Countermeasures: Supercharging Threat Intelligence
In June 2016, Motherboard’s Lorenzo Franceschi-Bicchierai did an interview with the alleged DNC hacker Guccifer 2.0. When asked about Russian metadata in the documents he leaked, Guccifer 2.0, a self-proclaimed Romanian, said “it is my ‘filigran’”. ‘Filigran’ is an odd word and almost never used in casual conversation; some younger people may never have heard it before. Translated into English, however, it means “watermark”. Similarly, translating “watermark” from English into Romanian results in “filigran”. This and other “watermarks” effectively gave Guccifer 2.0 away as not being Romanian but simply using Google Translate to talk to journalists. In the end, it was his usage of “watermarks” that exposed him.
How about the code? Are there such things as “watermarks” for x86 executable code? During 2017, several high profile incidents occurred which had something in common - they were all difficult to attribute or associate with any previously known actor. These include WannaCry, NotPetya, Shadowpad and the CCleaner supply chain attack. Building on our experience from handling WannaCry and NotPetya and combining it with Yara rules and big data, we have been able to associate Shadowpad and CCleaner with an APT group known as Barium, operating under the Axiom umbrella.
This presentation will cover the following points:
- The information war: from espionage to mass opinion manipulation
- Supply chain attacks and why they are so difficult to catch
- WannaCry attribution and linkage
- Shadowpad and CCleaner code reuse; Winnti, Axiom, APT17 and Aurora
- Existing technologies for identifying code reuse in APT attacks and beyond
- Leveraging big data and Yara to find the needle in the haystack
On May 2nd Cambridge Analytica, a company that claimed to use predictive and prescriptive analytics to influence the outcome of the 2016 American election and the BREXIT campaign, among others, closed its doors following a swath of bad press.
Following the scandal, Canada’s Privacy Commissioner promised to study and report on Cambridge Analytica’s activities in Canada. But did Cambridge Analytica actually break any laws in Canada? What power does the Privacy Commissioner have when the CRTC has already ruled that it will not police social media as all posts made online should be considered public by the people who post them? What does the government’s own standing offer for social media monitoring permit?
You've got mail! from: Turla
Turla, also known as Snake, is an espionage group known for targeting governments, diplomats and militaries all around the world. In the past months, we have analyzed two different active campaigns from the Turla group that stand out by their ingenuity.
The first campaign, called Mosquito, aims at infecting users who download Adobe Flash. We found evidence that, from the endpoint perspective, Turla malware was downloaded over HTTP from a legitimate Adobe domain. The IP addresses belong to Akamai, which is the CDN Adobe uses. As the same addresses are also used to distribute legitimate Flash installers, it is not a simple DNS hijacking. We will discuss the different possibilities that could lead to this kind of behavior, one possibility being network interception at the ISP level.
The second one is the Turla Outlook backdoor that was allegedly used to spy on the German government from 2016 to early 2018. This is a full-featured backdoor targeting email clients, especially Microsoft Outlook. The commands are received through specially crafted PDF attachments that are then decoded and interpreted by the backdoor. It also automatically exfiltrates all outgoing emails to an attacker-controlled mailbox. This unusual way of communicating for a backdoor allows the attackers to blend into normal network traffic and increases their chances of bypassing security monitoring solutions. We have traced back the origin of this undocumented plugin to at least 2013. We will present a development timeline highlighting its changes in functionality throughout the years.
A State of the Union on the Canadian Cyber Threat Landscape
Would you direct air traffic without knowing what else is in the sky? Would you give medical advice without knowing the symptoms? Would you give driving instructions without knowing what is down the road? As a security professional, can you honestly say you know the Canadian landscape of threats?
As Canadian Threat Analysts, one challenge that we face is there are very few threat reports that focus on Canada. It’s been our mission to protect Canadians in Cyberspace, and the very things that make Canada great are the things that make our threat landscape distinct from others. However, how can we tackle the problem if we don’t accurately know what we are dealing with?
We’ll discuss research conducted over the last year on Canadian malware trends, attackers, Internet exposures, and Deepweb components. We’ll map out where Canada is in terms of the current state of cyber security, and then discuss what can be done next.
The Role of Cyber Security in Digital Transformation
The increased focus on digital transformation, coupled with the rapid evolution of technology, has made cyber security even more of a key strategic priority for business. However, in an era where “digital” is synonymous with words like agility, adaptability and speed, traditional risk-averse approaches to cyber security are no longer acceptable.
This session will focus on how cyber security practices need to evolve to enable successful digital transformation, including some examples of what the Government of Canada is doing in an effort to change its culture of cyber security.
The “Hunt-able” Network – A Practical Approach to Executing a Threat Hunting Program
Paul Kivikink and Ian Redden - RSA
This session will explore a practical approach for enabling Threat Hunting as a practice within organizations of any size. We will talk about finding the right people, getting the tools and visibility in place, and techniques for how to strategically approach hunting in both network and endpoint environments. We will also share our proven hunting methodology along with real-world examples to get you started.
Top Priorities for Cloud Application Security
How can organizations create and maintain secure applications in the cloud? Is it really any different than hosting applications in a data center? Yes and no. The cloud presents both new challenges and opportunities for security, IT, software, and operations staff. Given the complexity of cloud, rapid pace of change, and security skills gap, organizations need to consider new ways to achieve security objectives. By leveraging technical and human resources in new and different ways, companies can create security strategies that offer a more holistic approach to preventing data breaches in the cloud.
AI's Role in the New Cyber Security Frontier
Jeff Crume - IBM
In February 2011 an historic event took place. IBM’s Watson computer competed against the two biggest winners of the TV quiz show Jeopardy! — and Watson won. Since that time artificial intelligence (AI) has found its way into increasingly more and different types of applications ranging from cancer treatment to cyber security. This session will provide an overview of some of the various AI technologies and how they are being used to give the good guys an unfair advantage in the cyber war.
Human-Led. Technology Accelerated.
Mike Morris - root9B
Cybersecurity continuously attempts to evolve as a necessary response to cyberattacks and agile adversaries in the space. As soon as cyber adversaries understand defensive measures and technologies, they can (and do) find ways around them. One example of a well-subscribed but now outmoded approach to security is “defense in depth.” For years, organizations have been layering security solutions on top of security solutions. That includes appliances, software, processes, and services. In the end, this results in increasingly complex security networks that necessitate significant attention and maintenance, while increasing the amount of data and the resulting number of false positives. Often, data simply goes ignored. Unfortunately, defense in depth can actually increase the number of vulnerabilities in a network while distracting analysts from detecting network compromise and the presence of an adversary. This situation is clearly illustrated and highlighted at security vendor shows where it is commonplace to see dozens of different endpoint and network-based automation products falsely claiming to defeat human adversaries who are still proving to successfully defeat all of this technology. None of this is to say that defense in depth should be abandoned outright. Instead, we must reimagine defense in depth and develop new and innovative ways to integrate human defenders into a more effective and usable technology stack. Threat hunting brings this type of innovative approach to cybersecurity. Rather than adding one more piece of hardware or installing one more program, a trained human operator is introduced to an enterprise environment with a mandate to find adversaries that other solutions have missed. Put simply, threat hunting is the proactive search for and elimination of cyber adversaries within proprietary networks.
Quit Thinking in Colors
Quit Thinking In Colors is based upon the concept that over the past decade we have completely missed the concept of offense in enterprise security. The old way of thinking - in terms of red, blue, and purple teams - must be thrown out and a new way of thinking ushered in. We need to shift from “let’s find problems before they do” to knowing and seeing your network like an attacker does. Shifting to this mindset will help us drive home that offense for enterprise security isn’t an “us vs the defenders” battle. It is instead about communicating how an attacker might approach your network to aid the defenders in preventing and detecting badness. From the onset of Next-Gen $Technology to the concepts of targeted attacks, the methodologies behind network security have changed, but the use of offense really hasn’t. This talk is about a new thought process and how we at Riot Games have engineered a solution to enable our offensive security to assist our network defenders instead of creating more problems for them.
An Approach to Embedded Device Analysis for Network Defense
Analysis and defense of embedded devices, which includes the Internet of Things (IoT), is not always straightforward for network defenders and incident responders. Embedded devices are found in networks big, small, new, or established, which is changing the threat ecosystem of a network. The CERT Coordination Center proposed an initial methodology, the first of its kind, for vulnerability analysis that can be applied to any embedded device, to understand the threat and impacts to a network, and to best defend these devices on a network. This presentation will walk through our methodology, which includes embedded device list curation and identification, information gathering, firmware analysis, web application analysis, mobile application analysis, hardware analysis, and concluding with vulnerability analysis. In addition to the methodology, we also created an open source tool, called TROMMEL, to help incident responders, network defenders, and researchers during firmware analysis. This presentation will discuss a streamlined and repeatable methodology to produce more comprehensive and actionable results when analyzing and defending embedded devices.
- Defining Embedded Devices
- Embedded Device Vulnerability Analysis Methodology
- Applying this Methodology to Network Defense
- Budget Concerns
- Current Work
IT Security vs. Defensive Cyber Operations: The Evolution of CAF Cyber
This presentation will explain the impact of the establishment of the Canadian Centre for Cyber Security (CCCS) on the CAF and explain how the CAF is evolving in response. The difference between IT Security and Defensive Cyber Operations will be laid out, emphasizing how the Canadian Forces Network Operation Centre integrates into Government of Canada IT Security initiatives while fulfilling its mission. An update on the progress made on Cyber-related initiatives in the latest Canadian Defence Policy will also be provided.
Evolution of Computer Emergency Response Teams
Moderator: Chris Hallenbeck
Panelists: Nguyen Trong Duong, Pat Clow
This panel will discuss the evolving role of computer emergency response teams in the context of the changing cyber threat landscape faced by both government and private sector organizations. The panel will discuss the challenges of information sharing under the different legislative and legal frameworks the sectors work within and potential solutions that can be implemented within policy and response teams’ SOPs, as well as opportunities for co-operation between organizations.
Topics to be discussed include new issues posed by technologies such as cloud computing, IoT and ICS threats as more organizations adapt to smart building accommodations, and threat vectors such as supply chain management attacks which are being increasingly exploited by threat actors for long term access to high value victims.
Securing Self-Driving Cars
In the not too distant future, we'll live in a world where computers are driving our cars. Soon, cars may not even have steering wheels or brake pedals. But, in this scenario, should we be worried about cyber attacks on these vehicles? In this talk, two researchers who have headed self-driving car security teams for multiple companies will discuss how self-driving cars work, how they might be attacked, and how they can ultimately be secured.
How Stealthier Attacks are Blurring the Lines Between Cybercrime and Statecraft
Join CrowdStrike as we reveal some of the most alarming tactics, techniques and procedures (TTPs) being employed by today’s highly sophisticated adversaries. This session addresses the enhanced risks companies face, how organizations should leverage security capabilities and resources to best defend their assets and how a robust intelligence program separates the strong from the weak in operational security.
- The current global threat landscape and some of the latest cyber trends that have been uncovered by a team of elite intelligence professionals
- Some of the most advanced tactics, techniques and procedures (TTPs) utilized by nation-state actors, which are finding their way into mainstream criminality – these are an indicator of what to prepare for
- Best practice strategies you can implement to best protect your organization from increasingly sophisticated attacks
Advanced Russian Threat Actors Targeting the Financial Sector: The Sound of Silence
Silence is an advanced threat actor group which is constantly learning new tactics and techniques. Applying knowledge learned from security reports and other threat actors, and potentially with a connection to the security industry, this group has proven to be a worthy adversary. In this talk, Dmitry Volkov, CTO and Co-Founder of Group-IB, will provide a detailed overview of this group's TTPs, how they were modified over time, as well as what we can expect in the future from this group.
Artificial Intelligence versus Malware
Due to the wide range of readily-available resources for creating malicious payloads, such as coders for hire and Software as a Service, malware is an exponentially growing issue. Threat actors are able to rapidly assemble and deploy high volumes and varieties of malicious code to unsuspecting users. Current malware management models are simply overwhelmed or incapable of providing complete protection while reducing false positives toward that magical zero rate. During this session we will examine the history and workings of artificial intelligence. We will also explore a system comprised of highly efficient deep machine learning neural networks that are currently deployed to proactively defeat malware attacks against enterprises. We will then discuss the future of these systems and how they will be further leveraged into fighting cybercrime. AI is not just a concept or marketing buzz word - it is a functioning, operational game changer.
From the Trenches and Beyond: How NOT to do Intel Sharing
Information sharing isn't as simple as telling what you know to others. When during an investigation should you share even if it might hurt your response efforts? Should you shout it from the rooftops, or only share with tight knit, trusted communities? Should you call out indicators as being specific to a given intrusion or attacker, or simply mix them in with other indicators of badness?
Starting with the US-CERT EWIN-11-077A in early 2011 we'll talk about vetting of information, circles of trust, timeliness, and appropriate(?) use of shared information. We'll touch on efforts to improve on information sharing during the NASDAQ and RSA responses. We'll pivot to the OPM intrusion, and wrap up by discussing GRIZZLY STEPPE and the DHS Automated Indicator Sharing (AIS) program.