GhostDNSbusters: Tracking and Responding to a Large Scale DNS Hijacking Campaign
Before 2020 many companies may not have considered a mostly remote workforce when designing networks and network defenses. Similarly, most workers may not have considered the possibility of a “work from home” situation. The vulnerability of home network devices has probably never been more of a threat to information security.
Attackers continue to compromise vulnerable SOHO routers by taking advantage of default or weak user-defined passwords, as well as the use of publicly available exploits.
GhostDNS is a platform developed to help attackers find vulnerable routers and change the DNS settings of those that are exploitable. Most notably, attackers have used GhostDNS to target Brazilian financial institutions and their customers, with 100,000+ routers compromised to date.
In this presentation, we will explain our methodology for hunting for the various elements of GhostDNS infrastructure, share what we have discovered to date and also speak about our efforts to collaborate with a national CSIRT to mitigate this threat.
Business Email Compromise (BEC) is one form of cybercrime in which large sums of money can be stolen. According to FBI investigations, losses in the United States have increased year on year, and last year were reported to have reached 190 billion yen. For Japanese companies and their overseas offices, although the full picture of the damage is not visible, losses are estimated to be considerable. Many sophisticated BEC attacks originate from the compromise of a business partner's email account. In other words, even if advanced security measures are implemented within your own organization, an attacker can mount sophisticated social engineering by eavesdropping on email contents at a business partner. In this session, we take up a case our company actually handled of "BEC originating from a business partner's compromise" and share the attacker's methods, key points of incident response, and more.
Accelerating the Analysis of Offensive Security Techniques Using DetectionLab
While offensive security professionals enjoy the luxuries of having entire Linux distributions like Kali and endless code repositories dedicated to their craft, incident responders often find themselves building and rebuilding entire lab and malware analysis environments by hand in order to analyze attack techniques. This process is time consuming and repetitive. DetectionLab is an open source project that automates the process of building an Active Directory based lab environment on many different platforms and configures the lab hosts for maximum telemetry collection using tools like Sysmon and osquery. This talk will provide an overview of DetectionLab, show how it can be used to analyze modern attack techniques such as Zerologon, and discuss how it can be used to build detections for new and existing offensive security techniques.
Malware Analysis at Scale ~Defeating EMOTET by Ghidra~
Shuffle the SOC - automating anything, anytime, anywhere
Shuffle is an automation platform for and by security professionals, built to make it easy for anyone to automate their daily tasks. Our primary goal is to elevate the security community as a whole by getting everyone up to the level of the best. This workshop will explore all areas of Shuffle from getting started, to collaboration, architecture, app creation, python migration, how it's built for service providers, and the future of Shuffle.
Stuck doing the same thing day in, day out? Don't know where to focus your attention next? Jumping between 12 different windows during an investigation? Can't enrich your dataset with your new shiny threat intel provider? Are you "collaborating" using Outlook and Excel? Got a customer that doesn't know why they need the shiny new EDR? Did the SOC manager buy a new tool without thinking about integration?
Shuffle fixes all of these issues. You'll be able to automate anything within minutes, rather than days, weeks or months. Our community of automation enthusiasts is a growing, collaborative and helpful bunch: the silent heroes who make everything run smoothly behind the scenes. Join us by taking this four hour crash course in everything security automation!
Level - Beginner to expert
Hardware - A laptop with 10GB+ disk space and 8GB+ RAM
Minimum Software to Install - Linux, MacOS or Windows Subsystem for Linux 2 (WSL2) installed to be able to run Docker
Josh has been a member of Team Cymru’s threat intelligence team for the past 3.5 years, seeking to further the company’s mission of making the Internet a more secure and safe space. Prior to Team Cymru, he spent time working with BAE Systems, as well as 8 years in UK law enforcement.
Manabu works as an engineer at a company in Japan and also researches cyber threat topics, mainly focusing on OSINT, in his free time. He has presented at several security conferences such as HITCON, JSAC, OBTS and Botconf.
Fredrik is a software engineer and entrepreneur with industry experience in DFIR, automation, pentesting and open source tool creation and collaboration. He started out in an MSSP environment, learning the secrets of the blue team, before quickly moving to a FinTech company to secure their assets from within. He then set out on a mission to put that knowledge to good use by building Shuffle. He's currently residing in Japan, integrating into the culture through language, travel and startups. Get in touch @frikkylikeme
Chris Long is a Senior Security Engineer at Netflix who has been specializing in Detection Engineering for the last decade and is the creator of DetectionLab. Although he's primarily focused on detection, he is an OSCP and OSCE certification holder and does his best to stay up to date with offensive security tooling and techniques. He is passionate about enabling defensive security practitioners to build more effective and robust countermeasures to protect against well known attack vectors.
Engaged in malware analysis, incident response, and threat intelligence collection and analysis at Cyber Defense Institute, Inc. (株式会社サイバーディフェンス研究所). Has presented at JSAC, HITCON CMT, AVAR, CPRCon, Black Hat EUROPE Arsenal, CodeBlue BlueBox and others. Producer of the technical doujin circle Allsafe.