Industrial Espionage and Data Tapping are commonplace in IT – DeepSec Conference provides Training for early Detection, Analysis and Mitigation
The excitement used to be great when organizations, parties, celebrities, companies, or government agencies reported intrusions into their own or outsourced digital infrastructure. Meanwhile, reports of data leaks and compromised systems are almost a part of the weather forecast. Security applications on smartphones or portals offer this information to allow the user to check if they might be affected too. The networked world of everyday life makes it seemingly possible to present attack and defence in the same breath. Affected, attackers, defenders and beneficiaries move closer together. But anyone who has this impression has fallen victim to the looming simplification. Modern information technology has to deal with dangerous situations every day that have far more facets. This requires a good deal of specialist knowledge and experience.
First Responders, Analysis and Detection of Threats
All digital systems and networks now have a defence. The spectrum ranges from the minimum to hedging with great effort. During normal operation, you check the required functions and, if necessary, adjust the security measures if there are new messages. This changes abruptly when an actual breach is discovered. The so-called incident response is fundamentally different from the normal operation. It must be determined which systems, applications and data are affected. What have attackers changed? What evidence is there? Thomas Fischer and Craig Jones will be hosting a training session at this year’s DeepSec, where one can learn and try out the processes of Incident Response. Such situations require a very structured and careful approach. The exercises also teach how to spot vulnerabilities and potential threats in your own infrastructure or organization before they are found by potential attackers. In the two days of training, all aspects of this procedure will be performed. The participants also learn about the necessary tools that are needed in such cases.
Breaches go unnoticed for a long Time
Unfortunately, compromised systems are often not discovered immediately. Skillful opponents avoid being detected in order to benefit from the breach for as long as possible. The time between attack and discovery can range from weeks to many months. You can shorten this period by dealing in detail with the normal operation of your own infrastructure and trying to detect deviations. Peter Manev and Eric Leblond, specialists in network intrusion analysis, teach in a two-day training session how this works. Both have been involved in the development team of Network Intrusion Detection Software Suricata for over 10 years. Through their work, they have deep insight into the processes of network transfers and a great deal of experience in finding anomalies. The training will use real data from historical incidents to directly try out techniques. In addition to learning to deal with the tools for discovery, you also learn how to use bait to make it easier to discover attackers. It also teaches how to better distinguish between false positives and real alarms.
Use existing Data, detect new Attacks
Ways to detect events are often already there. Log data is available in all areas of IT. Systems and applications even generate data that is extremely helpful in defence. Xavier Mertens shows in his workshop how to raise these treasures. It will combine techniques for detecting anomalies on systems (OSSEC in particular) with externally available information to sharpen the image of the situation. These so-called Open Source Intelligence (OSINT) sources provide important data to supplement. Xavier Mertens will teach with examples how to properly integrate this data into your own defence. His workshop is for experienced IT administrators who want to increase the level of their defence efforts.
Guesses are always out of Place
When investigating security incidents, there should be no speculation. All findings must be based on facts that emerge from the analysis of the available data. This is an important point where serious mistakes are often made. Assumptions often sneak in, which solidify during the course of the incident. One then likes to develop a tunnel view and interprets information only one-sidedly. That is to be avoided. According to the General Data Protection Regulation (GDPR, DSGVO), incidents involving data of customers or third parties must of course be reported. This does not contradict the effort to avoid to spread any assumptions, but is necessary for the avoidance of speculation.There are numerous examples in current and past news releases. The data leak in 2017 from Equifax, a US financial services company headquartered in Atlanta, Georgia, is well documented. Without disclosing any details, individuals were asked to enter some part of their social security number on a website. The purpose was to determine if own data has been copied or not. But this hasty measure resulted in much greater uncertainty, which was not sustainably improved by rework and additional explanations. Answers that lead to more questions are not a meaningful explanation. They just might lead to more media coverage, because the public can then speculate. In a serious context, this approach has no business.The offered training sessions for the DeepSec Conference are intended as an aid to gain experience in dealing with security incidents in a comfortable environment and to be able to design processes for emergencies in a meaningful way.
Programme and Booking
The DeepSec 2019 conference days are on 28 and 29 November. The DeepSec trainings will take place on the two previous days, the 26th and 27th of November.
The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.
Tickets for the DeepSec conference itself and the trainings can be ordered at any time at https://deepsec.net/register.html.
(Original press release was published on 9 September 2019 via pressetext.com)