In late March 2023, a consortium of journalists and investigators released analysis of “the Vulkan files”. Consisting of a trove of documents associated with a Russian contracting company working with intelligence and military authorities, the papers revealed a variety of ambitious, concerning programs such as “Scan-V” and “Amezit.” Both program, in the sense that they offer capabilities to acquire, maintain, and task infrastructure for cyber and information operations at scale, are deeply concerning, indicating a significant advancement in Russian-linked network warfare and related actions.
However, placing these items in context reveals a murkier, far more troubling picture. After reviewing the capabilities of Amezit and Scan-V, we can see glimpses of other, historical programs in the advertised efficacy of these projects. Notably, we will consider other items that have leaked out over the years offering similar capabilities, albeit in different circumstances. Examples include Russia’s own SORM framework for domestic operations, China’s Great Firewall and (more significantly) Great Cannon programs, and items that emerged nearly a decade ago in the Snowden leaks such as the US’s alleged “Quantum” program.
By analyzing these additional projects, we will observe a decade’s long trend in the systematization and increasing scale of cyber programs, especially with respect to automated exploitation and infrastructure management frameworks. Thus, Vulkan and related items, as significant as they are, represent a culmination of operational evolution and a prime example of the proliferation of capabilities following public disclosure. With programs such as Scan-V exposed, we should anticipate other entities seeking to mirror such capabilities, progressing beyond simple botnets and other distributed systems to effective management of dispersed capabilities for signals intelligence and cyber operations purposes.
Guido van den Belt (Head of Management Services Germany, OutSmart GmbH) presented a case study Building Your ISO 55000 Asset Management Quickly at the Asset Management for Power Utilities Conference in Prague on 23rd February 2016. He focused on the advantages of ISO 55000 for wind energy assets and how to create a world-class asset management system.
・NIST 「SP 800-180(Draft): NIST Definition of Microservices, Application Containers and System Virtual Machines」(2016年2月)
・NIST「SP 800-204: Security Strategies for Microservices-based Application Systems」(2019年8月)
・NIST「SP 800-204A(Draft): Building Secure Microservices-based Applications Using Service-Mesh Architecture」(2020年1月)
・CSA 「Security Guidance for the Critical Areas of Focus in Cloud Computing v4.0」(2017年7月)
・CSA Application Containers and Microservices Working Group「Challenges in Securing Application Containers and Microservices」(2019年7月)
・CSA Application Containers and Microservices Working Group「Best Practices in Implementing a Secure Microservices Architecture」(2020年2月)
Guido van den Belt (Head of Management Services Germany, OutSmart GmbH) presented a case study Building Your ISO 55000 Asset Management Quickly at the Asset Management for Power Utilities Conference in Prague on 23rd February 2016. He focused on the advantages of ISO 55000 for wind energy assets and how to create a world-class asset management system.
・NIST 「SP 800-180(Draft): NIST Definition of Microservices, Application Containers and System Virtual Machines」(2016年2月)
・NIST「SP 800-204: Security Strategies for Microservices-based Application Systems」(2019年8月)
・NIST「SP 800-204A(Draft): Building Secure Microservices-based Applications Using Service-Mesh Architecture」(2020年1月)
・CSA 「Security Guidance for the Critical Areas of Focus in Cloud Computing v4.0」(2017年7月)
・CSA Application Containers and Microservices Working Group「Challenges in Securing Application Containers and Microservices」(2019年7月)
・CSA Application Containers and Microservices Working Group「Best Practices in Implementing a Secure Microservices Architecture」(2020年2月)
ISO 37001:2016 is used for Anti-Bribery Management System. This publication is about readymade documentation kit which can be used as completed tool for documentation process and it defines requirements of various documents during ISO 37001:2016 Certification.
For more details visit our website: https://www.globalmanagergroup.com/
[SC03] Active Directory の DR 対策~天災/人災/サイバー攻撃、その時あなたの IT 基盤は利用継続できますか? de:code 2017
大規模災害や管理者のオペレーションミス、標的型攻撃による管理者アカウントの乗っ取りなど、様々な理由で Active Directory や Azure Active Directory が正常に利用できなくなった場合に IT 管理者はどうすれば良いのか、事前に何を準備しておけば良いのかの対策について具体例を交えて紹介致します。
受講対象: Active Directory の設計と運用を担当するエンジニア
製品/テクノロジ: Microsoft Azure/アイデンティティ (AD/Azure AD)/クラウド/事業継続/運用/セキュリティ
渡辺 元気
NTTコミュニケーションズ株式会社
クラウドサービス部
主査
ISO 37001:2016 is used for Anti-Bribery Management System. This publication is about readymade documentation kit which can be used as completed tool for documentation process and it defines requirements of various documents during ISO 37001:2016 Certification.
For more details visit our website: https://www.globalmanagergroup.com/
[SC03] Active Directory の DR 対策~天災/人災/サイバー攻撃、その時あなたの IT 基盤は利用継続できますか? de:code 2017
大規模災害や管理者のオペレーションミス、標的型攻撃による管理者アカウントの乗っ取りなど、様々な理由で Active Directory や Azure Active Directory が正常に利用できなくなった場合に IT 管理者はどうすれば良いのか、事前に何を準備しておけば良いのかの対策について具体例を交えて紹介致します。
受講対象: Active Directory の設計と運用を担当するエンジニア
製品/テクノロジ: Microsoft Azure/アイデンティティ (AD/Azure AD)/クラウド/事業継続/運用/セキュリティ
渡辺 元気
NTTコミュニケーションズ株式会社
クラウドサービス部
主査
Scholarly Communications at a National Research Lab: Approaches to Research a...Dee Magnoni
Presentation takes a 360 degree look at open scholarly communication at Los Alamos National Laboratory (LANL), identifying key stakeholders and their roles in the success of Lab research. Approaches and activity to date are discussed, including cross-Lab collaboration, policy creation and implementation, service and tool development, and our work on international research challenges such as link rot.
New Era of Software with modern Application Security v1.0Dinis Cruz
(as presented at Codemotion Rome 2016)
This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive
Extending Network Visibility: Down to the EndpointLancope, Inc.
In today’s world of constantly evolving security threats and attack vectors, organizations need to be vigilant about monitoring their network infrastructure. The network perimeter and security infrastructure is often challenged with the adoption of mobile devices, cloud, and BYOD policies. The need for visibility into endpoint activity has become more important than ever.
Join Josh Applebaum (Ziften), Matthew Frederickson, (Council Rock School District) and Peter Johnson (Lancope) for a complimentary webinar to learn how you can achieve real-time network visibility and intelligence for improved incident response.
Discover how you can:
- Achieve additional visibility and context to network activity
- Enhance your existing security investments (NetFlow, Firewall, SIEM, threat intelligence)
- Improve incident response by obtaining real-time and historical endpoint data
Teaching Elephants to Dance (Federal Audience): A Developer's Journey to Digi...Burr Sutter
We can be brilliant developers, but we won’t succeed—and won’t lead our organizations to succeed—without a new perspective (if you will) and new assumptions about the components of the “technology ecosystem” that are fundamentally critical to our success. This includes the operators, QA team, DBAs, security folks, and even the pure business contingent—in most cases, each of these individuals and groups plays a critical role in the success of what we create and give birth to as developers. What we do in isolation might be genius, but if we insulate ourselves—especially with arrogance—from these colleagues, neither our code nor our organizations will realize their full potential, and most will fail. The bottom line is that our old ways are no longer viable, and as the elite within our industry, we will be the leaders and heroes who discard old assumptions and adopt a new perspective in this exciting journey to digital transformation—where the impossible can become reality.
Paul takes a look at the relevance of NFV in CloudStack orchestrated environments and how CloudStack can be leveraged to both accelerate NFV delivery within operator organisations and also to deliver NFV functionality to end-users. Paul will discuss the core concepts of NFV, emerging standards and how these are relevant to CloudStack. He will also look in detail at a new initiative in CloudStack, allowing it to support complex virtualised network topologies for end-users.
Reactive Streams are a cross-company initiative first ignited by Lightbend in 2013, soon to be joined by RxJava and other implementations focused on solving a very similar problem: asynchronous non-blocking stream processing, with guaranteed over-flow protection. Fast forward to 2016 and now these interfaces are part of JSR-266 and proposed for JDK9.
In this talk we'll first disambiguate what the word Stream means in this context (as it's been overloaded recently by various different meanings), then look at how its protocol works and how one might use it in the real world showing examples using existing implementations.
We'll also have a peek into the future, to see what the next steps for such collaborative protocols and the JDK ecosystem are in general.
This is the slide deck used in my recent talks at 2600Edinburgh and DEFCON Glasgow.
The aim of this presentation is to provide a clear comparison of the most well known Internet-wide scanning tools: Censys, Shodan and ZoomEye. After this comparison, the talk then looks towards the potential use case is to
Template is from SlidesCarnival.
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems
In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies.
In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities.
In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers.
In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
APNIC Senior Security Specialist Adli Wahid spoke on the importance and role of CERTs in helping prevent cyber attacks at the Philippines Cybersecurity Conference 2021, held online from 13 to 29 October 2021.
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
I started my company, Net-Square, 12 years ago. This talk is a collection of 13 thoughts and observations from the past 12 years - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively. This talk is not a rant, not a venting session and certainly not a criticism of sorts as many infosec talks have now become.
Cyber consequences, operational dependencies, and full scope securityJoe Slowik
Cyber impacts are typically viewed in isolation - yet paired with secondary effects or specific process targeting, they can result in outsized physical or reputational impacts. This talk will examine such attacks, their execution, and how Purple Teaming can incorporate these events in testing.
Cyber events are typically viewed in isolation as information-centric events, perhaps with some secondary effects in terms of victim organization finances or reputation. Yet this perspective ignores both the increasing physical consequences of cyber manipulation, greater inter-organization dependencies leading to expanded attack surface, and the potential for targeting operational or procedural “weak points” to propagate impacts to more secure or sensitive areas. Essentially, just as the idea of network isolation or “airgaps” no longer makes sense for defense, the idea of network defense as being limited only to the defended organization’s “border” no longer applies either.
This talk will examine how critical operational dependencies, perceptions, and third-party relationships can be used to achieve not just initial network access, but potentially network or even physical disruption. Examples to illustrate this concept will include sequenced cyber impacts combined with information operations to create panic or reduce confidence in critical infrastructure; targeting up- or down-stream dependencies as a mechanism to bypass security to achieve outsized impacts; and leveraging proper timing to increase the impact of a cyber intrusion or disruption event.
The above will cover attack scenarios and their impacts, but the talk will conclude with how organizations must expand scope for security testing, evaluation, and auditing to include such scenarios. Essentially, red (and purple) teaming no longer stops at the network border, but instead must include dependencies and external influencing factors to adequately map out true security risk. By designing intrusion scenarios to simulate such conditions, implementing wide-ranging table-top exercises, and incorporating third-parties (from suppliers to vendors to service providers) in testing activity, organizations can prepare for sequenced, dependency-focused attacks increasingly used by advanced adversaries. Failure to recognize and adapt to these trends will leave organizations unaware of and ill prepared for an increasingly expanded attack surface based on modern network and operational inter-dependencies.
Full-Spectrum Information Operations for Critical Infrastructure AttacksJoe Slowik
Presentation from 2019 CYBERWARCON covering layered/sequenced use of different disciplines of information operations (including cyber attacks) for critical infrastructure disruption.
Attribution within threat intelligence operations generally focuses on trying to find a 'who' - pick a US three-letter agency or other intelligence service - rather than the 'how' - what totality of activities makes up a specific activity group responsible for one (or more) campaigns. This talk will explore and outline the differences between these approaches, and how the former might be useful when discussing things in the press or looking at events from a law enforcement perspective, but the latter is far more useful (and significantly less controversial) for actual network defenders. Specifically, by limiting ourselves to defining a collection of behaviors or TTPs surrounding a specific event or campaign, threat intelligence can then develop playbooks, response procedures, and evaluation of expected follow-on actions related to the documented activity group. Most importantly, activity groups - as collections of behaviors - are distinct from 'actors'. Thus, you may have multiple activity groups, associated with a set of targets and TTPs, that all happen to belong to the same hostile foreign intelligence service. But from an IR or SOC perspective, the 'geopolitical' aspect is irrelevant.
To illustrate the above and how this matters, I would provide a couple of examples - including one where aggressive attribution for the sake of press or other motives muddies the waters from a defense perspective. Specifically, I'll look into the Dragonfly2.0 report released earlier in 2017 and follow-on reporting related to it (most notably US-CERT's report) to show how multiple activity groups can be conflated and produce a confusing and unhelpful threat landscape understanding for network defenders.
Following this discussion, attendees will have a more robust understanding of threat intelligence operations, the different types of attribution based upon threat intelligence work, and why an activity group-focused approach is more useful to security operations than alternatives. Attendees will be equipped to more robustly examine and, where necessary, challenge threat intelligence reporting, and learn what details are most useful in applying threat intelligence data to security operations.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
9. What Are The Vulkan Files?
Computer Technology Firm, Founded In 2010 By Russian Military
Veterans With Approval To Perform Classified Work.
NTC Vulkan
10. What Are The Vulkan Files?
Computer Technology Firm, Founded In 2010 By Russian Military
Veterans With Approval To Perform Classified Work.
NTC Vulkan
Unknown Entity Leaked Project Information And Documentation For
Various Projects To German Journalists
The Leaks
11. What Are The Vulkan Files?
Computer Technology Firm, Founded In 2010 By Russian Military
Veterans With Approval To Perform Classified Work.
NTC Vulkan
Unknown Entity Leaked Project Information And Documentation For
Various Projects To German Journalists
The Leaks
Rarely Do We See The “Nuts & Bolts” Of CNO Tool Development &
Procurement Processes - Lots Of Data To Go Through!
The
Significance
22. Scan-V
Design
● Distributed, Multi-Component System Crossing Various Information Boundaries
● Designed For Automated Tasking & Action Within Pre-Programmed Capabilities
Purpose
23. Scan-V
Design
● Distributed, Multi-Component System Crossing Various Information Boundaries
● Designed For Automated Tasking & Action Within Pre-Programmed Capabilities
Purpose
● Combine External Scanning Functionality With Catalog Of Vulnerabilities & Exploits
● Automate Or Increase The Efficiency Of Cyber Operations, Infrastructure Harvesting
26. Amesit
Information Operations & Collection Platform
Capable Of Capturing & Proxying Communication
Streams For Collection & Manipulation
27. Amesit
Information Operations & Collection Platform
Capable Of Capturing & Proxying Communication
Streams For Collection & Manipulation
Potential Applications In Both Foreign & Domestic
Targeting
34. Diving Into The Vulkan Leaks
The Vulkan Leaks Represent A
Significant Event In The History Of
Cyber Operations - We Need To Review
Just What’s Inside!
37. Diving Into The Vulkan Leaks
NTC
Vulkan
Scan-V
Amesit
Krystal-2V
MiniDuke
38. Diving Into The Vulkan Leaks
NTC
Vulkan
Scan-V
Amesit
Krystal-2V
MiniDuke
GRU
74455
FSB Radio
Research
Institute
SVR
39. Vulkan & Russia’s “Cyber Hydra”
For Various Reasons, Research
Institutes & External Entities Generally
Perform Dedicated Work For One
Element Of Russia’s Cyber Forces…
40. Vulkan & Russia’s “Cyber Hydra”
For Various Reasons, Research
Institutes & External Entities Generally
Perform Dedicated Work For One
Element Of Russia’s Cyber Forces…
NTC Vulkan Worked With EACH Element
Of Russian External Cyber Ops - GRU,
FSB, & SVR - Not Completely Unique
But Rare!
42. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
43. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
SVA Institute &
SVR
44. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
SVA Institute &
SVR
45. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
Kvant Institute &
FSB
SVA Institute &
SVR
46. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
Kvant Institute &
FSB
SVA Institute &
SVR
INCONTROLLER /
PIPEDREAM?
47. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
Kvant Institute &
FSB
SVA Institute &
SVR
INCONTROLLER /
PIPEDREAM?
48. Privatization Of Cyber Development
NTC Vulkan Is Both An Example And A
Pioneer Of Increasingly Outsourced
Cyber Development & Engineering Work
For State-Directed Operations!
49. Privatization Of Cyber Development
NTC Vulkan Is Both An Example And A
Pioneer Of Increasingly Outsourced
Cyber Development & Engineering Work
For State-Directed Operations!
NOTE: This Is
NOT Just
Russia!
61. The “So What” Behind Vulkan
Focus On Scalability & Control Of Widespread
Operations
62. The “So What” Behind Vulkan
Focus On Scalability & Control Of Widespread
Operations
Enables Greater Efficiency & Increases Extent Of
Cyber Activity
63. The “So What” Behind Vulkan
Focus On Scalability & Control Of Widespread
Operations
Enables Greater Efficiency & Increases Extent Of
Cyber Activity
Transition From “One Operator, One Op” To Massive,
Distributed Campaigns
82. SORM To Amesit
Amesit Enables A Mobile, Flexible
Deployment Of SORM-Like Capabilities,
Including For INFORMATION &
INFLUENCE OPERATION PURPOSES.
Can Also Be “Forward Deployed.”
88. PRC CNO & IO Operations
Great Cannon
Is Nearly 10
Years Old Now
- Disclosed In
2015!
89. PRC CNO & IO Operations
Great Cannon
Is Nearly 10
Years Old Now
- Disclosed In
2015!
PRC (Likely)
Continues To
Invest &
Innovate In
Cyber
Operations
90. PRC CNO & IO Operations
Great Cannon
Is Nearly 10
Years Old Now
- Disclosed In
2015!
PRC (Likely)
Continues To
Invest &
Innovate In
Cyber
Operations
Widespread
Intrusion Ops -
Exchange,
Barracuda
ESGs,
Emphasize
This!
91. PRC CNO & IO Operations
Great Firewall & Great Cannon
Functionality Give Glimpses Of Similar
Ambitions & Programs - Main Question
Is Scalability & Management Of These
Capabilities & Widespread Intrusion
Campaigns
93. The United States & FVEY
Hey - Remember The
Snowden Leaks?
NOTE THAT THE FOLLOWING SLIDES
ARE BASED ON PUBLIC COMMENTARY
AND POSTING HERE NEITHER
CONFIRMS NOR DENIES THE ACCURACY
OR VERACITY OF THESE ITEMS!
96. NSA Leaks & Implications
Popular Conception
● Emphasis On Privacy Violations & Other Elements Detrimental To Open Democracies
● Clearly Important - But Hardly The Limit Of What Was Disclosed
97. NSA Leaks & Implications
Popular Conception
● Emphasis On Privacy Violations & Other Elements Detrimental To Open Democracies
● Clearly Important - But Hardly The Limit Of What Was Disclosed
Additional Details
98. NSA Leaks & Implications
Popular Conception
● Emphasis On Privacy Violations & Other Elements Detrimental To Open Democracies
● Clearly Important - But Hardly The Limit Of What Was Disclosed
Additional Details
● Snowden (And Potentially Others) Disclosed SIGNIFICANT Information On CNO
Capabilities & Tradecraft Beyond Privacy & Legality Issues!
● Less-Heralded But Arguably More Significant Were Widespread, Automated
Exploitation & Control Frameworks
104. Automated Exploitation At Scale
QUANTUM, TURBINE, Etc.
Represent Automated
Exploit Systems
Disclosed Publicly In Early
2010’s - Possibility
Adversaries Identified Earlier
105. Automated Exploitation At Scale
QUANTUM, TURBINE, Etc.
Represent Automated
Exploit Systems
Disclosed Publicly In Early
2010’s - Possibility
Adversaries Identified Earlier
Alleged FVEY “State Of
The Art” In 2010 Now
Reflected In RU, PRC Ops
106. Snowden, Vulkan, & Beyond
IF TRUE - Snowden Leaks Were
Arguably A DISASTER For US, Related
CNO & SIGINT Capabilities By
Disclosing Methodology…
107. Snowden, Vulkan, & Beyond
IF TRUE - Snowden Leaks Were
Arguably A DISASTER For US, Related
CNO & SIGINT Capabilities By
Disclosing Methodology…
…It Also Appears That Multiple Parties
Were Taking Notes On How To Build
Similar (Or More Ambitious) Programs
Based On Disclosures!
113. The Road To Scalable Cyber
Cyber Talent Is Expensive - Codifying Capabilities In Technology &
Programs Is Key To Expansive & Efficient Action!
Personnel
114. The Road To Scalable Cyber
Cyber Talent Is Expensive - Codifying Capabilities In Technology &
Programs Is Key To Expansive & Efficient Action!
Personnel
Global Ambitions Require Global Actions. Assumptions On Targeting &
Focus Go Out The Window - Especially When Targets Can Be “Means
To An End!”
Targeting
115. The Road To Scalable Cyber
Cyber Talent Is Expensive - Codifying Capabilities In Technology &
Programs Is Key To Expansive & Efficient Action!
Personnel
Global Ambitions Require Global Actions. Assumptions On Targeting &
Focus Go Out The Window - Especially When Targets Can Be “Means
To An End!”
Targeting
Top-Tier Threat Actors Know How Defenders & CTI Analysts Operate -
They Will Work To Evade Known Analytical Tradecraft & Minimize
Touchpoints Wherever Possible!
Operational
Security
116. NTC Vulkan & CNO
Vulkan Capabilities Are LAGGING
Indicators - This Activity Has Already
Taken Place!
117. NTC Vulkan & CNO
Vulkan Capabilities Are LAGGING
Indicators - This Activity Has Already
Taken Place!
We Need To Anticipate Greater Degrees
Of Automation, Queueing, & Reactive
Targeting!
119. What Should We Expect?
Greater
Automation &
Improved
Scalability
120. What Should We Expect?
Greater
Automation &
Improved
Scalability
Leverage
“Neutral Web”
For Offensive
Action
121. What Should We Expect?
Greater
Automation &
Improved
Scalability
Reduced
Reliance On
“Rockstars” -
Commoditization
Leverage
“Neutral Web”
For Offensive
Action
122. What Should We Expect?
Greater
Automation &
Improved
Scalability
Reduced
Reliance On
“Rockstars” -
Commoditization
Leverage
“Neutral Web”
For Offensive
Action
Actual,
Meaningful
Applications Of
ML/AI
127. Capability Inspiration & Proliferation
Adversaries Learn From “Other Adversary”
Operations & Open Source Research
128. Capability Inspiration & Proliferation
Adversaries Learn From “Other Adversary”
Operations & Open Source Research
Today’s Leak Or Disclosure Is Inspiration For
Tomorrow’s Capability & Evolution
129. Capability Inspiration & Proliferation
Adversaries Learn From “Other Adversary”
Operations & Open Source Research
Today’s Leak Or Disclosure Is Inspiration For
Tomorrow’s Capability & Evolution
CNO Is NOT A Static Field - But A Constantly
Evolving One With Multiple Factors
137. Advice For Offense
Human-Drive Operations Are
Rapidly Being Replaced In Ops
Adversary Emulation &
Success Requires
Understanding Trends
138. Advice For Offense
Human-Drive Operations Are
Rapidly Being Replaced In Ops
Adversary Emulation &
Success Requires
Understanding Trends
Testing & Probing Will Become
More Technically Challenging!
139. Where Do We Go From Here?
Networks Of Various Types Will
Continue To Be Weaponized By Diverse
Parties, Either As End-Targets Or Means
To Reaching Them…
140. Where Do We Go From Here?
Networks Of Various Types Will
Continue To Be Weaponized By Diverse
Parties, Either As End-Targets Or Means
To Reaching Them…
…The Increasing Scale & Velocity Of
Campaigns Will Make Defense &
Response Challenging - But Not
Impossible!
142. Selected Works Cited
● The Vulkan Files - Papertrail Media (https://www.papertrailmedia.de/investigations/vulkan-files/)
● Vulkan Files - Der Spiegel (https://www.spiegel.de/thema/vulkanfiles/)
● “Secret Trove Offers Rare Look Into Russian Cyberwar Ambitions” - Craig Timberg, Ellen Nakashima, Hannes Munzinger, & Hakan Tanriverdi, The
Washington Post (https://www.washingtonpost.com/national-security/2023/03/30/russian-cyberwarfare-documents-vulkan-files/)
● “‘Vulkan Files’ Leak Reveals Putin’s Global And Domestic Cyberwarfare Tactics” - Luke Harding, Stiliyana Simeonova, Manisha Ganguly, & Dan Sabbagh,
The Guardian (https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics)
● “Contracts Identify Cyber Operations Projects From Russian Company NTC Vulkan” - Alden Wahlstrom, Gabby Roncone, Keith Lunden, & Daniel
Kapellmann Zafra, Mandiant (https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan)
● “Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure” - Kevin Woolf & Bryce Livingston, Dragos
(https://hub.dragos.com/hubfs/Dragos_IntelBrief_Russian-Programs-Threatening-Critical_Infrastructure.pdf)
● “Zeroing In On XENOTIME” - Joe Slowik, VirusBulletin
(https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Zeroing-in-on-XENOTIME-analysis-of-the-entities-responsible-for-the-Tri
ton-event.pdf)
● CyberWatchers Twitter Thread (https://threadreaderapp.com/thread/1615358254409986053.html)
● “New VPNFilter Malware Targets At Least 500k Networking Devices Worldwide” - William Largent, Cisco Talos
(https://blog.talosintelligence.com/vpnfilter/)
● “New Sandworm Malware Cyclops Blink Replaces VPNFilter” - US CISA (https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-054a)
● “The Great Firewall Of China: Xi Jinping’s Internet Shutdown” - Elizabeth C. Economy, The Guardian
(https://www.theguardian.com/news/2018/jun/29/the-great-firewall-of-china-xi-jinpings-internet-shutdown)
● “China’s Great Cannon” - Bill Marczak, Nicholas Weaver, Jakub Dalek, Roya Ensafi, David Fifield, Sarah McKune, Arn Rey, John Scott-Railton, Ron Deibert, &
Vern Paxson, The Citizen Lab (https://citizenlab.ca/2015/04/chinas-great-cannon/)
● “A Close Look At The NSA’s Most Powerful Internet Attack Tool” - Nicolas Weaver, Wired (https://www.wired.com/2014/03/quantum/)
● “NSA’s Automated Hacking Engine Offers Hands-Free Pwning Of The World” - Sean Gallagher, Ars Technica
(https://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/)
● “Hack Like The NSA: The Quantum Insert” - otw, HackersArise (https://www.hackers-arise.com/post/2016/09/09/hack-like-the-nsa-the-quantum-insert)