Russians, Chinese and whoever comes
Espionage, theft of source code, intellectual property violations, leaks of personal information, extortion and attacks on critical infrastructure are just some of the incidents that were reported (many of them too late) in the first half of the year. The source of these attacks is not isolated individuals with a computer and a good Internet connection, but sophisticated groups with a strategy and a military-style operation. Their main weapon is still what we call APTs (Advanced Persistent Threats): they study their targets, plan in detail and develop tools for years, following a process similar to (and in many cases better than) that of the mature technology companies out there. Organizations are challenged when trying to protect themselves, since these groups use advanced techniques to remain undetected and thus meet their goals stealthily, hiding behind legitimate applications and camouflaging their traffic. However, some of these groups are governed by formal rules and procedures consistent with a tactical, military way of operating, which leads to many of their resources being reused across various campaigns. In this talk we will demystify some popular beliefs by showing leaked information, examples of how these groups operate, and how it was possible to trace them from multiple sources of information. To achieve this we developed NEOkanji, an open source tool based on Python and Neo4j for the clustering and visualization of malware based on its characteristics, techniques and context, in order to find relationships between campaigns, attacks and malware and to identify the threat actors behind them.
The Wrong Kind of DevOps Talk
DevOps seems to be where all the cool kids in IT are hanging out these days. While not all of us get to work in DevOps shops, we can steal some of the toolset to up our game for lab and skills development purposes. In this talk, you'll not only learn about DevOps-y tools like packer, vagrant and ansible - but how you can use them to make it easier to build and share lab environments for testing, training and more.
Deep Learning - Next Generation Threat Protection
Neural networks, Brave New World, Skynet. Are we in the future? The buzzwords in the security industry are big data, machine learning and artificial intelligence. Every vendor is claiming to have these technologies in their products. However, what do these technologies really do, how do they work, and how will they make your organization more secure? This talk will examine the details behind neural networks, how they are being used to make detection of threats quicker, and how they can protect networks much more efficiently. Lastly, we will examine how Fortinet is working with these technologies.
Data Security & Office 365—Stop Chasing Data
Data security is a never-ending battle to keep up with the latest regulations and protect intellectual property from targeted attacks and accidental exposure—all while adapting to evolving IT environments of cloud applications. Understandably, most enterprises want to meet their compliance demands and data protection needs with integrated, built-in DLP features that come with cloud applications like Office 365. Most take the seemingly logical approach to chase the data in your Office 365, other cloud apps and IT systems—find it, catalogue it, control it. But this ignores the biggest threat to data security—your people. Data security shouldn’t start and stop with the data. In this presentation you will learn that by focusing on your people and how they interact with the data, data security teams can deliver actual data protection that eases the burden of compliance, identifies risk based on user behavior and stops data loss.
Getting The Most Bang For Your Bug!
For more than ten years, the Zero Day Initiative (ZDI) has been investing in security research by providing a sustained income to the security research community through the purchase of quality vulnerability reports. That said, the ZDI collection of vulnerability research and exploits is a curated collection. While ZDI does not accept all submissions, we have a higher acceptance rate than other programs. This is thanks in part to our strong base of submitters, even with our high-quality bar. However, researchers new to the ZDI community are often unsure how to get started, and they sometimes miss the mark a bit.
In this talk, we suggest steps to increase your odds of acceptance and to potentially increase your bounty payout from ZDI and other vulnerability bounty programs. The talk will familiarize anyone less acquainted with vulnerability bounty programs in general and will prepare security researchers to make stronger submissions, potentially increasing their rate of acceptance and their payouts. We will go over all the specific details required to optimize and expedite the submission through the vetting process.
Lessons Learned Hunting IoT Malware
Permeating the entire spectrum of computing devices, malware can be found anywhere code is executed. Embedded devices, many of which are part of the Internet of Things (IoT), are no exception. With their proliferation, a new strain of malware and new tactics have emerged. This presentation will discuss our lessons learned from reverse-engineering and hunting these threats. During our session, we will explain the difficulty of collecting malware samples and why operating effective honeypots is an absolute requirement. We will study some honeypot designs and propose an IoT honeypot architecture comprising several components such as full packet capture, a man-in-the-middle framework and an emulator. Additionally, reverse-engineering problems and practical solutions specific to embedded systems will be demonstrated. Finally, we will explore three real-world cases of embedded malware. First, Linux/Moose, a stealthy botnet that monetizes its activities by selling fraudulent followers on Instagram, Twitter, YouTube and other social networks. Second, a singular encrypted connect-back backdoor that uses raw sockets and can be activated by a special handshake. Third, LizardSquad’s LizardStresser DDoS malware, known as Linux/Gafgyt. Attendees will leave this session better equipped to hunt this next generation of malware using primarily open source tools.
Introducing CSE’s open source AssemblyLine: High-volume malware triaging and analysis
The Communications Security Establishment (CSE), Canada’s national cryptologic agency and a leading expert in cyber security, believes in fostering collaboration and innovation. For the first time ever, CSE is releasing one of its own tools to the public as an open source platform. Developed internally, AssemblyLine is a cyber defence framework designed to perform distributed analytics at scale, focusing primarily on detecting and analyzing malicious files. Learn how AssemblyLine can not only minimize the number of innocuous files that cyber security professionals are required to inspect every day, but how you can collaborate with others to customize and improve the platform.
- What is it?
  - AssemblyLine is a distributed file analysis platform
- Review of key features
  - Single platform for analysis of suspected malware
  - Simple UI, easily extensible with APIs
  - Commodity hardware
  - Simplified cluster management
  - Full text indexing on the majority of the data store
- Demo of AssemblyLine
Exploits in Wetware: How the Defcon 2017 SE CTF experience can help organizations defend against social engineering.
Robert discusses his third-place finish at the Defcon 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks, and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to learn their VPN, OS, patch level, executives' personal cell phone numbers and places of residence.
Robert lifts the curtain on the social engineering world by showing tricks of the trade such as the “incorrect confirmation”, one of many methods used to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff.
With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired?
Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift.
The Spread of Cyberthreats: How Hackers Are Connecting with Your Organization
Organizations today rely on connectivity. However, while organizations recognize the importance of this connectivity to meet consumer demand and maintain a competitive edge, today’s connected world also assists in how malware, ransomware and other threats spread. As connected devices proliferate, this increased connectivity introduces more vulnerabilities, and more openings, for hackers to exploit. In our connected world, threats can come from any direction. Security strategists need to think differently, factoring in the full threat landscape and thinking like a hacker. With the cross-contamination of connected devices, threats easily cross boundaries of the connected home, the connected building, mobile devices and the enterprise. Gone are the days where protecting devices inside corporate walls is enough. Simply put, the proliferation of persistent threats on so many fronts is a serious issue. Without putting themselves in the shoes of an attacker, many organizations are failing to properly implement the best cybersecurity approach.
Cyber Security Incident Response. Are You Ready?
When a security breach happens to your organization (and it will), the first step in the recovery process is your ability to respond effectively. Being prepared is the key to managing an incident. Whether it affects a single line of business or the entire corporation, the objective is to ensure that priority services continue while the impact to the organization is minimized.
Key Points that an Attendee will take away from Ken and Mark's presentation:
- A well defined plan will save you time, effort, and a lot of unnecessary risk
- Open lines of communication between your IT resources and your senior management will enable your response
- Having the right skilled team identified will drive an effective response
- Test your plan, don’t let it gather dust
Detecting Reverse Engineering with Canaries
Reverse engineering software is commonly done and has various goals, such as finding vulnerabilities, learning about security mechanisms and countermeasures, and general understanding and information extraction. Obviously all software will be reverse engineered at some point, but you will never really find out. This talk is about detecting whether your software is being reverse engineered. Software is complex and reverse engineering is hard. People will “cheat” and search the web for clues about your software. The idea behind this research is that this “cheating” can be detected: embed canaries into binaries and application data so that “reverse engineering” is detected at the moment somebody searches the web for your tokens. In the talk we will discuss different ideas around this general approach and how it can be implemented. Finally we show how this can be used to detect different levels of adversaries.
- Reverse Engineering Goals
  - Why, etc…
  - It is hard, complex software
- Background on canaries
  - Web bugs
  - What can they
- RE Canaries
  - General idea
- Deeper dive into RE canaries
  - Different levels, detect different kinds of adversaries
  - RE canaries for different Platforms
War in the Internet-of-Everything
Clairvoyance Cyber Corp
Consider that the largest mobile device you will soon own will be your car. Picture an aircraft as software with wings, a spaceship as a rocket-propelled supercomputer and navy ships as floating data-centres. Look at augmented reality gaming on our sidewalks, autonomous drones in the sky, bitcoins in our wallet and semantic botnets influencing mass-populations as we sleep.
Nowadays, nearly all cyber compromises are socially engineered or originate from human error. The largest “denial of service” attacks come from the Internet-of-Things. Cyber is the nervous system that binds all critical infrastructures; it can influence populations and interfere with the democratic process. This new type of warfighting requires a fundamental rethinking of doctrine, policy and organizational models. It requires an agile capability to hunt an adversary across social, cyber, physical and human networks. As a defender, the next attack will come at you sideways, from outside your domain, and for this we need a winning strategy.
Cyber has the ability to achieve strategic balance between deterrence, containment, intervention, influence, and the projection of soft or hard power while maintaining the legitimacy of force.
Deterrence is based upon a credible proactive defence and an offensive capability in which to project power, security and to exert influence globally through Cyberspace in the defence of Canada. Furthermore, deterrence and diplomacy are required in the right dosage to dissuade and deter purposeful interference with our critical infrastructures by foreign states.
Cyber offers a response somewhere between a diplomatic note and a nuke strike.
- Strategic understanding of contested space
- Adversarial Dynamics
- Cyber Intelligence, Surveillance and Reconnaissance
- Critical Infrastructure Protection
- Proactive cyber defence
- Foundational informationalized warfare
- Strategic Deterrence
- Cyber Psychological Operations (CyOp)
- Information Peace Keeping and Counter-Influence Activities
Summarizing 9 Trillion Rows of Internet Security Threat Data into Strategic Action Items
Symantec tracks over 700,000 global adversaries and records events from 98 million attack sensors, generating 9 trillion rows of data. This is the world’s largest Global Threat Intelligence Network. Every year, for the past 21 years, this data has been analyzed and summarized into the Internet Security Threat Report (ISTR), which provides insights into global threat activity, cyber-criminal trends and the motivations of attackers. This discussion will summarize ISTR findings, focus on coming cyber-security trends, and ways to combat such threats.
IoT (Internet of Things) Security
Spectral Guard Inc
Threats are becoming more complex as Threat Agents look for new ways to use technology in their quest for valuable data. As the number of connected devices grows to more than 20 billion by 2020, the Internet of Things (IoT) will likely provide an unprecedented expansion of new threat vectors for which Enterprises will need to be able to respond.
It is almost certain that 75% of IoT devices will have one thing in common: their communications link will be based upon radio signals that use a number of existing, as well as new and emerging, wireless protocols.
Just like Wi-Fi, Bluetooth and cellular devices, the IoT is based upon radios, which begs the question: how does the security professional go about securing the Internet of Radios?
Enterprise security teams need tools and methodologies to assess and mitigate the risk associated with the Internet of Radios. But what are the vulnerabilities associated with this new and emerging Internet of Radios, and how can the security professional bring visibility to IoT (and legacy) devices emitting radio signals (Wi-Fi, cellular, wireless dongles and others) in an organization’s airspace?
This presentation will:
- Briefly overview and explain the fundamental technology terms of IoT Security.
- Relate IoT protocols and waveforms to the wired equivalent IDS sensor. Show why they are similar, but unique and why the wireless space requires a much different mindset than the wired space.
- Examine the current IoT Waveforms and what they can and cannot do from a Threat and risk perspective.
- Discuss the newer IoT waveforms and what they are designed to do
- Show the protocols used by IoT devices
- Show the radio frequency bands where we find IoT devices
- Show the data speeds including uplink and downlink of IoT devices
- Show the relative power levels of the IoT radios and explain why this is important to the attacker and the defender.
- Show the propagation characteristics affecting IoT usage and exploitation
- Who or What is the Threat?
  - Threat Agents. Who are they and where are they learning their tradecraft?
  - Threat agent technology and the modelling tools they use.
  - Their tradecraft when going after IoT devices in order to exploit them.
  - Cost/Risk trade-offs impacting the Threat Agent’s desire to exploit.
  - How quickly are threats developing?
  - Are there any specific vulnerabilities we can show now?
  - What about threat research? Who is leading, who has a dedicated team and where do we need to go to do it successfully?
  - Are there any Threat databases, and what are some important characteristics to look for in the database?
- Overview and propose a Detect/Analyze/Respond/Make Safe cycle.
  - What is Detect: Frequencies/Protocols/Frequency ‘clusters’ and IoT spectrum reconnaissance vs IoT protocol reconnaissance. What is missing from each, is there the possibility of convergence and what will it take?
  - Should we jump in with a full solution or start with the basics and grow? Advantages and disadvantages of each.
  - What does it mean to Analyze? How much analysis, what type, what are the priorities, and what is ‘rubber banding’ and why is it important in the analysis space? What information should the cyber analyst keep, what is not useful and why, and how to conduct forensics ‘after the attack’.
  - Geolocation trade-offs and examples in typical operational environments. Do we need precise geolocation? In what environments?
  - Power-on-arrival geolocation challenges in the IoT environment. Is accuracy everything?
  - What is an adequate response to IoT threats: Reporting/Jamming/tradecraft and tools. ‘Hot’ versus ‘warm’ versus ‘cold’ responses to IoT event detection. When and why do they work. Legal ramifications.
- Overview of current approaches to securing IoT:
  - What are the various current wireless security solutions: single point vs band segment vs total band. Which bands do we want and why are they appropriate given our operational environments?
  - What is the relationship of IoT security services to TSCM and SIGINT? Are these techniques and tools useful in securing the IoT? Show the TSCM and SIGINT ‘battle space’ and what is missing for effective IoT security.
  - Software defined radio: how useful? How fast and what I/Q throughput? Why is I/Q important in the analysis phase? What characteristics should we seek if we need to detect and analyze?
  - Review of applications that are ‘specific’ to related fields such as TSCM and SIGINT. Can they be ported to IoT, or are new tools and technologies needed?
  - What do the Russians do? What do the US and UK do? Can we learn from them?
  - Does anyone have a better approach: the multiple receiver approach with ‘smart stacking’, use of the ‘cloud’ and why it is becoming extremely important. Outsource vs in-source.
  - What specific tools are missing/yet to be developed?
  - Show advantages and disadvantages of current technology-specific tools and explain where and why they may be effective, including limitations on deployment and operational advantages and disadvantages.
  - Are we unnecessarily limited by poor selection of wireless policies?
  - What are the newer, emergent technologies with the potential to solve some of the current problems? Which ones show the most promise?
- Summarize the basic understanding of the IoT and security problem space and the direction that industry sectors are taking to assess and provide IoT security within a ‘Detect, Analyze and Respond/Make Safe’ framework.
Facilitating Fluffy Forensics 3.0
LEO Cyber Security
Cloud computing enables the rapid deployment of servers and applications, dynamic scalability of system resources, and helps businesses get products to market faster than ever before. Most organizations are aware of the benefits of adopting cloud architectures and many are becoming aware of the potential security risks. The majority of organizations, however, don’t realize the numerous challenges of conducting incident response (IR) activities and forensic investigations across public, private, and hybrid cloud environments.
It’s not all doom and gloom, however. The consumption model of cloud architectures actually lends itself to helping investigators conduct forensic and IR exercises faster and more efficiently than on a single workstation. For this to happen, however, the tools and techniques employed must evolve.
In this session, Andrew Hay will revisit the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations. Topics that will be discussed include:
- Traditional forensics and IR
- Cloud architectural challenges for responders
- Chain-of-custody and legal issues across architectures and regions
- How existing forensics/IR tools can help - and what they can do better
- Advantages of conducting forensics/IR in cloud environments
Infrastructure Security 2.0
Shopify has leveraged Kubernetes through Google Container Engine (GKE) to build its new cloud platform. This PaaS is currently serving the majority of the company's internal tools as well as business-critical production workloads. Moving to Kubernetes and a public cloud is no easy task, especially for a security team.
Given industry's limited experience with cloud computing and cloud native technologies, this talk hopes to demystify some of these core cloud concepts. We'll talk about containers: what they are, how to build them, how to secure them, and how to integrate security tooling into build and deployment pipelines.
Building a secure container is one thing, but how do we deploy containers to production? What does this mean? We'll introduce Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications. With Kubernetes we also have a number of security controls that we can implement to further restrict the operation of containers. We'll explore some of these primitives as they'll fit nicely with the context on container security.
Lastly, running on a public cloud comes with its own unique challenges. We'll explore some of the pitfalls we've encountered deploying infrastructure to a public cloud.
Cyber Warfare in the CAF
Canadian Armed Forces
The Canadian Armed Forces, as a result of the Defence Policy Review, is investing heavily in Cyber warfare. This includes the creation of a new occupation, developing new doctrine and establishing a new command structure to help the military take on this challenging battlespace. Master Warrant Officer Arndt will provide a high-level overview of what the Canadian military has done, is doing and will do in the Cyber environment and give some insights into the challenges that come with working in this emerging area of operations.
If I Had a Million Dollars
Privy Council Office
If you had a million dollars to spend on your IT security program, what would you invest in?
In today's fast-paced digital world, it can be challenging to know where to focus your priorities. IT security industry trends, recent headlines and the latest gadgets and tools can provide some enticing options but they don't necessarily lead to a coherent strategy. In this presentation, we will study examples of cyber incidents and how they might influence an organization's IT security program. Then we will discuss a number of other factors that should be considered when prioritizing investments and developing a sound IT security strategy tailored to your organization's needs.
No Ordinary Phishermen: The Rise of the “Mcrypt” Gang
Royal Bank of Canada
This talk will cover the research and work done to uncover the operations of a group of sophisticated phishers who have built a vast network of compromised servers to run their phishing campaigns. At the same time, this gang sells access to part of their infrastructure to other, lower-level phishers. Part of the presentation focuses on a tracker and a logger built to monitor their activities using their own artifacts. This tracker allows information about the phishing campaigns to be shared before they go live, credentials to be recovered, and tools and information about the attackers to be obtained, including one underground spam shop they operate. So far, six actors have been identified, plus an operator who is in charge of compromising new sites and uploading backdoors that are later used to arm the phishing campaigns. This work covers some human intelligence obtained from e-mail and Jabber conversations with some of the actual actors. Referred to as the “Mcrypt” gang, they keep evolving their tactics in order to protect their attacks from timely takedowns by anti-phishing companies, which has forced the techniques used to monitor their activities to be constantly innovated and improved.
The Cyber Threat Intelligence Matrix: Taking the Red Pill of Attacker Eviction
When you are responding to severe and targeted intrusions, it has been gospel in recent years to observe, scope and learn before attempting to evict the attacker. This is very sound advice, and probably the only way you can successfully evict an entrenched, determined and mission-driven adversary from your networks. But when is the right time? When are you done scoping? When do you know enough to evict and, more importantly, to resist immediate re-entry? Take the red pill and enter the Cyber Threat Intelligence Matrix.
SciBabe's Guide to Surviving Fake News
Can you spot fake news when it pops up in your Twitter feed? Are you sure? Even the most ardent skeptics and trained scientists can have trouble separating landmark discoveries from hyperbolic writing or dry satire when reported in popular media. The new media landscape of sponsored content and fake news is making the simple act of deciphering a fact from an "alternative fact" a little more difficult.
Yvette d'Entremont (aka SciBabe) combines science and sardonic humor to cut through the BS in social media. With her background in analytical chemistry and forensic science, she will help you seek out accurate reporting on science and current events in our evolving media landscape with her Guide to Surviving Fake News.
Analyzing and Understanding the Criminal Ecosystem
The concept of capitalism thrives on the open market forces of supply and demand, and these same forces are driving the evolution of today’s Crimeware microcosm, where a close-knit ecosystem of independent actors offers goods and services based on demand from ongoing malicious campaigns.
In this discussion, RSA FirstWatch will discuss the various pillars of the Crimeware ecosystem, the market forces fueling their growing interdependence, and the evolution of proven business models/practices.
Healthcare hacked, the growing threat to internet connected medical devices in hospitals
The healthcare sector has been the industry with the highest number of data breaches, followed by the government and retail sectors. Hackers can invade hospital networks through insecure medical equipment in the ER and patient treatment rooms, gaining the same level of access as a member of hospital staff. According to Shodan data, over 158,000 medical devices are currently exposed on the internet, making this an easy target for hackers. Medical devices like insulin pumps, x-ray diagnostic machines and heart monitors are not always covered by HIPAA, making security hard to monitor, and many of these devices are not required to be FDA approved. With no governing body for cybersecurity standards, hospitals are often in the dark about medical device vulnerabilities.
When Good Software Goes Bad
Amidst all of the furor and noise about NSA exploits and failed patching efforts, this year’s NotPetya ransomware campaign also revived awareness of a potent and often underestimated means of compromise: software supply chain attacks. In truth, you don’t need to look far to find a surprising number of similar incidents over the past decade. And while this tactic shares some commonalities with watering holes and similar forms of attack, it also provides some unique benefits to an intruder seeking to jump-start a targeted compromise.
This presentation will begin with a brief history of software supply chain attacks, illustrating the scale of opportunity (realized or not) that each afforded to adversaries. It will draw distinctions between attacks against end-user software and other forms of supply-chain compromise. Next, it will cover why typical enterprise security controls, ranging from automated prevention to detection and hunting, are often unable to stop or detect these techniques. Finally, it will offer practical approaches to mitigate such attacks and, in the process, bolster defenses against other common sources of security risk.