Agenda: ISOI XXII
5-6 March 2020, Rome, Italy
Hosted by: World Food Programme

ISOI XXII, Thursday, 5 March 2020

08:00 - 09:00: Registration/Coffee

09:00 - 09:15: Greetings, Welcome to ISOI XXII!
- Fergie and Kate greet
- Special & logistics announcements, etc.
- Evening plans, which will also be announced after the end-of-day session.

09:15 - 10:00: Kate Gagnon (World Food Programme), "What the World Food Programme does, how we do it, and how you can help"

10:00 - 10:45: Peter Kruse (CSIS Security), "Package Muling as a Service"

Whenever criminals are breaking into systems, they need to bring the stolen goods around and into the hands of somebody willing to act as a mule. Getting access to a bank account and circumventing 2FA is the easy part of the job. Getting the money out and into the criminal's account is more complicated. For this reason, money and package mules are crucial for most finance-based crimes.

Our insight into the package and money muling business shows that common money mules generally have a low level of education and oftentimes are in financial need. Thus, they usually end up as the lowest link in the criminal chain, even though they actually run the highest risk of being caught by law enforcement. However, since they are low-profile individuals, we oftentimes see that money and package mules are not being prioritized enough by law enforcement, which leaves the supply chain intact and the criminals in business.

This presentation will give a rare insight into the "mule as a service" business model, in which criminals provide their affiliates with easy access to a web-based service for managing and controlling mules globally. The service provides everything from recruitment, managing large numbers of mules, package and money tracking to trust rating, etc. What happens if we interrupt this supply chain instead of taking down just another botnet?
Hopefully, my talk will shed light on how well package and money mules are being operated, and what impact, in theory, going after this particular element of the criminal service could have.

10:45 - 11:15: Break

11:15 - 12:00: John Bambenek (ThreatSTOP), "A Tool To Reliably Classify a Domain's Maliciousness"

Machine learning is touted as a way for security teams to reduce their workload by creating smart systems that can do the work of analysts quickly so humans can focus on those things that truly require human analysis. This talk will cover a new machine learning tool called MalDomainML that uses a machine learning model produced using extracted DNS features to reliably (over 96% accuracy) predict whether an arbitrary domain is malicious.

Outline:
- Brief overview of machine learning
- Discussion of adversarial machine learning and attempts to manipulate automated models
- Using DNS features to inform machine learning models
- Introduction of MalDomainML: a tool to classify malicious domains
- Overview of research results in effectiveness
- Applying methodology to other classes of data

12:00 - 13:00: Lunch

13:00 - 13:45: Anthony Lauro (Akamai Technologies), "A look at automated traffic generation for credential abuse and retail inventory shopping automation"

Looking at traffic stats from the Akamai platform over the past 4 years has revealed that the percentage of HTTP requests utilizing APIs has increased to over 83% of Akamai's overall web traffic volume by hit count. We've also observed that in an analysis of credential abuse campaigns, more than 75% of ATO and credential stuffing attacks target APIs because of their inherent speed and the overall lack of basic security hygiene practices. We also take a look at how the configurations of these attack tools are closely tied to the API schema of the platform they are attacking for maximum effectiveness.
13:45 - 14:30: Vitali Kremez (SentinelLabs), "Hidden Link Between TrickBot 'Anchor' & North Korea 'Lazarus' State Sponsored Group", or "How North Korean Hackers are Working with Eastern European Cybercriminals"

Discovery of One of the Most Sophisticated & Resourceful Botnet Groups on the Crimeware Landscape. We identified a first-of-its-kind possible collaboration between the crimeware organization TrickBot and the North Korean advanced persistent threat (APT) group Lazarus. The TrickBot branch toolset, known as "Anchor Project," represents the first known link between cybercrime groups and APT actors. The research is evidence of "Anchor Project" tools being used to deploy malware possibly associated with the North Korean regime, a finding with significant national security implications.

14:30 - 15:00: Break

15:00 - 15:45: Simon Conant (Palo Alto Networks, Unit 42), "Et tu, [REDACTED]: A commodity RAT with an Italian flair"

With recent law enforcement action against several popular commodity RATs, the marketplace has shifted to compensate. Turns out that the author of the most popular commodity RAT on the market today hails from just down the road...

15:45 - 16:30: Donald 'Mac' McCarthy (Open Source Context), "How (hi)Jacked is BGP"

BGP hijacking is a problem. But how big a problem? Using data collected from July - December of 2019 we will slice up BGP hijacking by the numbers. What ASNs are the worst offenders of BGP hijacking? Which prefixes are the most hijacked? What infrastructure is tied to the worst offenders? What infrastructure exists within the most hijacked prefixes? On days where there are statistically significant numbers of BGP events, do they correspond to major geopolitical events? Defining the size and scope of a problem is a necessary part of prescribing and evaluating mitigations and/or structural changes.
16:30 - 17:15: Gabor Szappanos (Sophos), "50 shades of OSINT"

We are in asymmetric warfare, where the criminals can do anything they want, while the hunters are tied by legal and ethical constraints. The IT security community is actively tracking criminals using a wide selection of methods. These methods range from legally acceptable information gathering methods to illegally exploiting the servers of the criminals:
- Accessing data from open directories
- Fetching data using information leakage of incorrectly administered web panels
- Using the hard-coded access information from the malware samples
- Using vulnerabilities in the C&C panels to gain access to the data
- Hacking the websites that host the C&C panel

The presentation will cover these methods, with examples observed in the field. It is not done with the purpose of promoting the use of any of the methods, rather documenting what is actually going on. We'd be ignorant to not acknowledge what is happening in our field, and irresponsible if we didn't try to direct the efforts through the appropriate channels.

A single researcher can extract a lot of information by analysing a particular piece of malware, but in many cases can't act on it without breaking legal or ethical barriers. Using illegal methods for gathering intel on threat actors is also counter-productive: the information can't be used to prosecute the criminals. Our final goal should always be identifying the perpetrators and bringing them to justice. To have success in this fight, a more organised effort is needed where all pieces of the puzzle are brought together. Instead of going for the more aggressive and less ethical methods, a different approach is needed. We promote a model where all parties are brought together: security researchers for providing the threat intel, ISPs to shut down the malicious activities and law enforcement to legally fetch the data and act on it.
17:15: Adjourn

19:00: ISOI Fun Night

Friday, 6 March 2020

08:00 - 09:00: Registration/Coffee

09:00 - 09:45: Krassimir T. Tzvetanov (Purdue University), "OPSEC for investigators and researchers"

Whether performing an in-depth investigation or merely quick research, the investigator (or researcher) and the investigation itself are exposed to certain risks. This talk focuses on security and safety issues pertaining to online research and investigations. It covers different areas of the investigative process and how tools and particular techniques can leak information detrimental to the case or the investigator. Furthermore, it goes deeper into how investigators and blue teams can be profiled and targeted. These can be either direct attacks against their computer or supporting infrastructure, their person or the investigation, which in turn may be as subtle as steering it in the wrong direction or making the evidence inadmissible in court.

09:45 - 10:30: Dan Heywood & James Shank (Team Cymru), "Emissaries (Pandas) in the Middle East"

China's APT27 (aka Emissary Panda, TG-3390, BRONZE UNION, Iron Tiger, LuckyMouse) is busy conducting operations targeting the Middle East. These threat actors exhibited OpSec awareness, minimizing analysis possibilities, but there is evidence showing communications with victims in the energy, health care, technology, education, travel, and government sectors. Communications patterns used by APT27 threat actors leave fingerprints for network forensics. Netflow shows an extensive infrastructure that has evolved over time, including APT27 migrating between hosting providers, changing network fingerprints of data exfiltration, and changing certificates for VPN connections. In December, the Iranian government issued a statement claiming they had "foiled" an attack by "the well-known APT27" – but is this really the case...?
This presentation will focus on highlighting various elements of the ongoing APT27 campaign, including the threat actor's techniques, the analytic processes used to track APT27, infrastructure in operation by APT27, and techniques useful to detect possible compromises by APT27.

10:30 - 11:00: Break

11:00 - 11:45: Alan Neville (Symantec/Broadcom), "A look into the recent activities of the DarkSeoul/Operation Troy/Stonefly attack group"

In March 2013, three South Korean television stations and a bank suffered an attack in a suspected act of cyberwarfare that coincided with the 63rd anniversary of the Korean War. At the time, this attack was attributed to North Korea and dubbed "DarkSeoul". These attacks continued until 2015 and appeared to have ceased... until now. This presentation provides a walk-through of an investigation into the recent activities of this attack group, detailing a coordinated espionage operation to steal nation-state secrets.

11:15 - 13:00: Lunch

13:00 - 13:45: Bartosz Kwitkowski (PREBYTES), "Please wait while I'm transferring out your money" -- Automated and semi-automated fraud

Cybercriminals send spam without bothering about being spotted. Message content and meaning do not matter so much because end-users are "clicky" enough to infect the system. If not the "invoice" then "agreement" is the magic word opening doors. Bankers such as Danabot, Trickbot, GozNym (ISFB) are tools to deliver malicious JS which is used for real-time attacks against online banking users. The analysis includes a retrospective of different attacks and anti-detection techniques used in the past years.

13:45 - 14:30: Glenn Deen (Comcast) and Ben April (Farsight Security), "DoH!, DoT and EDDI - the Encrypted DNS Deployment Initiative"

DoH and DoT have generated a lot of discussion and worry in the inboxes of Internet engineers and places like the floor of the UK Parliament.
EDDI was created to fill a void in the discussion - a place to talk about architectural, protocol, and operational issues in deploying encrypted DNS - and has garnered wide support ranging from major ISPs in North America, the UK and Europe to groups like the EFF. Just what has got all these folks worried and what is EDDI doing to help? This talk will attempt to cut through the fear, uncertainty and doubt around the coming Internet apocalypse. OK, that may be a bit over the top, but doing this right is important and we've got a couple of decades of engineers doing clever things with DNS to keep working while adding encryption at scale to DNS. This talk will get into the details behind what's going on and hopefully provide some calming ahead of the apocalypse.

14:30 - 15:00: Break

15:00 - 15:45: Kaspars Osis (ESET), "DanaBot Overview"

DanaBot is a modular trojan horse with a multi-stage and multi-component architecture, written in the Delphi language. In our presentation, we will demonstrate how DanaBot evolved from a relatively small threat with only a couple of victims to the well-known malware it is today, affecting users all over the world. We will also provide a technical look into DanaBot's architecture, distribution methods and C&C server infrastructure and share the most notable findings from our research.

We believe that DanaBot's authors provide their affiliates access to the servers, compiled DanaBot binaries and tools. Each affiliate then controls its own part of the botnet, runs its own DanaBot distribution campaigns and uses a different set of webinjects that usually target some specific geographic region. In the first section of our presentation we cover tools available to the threat actors - DanaBot's Control Panel application, plugins and the configuration options. In the 2nd part of our presentation we cover different DanaBot campaigns that we have tracked over the last 2 years.
We take a closer look at the most notable affiliates, distribution methods used by them, and show webinject configurations from the actual campaigns targeting, for example, Poland, Australia, and the USA. In the final part of the presentation we share lessons we learned by tracking DanaBot campaigns, release YARA rules and IDA scripts that we have developed during our research, and provide suggestions on how to avoid and detect DanaBot infections in your organization.

15:45 - 16:30: Will Peteroy (Gigamon), "Threat Intelligence: Looked Better on the Sales Brochure"

We'll talk about the expectations and realities of threat intelligence feeds, including a TLP:RED discussion on the relative volume and performance of paid vs. free vs. trust-based indicators, and finish up with a conversation on how we can continue to make threat intelligence better.

16:30 - 17:15: Karl Perlman (CIP CORE and ENERGYSEC), "Facilitating security controls for industrial control systems"

This session will focus on procedural and operational controls to secure industrial controls. Access management, interactive remote access, electronic controls and network monitoring will be discussed. Engineering and information security principles will be identified. Emerging technologies being used to enhance the protection of industrial control systems will be identified.

17:15: Fergie: Closing Comments