AISA Australia Cyber Conference – Security & Hacking

On October 10 & 11 I was lucky enough to attend AISA Cyber Conference. This was a security focused conference with someone for all levels.
What an eye opener on many levels, but also I’m not surprised.
I took lots of notes and below is a summary of insights and links I collected or researched as follow up. Where possible, I have provided video links to the sessions/talks – so you get the full context.
I learnt so many things – something from every session.

Click, explore and learn

TLDR; for the best of

for techs/architects – Exploring the DevSecOps Toolchain
for Management/HR/Recruitment – Hacking the Skills Gap
for AWS builders – Serverless From F to A+

Opening Keynote

Speaker – Greg Touhill https://www.linkedin.com/in/gregorytouhill

formerly 1st Federal CISO of the United States
Turn on DMARC Email Security https://dmarc.org/
Invest in training
Carnegie Mellon – https://www.cmu.edu/ini/academics/msis/index.html
Academic leader in cyber and information security
Spoke about Cyber Security for executives and his experience running National Cybersecurity and Communications Integration Center’s (NCCIC) https://www.dhs.gov/national-cybersecurity-and-communications-integration-center and https://www.us-cert.gov/
Implement Software-Defined Layer 3 Perimeter Technology – https://cloudsecurityalliance.org/working-groups/software-defined-perimeter/#_overview
TCP/IP = Connect first, Authenticate second – inherently flawed
SDN = Authenticate first, Connect second – improved
Coined Touhill’s Law for Recapitalization Planning – like 1 Human year = 7 dog years, Touhill’s Law submits that 1 Human Year = 25 Computer years (ie, tech is out dated/dead in 3 years, and need to refresh).

The Future Impact of AI on Cybercrime

Speaker – Dave Palmer https://www.linkedin.com/in/davepalmersecurity/

YouTube link to the same talk/different location https://youtu.be/ooPOOs7Y7lk
Ambient surveillance
is high risk and received low attention. May not be on the radar of the InfoSec team, and AV suppliers are less inclined about security
Attack the Edge
IOT; Where none IT control the infrastructure (think submersibles and sailors)
it is outside the traditional security perimeter
likely not ready/capable of running anti-virus software for example
Ransomware/encryption is becoming less effective, the next thing criminals/APT will be after is DATA INTEGRITY and attacking the Information Supply Chain
Big enterprises rarely pay ransomware anymore. Regular backups are winning the war here. But Small/Medium Enterprise (SME) may be more at risk due still as they may not have current data. Its an economics equation, backups cost money, and sometimes they consider the ransom price to be cheaper.
Little Bing / Xiao-ice https://en.wikipedia.org/wiki/Xiaoice, pronouced ‘shao-ice’ is AI system developed by Microsoft STCA in 2014 based on emotional computing framework. Instead of criminals setting up call centres to help you buy Bitcoins for your ransomware payments (who does this anyways!), crims can now use smart chat bots to smooth out the processes and reduce costs.
https://sociable.co/technology/microsofts-little-bing-ai-evoking-love-in-chinas-lonely-hearts/
Tools
American fuzzy lop http://lcamtuf.coredump.cx/afl/ is a security-oriented fuzzer for binaries
Microsoft Security Risk Detection
Windows and Linux (sign-up required) https://www.microsoft.com/en-us/security-risk-detection/ Upload binaries (yours or others!), run fuzzers, identify bugs, get a bug report – then fix bugs
MSFT Security Risk Detection in practice – video https://www.youtube.com/watch?v=kRCCLtDF_Z4
Dave Palmer works at https://www.darktrace.com/en/, AI network immune system and threat detection software

Embracing the Rise of DevSecOps

Speaker – Jameson Cooke https://www.linkedin.com/in/jameson-cooke-52a69948/

DevOps Periodic Table v2 https://blog.xebialabs.com/2016/06/14/periodic-table-devops-tools-v-2/
DevOps Diagram Generator https://xebialabs.com/devops-diagram-generator/ (requires email address)

Hacking the Skills Gap

Speaker – Jane Frankland https://www.linkedin.com/in/janefrankland/

worked with National Cyber Security Council UK https://www.ncsc.gov.uk/
Boardroom needs more cyber educations, including CEO and NEDs (Non Executive Directors, eg Chairman)
Need to change our language from cyber security/ CISO / SecOps to Risk Mitigation Specialists
Trust is key – How is trust measured, using a trust equation we can better under it https://trustedadvisor.com/why-trust-matters/understanding-trust/understanding-the-trust-equation , https://trustedadvisor.com/public/Equation_Full-1-705×492.jpg
NCSC – Cyber needs to identify young recruits, like football or soccer does. Look to high schools and early technical programs (code camps). This is also how terrorists recruit
Gamers are a prime example of exceptional youngsters who are good at cyber
Setting high expectations will lead to an increased performance – https://en.wikipedia.org/wiki/Pygmalion_effect
Understand your staffs capabilities – develop a Cyber Skills Capability Matrix – https://3jd8gl2iires146kaw2hgqy9-wpengine.netdna-ssl.com/wp-content/uploads/2018/02/Slide1-3.png
Key Skills/Jobs to be in demand by 2021
Intrusion Detection, secure software development & attach mitigation
Penetration testing & application testing
SOC & Forensic analysts

Cyberwarfare and the Journalist

Speaker – Ben Makuch – https://www.vice.com/en_au/contributor/ben-makuch

TV Documentary – CyberWar (currently on SBS OnDemand in Australia)
talked about the Western Ukraine power grid attack in 2015 https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack , using Blackenergy malware https://www.kaspersky.com.au/resource-center/threats/blackenergy
Meme’s are memorable and effective – terrorist uses them, Anonymous uses them, Arjen uses them, Russian dis-information uses them.
Spoke of Fancy Bear https://en.wikipedia.org/wiki/Fancy_Bear
Spoke of Latvia’s ability to thwart Russian FUD and Spear Phishing, https://twitter.com/janis_sarts?lang=en . Director at the NATO Strategic Communications Centre of Excellence- https://www.globsec.org/speakers/janis-sarts/
Commented on the best Snowden interview with John Oliver, in his opinion https://www.youtube.com/watch?v=XEVlyP4_11M
Spoke of Phineas Fisher Hacking Group – https://www.youtube.com/watch?v=BpyCl1Qm6Xs
Spoke of NSA Exploits / Shadow Brokers leaks https://thehackernews.com/2017/09/shadowbrokers-unitedrake-hacking.html
Eternalblue and WannaCry https://en.wikipedia.org/wiki/EternalBlue https://www.welivesecurity.com/2018/05/10/one-year-later-eternalblue-exploit-wannacryptor/

Popular Misconceptions about Security and Cybercrime

Speaker – Brian Krebs https://twitter.com/briankrebs

Runs the Security News site https://krebsonsecurity.com/
Security Boulevard https://securityboulevard.com/
Data leak databases – input username/email address and get clear text passwords that have been used in breaches
https://haveibeenpwned.com/ – Tony Hunt’s security password website
https://weleakinfo.com/ (paid)
https://ghostproject.fr/ (free) <- try yours!!! you'd be surprised (it is old data)
https://citadel.pw/ (paid)
End user training and education is important – tell your friends and family how to be safe and improve their online security
Everyone should be using a password safe & enable MFA where possible
Pathways to cybercrime https://www.mdx.ac.uk/__data/assets/pdf_file/0025/245554/Pathways-White-Paper.pdf – Gaming is a major factor.
Recruit for cyber defense from secondary schools, like sports do.
China and Israel are good at strategy
Use GPG (encryption) for email – https://emailselfdefense.fsf.org/en/

Exploring the DevSecOps Toolchain

Speaker – Eric Johnson https://www.sans.org/instructors/eric-johnson

Sans DevSecOps Poster https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download
Verizon Breach Report 2018 – good insights to how breaches have happened https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf
if using a WAF, it must be in blocking mode – NOT inspect mode otherwise it's useless
5 phases – Pre-commit, Commit (CI), Acceptance (CD), Production (CD), Operations
7 keys tools (from Sam/Arjen)
IDE Security Plugins: like https://www.sonarlint.org/ & http://find-sec-bugs.github.io/ & https://github.com/Microsoft/DevSkim – encourage your devs to use these to "shift left" security as far as possible
awslabs/git-secrets : https://github.com/awslabs/git-secrets blocks ACCESS and SECRETS before they are committed
OWASP Dependency Checks scanner https://www.owasp.org/index.php/OWASP_Dependency_Check
Docker – CIS benchmark https://github.com/dev-sec/cis-docker-benchmark – if using containers, run this on them as part of the toolchain
Containers – https://anchore.com/ – Automate Your Container Security and Compliance
Resources for DevOps Culture
The Phoenix Project https://www.booktopia.com.au/ebooks/the-phoenix-project-gene-kim/prod9781942788300.html
Five Dysfunctions of a Team https://www.booktopia.com.au/the-five-dysfunctions-of-a-team-patrick-lencioni/prod9780787960759.html
Lean Enterprise https://www.booktopia.com.au/lean-enterprise-jez-humble/prod9781449368425.html
Building a DevOps Culture https://www.oreilly.com/webops-perf/free/building-devops-culture.csp
Mozilla Rapid Risk Assessment (RRA) model https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html & https://binary.protect.io/workcard.pdf
OWASP
User Stories / Evil Stories / Abuse Stories (not always the 'happy path') https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories
Threat Dragon is a free, open-source threat modelling tool from OWASP https://threatdragon.org https://www.owasp.org/index.php/OWASP_Threat_Dragon

SOC – How to

Speaker – Gavin Reid https://www.linkedin.com/in/gavinsreid/

https://blogs.cisco.com/security/cisco-csirt-on-advanced-persistent-threat
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 start here to develop your own Incident Response Handbook – and practice it – don't leave it to run under first breach conditions
https://splunkbase.splunk.com/app/3378/ (requires login) The Security Playbook is a collection of state-of-the-art alerts developed and reviewed by some of the world’s leading security practitioners and bundled into a convenient Splunk app. This is as a basis to develop search queries in other platforms too (like Kibana)
https://www.oreilly.com/library/view/crafting-the-infosec/9781491913598/ Crafting the InfoSec playbook

Ruin your life feat. Google Chrome

Speaker – Sam Reid https://www.linkedin.com/in/sreid11

How Google Chrome extension with too many permission (read/write all) can be really dangerous
demo'd a Bitcoin extension, with full perm's, which when logged in, created API keys on btcmarkets.net, which then did a blind transfer of all currency from his account.
He developed https://github.com/sudosammy/chrown – Chrown – A Google Chrome Extension Exploitation Framework – easy to make Chrome extensions for submission to google. Like a boilerplate for Chrome extensions. Written to handle V2 Manifests (current)
Chrome background permission allows Chrome to start up system login and persist until system log off, all without opening Chrome (unless explicitly Chrome/Exit)
BeEF – Browser Exploition Framework https://blog.beefproject.com/ – like Kali Linux or Metasploit for browser extension
provides a Persistent Man in the Browser attack – demo'd how to hook and then get a shell on the victim
Demo'd how even just browser to Facebook, he got user/password in plain text
Demo'd how using a 'decoy' LastPass, even if the user just types on the screen, without pressing Enter, he still got the keystrokes
Allows hardware control, like webcam and screen shot as well.
https://www.youtube.com/watch?v=GNBSEbn9tEc BeEF – How to link/hook a browser with BeEF – this is an eye opener.
https://docs.kali.org/general-use/starting-metasploit-framework-in-kali Kali / Metasploit
Inspiration – BlackHat 2012 – https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Osborn
Defending against this;
Disable installation of Extension in Group Policy
Lock the installation folder with folder permissions
(Hope) Googles static code analysis will get better – fast
The key message I took from this was, like all apps, check the permission we grant them – anything with 'too much' may not be good for your health
Yes, he still uses Chrome (and Firefox)
Incognito is a good way to not run extensions (must be allowed to run in Incognito mode)

Voice of the Customer Analytics

Speaker – Tom McMeekin – AWS Solution Architect https://www.linkedin.com/in/tommcmeekin

AWSUG Forum talk / sub stream of Cyber Conference

Sydney Summit video – https://aws.amazon.com/summits/sydney/on-demand/Tracks/analyse/
Go Learn
Detect Sentiment from Customer Reviews using Amazon Comprehend -http://amzn.to/2sW88JN
Build a Social Media Dashboard – http://amzn.to/2EZvIXH

Serverless From F to A+

Speaker – Chris Coombes – https://www.linkedin.com/in/chriscoombs/