9:00 am - 10:00 am GMT | Live in London and Online | Registration & Networking

10:00 am - 10:15 am GMT | Live in London and Online | Opening Remarks

10:15 am - 10:55 am GMT | Live in London and Online | Keynote: Session To Be Announced
11:00 am - 11:30 am GMT | Live in London and Online | Crisis Management - What Could Go Wrong?

A human behavioural take on strategies and guidance, using insights and tales from the front line.

Crisis management, crisis simulation, crisis response. These terms are currently being bandied around somewhat interchangeably. There is a constant undercurrent of cyber incident related anxiety, for obvious reasons. Very few have visibility of what actually happens when a cyber crisis occurs, let alone how they should prepare themselves. Perhaps they have run an annual mandatory tabletop exercise for the IT team, or compulsory incident training. Conversely, crisis management simulations are hugely in demand from enterprise clients, but after initial conversations it becomes clear that this exercise may be to appease the board and tick a box, as opposed to truly exposing an organisation to the wide-scale chaos of a cyber crisis causing widespread business impact. Very few clients know what a crisis management simulation might entail, let alone what they should be looking to achieve. There are some basic principles that will help an organisation be more resilient to this type of incident, and practical insights that can be shared from those who have seen it, warts and all.

In order to address some of these problems, my presentation will cover the following key topics:
- Leveraging communication strategies in a crisis
- The importance and power of the human element in any crisis response efforts
- How research and context are essential to prioritizing and coordinating your crisis response activities
- Practical ways to ensure cyber crisis preparedness
- Tales from the front line of some of the world's largest cyber response efforts

These points will be delivered from a unique standpoint, in comparison to a typical cyber related presentation.

So, who is this presentation for?
- Internal or external technical or non-technical persons who are likely to be part of an organisation's cyber crisis or incident response
- Anyone who has seen the recent media frenzy around cyber security incidents, and wants real insight into what a crisis management effort constitutes and how it can be managed effectively

Combining the psychological and human element with experience, both my own and from industry experts, this presentation will offer a practical and insightful approach to those wishing to truly be prepared for a cyber crisis in the current climate.
11:30 am - 11:50 am GMT | Live in London and Online | Networking Break
11:50 am - 12:20 pm GMT | Live in London and Online | Everyone Gets a Web Shell! Or, Backdooring Web Hosting Companies at Scale

What happened when a flying-under-the-radar threat actor decided to go directly after web-hosting providers who host thousands of legitimate websites? How and why did they do it? These questions stand at the heart of our talk, in which we'll explore the evolution of a determined threat actor that has been targeting web hosting providers throughout 2020-2023. This group's only documented campaign so far was dubbed "Manic Menagerie" back in 2018, when the threat actor was focused mainly on conducting coin-mining and search engine optimization (SEO) activities. Our investigation revealed that the group has recently upgraded its toolset and shifted towards a far more dangerous and innovative attack scheme.

While investigating incidents related to the group, a unique tool was identified. This custom-built tool's purpose was to facilitate the mass-backdooring of legitimate websites hosted on the web hosting providers. Such malicious activity can potentially lead to a devastating impact affecting both web hosting companies and the websites that are stored on their servers, including unknowingly hosting command and control servers.

In this talk, we will provide analysis of the custom-built backdooring tool that was used to compromise at least hundreds of websites, together with other selected tools from the attacker's arsenal. In addition, we will share our threat hunting methodology that led to this discovery, starting with the initial anomalous behavioural findings that kicked off our long investigative journey. We shall share our challenges with big-data hunting, how to effectively conduct an investigation on nearly three years' worth of data, and how we dealt with certain research gaps.

By the end of the talk the audience will be acquainted with previously undiscovered custom tools, the modus operandi of a rarely seen threat actor, and of course actionable intelligence on how to hunt for similar threats.
12:25 pm - 12:50 pm GMT | Live in London and Online | Session To Be Announced
12:55 pm - 1:15 pm GMT | Live in London and Online | Supporting Victims of Cybercrime and Online Harm

The Cyber Helpline is a UK charity that supports over 2000 victims of cybercrime every month by linking them with cybersecurity experts for free, expert help. Cybersecurity professionals are best placed to fill the gap in support for individuals experiencing cybercrime, but the impact, the trends and the importance of giving safe advice mean that it differs from 'traditional' cybersecurity. Individuals facing cybercrime face unique challenges and require tailored support and expertise, which isn't always available.

This presentation provides an insight into the threats facing individuals in the online space, the impact it has on them, why the advice that you might give your friends and family could be inadvertently dangerous, and how you can use your experience to make a difference in people's lives with the skills you already have, just by learning to apply them to a different audience. The session will allow for a Q&A to provide attendees with the chance to ask questions and understand more about this emerging career pathway and opportunities to support victims of cybercrime and online harm.
1:15 pm - 2:15 pm GMT | Live in London and Online | Networking Lunch
2:15 pm - 2:40 pm GMT | Live in London and Online | BYOVD (Bring Your Own Vulnerable Driver): The Adversaries Return to the Kernel

Paul Moon, Senior Manager Technical Analysis Cell, CrowdStrike

Despite Microsoft's efforts to increase mitigations within the Windows kernel, the adversaries' access is on the rise. One reason for this increase is the widespread use of the BYOVD technique, where legitimate but vulnerable drivers are exploited to gain access at ring 0. This technique enables the adversary to perform sensor tampering, disable driver signing, install bootkits and evade detection. This talk covers real world examples of this trend, digs into observed techniques in practice, discusses the difficulties in defending against BYOVD and provides you with suggested mitigations including what to look out for.

The following are key takeaways of this talk:
- The trend for BYOVD incidents is on the increase and what this means for your defensive posture
- Which adversaries are using this technique and how they are using it
- What makes this threat challenging to detect
- What the best mitigation strategies are to prevent this threat
2:45 pm - 3:10 pm GMT | Live in London and Online | Behind the Scenes: A Look at Iran's Contracting Landscape

Saher Naumaan, Principal Threat Intelligence Analyst, BAE Systems Digital Intelligence
Molly Elliott, Threat Intelligence Analyst, BAE Systems Digital Intelligence

Both of the main security agencies in Iran - the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security - use private companies and individual contractors for malware development, operational activity, and support/training. Using recent and historical examples, we will discuss how researchers have linked companies and individuals back to threat groups (and security agencies) through OSINT and technical links, and outline the types of services contractors likely provide to Iran's government. These comprise a range of different activities, including espionage, cyber-enabled influence, and disruptive operations.

This talk identifies ongoing trends and remaining areas of uncertainty when it comes to Iran's contracting landscape, including contractors' remits, tactics, and relationships to the government. We explore questions about the talent pools used to build Iran's contractors, the comparisons with other countries' contracting models, how Western sanctions and indictments have addressed these third-party companies, and how they have informed the UK's and US's policies towards Iran.
3:15 pm - 3:45 pm GMT | Live in London and Online | Analyzing Volatile Memory on a Google Kubernetes Engine Node

My talk focuses on how we can access and analyze volatile memory in the kernel on a Google Kubernetes Engine (GKE) node using AVML. The purpose of this is to collect a memory snapshot to get granular information about running processes and activities on the GKE node, as well as the pods and containers running on that node. By using the memory snapshot we can troubleshoot current node activities or use it to collect additional information as part of a security investigation. I will also cover how this method is applicable to other cloud instances running Linux distributions that are supported by AVML.

In my talk I will show how we can:
- Build a custom privileged Docker container running AVML.
- Deploy it to the specific GKE node we want to take a memory snapshot of.
- Access the kernel space on the GKE node in /proc/kcore and take a snapshot of it.
- Get a copy of the unencrypted vmlinux file for the active running kernel version of the GKE node.
- Build an intermediate symbol file (ISF) of the kernel using dwarf2json, from the vmlinux file, in order to analyze the memory dump.
- Provide methods for how to analyze the snapshot, using for example Volatility3.
3:45 pm - 4:10 pm GMT | Live in London and Online | Networking Break
4:10 pm - 4:35 pm GMT | Live in London and Online | Beyond Sophistication: Leveraging Threat Actor Attributes to Improve Security Outcomes

Jamie Collier, Senior Threat Intelligence Advisor, Mandiant Intelligence, Google Cloud

Sophistication is a misleading descriptor for threat actors and has become amorphous in the various ways it is used. This talk proposes a more precise discussion of adversaries' attributes to meaningfully differentiate between threats. Our central argument will be that adopting a richer vocabulary of descriptors offers far more than just nuanced understanding. Rather, our focus will be on the way that focusing on actor attributes can improve security outcomes. We do this by demonstrating how actor attributes can enable threat intelligence to be applied more effectively to a wider range of use cases beyond the security operations centre. Here, we will focus on how adversary attributes can be used to improve threat-led red teaming and cyber risk assessments.

Part 1: Introduce the speakers and the central argument.
Part 2: Outline why sophistication and other related terms such as APT are limited terms, and explain why they fall short. Some of the content discussed here will build on this article I wrote (https://www.collierjam.com/untitled-4/).
Part 3: Outline a collection of more precise descriptors and explore some as examples (e.g. stealthy, brazen, clumsy, tailored, pragmatic, etc.).
Part 4: Outline how the use of these more precise terms can better inform a) red teaming and b) cyber risk.

This talk will build off previous work on the topic, such as Juan-Andres Guerrero Saade's 2018 Virus Bulletin paper (https://www.virusbulletin.com/blog/2019/01/vb2018-paper-draw-me-one-your-french-apts-expanding-our-descriptive-palette-cyber-threat-actors/).

A lot of the added value of this paper is to focus the discussion on the pragmatic benefits of using more precise descriptors, as well as to offer practical advice on how this can be applied to various threat intel use cases.
4:40 pm - 5:10 pm GMT | Live in London and Online | The Certificate Enrollment Agent's Underestimated Superpower

In Microsoft's Compromise Recovery team we fight cyber attacks alongside our customers almost every day. Our work includes different technologies, but Active Directory is our main focus in most cases, as it is still an attractive target for attackers. Active Directory has a long history with certificate-based authentication, with smart card authentication being the most widely known use case. Having some technical knowledge of certificate-based authentication in Active Directory allows one to correctly assess the sensitivity of a Certification Authority's private key for Active Directory security.

Unexpectedly, Certification Authorities are not the only parties entitled to verify incoming certificate requests; in some cases this sensitive task is delegated to a role called "Certificate Enrollment Agent". A (Certificate) Enrollment Agent is a user who can enroll for a certificate on behalf of another client or user. The permission to do so is based on the requirement of a digital counter-signature with an Enrollment Agent certificate. In other words, a counter-signature from an entitled Enrollment Agent will result in a certificate being issued by the Certification Authority. This session will deal with the Certificate Request Agent's superpower, how it can be abused during attacks, and how to protect against that abuse.
5:10 pm - 5:20 pm GMT | Live in London and Online | Closing Remarks

5:20 pm - 6:30 pm GMT | Live in London and Online | Networking & Drinks