Marcin Fronczak (ComCERT S.A., PL), Miroslaw Maj (ComCERT S.A., PL), Piotr Kepski (ComCERT S.A., PL)
Cyber Fortress is an online strategy TTX game in which players learn how to build and defend the critical infrastructure of various organizations in their virtual countries. For this purpose, scenarios based on real attacks have been prepared. The scenarios, which cover both technical and organizational aspects, simulate real cyber-attacks. The game can be played by individual players as well as by teams. The team-based version in particular brings significant value in terms of understanding and learning cooperation during crisis situations. Building the most effective cybersecurity system follows a budget-based approach: players and teams receive a virtual budget that limits the scope of their investments. The main idea and task during the game is to protect the team's or player's critical infrastructure against the most likely threats and to react effectively during the attack phases. Competitors have various cybersecurity measures available, which represent real choices among organizational aspects, processes and technical cybersecurity solutions.
The game has a three-year history and has proved its practical value during many events and trainings.
Marcin Fronczak has worked for 12 years as Chief Information Security in the financial and insurance sectors, and has performed IT/OT security audits for a critical infrastructure operator. Prior to that, he spent 5 years as a consultant in the area of technology risk and security. During many audits and consulting projects in Europe, he gained extensive experience and thorough knowledge of the risks and auditing of ICT systems, confirmed by obtaining international certifications including CISA, CIA, CRISC, CompTIA Security+ and ISO 27001 LA. He was the first Pole to earn the CCSK certification in the cloud security area. He currently works at ComCERT as the leader of the R&D team and serves as President of the Polish branch of the Cloud Security Alliance.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) has over 20 years of experience in ICT security. He is a co-founder of the Open CSIRT Foundation, the stewardship organisation for the SIM3 model and co-provider of the Trusted Introducer service for CSIRTs, including the processing of formal CSIRT certifications. He lectures on cybersecurity courses at a few universities.
He is the founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, and a former leader of the CERT Polska team. In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities, building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 he was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.
He is a European Network and Information Security Agency (ENISA) expert and co-author of many ENISA publications, including CERT exercises and papers on improving CSIRT maturity. He organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for the most essential sectors (e.g. energy, banking, telecommunications). He has spoken at many international conferences, including the FIRST conferences. He is also the originator and organiser of the Security Case Study conference, one of the largest cybersecurity events in Poland.
Piotr Kepski currently works as a Cybersecurity Systems Analyst at ComCERT S.A., where he works in the area of cyber threat modeling and the TTPs (tactics, techniques and procedures) used in cyber attacks. He is an internal auditor of the Information Security Management System according to the ISO/IEC 27001 standard. As a member of the Cybersecurity Foundation, he actively works to strengthen awareness of threats from cyberspace, including, among other things, conducting trainings, co-creating the Cyber, Cyber... podcast series and participating in the organization of the Cyber Fortress League.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 2, 2023 15:30-17:00, February 2, 2023 13:30-15:00
Hosted by Basque Cybersecurity Centre
MD5: a3cb91d89e6e833e9f75c171acf1e4c3
Format: application/pdf
Last Update: February 10th, 2023
Size: 4.18 Mb
Albert Seshie (GH)
Data privacy in Africa has over the past years seen significant growth, largely in the space of policymaking, directives and regulations, with about 33 countries having enacted related laws as of 2021. This has been driven by efforts to ensure the protection of data as fundamental to the rights of citizens, and also by the upsurge of global commerce in the age of the digital economy.
The success of global privacy programs depends on the implementation of effective administrative and technical controls that ensure compliance with the relevant regulatory regimes, including the lawfulness of processing, cross-border data flow requirements and data security safeguards. The journey towards compliance has so far focused on education and awareness of what these regulatory requirements are, while conspicuously missing the implementers of technical controls, i.e. the technology professional, an important stakeholder who must be involved in and own key processes within the data processing value chain.
This presentation will highlight the role of technology professionals in the effective implementation of data privacy controls and the protection of information relevant to the ultimate compliance requirement.
Albert Seshie is an Information Security, Audit, Privacy Professional & Trainer with over 13 years in the industry. He is a committed member of prestigious ISO certification, information security, audit, privacy and training bodies such as PECB, ISACA, (ISC)2, IAPP, IIA, IIPGH and EC-Council. Though coming from a non-technical background, his passion for technology, information security and training has driven him to achieve industry certifications such as CISM, CEH, C|HFI, MCSA, ISO 27001 LI/LA, ISO 22301 LI, ISO 27032, ITIL, Prince2, CoBIT, PSM1, CIDM, (ISC)2 CC, VCA-DCV, VCA-Cloud, NSE1, NSE2 and PECB Trainer-ISO 27001 ISMS Auditor, and he is currently pursuing his MSc. in Information Technology. His areas of specialty are Information Security, Audit, Data Center Infrastructure + Cloud Security Management, Enterprise Security / Risk Management, Privacy and IT/Security Training, Technology Pre-Sales, Vulnerability Assessment, Unified Communications and Collaboration, Incident Management, ISO 27001:2013 Implementation & Auditing, Cyber Security Threats Management, Business Continuity, IT Service Management, and Data Protection/Privacy & Training. In his free time, he volunteers on several projects with Africa Digital Rights Hub and has been a speaker at the Data Protection Africa Summit (2018/2019 and 2022).
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 3, 2023 15:15-15:45
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
FIRSTAA23-Speaker-Slides-Albert-Seshie.pdf
MD5: eb78b1739815477e540ae3c474c133d0
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.8 Mb
Nermen Ibrahim (Banque Du Caire, EG)
An IAM system introduces risks to the enterprise, but the consensus is that the benefits of IAM outweigh the drawbacks. Business leaders and IT departments are under increased regulatory and organizational pressure to protect access to corporate resources. As a result, they can no longer rely on manual and error-prone processes to assign and track user privileges. That is where identity and access management, or IAM, comes in.
Nermen Ibrahim is a 20-year information technology veteran with a focus on information security and network security. She currently serves as the Head of Identity and Access Management Engineering at Banque Du Caire. Her technical expertise and analytical skills, honed through 9+ years in the information security field and 10+ years of professional experience, have earned her recognition as a privacy and risk management professional.
Ms. Nermen holds a Master's in Information Security from Nile University and is certified in CEH and CEI. She has also completed courses in CISSP, CRISC, ECSP.Net, CISM, PCI-DSS, MOBILE BANKING MASTERCLASS, SWIFT CSP, Digital Transformation, Fintech, CIMP, and Blockchain.
Ms. Nermen’s skills were acknowledged in 2018 when she placed third in the CTF Women in Security competition. She also delivered a speech at the 2018 Arab Security Conference on the topic of "Common Vulnerabilities in Online Payment Systems."
In summary, Ms. Nermen is a highly capable information technology professional with a proven track record of excellence in her field.
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 2, 2023 14:15-14:45
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
FIRSTAA23-Speaker-Slides-Nermen-Ibrahim.pdf
MD5: 8ecafa95494a9f7366b66221a1ab5f5c
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.87 Mb
Daniel Lunghi (Trend Micro, FR), Jaromir Horejsi (Trend Micro, CZ)
Iron Tiger, also known as APT27 or Emissary Panda, is an advanced threat actor that has been doing espionage for more than a decade, targeting multiple sensitive industries worldwide.
In the past months, we noticed the threat actor enhancing its toolkit to target all three major platforms: Windows, macOS and Linux. We found that a previously unreported remote access tool named “rshell” was the final stage of the delivery chain targeting macOS users. This campaign was very interesting because the threat actor obtained access to the backend of a lesser-known chat application, whose installers were modified to deliver a malicious payload, thus acting as a supply chain attack against the chat application's users.
Our presentation will start with the analysis of this interesting infection vector (modified macOS installers, where and how they were modified, and how we initially discovered it), followed by a discussion of an earlier compromise of the same chat application to deliver HyperBro malware for the Windows platform. We will analyze the features of both the rshell and HyperBro malware families used in this campaign, and then discuss connections to previous campaigns operated by the same threat actor.
As a conclusion, we will provide information on the targets of this campaign and explain our approach to attributing this campaign to Iron Tiger.
Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years. He now focuses on long-term monitoring of advanced threat actors from all over the world, exploring new ways of tracking them and enjoying their mistakes. The results of such investigations are shared through blog posts, whitepapers and conference talks.
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 1, 2023 16:00-16:30
Hosted by Basque Cybersecurity Centre
Iron-Tiger-s-Supply-Chain-Attack.pdf
MD5: a7894c41d0ba486d1c5cf7656208483b
Format: application/pdf
Last Update: February 8th, 2023
Size: 1.7 Mb
Feike Hacquebord (Trend Micro, NL)
In this presentation we explore the current state of ransomware in cybercrime and how ransomware business models will change in the near and far future. We will talk about the triggers that will cause ransomware actors to adapt. Some triggers will lead to a gradual evolution of ransomware: the use of more 0-days in the initial access phase, better operational security, automation to optimize revenues, more targeting of Linux cloud servers, and targeting of exotic platforms. Only when ransomware actors are pushed hard will they radically rethink their business models; such triggers include geopolitical events, regulation of cryptocurrency and the realization that other cybercrime is more profitable. We will discuss business models in which the ransomware payload is replaced by other, more profitable payloads, while many of the core specialist skills of ransomware actors are still leveraged. Finally, we discuss how private industry, government and law enforcement can work together to fight the crimes committed by the most prolific ransomware actors today and in the future.
Feike Hacquebord has more than 18 years of experience in threat research as a Senior Threat Researcher. Since 2005, he has been a regular advisor to international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog posts and papers on advanced cyberattacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 1, 2023 11:30-12:15
Hosted by Basque Cybersecurity Centre
Open-for-Extortion_-Upcoming-Ransomware-Evolutions-and-Revolutions.pptx
MD5: d3b539db9eeca9d3e8f6f1262625d6c6
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: February 8th, 2023
Size: 7.71 Mb
Dr. Jema Ndibwile (Carnegie Mellon University), Koichiro Komiyama (JP), M. Arnaud Taddei (Symantec, US)
CSIRTs and SOCs, which aim to improve cyber security in companies and organizations, are active worldwide. At the same time, cyber-attacks continue to become more sophisticated, and cyber security increasingly requires functions that have not been required of CSIRTs in the past, such as strategy and policy. Based on this understanding, this workshop will introduce the "Cyber Defense Centre" framework, which was discussed in ITU-T and standardized in 2021, and discuss how it can support the cyber security measures of enterprises and countries in Africa.
https://www.itu.int/rec/T-REC-X.1060-202106-I
Koichiro Komiyama is the Director of the Global Coordination Division at JPCERT/CC, the Japanese Computer Emergency Response Team. He was a member of the FIRST Board of Directors from 2014 to 2018. He was awarded the AfricaCERT Meritorious Service Award in 2016 for his contribution to AfricaCERT's establishment.
M. Arnaud Taddei is a Global Security Strategist for Symantec, a Division of Broadcom Software Group. In his role, M. Taddei has two inter-related missions, as he supports:
a) the development of strategic directions for the top Broadcom worldwide customers; he developed a unique method to create solid relationships with customer executives and to project thought leadership through specific knowledge-sharing and workshop models.
b) the development of security through his engagement in international Standards Defining Organizations (SDOs) such as the International Telecommunication Union (ITU), where he was elected Vice Chairman of Study Group 17 and Associate Rapporteur for Emerging Technologies at the Telecommunication Standards Advisory Group (TSAG) of the ITU-T. He also participates in the Internet Engineering Task Force (IETF), where he develops ideas on Network Encrypted Traffic Management through Internet Drafts.
Dr. Jema David Ndibwile is an assistant teaching professor in cybersecurity at Carnegie Mellon University. He previously worked at the Nelson Mandela African Institute of Science and Technology as an IT network specialist and a lecturer in cybersecurity. Ndibwile’s current research interests encompass usable privacy and security, hacking countermeasures, the impact of artificial and human intelligence on cybersecurity, and social engineering approaches. He also has expertise in assisting cybersecurity teams in areas such as communication, IT network architecture, in-network service security, security testing, and developing security concepts for mobile and stationary networks. He has extensive experience in ethical hacking/penetration testing, digital forensics, and project management, leveraging tools such as Kali Linux, Parrot OS, Cellebrite, and many others.
FIRST & AfricaCERT Symposium: Africa and Arab Regions
Kigali, RW
March 3, 2023 09:00-11:00
Hosted by FIRST, AfricaCERT, National Security Agency Rwanda
FIRSTAA23-Speaker-Slides-Arnaud-Taddei.pdf
MD5: 42a1048be19c0e7b4d358f18586d3926
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.45 Mb
FIRSTAA23-Speaker-Slides-Koichiro-Komiyama.pdf
MD5: 34902a4b12c4784c770301be3430b78e
Format: application/pdf
Last Update: March 6th, 2023
Size: 1.75 Mb
Jossef Harush Kadouri (IL)
Widespread use of open source software has motivated malicious actors to take advantage of the medium, spawning significant and widespread attacks.
To identify these threats at scale, we automated this process and would like to present and share some open source tools that detect those attacks.
RED LILI
This is the largest batch of malicious packages from a single threat actor (1500 packages and still counting).
We will dive into the attack and discuss the infrastructure required for such attacks.
To keep track of RED-LILI as they continue to publish malicious packages, our research team has launched RED-LILI Tracker (https://red-lili.info)
UA-Parser (Good package gone BAD)
An attacker compromised the legitimate account of a popular open-source contributor.
We will dive into the attack and the TTPs used (account takeover) and will discuss ChainAlert, a free service for the open-source community that alerts on such attacks.
Protestware
A pro-Ukraine NPM user account, riaevangelist, released several new versions of its popular package “node-ipc” (over a million weekly downloads) which included wiper functionality targeting Russian and Belarusian IP addresses and running a malicious payload that destroyed all files on disk by overwriting their content with a heart emoji “❤️”.
Jossef Harush Kadouri is passionate about Linux and Windows, and has a strong interest in exploring the possibilities of Mac in the future. With his expertise in IoT and a knack for creating real-life automation solutions, he is able to control a variety of devices using his phone. Additionally, Jossef is a designer and digital asset creator, with a focus on pixel-perfect UI.
In his free time, Jossef enjoys growing hot peppers and organizing hot pepper events in Ramat Gan, the second best city in Israel. Jossef is also an active member of the open-source community and is ranked in the top 1% on Stack Overflow.
In 2020, he co-founded Dustico, a software supply chain security company that was acquired by Checkmarx the following year. Since then, he has been working with his team to identify and stop software supply chain attackers, helping keep the ecosystem safe.
TF-CSIRT Meeting & 2023 FIRST Regional Symposium for Europe
Bilbao, ES
February 1, 2023 09:30-10:15
Hosted by Basque Cybersecurity Centre
Tracking-Attackers-in-Open-Source-Supply-Chain-Attacks.pptx
MD5: 69d1f69fc5ec0df0fc1985ed18e2dbd8
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: February 8th, 2023
Size: 102.63 Mb