Excursion: Vilnius – a city of secrets

Excursion: Business Hive Vilnius (BHV)

As a part of long-term research into the security of Czech and Slovak Internet (.CZ and .SK domains and/or on IP addresses geolocated within CZ or SK, to be more precise), ALEF CSIRT conducted an analysis of data from several thousand freely accessible open directories. Many files from these directories turned out to be quite interesting as Jan will discuss during his talk.

TLP:White

A quick introduction to the recently open-sourced data sharing platform created by CERT Polska.

n6 automates collection, normalization, enrichment and exchange of security data feeds, and was designed to handle large amounts of abuse reports and indicators. After several years in production at CERT Polska, it was open-sourced in June 2018. This presentation will introduce the tool, cover recent developments and lay out plans for upcoming development.

Source code: ​https://github.com/CERT-Polska/n6

TLP: White

• Ivo Dijkhuis – Whoistory.
  Frederic Fautrier – Snapshot of CERT-MC.
• David Crooks – WLCG Security Operations Centres
  Working Group.
• Daniel Kouril – Coinmining.
• Paweł Pawliński – SISSDEN Status.
• Henrik Lund Kramshøj – VXLAN.
• Aaron Kaplan – Android APK Malware detection with ML.
• Jan Kopriva – Security Research on a Budget (Part II).

“Map of Public Internet” for national public internet network topology visualization, analysis, operational monitoring and threat detection that could be used by national CERTs in all EU countries. This platform would be developed, based on expertise of Lithuania’s CERT, which has developed a national solution dedicated to Lithuania’s public internet network. The platform would function as the information system based on data collected from public sources (based on BGP and related network protocols). System’s functionality would include data collection and its integration into the system, administration, history preservation and information sharing functions. The system would be able to gather information (in common formats) from additional sources (honeypots, abuse feed systems, incident management systems and other information systems), as well as from countries that agree to share its security events (feeds).

TLP:GREEN

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is a NATO-accredited cyber defence hub focusing on research, training and exercises. The international military organisation based in Estonia is a community of currently 21 nations providing a 360-degree look at cyber defence, with expertise in the areas of technology, strategy, operations and law.

NATO CCDCOE is home of the Tallinn Manual 2.0, the most comprehensive guide on how International Law applies to cyber operations. The Centre also organises the world’s largest and most complex international live-fire cyber defence exercise Locked Shields. Another highlight of the Centre is the annual International Conference on Cyber Conflict, CyCon, a unique event joining key experts and decision-makers of the global cyber defence community in Tallinn every spring.

Some specific topics, which we cover in our research, range from Malware Analysis to Industrial Control System Security, from doctrine development and operational planning processes to applicability of International Law and Cyber Norms for Cyber Operations. Research results from our projects will be applied into CCDCOE’s trainings, courses, and exercises.

TEAM UPDATES: Henrich Slezak, CSIRT.SK

Team Update from the CSIRT.SK team
TLP:GREEN

Sylwia will present a training event that will take place on 6-7th November in Warsaw. It will be the Polish edition of combined training GridEx and SANS NetWars.

On November 6th there will be exercise SANS ICS NetWars. As described by SANS, NetWars is a suite of hands-on, interactive learning scenarios that enable cyber security professionals to develop and master the real-world, in-depth skills they need to defend real-time systems.

On November 7th will be training PolEx (Polish Grid Exercise). It will consist of a one day table top exercise followed by a separate executive out brief at the conclusion of the event. It will be modeled for Poland off the US GridEx event, which is the biennial exercise conducted by NERC that is designed to simulate a cyber/physical attack on electric and other critical infrastructures across North America.

TLP: White

“A click on a link in an email infects the computer system of your organization with ransonmware. It’s up to you and your colleagues to rescue the data. You have to put down the attack of the criminal hacker.

TLP: White

• How important is the role of communication (message content, critical timing, local and international collaboration) to us?
• What are the difficulties and threats we come across in order to ensure trustworthy communication with the society and media? Are we able to defeat/cope with all of them?
• Suggestions of “know-how” exchange between PRs in CERT community and its’ potential benefits, case studies.

TLP:GREEN

Threat hunting is an important process in every security operation – whether it is meant to produce intelligence for internal or external use. Threat hunting consists of proactively searching through large scale network data to detect and pinpoint threats that evade automated and signature-based security systems.

In this talk, Dhia will discuss the different steps of efficient threat hunting at scale and describe how to initially use a set of short term high signal seeds from manual analysis to uncover additional threats (domains, IPs, binaries, etc). Then, Dhia introduce a set of techniques that facilitate the automated generation of long term signals associated with the detection of malicious campaigns (botnets, malspam, ransomware).

The generation of longer term signals involves analyzing large amounts (1TB+) of hourly global DNS query traffic to identify patterns that exhibit non-random anomalous behaviour. These signals have proven to have long term predictive power because they model the network effects of a campaign as it spreads globally.

Specifically, network signals are more difficult for a malicious operator to obfuscate and thus these signals can be used for an extended period of time.

Dhia will show how the anomalies arising in DNS query patterns and client lookups can all be used to generate a set of initial domains or IPs that can be further researched and by correlating similar hosting patterns between such domains we can identify malicious campaigns at scale.

Subsequently, we show the importance of investigating overarching patterns and TTPs behind malicious campaigns in order to go beyond short-lived IOCs and develop an understanding of the operational setup of criminal actors. This can provide us a proactive and longer-lasting advantage over the adversary.

TLP: TBC