Despite your best efforts, there is a good chance your organization will be the victim of a ransomware attack. What do you do when that happens? Organizations need to plan for a ransomware attack. This talk will cover steps organizations can take to prepare for a ransomware attack and review the initial steps after an attack happens. Topics include:
1. What log sources should be collected
2. Getting the right people involved
3. Testing your IR plan
The speakers have an abundance of experience working with organizations across many different sectors and regions. One thing they have seen to be the most effective use of tactical Threat Intelligence and Purple Teaming is the concept of “Active Defense Exercises”. “Active Defense Exercises” involve the creation of realistic, timely, adversary-specific kill chain scenarios. During this talk the speakers will discuss the best approaches for scenario selection. The speakers will then pivot to discuss the nuances of liaising Purple Team testing to determine the level of effectiveness of the organization’s security controls. The speakers will also discuss strategies for engaging internal security teams and detail the most effective mechanisms for conveying the “Active Defense Exercise” lessons learned to technical and non-technical stakeholders.
The threat of ransomware is ever-evolving, just as artificial intelligence is. It’s clear that businesses need better defense, but the answer isn’t solely AI – it’s actually human intelligence.
In this session, Bryce Webster-Jacobsen, an expert ransomware negotiator who deals with ransomware negotiations on a daily basis, will challenge the ideas of human intelligence versus artificial intelligence when it comes to ransomware attacks. Learn how expert ransomware negotiators can validate the reputation of the threat actor and why dark web monitoring and human reconnaissance are an indispensable part of the resolution process.
SOC analysts are familiar with Wireshark and all of its capabilities but are often at a roadblock when the pcap is relatively large. My tool, PacketSifter, and the open-source tool TShark will enable analysts to jump over that hurdle and learn to analyze pcaps on the command line!
Gone are the days of opening a large pcap in Wireshark and waiting two days for Wireshark to parse and load the pcap. PacketSifter will carve out noteworthy traffic as well as provide enrichment capabilities with GeoIP lookups via AbuseIPDB and hash lookups via VirusTotal.
This talk will demo PacketSifter as well as introduce TShark to continue on with the output files provided by PacketSifter.
Advanced Persistent Threat (APT) groups do not like to leave evidence of their activity on their targets; usually they develop or use fileless malware so as not to leave any fingerprints or traces that prove their crime and expose their operations. Network forensics analysis has become an essential skill for uncovering APT operations and identifying what happened, using Wireshark and other open-source tools to analyze network packet captures (PCAP). In this lecture, we will introduce a couple of APT attack scenarios and walk through how to analyze them.
LockBit ransomware operators have been active since September 2019, but there is still very limited information about their operations available publicly. The ransomware-as-a-service program and the ransomware itself were updated in June 2021, so now we are dealing with LockBit 2.0. Despite the updated RaaS having quite a short lifecycle so far, its affiliates have already performed at least a hundred successful attacks. In this talk, we’ll look at the threat actor’s tactics, techniques and procedures, from gaining initial access to impact, as well as some custom tools they leverage for data exfiltration (StealBit) and file encryption (LockBit).
Track 3
5 Feb 2022 9:00 AM - 10:00 AM
Nefilim’s malware sample uses a polymorphic dropper, meaning the file it drops may be one of over 2000 different file hashes. Polymorphism is used in a dropper to make a malware sample harder to detect, and I will explain a lot of the basics of reverse engineering for a diverse IT security crowd.
Mark Embrich
Malware Analyst
Mark has been a Network Admin, System Admin, SOC Analyst, Sec Eng, Forensics Analyst, Threat Detection Analyst, and Malware Analyst.
Threat Hunting may be one of the more glamorized components of modern security operations today. Every week we read of how modern security controls are being evaded and bypassed. We know that a more proactive approach to detecting Evil is needed. Still, Threat Hunting is much more complicated than reviewing our SIEM enriched and neatly packaged alerts that our security controls have decided are worth our attention. It can often be challenging to know where to start, obtain a high ROI, and measure and communicate value or progress with Threat Hunting.
In this talk, we are going to explore how to do just that.
It is not expensive tools or highly situational graphical user interfaces that are needed. What we need is a repeatable, scalable, and measurable process that will give the effort vision and direction at the beginning and the ability to validate maturation as we advance in the discipline. While paid products can help, there are more than enough open-source resources to develop a Threat Hunting operation that can reliably detect some of the techniques used by the advanced adversaries of our day.
Tag managers (such as Google Tag Manager, Adobe Launch, ...) are scripts which let non-developers easily add and remove (in one word, manage) third-party scripts. Marketing people often require them in order to promptly experiment with analytics scripts without bothering the development team for their inclusion on the website.
More than 40% of websites use Google Tag Manager[^1], which fires on average 12 scripts[^2] per website. Unfortunately, those scripts are often added ad hoc, outside of the regular development life-cycle and CI/CD pipeline.
Here lies the problem for security professionals: those scripts and their usage often don't go through the imposed security processes; they bypass code review and tests.
As an ex-web marketing professional, I will explain how those tag manager scripts are used, what kind of scripts are deployed through them and the pipeline used by marketers to deploy them to the end-user facing website.
As a current web application security developer, I will explain how security professionals can work with the marketing team to ensure the scripts used are not compromising the website integrity, nor the user's security, without hindering the marketing team's productivity.
That’s what Daniel was told in May 2020, two months after starting a new job. In this talk, he’ll share the inside experience of how a small team of (mostly government!) infosec folks worked to secure the entire vaccine development, distribution, and supply chain, and the key takeaways for the larger infosec community from this crazy (and surprisingly successful) experience.
This talk will cover a few key topics. First, Daniel will share the overall story of the operation, some of the (nation state) attacks they saw, and how the team were able to help harden literally dozens of companies in a matter of months. He’ll cover the critical role that the infosec/hacker community played, between collaboration with CTI League and industry partners, as well as an effective use of bug bounties to rapidly secure a plethora of questionable apps developed by contractors. He’ll explain some of the problems and promises that industry faces when collaborating with government, from what role each agency plays to some of the barriers that were overcome. And he’ll dive into the vaccine supply chain and its vulnerabilities, and how badly we need the larger infosec community to help harden this rapidly ‘techifying’ space before the next bio-catastrophe hits.
New phishing websites are set up every few seconds with the intention of stealing your credentials, infecting your system, or convincing you to do something via social engineering. Most of these sites are distributed and deployed through (mostly crude) automation, which usually results in attackers leaving their kits behind. During this talk I will walk through what phish kits are, why they are important for proactive defense and security research, and how you can automate identifying these kits in the wild.
The use of JavaScript obfuscation techniques has become prevalent in today’s threats: phishing pages, Magecart, supply chain injections, and JavaScript malware droppers all use JavaScript obfuscation on some level.
The usage of JavaScript obfuscation enables evasion from detection engines and poses a challenge to security professionals, as it hinders them from getting quick answers on the functionality of the examined source code.
Deobfuscation can be technically challenging (sometimes), risky (if you don’t know what you are doing), and time consuming (if you are lazy, as I am). Yet, the need to find and analyze large-scale attacks using JavaScript obfuscation is a task I’m faced with on a daily basis.
In this presentation I will present a lazy, performance cost-effective approach, focusing on the detection of JavaScript packer templates. Once combined with threat intelligence heuristics, this approach can predict the maliciousness level of JavaScript with a high probability of accuracy.
In addition to the overview of what I’ve developed, I’ll share the techniques used, as well as source code needed to create a representation of JavaScript by using AST parsing, obfuscation pattern matching, and the machine learning techniques involved.
Congratulations, you recently completed a successful, high-value Purple Team Exercise in your organization! Your Cyber Threat Intelligence team identified an adversary that has the capability, intent, and opportunity to attack your organization and provided those adversary behaviors to the red team. The red team emulated those same tactics, techniques, and procedures (TTPs) in your production environment while the Blue Team watched and learned how the attack works. Then the blue team showed everyone how they identify those adversary behaviors and follow their response process to quickly mitigate the threat. All your security teams collaborated and efficiently tested, measured, and improved your people, process, and technology! A month has passed; what happens next?
This talk picks up after your first successful Purple Team Exercise is complete and teaches you how to continue maturing and improving your security program by operationalizing the collaboration between your security teams (Cyber Threat Intelligence, Red Team, and Blue Team). You don’t have to wait for the next scheduled, formal exercise to continue testing your people, process, and technology. You can leverage new Cyber Threat Intelligence and collaborate with your team to test new TTPs through a process called Detection Engineering.
atomic-operator enables security professionals to test their detection and defensive capabilities against prescribed techniques defined within atomic-red-team. By utilizing a testing framework such as atomic-operator, you can identify both your defensive capabilities and gaps in defensive coverage.