CONFidence2015: Real World Threat Hunting - Martin Nystrom (PROIDEA)
Real World Threat Hunting
Security threats have grown from network annoyances to attacks on sensitive infrastructure: penetrating network perimeters, moving laterally within networks, breaching new device types, and cloaking movements. This presentation will share techniques used by Cisco to detect and investigate sophisticated, embedded threats.
The speaker, who has conducted monitoring and investigations on customer networks, will review recent real attacks observed on customer networks, from discovery to remediation, and provide lessons learned. These interactive case examples will highlight how to identify these threats using security intelligence, expert staff, and the Cisco OpenSOC platform.
Examples of attacks and illustrations:
* Sophisticated phishing attacks targeted at customer environments.
* Breaches and data exfiltration resulting from the high-profile HeartBleed and Shellshock vulnerabilities.
* Sophisticated malware targeting financial institutions with the goal of data theft.
* Use of full packet capture to identify data exfiltration.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo (Katie Nickels)
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
Dragos Adversary Hunter Jimmy Wylie presents "TRISIS in Perspective" at the 13th annual API conference in Houston, TX. This presentation analyzes the 2017 TRISIS event at an unspecified gas facility in Saudi Arabia--the first deliberate targeting of SIS that could have resulted in potential loss of life. This presentation also examines the post-TRISIS period, as Dragos has observed that XENOTIME, the adversary group responsible for TRISIS, has expanded its targeting to North America and other safety systems.
Visit www.dragos.com to learn more.
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr... (MITRE - ATT&CKcon)
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.
VERIS has been the base analysis framework for supporting the Verizon Data Breach Investigations Report (DBIR) since its inception. However, as organizations work to interpret the richness of information present on the DBIR to a more tactical level, the Threat Action Varieties available on VERIS fail to capture the detail present on the incidents recorded.
This talk presents the Verizon Common Attack Framework (VCAF), an effort from the Security Data Science team and the DBIR team in Verizon to expand and map the ATT&CK framework in alignment with the DBIR Threat Action Varieties to provide this much-sought level of granularity in recording and analyzing recorded breaches.
Additionally, this talk describes possible outcomes when this data is available and organized as such. Examples include applying DBIR-inspired attack vector analytics upon ATT&CK layer information, effectively identifying optimal control choke points on the attack graphs according to specific industries covered by the DBIR.
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether in Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610), mine cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities of popular container runtime engines that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like, based on honeypot data Lacework has gathered over the past year, as well as techniques for defending their own container-focused workloads.
INCIDENT RESPONSE AND THREAT HUNTING CLINIC - TECHNICAL WORKSHOP DAY OF... (Cristian Garcia G.)
Gain a deeper understanding of the strategy, solutions and best practices for identifying, containing and hunting threats, so that you can incorporate these processes into your daily workflow and be better protected against the most sophisticated cyberattacks.
A look at current cyberattacks in Ukraine (Kaspersky)
Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share their findings on the most recent cyberattacks targeting Ukraine and present their observations, analysis and top findings.
- The types of attacks that have been targeting Ukraine for the past few months
- The results of analysis on destructive attacks and malware (HermeticWiper, etc...)
- How organizations can defend themselves against cyberattacks
GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world that work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends across the world.
CoinMiners are on the rise, trending so high that in the last couple of months they have almost completely replaced ransomware in both the media and the research community. Unlike ransomware, which profits from rapidly encrypting users' data and holding it hostage, CoinMiners profit from hijacking computer resources. The longer a CoinMiner stays undetected and stealthy, the higher its author's profit.
In this talk we will focus on the unexplored territory of CoinMiner evasive maneuvers and the functionality they use to avoid being found by their victims, and provide tactics and tools to combat them.
Trisis in Perspective: Implications for ICS Defenders (Dragos, Inc.)
Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS, its operation, and mitigations; however, such mitigations are usually too specific to TRISIS and fall short in assisting defenders with safety systems other than a Schneider Electric Triconex. In May, Dragos discovered that XENOTIME, the activity group behind TRISIS, had expanded its targeting to North America and other safety systems. Given this new data, a generalized approach to safety system defense is critical knowledge for ICS security personnel. This discussion aims to provide such an approach to guarding safety systems. We will provide an overview of the TRISIS malware, including its installation, execution and modification to the controller. Next, we will break down the TRISIS event's specific tactics, techniques and procedures (TTPs) and generalize them across the ICS kill chain. Using this model, we provide present-day actionable defense strategies for asset owners, as well as guidance for forensics, restoration, and recovery should an attack be discovered. We also look to the future and recommend ways in which the state of the art can be improved by vendors and ICS owners to empower defenders with the information they need to stop future attacks.
Learn more here: https://www.dragos.com/blog/trisis/
This talk is an introduction to Secure Coding for Java. Through various examples it will present the best practices for developing a secure Java application in a pragmatic way. We will cover both functional practices and snippets of faulty Java code together with their fixes.
Monthly DFIR Training in collaboration with DFIR Austin. This month's training covered the process of getting remote access during incident response investigations, delving into rapid agent deployment options such as GPOs and RMM tools as well as agentless triage channels such as WMI, PowerShell Remoting, SSH, etc.
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure (Shakacon)
As an incident responder, have you ever thought about how much easier an investigation would be if you had the C2 server in your possession? In this talk, we are going to deep-dive into a rare investigation in which Mandiant obtained a forensic copy of an attacker C2 system. You will learn about the initial compromise of the C2 server, the tools and tactics used by the attacker, and the investigative steps taken to identify the full scope of the attack. In addition, you will learn about the specific challenges involved with the analysis, the tool I developed to carve all PostgreSQL rows from a forensic image, and some unique lessons learned from performing this investigation.
Reassessing the 2016 CRASHOVERRIDE Cyber Attack (Dragos, Inc.)
Upon discovery and initial analysis in mid-2017, audiences primarily viewed CRASHOVERRIDE as a disruptive event targeting electric utility operations in Ukraine. Similar to the 2015 attack in the same area, CRASHOVERRIDE interrupted the flow of electricity by manipulating ICS equipment and delayed recovery operations to prolong the impact. However, CRASHOVERRIDE’s immediate effects represent only the precursors for an attempt at a more ambitious attack than what was achieved.
In this presentation, Dragos Principal Adversary Hunter Joe Slowik reexamines the CRASHOVERRIDE event and likely attacker intentions, highlighting how CRASHOVERRIDE attempted a different type of attack than 2015.
Viewers learn how to begin developing and deploying the required visibility, resilience, and response measures needed to cope with an attack like CRASHOVERRIDE.
To view the webinar, go here: https://youtu.be/yX0ZSu_rVc0
Dragos Adversary Hunter Joe Slowik presents on Behavior-Based Defense in ICS at the 13th annual API conference in Houston, TX. This presentation discusses how identifying adversary behaviors and their common requirements and behaviors can help network defenders prepare for future events--exemplifying how network defense for sensitive environments is strengthened through continuous improvement from prior events.
Visit www.dragos.com to learn more.
The Four Types of Threat Detection and Use Cases in Industrial Security (Dragos, Inc.)
Dragos' Sergio Caltagirone and Robert M. Lee discuss the four types of threat detection methods for industrial control systems operations, while providing ICS-specific use cases, to help you determine which detection strategy is most effective for your organization.
The recorded webinar can be found here: https://youtu.be/zqvDu0OaY8k
Also check out the Four Types of Threat Detection white paper: https://dragos.com/blog/FourTypesOfTh...
Part of the Secrets of ICS Cybersecurity webinar series: https://dragos.com/blog/20181017Webin...
More info www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/
TRITON: The Next Generation of ICS Malware (Thomas Roccia)
This presentation is about the industrial malware dubbed Triton that targeted a safety instrumented system in an oil and gas plant in 2017. It was presented during the CNES COMET event about Industrial Threats.
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants (MITRE - ATT&CKcon)
From MITRE ATT&CKcon Power Hour December 2020
By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho
Design Basis Threat (DBT) is a concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT-centric security controls. Using MITRE's ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.
MITRE ATT&CKcon 2018: Playing Devil's Advocate to Security Initiatives with A... (MITRE - ATT&CKcon)
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives, to make sure that by fixing one thing we have not just created another opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics, techniques and procedures (TTPs) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
VMworld 2013: Security Automation Workflows with NSX (VMworld)
VMworld 2013
Gargi Keeling, VMware
Don Wood, McKesson
Troy Casey, McKesson
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
On Tuesday, June 22nd Jonny Griffin, Security Engineer at Working Group Two, gave a presentation at a three day conference at GSMA FASG.
In the last three years, Working Group Two has been developing a DevSecOps framework to ensure their cloud-native mobile core network is secure.
Automating Cloud Security introduces the topics around cloud computing, DevSecOps, cloud-native security layers, and how WG2 built a security toolchain that can be leveraged by any organisation.
As security evolves, so do WG2's capabilities for identifying, preventing, and responding to security events in our networks.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
Catch Me If You Can - Finding APTs in your network (DefCamp)
Adrian Tudor & Leo Neagu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for... (VMworld)
VMworld 2013
Merritte Stidston, McKesson
James Wiese, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Tech Throwdown: Secure Containerization vs Whitelisting (Invincea, Inc.)
To address the inadequacy of traditional anti-virus solutions, whitelisting and secure containerization approaches have both gained traction in the enterprise. Both approaches have the overarching goal of preventing a successful breach at the endpoint, but each works differently and focuses on different parts of the cyber kill chain.
Invincea, a secure containerization solution, inoculates high-risk and Internet-facing applications against attack by running them in secure virtual containers, which have restricted access to the underlying host OS. This effectively removes the most common means of delivering the infection (see figure below). Any successful exploits of targeted applications (such as IE, Java, Flash, etc.), including by 0-day exploits, are kept safely in quarantine where additional forensic details may be uncovered.
Whitelisting attempts to prevent infections by allowing only certain known executables to run. This means whitelisting solutions will not see initial exploits; rather, whitelisting focuses on the next step beyond the exploit, where many attacks then attempt to launch 2nd-stage (malicious) executables with additional goals such as privilege escalation, lateral movement, or data exfiltration. In other words, whitelisting solutions have no visibility into exploits of existing programs or into memory-resident malware. In addition, whitelisting solutions that prevent unknown software from running will flag legitimate software (such as patches) that has not yet been added to the whitelist.
This presentation will introduce the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through 4 different practical scenarios in a fictional company, https://sensenet-library.com, attendees will learn how they can use those frameworks to measure their security response in today's diverse security threat landscape. We'll go through categorising security controls, responding to a vulnerability report, assessing a threat intel report, and deciding on the future of the company's toolset, so that you will be able to answer whether you should continue investing in a tool or buy a new one.
Secure Application Development in the Age of Continuous Delivery (Tim Mackey)
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it's imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx - lior mazor
Our technology, work processes, and activities all depend on whether we can trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, advanced DevSecOps methods, how to implement secure coding analysis, and how to manage software security risks.
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence - Priyanka Aash
White hat defense systems continue to improve on supervised learning sets, using machine learning and deep learning neural networks to defend against an exploding attack surface. Zombies that require commands from botnet herders are becoming intelligent, capable of their own decisions, as we saw with Hajime in 2017. Swarm intelligence can be used to enhance these networks. What can we do to defend?
Learning Objectives:
1: Learn about the current state of black hat automation/AI practices.
2: Understand the next stage of black hat swarm intelligence hive networks.
3: Gain insight into practical defense approaches using white hat automation and AI.
(Source: RSA Conference USA 2018)
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem... - Criminal IP
Businesses and organizations have numerous network devices, databases, servers, applications, and domains, and all of these IT assets are exposed through IP addresses and ports.
Attack Surface Management refers to the proactive detection and management of attack vectors such as open ports, server vulnerabilities, similar domains, phishing, and domains distributing malicious code.
Criminal IP ASM automatically monitors and generates a report on assets exposed to the attack surface.
All IT assets are thoroughly detected globally, with a streamlined introduction procedure requiring registration of only one primary domain.
Request a FREE Demo of Criminal IP ASM at:
https://www.criminalip.io/asm/attack-surface-management
0x01 - Newton's Third Law: Static vs. Dynamic Abusers - OWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it for their own needs. In this talk we'll compare measures that are effective against static attackers with how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Acorn Recovery: Restore IT infra within minutes - IP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery service (DRaaS) by IP ServerOne: a DR solution that helps restore your IT infra within minutes.
2. About
ZY Wu
• Threat analyst in the Fox-IT intel team
• Malware analysis & threat intel
• Find me at zong-yu.wu@fox-it.com
CK Chen
• HITCON Member
• HITCON 2021 Review Board Chairman
• Researcher, focus on malware analysis, APT investigation and threat intel
3. Agenda
• What happened?
• Define the supply chain attack
• Impact Assessment – Finding the targets
• How special is it?
4. Kudos to
Danny at Fox-IT
YJ at TrendMicro
Anonymous Hamster at Exercise wheel
6.
2020.12.09 - FireEye hacked, red team tools leaked
2020.12.13 - CISA issued emergency directive
2020.12.13-14 - WSJ, Reuters: U.S. Treasury and Commerce departments hacked
2020.12.15-18 - Second malware, Supernova, discovered
2020.12.17 - Microsoft, FireEye, GoDaddy establish killswitch
2020.12.17 - Microsoft reports potential victims
2020.12.31 - Microsoft confirmed source code stolen
2021.01.05 - CISA, DNI, NSA suspect the actor is Russia-based
2021.01.06 - Department of Justice confirmed hacked
2021.01.11 - CrowdStrike releases SUNSPOT investigation report
2021.01.13 - CISA: bypass of MFA in cloud services
2021.01.19 - FireEye released remediation for Microsoft 365
2021.01.19 - Malwarebytes claims to have been hacked
2021.01.22 - Microsoft: deep dive into the Solorigate second-stage activation
2021.02.18 - Microsoft internal Solorigate investigation, final update
2021.03.04 - Microsoft, FireEye: new SUNSHUTTLE backdoor targeting U.S.-based entity
8. A %verb% B
A \ B      | Target                  | Supplier      | Attacker
Target     | Afraid of (the insider) | Relied on     | Afraid of
Supplier   | Relied on               | -             | Afraid of
Attacker   | Interested in           | Proxy through | -
9. Advantage of exploiting Supply Chain
• Abuse the trust between supplier and targets
• It is possible to find a weaker supplier among those
• Compromising a whole range of companies if the major supplier in a sector is taken
10. Attack Against Code Dev.
Normal pipeline: Commit -> Build (Signing) -> Test -> Deploy
Compromised pipeline: Commit -> SUNSPOT injects SUNBURST -> Build (Signing) -> Test (SUNBURST stays low) -> Deploy -> SUNBURST's party time
11. Impact Assessment
• More likely for espionage purposes, but this makes impact assessment tough to do.
• In this presentation, I invite you to take a journey with me to picture the targeted industries.
12. Malwares on the Desk
Inside SolarWinds: SUNSPOT (injector)
Running at victims' env.: SUNBURST (beacon), TEARDROP (loader), RAINDROP (loader), GoldMax, SiBot, GoldFinder, CobaltStrike
13. SUNBURST under X-Ray
• The beacon, the backdoor, installed in the SolarWinds Orion Platform.
• It avoids being launched in any dev. env.
15. Malware stays low under these AD domains:
swdev.local, saas.swi, emea.sales, dmz.local, pci.local, lab.local, apac.lab, dev.local, swdev.dmz, lab.rio, cork.lab, lab.brno, lab.na, test, Solarwinds
It checks antivirus drivers/processes/services and analysis tools as well:
https://github.com/fireeye/sunburst_countermeasures/blob/main/hashcat.potfile
SUNBURST was coded like a legitimate class, for example:
• Process names are encoded
• Mimicking the legitimate traffic on the platform
16. SUNBURST under X-Ray
• The beacon, the backdoor, installed in the SolarWinds Orion Platform.
• It avoids being launched in any dev. env.
• The callback domain is generated from victim information and sent over the DNS protocol.
• Stage 1 – over DNS, to get the HTTP server
• Stage 2 – over HTTP, for the backdoor
17. SUNBURST Callback Protocol
• There are up to 4 different types (2 encodings x 2 inputs). An example:
57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
Prefix: 57tadh50ha5mr9ah6ee0o6iuir0iwu0c | Fixed: appsync-api | Random: us-east-1 | C&C: avsvmcloud.com
Prefix layout: 15 chars = Encoded GUID (06a4ea63c80ee24a) | else = Encoded AD domain name (scc.state.va.)
-> The AD domain can be retrieved from a DNS query!
-> Reverse engineering to decode
18. SUNBURST Callback Protocol
• DNS traffic, for resolvers that are not running over SSL, is not encrypted
• It is possible to gather the domains that were queried at a certain time by listening to the network traffic from the internet backbone.
• This dataset is called a Passive DNS record.
20. Searching the victims (in PASSIVE mode)
Query 1: 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
Query 2: m1g39j9sctjtv6m0f6.appsync-api.us-east-1.avsvmcloud.com
Each name: Prefix | Fixed | Random | C&C
Query 1 prefix: 15 chars = Encoded GUID (06a4ea63c80ee24a) | else = Encoded AD domain name (scc.state.va.)
Query 2 prefix: 15 chars = Encoded GUID (06a4ea63c80ee24a) | else = Encoded AD domain name (us)
Add up to scc.state.va.us
DGA encoding method for PASSIVE state
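As an added example (not code from the presentation; the DGA details are reconstructed from public analyses of the sample rather than taken from the slides), a Python decoder for passive-mode labels like the two above: it recovers the GUID and the domain fragment from each query and joins fragments per GUID, the "add up" step on the slide. It assumes the GUID block is the first 16 characters of the label and that a "00" prefix marks the raw-base32 variant used for domains with characters outside the substitution alphabet; the active-mode layout is not covered.

```python
# Added example, not code from the presentation: a decoder for SUNBURST
# passive-mode DGA labels, reconstructed from public analyses. Assumed here:
# the first 16 label chars are the GUID block (10 bytes: XOR key, 8-byte GUID,
# one trailing byte left uninterpreted); "00" marks the raw-base32 variant.
BASE32_ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"   # 5-bit symbols, LSB-first
SUBST_ALPHABET = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"  # domain chars, rotated by 4
SPECIAL_CHARS = "0_-."                                  # escaped as "0" + alphabet char
GUID_CHARS = 16

def base32_decode(s):
    # unpack 5-bit symbols LSB-first; leftover (<8) bits are padding and dropped
    acc, nbits, out = 0, 0, bytearray()
    for ch in s:
        acc |= BASE32_ALPHABET.index(ch) << nbits
        nbits += 5
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    return bytes(out)

def decode_guid(block):
    raw = base32_decode(block)             # byte 0 is a per-query XOR key
    return bytes(b ^ raw[0] for b in raw[1:9]).hex()

def decode_domain_part(part):
    if part.startswith("00"):              # raw variant: base32 of the text itself
        return base32_decode(part[2:]).decode("ascii", errors="replace")
    out, i = [], 0
    while i < len(part):
        if part[i] == "0":                 # escape: next char's index mod 4 picks "0_-."
            i += 1
            out.append(SPECIAL_CHARS[SUBST_ALPHABET.index(part[i]) % 4])
        else:                              # plain char: undo the +4 rotation
            out.append(SUBST_ALPHABET[(SUBST_ALPHABET.index(part[i]) - 4) % 35])
        i += 1
    return "".join(out)

def decode_passive(label):                 # one label -> (guid_hex, domain_fragment)
    return decode_guid(label[:GUID_CHARS]), decode_domain_part(label[GUID_CHARS:])

def reassemble(labels):
    """Join fragments per GUID in the order seen: the slide's 'add up' step."""
    parts = {}
    for label in labels:
        guid, frag = decode_passive(label)
        parts.setdefault(guid, []).append(frag)
    return {guid: "".join(frags) for guid, frags in parts.items()}

SLIDE_LABELS = ["57tadh50ha5mr9ah6ee0o6iuir0iwu0c", "m1g39j9sctjtv6m0f6"]  # from the slide
```

Fragment order is taken from the input order, so with real passive DNS data the queries must first be sorted by timestamp per GUID.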
23. Searching the targets (in ACTIVE mode)
9q5jifedn8aflr4ge3nu.appsync-api.us-east-1.avsvmcloud.com
Prefix | Fixed | Random | C&C
Prefix layout: 8 = GUID (06a4ea63c80ee24a) | 3 = Meta (mode=1, active=1, timestamp=2020-05-31 12:00:00) | else = Running Antivirus
The GUID is mapped to scc.state.va.us
DGA encoding method for ASSOCIATED/ACTIVE state
24. Searching the targets (in ACTIVE mode)
Government: scc.state.va.us, central.pima.gov, mgt.srb.europa, fc.gov, ddsn.gov, phpds.org
Energy: HQ.FIDELLA, lagnr.chevronte, xaco.net, coxnet.cox.com
Defense: ng.ds.army.mil, nsanet.local
Tech/CyberSecurity: corp.qualys.com, paloaltonetworks.com, logitech.local, wctc.msft, ggsg-us.cisco.com, cisco.com, fox.local
25. A %verb% B
A \ B      | Target                  | Supplier              | Attacker
Target     | Afraid of (the insider) | Relied on & Afraid of | Afraid of
Supplier   | Relied on               | -                     | Afraid of
Attacker   | Interested in           | Proxy through         | -
26. Software Supply Chain
• While better defense mechanisms are deployed, threat actors move their target to the weakest point of the supply chain
• More complicated software -> more complicated supply chain
• We talk a lot about supply chain, so... what's the supply chain of the software you use daily?
34. APTs Utilize Supply Chain Attacks
• While most organizations gradually enhance their security, adversaries try to compromise the weakest point of the partner/supply chain first.
• ASUS ShadowHammer (2019): discovered by Kaspersky
• ASUS WebStorage (2019): we discovered this operation at the same time as ESET
35. APTs Utilize Supply Chain Attacks
• While most organizations gradually enhance their security, adversaries try to compromise the weakest point of the partner/supply chain first.
• SolarWinds Supply Chain Attack (2021)
36. Highlight TTPs
• Supply Chain Attack: a large number of enterprises are potential victims
• Compromise DevOps: keep stealthy in the development environment
• Sophisticated Malware: separate the malware's execution path
• Attacking the Cloud Service
37. Attacking the Cloud Service
• Lateral movement from on-premises networks to gain unauthorized access to the victim's Microsoft 365 environment
• Golden SAML Attack
• Modify Trusted Domains
• Hijack Azure AD Applications
• Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365
38. Mitigation
• Threat Hunting for Malicious IoCs
• FireEye's Red Team Tool IoCs
• SUNBURST IoCs
• CISA "Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations"
• Summary of the IoCs
• https://shorturl.at/fxKTV
39. Mitigation
• Mandiant Azure AD Investigator
• https://github.com/fireeye/Mandiant-Azure-AD-Investigator
• CISA "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services"
• https://github.com/cisagov/Sparrow
40. Lessons Learned
• While being compromised is hard to avoid, proactive threat hunting and incident response still matter.
• Communicate and share with the security community
• Sophisticated APT attacks:
  • Supply chain attack
  • Compromised DevOps process
  • Leverage cloud service attacks
• Supply chain security will still be the loophole in enterprises' security
• Using threat intelligence, e.g. PDNS, helps us understand threat actors' targets
• Cloud services become a new attack vector for LM (lateral movement)