Skip to main content

CCCC 2017 Presentations for Download

Marie Moe, SINTEF:

Ford Merrill, CSIS:

Peter Kruse, CSIS:

Andreas Bruun Strøbek, Data & More:

Michael Christensen, inHouse Security:

Paul Vixie, Farsight Security:

Philippe Jessen:

Kristoffer V. Scavenius, CERTA:

Casper Munk Christiansen, Nordea:

James Wyke, FireEye:

Veronica Valeros, Cisco Systems:

The individual download files are password protected. The password was sent to all conference participants after the event. In case you attended the conference, but can’t find the password anymore, please, send an email to mah(@) in order to have it resent.

Dare to Share

Poul Otto Schousboe, Chief Information Security Officer, Danske Bank

We often hear about large corporations in the Media who have not been able to protect their own and their customers personal and confidential information.
Most reactions to such news reflect frustration that the company has not done enough to keep information safe.
However, as more companies begin to break the news to the Media earlier on in the attack process, reactions are changing: The future of cybersecurity lies in sharing information and knowledge about the various attack vectors and attacks themselves.
The Nordic Financial CERT has been established to enable sharing of information and to encourage collaboration to protect our customers and society.

Stuxnet and Beyond: Digital Weapons and the Future of Our Cities

Kim Zetter, Journalist

Technical Level: Medium
In 2010, a computer security firm in Belarus stumbled upon Stuxnet, a mysterious virus of unparalleled complexity that was attacking systems in Iran.
Unlike any other virus or worm built before, this one didn’t just simply hijack the targeted computers or steal information from them, it escaped the digital realm to wreak actual physical destruction on an Iranian nuclear facility.
The first digital weapon discovered in the wild, Stuxnet shone a light on the potential for such attacks in the U.S. and elsewhere, and the threats posed by nation-state adversaries, terrorists or anonymous hacktivists who might launch destructive digital attacks against other critical infrastructure.
This talk will not only focus on Stuxnet but also on the security issues with systems that control trains, planes, water treatment plants and the power grid. The recent hack of Ukraine’s power grid shows the potential for more widespread attacks.

Hacking My Own Heart

Marie Moe, Research Scientist, SINTEF

Technical level: Low
This talk will be about medical device security and privacy, in particular for connected medical devices like implanted cardiac devices with remote monitoring functionality.
Gradually we are all becoming more and more dependent on machines. We will be able to live longer with an increased quality of life due to medical devices and sensors integrated into our bodies.
However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device may cause patient harm and have fatal consequences.
Marie’s life depends on the functioning of a medical device, a pacemaker that generates each and every beat of her heart.
This talk is about Marie’s personal experience with being the host of a vulnerable medical implant, and why she decided to start a hacking project, investigating the security of her own personal critical infrastructure.

DDoS: An Enduring Problem (Track: Cur. Persistent Threats)

Ford Merrill, Senior Security Specialist, CSIS Security Group A/S

Since the inception of the internet, denial of service and related attacks have historically been a problem. This talk will explore the history of DDoS and it’s evolution over the years.
Topics covered will also include current attack metodologies, traffic capabilities, attacker motivations, and monetization of attack platforms.
There will additionally be a focus on practical systems and network design choices that can be made to ensure a more robust and resilient system designed to withstand attacks.

Payment Diversion Fraud: The New Nigerian Way (Track: Fraud & Response)

Gabor Szappanos, Sophos Plc.

Technical level: High
Nigerian criminals have been heavily involved in email scams for decades. They started with the classic 419 scams and then moved on to CEO spoofing.
The latest development of this process was the transition to the (slightly) more sophisticated business email compromise (BEC) schemes, most notably payment diversion.
We will explain the importance of the change from CEO spoofing to BEC: there is a significant difference from both the user awareness and the protection point of view.
In a typical payment diversion scheme the criminals use credential stealers in order to gain access to corporate email services then look for pending invoices.
Using the compromised account they send out updated invoices that divert the payments to the criminals’ bank account.
The compromise is not the working of a single individual, rather it is a larger, complex and organized group of people working together.
The presentation will give an insight into and deep analysis of the working and internal structure of an average Nigerian BEC group. At the top of the group are those responsible for the administration of the drop servers.
Others are preparing the keyloggers used in the attacks, and hand them to the distributors, who collect the potential target addresses and send out the phishing emails.
Finally the operators are at the bottom of the food chain and work with the compromised accounts. These criminals are not highly sophisticated computer experts.
Instead of developing their own solutions, they heavily rely on commercial offerings from the underground markets.
The presentation will show the most important tools that are popular with the Nigerian criminals, including keylogger builders, cryptors, Office exploit generators, mass-mailers.
We will also give an overview of the pre-infection, infection and post-infection process of the common BEC schemes, detailing the preparation of the malware, the selection of targets, the mass-mailing the malware to the victim, the server side components used for keeping track the infected systems, and managing the compromised accounts and collecting the diverted payments.

GDPR – Data Identification and the DPO Toolbox (Track: GDPR)

Andreas Bruun Strøbek, Partner, Data & More

The general data protection regulation (GDPR) will hit in on the businesses from May 25th 2018.
The GDPR is not only affecting the IT domain, but it is reaching the entire organization and the processes within.
In a survey conducted in December, a vast number of Danish businesses had just started the effort of getting compliant with the GDPR. Only 32% of the businesses stated they ran ISO27001 and 25% ITIL.
This is worrying low percentages. (ISC)2 has identified 12 main elements, that need to be completed, in the presentation I will outline these elements, and some of the main processes, bringing GDPR to life within the organization; dataflow analysis, Data Privacy Impact Analysis (DPIA) and “Privacy by Design and by Default”. Further the presentation will outline how the businesses can utilize existing compliance with ISO27001 and ITIl.

Evolution of Ransomware (Track: Cur. Persistent Threats)

Peter Kruse, Head of Research&Intelligence, Partner, CSIS Security Group A/S

Technical Level: Medium
No doubt Ransomware has been on everybody’s agenda to watch, either user or cyber-criminal. Over the last 2 years, ransomware significantly increased.
More and more companies and consumers are hit by Ransomware, more and more internet-aware devices are open for Ransomware, the prices that have to be paid to release the files taken hostage increased to sometimes astronomical values, and the social engineering to get the ransomware on the systems as well as the social pressure to extort the money got really professional.
This professionalism even extended to the helpdesks of the cyber-criminals that often operate at a 24/7 basis with a service far beyond services supplied by commercial companies.
Likewise, the creators of ransomware provide Control Panels to the Ransomware Operators giving them visibility into systems a system administrator would almost “kill” for.
Peter and Righard will go into the evolution of Ransomware from novice (simple) to professional (expert), both from the victims and from the operator’s perspective showing real examples.
Furthermore they will get into the awareness of Ransomware as well as unified active defense for both the corporates entities as well as consumers.
Type of presentation: Lecture with demo (either live or recorded, depending on the availability of Control Panels at that time)

Building DNS Firewalls using Response Policy Zones (Track: Fraud & Response)

Paul Vixie, CEO, Farsight Security, Inc.

Technical Level: Medium
The Internet’s first distributed reputation system was the Realtime Blackhole List (RBL) in 1996, and literally all e-mail you will receive in what remains of your lifetime will be protected by at least one RBL (the largest of which is SpamHaus).
However, e-mail is only one app, and the Internet is now dominated by new and newer and newest apps. The common element of all Internet apps is that they rely on the Domain Name System — DNS. In 2011, members of the original RBL design team created the Response Policy Zone (RPZ) system which brings distributed reputation filtering capabilities to the DNS itself.
Now in 2016, DNS RPZ has evolved enough to become an Internet standard, has been implemented in both the BIND9 and Unbound name servers, and is being deployed by operators of all sizes in all regions.
In this short talk, Paul Vixie, co-inventor of both RBL and RPZ, will explain the motivations and methods of distributed reputation system protection for the DNS, along with pointers to both open source and commercial resources for those interested in joining the DNS RPZ revolution.

GDPR – Main Processes and Drivers (Track: GDPR)

Michael Christensen, Compliance and InfoSec Consultant, inHouse Security

The general data protection regulation (GDPR) will hit in on the businesses from May 25th 2018. The GDPR is not only affecting the IT domain, but it is reaching the entire organization and the processes within.
In a survey conducted in December, a vast number of Danish businesses had just started the effort of getting compliant with the GDPR. Only 32% of the businesses stated they ran ISO27001 and 25% ITIL.
This is worrying low percentages. (ISC)2 has identified 12 main elements, that need to be completed, in the presentation I will outline these elements, and some of the main processes, bringing GDPR to life within the organization; dataflow analysis, Data Privacy Impact Analysis (DPIA) and “Privacy by Design and by Default”.
Further the presentation will outline how the businesses can utilize existing compliance with ISO27001 and ITIl.

Using Behavioural Analysis to Spot Fraudulent Online Activity (Track: Finance)

Casper Munk Christiansen, Fraud Solution Management, Nordea

Technical Level: Low-Medium
Traditionally we have been using old-fashioned rules to detect and try to predict online fraudulent behaviour.
This has become increasingly harder as the threat landscape has become much more complex.
A new way of thinking was needed. In this engaging and energetic talk Casper will go through how Nordea has chosen to mitigate the online threats for their customers using a tool that listens to the traffic, analyses the behaviour and spot fraudulent trends using a much more adaptive method than before.
This will include learnings on how behavioural analysis can be implemented, the customer privacy issues we encountered and how partnering with vendors and other banks has become a big party of the fraud prevention strategy.

I’m an APT Paleontologist and You Can Be One Too! (Track: APT & Detection)

Costin G. Raiu, Director, Global Research and Analysis Team, Kaspersky Lab

Technical Level: Medium
Sometimes, I like to compare APT researchers to paleontologists that find bones of a long-gone dinosaur.
In those circles, it often happens that some paleontologists have an unusual or rare bone but nobody has the full skeleton.
Similarly, in security research we like to collect things, especially rare artifacts. Sometimes we join efforts with other “paleontologists” and share our discoveries.
Once we collect enough of bones from a monster to understand its potential size, danger and habits, we start the next phase, which might lead us to its mysterious lair.
At Kaspersky Lab, we are processing hundreds of thousands of malware samples every day. The art of figuring out which ones are significant and further yet which ones belong together as part of a big APT attack is akin to finding dinosaur bones in a huge haystack and then figuring out which ones belong to the same skeleton.
We are grateful for every bone we discover, because this makes the world a little safer.
In this presentation, Costin Raiu will guide you through some of the most exquisite discoveries of the Global Research and Analysis Team, from zero days to the elusive Wild Neutron APT group.

Behavioral Change Communication to Prevent Hacking (Track: Awareness & OSINT)

Philippe Motet Jessen , Independent Communication Advisor

Firewalls, anti-virus programmes and ongoing updates of critical software. Technical protection is essential to protect your company against cybercrime.
However, the protection of technical solutions is limited due to the human factor within companies. Insufficient IT-security awareness among employees and non-compliance with basic behavioral principles increase the risk of hacking.
Employees may use malicious USBs, click on links in phishing mails or share sensitive information on phishing sites – unaware that the company may face cybercrime with possible economic loss to follow.
A classic one-way communication effort conducted to build awareness and compliance among employees does not suffice to ensure a general change of behavior.
It may lead to a false sense of protection. Stronger communication strategies are needed.
The use of behavioral science and strong employee involvement in recurring internal communication campaigns is a prerequisite to obtain not only high awareness, but also a strong behavioral IT-safety compliance to mitigate the risk of cybercrime in the company.

Commodity Banking Malware – Alive and Kicking? (Track: Finance)

James Wyke, Senior Security Researcher, FireEye

Technical Level: Medium
In these days of state-sponsored APT and billion dollar banking heists, it is understandable that the humble banking bot receives less attention than perhaps it once did.
However, the market for commodity banking malware has been quietly flourishing. There are a variety of active threats including newer families such as Terdot, TrickBot, DreamBot and Panda that represent re-worked and improved modifications to older threats such as Zeus, Dyre and ISFB.
Various older threats are still active, in some cases, despite arrests and takedowns including Dridex, Nymaim, Vawtrak, Gootkit, Kronos, Atmos and Chthonic. There is also considerable activity from malware families that have had their builders or full source code leaked such as Zeus, Citadel, KINS, ISFB and Tinba.
This presentation explores some interesting aspects of several currently active banking malware threats.
We note differences in distribution methods such as reliance on RIG EK, use of intermediary downloaders such as Chanitor in high volume spam campaigns, or more geo-targeted campaigns where lures are restricted to specific languages.
We highlight the families that are openly sold to any buyer that is willing to pay, those that are exclusively available by invitation only, and those that are owned and operated by one group with no external customers.
Where possible we match the common name for the malware to the name as advertised by the seller.
We note the many families that share common code lineage, such as Zeus or ISFB, and how far from the original code they have diverged, using this knowledge to highlight common traits in observed web injects and deployment by multiple families of the same third party systems such as ATS’s.
Finally, we will explore how the Avalanche takedown had a far greater impact on certain families than others.

OSINT – The Intelligent Approach to Cyber Crime and Other Security Threats (Track: Awareness & OSINT)

Kristoffer V. Scavenius, Senior Analyst, CERTA Intelligence & Security A/S

Private corporations are increasingly exposed to more and new security related threats. The dynamic and complex threat picture requires a strategic, timely and proactive approach in order for private corporations to prevent, identify and counter specific threats effectively.
A strategic, timely and proactive approach can only be ensured, if it is intelligence-based, and the capacity as well as the capability to collect, process and analyze the relevant information is therefore essential.
Open Source Intelligence (OSINT) has become one of the most important intelligence sources not only for national intelligence and security agencies, but also for private corporations.
In his presentation, Kristoffer V. Scavenius will address why and how OSINT must be applied as an integrated part of due diligence procedures and other security related procedures within private corporations.

Threat Hunting En Masse: The 9 Circles of Evil (Track: APT and Detection)

Veronica Valeros, Software Engineer, Cisco Systems

Technical Level: Medium
Threat hunting is a fascinating field. Starting with the assumption what your organisation is already compromised, it intends to find and identify existing threats in the network.
The threats you are trying to look for are threats that already bypassed all your security measures, making this task even more challenging.
Can you imagine doing threat hunting at big scale? Now imagine doing threat hunting at a really big, big scale.
This talk will walk you through my experience as a threat hunter in hundreds of networks simultaneously covering more than a million hosts.
The talk will cover the common challenges and limitations we often face when working with big data, how human threat hunters can be complemented with Machine Learning and how this combination actually works out.
Finally, this talk will introduce ‘The 9 Circles of Evil’ based on more than 2 years of threat hunting in this large scale scenarios.

        CSIS Security Group A/S, Vestergade 2B, 4th floor, 1456 Copenhagen