload by other malware families, such as Emotet. This highlights their working collaboration with both Mummy Spider and Wizard Spider and the complex interplay of malware developers, initial access brokers, and affiliates.
Beginning in December 2022, Sophos observed a major change in tactics leveraging a novel malvertising vector to compromise victims with IcedID. Over 20 unique software brands are being targeted, including Adobe, Vmware, Slack, Discord, and several remote access and collaboration tools. An unwitting victim searching to install these legitimate packages will instead be served a malicious Google Ad mirroring the benign download site at the top of their search results. The attacker makes use of frequently changing Traffic Distribution System (TDS) servers and multiple redirections to deliver a malicious MSI or ISO file inside a ZIP archive.
Detecting or preventing IcedID is important because it's one of the most common precursors to a ransomware incident. Our analysis will step the audience through the attack chain of an IcedID infection and highlight opportunities to both hunt for and disrupt the process. In addition, we will also provide insight into IcedID’s infrastructure, as well as share yara and sigma rules for detection.
Colin Cowie is a Threat Intelligence Analyst for the Sophos Managed Detection Response team. He focuses on detecting emerging threats, threat actor identification, and incident response. In past roles he has worked in the financial sector performing penetration testing as well as in mobile forensics for law enforcement.
Paul Jaramillo is an extremely passionate, technical, and results oriented security professional with over 10 years of incident response and 15 years of IT experience. Previously working at Splunk, CrowdStrike, and the US DoE, Paul is currently Director of Threat Hunting & Intelligence at Sophos. He has a long-distinguished record of reducing enterprise risk and guiding organizations to an improved security posture. Some highlights include breaking into a 2-factored VPN as a pen tester, successfully investigating an insider threat case across the globe as a forensic examiner, and hunting & ejecting nation state adversaries from corporate and government networks.
IcedID-FIRST-AMS-2023.pdf
MD5: 073f833f6c8e04818076ee579c3d67f4
Format: application/pdf
Last Update: April 24th, 2023
Size: 4.35 Mb
- EGTLP:GREEN
Identity and Access Management Risks (virtual presentation)
Nermen IbrahimNermen Ibrahim (Banque Du Caire, EG)
An IAM system introduces risks to the enterprise, but the consensus is the benefits of IAM outweigh the drawbacks. Businesses leaders and IT departments are under increased regulatory and organizational pressure to protect access to corporate resources. As a result, they can no longer rely on manual and error-prone processes to assign and track user privileges. That is where identity and access management or IAM comes in.
Nermen Ibrahim is a 20-year information technology veteran with a focus on information security and network security. She currently serves as the Head of Identity and Access Management Engineering at Banque Du Caire. Her technical expertise and analytical skills, honed through 9+ years in the information security field and 10+ years of professional experience, have earned her recognition as a privacy and risk management professional.
Ms. Nermen holds a Master's in Information Security from Nile University and is certified in CEH and CEI. She has also completed courses in CISSP, CRISC, ECSP.Net, CISM, PCI-DSS, MOBILE BANKING MASTERCLASS, SWIFT CSP, Digital Transformation, Fintech, CIMP, and Blockchain.
Ms. Nermen’s skills were acknowledged in 2018 when she placed third in the CTF Women in Security competition. She also delivered a speech at the 2018 Arab Security Conference on the topic of "Common Vulnerabilities in Online Payment Systems."
In summary, Ms. Nermen is a highly capable information technology professional with a proven track record of excellence in her field.
- USTLP:CLEAR
If You Want to Build Good Intelligence Requirements, You Do Not Start with Intelligence Requirements.
Brian MohrBrian Mohr (Reqfast, US)
Brian Mohr helps intelligence teams of all sizes and industries provide excellent service to their decision-makers using intelligence requirements. Brian believes that intelligence work comes down to two core tenets: the purpose of intelligence is providing decision support to leadership and providing intelligence is a customer service. To support these tenets within intelligence teams, Brian co-founded the SaaS company 'ReqFast' providing intelligence requirements and workflow management for intelligence teams. Improving the efficiency & efficacy of teams and enabling them to demonstrate value with actual metrics. Previously, Brian worked in both the private and public intelligence community for over twenty years.
This may sound like a Zen koan, but an intelligence requirement without context is no better than one hand clapping. In this talk, I will briefly discuss the importance of intelligence requirements and how they are used in the government. I will then discuss why requirements management usually fails in the private sector, not because they are impossible to utilize effectively but because most organizations make the process too complicated. You first need to understand stakeholders' decisions and the available actions they can take.
Following this introduction, I will discuss several techniques to establish the context intelligence teams need to support their decision-makers. These techniques are not prescriptive - there is no “RIGHT” way to do this; there is only a right way for your organization - but I hope this talk will give you ideas on establishing functional requirements for your intelligence program.
Reminder, slides for download are TLP:CLEAR
If-You-Want-Brian-Mohr.pdf
MD5: 5804623791993cec2a8f738e4d3938be
Format: application/pdf
Last Update: November 17th, 2023
Size: 17.08 Mb
- GBTLP:CLEAR
Incident Command and "The Cloud" - 72 Hours of IR and Ticking
Rebecca TaylorRobert Floodeen (New Anderton, GB), Rebecca Taylor (Secureworks, GB)
Rob Floodeen is a Partner at New Anderton Advisory Services. He leads cybersecurity readiness services. Rob has worked across federal, defense, and commercial operations. Highlights from his cybersecurity career include Pentagon IR team lead, member of CERT/CC, manager of a DoD agency CERT, Technical Advisor to the Director of the SEI managing the FFRDC contract, proactive services lead for PwC, and EMEA director of incident response services at Dell Secureworks. Rob has engaged in the security community through FIRST as the Program Chair, Membership Chair, and Education & Training Chair. He was the editor for ISO 27035:2016 Incident Management and has delivered dozens of DFIR technical and academic courses as an Adjunct Professor at Carnegie Mellon University and as a Visiting Scientist at the Software Engineering Institute, CMU. He holds a BS and MS in computer science and an MBA.
Rebecca Taylor joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, supporting Incident Response as Incident Command Knowledge Manager, and then moving into Secureworks first Threat Intelligence Knowledge Manager role in 2022. Rebecca is primarily focused on the implementation of knowledge management processes and procedures for the Counter Threat Unit, the ingestion and management of Secureworks Threat Intelligence knowledge, and its associated quality, storage and maintenance. Rebecca continues to study and mature her cybersecurity depth of knowledge, with a longer-term ambition of becoming a Threat Intelligence researcher.
The shift of many organisations to the Cloud, has instigated a change in Incident Response activities prioritised and executed in the first days of a major cybersecurity crisis. Incident Responders must be prepared for this shift and be ready to tackle the investigative, detective, remediation and stakeholder management tasks associated with attacks against Cloud environments. This presentation will compare and contrast the on-prem, hybrid, and cloud-native organizational response activities that need to occur in the first three days of a major incident. We will spotlight the necessary Knowledge Management activities which can be utilised to increase Incident Response productivity in relation to Cloud based attacks, including demonstrations of tools and techniques which can be implemented.
- FJTLP:AMBER
Incident Response, Lessons Learned and Case Studies
Watisoni Kaumaitotoya (FJ)
Please note slides for download are TLP:CLEAR
- KRTLP:CLEAR
Info-Stealer: Most Bang for the Buck Malware in 2022
Jiho Kim (S2W Inc., KR)
Jiho Kim is enrolled in Bachelor of Cyber Security in Ajou University. She graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2021. Recently, Jiho has been focusing on cybercrime group who has been active on the DDW at TALON, S2W.
In the past few years, cases of targeting individuals and using stolen credentials as an initial access vector for accessing corporate internal networks are steadily increasing, and info-stealer type malware is firmly establishing its position at the center of this trend. In particular, as MaaS-type malware increases, stealer operators start operating malware more systematically, and attackers who purchase and distribute stealer also tend to move from individual to organized. As the stealer market expands, the damage suffered by individuals and companies is increasing day by day. In fact, there are more than 5 million stolen logs as of December 2022 in Russian Market, one of the large markets selling stealer logs, and a bulletin board exclusively for trading Stealer logs was created in the Breached forum. The Lapsus$ group, who leaked credentials of famous companies around the world, also used RedLine stealer as an initial access vector. As such, the stealer is exerting great influence as a tool for stealing information from various attack groups. In the field of cybercrime, stealers respond sensitively to changing trends, quickly adjust distribution routes and items to collect, and actively utilize social engineering techniques to deceive general users. The Traffer team provides traffic, such as phishing sites and Redirection Infra, necessary for the distribution of stealer malware, as a service in hacking forums. We have been monitoring various stealer operators and several Traffer teams involved in actual distribution for a long time within DDW, and tracking the changing attack techniques and distribution methods of stealers. Based on this, I would like to explain the change in the method used to distribute the stealer, how the stolen credentials are used in actual attacks, and how the information of the attacker can be specified through the stealer log. I hope that this announcement will be helpful in catching petty theft trying to steal access keys.
- JPTLP:CLEAR
IOC-DREAM - IOC Distribution in Restricted Environment and Automating response based on MISP
Yifan Wang
Kunio MiyamotoYifan Wang (NTT Data Corporation, JP), Fukusuke Takahashi (NTT Data Corporation, JP), Kunio Miyamoto (NTT Data Corporation, JP)
Yifan Wang joined NTTDATA-CERT in 2017. She has been working on IR, OSINT, SOAR for 6 years and promoting effective threat intelligence sharing via MISP among multiple overseas organizations. From 2023, she starts to work on talent development for MDR.
Fukusuke Takahashi joined NTTDATA-CERT in 2018. He has been working on IR, OSINT, and SOAR for 5 years. In recent years, he has been promoting effective threat intelligence sharing via MISP among multiple organizations. Also, Fukusuke is one of developers of Hayabusa project, which is a fast forensic tool.
Dr. Miyamoto is a member of NTTDATA-CERT since 2010 and works as an incident responder and researcher of preventing incidents and reducing damage. He started to research and deploy MISP in NTTDATA-CERT from 2018. He received Ph.D. in Informatics(INSTITUTE of INFORMATION SECURITY, Yokohama, Japan) degree in 2011, and he registered as Professional Engineer Japan(Information Engineering) in 2014.
Across the world, CSIRT teams collect cyber threat intelligence, enrich the indicators of compromises based on their investigation and apply them on security products as soon as possible for early prevention of attacks. However, action and decision-making at the human level will cause a delay of response. Time lag issue also remains in large organizations like an international corporation. For these issues, we improve our workflow by automation, manage the indicators of compromise as machine readable data, and share threat intelligence with overseas group companies in near real time by implementation of Malware Information Sharing Platform (MISP) and MISP instances’ integration. Furthermore, we could automate response by using security tool's API from MISP and simple script. In this presentation, we will present our auto-workflow implemented by MISP and MISP integration of other tools/security products. Also, knowledge obtained in MISP integration and cases of real threat response will be described.
- FR CZTLP:CLEAR
Iron Tiger’s Supply Chain Attack Targeting Windows, MacOS and Linux Users
Daniel LunghiJaromir HorejsiDaniel Lunghi (Trend Micro, FR), Jaromir Horejsi (Trend Micro, CZ)
Iron Tiger, also known as APT27 or Emissary Panda, is an advanced threat actor that has been doing espionage for more than a decade, targeting multiple sensitive industries worldwide.
In the past months, we noticed the threat actor enhancing its toolkit to target all three major platforms – Windows, MacOS and Linux. We found out that a previously unreported remote access tool named “rshell” was the final stage of the delivery chain targeting MacOS users. This campaign was very interesting as the threat actor obtained access to backend of a lesser-known chat application, whose installers were modified to deliver malicious payload, thus acting as a supply chain attack against chat application users.
Our presentation will start with the analysis of this interesting infection vector (modified MacOS installers, where and how they were modified and how we initially discovered it), followed by discussion of an earlier compromise of the same chat application to deliver HyperBro malware for the Windows platform. We will analyze the features of both rshell and HyperBro malware families utilized in this campaign, and later we will discuss connections to previous campaigns operated by the same threat actor.
As a conclusion, we will provide information on the targets of this campaign and explain our approach to attributing this campaign to Iron Tiger.
Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years. Now he focuses on long-term monitoring of advanced threat actors from all over the world, exploring new ways of tracking them, and enjoying their mistakes. The result of such investigations are shared through blogposts, whitepapers, and conference talks.
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
- LTTLP:CLEAR
ISO 27035 Practical Value for CSIRTs and SOCs
Vilius BenetisVilius Benetis (NRD Cyber Security, LT)
Dr. Vilius Benetis is from NRD CIRT (@NRD Cyber Security), where he leads a team of experts to establish and modernise cybersecurity incident response teams (CSIRT/SOCs) for sectors, governments and organisations in Africa, Asia, Europe, Latin America. He is active contributor and speaker on cybersecurity incident response, contributes to development of CSIRT methodologies for ENISA, FIRST.org and ITU. He is industry professor in Cybersecurity at Kaunas Technology University.
ISO 27035 is recently updated international standard on "Information security incident management". In meantime, more methodologies and standards on information security incident response has been released - such as FIRST.org CSIRT Services Framework, RSIT taxonomy, others. The presentation will introduce ISO 27035 and its' practical and applicable value to all FIRST.org members - for establishment, improvement, or daily operations. The standard will be viewed in the light of other frameworks including NIST 800-61r2:2012, ENISA's "Good Practice Guide for Incident Management" (2010), FIRST.org frameworks.
Jupyter Notebook for Link Analysis in OSINT
Jason LancasterJason Lancaster (SpyCloud)
Jason Lancaster is Senior Vice President, Sales Engineering and Investigations at SpyCloud. He began his career performing pen testing, designing and implementing secure network infrastructures. First as a government contractor and then at a Fortune 500 healthcare company. In 2003, he joined TippingPoint where he held several roles including SE Director. TippingPoint was acquired by 3Com in 2005 and later by HP in 2010.
At HP, Jason ran a cross-functional team as Director with the Office of Advanced Technology. In 2013, Jason co-founded HP Field Intelligence, as part of the Security Research organization, delivering actionable threat intelligence to a wide audience.
Jason spent 15 months at a cloud security start-up CloudPassage prior to joining SpyCloud, where he leads the Investigations and Sales Engineering teams.
This talk introduces Jupyter Notebook as an analytic platform for OSINT investigations. Pandas dataframes and built-in methods allow for importing many data types from many different sources. Methods for cleaning and normalizing data for analysis are discussed. Details of how to analyze, visualize, and develop intelligence from open source data are presented in an easy to consume way. This provides the building blocks to capture investigative methodology and scale for great efficiency. Jupyter notebook allows analysts to capture their methods, document processes, and produce results that are easy to understand.
Jupyter Notebook for Link Analysis in OSINT
September 20, 2023 11:30-17:00
- TLP:CLEAR
Keynote: Cybercrime and Law Enforcement Evolutions and Improving Integration Within Cyber Incident Response
Chris LynamChris Lynam (RCMP)
The continuous evolution of the cyber domain brings with it an equally shifting balance of opportunity and challenge. As technology increasingly enables efficiencies within our society’s systems, processes, controls and aspects of everyday life, a corresponding dependency also develops. This cyber dependency results in a matching vulnerability within society – a vulnerability that cybercriminals aim to exploit. On the historical spectrum of criminal activity, cyber-based criminality remains a relatively recent development and has brought with it new global challenges to which the law enforcement community has had to adjust. As the cybercriminal continues to evolve, so does the cyber security community that aims to lesson vulnerability alongside law enforcement partners who aim to reduce cyber-criminality.
However, the role of Canadian law enforcement in cyber incident response continues to play a secondary or non-existent role at times. There remains an uncertainty when it comes to understanding how law enforcement investigations are conducted specifically in the context of cybercrime and a resulting hesitancy to engage and integrate efforts with police. Cyber victims may be unwilling to report cybercrime occurrences to law enforcement for fear of reputational damage and public exposure. In many cases, victims may simply be unaware of how to engage law enforcement, the value of including law enforcement, and the ways in which parallel law enforcement activities could be integrated into other, core incident response mechanisms. Canadian and international law enforcement successes in this space include arrests, charges and prosecutions, but also extend to other measures to dismantle the cybercrime business model - such as lawfully taking down cybercriminal infrastructure and assets, tracing the criminal use of cryptocurrencies, and combatting further victimization through prevention, outreach and information sharing.
Mr. Lynam will provide a brief background on the evolution of law enforcement’s role in cybercrime and the evolving dynamics domestically and internationally that are continuing to shape how law enforcement engages partners in efforts to respond to and, in the end, reduce cybercrime. Specific attention on the relationship to critical infrastructure owner/operator organizations and how cyber incident management is currently configured will then lead to a discussion of where law enforcement investigation currently resides in the spectrum and explore opportunities for future value-added integration of effort.
- TLP:CLEAR
Keynote: How Did We Get Here? The History and Future of Cyberattacks against Industrial Control Networks
Lesley CarhartLesley Carhart (Dragos Inc)
Lesley Carhart is the Director of Incident Response for North America at the industrial cybersecurity company Dragos, Inc., leading response to and proactively hunting for threats in customers’ ICS environments. Prior to joining Dragos, Lesley was the incident response team lead at Motorola Solutions. Following four years as a Principal Incident Responder for Dragos, Lesley now manages a team of incident response and digital forensics professionals across North America who perform investigations of commodity, targeted, and insider threat cases in industrial networks. Lesley is also a certified instructor and curriculum developer for Dragos’ incident response and threat hunting courses. Lesley is honored to be retired from the United States Air Force Reserves, and to have received recognition such as “DEF CON Hacker of the Year”, “SANS Difference Maker”, and “Power Player” from SC Magazine. You may find Lesley organizing resumé and interview clinics at several cybersecurity conferences, lecturing, and blogging and tweeting prolifically about cybersecurity. When not working, Lesley enjoys being a youth martial arts instructor.
There are a lot of misconceptions about cyberattacks against critical infrastructure systems. As cybersecurity professionals, their secuirty condition and the attacks they appear vulnerable to can be baffling. Lesley will walk the audience through the intriguing history of the digital control devices which supply our power, water, gas, and manufacturing services (among others), how they grew into the systems they are today, and how attacks have developed against them. The talk will culminate in a discussion about what happens next, and the real condition of those systems and their cybersecurity, today.
- VUTLP:AMBER
Lesson Learnt: Cyber Security Operations in an Island State
Jeff Garae (VU)
Please note slides for download are TLP:CLEAR
- LUTLP:CLEAR
MISP 3 - Teaching an Old Dog New Tricks
Andras Iklody
Sami MokaddemAndras Iklody (CIRCL, LU), Sami Mokaddem (CIRCL, LU)
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.
MISP, the open source threat information sharing platform, has been around for over a decade and whilst the platform has been rapidly growing along with the practices of the organisations using it, a major rework of the fundamentals has been long overdue.
This session aims at introducing what is coming in MISP 3 along with the new possibilities it brings to the FIRST community as well as the threat sharing community at large.
Besides the new features, we'll also explore some of our lessons learnt over the past decade of building MISP and related tooling.
Reminder, slides for download are TLP:CLEAR
- CHTLP:CLEAR
Mistakes Happen, Either Learn From Them Or Rinse And Repeat!
Gregor WegbergGregor Wegberg (Oneconsult International CSIRT, CH)
After his IT apprenticeship with a focus on software development, Gregor Wegberg studied at the Swiss Federal Institute of Technology (ETH) in Zurich, Switzerland. During his studies, he specialized in information security. After completing his master's degree in computer science (MSc ETH CS), he joined Oneconsult in January 2017 as a penetration tester and security consultant. Since February 2020 he is Head of Digital Forensics & Incident Response and leads the OCINT-CSIRT. At the same time, he teaches Incident Response at the University of Applied Sciences OST and likes to share his experience in lectures, workshops and trainings.
When you look at our community, it often seems so flawless. Everyone is just easily detecting, analyzing, and resolving incidents. Yet we know this is not our reality and it is absolutely essential to our success that we learn from mistakes and continuously improve.This talk will give you an insight into mishaps, misguided ventures and plain old mistakes from our CSIRT's everyday incident response and digital forensics life. We will also delve into the valuable lessons our team has learned from these events. This will hopefully stop your team from falling into the same traps. It's time we all started to talk openly and actively about our struggles, mistakes and what we have learned!
- JPTLP:CLEAR
MyJVN Product Dictionary Challenge for Collaboration with Vulnerability Database and Asset Management
Masato Terada (Information-technology Promotion Agency, JP)
Dr. Masato Terada is the Technology and Coordination Designer for Hitachi Incident Response Team (HIRT), the leader in vulnerability handling and vulnerability database. He launched a research site, a predecessor of JVN: Japan Vulnerability Notes (http://jvn.jp/) in 2002 and launched MyJVN, a security automation platform for JVN vulnerability database in 2008, and is developing functional extensions of MyJVN currently. Also, he has worked as a visiting researcher at the Information-technology Promotion Agency (IPA)(ipa.go.jp), a senior advisor at JPCERT Coordination Center (jpcert.or.jp).
As Cyber-attacks become more sophisticated, information systems are becoming more serious for the threats. To prevent damage from cyber-attacks, it is necessary to respond quickly to the vulnerabilities that are disclosed. This paper describes the JVN Product Dictionary that supports collaboration between the vulnerability database and asset management in order to construct an environment that enables rapid response to cyber-attacks. JVN is public Vulnerability Database by IPA and JPCERT/CC in Japan. JVN Product Dictionary is configured as a product dictionary for associating product identifiers based on correspondence to Software Bill of Materials (SBOM).
- CHTLP:CLEAR
N-IOC's to Rule Them All
Stephan Berger (InfoGuard AG, CH)
Stephan Berger have worked in security for over ten years, now for two years at the Swiss security company InfoGuard, where he leads the Incident Response Team. He is an active twitterer (@malmoeb) and regularly presents for InfoGuard or at the CH-Certs meetings, where various Swiss security teams are combined. He owns a Bachelor's in Computer Science and a Master's in Engineering, as well as various SANS certifications and the OSCP.
The Swiss GovCERT published monthly statistics on the most common malware families in Switzerland. Much of the published analysis on these malware families focused on the malware's reverse engineering rather than the forensic artifacts that a successful infection leaves on a host.In our research, we examined the top malware families from a forensic perspective to find commonalities in infection, data collection, and network transmission. Through the data obtained through our research, we were able to identify targeted IOC (Indicators of Compromise) that can be used for all malware families (for example, run keys, executables in the AppData folder, specific event logs). This abstraction or generalization of malware families allows SOC analysts, incident responders, and threat hunters to search for malicious behavior on the network more precisely and quickly without focusing on just one malware family.
- GBTLP:CLEAR
No One Likes to be Excluded: What Is the Role of War Exclusions in Cyber Insurance?
Éireann LeverettÉireann Leverett (Concinnity Risks, GB), Rick Welsh (Waratah.io, GB)
Éireann Leverett is the co-author of Solving Cyber Risk, and a cyber risk entrepreneur. His career has taken him from hardhats and steel toed boots in industrial control systems to the implications for critical national infrastructure in policy. He works regularly with the international CERT community at FIRST.org, and writes papers when he finds the time. His proudest achievement is co-authoring a paper which has inspired legislation in the EU. He loves nature, travel, and reading when he gets away from computers.
Rick Welsh has 20 years of experience in cyber insurance.
The recent settlements of Merck and Mondelez with their cyber insurers have set precedents. However, they're hard to decode. Lloyd's of London has said they want cyber exclusions written into all policies, and that may have very important ramifications to all incident responders. We invite a mixture of cyber re/insurance professionals and incident responders to a public discussion of these decisions and their implications.
- GBTLP:CLEAR
Objectifying Your Incident Management to Lift the Fog of IR
Robert Floodeen (New Anderton, GB)
Rob Floodeen is a Partner at New Anderton Advisory Services. He leads cybersecurity readiness services. Rob has worked across federal, defense, and commercial operations. Highlights from his cybersecurity career include Pentagon IR team lead, member of CERT/CC, manager of a DoD agency CERT, Technical Advisor to the Director of the SEI managing the FFRDC contract, proactive services lead for PwC, and EMEA director of incident response services at Dell Secureworks. Rob has engaged in the security community through FIRST as the Program Chair, Membership Chair, and Education & Training Chair. He was the editor for ISO 27035:2016 Incident Management and has delivered dozens of DFIR technical and academic courses as an Adjunct Professor at Carnegie Mellon University and as a Visiting Scientist at the Software Engineering Institute, CMU. He holds a BS and MS in computer science and an MBA.
IR requires elusive facts to support rapid decisions that resemble a risk-based-game of Jenga. This session will introduce key decision points during IR and provide a methodology to ensure resource allocations, supporting information for decision-making, and effort management is well communicated and effective by using objectives, workstreams, confidence, and levels of effort.
- NLTLP:CLEAR
Open for Extortion: Upcoming Ransomware Evolutions and Revolutions
Feike HacquebordFeike Hacquebord (Trend Micro, NL)
In this presentation we explore the current state of ransomware in cybercrime and how ransomware business models will change in the near and far future. We will talk about the triggers that will cause ransomware actors to adapt. Some triggers will lead to a gradual evolution of ransomware. These triggers include the usage of more 0days in the initial access phase, better operational security, automation to optimize revenues, targeting Linux cloud servers more and targeting exotic platforms. Only when ransomware actors are pushed hard they will radically rethink their business models. Triggers include geopolitical events, regulations of cryptocurrency and the realization that other cybercrime is more profitable. We will discuss business models where the ransomware payload is changed to other, more profitable payloads, while still many of the core specialist skills of ransomware actors are leveraged. Finally we discuss how private industry, government and law enforcement can work together to fight against the crimes committed by the most prolific ransomware actors today and in the future.
Feike Hacquebord has more than 18 years experience in doing threat research as a Senior Threat Researcher. Since 2005, he has been a regular advisor of international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog postings and papers on advanced cyberattacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.
- MW LTTLP:CLEAR
Operationalization of Malawi CERT- Lessons Learnt and Challenges
Christopher BandaVilius BenetisChristopher Banda (MACRA, MW), Vilius Benetis (NRD Cyber Security, LT)
Mr. Christopher Ganizani Banda is the head of the Computer Emergency Response Team (CERT) and works under Malawi Communications Regulatory Authority (MACRA). He has been at the center of developing and coordinating Cyber security issues in Malawi, like developing the National Cyber Security Strategy, facilitating the designing, establishment, and management of the National CERT, and initiating various Cyber Security activities. He has been involved in various national and international cybersecurity Policy Forums such as ITU, COMESA, SADC, etc. He was the vice Rapporteur for ITU-D Study Group 2 Questions 3/2 (Securing information and communication networks: best practices.
for developing a culture of cyber security) for the study period 2014-2017. Formally focused on ICT Development and was responsible for facilitating ICT Development in Malawi through Policy and Planning; licensing telecommunications networks; implementing ICT development Projects; Research and Development.
He holds MSc and BSc Degrees in ICT, an MSc Degree, a Certified Network Defender (CND), and a Certified Ethical Hacker (CEH). He has over fourteen years of technical experience in the ICT sector. The last five years have focused on cyber security.
Dr. Vilius Benetis is from NRD CIRT (@NRD Cyber Security), where he leads a team of experts to establish and modernise cybersecurity incident response teams (CSIRT/SOCs) for sectors, governments and organisations in Africa, Asia, Europe, Latin America. He is active contributor and speaker on cybersecurity incident response, contributes to development of CSIRT methodologies for ENISA, FIRST.org and ITU. He is industry professor in Cybersecurity at Kaunas Technology University.
National Computer Emergency Response Teams (CERTs) or national Computer Security Incidence Response Teams (CSIRTs) are tasked with developing the capacity to manage cyber security incidents for a specific nation, industry, or organization. They also serve as the focal point for coordinating and supporting the response to cyber security incidents while performing the barest minimum of incident handling tasks. At around 2018 Malawi started the journey of establishing the National CERT, which serves as the country's hub for national coordination of cybersecurity incidents. Of late, MWCERT has been getting a lot of enquiries on the process of establishing the National CERT.
- US GB NLTLP:CLEAR
Preserving Confidentiality When Hunting With Friends
Gabriel Bassett (Liberty Mutual, US), Paolo Di Prodi (Priam Cyber AI ltd, GB), Hugo Ideler (Roseman Labs, NL), Toon Segers (Roseman Labs, NL)
Gabriel is the lead data scientist and a contributing author on the Data Breach Investigations Report team at Verizon Enterprise Solutions specializing in data science and graph theory applications to cyber security including VERIS and Attack Flow. He supports several information security data science conferences, is game architect for the Pros vs Joes Capture the Flag series and has previously held cyber security risk management, testing, intelligence, architect, and program management positions at the Missile Defense Agency and Hospital Corporation of America.
Paolo is the founder of Priam Cyber AI, a startup developing a native incident response platform for SOC teams. He was previously a data scientist for companies including Fortinet, Microsoft and Context IS. He worked on the Cyber Threat Alliance consortium and contributed to the following MITRE Engenuity projects including TRAM, Sightings, AttackFlow. He maintains an open source project called TypeDB CTI that is soon to become an OASIS compliant library for STIX source/sinks. He is also a contributor for the EPSS SIG in FIRST ORG. He holds a Phd in multi-agent machine learning and a degree in software engineering.
Hugo Ideler is currently the head of Engineering at Roseman Labs, a start-up specializing in Multi-Party Computation. Hugo is a former senior manager at Deloitte's Incident Response practice and has 10 years of experience in responding to breaches and threat hunting in complex client environments. Hugo is also the lead engineer delivering NCSC' SecureNed platform.
Toon Segers is co-founder and COO at Roseman Labs, the company developing privacy-preserving collaboration software that is used at the Dutch National Cyber Security Center. Toon is a PhD candidate in applied cryptography at TU Eindhoven, focusing on Secure Multi-Party Computation. Prior to this, he was a Partner at Deloitte, responsible for its Cyber Risk practice in the Netherlands. Toon worked at the Boston Consulting Group for 10 years, holds an MBA from Columbia University, and an MSc in Applied Math.
What if data sharing could be better? What if we could cooperatively perform threat hunting across multiple organizations in near-real time with each team adding the pieces of the puzzle they observe.This talk is focused on the tools needed to do that. We'll cover data formats that improve shareability, and tools that improve sharing them while protecting privacy.Come find out what Multi-Party Computation (MPC) and Differential Privacy (DP) are and how you can put them to use without a PhD in applied mathematics.Others like the National Cyber Security Centre (NCSC) in the Netherlands are already using this approach, and you can too!
- NL
Prioritising Response | Tesorion Vulnerability Explorer powered by EPSS
Roel van der JagtRoel van der Jagt (Tesorion, NL)
Prioritising Response
Which to fix, which to patch, which to investigate after an incident. How to choose between different vulnerabilities at different times.
Roel van der Jagt has worked in cyber security for 15 years with several Dutch MSSPs. Roel currently works for Tesorion in the role of CERT incident handler with T-CERT. This team can be best described as the firefighters of cyber security. Along with helping organizations during critical incidents, Roel really likes finding the vulnerability being exploited (if there is one).
- CZTLP:CLEAR
Priority Intelligence Requirements Workshop - How to Set the Directions of Your CTI Program
Ondra Rojcik
Vladimir JanoutOndra Rojcik (Red Hat, CZ), Vladimir Janout (Red Hat, CZ)
Ondra Rojcik is a Senior Cyber Threat Intelligence Analyst at Red Hat CTI team. He is responsible for providing intelligence analysis and strategic perspective to the Red Hat’s CTI program and its analytical production. Previously he worked for the Czech National Cyber and Information Security Agency (NUKIB) as a Deputy-Director of Department and Head of Strategic Analysis Unit which he co-founded.
Vladimir Janout is a Cyber Threat Intelligence Analyst at Red Hat, currently specializing in the Collection&Processing phases of the Intelligence Cycle with a focus on process automation and streamlining. He holds a Master's degree in Information Security from Brno University of Technology.
Priority Intelligence Requirements (PIRs) Workshop aims to assist attendees in developing a mindset for establishing intelligence requirements for their organizations. PIRs are a tool that help to prioritize relevant topics of CTI team activities, such as data collection, analysis production, threat hunting, and detection.
To achieve this, participants will have access to a template (link below) that they can customize to meet their organization's specific requirements. We will work with a mock-up company annual report provided by the workshop facilitators which you can optionally go through prior to the workshop. During the workshop, the participants will undergo series of steps for setting the PIRs, including finding elements of an organization and their function, finding supporting assets of the elements, mapping most impactful adversarial operations and conducting a risk assessment, which includes assessing the likelihood and impact of a potential attack on the organization and supporting assets.
The workshop will also cover the customization of the results of the exercise into actual PIRs and how to operationalize them in CTI team activities.
Stellar Electric 2022 Annual Report: https://drive.google.com/file/d/1bzWfeR-Gw1z9MsDfshh3fGYHgRUkqWoF/view?usp=drive_link
Reminder, slides for download are TLP:CLEAR
- NLTLP:CLEAR
Q&A After Hours | Dissect: the Solution to Large-Scale Incident Response (and Why APTs Hate Us)
Willem Zeeman (Fox-IT, NL), Erik Schamper (Fox-IT, NL)
Willem started his career (2000) as a system engineer and studied technical informatics. 2007-2017, he worked in both operational and organisational roles at an MSP. Since 2017 and currently in the role of Principal CIRT Consultant he's enjoying his passion for security and the usage of tools like Dissect.
Erik is a security researcher at Fox-IT working on various topics, ranging from threat intelligence to working on complex incident response engagements. He is one of the key authors of Fox-IT's enterprise investigation framework, Dissect. He helped shape the tooling and methods of how Fox-IT approaches enterprise investigations today.
- GB USTLP:CLEAR
Ransomware Zugzwang
Éireann Leverett
Scott SmallÉireann Leverett (Concinnity Risks, GB), Scott Small (TidalCyber, US)
Éireann Leverett is the co-author of Solving Cyber Risk, and a cyber risk entrepreneur. His career has taken him from hardhats and steel toed boots in industrial control systems to the implications for critical national infrastructure in policy. He works regularly with the international CERT community at FIRST.org, and writes papers when he finds the time. His proudest achievement is co-authoring a paper which has inspired legislation in the EU. He loves nature, travel, and reading when he gets away from computers.
Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He is currently Director of Cyber Threat Intelligence at Tidal Cyber. Scott’s prior roles involved advising enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed & trained large & small audiences, presented original content at major security conferences & other industry events, and actively contributed to the professional community & open source security projects.
Ransomware threat actors use drastically different techniques, and target different groups. That might seem hard to keep up with when organising your defenses, but in fact it's an advantage: you get to deprioritise groups that don't target organisations like yours, and you get to focus on a handful of ATT&CK techniques that are relevant. In turn this means you only need a small number of defenses, and we list them for you in this presentation. We also know some of you want to prevent, while others want to detect and respond, so we build two profiles of defenses, depending on your strategy. We end with a message of hope about how the age of ransomware will come to pass.
- KETLP:CLEAR
Routing Security for Network and Internet Safety
Kevin ChegeKevin Chege (ISOC, KE)
Insecure routing is one of the most common paths for malicious threats to networks. Inadvertent errors can take entire countries offline, and attackers can steal an individual's data or hold an organization's network hostage. A network's safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet. The session will cover the importance of routing security in improving overall Internet security.
Kevin Chege is the Director - Internet Development at the Internet Society. He is currently engaged in several projects at ISOC related to technical capacity building, building communities of practice, and Internet measurements. He helps design technical online teaching content, courses and online labs used to train network engineers. He also helps out as an instructor at various NOGs and NRENs in Africa and has also helped to get several NOGs and tech forums in Africa started. He is based in Nairobi, Kenya. Kevin holds a Master's Degree in Information Security from the Lulea University of Technology (Sweden). I am also a Certified Information Systems Security Professional (CISSP by ISC2) and a Certified Information Privacy Manager (CIPM by IAPP).
Russia’s War on Ukraine: One year of Cyber Operations
George KoutepasGeorge Koutepas (CERT-EU)
We have been monitoring the cyber aspects of Russia’s war on Ukraine since January 2022, when the conflict was brewing up, and systematically analysed the conflict-related cyberattacks that came to our knowledge. We observed the global cyber landscape, to anticipate if and how cyber operations would target our constituents, the EU institutions, bodies, and agencies (EUIBAs), or organisations in Ukraine and EU countries.
We created a dedicated report to showcase this work. It is our attempt at taking a step back from the day-to-day events, trying to pierce through the fog of war’s veil to make a bigger picture materialise. A picture that could help us see how the conflict shaped the cyber threat landscape in Ukraine and elsewhere.
We don’t have a first-hand knowledge of cyberattacks in Ukraine, except for a handful of EUIBAs that have operations in the country. As a consequence, what you will read here largely relies on the reporting of, and information verification by public and private sources we deem trustworthy.
For each cyberattack we describe in this product, we analyse the context (timing, objectives, impact), victimology (targeted sectors, countries), main tactics, techniques and procedures (TTPs), and, when applicable, attribution made by third parties.
George Koutepas is an IT Security engineer with career-long experience in the field. He holds a PhD. in IT Security and Network Management from the National Technical University of Athens. He is also an ISACA Certified Information Security Manager. He is currently a member of the Cyber Threat Intelligence team at CERT-EU, the Cyber Security and Incident Response Team for EU institutions, bodies, and agencies.
- HKTLP:CLEAR
Safeguarding IoT Devices in Digital Age - Building IoT Test Lab
Frank ChowFrank Chow (HKCERT, HK)
Frank Chow is the Head of Cyber Security and HKCERT, Hong Kong Productivity Council. Frank oversees HKCERT operations and leads a team to deliver a wide range of cyber security consulting services for Hong Kong industries. He has over 20 years of experience in Financial and Service Provider industries spanning across cyber security, technology risk management, IT governance, and business continuity. Prior to joining HKPC and HKCERT, Frank held management role of cybersecurity and information risk in various financial institutions, such as Ping An OneConnect Bank, Livi Bank, Manulife, and Fubon Bank. Frank was awarded the Hong Kong Cyber Security Professionals Awards, (ISC)2 Asia Pacific Information Security Leadership Awards and BCI Asia Business Continuity Awards in recognition of his commitment in the cyber security and business continuity industries. Frank was invited to serve on various advisory panels of local and global organizations, such as Education Bureau, HKIRC, and (ISC)2. Besides, he has held leading roles to serve the professional community in Professional Information Security Association, Cloud Security Alliance Hong Kong and Macau Chapter, (ISC)2 Hong Kong Chapter, Information Security and Forensics Society, and Project Management Institute Hong Kong Chapter.
IoT security has become a necessary subject of study for manufacturers and organizations. The attack consequence has also had a substantial operational impact on critical infrastructure and smart city environments. IoT Test Lab is an innovative platform that will impact vary industries around the globe. IoT Test Lab can help manufacturers and organizations to identify vulnerabilities and provide information to do vulnerability prioritization. The focus of the IoT Test Lab is to sniff the IoT communication and perform vulnerability scanning in enclosed platform. This talk will help participants learn how to build IoT Test Lab and Labelling Scheme.
- TLP:CLEAR
SIG Updates: Multi-Stakeholder Ransomware, CVSS, Cyber Insurance, DNS Abuse, EPSS
CVSS SIG; DNS Abuse SIG; EPSS SIG; Multi-Stakeholder Ransomware SIG; Cyber Insurance SIG;
- TLP:CLEAR
SIG Updates: SecLounge, Automation, NETSEC, CSIRT, CSIRT Metrics, Vulnerability Coordination, IEP, VRDX
Group 2: CVSS SIG; DNS Abuse SIG; EPSS SIG; Multi-Stakeholder Ransomware SIG; Cyber Insurance SIG; IEP SIG; VRDX SIG; Vulnerability Coordination SIG
- TLP:CLEAR
SIG Updates: TLP, Malware Analysis, CTI, WoF, Red Team, Ethics
Group 3: Malware Analysis SIG; CTI SIG; Red Team SIG; TLP SIG; Ethics SIG; WoF SIG;
- JP USTLP:CLEAR
SOC, CERT/CSIRT and then "Cyber Defense Centre" - A Workshop On How to Defend African Nations/Businesses with ITU-T X.1060 (virtual presentation)
Dr. Jema Ndibwile
Koichiro Komiyama
M. Arnaud TaddeiDr. Jema Ndibwile (Carnegie Mellon University), Koichiro Komiyama (JP), M. Arnaud Taddei (Symantec, US)
CSIRTs and SOCs, which aim to improve cyber security in companies and organizations, are active worldwide. On the other hand, cyber-attacks continue to become more sophisticated, and cyber-security increasingly requires functions that have not been required of CSIRTs in the past, such as strategies and policies. Based on this understanding, this workshop will introduce the "Cyber Defense Centre" framework, which was discussed in ITU-T and standardized in 2021, and discuss how it can support cyber security measures of enterprises and countries in Africa.
https://www.itu.int/rec/T-REC-X.1060-202106-I
Koichiro Komiyama is the Director of the Global Coodination Division at JPCERT/CC, the Japanese Computer Emergency Response Team. He was a FIRST Board of Directors from 2014-2018. He was awarded the AfricaCERT Meritorious Service Award In 2016 for his contribution to AfricaCERT's establishment.
M. Arnaud Taddei is a Global Security Strategist for Symantec, a Division of Broadcom Software Group. In his role, M. Taddei has two inter-related missions as he supports:
a) the development of strategic directions for the top Broadcom world wide customers and he developed a unique method to create solid relationships with customers executives and project thought leadership through specific knowledge sharing and workshop models.
b) the development of security through his engagement in International Standards Defining Organizations (SDO) such as the International Telecommunication Union (ITU) where he was diplomatic elected as Vice Chairman of Study Group 17 and Associate Rapporteur for Emerging Technologies at the Telecommunication Standards Advisory Group (TSAG) of the ITU-T. He participates as well to the Internet Engineering Task Force (IETF) where he develops ideas on Network Encrypted Traffic Management through Internet Drafts.
Dr. Jema David Ndibwile is an assistant teaching professor in cybersecurity at Carnegie Mellon University. He previously worked at the Nelson Mandela African Institute of Science and Technology as an IT network specialist and a lecturer in cybersecurity.
Ndibwile’s current research interests encompass usable privacy and security, hacking countermeasures, the impact of artificial and human intelligence on cybersecurity, and social engineering approaches. He also has expertise assisting the cybersecurity teams in areas such as communication, IT network architecture and in-network, service security, security testing, and developing security concepts for mobile and stationary networks. He has extensive experience in ethical hacking/penetration testing, digital forensics, and project management leveraging tools such as Kali Linux, Parrot OS, Cellebrite, and many others.
- NO NLTLP:CLEAR
SOCCRATES: Automated Security Decision Support for SOCs and CSIRTs
Martin Eian
Frank FransenMartin Eian (mnemonic, NO), Frank Fransen (TNO, NL)
Dr. Martin Eian is a Researcher at mnemonic. He has more than 20 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. Martin was mnemonic's participant contact for the H2020 project SOCCRATES (https://www.soccrates.eu).
Frank Fransen received a MSc in Information Technology at the Technical University of Eindhoven in 1995. He is currently employed as a Senior Scientist in the Cyber Security & Robustness group of TNO. His work at TNO involves consultancy, and acquisition and execution of research projects on emerging security technologies, security of mobile networks (3G, 4G and 5G), automation of security operations, Cyber Threat Intelligence, and cyber security of smart energy grids. Frank was the technical coordinator of the H2020 project SOCCRATES (https://www.soccrates.eu).
You detect a malware infection on a laptop in the engineering department. You discover a new vulnerable server in your DMZ. You detect a change in one of your firewall rules. What is the business impact of these events? What is the potential business impact of an attacker exploiting them to compromise other assets? What is the best course of action to contain or prevent such an attacker?
The SOCCRATES security decision support platform [1] for SOCs and CSIRTs provides answers to questions like these.
The SOCCRATES project researched, designed, developed, deployed and demonstrated the prototype SOCCRATES platform from 2019 to 2022. The platform provides the following capabilities:
- A machine-readable model of the ICT infrastructure
- Automated security reasoning (Attack Simulation & Real-time Business Impact Assessment)
- Automated generation, assessment and execution of response actions
This session will:
- Introduce the SOCCRATES project
- Describe the capabilities above in detail
- Present our lessons learned and recommendations for decision support for SOCs and CSIRTS
[1] https://www.soccrates.eu
- USTLP:CLEAR
Solving CISO Headaches: How to Align CTI and Risk Management
Jamie Collier
John DoyleJamie Collier (US), John Doyle (Mandiant, US)
Dr Jamie Collier is a Senior Threat Intelligence Advisor at Mandiant and an Associate Fellow at the Royal United Services Institute. Jamie previously was the CTI Team Lead at Digital Shadows, completed a PhD in Cyber Security at Oxford University, and attended MIT as a Cyber Security Fulbright Scholar.
John Doyle has over fifteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. He has spent over a decade tracking multiple state-sponsored cyber actors (APTs) to support strategic, operational, and tactical intelligence requirements.
Cyber Threat Intelligence (CTI) and Risk Management have emerged as two traditionally separate areas, both designed to help organizations understand their risk realities and inform decision making on cyber security prioritization and investment. Over the past few years, there has been a growing recognition of benefits from coordinating workflows and sharing knowledge between CTI and Risk Management. Specifically, transcending cyber risk-intelligence silos not only creates a more synchronized cyber defense organization, but also enables both teams to support larger strategic organizational initiatives. However, collaboration challenges between the two elements are plentiful.
This talk will demystify misconceptions about the role each team serves, identify elements unique to each team’s lexicon and frame of reference, as well as highlight how to overcome cultural differences that may lead to potential friction points that could inhibit collaboration from the onset. CTI and Risk Management professionals will receive practical guidance on areas for integration and collaboration in each other’s workflows. These include tips on jointly developing an organization’s cyber threat profile, leveraging external cyber threat landscape publications, improving organizational threat modeling efforts, feeding CTI into risk matrices, and using CTI to prioritize patching management focus.
Reminder, slides for download are TLP:CLEAR
- GRTLP:CLEAR
Spin Your CTI Process Round
Andreas SfakianakisAndreas Sfakianakis (SAP, GR)
Andreas Sfakianakis is a Cyber Threat Intelligence professional with over fifteen years of experience in cyber security. He focuses on applying threat intelligence and helping organizations manage threats mostly within the Energy, Technology, and Financial sectors as well as in European Union’s Agencies and Institutions. Andreas has been contributing to the CTI community since 2012 via public reports and presentations, his blog, newsletter, and instructing. His utmost goals are the maturing of threat management programs within organizations as well as the embedding CTI in policy making. Andreas Twitter handle is @asfakian and his website is threatintel.eu.
Is your CTI team struggling to operationalize the CTI process? Don't worry, your team is not the only one! During the "CTI journey", CTI teams try out approaches and tools, hoping to give value to their organization. This is usually a trial and error process, and when not successful, it costs money and time for organizations and also demotivates CTI analysts.
This presentation will discuss some of the basic "baby" steps that CTI teams often neglect. We will be focusing on case management and intelligence workflows. Moreover, we will elaborate on how you can take advantage of the knowledge produced by the CTI team and provide meaningful metrics to the CTI team and the management. Finally, we elaborate on the essential ingredients for CTI teams in the early phases of their "CTI journey".
The key takeaway for the audience is the realization of some basic steps that a CTI team has to take to coordinate its workload better, build workflows, and better manage the CTI knowledge it produces. The audience will also be presented with real-world examples and implementations within corporate environments of such approaches. Ideally, we will give you some hints to spin your CTI process round!
Reminder, slides for download are TLP:CLEAR
- CATLP:CLEAR
Supercharge Your Malware Analysis Workflow with Assemblyline (Full Day)
Steve Garon (Canadian Center for Cyber Security, CA), Kevin Hardy-Cooper (Canadian Center for Cyber Security, CA), Ryan Samaroo (Canadian Center for Cyber Security, CA), Gabriel Desmarais (Canadian Center for Cyber Security, CA), Marc-Olivier Guilbault (Canadian Center for Cyber Security, CA)
Steve is the Team Leader for the Assemblyline project at the Canadian Center for Cyber Security (CCCS). He has been at CCCS for 16 years and began as an analyst working on malware reverse engineering. His wish to speed up triaging malware detection led to Assemblyline, which he has worked on since 2010.
Kevin is the dynamic analysis expert for the Assemblyline project at the Canadian Center for Cyber Security (CCCS). Kevin has been at CCCS for 3 years and is one of CAPE sandbox’s maintainers and top contributors. Kevin can be found spending his time improving JavaScript and PowerShell script detection in Assemblyline, as well as getting as many IOCs out of malware as possible (which coincidentally is also the bane of his existence).
Ryan is the infrastructure expert for the Assemblyline project at the Canadian Center for Cyber Security (CCCS). He has been at CCCS for 2 years, where he spends time deploying and maintaining multiple Assemblyline instances and working on the core components of Assemblyline. He can also be found responding to the community’s questions and suggestions and working towards improving Assemblyline to benefit the cyber community.
Gabriel has been at the Canadian Center for Cyber Security (CCCS) for 10 years and is now working to find the most interesting samples to bring up to the team. Anything from absurdly obfuscated scripts to the strangest file format is going to be of interest. He is always looking into incorporating cutting edge techniques into existing modules or writing new modules.
Marc-Olivier is a new member of the Assemblyline team at the Canadian Center for Cyber Security (CCCS). His primary focus is improving the monitoring agent behind the CAPE sandbox’s project (known as Capemon) and discontinuing usage of Cuckoo sandbox in Assemblyline.
Malware analysis and incident response are very time-consuming processes which is why automating as many tasks as possible can be a game changer. This is where Assemblyline comes into play. This workshop will showcase CCCS' opensource automated malware analysis and triaging system by giving a quick overview of what it is and what its used for. We will then show the participants how to perform malware analysis using Assemblyline by looking at results of know malware inside it. After that, we will dig deep into the multiple facets of its user interface like searching, alerting, etc... Then the participants will start their hands-on experience with Assemblyline by using its python client to write scripts that will access the different APIs and finally create a custom service to add functionalities to the system. Participants will work on a system deployed for the event and will be shown how they can deploy one themselves.
For workshop pre-requisites and instruction, see the following link: https://github.com/CybercentreCanada/assemblyline-training-first2023
- USTLP:CLEAR
The 4 Pillars of Cyber Security
Laurie Tyzenhaus (SEI CERT, US)
Laurie has worked at the Software Engineering Institute (SEI) on the CERT team for almost 10 years. She joined the Vulnerability Coordination and Analysis Team in 2017. Laurie presented at FIRST in 2018 on the evolution of Coordinated Vulnerability Disclosure from a 'hub and spoke model' to a 'shared bus model' which was later implemented in VINCE. Today Laurie is focused on National and International Standards, working to guide standards which can support implementable cybersecurity policy and procedures. Prior to joining the SEI Laurie was at the Department of Energy (DOE) as a member of the Intelligence and Counterintelligence Team for 12 years, working as a Technical Analyst.
These 4 standards and related policies should be implemented on a global basis. Companies of different sizes can leverage their acquisition process of a product, service, or combination and request information on how the supplier has implemented the four pillars. The four pillars are:Coordinated vulnerability disclosure (CVD)Supply chain transparency/Software Bill of Materials (SBoM)Secure software updatesEnd of security support/end of product life
- GB US IE GH CHTLP:CLEAR
The Female Conversation – Empowering Women in IR and CI
Rebecca Taylor
Tracy BillsRebecca Taylor (Secureworks, GB), Tracy Bills (CERT® Division of the Software Engineering Institute (SEI), US), Emer O'Neill (VMware, IE), Audrey Mnisi (Ghana Association of Banks; FIRST.org Board Member; Vice President for Women in Cybersecurity Wes, GH), Khushali Dalal (Juniper, US), Amanda Capobianco (Richemont International SA, CH)
Rebecca Taylor joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, supporting Incident Response as Incident Command Knowledge Manager, and then moving into Secureworks first Threat Intelligence Knowledge Manager role in 2022. Rebecca is primarily focused on the implementation of knowledge management processes and procedures for the Counter Threat Unit, the ingestion and management of Secureworks Threat Intelligence knowledge, and its associated quality, storage and maintenance. Rebecca continues to study and mature her cybersecurity depth of knowledge, with a longer-term ambition of becoming a Threat Intelligence researcher.
Amanda first joined Richemont International SA in 2019 with a degree in Comp Sci. and Cybersecurity, and an internship opportunity which allowed her to explore various Incident Response and Threat Hunting activities. 3.5 years later, Amanda is leading Richemont CSIRT’s Cyber Threat Intelligence team and is responsible for tactical, operational, and strategic intelligence operations within the Group. Through her work, she aims to advance Richemont’s understanding of its adversaries while contributing to a proactive, threat driven defense against the evolving tradecraft of attackers.
Audrey Mnisi is an experienced Information Security Professional with 23 years of experience, Audrey is currently the Chief Information Security and Risk Officer, at the Ghana Association of Banks, FIRST.org Board Member and Vice President for Women in Cybersecurity West Africa Affiliate, a cyber sisterhood, to recruit, retain, mentor, and advance women in cybersecurity.
She played a significant role in the drafting of Ghana Cyber Security Legislation, ACT 1038 and reviewing Ghana National Cyber Security Strategy, establishing Ghana National CERT and in 2019 she led Ghana’s National CERT to join FIRST.
Audrey is passionate about protecting Children online and is a co-founder of Future Jewels, an NGO which advocates for child online safety.
Emer has over 20 years of technology experience and has worked in VMware since 2007. Her current role is Director of the VMware Security Response Center, where she leads a global team of technical program managers and security engineers to ensure the company is responding to external security reports, influencing stakeholders across the business, and advocating for VMware customers. Emer is passionate about security, joining the security incident response team with limited experience, she has built her reputation through seeking out mentors and immersing herself in the field.
Khushali was born and raised in a small town of India- Ahmedabad, Gujarat. She has a bachelor’s in electrical and Telecommunication Engineering from India and a master’s in cyber security from University of Maryland College Park.
Khushali joined Juniper Networks in 2019, where she began her journey as an Associate Sales Engineer supporting and implementing Juniper lab in Verizon’s infrastructure. In 2021, she moved into the Verizon channel team as a Partner Sales Engineer for Verizon’s Managed WLAN solutions. And in this role, she established an early-in-career program to support and build relationship between the Juniper and Verizon sales community. In her current role, she is a Product Security Incident Manager where she is responsible for the receipt, confirmation, verification, management, validation, and resolution of reports of potential product security vulnerabilities in products manufactured and sold by Juniper Networks.
Tracy is a Sr. Cybersecurity Operations Researcher at the CERT® Division of the Software Engineering Institute (SEI). Tracy has worked extensively to assist both public and private organizations to develop, implement, and refine their incident response, security operations, and threat intelligence processes. Currently, her focus is on helping countries build their national-level incident management capabilities and capacity.
According to a recent ISC2 workforce study, around 24% of the cybersecurity workforce is female. Yet despite the need for more diverse representation being a prominent conversation topic across the industry, there is still little focus on how it is actually achieved and the actions all individuals can take to support this initiative. Join Rebecca Taylors panel "The Female Conversation" and gain a higher understanding of what your organisation can do to better empower female talent in your Incident Response teams. From recruitment to team dynamics, to reasonable adjustments and to bridging the gender pay gap- this panel will address these hard-hitting topics and equip you with top tips to take back to improve the hiring, retention and progression of the females leading your Incident Response efforts.
- USTLP:CLEAR
The Internet DDoS Threat Landscape
John KristoffJohn Kristoff (NETSCOUT, US)
John is a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT). He is a PhD candidate in Computer Science at the University of Illinois Chicago studying under the tutelage of Chris Kanich. John is also adjunct faculty in the College of Computing and Digital Media at DePaul University. He currently serves as a research fellow at ICANN and sits on the NANOG program committee, He is also a founder and operator of the non-profit Dataplane.org.
In this presentation, we will discuss global and regional trends in DDoS attacks over the past year. This will include details of new DDoS vectors, observed attack volumes and prevalence, targeted verticals, notable attack campaigns, and other information relevant to network operators, incident responders, and targeted endpoints.
- NZTLP:CLEAR
The Power of Azure Sentinel: SIEM & SOAR All in One
Dylan Apera (NZ)
Please note slides for download are TLP:CLEAR
- US
Think You Understand Risk? Let's Challenge That
Sharon Mudd (Carnegie Mellon University / CERT, US), Vanessa Rodriguez (Carnegie Mellon University / CERT, US)
Cybersecurity and Incident Response professionals use the word “risk” to mean many things, from threats and threat actors to vulnerabilities or potential impacts. So, what exactly does “risk” mean, and what are the critical building blocks for defining risks for an organization? Key questions risk managers strive to answer revolve around what needs to be protected, how critical is it to the organization, which security measures are effective, and what are the potential consequences of these measures failing? When organizations establish priorities for protective measures, they need to get key players in the organization on the same page. The starting point for these higher-level goals is to develop a practical understanding of how to think about “risk,” which is often fundamentally different than how the term gets used. Understanding risk identification and management is critical for building effective risk assessments, prioritization strategies, and incident response processes.
This session redefines common misconceptions about security risk by examining the real-world scenarios for understanding and managing risk that every cybersecurity person needs to know. Concepts explored in this workshop have been used to challenge information security leaders and incident response personnel across the world, allowing them to step back from a black-and-white perspective of cybersecurity. This helps them have more nuanced conversations about how security is implemented and how risk is evaluated. The fundamentals learned through interactive discussions are exciting and educational for up-and-coming cybersecurity professionals and seasoned leaders. Attendees will learn the building blocks for developing or enhancing the context needed to evaluate and prioritize security risks. This session helps to lay the groundwork for moving away from a reactionary approach towards a more proactive approach for securing critical data and systems.
For incident responders, the session sets the stage for better engagement with constituents on protection measures they have in place - before an incident occurs. To gauge the impact of an incident, it’s critical to understand where key assets are located, how critical the data is to the organization, and what is required to manage the associated risk. This discussion helps incident responders become more proactive in these discussions with their constituents and helps drive appropriate urgency for response activities. The CSIRT teams that have been through this session have found it to be entertaining, enlightening, and thought-provoking because it challenges their assumptions about how to think and talk about risk.
Sharon Mudd is currently a Senior Cybersecurity Operations Researcher in the CERT® division of the Software Engineering Institute @Carnegie Mellon University, helping international teams build security operations and incident management capabilities. In this role, she provides mentoring and training on a broad range of cybersecurity topics to foster the development of maturity for security incident response and security operations teams internationally. Her career spans over 30 years in IT and information security roles, focusing on information security governance, risk management, compliance, and assurance. She has been a GRC leader in several organizations with global information security responsibilities across a diverse set of industries, including financial services, retail, education, government, telecommunications, and healthcare. Sharon is also in the process of completing a PhD in Information Assurance and Cybersecurity.
Vanessa Rodriguez is currently an Assistant Cybersecurity Operations Researcher in the CERT® division of the Software Engineering Institute @Carnegie Mellon University, helping international teams build security operations and incident management capabilities. In this role, she provides mentoring and training on a broad range of cybersecurity topics to Spanish-speaking countries. Her career spans over four years in Computer Science and information security roles, focusing on software development, secure coding, and cybersecurity research. Vanessa recently finished her Master's Degree in Information Technology - Information Security at Carnegie Mellon University, focusing on courses in Forensics and IoT security.
- USTLP:CLEAR
Threat Quantification & Prioritization 101: A Practical Guide to Building (& Maintaining) Your Cyber Threat Profile (08:30-11:00)
Scott Small
Simone KrausScott Small (Tidal Cyber, US), Simone Kraus
Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.
Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.
Simone Kraus has worked since 2001 in IT-Security. After my apprenticeship I studied computer science, was a specialized SAP consultant for many years and left the IT 2013. After some years as triathlete, a-licence fitness coach, life-guard and civilian on the battlefield for the US Army and Bundeswehr I had made the decision to start again in the IT as a cyber security analyst. Since June 2022 I work as a security analyst for Orange Cyberdefense in the incident response (OT/IT environment). Within the Analyst as a Service consulting I do "MITRE Detection Engineering" and threat modeling besides incident response and threat hunting. https://www.orangecyberdefense.com/be/about-us/international-womens-day/simone-kraus
Which threats matter most to my organization? A common question from security leadership, but not an easy one to answer, especially quickly. This session gives participants the foundation to confidently answer this question by providing practical, immediately-applicable guidance on building, refining, and maintaining cyber threat profiles tailored to their organizations, helping drive defensive prioritization. Using examples based on key regional industries, we’ll peel back the cover on a discipline once reserved for highly-resourced teams and show how members of virtually any security function (not just dedicated CTI or risk analysts) can build accurate threat profiles based on publicly-accessible resources.
Often considered a buzzword, threat profiling is in fact a powerful capability that allows security teams to proactively address threats with confidence, while de-escalating would-be “fires” that may in fact not pose major risks, providing teams clearer focus and giving them back (at least a little) control over their priorities. However, adoption of this discipline has been limited by misconceptions and a lack of awareness on where to start, where to find reliable sources, and how to apply the end-product. Drawing on the presenter's experience advising security programs across the maturity spectrum, attendees will take away various resources & repeatable processes that enable them to turn a buzzword into an achievable goal and start realizing the value of threat profiling for security prioritization. These include:
- A simplified approach to building a tailored yet repeatable threat profile
- Reliable, publicly available sources for informing a cyber threat profile
- Tips on real-world applications of community resources (e.g. Atomic Red Team & Sigma rules) that enable taking action based on a threat profile
- Guidance on quantification and potential automation opportunities
Review/download of all resources is optional!
Our workshop focuses mainly on methodologies & workflow guidance, but we also want to arm participants with a variety of representative resources relevant to the workflows, to jumpstart their threat profiling journey more quickly.
No tools or materials are required for the workshop. A laptop with internet connection is helpful for following along/browsing to resources of interest live alongside the presenters.
Threat Quantification & Profiling Resources:
Threat Quantification – Top Resources
Resources for Taking Action on Your Threat Profile:
If you want to test tools like Atomic Red Team, we recommend using a VM for additional safety.
Additional Tools:
Free-Registration Platforms:
Reminder, slides for download are TLP:CLEAR
- GBTLP:CLEAR
ThreatIntelGPT: STIX from Chaos
David GreenwoodDavid Greenwood (EclecticIQ & Signals Corp, GB)
David Greenwood helps early stage cyber-security companies to build products that make users go; ""Wow! That's what I need!"".
During his career he has worked with great minds at Splunk and Anomali. David currently works at EclecticIQ building world-class threat intelligence solutions."
ChatGPT 3.0 made waves across almost every industry when it hit the market in late November last year.
Far from a silver bullet for the cyber-security industry, ChatGPT, and more specifically the GPT-3 model, do have many practical uses, namely the automation of highly repetitive tasks. Ask any threat intelligence analyst and they will concur; extraction and dissemination of threat intelligence often requires many hours of ctrl+c, ctrl+v.
Earlier this year I set out to use ChatGPT to create structured knowledge graphs from a variety of intelligence reports in my inbox.
In this session I will explain the trial and error that went into generating prompts that accurately extract artefacts and their relationships from unstructured intelligence reports (including: PDFs, emails, and Slack messages).
Taking it a step further, I will also talk you through my attempts at using Chat-GPT to model the intelligence as rich STIX 2.1 Objects for easy dissemination into existing security tooling.
Rest easy, the content covered in this talk will not replace your job.
Reminder, slides for download are TLP:CLEAR
- GB
ThreatIntelGPT: Structure from Chaos
David GreenwoodDavid Greenwood (EclecticIQ & Signals Corp, GB)
ChatGPT 3.0 made waves across almost every industry when it hit the market in late November last year.
Far from a silver bullet for the cyber-security industry, ChatGPT, and more specifically the GPT-3 model, do have many practical uses, namely the automation of highly repetitive tasks. Ask any threat intelligence analyst and they will concur; extraction and dissemination of threat intelligence often requires many hours of ctrl+c, ctrl+v.
Earlier this year I set out to use ChatGPT to create structured knowledge graphs from a variety of intelligence reports in my inbox.
In this session I will explain the trial and error that went into generating prompts that accurately extract artefacts and their relationships from unstructured intelligence reports (including: PDFs, emails, and Slack messages).
Taking it a step further, I will also talk you through my attempts at using Chat-GPT to model the intelligence as rich STIX 2.1 Objects for easy dissemination into existing security tooling.
Rest easy, the content covered in this talk will not replace your job.
David Greenwood helps early stage cyber-security companies to build products that make users go; "Wow! That's what I need!".
During his career he has worked with great minds at Splunk and Anomali. David currently works at EclecticIQ building world-class threat intelligence solutions.
- USTLP:CLEAR
Three Simple and Effective Cybersecurity Exercises
John Hollenberger (Fortinet, US)
John Hollenberger is a cybersecurity consultant with over fifteen years of experience in web- and host-based vulnerability assessments, incident response, digital forensics collection, PCI compliance, and Data Loss Prevention with a primary focus on proactive incident response consulting services. In his current position, John is a Senior Security Consultant of Proactive Services, where he develops and facilitates tabletop exercises, and reviews and creates Incident Response Plans and related documentation for large corporations, small businesses, and non-profit organizations, and conducts a variety of security assessments. John currently holds the following degrees and certifications: BA, CISSP, CISA, CISM, CRISC, GCIH, GWAPT, and Security+.
The genesis of many cybersecurity exercises begins with a simple request: An executive approaches a manager and says, "We need a tabletop. Get it done." This request may stir up angst as some planning is required and, to some, may be a new experience.But what do you do when you simply don't have the luxury of ample time to plan for a cybersecurity exercise? How do you conduct a cybersecurity exercise that is simple yet effective and worth the participants' valuable time?This presentation will present three simple cybersecurity exercise ideas that may be conducted with minimal planning, are applicable to most organizations and will deliver value by identifying potential deficiencies or confirming the efficacy of existing processes.
- US
Time and Magnitude | Epoch Fail: Forecasting Vulnerabilities Amid Temporal Discontinuity
Benjamin Edwards
Sander VinbergBenjamin Edwards (US), Sander Vinberg (US)
Time and Magnitude:
Are CVEs changing over time? What is the magnitude of a vulnerability or it's exploitation
A key assumption to forecasting any quantity is that the underlying processes that will generate future data are the same processes that generated previous data. Unfortunately for vulnerability forecasting, this is not the case on multiple levels. Attackers and vulnerability researchers will change their efforts based on changes to the current software landscape. Standards bodies will change the way frameworks are structured in response to perceived and known shortcomings as well as in response to the shifting sands created by developers and researchers. Attacker interest in a vulnerability can bloom or wither depending on dynamics beyond our vision, such as out-of-band exploit dissemination.
How can forecasters work in this fluid landscape? The first step is attempting to identify when particular changes to the underlying structure have occurred. In this talk we’ll focus on the CVE process and related frameworks. We’ll show that a number of technical and procedural changes to the CVE, CWE, OWASP, and CVSS frameworks have altered the trajectory of vulnerability reporting and data. We’ll then dive into modeling techniques that can approximate both the timing and the magnitude of technical changes that impact data. In particular, we’ll present two regression techniques, segmented regression and generalized additive models, as examples of an approach to identifying structural changes to systems of data.
Dr. Benjamin Edwards is a security data scientist working at the Cyentia Institute. An expert in ML and statistics, Ben has led research on a variety of security topics including vulnerability management, application security, human risk, Next-gen SIEM, and security program performance. He is an active member of the security community, contributing to both EPSS and CVSSv4. Prior to joining Cyentia, his research examined global attack trends, the effects of security interventions, nation state cybersecurity policy, and the security of ML models.
Sander Vinberg is a Threat Researcher for F5 Labs. He is the project lead on many of F5 Labs’ intelligence products, including the 2023 Identity Threat Report, the Application Protection Report 2019-2022, the 2021 Credential Stuffing Report, and the Sensor Intelligence Series. Sander is a frequent speaker, having spoken at RSAC, SIRAcon, BSides, the Washington State CISO Forum, BCAware, (ISC)2 events, and Infragard meetings, among others. He holds a master’s degree in Information Management from the University of Washington, as well as bachelor’s degrees in History and African and African-American Studies from the University of Chicago.
Vuln4Cast-Ben-Edwards.pdf
MD5: c738ad4a22c99f5ec3cc036e9eae4c5b
Format: application/pdf
Last Update: November 7th, 2023
Size: 13.67 Mb
- US
Time and Magnitude | "This is the Big One. Again." Are 'catastrophic' vulnerabilities increasing?
Matthew BerningerMatthew Berninger (Marsh McLennan Cyber Risk Intelligence Center, US)
Time and Magnitude:
Are CVEs changing over time? What is the magnitude of a vulnerability or it's exploitation
These days it feels like there is a new 'catastrophic' vulnerability every month. Is this actually the case, or simply a symptom of better information exchange and (maybe) some cyber marketing? We aim to examine and understand this dynamic by analyzing historical vulnerability datasets, cyber incident data, and public data feeds. If the rate of major vulns is increasing, when did this start? Where are we heading? Can we predict how many "big" vulnerabilities next year will bring?
Additionally, it has been said that once a vulnerability has been found, a trail of follow-ons may often follow. Google reported that in 2022, 17 of 41 zero-day vulnerabilities were variants of previous zero-days. Anecdotally, we know that this behavior happens. But can we see this play out in a meaningful sense over years of vulnerability data? Do specific platforms exhibit this behavior more often than others? Furthermore - are we able to predict which vulnerabilities might be best suited for lots of variations, and might therefore require more complete solutions than targeted patches?
Matthew Berninger is a Principal Cyber Analyst for the Marsh McLennan Cyber Risk Intelligence Center. He has previously led teams in Detection and Response, Data Science, and Cyber Incident Response across private industry and within the U.S. Government. He has an M.S. in Cyber Warfare and Operations from the Naval Postgraduate School and a B.A. in Mathematics from Columbia University. He enjoys baseball, math, and baseball math."
- TOTLP:GREEN
Tonga - TCC Security Perspective from Smaller ISP
Maile Halatuituia (TO)
Please note slides for download are TLP:CLEAR
- ILTLP:CLEAR
Tracking Attackers in Open Source Supply Chain Attacks: The New Frontier
Jossef Harush KadouriJossef Harush Kadouri (IL)
Widespread use of open source software has motivated malicious actors to take advantage of the medium, spawning significant and widespread attacks.
To be able to identify these threats at scale we automated this process and would like to present and share some open source tools to detect those attacks.
RED LILI
This is the largest batch of malicious packages from a single threat actor (1500 packages and still counting ).
We will dive into the attack and discuss the infrastructure required for such attacks.
To keep track of RED-LILI as they continue to publish malicious packages, our research team has launched RED-LILI Tracker (https://red-lili.info)
UA-Parser (Good package gone BAD)
An attacker comprised a legitimate account of a popular open-source contributor.
We will dive into the attack and TTPs used (Account Takeover) and will discuss Chain alert Free service for the open-source community to alert on those attacks.
Protestware
A pro-Ukraine NPM user account riaevangelist released several new versions of its popular package “node-ipc” (over million weekly downloads ), which included a wiper functionally targeting Russian and Belarusian IP addresses and running a malicious payload, destroying all files on disk by overwriting their content with a heart emoji “❤️” .
Jossef Harush Kadouri is passionate about Linux and Windows, and has a strong interest in exploring the possibilities of Mac in the future. With his expertise in IoT and a knack for creating real-life automation solutions, he is able to control a variety of devices using his phone. Additionally, Jossef is a designer and digital asset creator, with a focus on pixel-perfect UI.
In his free time, Jossef enjoys growing hot peppers and organizing hot pepper events in Ramat Gan, the second best city in Israel. Jossef is also an active member of the open-source community, and is ranked in the top 1% on Stack Overflow.
In 2020, he co-founded Dustico, a software supply chain security company that was acquired by Checkmarx the following year. Since then, he has been working with his team to identify and prevent software supply chain attackers, ensuring the safety of the ecosystem.
- US DETLP:CLEAR
Universal (Software) Product Identity: Solving a Hard Problem Twice Over
Art Manion
Thomas ProellThomas SchmidtArt Manion (Art Manion, US), Thomas Proell (Siemens ProductCERT, DE), Thomas Schmidt (BSI, DE)
Art Manion is the Deputy Director of ANALYGENCE Labs where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has lead and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Thomas Proell has been working for Siemens in product security for 15 years. After five years of penetration testing he changed sides and is leading the incident handling and vulnerability response team for Siemens ProductCERT.
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITION/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
The year is 2023. Vulnerability disclosure and management are still based on a haphazard foundation of independent software identification systems. We identify software products, systems, and components by name. We also use versions, dates, file hashes, and other identifiers. Unfortunately, we all have slightly (or very) different ideas about the names. And versions. Possibly the dates too. It's harder to disagree about file hashes, but not impossible. We've solved identification for some things. VIN for cars, ISBN for books, UUID, DNS, and DOI for the internet. We've solved software identification for isolated partitions. Package managers, ports, operating system updates, development and build tools, software composition analysis, containers, software services: All of these systems define and manage identification and dependency. But for the most part, these systems don't interoperate. This "hard problem" of universal identification has gained importance with the growing adoption of Software Bills of Materials (SBOM) and related supply chain concepts. So how do we sort out when we are talking about the software, or different software, or how software components are related? This panel will present and discuss nothing less than a global-scale unique product identification (UPID) solution. Or two solutions.
- BE AT FRTLP:CLEAR
Using Apple Sysdiagnose for Forensics and Integrity Check
David DurvauxDavid Durvaux (European Commission, BE), Aaron Kaplan (European Commission, AT), Emilien Le Jamtel (CERT-EU, FR)
David is leading EC DIGIT CSIRC and is active in the incident response field for more than a decade. He has work on many IT security incidents and especially on computer forensics aspects. David presented twice at the FIRST conference and in other conferences.
Aaron has been working at the national CERT of Austria between 2008 and 2020, he has a background in maths and computer science. Since 2020 he works for EC-DIGIT-CSIRC, the IT security team of the European Commission. He is the co-founder of intelmq.org, a tool for automating the typical tasks of IT security teams. Aaron is a regular speaker at IT security conferences such as FIRST, hack.lu, Blackhat, CCC. He also had the honor to serve as a FIRST board of director between 2014 and 2018 where he initialized multiple infrastructure projects such as misp.first.org. He believes in using automation, open source and machine learning for improving the lives of DFIR folks. In fact, he believes that without those tools, we won't be fast enough to keep up with attackers.
Emilien Le Jamtel is a cyber security expert since 15 years. After building its technical skill in offensive security, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to the Digital Forensics and Incident Response team. Since 2021, Emilien is now leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff. Emilien is a regular speaker at IT Security conferences such as FIRST, hack.lu, Botconf or NorthSec.
The talk will demonstrate how to use Sysdiagnose for forensics purposes of Apple devices. Sysdiagnose is a tool which was originally intended for other purposesThis approach was used successfully to detect the infamous Pegasus spyware on iOS devices.The presenters will share with the audience hands-on experiences and share what works and what does not work with this approach.
- CH
Using Jupyter Notebook for Incident Response
Dr. Serge DrozDr. Serge Droz (FIRST, CH)
Serge Droz is a senior IT-Security expert and seasoned incident responder. After more than twenty years work in different CSIRTs he now works as a senior adviser for the Swiss FDFA. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. He has worked in private industry and academia in Switzerland and Canada in different security roles as well as at the national CERT in Switzerland.
Serge is a member of the board of directors of FIRST (Forum for Incident Response and Security Teams), the premier organisation of recognised global leaders in incident response. In this role he actively participates in discussion relating to cyber security at various policy bodies, in particular related to norm building.
Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.
Today incident response often involves analyzing large amounts of data (think log files, output of forensic analysis). Some of the analysis will be repetitive, some will be specific to the incident.
Modern data analysis tools allow conducting this work efficiently and in a documented manner. Jupyter Notebooks using the pandas framework are popular among data scientists but not so much in the security community. We try to change the latter.
In this talk we present a basic intro into Jupyter and pandas, illustrating this with real live examples.
Links:
Using Jupyter Notebook for Incident Response
August 28, 2023 09:00-10:30
- US
You Are Only Seeing the Tip of the Iceberg
John StonerJohn Stoner (Google Cloud, US)
When Solorigate occurred, we witnessed a nation-state actor gaining initial access using a software vendor’s supply chain culminating with an attack utilizing Golden SAML to gain access to Office 365 cloud resources. At the time, I was developing an adversary emulation activity in support of a blue team capture the flag event and the unique attack piqued my interest.
If you are like me, you may have spent at least some portion of your career working with events generated from on-premise systems. With the move toward cloud, I noticed that logs that I just took for granted and expected to have available were no longer. This realization spurred me to use Golden SAML as a case study around what could be identified and detected within the Microsoft Graph.
Because workloads and solutions continue to migrate to the cloud and the pervasiveness of Active Directory in nearly every organization’s environment, the idea of setting up a federation with on premise active directory servers and Azure Active Directory is not an uncommon configuration which is why it is important to understand this attack within this context.
While there has been a lot of good content created about the Golden SAML attack, less focus has been paid to the visibility that a defender has from the extraction of a token through its forgery to its application against Microsoft’s Graph API. The intent of this talk is to contextualize and drive a greater awareness of what the defender will see (and more importantly what they will not see) when a Golden SAML token is extracted and forged and utilized in an Azure AD / M365 environment.
Attendees will come away with
- A better understanding of what a Golden SAML attack looks like
- A greater awareness of what they will have available for analysis within the Microsoft Cloud, specifically from Azure and M365 logging
- Ideas for detections that can be applied to monitor for this kind of activity
John Stoner is a Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST, BSides, SANS Summits and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
