As part of my new job, my employer is seeking to gain FIRST membership later this year. To support that goal, I was asked to attend the 30th FIRST Conference in Kuala Lumpur. For the travel-weary, this is not a trip to take lightly. For me it was 3 flights and 28 hours of travel total just to arrive. I do have to say, the conference venue, the Shangri-La hotel, is absolutely fabulous. Very nice, clean, and ultra-courteous staff. The swag bag I was given at registration was also very nice, including 3 shirts, a challenge coin, a notebook, a mini first aid kit, and a pretty decent backpack. I also have to say the lunch options for the conference are vastly superior to anything I have ever experienced. SANS and Blackhat could learn a few things. For a 5 day conference, you get a much greater value here.
If you are interested in jumping straight to the slides, you can visit here.
The conference was kicked off on Day 1 by Thomas Schreck (@shrekts) who gave out some interesting attendance statistics.
- 826 total attendees
- 159 USA
- 110 Japan
- 52 Malaysia
- 45 Singapore
- 35 China
- With 215 total membership orgs representing
I was a little surprised how many attendees from the US made it, but I wonder if a bunch of those were actually vendors/sponsors. Aside from covering how much progress FIRST has made over the last 30 years, Thomas also gave various sponsors the opportunity to address the audience. Alibaba Group announced a new ASRC global security group. Jerry Bryant from MSRC commented that they joined FIRST back in 2003 and have been sponsoring for the last 11 years. Some recent output of their involvement includes a PSIRT framework and some associated video training.
Keynote - "The Evolution of the Cyber Threat, Our Response and the Role of Diplomacy" by Chris Painter
With that, Jeff Carpenter, the program chair, introduced the day's keynote speaker, Chris Painter (@C_Painter). Chris has a pretty amazing background with stints at the DoJ, FBI, and State Dept. I am definitely going to check out his movie recommendation of Colossus: The Forbin Project. I had never heard of this before and I love old campy sci-fi type movies. The first part of his talk covered cyber diplomacy, which I have mixed opinions of at the moment due to the lack of any real verification. He did share an interesting nugget when talking about the 2000 DDoS attack by Mafia_Boy: he actually had a real Mafia dad who subsequently gained the interest of law enforcement after learning he had authorized a hit on one of his peers. One of his key points was that a recent change in attitudes and awareness has elevated cybersecurity to a core national security policy concern. This is great news for all of us in the business. He threw out the term "silos of excellence" when describing the US government, which I thought was spot on. Unfortunately his run at State was cut short when the Trump administration took over and dismantled the cyber diplomacy apparatus that he had just helped build. Up to that point, State had active diplomacy efforts with Japan, China, Brazil, India, and the Baltic countries. He is an active promoter of the Budapest Convention on Cybercrime and its goal of gaining consensus on how countries handle cybercrime and increasing cooperation. Chris also seems to believe that China is compliant with their recent agreement not to continue to pilfer US intellectual property from the private sector (#cringe). He also mentioned his work with the Global Commission on the Stability of Cyberspace (https://cyberstability.org/). Towards the end of the presentation, there was a great question from a journalist on his opinion regarding Sanger's book and Mandiant's "hack back" to obtain intel on APT1. He smartly didn't comment on that.
In response to my question regarding validation of countries abiding by agreements, he believes that controls are weak and that attribution is difficult but possible. Chris also commented on the 24/7 High Tech Network, which has the G7 and 48 other countries agreeing to preserve and share critical electronic evidence. Also recently, the US has passed the CLOUD Act to enhance evidence sharing further. Lastly he brought up the Internet Jurisdiction Project, which has similar goals.
Social Mining of Threat Actor Activities by Fyodor Yarochkin of Trend Micro
I enjoyed Fyodor's talk and it really provided some good examples of how one might leverage OSINT to track adversaries. I know right, someone actually sharing tradecraft!?!? God bless this man. The analysis was heavily focused on Twitter, which was great because it's a familiar resource. He categorizes interactions between accounts as Leader, Friend, Groupie, and Shout Outs. This does a lot to align the relationships and various agendas of the interactions. He naturally also tracks URL links and hashtags. Fyodor also mentioned that some eCrime actors even buy retweets, including some copycat Lizard Squad groups, which I found relevant as well. One of the main tools he uses is TWINT, and he has also built ways to automate determining which accounts are machine generated. It typically looks at the age of the account, email registration, and over 3k follows. You might ask why doesn't Twitter just take these accounts down; however, they must actually violate the ToS to get banned, and that is mostly around activity thresholds. He made a fleeting reference to NullCrew, which I will need to follow up on. And a final takeaway was a recommendation to combine your Twitter data set with honeypot data sets to see if or when attacks go active.
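To make the relationship categories and the bot heuristic from the talk concrete, here is a small added example of my own (not Fyodor's tooling, and not TWINT output) that classifies directed account interactions into Friend, Groupie and Shout Out, finds Leaders as the accounts many distinct sources point at, and scores profiles on the three signals mentioned (account age, email registration, more than 3k follows). The interaction data, the profile fields, and the thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of directed interactions: (account that mentioned/retweeted, account it pointed at).
INTERACTIONS = [
    ("actor_a", "actor_b"), ("actor_b", "actor_a"),                # mutual: each points at the other
    ("fan1", "actor_a"), ("fan1", "actor_a"), ("fan1", "actor_a"),  # repeated, never returned
    ("fan2", "actor_a"),                                            # one-off mention
    ("fan3", "actor_a"),                                            # one-off mention
]

GROUPIE_MIN = 3         # assumed threshold: one-sided interactions before we call it a groupie
LEADER_MIN_SOURCES = 3  # assumed threshold: distinct accounts pointing at one target


def classify_pairs(interactions):
    """Label every directed (source, target) pair as Friend, Groupie or Shout Out."""
    counts = Counter(interactions)
    labels = {}
    for (src, dst), n in counts.items():
        if (dst, src) in counts:        # reciprocated: the target also points back
            labels[(src, dst)] = "Friend"
        elif n >= GROUPIE_MIN:          # keeps pointing at someone who never answers
            labels[(src, dst)] = "Groupie"
        else:                           # a one-off, unreturned mention
            labels[(src, dst)] = "Shout Out"
    return labels


def leaders(interactions, min_sources=LEADER_MIN_SOURCES):
    """Accounts that many distinct accounts point at: the hubs of the graph."""
    sources = defaultdict(set)
    for src, dst in interactions:
        sources[dst].add(src)
    return {acct for acct, srcs in sources.items() if len(srcs) >= min_sources}


# Constructed profile data for the bot heuristic (field names are assumptions).
ACCOUNTS = {
    "actor_a": {"created": date(2014, 3, 2), "email_verified": True, "follows": 410},
    "fan3": {"created": date(2018, 6, 20), "email_verified": False, "follows": 3500},
}


def bot_score(profile, today=date(2018, 6, 30)):
    """Count the three signals from the talk: new account, no e-mail on file, more than 3k follows."""
    score = 0
    if (today - profile["created"]).days < 30:
        score += 1
    if not profile["email_verified"]:
        score += 1
    if profile["follows"] > 3000:
        score += 1
    return score


def likely_bot(profile, today=date(2018, 6, 30)):
    """Two or more of the three signals is treated as machine generated (assumed cut-off)."""
    return bot_score(profile, today) >= 2


if __name__ == "__main__":
    for pair, label in sorted(classify_pairs(INTERACTIONS).items()):
        print(f"{pair[0]:>8} -> {pair[1]:<8} {label}")
    print("leaders:", leaders(INTERACTIONS))
    for name, profile in ACCOUNTS.items():
        print(name, "likely bot" if likely_bot(profile) else "probably human")
```

With real collection, the `INTERACTIONS` list would come from mention and retweet records and `ACCOUNTS` from profile metadata; the classification rules themselves are the point, and they are easy to tune once you see how your own data falls out.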
Cyber Threat Intel SIG with James Chappell and Krassi
The very first meeting of the CTI SIG was held at the conference, and thanks to James and Krassi for taking the initiative to bootstrap this. Directly from the slide deck, the mission is "to discuss common applications of cyber threat intelligence capability with a view to agree on best practices in the context of supporting effective digital forensics and incident response (DFIR) operations." Given the community's basic lack of consensus on what CTI is and how it should be operationalized, I agree with them that this is very much needed. One important caveat is that this group will not be involved in or facilitate the exchange of threat intel. The initial working definition of CTI is "Information about threats and threat actors that provides sufficient understanding to mitigate a harmful event in the cyber domain". And quite apropos, the purpose of intelligence is defined as "improving decision making by reducing ignorance". The discussion was wrapped up by listing out some shared resources and the process for contributing and curating CTI information going forward. If you want to get involved, definitely sign up for the list (email@example.com).
MindHunter - Adversary Inception by Levi Gundert from Recorded Future
This was another great presentation that Levi stated was the culmination of 2 years of work by a group of threat researchers at Recorded Future. Since this presentation was marked no social media, no press, and TLP "yellow", I will need to leave out a lot of the details in my notes. The first profile was on TDO or TheDarkOverlord, which is fairly well known. Starting back in 2016, and then widely targeting medical orgs, schools, and even Netflix and HBO, the TDO group has been fairly prolific. A key point made was that they fully rely on other eCrime actors to provide them with access to target orgs, mostly focusing on credential reuse. Next they profiled "Mr.01", a Farsi-speaking "greyhat" who is known for compromising the large Ashani security forum. K1ngCobra (aka KingCobraSec, Ret2Plt) is known for some exploit development work, but like Mr.01, largely believes they are bug researchers and not "hackers". Finally BigBear, a prominent Russian greyhat hacker, was profiled. He is head of security for a bank, but has filed 244 bug bounties, along with acting as a mentor for others in the RU hacker scene. At the end of the presentation I asked a question regarding successful pretexts for their personas, and they indicated that if you have time, establishing yourself as a noob trying to learn hacking on the side tends to work. If no time is available to properly establish a persona, often just buying their services can work. Lastly, they reiterated you must exercise extreme caution with any links provided by a target as it may blow your OPSEC.
Cyber Weather - Situational Awareness Product For Our Non-Technical Constituents by Tomi Kinnari
This was actually one of the sessions I had eyed early on the agenda as being one I wanted to attend. Which is rare for me, because I usually gravitate towards the technical talks. What I was looking for was a good way to convey trends to leadership. This really hit the nail on the head for me and proves that sometimes simple and straightforward is the best approach. All this really does is take advantage of a familiar metaphor to, in their words, "provide situational awareness to the target audience that they can understand and use in their daily work." I would definitely like to use this going forward to produce monthly trending reports from our nascent CTI team.
Not Just Indicators: Data Processing with n6 by Pawel Pawlinski
Pawel opened up the talk by discussing how CERT.PL operates and that they are the brokers between defenders and policy makers. They had a common problem in centralizing and normalizing large amounts of data from diverse sources in different formats. The n6 project actually kicked off way back in 2011. I did come to this workshop thinking we would be working through mini labs; however, the majority of the presentation was focused on covering the architecture in excruciating detail. I wanted to get a clear understanding of what problems this might solve versus Splunk. I think having a bigger focus up front on applying use cases would have been a better approach. However, I think some really nice work is being done here and I will definitely be following any output from CERT.PL.
Mitre ATT&CK BoF by Richard Struse
This was a pretty short session focusing on how people are using ATT&CK and what a possible future roadmap might look like. For those that haven't used it yet, ATT&CK is often referred to as an encyclopedia of adversary behavior. The four main use cases covered by Richard were developing new analytics (detections), assessing your cyber defense, seeing the threat (visualizing attacker behavior), and adversary emulation. One discussion that came up was that some felt ATT&CK wasn't granular enough, and Richard pointed to another MITRE project, CAPEC, which is much more detailed.
Memory Forensics in Incident Response and Threat Hunting by Josh Lemon from SANS
This was a pretty standard introduction to using Volatility for memory analysis, covering each of the popular modules. Since I have already taken the Volatility course with Case and MHL, there wasn't much here for me to learn, but it was interesting nonetheless. One thing that I thought was very cool is that they gave out a bunch of memory samples so that attendees could analyze them on their own time. Josh did provide a workshop book, but it was more of a presentation and not working through examples lab style. I promptly forgot the workshop book when I left and I'm kicking myself for that.
Building and Maintaining Large-scale Honeypot Sensor Networks by Piotr Kijewski from Shadowserver
Piotr opened the talk by covering how Shadowserver works. They are large in the US and EU and have 2k employees, but half of those are volunteers. SISSDEN, their current project, leverages a global distribution of VPSs that simply forward all their traffic back to a central datacenter that contains all the honeypots. Each honeypot runs in a Docker container on its own VLAN. They leverage Moloch and Stenographer for packet capture and they are using hpfeeds to share information. They currently support Cowrie, Glastopf, Conpot, and Spampot but are looking to expand to other honeypot types. They are currently deployed in 49 countries across 300 servers. Their framework and code is closed source and it's not clear to me how organizations are going to benefit from this yet.
Deep Dive: Case Study Responding to Intrusions into the US Electric Sector by Mark Bristow DHS
Unfortunately this talk was restricted from social media and pictures. I wasn't quite sure why, as this was reported publicly by the government and private sector. Since I had worked a BerzerkBear engagement, I was all too familiar with it, but it was really cool to see how DHS connected the dots all the way back to May 2016 as the initial start. Mark, who gave the talk, was from the NCCIC HIRT team, which is an offshoot of US-CERT and ICS-CERT. He said that this year-long effort analyzed over 50K systems! I'm going to assume that doesn't mean full forensic analysis. A couple of TTPs I hadn't seen or didn't remember were the use of a 3x2 pixel image instead of a 1x1 pixel image to avoid NIDS detection, as well as the use of LNK files on corporate intranets to keep recompromising users. If you're interested in reading more, you can search for GRIZZLY STEPPE.
Catching Up with Osquery Workshop by Doug Wilson of Uptycs
I haven't done a ton with osquery, but I have always heard good things about it. This was the ONLY workshop that actually was hands on, as Doug had us work through various exercises. For me, it was very beneficial. He gave us a VM from which to work so there weren't any install or configuration issues. The first part of the labs was getting comfortable with SQL syntax and how to JOIN data from two disparate tables. This was followed by digging into all the different tables and the FIM functionality. And there are extensions you can leverage like Augeas and Prometheus. I tend to think the best benefit of osquery over other solutions is that it's very light touch, which sensitive developers approve of, and it provides pretty good coverage on Linux and OS X systems, which to date hasn't been a strong point of the big EDR vendors.
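The JOIN exercise from the workshop is easy to practise without the VM: osquery tables are just SQL tables, so the same query runs against SQLite. Below is an added example of mine (not Uptycs workshop material) that loads constructed rows modeled on a subset of osquery's `processes` and `listening_ports` columns and joins them on `pid` to answer "which process owns which listening socket", then narrows the same join to a hunting question. The rows and the column subset are assumptions; the `LISTENERS_SQL` query itself can be pasted into `osqueryi` unchanged.

```python
import sqlite3

# Constructed rows modeled on a subset of osquery's `processes` and `listening_ports` columns.
PROCESSES = [  # (pid, name, path)
    (1, "init", "/sbin/init"),
    (812, "sshd", "/usr/sbin/sshd"),
    (1204, "nginx", "/usr/sbin/nginx"),
    (2291, "python3", "/tmp/.x/python3"),
]
LISTENING_PORTS = [  # (pid, port, protocol, address); protocol 6 is TCP, as osquery reports it
    (812, 22, 6, "0.0.0.0"),
    (1204, 80, 6, "0.0.0.0"),
    (1204, 443, 6, "0.0.0.0"),
    (2291, 4444, 6, "0.0.0.0"),
]


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT)")
    db.execute(
        "CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT)"
    )
    db.executemany("INSERT INTO processes VALUES (?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", LISTENING_PORTS)
    return db


# The JOIN the workshop practised: bind each listening TCP socket to the process that owns it.
LISTENERS_SQL = """
SELECT p.pid, p.name, p.path, lp.port, lp.address
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.protocol = 6
ORDER BY lp.port
"""

# Same JOIN narrowed to a hunting question: listeners whose binary lives in a temp directory.
TEMP_PATH_LISTENERS_SQL = LISTENERS_SQL.replace(
    "WHERE lp.protocol = 6",
    "WHERE lp.protocol = 6 AND (p.path LIKE '/tmp/%' OR p.path LIKE '/dev/shm/%')",
)


def listeners(db):
    """All TCP listeners with their owning process, ordered by port."""
    return db.execute(LISTENERS_SQL).fetchall()


def listeners_from_temp_paths(db):
    """Only the listeners whose executable path is somewhere it usually should not be."""
    return db.execute(TEMP_PATH_LISTENERS_SQL).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in listeners(db):
        print(row)
    print("suspicious:", listeners_from_temp_paths(db))
```

The second query is the kind of thing that turns a table join into a scheduled check: run it on an interval, log the result set, and alert on any row, since a service listening from `/tmp` on a production box is rarely intended.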
Keynote: Jury-Rigging Democracy: The Crazy, Sad Saga of Election Security in the US by Kim Zetter
This was easily my favorite keynote and it had very little to do with my day job. Kim walked through various election security fails dating back to 1997, when Diebold was found to have a hard-coded decryption key and its firmware was not signed. Big shocker, they never fixed it. Something that blew my mind was that in the 2000 Bush/Gore election, a "faulty" memory card took away 16K votes from Gore and gave Bush 2K votes. The problem was that the county only had 585 registered voters. What is even more scandalous is that at one point in the 2000s, 2 Ukrainian brothers were the CEOs of the top 2 electronic voting machine providers. And the government, being the government, is going out of their way to deny there is even a problem here. It sounds like at some point in the future, this will be compiled into a book for all to read.
Patchwork: From One Malicious Document to Complete TTPs of a Medium Skilled Threat Actor by Daniel Lunghi and Jaromir Horejsi from Trend Micro
This was an interesting presentation on how they have tracked Patchwork over the years, also known as QuiltingTiger, DroppingElephant, and Monsoon. This dates back to 2016, and they are targeting countries of interest to India, such as China, Pakistan, Bangladesh, and Sri Lanka. Not just confined to gov and mil, they have targeted online retailers, banks, and telecommunications. One of their TTPs that is unique is their use of the TMLP mail service for sending out their phishing attacks. Within their phishing lures they have used embedded links to scriptlet (.sct) files. Per Trend, at times this group has exhibited very poor OPSEC, leaving their web server directories wide open. They make use of QuasarRAT and most notably created their own .NET backdoor known as NDiskMonitor. And most recently they have been observed using AndroRAT. If this group is confirmed as targeting cellphones, what do you think other more advanced groups are doing? That should be sounding alarm bells for most to ramp up their mobile forensics capabilities, which at a minimum could just be having a policy in place and a firm on retainer.
Behind the Scenes of Recent Botnet Takedown Operations by David Watson of Shadowserver
At the beginning of the talk, David talked about the Mirai takedown in Dec 2016, which was over 4 million devices. However, this talk was about the takedown of Avalanche, a CDN for hire by criminals. Avalanche was used to host over 20 malware families, including the phishing toolkit Rock Phish, Zeus, Gamarue, and others. The platform was fairly advanced, including fast-flux DNS backed by 2 tiers of proxies, and included a money mule service. What I liked most about this presentation is that David actually covered what happened in the real world in regards to the arrest of their leader Gennadiy Kapkanov. He actually had an AK-47 on him and shot at the police, before jumping to his neighbor's balcony. His neighbor was also heavily armed and helped the police detain him. Gennadiy was then released by authorities due to a technicality. Let that sink in for a moment. Someone who shot at police with an assault rifle was allowed to go back on the street. He was then captured 14 months later in Kiev, where he is currently awaiting trial.
Banks and Russian Speaking Adversaries by Alexander Kalinin from Group-IB
This talk focused on the "Cobalt Gang", which shouldn't be confused with Carbanak. While the groups may collaborate, they are distinct AFAIK. The text on the slides was very small, so it was hard for me to capture a ton of details. Essentially the group went active in March 2016 targeting SWIFT, ATMs, payment gateways, and card processing. Some of their TTPs include use of alexus-mailer, the Rpivot proxy, and PetrWrap ransomware. In English-speaking countries, they have been observed using the JS 2.0 backdoor. They have also used a variant of Infostealer that can only be started via an ODBC process. And they plugged their CyberCrime conference (https://2018.group-ib.com/conference) in Moscow on Oct 9-10, 2018.
Crawl, Walk, Run: Living the PSIRT Framework by Mark Stanislav from Duo
I don't have any PSIRT responsibility, but my company has a PSIRT team, so I decided to attend this talk largely because of Mark's reputation. The presentation focused on Duo's journey to apply the PSIRT framework from FIRST. They leverage ISO 30111 for handling security defects and use DREAD for scoring priority. It's worth noting Microsoft no longer uses DREAD. He stressed that PSIRT is a business function, not a technical function. Two lessons learned he shared were not to send notices as a PDF or before the patch is ready. Both lead to issues. They also make an effort to track the quality of their bug submissions. Another key takeaway he mentioned was to only issue customer communications Tuesday through Thursday. Avoiding weekends and holidays will help avoid customer frustration.
Keynote: Lessons Learned from a MITM Attack by Frank Groenewegen and Erik de Jong from Fox-IT
This was another talk that didn't allow pictures or social media. And this was actually for good reason this time, because it was a debrief on their own incident. I love this and think it should be a thing at conferences. The big question for orgs is: do you have active alerting in place if your DNS records are modified? Does your DNS provider support 2FA authentication? This allowed a nation state actor to intercept, or act as a MITM for, their client portal. Fox-IT was able to resolve the incident in just over 10 hrs with largely minimal impact. I can't go into any more details on this due to the sensitivity; however, they had the quote of the conference for me: "Full packet capture will save your ass".
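The "do you have alerting if your DNS records are modified?" question is one you can answer with very little code. What follows is an added example of my own (not Fox-IT's tooling): a stored baseline of the records you expect for names you control is compared with what a resolver returns, and any difference becomes an alert listing what was added and removed. The zone names, record values, and the canned "observed" answers are constructed so it runs offline; `stdlib_resolve_a` shows a real lookup for A records using only the standard library, and in production you would swap in a full resolver.

```python
import socket

# Constructed baseline of the records you expect for zones you control.
BASELINE = {
    ("portal.example.com", "A"): {"203.0.113.10"},
    ("portal.example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.net.", "ns2.example.net."},
}

# Constructed "current" answers standing in for a live resolver: the A record has been repointed.
OBSERVED = {
    ("portal.example.com", "A"): {"198.51.100.77"},
    ("portal.example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.net.", "ns2.example.net."},
}


def canned_resolve(name, rtype):
    """Offline stand-in for a resolver; a missing entry behaves like an empty answer."""
    return OBSERVED.get((name, rtype), set())


def stdlib_resolve_a(name, rtype):
    """Real lookup for A records only, using the standard library; other types return empty."""
    if rtype != "A":
        return set()
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def detect_drift(baseline, resolve):
    """Return one alert per (name, type) whose answer set differs from the baseline.

    An empty answer (name gone, NXDOMAIN, resolver failure) also differs from a
    non-empty baseline, so a deleted record is reported, not silently skipped.
    """
    alerts = []
    for (name, rtype), expected in sorted(baseline.items()):
        actual = set(resolve(name, rtype))
        if actual != expected:
            alerts.append({
                "name": name,
                "type": rtype,
                "added": sorted(actual - expected),
                "removed": sorted(expected - actual),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_drift(BASELINE, canned_resolve):
        print(f"ALERT {alert['name']} {alert['type']}: added={alert['added']} removed={alert['removed']}")
```

Two practical points: query the zone's authoritative servers (or your DNS provider's API) rather than a caching resolver, otherwise you see the change only after the old TTL expires; and keep the baseline under change control, so that a legitimate record update is a reviewed edit to the baseline rather than an alert someone learns to ignore.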
What's in a Name? The Need for Global Identifiers of Badness by Richard Struse from MITRE
Richard's main thesis was that CTI doesn't have enough context, and I think everyone agrees with that. He then illustrated a Pyramid of Pain-esque diagram for mapping context. He also thinks that name bloat isn't necessarily the problem we think it is, because most names are not 1:1 overlaps; only portions of the observed activity align. I also agree; however, I think actor attribution should be standardized, but I know it never will be because marketing. I would like to see standard threat actor naming, and let marketing do their thing on campaign naming. That would be the best of both worlds. He also referenced Florian Roth's great post on threat actor naming.
Determining the Fit and Impact of CTI Indicators on your Monitoring Pipeline (TIQ-Test 2.0) by Alex Pinto from Verizon
This was an updated version of the talk Alex has been giving for a few years: that we need to find a way to properly analyze and rate the value of threat intel feeds, for example how Feed A differs from Feed B. He used a cool example of the current cult, Orange Theory Fitness, as an analogy for diminishing returns on your threat intel. One thing his data showed was that AlienVault OTX has a ton of false positives. This is likely because they include a lot of indicators for shared infrastructure or services. Examples of higher fidelity feeds included Vxvault, tracker_h3x_eu, and Abuse.ch's Ransomware Tracker. And he provided the 2nd best quote of the conference, "Come on, we need vacations, we need the machines to do the work for us!"
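To show what "how is Feed A different from Feed B" looks like as numbers, here is an added example of my own (not TIQ-Test, and not Alex's methodology or data): two constructed indicator feeds are compared on overlap, uniqueness, and the share of each that sits in shared hosting space, which is the kind of indicator that fires on benign traffic. `marginal_value` then captures the diminishing-returns point: how many indicators a new feed actually adds once you discount what you already have and what is shared infrastructure. The feeds and the shared-infrastructure list are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed feeds of IPv4 indicators (RFC 5737 documentation ranges, not real IoCs).
FEED_A = {"198.51.100.5", "198.51.100.6", "203.0.113.9", "192.0.2.1"}
FEED_B = {"198.51.100.5", "203.0.113.9", "192.0.2.44", "192.0.2.45", "192.0.2.46"}

# Constructed list of ranges standing in for shared hosting/CDN space used by many tenants:
# an indicator inside one of these will match benign traffic as well as the bad actor's.
SHARED_INFRA = [ipaddress.ip_network("192.0.2.0/24")]


def is_shared(ip):
    """True if the indicator falls inside a known shared-infrastructure range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_INFRA)


def feed_metrics(a, b):
    """Overlap, uniqueness and shared-infrastructure share for two feeds."""
    inter = a & b
    return {
        "overlap": len(inter),
        "unique_a": len(a - b),
        "unique_b": len(b - a),
        "jaccard": len(inter) / len(a | b),
        "shared_infra_ratio_a": sum(is_shared(i) for i in a) / len(a),
        "shared_infra_ratio_b": sum(is_shared(i) for i in b) / len(b),
    }


def marginal_value(have, candidate):
    """Indicators the candidate feed adds that are both new to you and not shared infrastructure."""
    return sum(1 for i in candidate - have if not is_shared(i))


if __name__ == "__main__":
    for key, value in feed_metrics(FEED_A, FEED_B).items():
        print(f"{key:>22}: {value:.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
    print("B adds to A:", marginal_value(FEED_A, FEED_B))
    print("A adds to B:", marginal_value(FEED_B, FEED_A))
```

On this constructed data Feed B looks bigger, but everything it adds over Feed A lives in the shared range, so its marginal value is zero; the same arithmetic over a month of real feed pulls, with your own allow-list of shared services, is a defensible way to decide which subscriptions to keep.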
Practical Integration of Threat Intelligence and CSIRT Processes to Accelerate Efficiency and Timely Response of Incidents by Malaysia CERT
I didn't have any takeaways from this talk. It basically showed how this CERT is trying to slowly mature their CTI program with very little resources and no dedicated staff. This is a very common place to be that many can relate to. They tend to have a high focus on banking and finance related incidents. They currently struggle with building automation and are pursuing more diversity in their toolsets.
Keynote: 30 years on…why are we still needed more than ever? by Paul Jackson from Kroll
This talk was a walk through of various cases Paul Jackson was involved in, with a heavy nexus to Hong Kong where he worked most of the time. He also had a stint with JPMC in New York City. I don't tend to get a lot of value from these types of talks, despite the heavy expertise and strong credentials of the speaker.
Attacker Antics: Illustrations of Ingenuity by Bartosz Inglot and Vincent Wong from FireEye
This was definitely one of the more useful talks as it exposed people to several TTPs they might not have known about. For example, using Amazon Books as a C2. They did observe CobaltSpider using McAfee ePO to push out malicious PowerShell scripts appearing like MS KB patches. They also covered TICK/BronzeButler overcoming air-gapped networks by conducting recon and collection via USB devices passed between the networks. They also covered a very cool webshell that implemented a poor man's OTP by embedding the time into a comment on the page, which would be appended to the password. And another one of my favorites was about the compromise of an Exchange server. Specifically they were able to install a custom transport agent via PowerShell cmdlets along with an ISAPI filter to steal credentials. I asked them how they found it, and it was during an endpoint sweep for any hosts that may have had customer patches applied. They believe this activity was attributable to the MS name PLATINUM.
Emotet Malware by Neil Fox from BT Security
I really enjoyed this conference, for two primary reasons. One, it was very much a different crowd than those who typically attend a SANS or Blackhat conference. I was able to meet people from SE Asia that I wouldn't normally interact with during work activities. The second reason was the tremendous value. The venue, the talks, the food, the swag, all were superior to what I've seen at other conferences for the price charged. My only feedback for improvement would be to ensure that the workshops are actually workshops that follow more of a lab format. Other than that, I would highly recommend this conference to anyone. Hopefully I can attend next year when it's in Edinburgh.