New to PHDays: defensive track from the PT ESC team
This year, PHDays will include a special track for digital defenders! Our forum has tended to concentrate more on about attacks, vulnerabilities, and hacking techniques, and less on protection. To close that gap, we have created a special technical track named thrEat reSearch Camp for presentations about incident response, threat intelligence, threat hunting, OSINT, and malware analysis.
During the two days, experts will discuss new APT campaigns, share effective methods and tools for detecting incidents, monitor the darkweb, and analyze open sources. They will also pick apart complex malware. Presentations will target a diverse audience, with content intended both for novices and technical experts.
Elmar Nabigaev, Head of Threat Response at Positive Technologies and member of the PHDays organizing committee, said: "Every year, there is more and more information about new vulnerabilities and flashy hacking techniques. But protection-related topics can get shortchanged. At PHDays 9, we want to change this by doing more to include the other set of people, those who protect us from cybercriminals every day." He continued: "thrEat reSearch Camp will be a space where all PHDays participants can share ideas. We hope this will be the start of a tradition for future years."
The PHDays program committee has already selected the first group of speakers who will present at the defensive track. Visitors will learn how optical character recognition helps combat macro viruses, how cloud incidents can be best investigated, how Active Directory logs can be analyzed in a new way, and how security experts monitor threats on the darknet.
Detecting macro viruses
The 1990s were full of interesting trends. On the computing side, these included documents with injected malicious code. Most commonly, attackers would embed a VBA macro in an innocent-seeming document, such as an invoice. Many still remember the Melissa macro virus, which appeared in March 1999 and infected hundreds of thousands of computers all over the world.
But malicious macros have made an unexpected comeback. In 2014, Microsoft noted an increasing number of such threats: the company's tools were generating as many as around 8,000 VBA detections per day. In 2016, Microsoft blocked macros in Microsoft Office by default. However, malware developers found a way to bypass this restriction: they now kindly ask users to enable macros.
Check Point reverse engineer Ben Herzog will present a new approach to macro detection. Attackers who create such documents invariably use the words "Enable Content" and must hide them in a document's header or in a picture. Ben will demonstrate a classifier that immediately detects infected files and also share the results of his research, based on tens of thousands of malicious documents.
New method of analyzing AD event logs
Analysts from the JPCERT/CC Incident Response Group will speak on the topic "Analyzing Active Directory event logs with visualization and machine learning." Tomoaki Tani coordinates investigation of cybersecurity incidents and analyzes incident trends and attack methods. Shusei Tomonaga is engaged in malware analysis and forensics investigation. He is spearheading a group responsible for analyzing targeted attacks on critical industries in Japan.
Event log analysis is a key stage in incident investigation. Analyzing Active Directory event logs allows identifying the hosts compromised as the result of lateral movement. The duo will show a new method of analyzing Active Directory event logs with LogonTracer, a tool that visualizes relationships between accounts and hosts.
Cloud incident investigation
An increasing number of companies are migrating their infrastructure to public clouds, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. According to IDC, the biggest spender on cloud services in 2018 was healthcare ($12.1 billion), followed by government ($8.4 billion) and finance ($7.3 billion). Analysts expect that investment in cloud services will continue at an accelerated clip until 2021. The cloud boom has been fuelled by the digitalization of key industries.
Despite the advantages of cloud technology, it also brings security risks. Frederic Baguelin, incident response expert at Société Générale and co-founder of ArxSys, will speak about incident investigation on cloud infrastructure. Frederic will tell about EC2 and methods for analyzing EC2 instances in the AWS ecosystem. He will propose an automated approach based on AWS and the Python API to retrieve snapshots for local analysis. He will also demonstrate the tools needed to perform a full scan directly from the cloud.
Monitoring darknet threats
Muslim Koser, Head of Products & Technology at Volon, will speak about effective methods for gathering information about attackers on the darknet. Muslim has over 20 years of information security experience. For the past 10 years he has been leading threat intelligence teams. The speaker will explain how to cope with information overload to pinpoint the useful nuggets, and how to combine AI and ML with HUMINT to get the most out of the "take."