Following a successful event in 2016, Hong Kong’s premier security research group Dragon Threat Labs is hosting DragonCon, possibly the most technically-intensive security conference borne out of Hong Kong.
Come join us, make friends and see the cyber city!
Mei Nelson is a Security Principal of the Geopolitical and Strategic Intelligence team at iDefense (now part of Accenture Security). She focuses on East Asia region specific analysis of cyber-threat actors and motivations, and strategic cyber-threat analysis related to client organizations’ processes and strategic objectives.
Bart is an Incident Response and Forensics Specialist in MANDIANT's Security Consulting Services team helping clients restore confidence in an event of a breach. He holds a degree in Computer Forensics, is a keen developer, enjoys inspecting network traffic and specialises in Windows forensics with fascination in volatile memory.
Having worked on Incident Response engagements around the world, Bart routinely develops new tools and ideas to solve on-the-job problems and to ensure Mandiant remains an industry leader. Some of these developments led to Bart's contributions to the Volatility project.
After spending 8 years in England, Bart recently relocated to APJ region as he believes it's still the most fascinating, culturally diverse, and opportunistic region in the world. The relative immaturity in Cyber Security in most countries, but also the "hunger to learn" that most businesses and government organizations display, offer a significant growth opportunity.
Industrial safety expert and an experienced security product architect, who worked in communications equipment R & D in Huawei, and in a number of security companies engaged in security research, such as cnns, topsec, kuangn. He has obtained CISSP certification. He is the founder of ArtisanLab and leader of the research team. One of his recent findings include the study of worms in ICS. The findings were successfully demonstrated in a number of safety conferences.
Jay Spreitzer has over 19 years of information security experience in government and private sector. Jay retired from the US Army, after 23 years of service working in various technology and information security roles. He also has 11 years of experience in the financial sector working in the cyber threat intelligence role. Jay is the co-founder and CISO of Protocol 46, a US-based company extending cyber security to small and medium businesses.
Jay has completed his Bachelor of Science in Information Technology and a Master of Science in Information Assurance and Security. Some of his other training includes Network Penetration Testing and Ethical Hacking, Cyber Threat Intelligence, Advanced Security Essential, the Criminal Intelligence Analyst Course, and the FBI Citizen’s Academy. He holds GIAC Enterprise Defender and Incident Handler certifications.
Jay is a member of InfraGard and the High Technology Crime Investigators Association. Jay has been an active member of the Board of Directors for the FBI Citizens Academy Alumni Association and Minnesota InfraGard.
Matt is a malware researcher with an interest in malware used to target civil society. In addition to private malware research, he has experience in intelligence and incident response in the US government and private sectors.
Chris Chan is a senior engineer for ASTRI Security Lab where he is an ethical hacker. He is a cybersecurity researcher for the lab where he discovered vulnerabilities in several brands of routers. He gained his CEH certificate in 2013 and started security research on web assessment. He joined the Information Security Summit HK 2015 and shared his case on the DDoS Attack. He also gave a technical sharing for PISA after the training at Black Hat 2016 and was involved in the Cyber Intelligence Sharing Platform (CISP) development.
Roland Cheung is an information security manager responsible for security incident handling and emerging threat analysis. He is the founding member of the Honeynet Project HK chapter (aka Honeybird) and has rich experience on Honeypot deployment and attack data analysis.
Cyber Threat Intelligence Analyst, Manager, and Advisor for over 13 years
Originated and grew successful threat intel programs for 2 major security firms, and created development plans on behalf of many others
Established a major US security firm's operational presence in Europe and Japan
Past presentations at FIRST, NATO, CodeGate, HTCIA, AVTokyo, PacSec, among others
Author of dozens of cyber policy analyses and advisory reports for governments and multinational firms, including threat modeling guidance for the Bank of England's CBEST programme
Stewart K. Bertram is a known and respected figure within the cyber threat intelligence community having held senior positions at a number of the leading commercial threat intelligence providers. Stewart is currently the Director of Professional Services and Threat Intelligence at Digital Shadows.
As part of this role Stewart is responsible for the delivery of the Threat Intelligence phase of all CBEST, TIBER and iCAST project that Digital Shadows undertakes and is now one of the most experienced providers in the emerging area of Threat Intelligence provision to Threat Led Penetration Testing.
In addition to his professional interests Stewart is reading towards a part time PhD in International Relations that focuses on the use of hacktivists groups as proxies for nation state cyber warfare.
With a background in UK Military Intelligence as well as private sector cyber security, Stewart strives to present a balanced view on cyber threats and how best to address them.
09:50am - 10:00am
Welcome & opening speech
10:00am - 10:45am
Attacker Antics: Illustrations of Ingenuity
The arms race between the vendors creating security defenses and the hackers trying to defeat them continues. While responding to security breaches around the world, we carefully selected several of the more recent and fascinating attacker TTPs and we are excited to share them with you. Come to the talk to hear about attackers breaching air-gapped networks, abusing anti-virus server, hijacking victim’s emails, camouflaging malware and preventing it from sandbox execution, and using obscure persistence mechanisms, to name a few.
10:45am - 11:00am
11:00am - 11:45am
Real World Threat Intelligence
As companies increasingly rely on cyber threat intelligence to guide their decision making at all levels of the organisation, a range of intelligence is increasingly in-demand. This talk will cover how cyber threat intelligence is evolving from purely technical feeds of data to become multi-sourced, fused and therefore actionable and predictive at the tactical, operational and strategic levels. The role of cyber threat intelligence in testing critical national infrastructure is an example of that, and the use of intelligence in the Hong Kong Monetary Authority's iCAST framework will be used as a case study.
11:45am - 12:30pm
Needlefish and Its Fish Family - How is Kim’s Cyber Warriors in Action
Over the past few years, global industry has witnessed an uptick in the number of campaigns attributed to North Korea. How did North Korea build and maintain its cyber threat capabilities? Who is supporting North Korea's operations? How is this support/dependency relationship playing out? This talk will explore these questions and offer an evaluation of the future trend of North Korea's cyber operations and possible geopolitical factors influencing its direction.
12:30pm - 13:15am
Targeting the Vote: Attempted Surveillance of Hong Kong’s Democracy Community
Matt Brooks and Anthony Lai
In this research, we disclose a series of intrusion attempts targeting the Hong Kong democracy community throughout 2017. We will discuss the targeting and technical analysis of multiple case studies to highlight specific examples of how new malware is being developed and deployed to conduct surveillance. We then provide an analysis of the different groups involved in the targeting as well as connections to past research to highlight the existing demand for surveillance of the democracy community.
13:15pm - 14:45pm
14:45pm - 15:30pm
Lazarus and Friends
An overview of cyber-attacks likely emanating from North Korea
* A high level review of events dating back the last decade
* A more detailed review of some more recent activity that I have been researching
* A summary of how the different groups of attackers may link together
* Some new tooling and techniques to track this activity
15:30pm - 16:00pm
Fall in Love with Honeypot
To share the experience on deploying honeypot to collect a variety of attack data, including port scans, vulnerability exploits, password brute force attack etc. and how to learn the attacker’s behavior.
16:00pm - 16:30pm
Moderator: Eli Jellenc
The "i" of intelligence-led Penetreation Testing, CBEST vs iCAST
16:30pm - 16:45pm
16:45pm - 17:15pm
The rise of cyber proxy forces and their utility within the practise of nation state cyber warfare
Stewart K. Bertram
Although hacktivist groups that are patriotically motivated have been an established feature of the cyber threat landscape for well over a decade, a new form of this phenomenon has emerged over the past couple of years – hacktivist groups that are receiving direct material support from nation state level institutions. In effect these groups have become cyber proxy forces for various nation states that provide a deniable cyber warfare capability that be used to project soft – and even hard – cyber power outside of a nation state’s conventional sphere of influence.
Cyber proxy forces have emerged as a feature within a number of global conflicts, such as the ones in the Ukraine, Syria and Iraq. Groups such as CyberBerkut (Ukraine), Ashiyane Digital Security Team (Iran), Guardians of Peace (North Korea) and the Syrian Electronic Army (Syria) are just a handful of examples of cyber proxy forces that have emerged within recent years and represent the cutting edge of cyber power projection by nation states.
This paper presents a framework that seeks to define proxy forces as a subset of a larger ontology that is used to categorise nation state cyber warfare capabilities. This definition will be a critical component of conceptualizing cyber threat in the future as nation states become increasingly involved in cyber warfare as a practise.
Despite the proliferation of cyber proxy forces, there has been little research conducted into the phenomenon as a whole. This paper seeks to redress this balance by examining the motivations behind the creation and sponsorship of proxy forces and how they are being used within current conflicts.
Specific questions that this presentation will address include, what level of attribution is needed to considered a hacktivist groups state sponsored? What is the difference between a hacktivist group that is ideologically aligned with a nation state and one that is overtly backed by a state? What is the future developmental trajectory of cyber proxy forces and how will this capability develop in the future?
This paper presents original research conducted as part of a PhD project into the phenomenon of cyber proxy forces, with a full peer review paper authored by myself on the subject available via the Journal of Terrorism Research (“‘Close enough’ – The link between the Syrian Electronic Army and the Bashar al-Assad regime, and implications for the future development of nation-state cyber counter-insurgency strategies”, available from http://jtr.st-andrews.ac.uk/articles/10.15664/jtr.1294/)
17:15pm - 18:00pm
A step by step guide of writing a worm to infect PLC-based systems using ladder logic
Dr. Siu Ming Yiu and 姜双林
In this presentation, we will demonstrate how to write a worm to infect a PLC-based industrial control system (ICS) using ladder logic programming. We use Siemens PLC as an illustration. However, the same technique can be easily extended to other brands or ICS with PLCs of mixed brands and models. The worm we illustrated, once infected one PLC in the system, is able to automatically locate and identify other PLCs in the system, then infect them. After the infection, the attacker is able to control the system remotely.
18:00pm - 18:45pm
Malware Command and Control using Social Media Platform
Our talk will aim to show the attacker’s perspective on building, operating and maintaining malware and botnets that is controlled via a social media as a c2 communications channel.
18:45pm - 18:55pm
14 Dec 2017 (Thu)
10:00am - 17:00pm
Introduction to Cyber Threat Intelligence
Jay P. Spreitzer
An introduction to cyber threat intelligence that explains what it is and what it is not. Take attendees through an explanation of the intelligence life cycle and the different processes surrounding them. A description of actionable intelligence and introduction to different open sources tools that can be used to enrich intelligence. The workshop will cover operational security considerations of using some opensource tools. Important parts of analysis to develop a hypothesis. The importance and usage on indicators of compromise and types of reporting. Students will have an opportunity to use different tools sets in scenarios using their own laptop.
15 Dec 2017 (Fri)
09:30am - 12:30pm
Monitoring and protecting industrial control systems
Dr. Siu Ming Yiu and 姜双林
15 Dec 2017 (Fri)
14:00pm - 17:00pm
We are seeking sponsors. If you are interested in sponsoring, please contact the following at Dragon Threat Labs.
For the donation, you can donate through the eventbrite donation ticket at here ! For further donation options, please contact the following at Dragon Threat Labs.
if you wish to sponsor DragonCon please contact Frankie Li.
Copyright © 2017 Dragon Threat Labs