Agenda:
ISOI XXI
11-12 April 2018
Burbank, California
Hosted by: Warner Brothers
Thursday, 11 April 2018
08:00 - 09:00: Registration
09:00 - 09:15: Greetings, Welcome to ISOI XXI!
- Fergie and Ron greet
- Special & Logistics announcements, etc.
- Evening plans, will also announce after end of day session.
09:15 - 10:00: Warner Brothers slot: TBD
10:00 - 10:45: Jonathan Matkowsky (RiskIQ): "Exploring a Post-GDPR Mitigation Framework for Privacy-invasive Digital Abuse"
- Privacy-invasive forms of digital abuse, such as doxing or sextortion, continue to impact digital cybersecurity risk management. When it comes to mitigating the more traditional harms of phishing, malware, copyright theft, and even brand abuse, incident responders have been relying for decades on voluntary cooperation among private actors, and leveraging regulations incorporating notice-and-takedown principles. This session explores whether Europe's GDPR (and comparable regulations, such as Canada’s PIPEDA) may impact a mitigation framework for digital cybersecurity risk management when it comes to less well-articulated forms of abuse specifically related to privacy harms in the context of incident response. For example, when should a provider made aware of personal data on its platform remove or disable such content? Should right to be forgotten principles influence how intermediaries reasonably interpret and enforce their acceptable use policies on a global basis? How should we balance the rights to privacy with freedom of expression, and freedom to access information online?
10:45 - 11:15: Break
11:15 - 12:00: Krassimir "Krassi" Tzvetanov (Fastly): "OPSEC for investigators and researchers"
- Whether performing an in-depth investigation or merely quick research, the investigator (or researcher) and the investigation itself are exposed to certain risks. This talk focuses on security and safety issues pertaining to online research and investigations. It covers different areas of the investigative process and how tools and particular techniques can leak information detrimental to the case or the investigator.
Furthermore, it goes deeper into how investigators and blue teams can be profiled and targeted. These can be either direct attacks against their computer or supporting infrastructure, their person, or the investigation itself, which in turn may be as subtle as steering it in the wrong direction or making the evidence inadmissible in court.
More specifically, this session will cover different browser and infrastructure fingerprinting techniques, browser hooking, instant message programs, email security and tracking. As it covers the dangers, this session provides a series of countermeasures and mitigations which can help the investigator increase their level of safety and security and decrease their digital footprint. In addition, the session introduces containerization and how it can be used to segment and streamline the process.
12:00 - 13:00: Lunch
13:00 - 13:45: Katherine Carpenter: "2018 CA privacy laws, and laws impacting infosec and your organizations"
- In 2018 CA passed two laws that impact the way organizations handle data and/or protect their technology systems. This session will discuss the CA Consumer Privacy Act (CCPA) and the CA Security Act. Learn how you may need to adjust your strategies for information handling and how to address challenges that may arise because of these new laws. (If there are questions or there is space to address the impact of GDPR and the differences between the laws, that is also available.)
13:45 - 14:15: Break
14:15 - 15:30: Roel Schouenberg (Celsus Advisory Group): "State actors in 2019: Global social engineering at scale via cyber ops"
- Given all the diatribes regarding the security of IE6 back in the day, or the joke that is IoT security today, the most vulnerable system exposed to the internet is the human mind. State actors have always known it's extremely hard to put exploit mitigation in place for brain 1.0. After all, propaganda has existed for as long as humankind has known language.
15:30 - 16:15: James Shank (Team Cymru): "All your DNS, are belong to...?"
- An unknown actor group has been having great success through a modus operandi focused on changing DNS record entries for targets of interest and exploiting this access for intelligence gathering purposes. These activities have affected both individual zones as well as zones containing authoritative name servers for several other zones and ccTLDs. For targets of specific interest, they have set up infrastructure to intercept and MITM connections to services, such as webmail. These target entities represent multiple sectors, but primarily energy, airlines, and government sectors in multiple Middle Eastern and North African countries. They have created and used multiple fake certificates, generated via Let's Encrypt and Comodo, to facilitate MITM collection of targeted services.
The attackers have also targeted core global DNS infrastructure and naming resources. These victims may have been targeted due only to their position within the global DNS hierarchy, effectively a means to an end. Through this access, the actors have control at the ccTLD level, allowing them to surgically select targets of interest from the data (DNS resolution requests) for manipulation, forwarding non-interesting requests off to legitimate DNS services to send back proper answers. The attacks are advanced in nature, backed by a large infrastructure, exhibiting a high level of sophistication.
Team Cymru and several others have been working to track this activity, understand the impact, contact victims, and issue guidance on increasing security measures both of endpoint organizations as well as the global DNS system as a whole.
This presentation will focus on highlighting the attacker techniques, the analytic processes used to track the attackers, the attacker infrastructure, and a fundamental flaw with global name handling that degrades the entire system to blind trust as a best case, as well as an ongoing effort to fix that flaw.
16:15 - 17:00: Dan Hubbard (Lacework): "Kubernetes security: offensive and defensive?"
- In many ways the drift between "Dev-ops" and security is moving fast, and we as a community need to move at the pace of our developers. While architectures are grasping concepts such as ephemeral workloads, real-time adjusting mesh networks and overlays, serverless functions, and broadly deployed orchestration systems, the security teams unfortunately are still thinking about the moat, their inventory, and key controls.
Kubernetes is arguably the fastest growing open source project for Enterprises since Linux. This presentation will review Kubernetes (K8's) architecture, demonstrate some examples of the attack surface, and then corresponding defense mechanisms with a focus on built-in methods and open source.
17:00: Adjourn, reminder of evening plans again
19:00: ISOI Fun Night
Friday, 12 April 2018
08:00 - 09:00: Registration
09:00 - 09:45: Lior Kolnik (Demisto): "Security automation playbooks - state of blue teams"
- SOC and IR professionals are required to use myriad different tools and services to handle alerts and investigate cases, including EDR, Sandboxes, SIEM, pDNS, TIPs and more. Working through all of these GUIs is time consuming and has a learning curve due to the hundreds of different tools and vendors out there - every environment will have different tools. False positives must often be identified manually due to the lack of direct communication between the siloed tools. Security automation playbooks present a solution to this problem. They combine the mature ideas of orchestration IR workflows into a single focal point to improve capabilities for each type of alert the team needs to handle. In this talk we will review 5 commonly used playbooks in teams that are starting out with orchestration and 5 more advanced playbooks for mature blue teams. We will also share lessons learned from building playbooks with blue teams protecting Fortune50 companies.
09:45 - 10:30: Lawrence Baldwin (MyNetwatchman.com): "IMAP Stuffing"
- Criminals have stepped up the credential stuffing game: they are testing billions of credentials against associated email providers in an attempt to compromise the victim's email account. The net effect is that email accounts are being compromised at an alarming rate, tens of millions per month. For now, criminals are focused on the low-hanging fruit, hijacking bitcoin accounts and stealing electronic gift certificates from the victim's inbox. Going forward, it's not hard to imagine how this access could be used to take over accounts relating to any organization with weak password reset procedures or which allows 2FA via email. Additionally, historical email messages from compromised inboxes provide a detailed map of the victim's relationships: who they bank with, where retirement funds are held, and where they shop. This intel could easily be used to launch highly targeted phishing and malware campaigns.
10:30 - 11:00: Break
11:00 - 11:45: Tom Byrnes (ThreatSTOP): "The Ghettofication of the Internet"
- Every cybercrime starts with a person making decisions, and people are creatures of habit. They pick the same places to go to and order the same foods, and the same is true for criminals: they have patterns of behavior. This talk will cover several efforts to create reputation on providers to determine criminal prevalence by ASN, Registrar, and TLD. This will provide actionable data so defenders can simply opt to block the Internet's bad neighborhoods and focus effort on those attacks that occur from other locations. Open source data will be provided as part of this presentation.
12:00 - 13:00: Lunch
13:00 - 13:45: Ashlee Benge (Cisco Talos): "When Worlds Collide: a discussion of disagreements between security researchers and vendors"
- In the world of threat research, there are often differences of opinion between vendors and researchers. Vulnerability disclosure is a complicated process, and one that is crucial to the security of the Internet. Cisco Talos’ objective in the disclosure of vulnerabilities is to protect users worldwide from security flaws that may be exploited by people with ill intent. We strive to achieve this by working as closely with vendors as possible in order to fix the issue, and get word out of the fix to our customers and the Internet as a whole. Each vendor handles security issues differently, however, and not every vendor’s process functions ideally. This talk will discuss in detail new vulnerabilities Talos has discovered in Apple, McAfee, and secure IM products including WhatsApp and Telegram. We will then discuss Talos’ disclosure process for each of these vulnerabilities, the challenges of collaboration, and ways this process can be improved as to better achieve our end goal - the improved security and safety of Internet users worldwide.
13:45 - 14:15: Break
14:15 - 15:30: Sylvester Segura (Symantec): "Chafer - An Evolving Attack Group"
- This talk will characterize the targeting and attacks of a group called Chafer and discuss how their attack patterns have continued to evolve.
With regards to targeted attack groups, there is a spectrum from 'less sophisticated' to 'highly sophisticated.' Whereas less sophisticated attack groups might be characterized by poor operational security, or the use of commodity off-the-shelf malware, more sophisticated groups may tend to develop their own malware, use infrastructure that is harder to track and are often well-organized enough to carry out multiple attacks at scale.
Chafer falls somewhere in the middle of this spectrum. They develop their own malware, they are relatively careful operationally and they are difficult to detect. Although they may not be considered one of the most sophisticated or prolific attack groups, Chafer have been very effective. They have evolved and are continuing to evolve, and pose a major threat to their targets. This presentation will discuss Chafer’s historical targeting and motivations, as well as the changing patterns observed in Chafer attacks over time.
15:30 - 16:15: William Peteroy (Gigamon): "On ZeroTrust and BeyondCorp Environments"
- ZeroTrust and Google's BeyondCorp (ZT/BC) started as interesting security architectures to limit risk and over the past few years have become buzzwords and taken on a life of their own. This talk will start with a high level concise analysis of their goals and definitions and then go into some of the practical challenges of embracing ZT/BC as methodologies and finish up with some lessons learned from practical analysis on how we can take components from ZT/BC and embrace them to build stronger security architectures.
16:15 - 17:00: Dan Schwalbe (Farsight Security): "Crossing the streams: data-plane vs. control plane - DOH/DOT/DNScrypt etc."
- With DOH (DNS over HTTPS) and DOT (DNS over TLS) becoming hot topics it is worth discussing how both of these systems work with and fight against the existing network infrastructure approaches. This will include discussion of the privacy, security, network management, and performance aspects of these alterations to Internet name-service.
17:00 - 17:15: Fergie: Closing Comments