This document summarizes an analysis of over 12 million web defacement records spanning 19 years from several databases. The analysis found that 50% of actors joined at least one campaign team. It identified various campaigns responding to the 2015 "Charlie Hebdo" attacks in France and showed how attackers are organized into interconnected campaigns and teams. The study also examined long-term and aggressive defacement campaigns as well as trends over time, concluding that semi-automated detection of campaigns can help analysts understand modern defacements and their real-world context and motivations such as political conflicts.
Social media platforms have become the norm for companies to engage with customers and communicate information with the rest of the world. These networks also provide data that, when used with social monitoring tools, can be used to mitigate security issues before they become a major problem.
In this presentation you can learn how some of the world’s leading companies are using social intelligence to monitor security threats, identify liabilities, and get ahead of risk.
Covered:
Cyber security attacks
Fraud detection
Intellectual property protection
Executive and talent threats
C* Summit 2013: Big Data Analytics – Realize the Investment from Your Big Dat... (DataStax Academy)
The term "big data" seems to be everywhere these days. With the ever growing number of attendees at big data and Hadoop events, it’s clear big data is here to stay. But what does that mean for the analytics market, and how does big data fit into the picture? This session, featuring Mark Davis, Sr. Product Architect at Dell, will explore what big data means in a practical sense to the IT department. It will also explore the many ways that big data affects an organization’s picture of performance. Plus, see how big data analytics, using technologies like Cassandra and Hadoop, will converge with traditional business intelligence to create a complete picture of the enterprise's information assets, thereby giving the business a complete and insightful view of its operational efficiency.
Introduction to Briar: connecting with each other without the internet (Barbara Maseda)
A mini-workshop on installing and learning to use Briar, a device-to-device connection app that requires no internet servers. Delivered by Torsten Grote.
Use of HOG descriptors in phishing detection (Selman Bozkır)
In this paper we dive into the details of an anti-phishing detection system that employs HOG features.
* The presentation was built with a voice recording.
How to break the delivery stage of the cyber kill chain was the main topic I delivered last Sunday during IDSECCONF 2018 in Malang.
The cyber kill chain isn't new at all; it has been around for a long time. The term was popularized by Lockheed Martin a few years ago to help the industry identify methodologies and technologies to prevent cyber attacks.
I covered signature-based malware detection, sandboxing, artificial intelligence, and introduced "content disarm reconstruction" in detail.
IDSECCONF is always about contributing back to the community, since we learned from the community many years ago. I hope what I've learned from industry about CDR technology can be beneficial to the Indonesian IT security community.
FireHost Webinar: Protect Your Application With Intelligent Security (Armor)
Learn from the experts how to effectively secure your online business. Join FireHost’s CEO, Chris Drake, and WhiteHat Security’s CTO, Jeremiah Grossman as they identify current threats, and reveal how examining billions of attempted attacks at a macro level has identified a new way for enterprises to make intelligent decisions about better protecting their information assets.
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se... (Black Duck by Synopsys)
Black Duck senior technology evangelist Tim Mackey talks containers this week at DevSecCon and elaborates on his presentation, “When Good Containers Go Bad,” with IT Pro, Cloud Pro and Data Centre News. Black Duck VP of Security Strategy Mike Pittenger shares his thoughts on the biggest security threat we face in 2018. Artifex and Hancom settle their long-running open source licensing dispute, and the hidden costs of open source security.
Read all the hottest open source security and cybersecurity news in this week’s Open Source Insight.
Using Chaos to Disentangle an ISIS-Related Twitter Network (Steve Kramer)
Paragon Science used a combination of network analysis, community detection, topic detection, sentiment analysis, and anomaly detection to find key influencers and emotionally charged websites in an ISIS-related Twitter network.
The Credit Union National Association (CUNA) issued a statement on Friday, April 26th, 2013 that a possible widespread Distributed Denial of Service (DDoS) attack may take place on Tuesday, May 7th, 2013.
Despite the numerous warnings, CUNA has offered little advice on how to manage the situation and mitigate an attack.
Realizing the severity of the situation, RedZone put together five practical ways to mitigate a DDoS attack against your organization, presented via GoToWebinar on Wednesday, May 1st, 2013.
The types of attacks we reviewed were:
1. Pure network attack against the credit union
2. Pure network attack against the ISP router
3. Content DDoS
4. DNS DDoS
5. Random Botnet attack
We also answered the following questions:
• What does it mean?
• What are your zero-day protection options?
• What to check on your security products?
• How to enable Global IP protection?
• How do I detect fraud communication in advance?
• What are some vendor product options?
Information Extraction and Aggregation from Unstructured Web Data for Busines... (Alexander Michels)
Team Praedicat's final presentation at UCLA's Research in Industrial Projects for Students. We discuss our project for Praedicat, Inc. which helped them algorithmically profile companies to help them assess their actuarial risk.
GitHub: https://github.com/alexandermichels/pcatxcore
SEMANTIC CONTENT MANAGEMENT FOR ENTERPRISES AND NATIONAL SECURITY (Amit Sheth)
Amit Sheth, SEMANTIC CONTENT MANAGEMENT FOR ENTERPRISES AND NATIONAL SECURITY, Keynote at:
CONTENT- AND SEMANTIC-BASED INFORMATION RETRIEVAL @ SCI 2002.
Behind the scene of malware operators. Insights and countermeasures. CONFiden... (Trend Micro)
Modern cybercrime operates highly sophisticated campaigns that challenge, or even evade, the state of the art in defense and protection. On a daily basis, users worldwide are fooled by new techniques and threats that went under the radar, like new 0-days or attack vectors. We passively monitored how these attacks are conducted on real installations, and unveiled the modus operandi of malware operators. In this presentation, we share with the audience our recent findings and the trends we observed in the wild from the analysis we conducted on 3 million software downloads, involving hundreds of thousands of Internet-connected machines. During the talk, we provide insights from our investigation such as the effect of code signing abuse, the compromise of cloud providers' operations, the use of domains generated automatically via social engineering, and the business model behind modern malware campaigns. We also discuss the problem of "unknown threats", showing how the Internet's threat landscape is still largely unexplored and how badly it impacts millions of users. We conclude with a proof-of-concept system that we designed and that uses machine learning to generate human-readable rules for detection. Our system represents a potential mitigation for the problem of "unknown threats" and an assistance tool for analysts globally.
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic... (Trend Micro)
In today’s real-time enterprise where we all must do more with less, the operations team is sometimes forced to take shortcuts. Forgetting to manually apply security controls is often one of the first tasks to fall by the wayside. VMs that are put in production, lacking adequate protection, leave high-risk vulnerabilities open for exploitation. Learn how building-in security automation with VMware NSX and Trend Micro Deep Security provides visibility, assesses risk, and applies the right protection. Once in operation, using the adapter for vRealize Operations, the security events become visible next to the operational events, providing a holistic view of the environment. This will be illustrated through the case study of a leading manufacturing company, Plexus Corporation, who will also share their NSX journey.
This was one of Trend Micro's sessions presented at VMworld 2017.
Skip the Security Slow Lane with VMware Cloud on AWS (Trend Micro)
While migrating your infrastructure to the cloud offers an opportunity to rethink your approach to management and security, it can create a patchwork of processes and tools, a disorganized team, and duplication of work. In a few years, you may learn that the IT security team needs a unified approach to data protection and you must already overhaul your “new” setup. You thought you were speeding ahead with improved operations and lower costs, but you are actually in the security slow lane! Pull over and find a new route forward with VMWare on AWS by leveraging tools you know in an environment you already understand. Save years of work by utilizing a common set of tools, operational processes, and security framework when moving to the cloud. Learn tips and tactics from Trend Micro and Capgemini for setting your teams up for success now…and tomorrow.
This was one of Trend Micro's sessions presented at VMworld 2017.
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr. (Trend Micro)
In this work we explored the attack landscape in the Dark Web. While in the past FTR looked at the goods and services offered and traded, here we investigated the attacks and exposure. We observed hacking groups targeting each other, for example by defacing competing web sites in order to promote their -- or by stealing onion services' private keys to possibly tamper with encrypted traffic in Tor.
All content not indexed by traditional web-based search engines is known as the DeepWeb. Often wrongly associated only with Onion Routing (TOR), the DeepWeb's ecosystem comprises a number of other anonymous and decentralized networks. The Invisible Internet Project (I2P), FreeNET, and Alternative Domain Names (like Name.Space and OpenNic) are examples of networks leveraged by bad actors to host malware, highly resilient botnets, underground forums and bitcoin-based cashout systems (e.g., for cryptolockers).
We designed and implemented a prototype system called DeWA for the automated collection and analysis of the DeepWeb, with the goal of quickly identifying new threats as soon as they appear.
In this talk, we provide concrete examples of how DeWA can be used to detect, e.g., trading of illicit and counterfeit goods, underground forums, privacy leaks, hidden dropzones, malware hosting and TOR-based botnets.
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014) (Trend Micro)
AIS, the Automatic Identification System, is a promoted standard and implementation for vessel traffic safety and monitoring. With more than 400,000 installations worldwide, AIS is currently a mandatory installation for commercial vessels and de facto equipment for leisure craft. AIS is largely used in ports worldwide -- Rotterdam alone monitors over 700 AIS-enabled vessels each day, serving 32,000 seagoing and 87,000 inland vessels a year.
Back in October 2013, during HITB KUL, we showed that AIS is badly broken, both at the implementation and protocol level, and that it suffers from severe vulnerabilities like spoofing and man-in-the-middle. In this talk, we extend our research by sharing with the audience several novel attacks that we recently discovered, for example how to extensively disable AIS communications or attack the back-end software installed by port authorities. By doing so, we hope to raise the necessary awareness and lead the involved parties to call for a more robust and secure AIS.
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems (Trend Micro)
A talk given by Kyle Wilhoit and Marco Balduzzi from Trend Micro's Forward Looking Threat Research team, along with independent researcher Alessandro Pasta.
Abstract:
In recent years, automated identification systems (AISes) have been introduced to enhance vessel tracking and provide extra safety to marine traffic, on top of conventional radar installations. AIS, which is currently a mandatory installation for all passenger ships and ships over 300 metric tonnes, works by acquiring GPS coordinates and exchanging a vessel's position, course and information with nearby ships, offshore installations (i.e., harbors and traffic control), and Internet tracking and visualization providers.
With an estimated 400,000 installations, AIS is currently the best system for collision avoidance, maritime security, aids to navigation and accident investigations.
Given its primary importance in marine traffic safety, we conducted a comprehensive security evaluation of AIS, tackling it from both a software and a hardware (radio frequency) perspective.
In this talk, we share our findings, i.e., how we have been able to hijack and perform man-in-the-middle attacks on existing vessels, take over AIS communications, tamper with the major online tracking providers and eventually fake our own yacht!
Countering the Advanced Persistent Threat Challenge with Deep Discovery (Trend Micro)
Targeted attacks and advanced persistent threats (APTs) are becoming the new norm of cyber security threats, encompassing organized, focused efforts that are custom-created to penetrate enterprises and government agencies for valuable data, trade secrets, and access to internal systems. We explore the anatomy of targeted attacks: the inner workings of the APT lifecycle, along with an in-depth overview of the Trend Micro Deep Discovery advanced threat protection solution, and how it enables enterprise IT to adopt a custom defense strategy that modernizes its risk management program to defend against targeted attacks.
The Custom Defense Against Targeted Attacks (Trend Micro)
Advanced persistent threats (APTs) and targeted attacks have a proven ability to penetrate standard security defenses and remain undetected for months while siphoning valuable data or carrying out destructive actions. We review the challenges faced by information security leaders, their options for dealing with attackers, and how a Custom Defense approach deploys a comprehensive Detect—Analyze—Adapt—Respond lifecycle that enhances current security investments while providing new weapons to fight back against their attackers.
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques (Trend Micro)
Dave Asprey, VP-Cloud Security of Trend Micro, presented to members of the SDforum in Jan. 2011. This is an adapted version of his presentation which covers key considerations addressing data privacy concerns in the Cloud.
More than 80% of today's top malware arrives via the web, and security demands on cloud service providers will increase. See the rest of Trend Micro's predictions for 2011.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I wondered, as an "infrastructure container Kubernetes guy", how this fancy AI technology gets managed from an infrastructure operations point of view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could benefit or limit your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already have working for real.
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Slides by me and Rik Marselis at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview – Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Search and Society: Reimagining Information Access for Radical Futures – Bhaskar Mitra
The field of Information Retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Investigating Web Defacement Campaigns at Large
1. Investigating Web Defacement Campaigns at Large
Federico Maggi, Marco Balduzzi, Ryan Flores,
Lion Gu, Vincenzo Ciancaglini
Trend Micro, Forward-Looking Threat Research
3. # of Records Per Reporting Site
Source        Site URL              #Records
Zone-H        www.zone-h.org        12,303,240
Hack-CN       www.hack-cn.com          386,705
Mirror Zone   www.mirror-zone.org      195,398
Hack Mirror   www.hack-mirror.com       68,980
MyDeface      www.mydeface.com          37,843
TOTAL                               12,992,166
15. Clustering
• BIRCH (Balanced Iterative Reducing and Clustering Hierarchies)
• Cluster statistics are efficient to compute
• Quickly finds the closest cluster for each new data point
30. Conclusion
• Conduct a large-scale measurement
• 13M records spanning 19 years
• Introduce an approach to semi-automatically detect defacement campaigns
• Show how our approach empowers the analyst in understanding modern defacements
• Live campaigns in the real world
• Social structure of actors
• Modus operandi
• Motive, especially political reasons
Today we are going to talk about web defacement attacks.
Website defacement is a very common attack.
We know that hackers attack websites every day.
After websites are compromised, web pages can be altered by hackers.
Hackers usually leave some messages in deface pages, like who they are and why they attacked.
Most of the time, hackers are driven by political motivations.
Like the picture in this slide: the hackers want people to pay attention to the situation in Palestine.
But there are more questions about defacement attacks.
Like, are there any defacement campaigns?
And, what are the defacers' modus operandi, social structure and organization?
And another question is, is there any way to track and investigate defacement attacks?
Those questions are our research motivation.
In this talk, we will use our findings to answer those questions.
Data collection is the starting point of our research.
We found that there are some defacement reporting sites on the Internet.
Many defacement incidents are reported to those sites.
Zone-H is the largest organization for defacement reporting.
So we acquired data from Zone-H for research purposes.
At the same time, we collected data from another 4 sites.
The total size of our dataset is almost 13M records.
In this slide, we will see what our data looks like.
Zone-H is a major data source in our research.
So we can take one Zone-H record as an example.
The record has two parts: metadata and raw content.
In the metadata part, there are several data fields, like timestamp, reporter name, victim domain, victim IP address, and so on.
The raw content is the cached deface page.
Our dataset has both metadata and raw content.
This figure shows the records per year in our dataset.
Our collection spans almost 19 years, ending in September 2016.
You can see that there is a very clear increasing trend in defacement attacks.
The reported incidents grew from thousands to more than one million per year.
Once our dataset was ready, we were very curious about what messages defacers conveyed in the deface pages.
So we used a topic modeling technique to determine the subjects of deface pages.
The table shows the evolution of the topics.
In the early stage, from 1998 to 2004, defacers were interested in security problems in websites.
We can see some related keywords like 'security', 'backup', 'encryption'.
After 2005, the topics shifted to real-world events.
More deface pages reacted to incidents in the real world.
We can see that some keywords are about real-world events, like 'pope', 'turkey', 'terrorism'.
Deface pages are not only used for conveying messages. Sometimes they have malicious content.
We used the Trend Micro web security checking service to scan all deface pages, and found that a lot of deface pages have malicious scripts.
Some malicious scripts may download malware to the visitor's computer.
We summarize the scan results in this figure.
The figure shows that the general trend is increasing.
When we were checking some deface pages manually, we found these two deface pages by accident.
These deface pages are quite interesting.
The first impression is that these two pages look very similar.
They have almost the same page layout, and almost the same font color.
We believe those deface pages were made from one template.
If we read the text, we can see that both of them want more people to understand the Islamic religion. They have the same motivation.
So we have one important observation: similar deface pages almost always have the same motivation, and they belong to the same deface campaign.
So we think clustering similar deface pages is a good approach to detecting deface campaigns.
Now let me introduce our approach to analyzing deface pages automatically.
When deface pages are input into the system, they are deduplicated first.
We only keep one copy of deface pages with the same hash.
De-duplication reduces the computation resources needed in our pipeline.
The next stage is deface page analysis.
In this stage, our system extracts content from deface pages.
We conduct both dynamic analysis and static analysis to extract content.
All content and metadata are stored in one Elastic database.
Then the system performs campaign detection.
Our system uses an unsupervised machine-learning pipeline to do campaign detection.
First, some features are extracted from deface pages.
Then, the feature data is normalized.
After that, we use clustering to detect campaigns.
After clustering, we re-duplicate the data in each cluster. This step gives us the "expanded" clusters with the full set of original records.
The last stage is labeling and visualization.
We created a web portal to show the clustered deface pages.
The portal is designed for security analysts to carry out in-depth investigation manually.
I will introduce the web portal later.
Feature engineering is central to any clustering problem.
We found some features that can be extracted to represent a deface page.
Let's look at this deface page.
First, the page title is a key element of a web page. Defacers usually leave their names or core messages there.
We calculate the ratio of letters, digits, punctuation and whitespace in the title as features.
Then, we notice that deface pages have different background colors. So we extract the average color as one feature.
Next, defacers tend to put some images in deface pages. So we count the number of image tags as one feature.
And then, many defacers leave their social handles in deface pages. The number of social handles is another important feature.
Then, most deface pages have text. The text encoding can be treated as a feature.
Some defacers also leave their email addresses or include multimedia URLs in deface pages.
Email addresses and multimedia URLs are high-quality features to represent deface pages.
So we take the number of email addresses and multimedia URLs as features.
For clustering, we use the BIRCH algorithm.
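As an added example (not the authors' code or Trend Micro's system), the following Python script walks a few constructed sample pages through that pipeline: hash-based de-duplication, extraction of several of the features just described, min-max normalization, clustering, and re-expansion of each cluster to the original records. It uses a greedy nearest-leader rule as a stand-in for BIRCH, regex-based tag handling, and assumed patterns for handles, e-mail addresses and multimedia URLs; the average-color and text-encoding features are left out.

```python
import hashlib
import math
import re
import string

# Constructed sample pages (hypothetical, not records from the talk's dataset):
# a and b are byte-identical, c is a near-copy from the same "template", d is unrelated.
PAGES = {
    "a.example": "<title>Hacked by TeamX! #opdemo</title><img src=x.png><img src=y.png> @teamx",
    "b.example": "<title>Hacked by TeamX! #opdemo</title><img src=x.png><img src=y.png> @teamx",
    "c.example": "<title>Hacked by TeamX! #opdemo</title><img src=x.png><img src=y.png> @teamx @teamx_mirror",
    "d.example": "<title>Server migration notice</title><p>mail admin@example.invalid, "
                 "play http://cdn.example/anthem.mp3</p>",
}

def features(html):
    """Title character ratios, image count, social handles, e-mail addresses and
    multimedia URLs; the regexes are assumptions, not the paper's extractors."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    title = m.group(1) if m else ""
    text = re.sub(r"<[^>]+>", " ", html)          # crude visible-text extraction
    n = max(len(title), 1)
    return [sum(ch.isalpha() for ch in title) / n, sum(ch.isdigit() for ch in title) / n,
            sum(ch in string.punctuation for ch in title) / n, sum(ch.isspace() for ch in title) / n,
            len(re.findall(r"<img\b", html, re.I)),                       # number of image tags
            len(re.findall(r"(?<!\w)@\w+", text)),                        # social handles
            len(re.findall(r"[\w.+-]+@[\w-]+\.[\w.]+", text)),            # e-mail addresses
            len(re.findall(r"https?://\S+\.(?:mp3|mp4|swf|gif)\b", text))]  # multimedia URLs

def detect_campaigns(pages, threshold):
    """Hash-deduplicate, normalise, cluster with a greedy nearest-leader rule (a stand-in
    for BIRCH's closest-cluster search), then re-expand each cluster to every victim domain."""
    by_hash = {}
    for domain, html in pages.items():
        by_hash.setdefault(hashlib.sha256(html.encode()).hexdigest(), []).append(domain)
    uniq = {h: features(pages[doms[0]]) for h, doms in by_hash.items()}
    cols = list(zip(*uniq.values()))
    lo, span = [min(c) for c in cols], [(max(c) - min(c)) or 1 for c in cols]
    norm = {h: [(v - l) / s for v, l, s in zip(vec, lo, span)] for h, vec in uniq.items()}
    clusters = []  # each entry: (leader feature vector, [page hashes])
    for h, vec in norm.items():
        best = min(clusters, key=lambda cl: math.dist(cl[0], vec), default=None)
        if best is not None and math.dist(best[0], vec) <= threshold:
            best[1].append(h)
        else:
            clusters.append((vec, [h]))
    return [sorted(d for h in hs for d in by_hash[h]) for _, hs in clusters]
```

With threshold 1.0 the two identical pages and the near-copy land in one expanded cluster and the unrelated page in another; tightening the threshold splits the near-copy off, which is the knob an analyst tunes between "same page" and "same template" clusters.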
After clustering, we built a web portal to show the clusters.
This is the web portal.
Each row is a summary of one cluster.
Take the first row as an example.
This row shows the size of the cluster, keys, start time, end time, number of attackers, and so on.
In the size column, the number is the size of the cluster. Here this cluster has 920 deface pages.
In the key column, there are some icons. Each icon represents one feature.
In our cluster results, some clusters have the same deface pages, while some clusters have very similar pages.
Here is one cluster sample with similar pages.
Can you find the differences?
The difference is highlighted here.
If you are a fan of the spot-the-difference game, we have some clusters for you.
After getting the cluster results, we wanted to know if some clusters are connected to certain real-world events.
So we selected some real-world events, and then searched for evidence in our cluster results.
This figure shows the timeline of major real-world events. We also list the cluster results related to those events.
Let's look at this timeline.
First, for each real-world event here, we can find relevant clusters.
Then, we notice that some events got a lot of defacers' attention.
For example, the death of Osama Bin Laden, the Battle of Aleppo, and the Charlie Hebdo shooting.
So we can see that some defacement attacks are driven by real-world events.
In this slide, we will try to explain how attackers are organized.
This CDF graph gives us some clues.
We can see that 50% of actors joined at least one team.
That means half of the actors identify themselves using a team name. They coordinate to conduct attacks.
Let's look at one example.
This example is about various campaigns targeting Charlie Hebdo, which is a French magazine.
A short background story: in 2015, two terrorists opened fire at the headquarters of Charlie Hebdo and killed 12 people for religious reasons.
This terrorist attack caused various defacement campaigns.
After the shooting happened, we could find some deface pages related to the event.
This graph shows the relationship between defacer teams and campaigns.
In deface pages, the campaign name is usually highlighted by defacers. Here the campaign name is 'opcharlie'.
The diamond nodes are defacer teams, like fallaga and thameur.
We can see that those three teams joined the 'opcharlie' campaign.
This graph shows the relationship between teams and defacers.
The diamond nodes are teams.
The circles are defacers.
If there is a connection between a defacer and a team, that means the defacer referred to the team name in deface pages.
We can see that many connections from defacers point to the fallaga team, so the fallaga team has a lot of members.
This graph gives us an overview of the Charlie Hebdo attack.
We can see that there are nine campaigns.
Each campaign has participants. The participants are either teams or defacers.
Some teams are big, like fallaga.
And we can see that most defacers joined at least one team, and very few defacers worked independently.
This slide shows the longest-lasting campaigns.
The table gives you an idea of how many attacks were conducted by campaigns in the years between 1998 and 2016.
Long-lasting campaigns are campaigns spanning several years.
For example, the campaign r00t lasted 13 years, and the campaign redhack spanned over 10 years and caused many attacks.
Compared to long-term campaigns, we also identify the campaigns causing the most attacks. We call such campaigns "aggressive campaigns".
We found a lot of aggressive campaigns, like savegaza here.
Such aggressive campaigns are geopolitical campaigns.
Take savegaza as an example. It reacted to war events in Palestine.
Let's look at another example. This example shows how our system helps analysts investigate campaigns.
Timeline analysis is a very useful method for analysts. So our system provides a timeline feature for campaigns.
We can see that the campaign in this slide spans over 4 years and includes over 60 clusters.
The clusters are grouped by targeted TLDs.
We can get many good insights into the campaign, like how many TLDs are targeted and how long each cluster lasts.
Compared to the previous example of a long-running campaign, this slide shows another 5 campaigns.
Those campaigns lasted quite a short time, less than one month.
And each campaign attacked just one TLD.
This slide shows one example of large-scale joint campaigns.
The joint campaigns share common motives and objectives.
The topic of this joint campaign is the Israeli-Palestinian conflict.
It involves 12 campaigns.
It targets Israeli websites.
FEDE: too much text, but it’s probably allowed in the conclusions – maybe use some build-out?
FEDE: add FTR/Trend Micro branding
FEDE: I know I’m asking to expand the number of slides dramatically and you might find yourself going overtime. It’s OK to just remove the least interesting part and focus on what really matters/excites: the details are on the paper, your goal is to make sure that at least one message is received and people are happy ;-)