THE KINGS IN YOUR CASTLE - All the lame threats that own you but will never make you famous

March 17, 2016 (at 11:30 a.m.) in Attack & Research

It is the same question being directed to audiences around the security conference scene: How many people in the room can tell their machine or network is currently not compromised? No hand has been seen to rise in answer. APT has been fashion five years ago and still rocks the most-feared charts on every cyber threat survey. While tabloid press is generally after the latest most-sophisticated-threat, the analyst community has long resorted to talk about threats that are advanced and persistent.. enough. In terms of sophistication targeted attacks show all shades of grey, on average though tend to be rather shallow. On the other hand, security products all have a single weak spot in common that they will always rely on patterns; whether patterns that are there, like signatures, or patterns that are not there, like anomalies. This enables attackers to evade detections with shallow, but unknown tools which manage to fly under the radar.

The proposed talk will take on the APT myths by formulating hypotheses based on a set of APTs documented in the MISP platform. MISP stands for Malware Information Sharing Platform and is used by hundreds of organizations to share data on APT events. It is possible to split the content of the information shared between reports of vendors and events seen by the users of the platform.

Marion Marschalek

Marion Marschalek is a Security Researcher, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems where she built a thorough understanding of how threats and protection systems work and how both occasionally fail. Next to that Marion teaches malware analysis at University of Applied Sciences St. Pölten and has presented at a number of international conferences, among others Blackhat, RSA, SyScan, hack.lu and Troopers. She also serves as a review board member for Black Hat Europe and was listed as one of Forbes’ "30 under 30" in the technology Europe division in 2016. Once year, Marion runs BlackHoodie, a reverse engineering workshop for women, in order to increase the number of femgineers in the field of low level technology.

Raphaël Vinot

Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing or participating to the development of tools[1] [2] [3] [4] to improve and ease the day-to-day incident response capabilities of the CSIRT he works for but also for other teams doing similar activities.Another big part of his activities is to administrate the biggest MISP instance in Europe [5] with >150 companies, 400 users and more than 250.000 attributes. This is the source used in this research project.

[1] Personal account: https://github.com/Rafiot

[2] Work account: https://github.com/CIRCL/

[3] MISP account: https://github.com/MISP

[4] Wrote the MISP module: https://github.com/viper-framework/viper

[5] Information on how to get access to the platform: https://www.circl.lu/services/misp-malware-information-sharing-platform/