AISA Australia Cyber Conference – Security & Hacking
On October 10 & 11 I was lucky enough to attend the AISA Cyber Conference. This was a security-focused conference with something for all levels.
What an eye opener on many levels, but I’m also not surprised.
I took lots of notes and below is a summary of insights and links I collected or researched as follow up. Where possible, I have provided video links to the sessions/talks – so you get the full context.
I learnt so many things – something from every session.
Click, explore and learn
TL;DR – the best of
- for techs/architects – Exploring the DevSecOps Toolchain
- for Management/HR/Recruitment – Hacking the Skills Gap
- for AWS builders – Serverless From F to A+
Opening Keynote
Speaker – Greg Touhill https://www.linkedin.com/in/gregorytouhill
- formerly 1st Federal CISO of the United States
- Turn on DMARC Email Security https://dmarc.org/
- Invest in training
- Carnegie Mellon – https://www.cmu.edu/ini/academics/msis/index.html – academic leader in cyber and information security
- Spoke about cyber security for executives and his experience running the National Cybersecurity and Communications Integration Center (NCCIC) https://www.dhs.gov/national-cybersecurity-and-communications-integration-center and https://www.us-cert.gov/
- Implement Software-Defined Layer 3 Perimeter Technology – https://cloudsecurityalliance.org/working-groups/software-defined-perimeter/#_overview
- TCP/IP = connect first, authenticate second – inherently flawed
- SDP = authenticate first, connect second – improved
- Coined Touhill’s Law for Recapitalization Planning – like 1 human year = 7 dog years, Touhill’s Law submits that 1 human year = 25 computer years (i.e. tech is outdated/dead in 3 years and needs to be refreshed).
The Future Impact of AI on Cybercrime
Speaker – Dave Palmer https://www.linkedin.com/in/davepalmersecurity/
- YouTube link to the same talk/different location https://youtu.be/ooPOOs7Y7lk
- Ambient surveillance
- is high risk and receives low attention. May not be on the radar of the InfoSec team, and AV suppliers are less focused on security
- Attack the Edge
- IoT; where non-IT staff control the infrastructure (think submersibles and sailors)
- it is outside the traditional security perimeter
- likely not ready/capable of running anti-virus software, for example
- Ransomware/encryption is becoming less effective; the next thing criminals/APTs will be after is DATA INTEGRITY and attacking the information supply chain
- Big enterprises rarely pay ransoms anymore. Regular backups are winning the war here. But small/medium enterprises (SMEs) may still be more at risk, as they may not have current backups. It’s an economics equation: backups cost money, and sometimes they consider the ransom price to be cheaper.
- Little Bing / Xiao-ice https://en.wikipedia.org/wiki/Xiaoice, pronounced ‘shao-ice’, is an AI system developed by Microsoft STCA in 2014 based on an emotional computing framework. Instead of criminals setting up call centres to help you buy Bitcoins for your ransomware payments (who does this anyway!), criminals can now use smart chat bots to smooth out the process and reduce costs.
- https://sociable.co/technology/microsofts-little-bing-ai-evoking-love-in-chinas-lonely-hearts/
- Tools
- American fuzzy lop http://lcamtuf.coredump.cx/afl/ is a security-oriented fuzzer for binaries
- Microsoft Security Risk Detection
- Windows and Linux (sign-up required) https://www.microsoft.com/en-us/security-risk-detection/ – upload binaries (yours or others!), run fuzzers, identify bugs, get a bug report – then fix the bugs
- MSFT Security Risk Detection in practice – video https://www.youtube.com/watch?v=kRCCLtDF_Z4
- Dave Palmer works at https://www.darktrace.com/en/, AI network immune system and threat detection software
Embracing the Rise of DevSecOps
Speaker – Jameson Cooke https://www.linkedin.com/in/jameson-cooke-52a69948/
- DevOps Periodic Table v2 https://blog.xebialabs.com/2016/06/14/periodic-table-devops-tools-v-2/
- DevOps Diagram Generator https://xebialabs.com/devops-diagram-generator/ (requires email address)
Hacking the Skills Gap
Speaker – Jane Frankland https://www.linkedin.com/in/janefrankland/
- worked with National Cyber Security Council UK https://www.ncsc.gov.uk/
- Boardrooms need more cyber education, including the CEO and NEDs (Non-Executive Directors, e.g. the Chairman)
- Need to change our language from cyber security / CISO / SecOps to Risk Mitigation Specialists
- Trust is key – how is trust measured? Using a trust equation we can better understand it https://trustedadvisor.com/why-trust-matters/understanding-trust/understanding-the-trust-equation , https://trustedadvisor.com/public/Equation_Full-1-705×492.jpg
- NCSC – Cyber needs to identify young recruits, like football or soccer does. Look to high schools and early technical programs (code camps). This is also how terrorists recruit
- Gamers are a prime example of exceptional youngsters who are good at cyber
- Setting high expectations will lead to an increased performance – https://en.wikipedia.org/wiki/Pygmalion_effect
- Understand your staff’s capabilities – develop a Cyber Skills Capability Matrix – https://3jd8gl2iires146kaw2hgqy9-wpengine.netdna-ssl.com/wp-content/uploads/2018/02/Slide1-3.png
- Key skills/jobs to be in demand by 2021
- Intrusion detection, secure software development & attack mitigation
- Penetration testing & application testing
- SOC & Forensic analysts
Cyberwarfare and the Journalist
Speaker – Ben Makuch – https://www.vice.com/en_au/contributor/ben-makuch
- TV Documentary – CyberWar (currently on SBS OnDemand in Australia)
- talked about the Western Ukraine power grid attack in 2015 https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack , using BlackEnergy malware https://www.kaspersky.com.au/resource-center/threats/blackenergy
- Memes are memorable and effective – terrorists use them, Anonymous uses them, Arjen uses them, Russian disinformation uses them.
- Spoke of Fancy Bear https://en.wikipedia.org/wiki/Fancy_Bear
- Spoke of Latvia’s ability to thwart Russian FUD and spear phishing, https://twitter.com/janis_sarts?lang=en – Director at the NATO Strategic Communications Centre of Excellence – https://www.globsec.org/speakers/janis-sarts/
- Commented on the best Snowden interview with John Oliver, in his opinion https://www.youtube.com/watch?v=XEVlyP4_11M
- Spoke of Phineas Fisher Hacking Group – https://www.youtube.com/watch?v=BpyCl1Qm6Xs
- Spoke of NSA Exploits / Shadow Brokers leaks https://thehackernews.com/2017/09/shadowbrokers-unitedrake-hacking.html
- Eternalblue and WannaCry https://en.wikipedia.org/wiki/EternalBlue https://www.welivesecurity.com/2018/05/10/one-year-later-eternalblue-exploit-wannacryptor/
Popular Misconceptions about Security and Cybercrime
Speaker – Brian Krebs https://twitter.com/briankrebs
- Runs the Security News site https://krebsonsecurity.com/
- Security Boulevard https://securityboulevard.com/
- Data leak databases – input a username/email address and get the clear-text passwords that have been exposed in breaches
- https://haveibeenpwned.com/ – Troy Hunt’s breach notification website
- https://weleakinfo.com/ (paid)
- https://ghostproject.fr/ (free) <- try yours!!! You’d be surprised (it is old data)
- https://citadel.pw/ (paid)
- End user training and education is important – tell your friends and family how to be safe and improve their online security
- Everyone should be using a password safe & enable MFA where possible
- Pathways to cybercrime https://www.mdx.ac.uk/__data/assets/pdf_file/0025/245554/Pathways-White-Paper.pdf – Gaming is a major factor.
- Recruit for cyber defense from secondary schools, like sports do.
- China and Israel are good at strategy
- Use GPG (encryption) for email – https://emailselfdefense.fsf.org/en/
Exploring the DevSecOps Toolchain
Speaker – Eric Johnson https://www.sans.org/instructors/eric-johnson
- Sans DevSecOps Poster https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download
- Verizon Breach Report 2018 – good insights to how breaches have happened https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf
- if using a WAF, it must be in blocking mode – NOT inspect/detect-only mode, otherwise it’s useless
- 5 phases – Pre-commit, Commit (CI), Acceptance (CD), Production (CD), Operations
- 7 key tools (from Sam/Arjen)
- IDE security plugins: like https://www.sonarlint.org/ & http://find-sec-bugs.github.io/ & https://github.com/Microsoft/DevSkim – encourage your devs to use these to "shift left" security as far as possible
- awslabs/git-secrets : https://github.com/awslabs/git-secrets blocks access keys and secrets before they are committed
- OWASP Dependency Checks scanner https://www.owasp.org/index.php/OWASP_Dependency_Check
- Docker – CIS benchmark https://github.com/dev-sec/cis-docker-benchmark – if using containers, run this on them as part of the toolchain
- Containers – https://anchore.com/ – Automate Your Container Security and Compliance
- Resources for DevOps Culture
- The Phoenix Project https://www.booktopia.com.au/ebooks/the-phoenix-project-gene-kim/prod9781942788300.html
- Five Dysfunctions of a Team https://www.booktopia.com.au/the-five-dysfunctions-of-a-team-patrick-lencioni/prod9780787960759.html
- Lean Enterprise https://www.booktopia.com.au/lean-enterprise-jez-humble/prod9781449368425.html
- Building a DevOps Culture https://www.oreilly.com/webops-perf/free/building-devops-culture.csp
- Mozilla Rapid Risk Assessment (RRA) model https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html & https://binary.protect.io/workcard.pdf
- OWASP
- User Stories / Evil Stories / Abuse Stories (not always the ‘happy path’) https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories
- Threat Dragon is a free, open-source threat modelling tool from OWASP https://threatdragon.org https://www.owasp.org/index.php/OWASP_Threat_Dragon
SOC – How to
Speaker – Gavin Reid https://www.linkedin.com/in/gavinsreid/
- https://blogs.cisco.com/security/cisco-csirt-on-advanced-persistent-threat
- https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 – start here to develop your own Incident Response Handbook – and practice it – don’t leave it to be run for the first time under real breach conditions
- https://splunkbase.splunk.com/app/3378/ (requires login) – The Security Playbook is a collection of state-of-the-art alerts developed and reviewed by some of the world’s leading security practitioners and bundled into a convenient Splunk app. This can also be used as a basis to develop search queries in other platforms (like Kibana)
- https://www.oreilly.com/library/view/crafting-the-infosec/9781491913598/ Crafting the InfoSec playbook
Ruin your life feat. Google Chrome
Speaker – Sam Reid https://www.linkedin.com/in/sreid11
- How a Google Chrome extension with too many permissions (read/write all) can be really dangerous
- Demo’d a Bitcoin extension with full permissions which, once the user was logged in, created API keys on btcmarkets.net and then did a blind transfer of all currency out of his account.
- He developed https://github.com/sudosammy/chrown – Chrown – A Google Chrome Extension Exploitation Framework – makes it easy to build Chrome extensions for submission to Google. Like a boilerplate for Chrome extensions. Written to handle V2 manifests (current)
- The Chrome background permission allows Chrome to start at system login and persist until system log-off, all without opening Chrome (unless explicitly exited via Chrome/Exit)
- BeEF – Browser Exploitation Framework https://blog.beefproject.com/ – like Kali Linux or Metasploit, but for browsers
- provides a persistent Man-in-the-Browser attack – demo’d how to hook a browser and then get a shell on the victim
- Demo’d how, just by browsing to Facebook, he got the user/password in plain text
- Demo’d how using a ‘decoy’ LastPass, even if the user just types on the screen without pressing Enter, he still got the keystrokes
- Allows hardware control, like the webcam and screenshots as well.
- https://www.youtube.com/watch?v=GNBSEbn9tEc BeEF – How to link/hook a browser with BeEF – this is an eye opener.
- https://docs.kali.org/general-use/starting-metasploit-framework-in-kali Kali / Metasploit
- Inspiration – BlackHat 2012 – https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Osborn
- Defending against this:
- Disable installation of extensions via Group Policy
- Lock the installation folder with folder permissions
- (Hope) Google’s static code analysis will get better – fast
- The key message I took from this was: like all apps, check the permissions we grant them – anything with ‘too much’ may not be good for your health
- Yes, he still uses Chrome (and Firefox)
- Incognito is a good way to not run extensions (an extension must be explicitly allowed to run in Incognito mode)
Voice of the Customer Analytics
Speaker – Tom McMeekin – AWS Solution Architect https://www.linkedin.com/in/tommcmeekin
AWSUG Forum talk / sub stream of Cyber Conference
- Sydney Summit video – https://aws.amazon.com/summits/sydney/on-demand/Tracks/analyse/
- Go Learn
- Detect Sentiment from Customer Reviews using Amazon Comprehend – http://amzn.to/2sW88JN
- Build a Social Media Dashboard – http://amzn.to/2EZvIXH
Serverless From F to A+
Speaker – Chris Coombes – https://www.linkedin.com/in/chriscoombs/
AWSUG Forum talk / sub stream of Cyber Conference
- How to build an AWS serverless website – Presentation Slide Deck @ https://docs.google.com/presentation/d/1gK2tzxbSSuZrHjPYKKIV11sA9pDkFDfF88ufOfHvKlk/edit?usp=sharing
- Use Case from AWS Well Architected Framework – Serverless Lens
- https://observatory.mozilla.org/ – website security health check
- https://www.ssllabs.com/ssltest/ – Qualys SSL test for websites
- https://bit.ly/2EbdSoy – AWSUG – Melbourne home page
- Lambda@Edge Security Headers @ https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/
- AWS WAF Cloudformation Quick Start @ https://aws.amazon.com/answers/security/aws-waf-security-automations/ – this is a really easy way to get AWS WAF up and running
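As an added example (not from the talk, the slide deck or the AWS blog post linked above), here is a minimal Lambda@Edge origin-response handler in Node.js that injects the headers Mozilla Observatory and similar checks look for; the CSP value is a placeholder assumption and must be tuned to the site’s real script, style and image sources.

```javascript
'use strict';

// Security headers added at the CloudFront edge on every origin response.
// The CSP below is a placeholder assumption: a real site lists the script,
// style and image origins it actually uses, or the page breaks.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'X-XSS-Protection': '1; mode=block',
};

// CloudFront keys headers by lowercase name, each holding [{ key, value }].
// Edge-set values override whatever the origin sent, so the policy is
// enforced even if an origin server (or S3 bucket) is misconfigured.
function addSecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers[name.toLowerCase()] = [{ key: name, value }];
  }
  return response;
}

// Returns the lowercase names of required headers still missing, so a
// response can be audited before and after the function runs.
function missingSecurityHeaders(response) {
  const headers = response.headers || {};
  return Object.keys(SECURITY_HEADERS)
    .map((n) => n.toLowerCase())
    .filter((n) => !headers[n] || headers[n].length === 0);
}

// Lambda@Edge entry point for the "origin response" trigger.
const handler = async (event) => addSecurityHeaders(event.Records[0].cf.response);

if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, missingSecurityHeaders, SECURITY_HEADERS };
}
```

Deploy it in us-east-1 (Lambda@Edge functions must live there) and attach it to the distribution’s origin-response event; the HSTS header only helps once the site is served over TLS, which the SSL Labs test above will confirm.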