CCCC 2020 Presentations for Download
Alex Matrosov, NVIDIA
Anna Borgström, NetClean Technologies AB
Axelle Apvrille, Fortinet
Gabor Szappanos, Sophos Group Plc.
Jayson E. Street
Katherine Carpenter, Independent Consultant
Kristinn Gudjonsson, Google
Maciej Kotowicz, MalwareLab.pl
Mikael Jensen, DI – Dansk Industri
Patrick A. Westerhaus, Jason R. Britt, Cyber Team Six
Paul Rascagnères, Cisco Talos
Peter Kruse, CSIS Security Group
Todd Bame, Brian Plants, U.S. Postal Inspection Service
Blind Spots of Threat Intelligence: Hardware and Firmware Challenges
Protecting What Matters
Malware and Cybercrime in Medical IoT
Mining Mayhem: The Fallout of EternalBlue
The Spoon Problem with: Life, Hacking & InfoSec
Breach Notifications – How to Prepare for the Worst and Set Your Business up for Success
Forensic Automation Using Open Source Tools
Fishing Elephant, or How to Build a Cloud-Based APT
Setting New Standards in Cybersecurity & Ethics.
Fraud Prevention: The Future Is Cyber-Threat Intelligence.
Bisonal: 10 Years of Play
Our Top 5 Cyber Trends and Predictions for the Year Ahead
How Does a Reshipping Mule Operation Work?
The download file is password protected. The password was sent to all conference participants after the event. In case you attended the conference, but can’t find the password anymore, please, send an email to mah(@)csis.dk in order to have it resent.
Bisonal: 10 Years of Play
Paul Rascagnères, Cisco Talos
Technical level: High
Bisonal is a remote access trojan (RAT) that’s part of the Tonto Team arsenal. The peculiarity of the RAT is that it’s been in use for more than 10 years — this is an uncommon and long period for malware. Over the years, it has evolved and adapted mechanisms to avoid detection while keeping the core of its RAT the same. During this presentation, we will show the evolution of the malware, the different campaigns and a couple of targets where Bisonal was used.
Blind Spots of Threat Intelligence: Hardware and Firmware Challenges
Alex Matrosov, NVIDIA
Technical level: High
In nowadays, it’s difficult to find any hardware vendor who develops all the components present in its products. The big piece of it outsourced to OEM’s includes firmware too. That creates additional complexity and limits to hardware vendors to have full control under its hardware products. That creates not only additional supply chain security risks but also produce security gaps in the threat modelling process by design. In most cases hardware vendor separate threat model and security boundaries for each hardware component present on the platform but in reality, it misses a lot of details which is directly reflected on platform security. In this talk, we will look over the prism hardware and firmware forensics with threat intelligence souse.
Breach Notifications – How to Prepare for the Worst and Set Your Business up for Success
Katherine Carpenter, Privacy Consultant, Licensed attorney
Non-Technical
We’ve all heard the saying, “it’s not a matter of if you’ll be breached, it’s a matter of when.” Under GDPR, businesses must alert Data Protection Authorities (DPAs) within 72 hours of a data breach (with a potentially small exception). Understanding European requirements and taking a few important steps will help prepare your business to respond properly when a data breach does occur. You’re likely to be responding to a security incident if you need to deal with breach notifications. Businesses’ security infrastructure exists in a special place where we expect systems to be robust and are not able to view or judge their quality. This talk will also address security requirements to minimize your chances of a breach.
Fishing Elephant, or How to Build a Cloud-Based APT
Maciej Kotowicz, Founder of MalwareLab.pl
Technical Level: Low
In order to make a successful espionage campaign, we need a couple of things, mostly the idea of a good lure and infrastructure for both infection and exfiltration. Nowadays everyone was, is or will be moving their infra to the cloud so why not APTs? Why set up a costly dedicated server when we can use free PaaS hosting? Why not use a cloud-storage service for exfiltration with all of it unlimited quota and backups? Want to host some malware? Guess who gets you covered? Same goes for a lure, abusing the image of a trusted third party is a perfect way to trick the user to click where he shouldn’t. What about tools? Just swing by a popular code-sharing platform and choose a tool in the language of your liking! Code-based attribution won’t be a problem!
In this presentation, we will show how to set up a successful campaign abusing publicly available services and tools. In order to do so, we will use campaigns conducted by Fishing Elephant as an example. Fishing Elephant is a newish set of targeted activities operating in South Asia we discovered last year.
Forensic Automation Using Open Source Tools
Kristinn Gudjonsson, Google
Technical level: High
The need to scale up your operations is ever-growing, we can’t keep on just hiring more people to do forensics and incident response, we need to instead focus on codifying the knowledge of our current analysts.
In this talk, I’ll walk through one example of how to achieve this utopia of ours of having our different forensics and response tools talk together. The talk will make use of dftimewolf, plaso, Timesketch and an open source SIEM solution to demonstrate how we can automate the collection, parsing, analysis and reporting of a security incident, helping analysts to speed up their investigations.
Fraud Prevention: The Future Is Cyber-Threat Intelligence. We Really Can Do a Whole Lot Better!
Jason R. Britt, Patrick A. Westerhaus
Cyber Team Six
Technical level: Low
Online fraud affects the customers of banks, financial services companies, retailers, utility companies, telecommunications service providers and any other companies that have a significant online presence. Being successful in the fight against account takeover in the cyber age requires new types of analytical and technological capabilities.
This session will present a new fraud prevention analytical methodology. The presentation will include actual use-cases to demonstrate what can happen when cyber threat intelligence is gathered in volume, automated promptly and utilized in predictive models to stop fraudsters in their tracks.
How Does a Reshipping Mule Operation Work?
Brian Plants, Todd Bame
U.S. Postal Inspection Service
Non-Technical
In the effort to shed light on how people steal, reship and sell stolen goods, the U.S. Postal Inspection Service will talk about how threat actors utilize technology to automate many components of their reshipping operation, how mules are recruited, and discuss search warrants that yielded an estimated 1 million dollars in stolen retail merchandise.
How to Deal With a Major Ransomware Attack; Key Insights and Learnings From the Real World
Rasmus Rasmussen, Demant
Non-Technical
In this session, Rasmus will talk about the huge Ransomware attack that hit Demant in 2019. Rasmus will also share some of the lessons learned and present the plans the Demant have made to improve the IT security setup.
Malware and Cybercrime in Medical IoT
Axelle Apvrille, Fortinet
Technical level: Medium
Connected pill bottles, glucose sensors and insulin pumps are not gadgets. They help people. Do cybercriminals care about our health? Probably not 😉 but they make money out of it. – Discover mobile malware which targets medical applications. – Understand the economy of underground markets with full health reports, medicine and organs.
Mining Mayhem: The Fallout of EternalBlue
Gabor Szappanos, Sophos Group Plc.
Technical Level: High
Remember what you did on the 12th of May 2017? There are days that leave a lasting memory that never fades. The most recent of these events in our profession was the day WannaCry was set on loose rendering over 200,000 systems unusable.
This worm was using one of the zero-day exploits leaked from NSA that was released by the mysterious Shadow Brokers group. Shortly after this devastating incident followed the more targeted destructive NonPetya attack. After these two incidents, a more quiet period came. One would think that the bad guys lost interest in the exploit, the world learned the lesson, and the vulnerable systems got patched: the threat is over. Nothing could be further from the truth.
After the fireworks fade out, the time for the hard-working cybercrime groups comes. These groups are the SMB enterprises of the criminal world: they don’t have the resources that nation-state or high-end criminal groups have, but have capable coders, and what they lack in money compensate with creativity. They keep working on implementing these exploits in the malware distribution toolset. These efforts were dominated by cryptomining botnets (Powerghost, Lemon Duck, Mykings, just to name a few), but other high-profile malware, like Trickbot, also used the opportunity of a new infection vector.
The presentation will cover the post-WannaCry era of the EternalBlue exploit, the most important campaigns using it, and the different approach the cybercrime groups were following in implementing the exploit (sometimes even borrowing ideas from concurrent groups).
The presentation will cover the different approaches and solutions the cybercrime groups came up using to unlock Eternalblue. It is important to understand the sources they were using, their methods and their capabilities because it helps us prepare for future exploits and attacks.
Our Top 5 Cyber Trends and Predictions for the Year Ahead: What Companies Need to Prioritize
Peter Kruse, CSIS Security Group
Non-Technical
This year has surely been a turbulent one, but let us prepare for the year ahead. What threats do we need to be aware of? The presentation will cover topics like BEC, APT, Ransomware as disruption and attack engine, Financially motivated spear phishing attacks and Crime-as-a-service and the ongoing commercialization of the underground economy.
Protecting What Matters
Anna Borgström, NetClean Technologies AB
Non-Technical
While companies spend excessive amounts of money on cybersecurity, fraud, data leakage and virus protection for good reason there is one aspect that is often overlooked; the fact that 1 in 500 employees are using company assets and networks to consume child sexual abuse material (CSAM)
While most people are aware that CSAM is produced and shared online, most people do not know how the material is consumed and shared and why the pattern of dissemination puts companies and organizations at risk.
The NetClean 2017 Report states that 65.5% of the police officers surveyed had worked on investigations where CSAM was found on workplace computers in the private sector and that there is a strong correlation between viewing CSAM and abusing children.
The NetClean 2018 report focuses not only on the insights on child sexual abuse crime from about 300 police officers around the world but also the experience and perspective of companies actively working with CSAM detection and the conclusions that can be drawn from more than 500 actual alerts that the surveyed companies have had in total.
This presentation will elaborate on how companies can display ethical leadership, strengthen company values and help plot a brighter future for children by working towards the requirements of Agenda 2030.
Setting New Standards in Cybersecurity & Ethics, Denmark’s New Scheme for Trustworthy Use of Data
Mikael Jensen, DI – Dansk Industri
Non-Technical
By the end of 2020, a new Danish labelling scheme and seal for IT-security and responsible use of data will be launched and companies in Denmark will be able to apply for the seal. The labelling scheme will enhance IT-security and responsible data use and digital trust, by: – providing a solid boost of enhanced IT security, cyber security and responsible use of data to the Danish industry at large. – providing business value for the companies in question – creating increased trust among customers and consumers – making cyber security, responsible data use and digital trust a Danish & European position of strength The founding partners behind the initiative are the Confederation of Danish Industry, the Danish Chamber of Commerce, SMVdenmark and the Danish Consumer Council. The initiative is financially supported by The Danish Industry Foundation. The Danish Business Authority and The Danish Industry Foundation have an observer role on the board.
Should You Negotiate With IT-Criminals and If So, How?
Jan Kaastrup, CSIS Security Group
Michael Sjøberg, Human Advisor Group
Michael Sjøberg, Human Advisor Group
Non-Technical
This presentation builds on a real case, where a company was taken hostage by IT-criminals that were asking for a substantial ransom. The presentation will reveal how, by engaging with a professional negotiator, a company can gain significant ground compared to “going it alone”. The presentation will look into the psychological aspects involved in negotiation processes.
The Ex-Robotos BEC Scam Investigation
Peter Kruse, CSIS Security Group
Technical level: Medium
In a time span of several months and person or group has conducted several campaigns against Office365 with the target to compromise credentials. The purpose of these attacks is to use that very same access that is being obtained through these campaigns to login and conduct BEC (Business Email Compromise) fraud. In this presentation we shall follow the MO of the attackers behind these campaigns, show how we were able to consistently take down all the malicious domains (more than 3000 over the past 3 months) and give insight about the infrastructure and the kit being used to do these attacks. We shall also try to follow the breadcrumbs and eventually get an idea about who’s behind these massive waves of attacks against enterprises, educational institutions and public services in Denmark and elsewhere.
The Pandemic’s Pandemic:
How Cybercriminals Continue to Leverage COVID-19
Jan Kaastrup, CSIS Security Group
Technical level: Low
While the world has struggled with the social and economic impact of the pandemic, it has become more apparent than ever that society’s woes are yet another opportunity for unscrupulous cybercriminals to exploit individuals and organizations alike. Cyber-attacks were rampant; a rapid growth in email fraud campaigns, for example, were seen the world over. Organizations around the world had to adapt their ways of working to a remote and virtual new normal. People all of a sudden became reliant on remote connectivity, access and communication/ collaboration for all aspects of their day-to-day work. The need for greater cyber threat awareness came into focus. IT Security teams, processes, procedures and infrastructure had to be re-thought, improved and hardened. Beyond a recap of some of the campaigns we witnessed, this opening conference presentation will look into an incident response case that the CSIS team worked on during this time, which will reveal some crucial insights and learnings about the things that organizations should consider as we continue to fight the good fight against cybercrime in this new reality.
The Spoon Problem with: Life, Hacking & InfoSec
Jayson E. Street, SphereNY
Technical level: Low
It’s the start of a new decade (please no arguing about that, let’s just say it is.) The best way to start it off right is with a delightful educational rant. One of the most asked questions I receive is, “How do I become a Hacker?” I’ve been asked this so many times I literally created a webpage, iR0nin.com, on this very topic. Spoiler alert that hasn’t helped with people asking the question. So let’s not only address that topic for the next year with help from people in the industry, but there are some other things I would like to get off my chest as well, so why not lump them all together and get this party/decade started right! I promise there will be no war stories, but hopefully, some will be started with it! So prepare for some insights as well as information being delivered more loudly and probably more passionately than usual. The main objective is not to watch Jayson burn everything down to the ground, though it may appear that way, but to hear some unvarnished truth and knowledge shared for the benefit of the community we all are a part of.