Call for Papers and Workshops
Following a successful event in 2017, Hong Kong's premier security research group Dragon Threat Labs is hosting DragonCon, possibly the most technically intensive security conference born out of Hong Kong.
Come join us, make friends and see the cyber city!
DragonCon invites proposals for half-day or full-day workshops to be held in December 2018. Workshops are expected to focus on Threat Intelligence, Hardware Hacking, Hardware Forensics, Hardware Attacks, Reverse Engineering, Exploitation, Vulnerability Research and any other subject that will make our nerd-o-meter hit the red line!
1. Complimentary ticket to the conference
2. Invitation to the VIP party
3. Remuneration for international speakers
Bart is an Incident Response and Forensics Specialist in Mandiant's Security Consulting Services team, helping clients restore confidence in the event of a breach. He holds a degree in Computer Forensics, is a keen developer, enjoys inspecting network traffic and specialises in Windows forensics, with a particular fascination for volatile memory.
Having worked on Incident Response engagements around the world, Bart routinely develops new tools and ideas to solve on-the-job problems and to ensure Mandiant remains an industry leader. Some of these developments led to Bart's contributions to the Volatility project.
After spending 8 years in England, Bart recently relocated to the APJ region, as he believes it is still the most fascinating, culturally diverse and opportunity-rich region in the world. The relative immaturity of cyber security in most countries, combined with the "hunger to learn" that most businesses and government organisations display, offers a significant growth opportunity.
Brian serves as the Financial Services Information Sharing and Analysis Center (FS-ISAC) Intelligence Officer for Asia-Pacific. Prior to his time at FS-ISAC, Brian worked for the Pharmaceutical Security Institute as the Senior Intelligence Analyst, producing intelligence on criminal involvement with global counterfeit pharmaceutical networks, including cyber-based networks. Before that he served in the U.S. Department of Defense in intelligence and foreign affairs roles of increasing responsibility for twenty-six years, culminating as the Principal Intelligence Officer for the Deputy Assistant Secretary of Defense, with responsibility for Taiwan, China, Japan, North and South Korea and Mongolia. Brian received his Master of Arts degree in Global Affairs from George Mason University, focusing on global conflict and security. He is fluent in Mandarin Chinese, Portuguese and Spanish.
I am a forensic researcher at the Institute of Best of the Best in South Korea and currently hold a master's degree in Information Security.
I am interested in analysing incidents caused mainly by 1-day exploits and APT attacks.
In this conference, I will explain which artifacts are left in the system when a 1-day exploit works and describe how to make a connection between normal information and abnormal information to figure out which software vulnerabilities are causing the attack.
Jay Spreitzer has over 20 years of information security experience and is currently the CISO at Protocol 46. Over the last 13 years, he was the team lead for the cyber threat intelligence team at a large financial institution. Prior to working in the private sector, Jay retired from the US Army after 23 years of service working in various technology and information security roles. Roles included system administrator, database administrator and Information Assurance Security Officer, culminating as Information Management Officer. As Information Management Officer, he managed and developed all facets of the organisation's information security programme. Jay is also the co-founder of Protocol 46, a US-based company extending cyber security to small and medium businesses.
Jay has completed his Bachelor of Science in Information Technology and a Master of Science in Information Assurance and Security. Some of his other training includes Network Penetration Testing and Ethical Hacking, Advanced Security Essentials, the Criminal Intelligence Analyst Course, and the FBI Citizens' Academy. He holds GIAC Continuous Monitoring and Security Operations, Enterprise Defender, and Incident Handler certifications.
Jay is a member of InfraGard and the High Technology Crime Investigators Association. Jay has been an active member of the Board of Directors for the FBI Citizens Academy Alumni Association and Minnesota InfraGard.
Tracking & Profiling attack sources based on offensive research
Attacker tracking through analysis of server-side data
Moonbeom works in the cyber security and incident response sector of South Korea as a general researcher and as a cyber investigation advisory member of the national investigation agency. He is responsible for research on hacking methods, analysis of hacking incidents and profiling of the relationships between them. He has presented at many international hacking and security conferences, including AVTOKYO, Ekoparty, FIRST, HITCON, HITB-GSEC, Swiss Cyber Storm, TDOH Conf and TROOPERS.
Rose Bernard has worked at Digital Shadows since January 2018 and currently manages the Strategic Research Team. Prior to this she worked for Control Risks in the cyber threat intelligence team, and for the National Crime Agency, where she focused on counter-narcotics. Rose specialises in online activist and extremist groups, and the evolution of Latin American cybercrime. She holds an MA in History and Languages from University College London and is currently gaining her doctorate at King's College London, where she is creating a framework for intelligence sharing between civilian and military organisations in the case of public health events of international concern (PHEIC).
Michael is a technical threat researcher specialising in tracking cyber threat groups and malware analysis. He is also a keen developer and is the founder of the free threat intelligence portal ThreatMiner.org. He currently works as a team lead on the intelligence collection, analysis and reporting efforts on targeted attacks for a global consultancy firm and has collaborated extensively with law enforcement agencies.
In the past, Michael has served as a Director in Threat Intelligence Operations for an incident response company where he helped create a successful global threat intelligence function that provided intelligence support for incident response, threat hunting and client threat assessments. Michael currently holds the CREST Certified Threat Intelligence Manager (CCTIM) qualification and served as an advisor to the exam committee.
Michael also holds a PhD in quantitative criminology which focused on using social network analysis and graph theory to analyse cyber criminal communities (e.g. carding forums).
09:00 - 09:20
09:20 - 09:30
Welcome & opening speech
09:30 - 10:15
Evolving Beyond GREP: Enterprise-Wide Hunting with Execution Artefacts
Six years ago, Mandiant released a proof-of-concept tool named ShimCacheParser, along with a blog post titled "Leveraging the Application Compatibility Cache in Forensic Investigations". Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for standalone analysis and for enterprise intrusion investigations.
While six years may seem like a long time, few community efforts have focused on leveraging ShimCache metadata at an enterprise scale.
The talk will present an open-source tool designed to efficiently process, analyse and hunt at enterprise scale using temporal execution artefacts such as ShimCache and AmCache; prior to its public release a year ago, the tool was only available to Mandiant consultants.
The talk is full of demos and will present custom-built analytics such as time execution correlation, Levenshtein distance analysis and time stacking, to name a few. The talk was designed by the tool's author and my dear colleague, Matias Bevilacqua.
10:15 - 11:00
Let's learn about the enemy through various IoCs of real APT cases
In the dark world (I mean the darkness countries), there are countries that carry out various cyber attacks. We have long been tracking and analysing the cyber attack groups working in the background of such countries. Based on our analysis and response experience, we will show which attack vectors those cyber attack groups use, which cyber weapons they use, and which IPs they use. We will also present APT case analyses in which they attacked using those attack vectors and cyber weapons. Their attack targets were government agencies, banks, airports, military facilities and defence industries.
* Cyber attack history and structure of the enemy's cyber warfare groups
  - History of cyber attacks by the enemy since 2008
  - Structure and purpose of the cyber warfare groups
* The kinds of cyber weapons used by the cyber warfare organisation
  - HWP (Hangul Word Processor) exploits & malware
  - MS Office exploits & malware
  - RAT (Remote Administrator Tool)
  - Dropper, encryption tool, keylogger
  - Hacking tools for web server attacks
* Attack vectors of the cyber warfare groups
  - Spear-phishing e-mail attacks
  - Watering hole attacks
  - PMS (Patch Management System) protocol attacks
* Case analysis of APT incidents related to the cyber warfare groups
  - Case-1 : APT incident case in the government sector
  - Case-2 : APT incident case in the military sector
  - Case-3 : APT incident case in the national infrastructure sector
  - Case-4 : APT incident case in the financial sector
  - Case-5 : APT incident case in the cryptocurrency sector
  - Case-7 : APT incident case in the defence industry sector
* Conclusion : Elements for profiling the enemy's cyber warfare groups
  - Enemy IP addresses found in the APT incident cases
  - Various logs from attacked, infected and compromised servers and PCs
  - Common points (evidence) inside the malware from each APT incident case
11:00 - 11:15
11:15 - 12:00
An intro to Cyber Threat Intelligence
Jay P. Spreitzer
In today's volatile world, organisations operating without threat intelligence are like someone driving a car in the dark with the headlights off. This presentation will highlight the value of cyber threat intelligence, where it can be used, and some fundamental aspects of analysis and building requirements. We will start by defining intelligence and how it is often misinterpreted, then cover evaluating data, the different levels of intelligence, how to start conducting analysis, and maintaining operational security.
12:00 - 12:45
Precise Analysis of Attacker's Behaviour using Offensive Research
For popular software running on Windows 7 or 10, this talk analyses and classifies the artifacts left behind after an exploit has run.
12:45 - 14:00
14:00 - 14:45
Cyberthreat Intelligence: Clearing the haze in a blurry world
FS-ISAC's Intelligence Officer for Asia-Pacific, Brian Hansen, will present on alarming new trends FS-ISAC has observed in the global threat landscape, and the evolving best practices that are proving most successful against criminal, hacktivist and nation-state adversaries. He will also discuss what sort of intelligence processes institutions should train on and deploy. What kind of technology do we need to enable our analysts and enhance our intelligence products? How best can CISOs and other cybersecurity leaders incorporate threat intelligence that is more than just feeds and data?
14:45 - 15:30
A secret deal in the Dark-Web, Shall we dive in to the Dark-Web, together?
Recently, illegal activities on the Dark-Web have been increasing rapidly. This is because of the defining characteristic of the Dark-Web, 'anonymity', which is achieved by restricting access to the Dark-Web to the Tor network, using a 16-byte address followed by the .onion extension. The Dark-Web routes traffic through a number of proxies with packet encryption between each node, making it almost impossible to trace back the IP address of a Dark-Web user. Underground intruders exploit these characteristics to conduct illegal activities under the hood. In the Dark-Web, illegal activities including contract killing, drug trafficking, weapons trafficking, illegal pornography and malware proliferation are carried out covertly by malicious actors; however, law enforcement officers from all over the world are suffering severe difficulties due to this same Dark-Web characteristic, 'anonymity'.
When analysing the characteristics of the Dark-Web, we have difficulty researching and analysing user activity in the Dark-Web because of the social and cultural differences between countries. We are also having great difficulty leading research on the Asian Dark-Web due to the absence of previous research on it.
We, the Dark Knight team from BoB (Best of the Best, the Korean government-sponsored programme), conducted a detailed analysis of the drug sellers in the Asian Dark-Web markets possibly sourced from South Korea, the People's Republic of China (PRC) and Japan. For a cost-effective analysis, we focused on three major Dark-Web markets: 'HighKorea' from South Korea, 'Mushroom' from the PRC and 'Karasuma' from Japan.
During the analysis process, we confirmed that the interactions between users in each country are quite different from those elsewhere in the world. So, we targeted user communication boards in HighKorea for the analysis of the Korean Dark-Web. When analysing the PRC Dark-Web, we connected to their Telegram communication interface by clicking the links on the Dark-Web website and crawled the communication logs to analyse and find out the characteristics of the drug dealers and the communication patterns of users. During the analysis of Japan's Dark-Web site, Karasuma, we found that they are communicating through a chat page created on the Dark-Web, and we grabbed the log to analyse it. Through in-depth analysis, we found widely used jargon on the Dark-Web and worked out its meaning. What we want to do is to increase public awareness of the seriousness of the Dark-Web, and to contribute to research on the Asian Dark-Web. We also introduce a methodology to identify the individual characteristics of Dark-Web users, and the services implemented through that methodology, rather than merely focusing on the analysis of Dark-Web groups.
15:30 - 15:45
15:45 - 16:30
Cyber resilience: coordinating a strategic response to threats
Cyber security actions are growing more diffuse as sectors and companies become better at recognising tactical threats to their businesses. However, an individual company-led response continues to be ineffective without building sector-wide strategies for security standards. Without understanding and implementing a framework for operational resilience, the maturity of an individual company may be high, but the overall ability of the sector to respond to and absorb shocks will continue to be low, leaving companies vulnerable. In this presentation we discuss the strategic frameworks available to address this sector-wide gap, and how the MITRE ATT&CK framework and threat-led penetration testing can improve operational resilience.
16:30 - 17:15
7th Dec 2018
09:00 - 18:00
A hands-on perspective of modern attacker techniques
Vincent Yiu, SYON Security
Course Length: Full-day training
This course provides students with a solid foundational knowledge of modern attackers, their techniques, and how to perform them. The student will be able to practically execute a basic, modern attack. This hands-on course aims to educate and fast-track penetration testers with the skills necessary to simulate a modern attacker.
We will utilize the cloud to spin up a real command and control server and simulate an actual attack against TeaLab Corporation.
Introduction to Modern
7th Dec 2018
09:00 - 18:00
Security Monitoring Practical Workshop
Dragon Advance Tech Co. Ltd.
Course Length: Full-day training
What You Will Learn
This course provides students with the knowledge and tools to perform security analyst duties, and ensures that you can use the functions and features of the tools used in a SOC to detect and respond to security incidents and determine the extent of a compromise.
We are seeking sponsors. If you are interested in sponsoring, please contact the following at Dragon Threat Labs.
For the donation, please contact the following at Dragon Threat Labs.
Copyright © 2018 Dragon Threat Labs