Delivered at ACSC in Canberra on 11 April 2018.
I uploaded a version with easier-to-read font colours at https://www.slideshare.net/MarkArena/the-cybercriminal-underground-understanding-and-categorising-criminal-marketplace-activity-93856202
This presentation builds upon previous research Intel 471 has undertaken with Dhia Majoub (Cisco/OpenDNS) and Jason Passwaters (Intel 471):
- Upgrading your Cyber Threat Intelligence to Track Down Criminal Hosting Infrastructure, Dhia Majoub: https://www.sans.org/summit-archives/file/summit-archive-1517343456.pdf
- VB 2017: BPH exposed - RBN never left, they just adapted and evolved. Did you? Jason Passwaters / Dhia Majoub: https://www.virusbulletin.com/conference/vb2017/abstracts/bph-exposed-rbn-never-left-they-just-adapted-and-evolved-did-you
The Cybercriminal Underground: Understanding and categorising criminal market... by Mark Arena
How to build a cyber threat intelligence program, by Mark Arena
Delivered at ACSC in Canberra on 10 April 2018.
Associated intelligence requirements spreadsheet is available for download at https://www.dropbox.com/s/rtisz5zdy5sl1w1/ACSC-Reqs.xlsx?dl=0
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014, by Santiago Bassett
Threat Intelligence has become increasingly important as the number and severity of threats are growing continuously. We live in an era where our prevention technologies are no longer enough: antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed, and attackers' techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component of mitigating cyber-attacks.
In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we'll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools.
The industry's reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF...) for describing and sharing cyber intelligence, as well as Open Source frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources.
One of the biggest problems with Threat Intelligence is working out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source tools (Suricata, OSSIM, OSSEC, Bro, Yara...) to get the most out of your Threat Intelligence.
Presenters: Jaime Blasco and Santiago Bassett
Cornerstones of Trust 2014:
https://www.cornerstonesoftrust.com
6 Steps for Operationalizing Threat Intelligence, by Sirius
The best form of defense against cyber attacks and those who perpetrate them is to know about them. Collaborative defense has become critical to IT security, and sharing threat intelligence is a force multiplier. But for many organizations, good quality intelligence is hard to come by.
Commercial threat intelligence technology and services can help enterprises arm themselves with the strategic, tactical and operational insights they need to identify and respond to global threat activity, and integrate intelligence into their security programs.
Threat intelligence sources have varying levels of relevance and context, and there are concerns about data quality and redundancy, shelf life, public/private data sharing, and threat intelligence standards. However, if processed and applied properly, threat intelligence provides a way for organizations to get the insight they need into attackers’ plans, prioritize and respond to threats, shorten the time between attack and detection, and focus staff efforts and decision-making.
View to learn:
--The difference between threat information and threat intelligence.
--Available sources of intelligence and how to determine if they apply to your business.
--Key steps for preparing to ingest threat information and turn it into intelligence.
--How to derive useful data that helps you achieve your business goals.
--Tools that are available to make collaboration easier.
The information security industry is a fast-paced, ever-transforming field, which in the past couple of years, with the influx of off-the-shelf malware, advanced exploit kits and paid DDoS services, has seen an increase in the importance of timely, proactive response. To enable the organization to mount a robust defense, the need of the hour is to capture, analyze and provide actionable information that can be used to safeguard the organization. Enter 'Cyber Threat Intelligence'.
Cyber Threat Intelligence is a new yet rapidly evolving domain in information security today. Information (knowledge) has always been regarded as a critical advantage in any strategy-making process. Over the years CTI has evolved from a loosely perceived set of skills and techniques into a well-defined framework, driven by market requirements that arose from recent threat activity in the ever-changing IT landscape: state-sponsored cyber-attacks, ransomware, APTs, zero-days and hacktivism are now at the doorstep of governments and corporations, big and small alike.
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol... by Albert Hui
Introduces "Hui's Hierarchy of CTIs", a reference model upon which cyber threat intelligence (CTI) can be classified, a 5W1H model for CTI contexts, and illustrates through examples what CTIs IR and TRM will find useful.
Cyber Threat Intelligence and Incident Response, by Sandeep Singh (OWASP Delhi)
The broad list of topics includes (but is not limited to):
- What is Threat Intelligence?
- Types of Threat Intelligence
- Intelligence Lifecycle
- Threat Intelligence - Classification & Vendor Landscape
- Threat Intelligence Standards (STIX, TAXII, etc.)
- Open Source Threat Intel Tools
- Incident Response
- Role of Threat Intel in Incident Response
- Bonus Agenda
Cyber threat intelligence: maturity and metrics, by Mark Arena
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision support to executives, whilst the field of cyber threat intelligence supports this customer and also network defenders, who have different requirements. By using the intelligence cycle, this talk will seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
Cyber Threat Intelligence is a process in which information from different sources is collected, then analyzed to identify and detect threats against any environment. The information collected could be evidence-based knowledge that could support the context, mechanism, indicators, or implications about an already existing threat against an environment, and/or the knowledge about an upcoming threat that could potentially affect the environment. Credit: Marlabs Inc
Practical and Actionable Threat Intelligence Collection, by Seamus Tuohy
A great deal of the existing human rights reporting and analysis aggregates and strips away contextual information in order to produce "quantified knowledge" that is technically reliable and useful for governmental decision making. The results produced often end up too delayed, partial, distorted, and misleading to be used by local actors and human rights defenders to directly respond to the threats that they face. Those who could benefit most from the human rights knowledge being collected and shared in the digital world are those that existing repositories of information serve the least.
In this presentation I will provide concrete guidance on approaches for adopting data-rich, practical, and actionable threat information collection. In this content-heavy 1.5 hour talk I will discuss a range of tools and techniques for seeking out sources of actionable information, distinguishing valuable information from useless but interesting information, and streamlining your information collection and analysis process to allow you to focus on your real work.
This talk WON’T be focused on collecting or sharing threat intelligence and/or human rights research aimed at evidence creation or changing the public dialogue. It WILL be focused on helping you identify, collect, and use publicly available sources of information to respond to your changing threat landscape.
Threat intelligence is information that informs enterprise defenders about adversarial elements so that they can stop them.
It is information that is relevant to the organization, has business value, and is actionable.
Even if you have all the data and feeds, data alone isn't intelligence.
Speaker at the IDC IT Security Roadshow 2017 in Doha. It was a one-day event bringing together some security vendors and end-user folks to present and discuss security-related topics. Midway through, the event was split into two tracks: A - Threat Intelligence and B - Securing the Endpoint to the Cloud. My end-user presentation (Track A) covered Threat Intelligence. There were some interesting speakers and audience Q&A discussions, followed by a networking lunch to boot. The venue at the Shangri-La Hotel in Doha provided a great space and a good networking opportunity.
Today, the topic of cybersecurity has moved from IT and the datacenter to the highest levels of the boardroom. Attacks and threats have grown substantially more sophisticated in frequency and severity. Attackers reside within an internal network for an average of eight months before they are even detected. In the vast majority of attacks, they compromise user credentials, and they are increasingly using legitimate IT tools rather than malware.
You are now working under the assumption of a breach. How do you find the attackers before they cause damage?
In this Black Hat talk we will discuss the TTPs (Tactics, Techniques and Procedures) of advanced attackers and how they manifest themselves over the network. We will give special attention to the Reconnaissance and Lateral Movement phases of the Cyber Kill Chain and discuss how network monitoring can be employed to mitigate these risks.
Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks. Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like who is attacking you, what their motivations and capabilities are, and what indicators of compromise in your systems to look for.
Reference: https://www.recordedfuture.com/threat-intelligence-definition/
Effective Threat Hunting with Tactical Threat Intelligence, by Dhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Threat Intelligence Data Collection & Acquisition, by EC-Council
In this slideshare, we’ll discuss threat data collection and methods. To discover more about threat intelligence, visit: www.eccouncil.org/cyber-threat-intelligence
Cyber Threat Intelligence - It's not just about the feeds, by Iain Dickson
Presented at BSides Perth 2019
Synopsis:
Although the practice of collecting and using intelligence has been studied and conducted by governments and the military for centuries, its application to cyber security has only recently been highlighted. This area of infosec has been termed Cyber Threat Intelligence, where the marriage of traditional intelligence techniques and analysis with deep technical understanding of the cyber domain is used to predict future actions by threats through long-term analysis and modelling. This approach is then used to support both proactive and reactive cyber security actions, from incident response to penetration testing.
This presentation focuses on threat intelligence from a practical data perspective, moving away from just the commercial concept of threat intelligence feeds (although these form one part of the equation). It approaches threat intelligence from an analyst's perspective on what questions need to be answered to effectively investigate an incident, using the Diamond Model and Cyber Kill Chain as framing devices. These questions then lead to examples of the data that can be used to answer them. Although data collection has traditionally focused on external cyber information, more often than not it is actions outside of those seen within an organisation's network, or even outside cyberspace, that provide context to the actions a threat takes.
Finally, we provide a number of use cases in which the results of threat intelligence processes can be applied within a Security Operations Centre, including Incident Response as well as traditional Penetration Testing and Red Teaming.
Recently, NTT published the Global Threat Intelligence Report 2016 (GTIR). This year’s report focused both on the changes in threat trends and on how security organizations around the world can use the kill chain to help defend the enterprise.
Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge faced by many organizations today. The Global Threat Intelligence Platform provides increased efficiency, reduces risks and focuses on global coverage with accurate and up-to-date threat intelligence.
This presentation was given at Carnegie Mellon University by Kenji Takahashi, VP of Product Management, Security at NTT Innovation Institute.
My Presentation on Career Opportunities in Cyber Security presented at the North Cap University during the course inauguration ceremony, where I talked about different career paths to get into the cyber security domain.
This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM). Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.
The concept of online anonymity refers to keeping the identity of communicators hidden. Online privacy is more than just encrypting and decrypting data; it also includes the concealment of identity. The Dark Web is a section of the Internet that achieves the highest levels of anonymity and security. The Dark Web, which, unlike the normal web, requires specialized access procedures, is regarded as the "Evil Twin of the Internet" since more than 57 percent of its area is occupied by unlawful content.
Technical development is what most people think of when they think of attackers. This aspect of hacking requires computer-savvy actors performing development activities that include research to find zero-day vulnerabilities, development of exploits for these vulnerabilities, and tools to automate the different pieces of a hack (bot-nets, data exfiltration, etc.).
The Business of Hacking - Business innovation meets the business of hacking, by MicroFocus Italy
Introduction
Attackers are sophisticated. They are organized. We hear these statements a lot, but what do they mean to us? What does it mean to our businesses? When we dig deeper into the "business of hacking," we see that the attackers have become almost corporate in their behavior. Their business looks a lot like ours. Cyber criminals look to maximize their profits and minimize risk. They have to compete on quality, customer service, price, reputation, and innovation. The suppliers specialize in their market offerings. They have software development lifecycles and are rapidly moving to Software as a Service (SaaS) offerings. Our businesses overlap in so many ways that we should start to look at these attackers as competitors.
This paper will explore the business of hacking: the different ways people make money by hacking, the motivations, the organization. It will break down the businesses' profitability and risk levels, and provide an overall SWOT analysis. From this, opportunities for disruption will be discussed and a competitive approach for disrupting the business of hacking will be laid out.
The information in this paper draws on data and observations from HPE Security teams, open source intelligence, and other industry reports as noted.
Whether building in enterprise security or applying security intelligence and advanced analytics, we can use our understanding of the business of hacking and the threats to our specific businesses to ensure that we are investing in the most effective security strategy.
Presented on April 14, 2018 at CarolinaCon (https://www.carolinacon.org). This talk will provide a quick overview honeypots, an explanation of the cyber deception space, and the benefits of implementing deception as part of your cyber defense program. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating deception sensors and start collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing a "Frankenstein Cloud Architecture", for minimal cost.
The Dark web - Why the hidden part of the web is even more dangerous?Pierluigi Paganini
Bad Actors (cyber criminals, terrorists, foreign spies) and their Tactics, Techniques, and Procedures (TTPS).
How is evolving the criminal underground in the Dark Web?
The response of the law enforcement.
Session 1 (one) of the course Information Security and business continuity. Concept of Information security , Term , Trends and Impact are discussed .
Presented at Bangladesh Institute of Management on 21 November 2015.
This will give you knowledge about basics of what ethical hacking is and few attacks. This document edited in Ubuntu. Types of hackers explained in detail. what kind of language is used by the hacker. How attacks happen with the help of scanning and access point for the system which is helpfull for the hacker after doing attacks gaining the access and maintaining the access. how to protect the system from the attackers and what to do after the attack happened.
A look at the methodology and techniques or hackers, cyber criminals and state sponsored attackers. Explores the kill chain, Geo political instability and the dark web.
An APM webinar sponsored by the APM Midlands Branch on 15 March 2022.
Speaker: Fábio Morais
An overview of the people behind major cybercriminal activities, the dark web and how much your data is worth; and finally what basic measures project managers should be putting in place to reduce the cyber-risk profile of their projects.
In today’s data-driven world, data breaches can impact on projects that affect hundreds of millions or even billions of people at a time. Digital transformation has increased the supply of data moving, and data breaches have scaled up with it as attackers exploit the data-dependencies of daily life.
With recent attacks threatening to de-rail high profile projects, it’s vital that the risks are identified and actions implemented, not only to protect project data, but to protect project managers and stakeholders.
Most cybercrime is an attack on information about individuals, corporations, or governments and events can occur in jurisdictions separated by vast distances. The Internet offers criminals multiple hiding places in the real world as well as in the network itself, posing severe problems for law enforcement, since international cooperation is usually required to investigate and attempt to trace down cybercriminals.
But who are these individuals and where exactly does cybercrime take place? What, as project professionals, can we do to protect ourselves?
We look to answer these questions by lifting the veil of hacking and the Dark Web.
https://youtu.be/TDXPetxXDMA
https://www.apm.org.uk/news/cyber-security-for-project-managers-lifting-the-veil-of-hacking-webinar/
The hacker employee profile is as diverse as the ways people earn money or power, but they fall, roughly, into 10 basic types.
With all these threats in the cyber world you need an experienced cybersecurity team on your side with artificial intelligence, behavioral detection, and a 24/7 security operation center, Data Guard 365 (https://data-guard365.com/) has proven to be the answer to stopping threats that would otherwise harm your organization.
Oct 23rd 2014 Offices of Arthur Cox - Presentation by Paul C Dwyer CEO of Cyber Risk International outlining a high level overview of the holistic cyber threat landscape in 2014
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
When stars align: studies in data quality, knowledge graphs, and machine lear...
The Cybercriminal Underground: Understanding and categorising criminal marketplace activity
1. “Play the man, not the malware”
The Cybercriminal Underground
Understanding and categorising criminal marketplace activity
2. About Me
● Token Australian at Intel 471 but haven’t lived in AU for 5+ yrs
● CEO and Founder of Intel 471
● Previously Chief Researcher at iSIGHT Partners (FireEye)
● Previously Technical Specialist at Australian Federal Police
● Over a decade of researching and tracking top tier cyber threat actors across both government and the commercial space
3. Objectives
● Understand how cybercrime works by viewing it through a business lens
● Establish a common vocabulary
● Conceptualise cybercrime and all related aspects
● Show how you can map out, organise, and visualise the underground
● Remove marketing from the intelligence equation
○ “Deep and dark web” is a lame marketing term
4. Observing the adversary
● Your own attack surface ← #1 way to observe as it relates to you
● The attack surface of other people like you (sharing)
● Technical collection (botnet/campaign tracking and emulation)
● Actor communications (the underground)
[Figure: the four sources above laid out on a vertical axis running from REACTIVE at the top to PROACTIVE at the bottom, with a line labelled THE PERIMETER dividing them]
5. What is the cybercriminal underground?
● Vast majority of threat actors there are financially motivated
● Includes criminal forums, marketplaces and places where actors can be engaged
○ “Adversary space”
● Nation states/espionage actors are in the underground but operate quietly
6. What does the underground look like from our perspective?
● Criminal forums/marketplaces that anyone can register for
○ Alphabay (dead), Silkroad (dead), Dreammarket etc
● Vetted/invite only forums and marketplaces
● Information obtainable only via direct communication with cybercriminals
7. Viewing cybercrime through a business lens
● Making money is the goal
● The marketplace exists so that actors can buy, sell, and talk about buying/selling
● Reputations and brands are built over years
● Fortune 500 CEOs would be impressed
● Understand the business models, processes, and pain-points
8. Typical structure of cybercriminals
● Decentralised and grouped by specialisation
○ Not often structured like traditional organised crime (hierarchical, culture of trust)
● Examples:
○ Gameover/Jabber Zeus
○ “Carbanak”
10. Underground Marketplace - Organisation
● Financially motivated cybercrime is primarily facilitated by the underground marketplace comprised of actors that buy, sell and talk about products, services, and goods
Cybercrime → Products | Services | Goods
11.–13. Underground Marketplace - Organisation (built up over three slides)
Cybercrime → Products | Services | Goods
● Products: a thing that has been refined for sale
● Services: an organised system that provides accommodation required by the underground
● Goods: illicit digital merchandise, wares, or commodities, usually sold in bulk
14. Underground Marketplace - Organisation
Tier 1
● Least number of actors
● Most significant actors
● Biggest victim impact
15. Underground Marketplace - Tier 1
Cybercrime → Products (Tier 1) | Services (Tier 1) | Goods (Tier 1)
Tier 1 products, services, and goods are core elements and key enablers of financially motivated cybercrime activity. They form the basis for what we consider “financially motivated cybercrime”
19. Underground Marketplace - Tier 3
Cybercrime → Products (Tier 1, Tier 2, Tier 3) | Services (Tier 1, Tier 2, Tier 3) | Goods (Tier 1, Tier 2, Tier 3)
Tier 3 products, services, and goods are those tertiary elements of financially motivated cybercrime that have limited impact on their own
20.
21. Introduction to Bulletproof Hosting (BPH)
● Used by cybercriminals to host malicious things and not have them taken down
23. Putting it into practice - Bulletproof Hosting (BPH)
● Key enabler for huge amounts of cybercrime
○ Malware C&C, phishing, exploit kits etc
● Tracking the malware and exploit kit IOCs (after they are used) = lots of resources
● Tracking bulletproof hosters = proactive, timely and fewer resources required
● Only 8-10 tier 1 bulletproof hosters in the underground
24. Real case study
● RFI received from a customer
● Identified a Hancitor malspam campaign detected at their perimeter
● Provided IOCs and other info (domain WHOIS info, etc) related to the campaign
● The ask:
○ Provide information about “WHO” (Infrastructures, Groups, Individuals, etc)
○ Highlight any TTPs associated with the threat actors and their activity
25.–27. Visualise the flow of what happened
1. Phishing email sent from fedex@wowgreatshop.com
2. Victims click on malicious URLs hosted on palmbeachmarinecontractor.com, palmbeachstrykers.com, cleanairexperts.com, palmbeachautomotive.com, gonegreensupply.com
3. Malicious Word doc drops Hancitor
4. Hancitor makes C2 call to domains for trojans: kedmolorop.com, tttconstruction.co.za, thettertrefbab.ru
5. Trojans (Pony, Evil Pony, Zloader, Gozi-ISFB, etc) make C2 call for extra malware or functionality: pahattitbut.com
6. Infection on device & positioned for data extraction
28. Patterns across a dozen Hancitor campaigns
Malspam campaign elements and example domains:
● Spoofed sender domain: wowgreatshop.com
● Phishing URLs: palmbeachautomotive.com, palmbeachstrykers.com
● Hancitor C2: kedmolorop.com, tttconstruction.co.za
● Pony C2 / EvilPony C2 / Zloader C2: pahattitbut.com
Hosting behind these elements:
● BPH 1: Tier 1 BPH service
● BPH 2: Dedicated small time BPH and abused hosters
29. End result of bulletproof hosting tracking
● Get upstream and monitor/track infrastructure providers to be proactive against many different threats
● Track BPH services to identify infrastructure before the bad guys are using it for badness - pre-IOCs (our marketing gimmick term)
● Understand the business models and processes to identify proactive and more impactful courses of action
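The "get upstream" idea in slides 28 and 29 can be shown in code: instead of chasing each campaign's IOCs after the fact, pivot the indicators onto the hosting providers they share, keep only providers that recur across campaigns (the bulletproof hosters) and drop one-off abused hosts, then turn the recurring providers' address space into a watchlist that flags new hostnames before they appear in any campaign. The Python below is an added example and is not code from the presentation or from Intel 471; every hostname, IP address (RFC 5737 documentation ranges) and AS label in it is constructed, and in practice the IP/ASN attributes would come from passive DNS and BGP data rather than being typed in.

```python
"""Pivot campaign indicators onto hosting providers to build a pre-IOC watchlist.

Added example, not from the presentation. All indicators below are CONSTRUCTED:
hostnames use the reserved .example TLD, IPs are RFC 5737 documentation
addresses, and AS labels are placeholders standing in for real ASN lookups.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple


class Indicator(NamedTuple):
    campaign: str  # which malspam campaign the indicator was observed in
    role: str      # spoofed_sender, phishing_url, hancitor_c2 or trojan_c2
    host: str      # constructed hostname
    ip: str        # constructed resolution (documentation range)
    asn: str       # placeholder provider label from a hypothetical ASN lookup


# Constructed observations from three hypothetical campaigns. The phishing
# URLs sit on one-off abused hosts; the sender and C2 infrastructure recurs.
OBSERVATIONS: List[Indicator] = [
    Indicator("campaign-1", "spoofed_sender", "shop-a.example", "192.0.2.10", "AS64500-BPH-A"),
    Indicator("campaign-1", "phishing_url", "contractor-a.example", "198.51.100.5", "AS64510-ABUSED-1"),
    Indicator("campaign-1", "hancitor_c2", "c2-a.example", "192.0.2.22", "AS64500-BPH-A"),
    Indicator("campaign-1", "trojan_c2", "pony-a.example", "192.0.2.23", "AS64500-BPH-A"),
    Indicator("campaign-2", "spoofed_sender", "shop-b.example", "192.0.2.40", "AS64500-BPH-A"),
    Indicator("campaign-2", "phishing_url", "marine-b.example", "198.51.100.77", "AS64511-ABUSED-2"),
    Indicator("campaign-2", "hancitor_c2", "c2-b.example", "192.0.2.41", "AS64500-BPH-A"),
    Indicator("campaign-2", "trojan_c2", "zloader-b.example", "203.0.113.9", "AS64502-BPH-B"),
    Indicator("campaign-3", "spoofed_sender", "shop-c.example", "192.0.2.90", "AS64500-BPH-A"),
    Indicator("campaign-3", "phishing_url", "auto-c.example", "198.51.100.200", "AS64512-ABUSED-3"),
    Indicator("campaign-3", "hancitor_c2", "c2-c.example", "192.0.2.91", "AS64500-BPH-A"),
    Indicator("campaign-3", "trojan_c2", "gozi-c.example", "203.0.113.15", "AS64502-BPH-B"),
]


def group_by_provider(obs: List[Indicator]) -> Dict[str, Dict[str, Set[str]]]:
    """Map each provider label to the campaigns and indicator roles seen on it."""
    by_asn: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"campaigns": set(), "roles": set()}
    )
    for o in obs:
        by_asn[o.asn]["campaigns"].add(o.campaign)
        by_asn[o.asn]["roles"].add(o.role)
    return dict(by_asn)


def rank_providers(obs: List[Indicator], min_campaigns: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Providers reused across at least `min_campaigns` campaigns, most reused first.

    One-off abused hosts fall below the threshold and are discarded as noise.
    """
    grouped = group_by_provider(obs)
    ranked = sorted(grouped.items(), key=lambda kv: (-len(kv[1]["campaigns"]), kv[0]))
    return [
        (asn, len(v["campaigns"]), sorted(v["roles"]))
        for asn, v in ranked
        if len(v["campaigns"]) >= min_campaigns
    ]


def build_watchlist(obs: List[Indicator], prefix_len: int = 24):
    """Collapse the IPs seen on recurring providers into netblocks worth watching."""
    recurring = {asn for asn, _, _ in rank_providers(obs)}
    blocks = set()
    for o in obs:
        if o.asn in recurring:
            # strict=False lets a host address be widened to its containing block
            blocks.add(ip_network(f"{o.ip}/{prefix_len}", strict=False))
    return sorted(blocks, key=lambda n: int(n.network_address))


def pre_ioc_hits(watchlist, candidates: List[Tuple[str, str]]) -> List[str]:
    """Flag newly registered/resolved hosts that land in a watched netblock.

    These are "pre-IOCs": nothing has used them in a campaign yet, but they sit
    on infrastructure that recurring campaigns already depend on.
    """
    return [host for host, ip in candidates if any(ip_address(ip) in net for net in watchlist)]


if __name__ == "__main__":
    for asn, count, roles in rank_providers(OBSERVATIONS):
        print(f"{asn}: seen in {count} campaigns as {', '.join(roles)}")
    watch = build_watchlist(OBSERVATIONS)
    print("watchlist:", [str(n) for n in watch])
    # Constructed newly observed hosts that have not appeared in any campaign.
    new_hosts = [("new-1.example", "192.0.2.200"), ("new-2.example", "198.51.100.9"),
                 ("new-3.example", "203.0.113.100")]
    print("pre-IOC hits:", pre_ioc_hits(watch, new_hosts))
```

With the constructed data, the two BPH labels survive the recurrence threshold while the three abused hosts do not, so the watchlist covers only the bulletproof hosters' blocks; a real deployment would replace the placeholder AS labels with ASN and netblock data and choose the prefix length from the provider's announced ranges rather than a fixed /24.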
30. Alex
● Have been tracking the actor Alex for over a year
● The IP addresses on the previous slide tied to his bulletproof hosting infrastructure
31. Who are Alex’s clients?
RANSOMWARE: CERBER, LOCKY/OSIRIS, SAGE
MALWARE: YAKES, RAZY, BARYS, KOVTER, DRIDEX, HANCITOR, NEMUCOD, PANDA BANKER (ZEUS), NYMAIM, ZUSY, SYMMI/GRAFTOR, GAFGYT (LINUX), MARCHER (ANDROID), VALYRIA, PONY/FAREIT, MIRAI and more
PHISHING: GLOBAL BANKS, AMAZON, CDN PROVIDERS, YANDEX, MICROSOFT, LOCAL UK GOV, CROWN PROSECUTION, HILTON, Google and a whole lot more
OTHER: EXPLOITATION OF CVE-2017-0199, DRUG SHOPS, CYBERCRIME FORUMS, DUMP SHOPS, CASINOS, PIRATING/FILE SHARING
32.
33. Conclusions
● Visualize the underground marketplace in terms of products, services, and goods (and consumers)
● Organize products, services, and goods in terms of their significance by Tier 1-3
● Understand that cybercrime is a collection of systems, processes, actors, and groups working very similar to how businesses work to make money
● Realize that it’s possible to map out the marketplace and identify that small amount of actors that do the most damage
At the top are things directly relevant to you
At the top is being the most reactive - like boxing with your hands tied behind your back
At the bottom is being the most proactive
Ultimately cyber threat intelligence is threat focused, meaning a threat is a person with an intent, goal, motivation and TTPs (malware isn’t a threat, the person using it against you or your customers is)
Fortune 500 CEOs would be impressed
Marketing
Productization / Commoditization
Impressive returns on investment
Longevity in a semi-permissive environment
Sophistication
Understand the business models, processes, and pain-points
Provides a fuller understanding of the threat from a macro to micro view
Helps identify realistic and the most impactful courses of action
Gameover Zeus
Slavik sold Zeus on a buy in amount of $ plus a % of every transaction that went through it
The actors who bought this service used a third party service for the management and recruiting of mules which cost a % of the $
Carbanak
Horrible name to describe this activity as Carbanak is a combination of the words Carberp and Anunak which are separate trojans
Some actors who have used Anunak have also used Carberp alongside other trojans/tools like Money Maker Banker Bot, Smoke Loader etc
Not a good idea to name a group after the malware they have used especially when said malware is used by multiple actors
Of the 17M actors in the underground, probably fewer than 2,500 are actually doing most of the real damage
Of the 17M, many are duplicates, researchers, LE, skids, and scammers too
There’s a good bit of effort up front to do this, but it’s basically a bell curve
Once completed, efforts are focused on the threat actors that matter for most impact and valuable intelligence collection
You build such an intimate knowledge of the underground marketplace that new actors are quickly noticed, actors assuming others’ identities are easily sniffed out, legitimate actors and scammers are easily told apart, etc.
In the end this provides true intelligence value to the teams you can support
This marketplace facilitates actors involved with buying, selling, or talking about products, services and goods
A lot of analysts don’t realize that if you listen to what the criminals say they’ll tell you some interesting stuff... of course criminals are lying scum as well, so we need to assess the info appropriately. This ability comes with time.
Examples:
Malware authors announce new releases and functionality
BPH providers provide descriptions of their services
Actors complain about others
You can elicit information from actors (HUMINT/engagements)
We can divide the underground marketplace up into 3 primary areas
Products, Services, and Goods...these are all business terms for the most part
Products are basically just stuff that you can buy
Actors have productized this stuff into a solid product
The market is the judge
Services play an enabling role in cybercrime
These folks are the hidden hand of cybercrime
As is expected, service providers interact with more cybercriminals than any other group
It is easy to quantify the impact of a product or good, but very hard to quantify the impact of services
This is your bulk data that’s often advertised in the marketplace, but sold in custom shops
Before we get into some examples I want to organize the marketplace 1 step further
Think of “Tiers” as a measure of significance some product, service, or good plays in the cybercrime ecosystem
1 = most significant, 3 = least significant
Tier 1 is the top tier actors
Tier 1 is often the most sophisticated and mature in a business sense
Impacting Tier 1 has more of a downstream effect on the entire model essentially making things harder or even impossible
Most impact can be realized when you affect key enabling services
Tend to involve more sophisticated actors and business models/setups - front companies, large amounts of money, etc
This is usually where your Top tier and most impactful actors like to hang out
Now we start mapping in the actors and making sense of things
Our job starts to get much easier as we build that clarity on the “who’s who”
We can even categorize the actors in terms of significance within their respective area/specialty, but we’ll leave that for another day
Lastly we start to target the actors specifically to answer key questions and fill gaps in knowledge
This is where we really start to understand the business models, processes, and identify pain-points where max impact can be realized
Yalishanda is a Russian actor who spends his time between Russia and China and is a tier 1 bulletproof hoster
Huge amounts of badness have been hosted by him, including ransomware (cerber, locky), malware (dridex, Panda banker, Pony, Mirai and more), phishing (banks, CDNs, retail companies) and other things like exploits, drug shops, cybercrime forums, CC dump shops etc