What’s the best place to discuss security and threat intelligence? Well, according to Austrian investigative journalist Emil Bobi there are over 7,000 spies living and working in Vienna. To quote the article: „Austria has been an international spy hub since the late 19th Century, when people from all parts of the Austro-Hungarian empire flocked to the city.“ Basically it’s ancient tradition going back to the 19th century. During DeepINTEL we will discuss modern threats – advanced, persistent, networked, or otherwise. The focus will be on indicators of suspicious behaviour, the human component of information security, challenges by drone technology, and how to protect sources of information.
“Across the ICS spectrum, organizations are gathering threat data (information) to protect themselves from incoming cyber intrusions and to maintain a secure operational posture.”, says John. “Organizations are also sharing information; along with the data collected internally, organizations need external information to have a comprehensive view of the threat landscape. Cyber threat information comes from a variety of sources, including sharing communities such as Information Sharing and Analysis Centers (ISACs), open-source, and commercial sources. Immediately actionable information is mainly low-level indicators of compromise, such as known malware hash values or command-and-control IP addresses, where an actionable response can be executed automatically by a system. Threat intelligence refers to more complex cyber threat information that has been subjected to the analysis of existing information. Information such as different Tactics, Techniques, and Procedures (TTPs) used over
DeepSec 2016 Talk: Assessing the Hacking Capabilities of Institutional and Non-institutional Players – Stefan Schumacher
Cyberwar, Cyberterror and Cybercrime have been buzzwords for several years now. Given the correct context, using cyber has merits. However Cyber-Headlines are full with Cyber-Reports about Cyber-Incidents, Cyber-Hacking and Cyber-Cyber in general. However, that whole discussion does not only suffer from sensationalism of journalists and bloggers, there are also some fundamental problems, says Stefan Schumacher. We are still lacking useful definitions for modern IT security threats and we still have to think about the assessment of capabilities in the IT field.Besides institutional actors like states and their military and intelligence community we also have to assess the capabilities of non-institutional actors like terrorist groups or organised crime. Unlike the assessment of classic military strength (eg. fighting power or Kriegsstärkenachweise), assessing the capabilities and powers of actors in the IT field is much more complicated
Nation state attacks are very popular – in the news and in reality. High gain, low profile, maximum damage. From the point of information security it is always very insightful to study the anatomy of these attacks once they are known. Looking at ways components fail, methods adversaries use for their own advantage, and thinking of possible remedies strengthens your defence. At DeepSec 2016 Gadi Evron will share knowledge about an operation that went after government systems all around the world. Patchwork is a highly successful nation state targeted attack operation, which infected approximately 2,500 high-value targets such as governments, worldwide. It is the first targeted threat captured using a commercial cyber deception platform. In his talk Gadi Evron will share how deception was used to catch the threat actor, and later on secure their second stage malware
The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of a Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself since they can access the server hardware, being capable to control system resources. Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something
Many articles like to mention Advanced Persistent Threat (APT), point out that 0-day attacks are extremely dangerous, and that anyone and your neighbour might already be compromised, but doesn’t know about it. So APT casts a long shadow even when not having arrived yet. This is exactly why we used the word „hype“ in the title. If you are not feeling very well and you look up symptoms in popular search engines, then you suddenly end up with lots of diseases that might fit. Doing this won’t change anything, you still got the symptoms and you still got no idea what’s going on. Reading information on security breaches alone won’t alone won’t get you anywhere (currently you can find some news on the RSA hack online). Exchanging ideas and hearing about stories is fine,