[Hitcon 2020 CTI Village] Threat Hunting to Campaign Tracking - Su Steve
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop that Ashley Shen (Google) and Steve Su (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins, so we couldn't cover everything. However, through this talk we hope to share our experience and insight with beginners.
About our CTI Village:
https://docs.google.com/document/d/18Tfaie4t38-_pY2lxB-PhXiBc-kA1vsKw5DIiosiIvk/
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest) - Alex Pinto
Follow along with the R Markdown file at http://rpubs.com/alexcpsec/tiq-test-Summer2014-2
Source code available at:
https://github.com/mlsecproject/tiq-test
https://github.com/mlsecproject/tiq-test-Summer2014
https://github.com/mlsecproject/combine
---------
Full Abstract:
Threat Intelligence feeds are now being touted as the saving grace for SIEM and log management deployments, and as a way to supercharge incident detection and even response practices. We have heard similar promises before as an industry, so it is only fair to try to investigate. Since the actual number of breaches and attacks worldwide is unknown, it is impossible to measure how good threat intelligence feeds really are, right? Enter a new scientific breakthrough developed over the last 300 years: statistics!
This presentation will consist of a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide. Are they a statistically good measure of the population of "bad stuff" happening out there? Is there even such a thing? How tuned to your specific threat surface are those feeds anyway? Regardless, can we actually make good use of them even if the threats they describe have no overlap with the actual incidents you have been seeing in your environment?
We will provide an open-source tool for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with current OSINT network feeds and easily extensible for private or commercial feeds. All the statistical code written and research data used (from the open-source feeds) will be made available in the spirit of reproducible research. Attendees will also be able to use the tool to perform the same type of tests on their own data.
Join Alex and Kyle on a journey through the actual real-world usability of threat intelligence to find out which mix of open source and private feeds is right for your organization.
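The abstract above talks about measuring feed overlap, bias and usefulness against what you actually see in your own incidents. The following is an added example, not code from tiq-test or combine, showing the kind of measurements meant: pairwise overlap (Jaccard) between feeds, how much of each feed is unique, day-over-day novelty (churn), and the hit rate of each feed against locally observed indicators. The feed snapshots and the incident set are constructed for the example using documentation-range addresses; the feed names and the churn definition are assumptions made here.

```python
from itertools import combinations

# Constructed sample feed snapshots for two consecutive days: feed name -> set of
# IPv4 indicators. Documentation-range addresses only; these are not real feed data.
DAY1 = {
    "feed_a": {"203.0.113.5", "203.0.113.7", "198.51.100.9", "192.0.2.10"},
    "feed_b": {"203.0.113.5", "198.51.100.9", "198.51.100.23", "192.0.2.44"},
    "feed_c": {"192.0.2.77", "192.0.2.78", "192.0.2.79", "203.0.113.5"},
}
DAY2 = {
    "feed_a": {"203.0.113.5", "203.0.113.7", "198.51.100.9", "192.0.2.11"},
    "feed_b": {"203.0.113.5", "198.51.100.23", "192.0.2.44", "192.0.2.45"},
    "feed_c": {"192.0.2.77", "192.0.2.78", "192.0.2.79", "203.0.113.5"},
}
# Constructed set of indicators observed in the organisation's own incidents.
LOCAL_INCIDENTS = {"203.0.113.7", "192.0.2.44", "10.20.30.40"}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def overlap_matrix(feeds: dict) -> dict:
    """Pairwise Jaccard overlap between feeds, keyed by (name_x, name_y) with x < y."""
    return {(x, y): jaccard(feeds[x], feeds[y])
            for x, y in combinations(sorted(feeds), 2)}


def uniqueness(feeds: dict) -> dict:
    """Share of each feed's indicators that appear in no other feed."""
    result = {}
    for name, inds in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        result[name] = len(inds - others) / len(inds) if inds else 0.0
    return result


def novelty(old: set, new: set) -> dict:
    """Churn between two snapshots of one feed: share of today's indicators that are
    new, and share of yesterday's indicators that were dropped."""
    return {
        "added": len(new - old) / len(new) if new else 0.0,
        "removed": len(old - new) / len(old) if old else 0.0,
    }


def hit_rate(feeds: dict, observed: set) -> dict:
    """Fraction of locally observed indicators that each feed would have flagged."""
    if not observed:
        return {name: 0.0 for name in feeds}
    return {name: len(inds & observed) / len(observed) for name, inds in feeds.items()}


def feed_report(day1: dict, day2: dict, observed: set) -> dict:
    """Collect the four measures for two snapshots of the same feeds."""
    return {
        "overlap": overlap_matrix(day2),
        "uniqueness": uniqueness(day2),
        "novelty": {name: novelty(day1[name], day2[name]) for name in day2},
        "hit_rate": hit_rate(day2, observed),
    }


if __name__ == "__main__":
    for measure, values in feed_report(DAY1, DAY2, LOCAL_INCIDENTS).items():
        print(measure)
        for key, value in values.items():
            print(f"  {key}: {value}")
```

A low hit rate with high uniqueness says a feed is telling you about a population you do not see; a high overlap between two paid feeds says you are paying twice for the same indicators. Both are the questions the abstract raises, and neither needs the true number of breaches worldwide to answer.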
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Maturity Model of Security Disciplines - Florian Roth
A slide deck that was created for a private talk outlining the maturity model of security disciplines, recommendations on security monitoring, log source priority, low hanging fruits and some highlights
After anomalous network traffic has been identified there can still be an abundance of results for an analyst to process. This presentation is for data scientists and network security professionals who want to increase the signal-to-noise ratio.
Flare is a network analytic framework designed for data scientists, security researchers, and network professionals. Written in Python, flare is designed for rapid prototyping and development of behavioral analytics. Flare comes with a collection of pre-built utility functions useful for performing feature extraction.
Using flare, we'll walk through identifying Domain Generation Algorithms (DGA) commonly used in malware and how to reduce the dataset to a manageable amount for security professionals to process.
We'll also explore flare's beaconing detection which can be used with the output from popular Intrusion Detection System (IDS) frameworks.
More information on flare can be found at https://github.com/austin-taylor/flare
www.austintaylor.io
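The two detections the flare abstract names, DGA-like domain names and beaconing, are shown below in an added example written for this page; it is not flare's code and does not reproduce its feature set or thresholds. The connection records are constructed so that one host talks to a random-looking name on a near-fixed interval while another browses irregularly. The lexical heuristics (entropy, vowel and digit ratios, consonant run) and their cut-offs, and the coefficient-of-variation beacon test, are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample connection records: (timestamp in seconds, source host,
# destination name). Not captured traffic; the values are chosen so that one pair
# beacons on a near-fixed 60 s interval and the other browses irregularly.
CONNECTIONS = [
    (0, "10.0.0.5", "kq3x9zv1p.example"),
    (60, "10.0.0.5", "kq3x9zv1p.example"),
    (121, "10.0.0.5", "kq3x9zv1p.example"),
    (180, "10.0.0.5", "kq3x9zv1p.example"),
    (241, "10.0.0.5", "kq3x9zv1p.example"),
    (300, "10.0.0.5", "kq3x9zv1p.example"),
    (5, "10.0.0.7", "www.wikipedia.org"),
    (9, "10.0.0.7", "www.wikipedia.org"),
    (140, "10.0.0.7", "www.wikipedia.org"),
    (143, "10.0.0.7", "www.wikipedia.org"),
    (700, "10.0.0.7", "www.wikipedia.org"),
    (702, "10.0.0.7", "www.wikipedia.org"),
]

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registered_label(domain: str) -> str:
    """Label left of the TLD. Naive: a co.uk-style suffix would be mistaken for TLD+label."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(domain: str) -> dict:
    label = registered_label(domain)
    n = len(label) or 1
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "label": label,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "consonant_run": longest,
    }


def looks_like_dga(domain: str) -> bool:
    """Flag when at least two of four cheap lexical heuristics fire. Thresholds are
    assumptions for this example, not values from flare."""
    f = dga_features(domain)
    hits = [f["entropy"] > 3.0, f["vowel_ratio"] < 0.25,
            f["digit_ratio"] > 0.2, f["consonant_run"] >= 4]
    return sum(hits) >= 2


def detect_beacons(connections, min_connections=5, max_cv=0.2) -> dict:
    """Group by (src, dst); a pair beacons when it has enough connections and the
    coefficient of variation (stdev/mean) of its inter-arrival times is small."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return beacons


def hunt(connections) -> list:
    """Reduce the connection set to pairs worth an analyst's time, with the reason."""
    flagged = []
    beacons = detect_beacons(connections)
    for pair in sorted({(src, dst) for _, src, dst in connections}):
        reasons = []
        if pair in beacons:
            reasons.append(f"beacon every ~{beacons[pair]['mean_interval']:.0f}s")
        if looks_like_dga(pair[1]):
            reasons.append("DGA-like name")
        if reasons:
            flagged.append((pair[0], pair[1], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for src, dst, why in hunt(CONNECTIONS):
        print(f"{src} -> {dst}: {why}")
```

Entropy alone is a poor DGA signal (ordinary words such as "wikipedia" score high), which is why the example requires two heuristics to agree; likewise software updaters and monitoring agents beacon legitimately, so a beacon hit is a reduction of the dataset for review, not a verdict.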
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... - MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypotheses, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, only a few focus primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac... - MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Cyber threat Intelligence and Incident Response by Sandeep Singh - OWASP Delhi
The broad list of topics includes (but is not limited to):
- What is Threat Intelligence?
- Types of Threat Intelligence
- Intelligence Lifecycle
- Threat Intelligence - Classification & Vendor Landscape
- Threat Intelligence Standards (STIX, TAXII, etc.)
- Open Source Threat Intel Tools
- Incident Response
- Role of Threat Intel in Incident Response
- Bonus Agenda
Effective Threat Hunting with Tactical Threat Intelligence - Dhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Threat hunting - Every day is hunting season - Ben Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Knowledge for the masses: Storytelling with ATT&CK - MITRE ATT&CK
From ATT&CKcon 3.0
By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix
The Trellix team believes that creating and sharing compelling stories about cyber threats, with ATT&CK, is a powerful way of raising awareness and enabling actionability against cyber threats.
In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.).
They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.
Threat Modeling is a structured activity for identifying and managing the threats to an object (such as an application).
Threat Modeling, also called Architectural Risk Analysis, is an essential step in the development of your application.
Without it, your protection is a shot in the dark.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare, but essential, breed of enterprise cyber defenders gives proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Cyber threat intelligence: maturity and metrics - Mark Arena
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision support to executives, whilst the field of cyber threat intelligence supports this customer and network defenders, who have different requirements. By using the intelligence cycle, this talk will seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
PatrOwl is an advanced platform for orchestrating Security Operations like Penetration testing, Vulnerability Assessment, Code review, Compliance checks, Cyber-Threat Intelligence / Hunting and SOC & DFIR Operations.
Fully developed in Python (Django for the backend and Flask for the engines), it remains incredibly easy to customize all components. Asynchronous tasks and engine scalability are supported by RabbitMQ and Celery.
In our webinar "What is Threat Hunting and why do you need it?" we discussed the following key points:
1. What Threat hunting is.
2. Why it is becoming so popular and what kinds of attacks are making it necessary.
3. What the challenges are.
4. Threat Hunting and Investigation services for attacks.
5. Case studies.
Find out more on https://www.pandasecurity.com/business/adaptive-defense/?utm_source=slideshare&utm_medium=social&utm_content=SM_EN_WEB_adaptive_defense&track=180715
Threat Hunting with Elastic at SpectorOps: Welcome to HELK - Elasticsearch
HELK offers another approach for advanced cyber-hunting analytics, focusing on the importance of data documentation, quality, and modeling when developing analytics and making sense of disparate data sources inside the contested environment.
Vulnerability Assessment and Penetration Testing using Webkill - ijtsrd
Data is more vulnerable than ever, and every technological development raises new security threats that require new security measures. The Webkill tool is designed to assess the security of an IT infrastructure by safely exposing its weaknesses. The performance of an application is measured by its number of false negatives and false positives. The testing technique is highly automated and covers several boundary cases by supplying invalid data as application input, to make sure that exploitable vulnerabilities are absent.
Deepesh Seth | Ms. N. Priya, "Vulnerability Assessment and Penetration Testing using Webkill", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1, December 2020. URL: https://www.ijtsrd.com/papers/ijtsrd37919.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/37919/vulnerability-assessment-and-penetration-testing-using-webkill/deepesh-seth
DataWorks 2018: How Big Data and AI Saved the Day - Interset
In this presentation titled "How Big Data and AI Saved the Day: Critical IP Almost Walked Out the Door," Interset Field Data Scientist Roy Wilds discussed real-world examples of how businesses can expand their threat analysis using security analytics powered by artificial intelligence in a big data environment. This was presented at DataWorks Summit 2018.
Today's threats demand a more active role in detecting and isolating sophisticated attacks. This must-see presentation provides practical guidance on modernizing your SOC and building out an effective threat hunting program. Ed Amoroso and David Bianco discuss best practices for developing and staffing a modern SOC, including the essential shifts in how to think about threat detection.
Watch the presentation with audio here: http://info.sqrrl.com/webinar-modernizing-your-security-operations
Classification is one of the data mining techniques used to classify data. Here, I have tried different technologies such as Machine Learning and Deep Learning using the R programming language.
In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
Fraud and Malware Detection in Google Play by using Search Rank - ijtsrd
Fraudulent behaviors in Google Play, the most popular Android app market, fuel search rank abuse and malware proliferation. To identify malware, previous work has focused on app executable and permission analysis. In this paper, we introduce FairPlay, a novel system that discovers and leverages traces left behind by fraudsters, to detect both malware and apps subjected to search rank fraud. FairPlay discovers hundreds of fraudulent apps that currently evade Google Bouncer's detection technology.
A. Brahma Reddy | K. V. Ranga Rao | V. Vinay Kumar, "Fraud and Malware Detection in Google Play by using Search Rank", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6, October 2020. URL: https://www.ijtsrd.com/papers/ijtsrd35728.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-network/35728/fraud-and-malware-detection-in-google-play-by-using-search-rank/a-brahma-reddy
Recently, NTT published the Global Threat Intelligence Report 2016 (GTIR). This year’s report focused both on the changes in threat trends and on how security organizations around the world can use the kill chain to help defend the enterprise.
Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge faced by many organizations today. The Global Threat Intelligence Platform provides increased efficiency, reduces risks and focuses on global coverage with accurate and up-to-date threat intelligence.
This presentation was given at Carnegie Mellon University by Kenji Takahashi, VP of Product Management, Security at NTT Innovation Institute.
Cyberware covers technologies you need to enjoy our security monitoring services. With our third-party service implemented rules and use cases, threat intelligence, GeoIP technology, human analysts to analyze and recommend your needs and requirements, you can invest your resources on what you do best and make better, faster decisions when cyber incidents arise. - https://www.cyberware.ai/security-monitoring/
Dayton Microcomputer Association (DMA):
April 2020 - Online Meeting
Date: April 28, 2020
Topic: Stupid Cyber Criminal Tricks and How to Combat Them
Speaker: Matt Scheurer
This talk covers various techniques used by cyber criminals, and how to spot them. This is the accompanying slide deck for a presentation that covers live demos. Who does not love a good cyber-crime story?
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
"Impact of front-end architecture on development cost", Viktor Turskyi - Fwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
2. Disclaimer
The views and opinions expressed in these slides are those of the
authors and do not necessarily reflect the official policy or
position of their employers. Any content provided in this training
is the authors' own opinion and is not intended to malign any religion,
ethnic group, club, organization, company, individual or anyone or
anything.
3. Ashley Shen
● Security Engineer @ Google
● HITCON GIRLS Co-Founder
● Black Hat Asia Review Board
A Google security engineer who came back from across the ocean; already through quarantine, so perfectly safe.
Steve Su
● Cyber Security Researcher @ FireEye・Mandiant
● Kaspersky SAS2018, SAS2019 Speaker
● Research focus on threats around East Asia
A newbie who wandered into the security field by accident, and a FireEye researcher. Tiny brain capacity: can never remember the names of malware.
4. Agenda
01 Threat Hunting 101: What is threat hunting? Who does threat hunting, and why?
02 Threat Hunting Tools/Techniques: How, and what tools can we use?
03 Campaign Tracking 101: What is campaign tracking? How to do it?
04 Campaign Tracking Case Study.
7. What is threat hunting?
Threat hunting is the practice of proactively searching for cyber
threats that are lurking undetected in your network environment.
(CrowdStrike & me)
Where threats can lurk:
● Network
● System
● Service / Platform
● Application (Mobile / Desktop)
● Forums
9.
                     | Known to Self                       | Not Known to Self
---------------------+-------------------------------------+----------------------------------------
Known to Others      | ● Internally detected threats       | ● Undetected threats discovered by a
                     |   shared with partners.             |   3rd party and not shared with us.
                     | ● Threat intelligence shared by     |   > Can be made up for by ingesting
                     |   a 3rd party.                      |     more intelligence.
---------------------+-------------------------------------+----------------------------------------
Not Known to Others  | ● Internally detected threats not   | ● Undetected threats not discovered by
                     |   shared externally.                |   anyone but lurking in the shadows.
                     |                                     |   > Most dangerous threat.
Threat detection focuses on the "Known to Self" column; threat hunting focuses on the "Not Known to Self" column.
10. Threat hunting serves different purposes for different roles.
Protecting the Org
● Orgs perform threat hunting to discover threats intruding into the org environment.
● Leverage internal telemetry; hunt on internal infrastructure.
Protecting Services/Users
● Service providers (e.g. Twitter, Facebook, Google) need to protect services from abusers and protect users/orgs from abuse.
● Hunt on platforms, applications and service infrastructure.
Protecting Customers
● Security vendors perform threat hunting to provide threat intelligence or services (MDR).
● Threat intelligence teams hunt on external resources (VirusTotal, OSINT, etc.).
● Vendors hunt with endpoint telemetry and data.
13. Quality? Confidence level? Visibility?
Golden Time Operation? Freemilk Operation? Evil New Year Operation? APT10? Menupass?
Or not the same elephant?
Picture from: https://ltcinsurancece.com/the-blind-leading-the-blind-through-ltc-insurance/
14. Threat Hunting Drivers
Analytics-Driven
● Aggregated data gathered from automation and analytics tools (including but not limited to ML systems and User and Entity Behavior Analytics (UEBA)).
● Service providers create customized tools to capture threat signals.
https://github.com/Cyb3rWard0g/HELK
16. Threat Hunting Process
Create Hypothesis
Create a possible attack scenario that your hunting focuses on.
Investigate
Investigate the scenario with tools.
Uncover TTPs
From the investigation results, find the techniques used by the attacker and the patterns, to build the actor's TTP profile.
Inform & Enrich
Improve existing detection mechanisms with the TTPs and create automated detection.
25. Reconnaissance
Hunting Reconnaissance Activities
In the reconnaissance stage the attacker collects data for the
following campaigns.
● Try to catch the attackers before they enter the intrusion stages.
Common Techniques
● Bots, crawlers, spiders scraping
○ e.g. scraping email addresses for a targeted attack
● Port scan
26. Hypothesis
● Attackers are scraping web pages to collect the target's email addresses.
Investigate
● Identify data sources:
○ Proxy logs
○ IIS logs
○ reCAPTCHA logs
● What are abnormal activities?
○ Known scripting JA3 fingerprints, known bad IPs from intelligence
○ Identical outdated User-Agent
○ Traffic without referrers
○ Short sessions and high frequency / high bounce rate
https://github.com/puppeteer/puppeteer
https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
https://www.youtube.com/
27. Uncover TTPs
● IPs with high solve rate, frequency and speed.
● Comparing request IPs with internal intel, some scraping IPs were used to send phishing emails.
● Attackers are using a reCAPTCHA farm service to solve reCAPTCHA.
Inform & Enrich
● Leverage phishing email sender IPs to detect scraping activity, or vice versa.
● Use the collected reCAPTCHA farm solving scores to improve the reCAPTCHA service and detection.
● Use JA3 to detect scripting.
https://datadome.co/bot-detection/how-to-detect-captcha-farms-and-block-captcha-bots/
https://anti-captcha.com/
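The hypothesis-to-enrichment loop on slides 26 and 27 reduces to a small piece of detection logic. The following Python is an added example written for this page, not code from the workshop or from any vendor: it profiles each client in a handful of constructed access-log lines (pipe-delimited, with a JA3 column that a TLS-terminating proxy could supply) and flags the signals the slides name: an IP that also appears in phishing-sender intel, a JA3 hash on a list of scripting clients, an identical outdated User-Agent, referrer-less sessions and a high request rate. All IPs, JA3 values and thresholds are placeholders.

```python
"""Hunt for email-address scraping in web access logs.

Added example for this page; it is not code from the HITCON slides. The log
format, the intelligence sets and every log line below are constructed for
illustration, so the IPs and JA3 values are placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, pipe-delimited:
# time | client IP | method | path | status | referer | user-agent | JA3 hash
SAMPLE_LOG = """\
2020-09-01T10:00:00|203.0.113.10|GET|/|200|-|Mozilla/5.0 (Windows NT 10.0) Chrome/85.0|ja3-browser-a
2020-09-01T10:00:05|203.0.113.10|GET|/about|200|https://example.test/|Mozilla/5.0 (Windows NT 10.0) Chrome/85.0|ja3-browser-a
2020-09-01T10:01:00|198.51.100.7|GET|/staff/a|200|-|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|ja3-script-x
2020-09-01T10:01:01|198.51.100.7|GET|/staff/b|200|-|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|ja3-script-x
2020-09-01T10:01:02|198.51.100.7|GET|/staff/c|200|-|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|ja3-script-x
2020-09-01T10:01:03|198.51.100.7|GET|/staff/d|200|-|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|ja3-script-x
2020-09-01T10:01:04|198.51.100.7|GET|/staff/e|200|-|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|ja3-script-x
2020-09-01T10:02:00|192.0.2.44|GET|/contact|200|-|Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0|ja3-browser-b
"""

# Hypothetical intelligence feeds (placeholders, not real indicators):
PHISHING_SENDER_IPS = {"192.0.2.44"}      # sender IPs from internal phishing cases
SCRIPTING_JA3 = {"ja3-script-x"}          # JA3 hashes known to belong to automation clients
OUTDATED_UA_MARKERS = ("MSIE 6.0", "MSIE 7.0", "MSIE 8.0")


def parse_log(text):
    """Turn the constructed log format into one dict per request."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, referer, ua, ja3 = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
                     "path": path, "status": int(status), "referer": referer,
                     "ua": ua, "ja3": ja3})
    return rows


def profile_clients(rows):
    """Aggregate per-client behaviour: request rate, referer usage, UA and JA3 sets."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row["ip"]].append(row)
    profiles = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        per_min = (len(reqs) - 1) / max(span, 1.0) * 60.0 if len(reqs) > 1 else 0.0
        profiles[ip] = {
            "count": len(reqs),
            "req_per_min": per_min,
            "no_referer_ratio": sum(r["referer"] == "-" for r in reqs) / len(reqs),
            "user_agents": {r["ua"] for r in reqs},
            "ja3": {r["ja3"] for r in reqs},
        }
    return profiles


def hunt_scrapers(log_text, phishing_sender_ips=PHISHING_SENDER_IPS,
                  scripting_ja3=SCRIPTING_JA3, rate_threshold=30.0):
    """Return {ip: [reasons]} for clients matching intel or at least two behavioural signals."""
    findings = {}
    for ip, p in profile_clients(parse_log(log_text)).items():
        intel, behaviour = [], []
        if ip in phishing_sender_ips:
            intel.append("phishing_sender_ip")      # slide 27: scraping IPs later sent phishing mail
        if p["ja3"] & scripting_ja3:
            intel.append("scripting_ja3")
        if any(m in ua for ua in p["user_agents"] for m in OUTDATED_UA_MARKERS):
            behaviour.append("outdated_user_agent")
        if p["count"] >= 3 and p["no_referer_ratio"] >= 0.8:
            behaviour.append("no_referer")          # whole session without referers
        if p["req_per_min"] >= rate_threshold:
            behaviour.append("high_frequency")
        if intel or len(behaviour) >= 2:
            findings[ip] = intel + behaviour
    return findings


if __name__ == "__main__":
    for ip, reasons in hunt_scrapers(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Intelligence hits are reported on their own; behavioural signals have to agree with each other, because any one of them alone (a first page view without a referrer, an old corporate browser) is common in benign traffic. The thresholds would be tuned per site from a baseline of normal sessions, and the phishing-sender overlap is useful in both directions, as slide 27 notes.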
28. JA3/JA3S Fingerprint
What is this?
● The JA3 algorithm extracts the settings a client advertises in its TLS Client Hello (version, cipher suites, extensions, elliptic curves, point formats) and hashes them to fingerprint the client's TLS stack.
● JA3 - client TLS settings fingerprint (from the Client Hello)
● JA3S - server TLS settings fingerprint (from the Server Hello)
How can it be useful for threat hunting?
● Detect / identify malware traffic.
● Fingerprint the attacker's tooling. (Note: not 100% confidence, since the fingerprint identifies a TLS library or tool rather than an operator, and many clients share the same one.)
https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
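What the JA3 hash actually covers is easiest to see by computing it. The block below is an added example for this page, not code from the slides or from the JA3 project: it builds a constructed TLS 1.2-style Client Hello (its values are chosen for the example and match no real client), then parses the five fields JA3 uses in the order the specification defines (version, cipher suites, extension types, supported groups, EC point formats), drops GREASE values, joins them with commas and dashes, and MD5-hashes the result.

```python
"""Compute a JA3 fingerprint from a raw TLS Client Hello.

Added example for this page; not code from the slides or from the JA3 project.
The Client Hello is constructed by build_client_hello(), not captured from a
real client, so its hash matches no known tool.
"""
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from the fingerprint;
# otherwise the random GREASE values browsers insert would change the hash per connection.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _ext(ext_type, body):
    """Encode one extension: u16 type, u16 length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(with_grease=True):
    """Constructed Client Hello; with_grease adds a GREASE cipher, extension and group."""
    grease = [0x0A0A] if with_grease else []
    name = b"example.test"
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    group_ids = grease + [0x001D, 0x0017]                      # x25519, secp256r1
    groups = struct.pack("!H%dH" % len(group_ids), 2 * len(group_ids), *group_ids)
    point_formats = bytes([1, 0])                              # uncompressed only
    sig_algs = struct.pack("!HHH", 4, 0x0403, 0x0804)
    extensions = _ext(0x0000, sni)
    if with_grease:
        extensions += _ext(0x0A0A, b"")
    extensions += _ext(0x000A, groups) + _ext(0x000B, point_formats) + _ext(0x000D, sig_algs)
    cipher_ids = grease + [0x1301, 0x1302, 0xC02B, 0xC02F]
    ciphers = struct.pack("!%dH" % len(cipher_ids), *cipher_ids)
    body = (struct.pack("!H", 0x0303) + bytes(32)              # client_version + random
            + b"\x00"                                          # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                      # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _dash(values):
    return "-".join(str(v) for v in values)


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a Client Hello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a Client Hello handshake record")
    off = 9                                                    # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", record, off)[0]
    off += 2 + 32                                              # version, random
    off += 1 + record[off]                                     # session id
    cs_len = struct.unpack_from("!H", record, off)[0]
    off += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", record[off:off + cs_len]) if c not in GREASE]
    off += cs_len
    off += 1 + record[off]                                     # compression methods
    ext_total = struct.unpack_from("!H", record, off)[0]
    off += 2
    end = off + ext_total
    ext_types, groups, formats = [], [], []
    while off < end:
        etype, elen = struct.unpack_from("!HH", record, off)
        off += 4
        data = record[off:off + elen]
        off += elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 0x000A:                                    # supported_groups: u16 length + u16 ids
            n = struct.unpack_from("!H", data)[0]
            groups = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n]) if g not in GREASE]
        elif etype == 0x000B:                                  # ec_point_formats: u8 length + u8 ids
            formats = list(data[1:1 + data[0]])
    ja3 = ",".join([str(version), _dash(ciphers), _dash(ext_types), _dash(groups), _dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


if __name__ == "__main__":
    print(*ja3_from_client_hello(build_client_hello()))
```

Built with or without GREASE, the JA3 string is identical, which is the reason for excluding those values. The slide's caveat holds in code as well: the hash identifies a TLS stack and its configuration, so every client using the same library version shares it, and recent browsers that randomise extension order yield a different JA3 on each connection.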
30. Reconnaissance
Hunting Reconnaissance Activities
What to hunt?
● IP address
○ Compare access IPs with intelligence.
○ Attackers use the scraping IP to send phishing emails.
● User-Agent
● JA3 TLS fingerprint (identify what kind of tools, or custom tools, the attacker uses)
● Customized signals
31. Hunting Weaponization Activities
Common Techniques
● Upload the malware sample to a public scanning service (e.g. VirusTotal) to test whether it evades detection.
How to hunt?
● With known intelligence, write YARA rules to hunt on the scanning service.
● Monitor the underground with an intelligence service.
Weaponized
https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
32. VirusTotal
● The "Google" of malware. One of the world's largest malware intelligence services.
○ 2+ billion malware samples
○ 1 million files uploaded per day
● Basic and advanced research capabilities.
● Crowdsourced verdicts (basic, free).
● Threat hunting, investigation, relationship analysis (advanced, paid tiers).
● Powerful intelligence tools: YARA, Hunt, Graph.
● Part of Chronicle, Alphabet's cybersecurity company.
34. Example 1: Finding new malware hosted on Drive
itw:docs.google.com p:20+ fs:2020-09-01T00:00:00+
fs (first seen)
Filters the files to be returned according to the datetime of their first submission to VirusTotal.
p (positives)
Filters the files to be returned according to the number of antivirus vendors that detected them upon scanning with VirusTotal.
itw (in the wild)
Returns all files that have been downloaded from a URL containing the literal provided.
35. Example 2: Finding attackers' testing activities
p:20+ type:peexe subspan:500- pets:2020-09-05T00:00:00+ submissions:2+ sources:1
type
Type of file (e.g. pdf, doc, peexe, etc.).
pets (PE timestamp)
Filters PE files according to their compilation timestamp.
submissions
Number of times the file was submitted to VirusTotal.
subspan
The difference (in seconds) between the first submission time and the compilation timestamp.
sources
Number of distinct sources that submitted the file to VirusTotal.
36. What the query surfaced:
● Uploaded within ~2 minutes of compilation
● ~7 minutes between the two builds
● Same submitter
● 10 times bigger??
https://www.virustotal.com/
37. Malware Analysis
An important skill for a threat hunter!
Why do malware analysis?
● Understand malware capability to understand the motivation and threat level (infostealer? RAT? miner?).
● Extract IoCs (indicators of compromise) to hunt in the network environment, track the campaign and support attribution.
● Identify the malware family to understand the attacker's TTPs. (Is this malware only used by Group A, or shared among different groups?)
● Produce detection rules, to hunt in the network and deploy detection.
38. Static Analysis
Examining a given malware sample without actually running or executing the code.
Dynamic Analysis
Analysis while running the code in a controlled environment.
https://www.amazon.ca/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
https://tenor.com/view/panda-office-pissed-tantrum-mad-gif-5146825
41. Sandbox Analysis
Automate the dynamic analysis, detection and hunting pipeline.
● Execute a program in an instrumented environment and monitor its execution.
● Sandboxes are increasingly used as the core of automated detection processes.
https://www.hybrid-analysis.com/
https://any.run/
https://twitter.com/joe4security
https://cuckoosandbox.org/
45. Ingest OSINT with Critical Thinking
What information have we got so far?
● Potential attacker from a Brazilian IP.
● C&C domain resolved to a Brazilian IP.
More information about XtremeRAT:
● Xtreme RAT is a commodity RAT that was first publicly sighted in 2010.
● The RAT is available for free and its source code has been leaked.
We don't have enough information for attribution in this case!
46. YARA Rule
What is YARA?
● A tool to assist malware researchers in identifying and classifying malware
● Identifies malware by string or binary patterns
● YARA rule = strings + condition
● Useful to catalog threat actors and associated IOCs
49. Underground Forum Monitoring
Some attackers (especially criminals) are not low-profile:
● Recruiting hackers.
● Buying ransomware, malware, stealers, etc.
● Selling stolen data and accounts.
How to hunt?
● 3rd party intelligence.
● Monitoring service.
● Forum crawlers.
50. Honeypot Hunting
Present an opportunity instead of finding the needle in the haystack.
● A honeypot mimics a target for hackers, and uses their intrusion attempts to gain information about the attackers' intrusion techniques.
● A honeypot can be a virtual system, a fake database, a fake email address, or a web page.
● Collect intelligence by monitoring the attacker's behavior in the pot:
○ TTPs
○ IoCs
○ What are they most interested in?
52. Is Campaign Tracking Useless???
Purpose
High-level intelligence can be useless at the tactical level.
Understand your purpose and use the proper intelligence.
Ingest
Without ingestion, an intelligence report won't become your security asset.
Note: the definitions of Operational Level and Tactical Level might be swapped in other materials.
55. Cyber Attribution Model
Cyber Attack Investigation
● 3W1H: Who / Why / What / How
● Four components:
○ Victimology / Adversary
○ Infrastructure
○ Capabilities
○ Motivation
[1] https://cybersecurity.springeropen.com/articles/10.1186/s42400-020-00048-4
56. Cyber Attribution Model
Cyber Threat Actor Profiling
● Who could be the perpetrator?
● What infrastructure have they used for the attack, and what capabilities and motivation might they have?
[1] https://cybersecurity.springeropen.com/articles/10.1186/s42400-020-00048-4
57. A Solid Ground to Start From?
Ingest Information
● OSINT reports
● Community resources
● Security conferences/summits
● Company online seminars
● Incident response reports
Attribution Anchor
Attributes that are relatively unique, would be difficult for an adversary to change, and exist across multiple phases of the kill chain.
58. Campaign Tracking Attributes
● Any intrusion can be modeled into 7 phases (Kill Chain)
● An intrusion can be considered a highly-dimensional set of indicators, called "attributes"
Backdoor: Nowadays, signatures are far from sufficient to detect malicious files
Exploit Tool: Zero-day exploits are rarer and more expensive than ever
C2 Infrastructure: Adversaries might use the same infrastructure for years
Target Scope: Against high-value targets for a specific purpose
65. Data Preprocess → Retrieve Indicator → Triage → Investigation
Retrieve Indicator
To identify all of the possible victims in the leaked data, information such as IPs, domains, organization names and personal credentials is useful.
Triage
* Separate IPs by geolocation information.
* Separate domains by WHOIS information.
* Back-trace the routing path; routing server names might reveal the host identity.
* Credential analysis
Investigation
* Actor profiling
  - Ability of intrusion
  - Purpose & target
  - TTPs
* Victim profiling
  - Affected industry
  - Scale of damage
  - Root cause of the intrusions
66. Infrastructure Investigation
What matters?
● Server type
○ VPS
○ Web hosting server
○ CDN server
○ Compromised site
○ Sinkholed
○ Private server
● Timestamps
○ Resolve timestamp
○ Info update timestamp
● Registrant information
○ Registrant name, organization, address, phone
● Certificate
○ Hash / serial number
○ Organization name
○ Common name
Passive DNS Records
Passive DNS records can help you trace back the domains associated with an IP address.
https://community.riskiq.com/
67. Victim Investigation
Certificate Information
SSL certificate serial number, contact name, email, address, etc. are useful indicators.
Registrant Information
Most registrant info might be masked due to GDPR regulation. Information is still available for normal companies and service providers.
Passive DNS Records
Passive DNS records can help you trace back the domains associated with an IP address.
[3] https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en
https://www.nic.ad.jp/
https://community.riskiq.com/
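Passive DNS and registrant pivots, as on slides 66 to 69, are only as good as the noise filtering around them: a C2 IP on shared web hosting or a CDN co-hosts hundreds of unrelated domains, and a domain that resolved to the IP years earlier is a previous tenant, not an overlap. The following Python is an added example for this page, not code from the slides or from RiskIQ: it pivots from a seed domain through constructed passive DNS records, drops IPs hosting more than a threshold of domains, keeps only domains whose resolution window overlaps the seed's, and adds a registrant match when the WHOIS name is not redacted. Domain names, IPs and the registrant string are placeholders.

```python
"""Pivot from a C2 domain through passive DNS and registrant data.

Added example for this page, not code from the slides or from RiskIQ. All
records are constructed: domains use reserved .test names, IPs come from
documentation ranges, and the registrant string is a placeholder.
"""
from datetime import date

# Constructed passive DNS records: (domain, ip, first_seen, last_seen)
PDNS = [
    ("update.c2-example.test", "203.0.113.5", date(2020, 5, 1), date(2020, 7, 30)),
    ("blog.persona-example.test", "203.0.113.5", date(2020, 6, 10), date(2020, 8, 1)),
    ("old-tenant.test", "203.0.113.5", date(2018, 1, 1), date(2019, 2, 1)),
    ("update.c2-example.test", "198.51.100.77", date(2020, 8, 1), date(2020, 9, 1)),
] + [
    # a shared hosting IP the C2 moved to later; co-hosting here proves nothing
    ("tenant-%d.test" % i, "198.51.100.77", date(2020, 1, 1), date(2020, 12, 31))
    for i in range(6)
]

# Constructed registrant data; most records are redacted post-GDPR, as slide 67 notes.
WHOIS = {
    "update.c2-example.test": "Registrant Alpha",
    "blog.persona-example.test": "Registrant Alpha",
    "old-tenant.test": "REDACTED FOR PRIVACY",
    "tenant-0.test": "REDACTED FOR PRIVACY",
}


def shared_hosting_ips(records, threshold):
    """IPs hosting more than `threshold` distinct domains (CDN, web hosting, sinkholes)."""
    domains_per_ip = {}
    for domain, ip, _, _ in records:
        domains_per_ip.setdefault(ip, set()).add(domain)
    return {ip for ip, domains in domains_per_ip.items() if len(domains) > threshold}


def pivot_from_domain(seed, records, whois, shared_threshold=5):
    """Return {domain: [evidence]} for domains tied to `seed` by overlapping co-hosting or registrant."""
    noisy = shared_hosting_ips(records, shared_threshold)
    seed_windows = {}                                  # ip -> [(first_seen, last_seen)] for the seed
    for domain, ip, first, last in records:
        if domain == seed:
            seed_windows.setdefault(ip, []).append((first, last))
    findings = {}
    for domain, ip, first, last in records:
        if domain == seed or ip not in seed_windows or ip in noisy:
            continue
        for seed_first, seed_last in seed_windows[ip]:
            start, end = max(first, seed_first), min(last, seed_last)
            if start <= end:                           # the two resolution windows actually overlap
                findings.setdefault(domain, []).append(
                    "co-hosted on %s from %s to %s" % (ip, start, end))
    registrant = whois.get(seed)
    if registrant and "redacted" not in registrant.lower():
        for domain, name in whois.items():
            if domain != seed and name == registrant:
                findings.setdefault(domain, []).append("same registrant: %s" % registrant)
    return findings


if __name__ == "__main__":
    for domain, evidence in pivot_from_domain("update.c2-example.test", PDNS, WHOIS).items():
        print(domain)
        for line in evidence:
            print("  ", line)
```

The shared-hosting threshold is a placeholder to be replaced with what your passive DNS source shows for known CDN and hosting ranges. The case on slide 71 is the registrant branch of this pivot: one unredacted registrant name tied a personal blog to the C2 infrastructure.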
70. Campaign Tracking Case Study
Threat Detected
* Malicious EXE file disguised with a Doc icon, in June
* Uses the "Hong Kong security law" issue as the lure theme
* The lure document is a letter from the Vatican
Malware Analysis
* A delicate malware downloader that infects the system with a 2nd stage.
* The 2nd stage backdoor is a variant of PlugX.
* PlugX is malware widely used by many APT groups.
Infrastructure Analysis
* Abuses Google Drive to deliver compressed malicious files
* Uses services from CN-based service providers
* Infrastructure appears in many Mustang Panda related reports
Source: any.run sandbox; source: FireEye
71. Campaign Tracking Case Study
Interesting Overlap
* A personal blog domain is associated with the C2 infrastructure used for this operation.
* Registrant name: "Ma Ge Bei Luo Xiang Gang Jiu Dian"
Possible Persona
* The user ID could be found on many programming forums, blogs, GitHub, etc.
* From the self-introduction pages of the services above, we found the surname overlap. Got you!
* Personal CV found in the wild.
[4] www.xuepojie.com
72. After story...
In August, a new sample with Tibet-Ladakh relationship lure content was discovered in the wild...
Backward Tracing
* Found a related sample on Google Drive from the same account, with the file title "QUM, IL VATICANO DELL'ISLAM".
* They used a Middle East related lure in June as well.
Lure document (source: FireEye)
What do we learn from tracking?
◂ Get updated anchors for future reference.
◂ Understand the whole landscape, not separate incidents.
◂ Learning the history is helpful: we can review the past and predict the future.
75. Common Errors
● Source reliability / fidelity
● Mixing fact with assessment
○ Differentiate KNOW & THINK
○ Public research & media might not differentiate them
● Failure to consider visibility
● Failure to account for human action
● Failure to consider alternate explanations
76. Anchoring Effect
● Depending too heavily on an initial piece of information when making subsequent judgments during decision making:
○ Quick tweet from the community
○ Similar exploit template
○ Same malware/hacking tool found in forensics
○ Overlapping code snippet detected
○ Overlapping C2 infrastructure detected
● Don't ignore evidence that conflicts with your initial vector.
Decide attribution only when you have sufficient evidence!
78. False Flag & Disinformation
Cisco Talos
OlympicDestroyer shared the same techniques as BadRabbit and NotPetya.
Intezer
They found code in OlympicDestroyer that connects to known Chinese threat actors.
Recorded Future
Found similarities to malware loaders from BlueNoroff/Lazarus, a North Korea based APT group.
[6] Securelist, Mar. 2018: https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/
81. Attribution Guide
Best Practices for Determining Attribution
● Look for human error
○ Almost all cyber attribution successes have resulted from attackers' operational security errors
● Timely collaboration, information sharing, and documentation
○ Acquisition, documentation, and recovery of data within twenty-four hours of a cyber incident
● Rigorous analytic tradecraft
○ Must be careful to avoid cognitive bias
[7] A Guide to Cyber Attribution, ODNI, Sep. 2018: https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf
82. Attribution Guide
Best Practices for Presenting Attribution Analysis
● De-layer the judgment
● Provide a confidence level
○ High: the totality of evidence and context with no reasonable alternative
○ Moderate: the totality of evidence and context is clear and convincing, with only circumstantial cases for alternatives
○ Low: more than half of the body of evidence points to one thing, but there are significant information gaps
● Identify gaps
○ Not enough data for a judgment or confidence statement
83. Attribution Guide
[7] A Guide to Cyber Attribution, ODNI, Sep. 2018: https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf
84. Summary
● Threat Hunting
○ Threat hunting serves different purposes for different roles.
○ Create a hypothesis before developing a threat hunting program.
○ Threats do not start at intrusion. The reconnaissance and weaponization stages are also threat hunting's playgrounds.
● Campaign Tracking
○ Decide on a solid anchor as the reference base for tracking.
○ Attribution is a very delicate topic. It should be handled with great care.
○ Avoid possible cognitive bias and de-layer your judgment.
○ NO rush with attribution.