Cyber security has recently been a game of cat and mouse.
Adversaries create techniques for evading detection; defensive researchers then struggle to analyze the evasion and develop detection techniques.
However, the adversaries learn to identify the detection and repeatedly create the next evasive techniques.
Defensive researchers have been at an overwhelming disadvantage.
In such a situation, do the developed detection techniques become useless once the adversaries identify them?
That is not true.
Adversaries have intentions behind their activity.
Their purpose is often business, so their funds and chosen techniques depend on the targets, such as a particular organization or clients with low security literacy.
Not all adversaries always use state-of-the-art techniques.
In short, the clues left by targeted attacks differ from those left by broad ones.
SOC operators are always busy coping with various kinds of attacks, so it is difficult to deal with every alert.
They have to prioritize alerts and sometimes explain to management or the responsible person why the alerts occurred.
They are overworked because of limited time.
We aim to enable SOC operators to reduce the work involved in explaining alerts.
We have developed a method for identifying attack types with an explainable diagnosis by taking advantage of advanced adversaries' evasive behavior.
In addition to the differences between legitimate and malicious behavior, we learn from a comparison of targeted attacks and broad ones.
This learning is the basis for explainable detection of attack types for unidentified domains.
In this presentation, we will show that advanced adversaries rarely leave traces which defensive researchers can easily detect, and then compare the traces of targeted attacks with those of broad attacks.
For unidentified domains, we will demonstrate that our system identifies attack types with an explainable diagnosis.
[CB20] LogonTracer v1.5 + Elasticsearch = Real-time AD Log Analysis System by... (CODE BLUE)
LogonTracer is a tool to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. In many of our incident response cases, LogonTracer is able to detect malicious logons. Since we introduced this tool at CODE BLUE 2018, we have received a lot of feedback and continue updating it.
LogonTracer is designed mainly for DFIR at present. We received many requests for using this tool for real-time log analysis, so we have added a new function for that purpose.
The new version, LogonTracer v1.5, adds a function to analyze AD event logs stored in Elasticsearch. Many real-time log analysis systems monitor thresholds and specific event IDs, and they also require additional logs such as network traffic logs. LogonTracer can investigate malicious logons by visualization and machine learning based on event logs only.
LogonTracer is an open source tool and the most suitable solution for real-time monitoring of malicious logons to a Windows network.
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ... (CODE BLUE)
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been little coverage of these attacks. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, which are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio... (CODE BLUE)
Tons of insecure IoT devices are out there, ready to be compromised to join the next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem likely to improve naturally in the short term. This talk will focus on a series of efforts on discovery, monitoring, analysis, and notification of these devices, trying to clean up "the mess".
[CB21] Were "2020" Subdomains Abused Actually? - Mining the Real Threat Hidde... (CODE BLUE)
In our presentation at CODE BLUE last year, we called attention to the threat regarding tokyo.2020.TLD, tokyo2.020.TLD, tokyo20.20.TLD, tokyo202.0.TLD (TLD is an arbitrary Top-Level Domain). Many numeric domains which do not depend on candidate sites of the Olympic Games were registered long before Tokyo stood as a candidate for the Olympic Games, and subdomains of the numeric domains were then abused for impersonating "tokyo2020". Most of the domains had been parked and were low risk. However, we feared the scenario of the parked domains being changed to malicious ones during the Olympic Games Tokyo 2020. We had observed the domains for half a year and continued to observe during the Olympic Games Tokyo 2020; as a result, fortunately, we did not detect serious threats as far as we observed.
On the other hand, we came to identify potential threats based on in-depth analysis of subdomains not registered in WHOIS or TLD zone files. Recently, the abuse of subdomains to impersonate URLs of brand domains in phishing stands out, since domain owners can operate any strings as subdomains without any limitation from registrars. Under this situation, we identified potential threats regarding combinations of event and brand abuse. In short, brand domains are abused like google.com.2020.TLD and yahoo.com.2020.TLD in normal times, and ticket.tokyo.2020.TLD is abused during the event. We investigated upcoming Olympic Games such as "beijing2022" and "paris2024". There are no footprints of abuse related to the Olympic Games. However, we confirmed brand abuse in relation to "2022" and "2024".
In this presentation, based on our follow-up evaluation of the tokyo2020 look-alike domains which were our evaluation targets last year, we will report the pre-event evaluation, actual observation, and post-event evaluation of the Olympic Games Tokyo 2020. In addition, we will discuss future potential threats and their countermeasures based on in-depth analysis of subdomains.
[CB20] It is a World Wide Web, but All Politics is Local: Planning to Survive... (CODE BLUE)
Since the birth of the World Wide Web in 1989, despite the fact that the key function of the Internet is to communicate, share and distribute information without borders, countries have varied in their understanding and policies on how the Internet should work in their jurisdiction; some have codified laws bolstering Internet sovereignty or built firewalls to control online information flows. At the 25th anniversary of the Internet in 2014, the Pew Research Center invited over 1400 technology industry leaders and academics to reflect on the impact of the Internet over the next ten years. The top Internet threat these experts named was that nation-states could increasingly block, filter, segment and Balkanize the Internet for geopolitical, economic, social and security reasons.
In 2020, six years after that Pew report, amidst a global pandemic, growing populist partisanship in many countries, and heightened geopolitical tensions between the world's largest economies, the splintering of Internet communities seems even more imminent than before, as governments seek to limit the sometimes harmful power of social media speech and Internet companies' encroachments on personal privacy. Is the global trend towards segmentation and Balkanization of the Internet forthcoming? What are its implications for business operations globally in terms of cost, planning, continuity, and liabilities? How will cyber threats evolve as businesses adjust their operations to adapt to a more segmented Internet? This talk will address these issues by identifying and characterizing the evidence of the segmentation and Balkanization of the Internet and by providing broad cyber threat and risk profiles for each region and practical mitigation measures to improve business resilience.
Slides presented at Anomali Detect 19 by Katie Nickels and Adam Pennington in National Harbor, MD on "Turning Intelligence into Action with MITRE ATT&CK"
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI... (CODE BLUE)
MUSHIKAGO is an automatic penetration testing tool using game AI; it focuses on the verification of post-exploitation. Post-exploitation is the activity an attacker carries out after invading the target environment. By focusing on post-exploitation verification, we can understand how far an attacker can actually penetrate and what kind of information is collected. MUSHIKAGO uses GOAP (Goal-Oriented Action Planning), a game AI commonly used for NPCs (Non-Player Characters). By using GOAP, we can flexibly change the content of the attack according to the environment, like an NPC, and mimic the attacks of real APT attackers and testers. The operation and verification results of MUSHIKAGO can be checked on the dedicated web page. Moreover, MUSHIKAGO supports ICS (Industrial Control Systems) and can be used for penetration testing across IT and OT (Operational Technology).
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo (Katie Nickels)
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
The latest massive IoT DDoS attack from the Mirai botnet, which took major websites like Twitter and Reddit offline for hours, has already gained notoriety as one of the worst DDoS strikes in history.
In this webinar Manish Rai & Ty Powers of Great Bay Software will help you understand exactly how the enterprise IoT landscape is changing, and what it means for the assumptions organizations have been making in regards to safeguarding against IoT cyberattacks. You will:
Gain insights into how the recent IoT-based DDoS attacks were launched
How similar attacks could be launched inside enterprise networks
How to safeguard against IoT device compromises
How to reduce your risk, whose job is it anyway?
Learn about what your peers are doing for IoT device security, relevant findings from the 2016 Great Bay Software IoT Security Survey
Watch this on-demand webinar with this link: https://go.greatbaysoftware.com/owb-safeguarding-against-iot-ddos-attacks
Sharpening your Threat-Hunting Program with ATTACK Framework (MITRE - ATT&CKcon)
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we will demonstrate how to effectively employ the hunting methodology on the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac... (MITRE ATT&CK)
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio... (Adam Pennington)
Downloadable slides presented at the 2019 RH-ISAC Retail Cyber Intelligence Summit by Adam Pennington in Denver, CO on "Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense"
This project mainly focuses on remotely scanning an organization's internal network using precise, advanced and efficient tools installed on a Raspberry Pi. Keeping all security aspects in scope, this tool is built and configured to meet and protect the required operations throughout the process. The whole scanning operation is done through Secure Shell (SSH), because it is open source and uses an open protocol, so it is hard to plant a backdoor. The encryption provides privacy and maintains integrity throughout the operation, and protects against network sniffers, eavesdropping and man-in-the-middle attacks. This tool is made to completely eliminate the security team's physical travel to the client's location in order to perform any contract-based security operations.
Sharique Raza | Feon Jaison Maliyekkal | Nitin Choudhary, "Remotely Scanning Organization's Internal Network", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6, October 2020. URL: https://www.ijtsrd.com/papers/ijtsrd33636.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-network/33636/remotely-scanning-organization’s-internal-network/sharique-raza
Brian Gorenc, Trend Micro
Much like their six-legged counterparts in nature, bugs in software have a lifecycle. They are discovered, they get exploited, they get reported, they get patched, and usually, they go away. At each stage of this lifecycle, information about the vulnerability equates to a monetary value, and, depending on how this information is disseminated, that monetary value can drastically change. Various marketplaces exist for security research, and the current gray and black markets can be as robust as their white market counterparts. Different agents within these markets influence research trends by shifting finances to or away from specific areas, resulting in more bugs discovered and reported in that area.
Even if you don’t directly participate in this economy, it impacts you and the systems you defend. Bugs bought and sold in the marketplace often become security patches and sometimes get wrapped into exploit kits or malware. Administering the world’s largest vendor agnostic bug bounty program puts us in a unique position to examine the inner workings of these transactions. While firmly in the white market, our experience and relationships provide us with insight across the entire exploit landscape. Some of these factors might not be obvious to those outside of the marketplace until exposed through data leaks or compromise.
These hidden factors can shift prices and send researchers, and thus exploits, in new directions. Like any open market, various factors can spur changes in supply and demand, and market actors can shape what types of research either become public or find their way into an exploit kit. This presentation covers the inner workings of the exploit marketplace, the main players in various sectors, and the winding, often controversial lifespan of a security bug. We include real-world examples of how effectively run programs have disrupted nation-state exploit usage in the wild, and take a look at how existing and impending legislation could irrevocably affect the exploit marketplace, and maybe not for the better.
[CB18] Discover traces of attackers from the remains of disposable attack inf... (CODE BLUE)
In order to detect malicious activities, we often make use of blacklists. The blacklists are useful; however, malicious domain names in the blacklists can be considered static threat intelligence once we receive them. On the other hand, the behavior of the malicious domain names depends on the adversaries. Advanced cyber adversaries often change their attack infrastructure within a short time in order to avoid tracking. In extreme cases, the malicious domain names expire soon after we receive them from the blacklists.
Previous studies have paid attention to the determination problem for unidentified domain names. Once some unidentified domain names prove to be malicious, operators simply register the malicious domain names in their blacklists and wait for updates.
We have already presented our research regarding "Detection index learning based on cyber threat intelligence and its application" and continue to concentrate on effective utilization of known threat intelligence. In this presentation, we will present an extended framework for examining indicators based on the Domain Name System (DNS) both actively and passively. In short, for malicious domain names from blacklists, we query the domain names (Active DNS) while learning the history of the domain names from the DNS point of view, for both surviving and disposable domain names (Passive DNS). Then we form an opinion: for example, we guess that one malicious domain name will continue to be used, whereas another will disappear soon, in which case we recommend that you prepare for the next malicious activities. Based on the extended framework, we implement our indicator diagnosis system. We will show several case studies regarding the diagnosis results.
Detection index learning based on cyber threat intelligence and its applicati... (CODE BLUE)
While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance is increasing as cyber attacks become more sophisticated, the IP addresses and domains included in CTI as detection indices are disposed of (changed or removed) by attackers in short cycles. As a countermeasure on the defender side, we are moving toward increasing the attackers' cost by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the CTI itself is also disposable within a short cycle. In this report, we built a detection index learning method based on CTI accumulated day by day, implemented a detection index learning engine that learns how detection indices are used by attackers, and report on the learning results. We also report on the possibility of reconstructing and combining the learned detection indices and applying them to mid- to long-term advanced protection in combination with another data source.
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...CODE BLUE
MUSHIKAGO is an automatic penetration testing tool using game AI, MUSHIKAGO focuses on the verification of post-exploitation. A post-exploitation is an attack that an attacker carries out after invading the target environment. By focusing on post-exploitation verification, we can understand how far an attacker can actually penetrate and what kind of information is collected. MUSHIKAGO uses the GOAP (Goal-Oriented Action Planning), which is game AI commonly used in NPC (Non Player Character). To using GOAP, we can flexibly change the content of the attack according to the environment like NPC, and mimic the attacks by real APT attackers and testers. The operation and verification results of MUSHIKAGO can be checked on the dedicated web page. Moreover, MUSHIKAGO supports ICS (Industrial Control System), and can be used for penetration testing across IT and OT (Operation Technology).
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
The latest massive IoT DDoS attack from the Mirai botnet that took major websites like Twitter and Reddit offline for hours – has already gained notoriety as one of the worst DDoS strikes in history.
In this webinar Manish Rai & Ty Powers of Great Bay Software will help you understand exactly how the enterprise IoT landscape is changing, and what it means for the assumptions organizations have been making in regards to safeguarding against IoT cyberattacks. You will:
Gain insights into how the recent IoT-based DDoS attacks were launched
How similar attacks could be launched inside enterprise networks
How to safeguard against IoT device compromises
How to reduce your risk, whose job is it anyway?
Learn about what your peers are doing for IoT device security, relevant findings from the 2016 Great Bay Software IoT Security Survey
Watch this ondemand webinar with this link: https://go.greatbaysoftware.com/owb-safeguarding-against-iot-ddos-attacks
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
Downloadable slides presented at the 2019 RH-ISAC Retail Cyber Intelligence Summit by Adam Pennington in Denver, CO on "Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense"
This project focuses on remotely scanning an organization's internal network using precise, advanced and efficient tools installed on a Raspberry Pi. With all security aspects in scope, the tool is built and configured to protect the required operations throughout the process. The whole scanning operation is carried out over Secure Shell (SSH): it is open source and uses an open protocol, so it is hard to plant a backdoor into it. Its encryption provides confidentiality and integrity throughout the operation and protects against network sniffers, eavesdropping and man-in-the-middle attacks. The tool is designed to eliminate physical travel by the security team to the client's location for any contract-based security operation. Sharique Raza | Feon Jaison Maliyekkal | Nitin Choudhary "Remotely Scanning Organization’s Internal Network" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6 , October 2020, URL: https://www.ijtsrd.com/papers/ijtsrd33636.pdf Paper Url: https://www.ijtsrd.com/computer-science/computer-network/33636/remotely-scanning-organization’s-internal-network/sharique-raza
Brian Gorenc, Trend Micro
Much like their six-legged counterparts in nature, bugs in software have a lifecycle. They are discovered, they get exploited, they get reported, they get patched, and usually, they go away. At each stage of this lifecycle, information about the vulnerability equates to a monetary value, and, depending on how this information is disseminated, that monetary value can drastically change. Various marketplaces exist for security research, and the current gray and black markets can be as robust as their white market counterparts. Different agents within these markets influence research trends by shifting finances to or away from specific areas, resulting in more bugs discovered and reported in that area.
Even if you don’t directly participate in this economy, it impacts you and the systems you defend. Bugs bought and sold in the marketplace often become security patches and sometimes get wrapped into exploit kits or malware. Administering the world’s largest vendor agnostic bug bounty program puts us in a unique position to examine the inner workings of these transactions. While firmly in the white market, our experience and relationships provide us with insight across the entire exploit landscape. Some of these factors might not be obvious to those outside of the marketplace until exposed through data leaks or compromise.
These hidden factors can shift prices and send researchers – and thus exploits – in new directions. Like any open market, various factors can spur changes in supply and demand, and market actors can shape what types of research either becomes public – or finds its way into an exploit kit. This presentation covers the inner-workings of the exploit marketplace, the main players in various sectors, and the winding, often controversial lifespan of a security bug. We include real-world examples of how effectively run programs have disrupted nation-state exploit usage in the wild, and take a look at how existing and impending legislation could irrevocably affect the exploit marketplace – and maybe not for the better.
[CB18] Discover traces of attackers from the remains of disposable attack inf...CODE BLUE
To detect malicious activity, we often rely on blacklists. Blacklists are useful, but the malicious domain names they contain can be considered static threat intelligence once we receive them, whereas the behavior of those domain names depends on the adversaries. Advanced cyber adversaries often change their attack infrastructure within a short time to avoid tracking; in extreme cases, the malicious domain names expire soon after we receive them from the blacklists.
Previous studies have focused on the problem of determining whether unidentified domain names are malicious. Once an unidentified domain name proves to be malicious, operators simply register it in their blacklists and wait for updates.
We have already presented our research on “Detection index learning based on cyber threat intelligence and its application” and continue to concentrate on the effective use of known threat intelligence. In this presentation, we present an extended framework for examining indicators through both active and passive use of the Domain Name System (DNS). In short, for malicious domain names taken from blacklists, we query the names ourselves (active DNS) while learning their history from the DNS point of view for both surviving and disposable domain names (passive DNS). From this we form an opinion: for example, we estimate that one malicious domain name will continue to be used, while another will disappear soon, in which case we recommend preparing for the next malicious activity. Based on the extended framework, we implement our indicator diagnosis system and show several case studies of its diagnosis results.
Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE
While the importance of sharing cyber threat intelligence (CTI) and preparing countermeasures in advance grows as cyber attacks become more sophisticated, the IP addresses and domains included in CTI as detection indices are disposed of (changed or removed) by attackers in short cycles. As a countermeasure, defenders are moving towards raising attackers' costs by speeding up CTI sharing, and we now receive large amounts of CTI every day. As a result, the CTI itself is also disposable in a short cycle. In this report, we build a detection index learning method based on CTI accumulated day by day, implement a detection index learning engine that learns how attackers use detection indices, and report on the learning results. We also report on the possibility of reconstructing and combining the learned detection indices and applying them, together with another data source, to mid- to long-term advanced protection.
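The two abstracts above (the CB18 talk on active and passive DNS diagnosis of blacklisted domains, and the earlier detection index learning work it extends) describe the same idea: a blacklisted domain is not a static fact, so examine how it has resolved over time and whether it still resolves now, and explain the resulting verdict. The following is an added illustration of that kind of indicator diagnosis, not the authors' system or code. The verdict labels, the thresholds, and the passive DNS records and live-lookup answers are all assumptions constructed for the example; a real deployment would feed in a passive DNS source and the answers of an actual resolver.

```python
"""Indicator diagnosis over active + passive DNS for blacklisted domains.

Added example, not the CODE BLUE authors' implementation. The verdict
labels and thresholds are assumptions chosen for illustration, and the
passive DNS history and active-lookup answers below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PassiveRecord:
    """One passive DNS observation: rrname -> rdata seen over [first_seen, last_seen]."""
    rrname: str
    rdata: str
    first_seen: date
    last_seen: date


# Assumed thresholds (days); tune against your own blacklist feed.
STALE_DAYS = 14          # dead now and unseen for this long -> disposable
LONG_LIVED_DAYS = 90     # observed this long and still alive -> survival
CHURN_MIN_IPS = 3        # >= this many distinct IPs in the window -> rotating
CHURN_WINDOW_DAYS = 30


def diagnose(domain: str, today: date, passive: List[PassiveRecord],
             active_rdata: Optional[List[str]]) -> Dict[str, object]:
    """Return a verdict for one blacklisted domain plus the evidence behind it.

    active_rdata is the answer of a live A lookup made now (None or an empty
    list means no answer / NXDOMAIN); passive is the history for the name.
    """
    hist = sorted((r for r in passive if r.rrname == domain), key=lambda r: r.first_seen)
    alive = bool(active_rdata)
    evidence: List[str] = []

    if hist:
        first, last = hist[0].first_seen, max(r.last_seen for r in hist)
        evidence.append(f"seen in passive DNS from {first} to {last} "
                        f"({(last - first).days} days, {len(hist)} resolutions)")
    else:
        first = last = None
        evidence.append("no passive DNS history for this name")

    evidence.append(f"active lookup answers {sorted(active_rdata)}" if alive
                    else "active lookup returns no answer")

    # Distinct IPs seen inside the churn window point at infrastructure rotation.
    recent_ips = {r.rdata for r in hist if (today - r.last_seen).days <= CHURN_WINDOW_DAYS}

    if not alive and (last is None or (today - last).days > STALE_DAYS):
        verdict = "disposable"
        evidence.append("dead and stale: expect the adversary to have moved to new infrastructure")
    elif len(recent_ips) >= CHURN_MIN_IPS:
        verdict = "rotating"
        evidence.append(f"{len(recent_ips)} distinct IPs in the last {CHURN_WINDOW_DAYS} days")
    elif alive and first is not None and (today - first).days >= LONG_LIVED_DAYS:
        verdict = "survival"
        evidence.append("long-lived and still resolving: keep blocking, expect continued use")
    else:
        verdict = "undetermined"
        evidence.append("too little history to predict lifetime; re-check later")

    return {"domain": domain, "verdict": verdict, "evidence": evidence}


# Constructed sample data (RFC 5737 documentation addresses, not real infrastructure).
TODAY = date(2018, 10, 1)
SAMPLE_PASSIVE = [
    PassiveRecord("long-lived.example", "203.0.113.10", date(2018, 3, 1), date(2018, 9, 30)),
    PassiveRecord("burner.example", "198.51.100.7", date(2018, 8, 20), date(2018, 8, 25)),
    PassiveRecord("fastflux.example", "192.0.2.11", date(2018, 9, 10), date(2018, 9, 14)),
    PassiveRecord("fastflux.example", "192.0.2.12", date(2018, 9, 15), date(2018, 9, 20)),
    PassiveRecord("fastflux.example", "192.0.2.13", date(2018, 9, 21), date(2018, 9, 29)),
]
SAMPLE_ACTIVE: Dict[str, Optional[List[str]]] = {
    "long-lived.example": ["203.0.113.10"],
    "burner.example": None,
    "fastflux.example": ["192.0.2.14"],
}


def run_samples() -> Dict[str, Dict[str, object]]:
    """Diagnose every constructed blacklist entry."""
    return {d: diagnose(d, TODAY, SAMPLE_PASSIVE, SAMPLE_ACTIVE[d]) for d in SAMPLE_ACTIVE}


if __name__ == "__main__":
    for result in run_samples().values():
        print(result["domain"], "->", result["verdict"])
        for line in result["evidence"]:
            print("   ", line)
```

The evidence list is the part a SOC operator would actually hand to management: each verdict carries the observations that produced it, so a "disposable" entry can be retired from a watchlist with a stated reason and a "rotating" one can be escalated for a wider infrastructure hunt.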
[cb22] What I learned from the direct confrontation with the adversaries who ...CODE BLUE
In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action, where they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system worked well. The end of their attack was brought upon by the surge in Bitcoin prices. Due to the fees for the Bitcoin miners, a transaction had reduced the adversaries' profits, and we confirmed the last C&C update was in January 2021 and the abandonment of the attack infrastructure came in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. That is, at the time of the confrontation with them, this attack was highly novel, and the adversaries themselves did not fully understand the best solution for its operation. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off their guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or made a simple operational error. This presentation is a culmination of my insights learned from interactions with these adversaries, and I am looking forward to sharing this information with everyone.
T22.Fujitsu World Tour India 2016-Business Intelligence and Data Analytics in...Fujitsu India
Maturing technologies around big data make it now possible to derive benefits in a cost effective manner. Discover the methodologies which make this possible with Fujitsu's experts.
Log Analytics for Distributed MicroservicesKai Wähner
Log Analytics and Operational Intelligence for Distributed Microservices.
IT systems and applications generate more and more distributed machine data due to millions of mobile devices, Internet of Things, social network users, and other new emerging technologies. However, organizations experience challenges when monitoring and managing their IT systems and technology infrastructure. They struggle with distributed Microservices and Cloud architectures, custom application monitoring and debugging, network and server monitoring / troubleshooting, security analysis, compliance standards, and others.
This session discusses how to solve the challenges of monitoring and analyzing terabytes and more of different distributed machine data to leverage the “digital business”. The main part of the session compares different open source frameworks and SaaS cloud solutions for log management and operational intelligence, such as Graylog, the “ELK stack”, Papertrail, Splunk or TIBCO LogLogic Unity. A live demo will demonstrate how to monitor and analyze distributed microservices and sensor data from the “Internet of Things”.
The session also explains the distinction of the discussed solutions to other big data components such as Apache Hadoop, Data Warehouse or Machine Learning, and how they can complement each other in a big data architecture.
The session concludes with an outlook to the new, advanced concept of IT Operations Analytics (ITOA).
Video Streaming Outside The Firewall Market Shares, Strategies, and Forecasts...ReportLinker.com
WinterGreen Research announces the following study: Video Streaming Outside the Firewall Market Shares, Strategies, and Forecasts, Worldwide, 2012-2018. Video content delivery on the internet is all about content and infrastructure. Infrastructure is needed to manage end point devices. Content is almost an afterthought once the infrastructure is in place. The vision of video content delivery is to change fundamentally the way media is accessed and consumed. User generated content represents a move away from entirely professional content to some content captured on the fly. As better video tools become more widely available, the quality of the user generated content and the professional video begins to converge. There has often been little or no charge for uploading user-generated content. As a result, data centers are replete with exabytes of user-generated content that, in addition to creating a corporate asset, may also contain data that can be regarded as a liability.
Data, Interconnectedness & The Internet of Things Software AG
Innovation World 2013 presentation.
The key to deriving value from fast data is being able to access, analyze and respond to it in real-time. Robin Gilthorpe explores the deep capabilities and synergies of Real-Time Analytics (Apama) and In-Memory (Terracotta) Platforms, sharing a breadth of insights around use cases and customer successes.
Speaker:
Robin Gilthorpe
CEO, Terracotta
Deep Dive into Pivotal Cloud Foundry 2.0VMware Tanzu
SpringOne Platform 2017
Jeffrey Hammond, Forrester; Richard Seroter, Pivotal
Pivotal Cloud Foundry (PCF) is the enterprise platform of choice for cloud-native apps. With the release of PCF 2.0, the platform undergoes its biggest change ever. In this session, learn all about the latest release of PCF and all the major new capabilities that power your transformation. This is the place to learn all about Pivotal vision for the future of the platform.
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...Splunk
With the acceleration of customer and business demands, site reliability engineers and IT Ops analysts now require operational visibility into their entire architecture, something that traditional APM tools, dev logging tools, and SRE tools aren’t equipped to provide. Observability enables you to inspect and understand your IT stack on premises and in the cloud(s); it’s no longer only about whether your system works (monitoring), but about being able to ask why it is not working (observability). This presentation will outline key steps to take to move from monitoring to observability.
Part 3, the final part of the series "Mastering Next Gen SIEM Use Cases".
The following presentation talks about building use cases to detect anomalies pertaining to applications and application servers.
Importance of correlating events pertaining to applications and applications servers.
Discover sample use cases for detecting anomalies in the SWIFT application.
In today's world we see continuous change. The number of remote users is growing, and end users expect more, and faster, answers from the IT department. How do you deal with that today?
How does Ivanti look at this, and how do we tackle today's challenges with a view to the future?
Join us to get to know Ivanti's MSP offering, based on existing use cases.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printers have become one of the essential devices in the corporate intranet over the past few years, and their functionality has also increased significantly. Beyond printing and faxing, cloud printing services like AirPrint are also supported to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers for internal business documents of the company, which makes it even more important to keep them safe.
Nowadays, most of the printers on the market do not have to be connected with USB or a traditional cable. As long as the printer is connected to the intranet by a LAN cable, a computer can find and use it immediately. Most of this discovery is based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not run a traditional Linux system but use an RTOS (Real-Time Operating System) instead; how does this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and the HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze and gain control of the printer. We will also demonstrate how to use the vulnerabilities to achieve unauthenticated RCE on the RTOS.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges faced by society around them.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting massive numbers of credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While we responded to CloudDragon's incidents, we found that the actor still relied on the BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to avoid detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially at a critical moment such as wartime or the election season. We have seen Bots-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently we saw newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOp targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making analysis difficult for analysts. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
[CB20] Explainable malicious domain diagnosis by Tsuyoshi Taniguchi
1. Explainable Malicious Domain Diagnosis
CODE BLUE 2020 Track 2 (October 30th, 2020)
FUJITSU SYSTEM INTEGRATION LABORATORIES LTD.
Tsuyoshi TANIGUCHI
Copyright 2020 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
2. Tsuyoshi TANIGUCHI
◼ Fujitsu System Integration Laboratories Researcher, Ph.D.
◼ Mar. 2008 - Hokkaido University Ph.D. (computer science)
◼ Apr. 2008 - Researcher, FUJITSU
◼ Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
◼ Speaker: CODE BLUE 2017 Day0 Special Track Counter Cyber Crime Track; CODE BLUE 2018
3. Research Overview
(Figure: timeline of the research, with the technique/data and the goal of each stage)
◼ Stages: Indicator Learning (CODE BLUE 2017 Day0) -> Indicator Diagnosis (CODE BLUE 2018) -> Explainable Malicious Domain Diagnosis (CODE BLUE 2020)
◼ Technique, data: learning from existing threat intel. (threat intelligence); contrast set mining; active + passive DNS, WHOIS history
◼ Goals: current situation recognition, stock-taking, trend analysis; proactive defense (treasure hunting among a lot of threat intel., known -> unknown); toward “explainable” indicators, distinction of long-term targeted attacks
4. Principle of “Explainable”
(Figure: the detection viewpoints registration and name server, compared across legitimate, short-term malicious and long-term malicious domains)
◼ Legitimate: registered decades ago, then continue to update; stable operation of name servers (name server 1, name server 2, ...)
◼ Short-term malicious: recently registered, disposable before expiration; short-term name server change in a case of large-scale spam attack
◼ Long-term malicious: unnatural change of registrars (registrar 1 -> registrar 2 -> registrar 3)
◼ Malicious detection: comparison of detection viewpoints (registration, name server); take advantage of evasive behavior
5. Future Goal
◼ SOC support by explainable malicious domain diagnosis
◼ Work saving of explanation tasks when SOC operators cope with alerts
(Figure: list of unknown domains -> explainable malicious domain diagnosis, backed by learning results (reasoning for explanation) -> SOC operators -> explanation for management. Diagnosis outputs: results of malicious detection, detection viewpoints, estimated attack types)
6. System Overview
(Figure: data flow of the system)
◼ Input: legitimate domains, malicious domains for short-term attacks, malicious domains for targeted attacks; unknown domains
◼ Lookup Analyzer: passive DNS via the DNSDB API (curl)
◼ Registration Analyzer: WHOIS history via the PassiveTotal API (curl)
◼ GeoIP Analyzer: IP geolocation via GeoLite2
◼ Explainable Learning & Diagnosis -> Diagnosis DB (MySQL)
◼ Output: dashboard, visualization in Metabase (BI tool) via its API
7. Data Sources
◼ Farsight Security – DNSDB
◼ https://www.dnsdb.info
◼ RiskIQ – PassiveTotal
◼ https://www.riskiq.com/products/passivetotal/
◼ MaxMind - GeoLite2
◼ https://dev.maxmind.com/geoip/geoip2/geolite2/
◼ Metabase
◼ https://www.metabase.com/
◼ Alexa Web Information Company
◼ https://www.alexa.com/topsites
8. Differences between Registration and Lookup
(Figure: registration path vs. lookup path; ns: name server)
◼ Registration: domain -> registrar -> registry (registration application); zone delegation TLD -> SLD -> domain, each zone with its ns and IP
◼ Example zone data:
    example.jp IN NS ns1.example.jp
    ns1.example.jp IN A 1.2.3.4
    host1.example.jp IN A 5.6.7.8
◼ Lookup: client -> caching DNS server -> query (lookup) for host1.example.jp -> 5.6.7.8
◼ Lookup is not always conducted soon after registration
9. Forensics based on Histories of Registration and Lookup
(Figure: registration history and lookup history timelines for three patterns)
◼ Legitimate: registration -> update -> update ...; first seen shortly after registration, last seen keeps moving forward
◼ Disposable (spam, fast-flux): registration -> expiration; first seen after a short delay, last seen before expiration
◼ Lookup delay (also the behavior of domains registered for brand protection): registration -> expiration; first seen only after a long delay, then last seen
◼ Registration term: a year, two years, five years, and so on; the domain does not operate during all terms
10. Malicious Detection of Long-term Attacks Based on Unnatural Registration Change
(Figure: registration and lookup histories of short-term and long-term malicious domains)
◼ Short-term: registration -> expiration; first seen, last seen before expiration (disposable)
◼ Long-term: registration -> expiration -> registration -> expiration, with first seen and last seen spanning the change: unnatural registration change
◼ Short-term malicious: drop catch
◼ Not legitimate behavior: expiration
11. Demonstration
1. Can we detect malicious behavior from well-known viewpoints in cyber security for targeted attacks?
2. Do all-purpose detectable viewpoints for all malicious behavior exist?
3. Explainable malicious domain diagnosis for unknown domains
12. Summary of Learning Data
◼ Targeted: three campaigns targeting Japan
◼ Short-term: famous campaigns regarding botnet, spam, ransomware
Type | Campaign | Domains | Data sources | Period
Legitimate | - | 50 | Alexa (top 50, Jun. 23rd, 2020) | -
Targeted | BlackTech | 40 | JPCERT (Mar. 1st, May 28th, 2018, Oct. 23rd, 2019, Feb. 26th, 2020), LAC (Apr. 25th, 2018) | 2012 -
Targeted | DarkHotel | 17 | OTX (May 9th, 29th, Jun. 24th, 2019) | 2007 -
Targeted | Gamaredon | 19 | Trend Micro (Mar. 30th, 2020) | 2013 -
Short-term | Goznym | 365 | Talos Blog, Cisco (Mar. 6th, 2018) | 2016 to May 2019
Short-term | Necurs | 243 | Talos Blog, Cisco (Jan. 18th, 2018) | 2012 to (Mar. 2020)
Short-term | Cerber | 1305 | Ransomware Tracker (closed) | 2016 to Dec. 2017
Short-term | Locky | 214 | Ransomware Tracker (closed) | 2016 to 2017
13. Demonstration 1
◼ Can we detect malicious behavior from well-known viewpoints in cyber security for targeted attacks?
14. Can We Detect Malicious Behavior from Well-known Viewpoints in Cyber Security for Targeted Attacks?
Viewpoint | Criteria | Legitimate behavior | Summary
Freshness | Registration within a year of the basis date | Registered decades ago | Short-term: concentrated on registering domains during the corresponding campaigns; Targeted: 10 to 30%
Name server | Changed more than once, within three months per name server | Stable operation | Short-term: short-interval change
Registrar | A particular registrar | Abused registrars not used | Short-term: concentrate on abusing registrars (The 10 Most Abused Domain Registrars by Spamhaus)
◼ -> rarely detected for targeted attacks
15. Backup Slides for Dashboard Error
16. Backup Slides for Dashboard Error
17. Demonstration 2
◼ Do all-purpose detectable viewpoints for all malicious behavior exist?
18. Do All-purpose Detectable Viewpoints for All Malicious Behavior Exist?
Viewpoint | Citation | Explainable
Short lifetime | Exposure [Bilge et al., 2011] |
Fast-Flux | [Holz et al., 2008] |
Freshness | |
Name server change | Predator [Hao et al., 2016] |
Lookup delay | [Holz et al., 2008], [Hao et al., 2011] |
A particular registrar | Predator [Hao et al., 2016] |
Unnatural registration change | |
Long lookup delay | |
19. Backup Slides for Dashboard Error
(Dashboard screenshot: counts per viewpoint: particular registrar, short lifetime, lookup delay, fast flux, freshness, name server change, before expiration / after dormant, long lookup delay)
20. Do All-purpose Detectable Viewpoints for All Malicious Behavior Exist?
Viewpoint | Citation | Explainable
Short lifetime | Exposure [Bilge et al., 2011] | Short term
Fast-Flux | [Holz et al., 2008] | Short term
Freshness | | Short term
Name server change | Predator [Hao et al., 2016] | Short term
Lookup delay | [Holz et al., 2008], [Hao et al., 2011] | Short term
A particular registrar | Predator [Hao et al., 2016] | Short term
Unnatural registration change | | Long term
Long lookup delay | | Long term
◼ -> no cure-all, but short-term can be distinguished from long-term
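As an added example (not code from the deck or from Fujitsu's system), the following Python sketch turns the viewpoints of slides 9, 10 and 14 and the short-term/long-term split of slide 20 into a toy diagnosis over constructed WHOIS and passive-DNS histories. The 365-day long-delay threshold, the abused-registrar placeholder, the sample domains and the precedence of long-term clues over short-term ones are assumptions, not values from the talk.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder for an abused-registrar list (slide 14 cites Spamhaus'
# "10 Most Abused Domain Registrars"); no real registrar names are reproduced.
ABUSED_REGISTRARS = {"bulk-reg-example"}
@dataclass
class Registration:
    day: date                    # date of the WHOIS record
    registrar: str
    name_servers: tuple

@dataclass
class DomainHistory:
    name: str
    registrations: list          # WHOIS history (Registration objects), oldest first
    expirations: list            # dates on which the registration lapsed
    first_seen: "date | None"    # passive DNS first/last sighting
    last_seen: "date | None"

def freshness(h, basis):
    """Registered within a year before the basis date (slide 14)."""
    return basis - h.registrations[0].day < timedelta(days=365)

def unstable_name_servers(h):
    """More than one name-server change, each within three months (slide 14)."""
    changes = [(a.day, b.day) for a, b in zip(h.registrations, h.registrations[1:])
               if a.name_servers != b.name_servers]
    return len(changes) > 1 and all(b - a < timedelta(days=90) for a, b in changes)

def abused_registrar(h):
    """Some WHOIS record names a registrar on the abused list (slide 14)."""
    return any(r.registrar in ABUSED_REGISTRARS for r in h.registrations)
def lookup_delay(h):
    """Days from first registration to first passive-DNS sighting (None: never seen)."""
    return None if h.first_seen is None else (h.first_seen - h.registrations[0].day).days
def disposable(h):
    """Last seen before the registration expired: short lifetime (slide 9)."""
    return bool(h.expirations and h.last_seen and h.last_seen < h.expirations[0])
def unnatural_registration_change(h):
    """Expired and registered again later, the drop-catch pattern of slide 10."""
    return any(r.day > e for e in h.expirations for r in h.registrations)

def diagnose(h, basis, long_delay_days=365):
    """Fired viewpoints and estimated type; short-/long-term split as on slide 20,
    long-delay threshold and long-term precedence are assumptions."""
    delay = lookup_delay(h)
    short = {"freshness": freshness(h, basis), "name server change": unstable_name_servers(h),
             "particular registrar": abused_registrar(h), "short lifetime": disposable(h)}
    long_ = {"unnatural registration change": unnatural_registration_change(h),
             "long lookup delay": delay is not None and delay > long_delay_days}
    kind = ("long-term malicious" if any(long_.values())
            else "short-term malicious" if any(short.values()) else "no clue")
    fired = [k for k, v in {**short, **long_}.items() if v]
    return {"domain": h.name, "viewpoints": fired, "estimated_type": kind}

# Constructed sample histories (not real domains); basis date as on slide 12.
BASIS = date(2020, 6, 23)
SAMPLE_SHORT = DomainHistory("spam-campaign.example",
    [Registration(date(2020, 1, 10), "bulk-reg-example", ("ns1.a.example",)),
     Registration(date(2020, 2, 1), "bulk-reg-example", ("ns1.b.example",)),
     Registration(date(2020, 3, 1), "bulk-reg-example", ("ns1.c.example",))],
    [date(2021, 1, 10)], date(2020, 1, 12), date(2020, 4, 1))
SAMPLE_LONG = DomainHistory("lookalike.example",
    [Registration(date(2012, 5, 1), "reg-x.example", ("ns1.x.example",)),
     Registration(date(2016, 7, 1), "reg-y.example", ("ns1.y.example",))],
    [date(2015, 5, 1)], date(2018, 9, 1), date(2020, 5, 1))
SAMPLE_LEGIT = DomainHistory("stable.example",
    [Registration(date(2006, 3, 1), "reg-x.example", ("ns1.s.example",))],
    [], date(2006, 3, 5), date(2020, 6, 1))
```

Calling `diagnose(SAMPLE_LONG, BASIS)` returns the two long-term viewpoints and nothing else, which is the explanation a SOC operator would hand on; `SAMPLE_LEGIT` fires no viewpoint at all.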
21. Demonstration 3
◼ Explainable malicious domain diagnosis for unknown domains
22. Analysis of tokyo2020 Typosquatting Domains
◼ Theme: social contribution toward smooth operation of the Olympics
◼ The Tokyo Organising Committee of the Olympic and Paralympic Games and JC3 (Japan Cybercrime Control Center) work to realize smooth operation of the Olympics against cyber threats.
◼ Fujitsu supports JC3 as a member company.
◼ Aoki, who cooperates with JC3, and Shimizu provided me with tokyo2020 typosquatting domains from their system as a Fujitsu activity
◼ Special thanks to FUJITSU SOCIAL SCIENCE LABORATORY Taichi Aoki and Satoru Shimizu
◼ tokyo2020 similar domains: 2385
◼ Evaluation targets: 474
◼ 190 similar domains related to IDN homograph attacks: not applicable
◼ 1721 WHOIS histories (.fm, .la, .ph, .vg, .ws, DGA behavior): not available
23. tokyo2020 Similar Domain Analysis by Tatsuya Mori Laboratory
◼ Survey analysis regarding similar domains related to the Tokyo Olympic official site
◼ https://nsl.cs.waseda.ac.jp/tokyo2020/
◼ Similar domains: 956 (as of Jun. 2019)
◼ Extracted domains containing the strings “tokyo” and “2020” from 1358 TLDs in domainlists.io
◼ Most of the domains were related to “domain parking” services; the others were legitimate services
◼ Even for specialists, string analysis alone cannot tell official sites from domains that require caution
◼ “typosquatting” and IDN homograph attacks: not applicable
◼ Our target: “typosquatting” similar domains
24. Backup Slides for Dashboard Error
25. Backup Slides for Dashboard Error
(Dashboard screenshot: registration timeline of tokyo2020 similar domains, marking the point at which the Tokyo Olympics were decided to be held; long-term operation before the Tokyo Olympic decision)
27. In-depth Analysis of Long-Term Similar Domains
◼ Most of the similar domains have not operated yet (as of Oct. 16th)
◼ dig, lookup history based on passive DNS, subdomains from VirusTotal
Similar domain | dig | Passive DNS | Subdomains
tokyo.2020.biz | ○ | × | 1
tokyo2.020.biz | ○ | × | 0
tokyo.2020.cz | ○ | × | 1
tokyo.2020.in | ○ | × | 2
tokyo.2020.info | ○ | × | 3
tokyo.2020.pl | ○ | × | 6
tokyo.2020.us | ○ | × | 3
tokyo2.020.us | ○ | × | 2
tokyo2.020.org | ○ | ○ | 0
tokyo2.020.se | ○ | × | 0
tokyo20.20.cl | ○ | × | 2
tokyo20.20.cn | ○ | × | 8
tokyo20.20.com | ○ | ○ | 62
tokyo20.20.fr | ○ | × | 31
tokyo20.20.hk | ○ | × | 2
tokyo20.20.kz | ○ | × | 2
tokyo20.20.ms | ○ | × | 3
tokyo20.20.net | ○ | × | 41
tokyo20.20.org | ○ | × | 24
tokyo20.20.pl | ○ | × | 8
tokyo20.20.st | ○ | × | 3
28. In-depth Analysis: tokyo20.20.com
◼ VirusTotal https://www.virustotal.com/gui/domain/tokyo20.20.com/relations
◼ Many subdomains of 20.com, including tokyo20.20.com, were mapped to 39.108.146[.]115
◼ Targets of domain parking were not only tokyo2020 but also other strings
29. Conclusion
◼ Explainable Malicious Domain Diagnosis
◼ For unknown domains, the system can explain the detection viewpoints connected with attack types
◼ In principle, take advantage of evasive behavior by advanced adversaries
◼ Demonstration: tokyo2020 similar domains
◼ Short-term: registration increase after the Tokyo Olympic decision
◼ Long-term: 2020.xxx, 020.xxx, 20.xxx (xxx: TLD): no clues of operations -> be careful
31. Previous Studies
(Figure: timeline 2005-2020 of previous studies along two axes, DNS lookup and DNS registration; our contributions marked)
◼ Passive DNS (2005), Fast-Flux Observation (2008), Notos (2010), Proactive Domain Blacklisting (2010), Exposure (2011), Kopis (2011), Initial DNS Behavior (2011), Phoenix (for DGA) (2014), Active DNS (2016), Predator (2016)
◼ Our contribution: Indicator Diagnosis (2018), Explainable Diagnosis (2020)
32. Citation
◼ Holz, Thorsten, et al. "Measuring and Detecting Fast-Flux Service Networks." NDSS. 2008.
◼ Nazario, Jose, and Thorsten Holz. "As the net churns: Fast-flux botnet observations." 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE). IEEE, 2008.
◼ Weimer, Florian. "Passive DNS replication." FIRST conference on computer security incident. 2005.
◼ Antonakakis, Manos, et al. "Building a dynamic reputation system for DNS." USENIX Security Symposium. 2010.
◼ Bilge, Leyla, et al. "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis." NDSS. 2011.
◼ Felegyhazi, Mark, Christian Kreibich, and Vern Paxson. "On the Potential of Proactive Domain Blacklisting." LEET 10 (2010): 6-6.
◼ Hao, Shuang, Nick Feamster, and Ramakant Pandrangi. "Monitoring the initial DNS behavior of malicious domains." Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. 2011.
◼ Hao, Shuang, et al. "PREDATOR: proactive recognition and elimination of domain abuse at time-of-registration." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016.
33. Citation: Threat Intel.
◼ OTX Pulse, Continued DarkHotel Activity, May 9th, 2019.
◼ OTX Pulse, Continued Activity by DarkHotel, May 29th, 2019.
◼ OTX Pulse, DarkHotel disclosed the latest attack on Chinese foreign trade, Jun. 24th, 2019.
◼ JPCERT, TSCookie, https://blogs.jpcert.or.jp/ja/2018/03/tscookie.html, Mar. 1st, 2018.
◼ LAC, “BlackTech”, “PLEAD”, https://www.lac.co.jp/lacwatch/people/20180425_001625.html, Apr. 25th, 2018.
◼ JPCERT, BlackTech, PLEAD, https://blogs.jpcert.or.jp/ja/2018/05/linopid.html, May 28th, 2018.
◼ JPCERT, BlackTech, IconDown, https://blogs.jpcert.or.jp/ja/2019/10/IconDown.html, Oct. 23rd, 2019.
◼ JPCERT, BlackTech (ELF_TSCookie), https://blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html, Feb. 26th, 2020.
◼ Trend Micro, Gamaredon, https://blog.trendmicro.co.jp/archives/24285
◼ Talos Blog, Cisco, Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution, https://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html, Mar. 6th, 2018.
◼ Talos Blog, Cisco, The Many Tentacles of the Necurs Botnet, https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html, Jan. 18th, 2018.