8th December 2018
Hong Kong SAR China

Call for Paper and Workshop

Conference Ticket: HKD $1,200

Following a successful event in 2017, Hong Kong’s premier security research group Dragon Threat Labs is hosting DragonCon, possibly the most technically-intensive security conference borne out of Hong Kong.

Come join us, make friends and see the cyber city!

DragonCon invites proposals for half-day or full-day workshops to be held in December 2018. Workshops are expected to focus on Threat Intelligence, Hardware Hacking, Hardware Forensics, Hardware Attacks, Reverse Engineering, Exploitation, Vulnerabilty Research and any other subject that will make our nerd-o-meter hit the red line!

Speaker perks:
1. Complimentary ticket to the conference
2. Invitation to the VIP party
3. Remuneration for international speakers

Bart Inglot
Principal Consultant

Bart is an Incident Response and Forensics Specialist in MANDIANT's Security Consulting Services team helping clients restore confidence in an event of a breach. He holds a degree in Computer Forensics, is a keen developer, enjoys inspecting network traffic and specialises in Windows forensics with fascination in volatile memory.

Having worked on Incident Response engagements around the world, Bart routinely develops new tools and ideas to solve on-the-job problems and to ensure Mandiant remains an industry leader. Some of these developments led to Bart's contributions to the Volatility project.

After spending 8 years in England, Bart recently relocated to APJ region as he believes it's still the most fascinating, culturally diverse, and opportunistic region in the world. The relative immaturity in Cyber Security in most countries, but also the "hunger to learn" that most businesses and government organizations display, offer a significant growth opportunity.

Vincent Yiu
CEO, Founder of SYON Security

  • Lead attack simulation projects for many companies ranging from Fortune 10 to Fortune 500, and SMEs. Experiences focused on financial, manufacturing, retail, and aviation industries.
  • World recognized in the offensive cyber security space for advanced adversary simulation services and operating on production infrastructure.
  • Known for spreading offensive cybersecurity experience through the “Red Team Tips” series.
  • Speaker at various security conferences, such as HITB GSEC 2017 and 2018, SSC 2018, JD.com 2017, Steelcon 2017, BSides Manchester 2017, Snoopcon 2017 and 2016.
  • Regular blogger: www.vincentyiu.co.uk
  • On-going development of innovative tools to automate large-scale offensive cyber security simulations: MaiInt, LinkedInt, DomLink, CACTUSTORCH, RDPInception, ANGRYPUPPY, morphHTA, genHTA, and more.
  • Past: Accenture FusionX UK Lead, MDSec ActiveBreach CHECK Team Leader, MWR InfoSecurity.
  • Certifications: OSCP, OSCE, CCT INF.
  • UK National Cybersecurity Challenge Finalist in 2015 (3-day competition).
  • Researching topics:
    • Zero-day vulnerabilities in SOC stack such as ELK, and Splunk.
    • Extensions of Domain Fronting and covert Command and Control.
    • Large-scale cloud security research in significant providers such as Amazon, Azure, and Alibaba.
    • Domain and resource hijacking.
    • EDR bypasses and limitations.
    • Developing practical, relevant, and easy to use tooling.
    • Weaponizing 1-day vulnerabilities.

Brian Hansen
Intelligence Officer Asia-Pacific | FS-ISAC

Brian serves as the Financial Services Information Sharing and Analysis Center (FS- ISAC) Intelligence Officer for Asia-Pacific. Previous to his time at FS-ISAC, Brian worked for the Pharmaceutical Security Institute as the Senior Intelligence Analyst producing intelligence on criminal involvement with global counterfeit pharmaceutical networks, including cyber-based networks. Prior to that he served in the U.S. Department of Defense in intelligence and foreign affairs roles of increasing responsibility for twenty-six years culminating as the Principal Intelligence Officer for the Deputy Assistant Secretary of Defense, with responsibility for Taiwan, China, Japan, North and South Korea and Mongolia. Brian received his Master of Arts degree in Global Affairs from George Mason University focusing on global conflict and security. He is fluent in Mandarin Chinese, Portuguese and Spanish.

Seon-Kwang, Kim
Security Reseacher

I am a forensic researcher at the Institute of Best of the Best in south Korea and currently holds a master's degree in Information Security.

I am interested in analyzing incidents caused mainly by 1-day exploit and APT attacks.

In this conference, I will explain which artifacts is left in system when 1-day exploit works and describes how to make connection between normal information and abnormal infornaion to figure out which software vulnerabilities are causing the attack.

Jay P. Spreitzer
CISO and Co-Founder, Protocol 46

Jay Spreitzer has over 20 years of information security experience and is currently the CISO at Protocol 46. Over the last 13 years, he was the team lead for the cyber threat intelligence team at a large financial institution. Prior to working in the private sector, Jay retired from the US Army, after 23 years of service working in various technology and information security roles. Roles included system administrator, database administrator, Information Assurance Security Officer, and culminating as Information Management Officer. As Information Management Officer, he managed and developed all facets of the organization’s information security program. Jay is also the co-founder of Protocol 46, a US-based company extending cyber security to small and medium businesses.

Jay has completed his Bachelor of Science in Information Technology and a Master of Science in Information Assurance and Security. Some of his other training includes Network Penetration Testing and Ethical Hacking, Advanced Security Essential, the Criminal Intelligence Analyst Course, and the FBI Citizen’s Academy. He holds GIAC Continuous Monitoring and Security Operations, Enterprise Defender, and Incident Handler certifications.

Jay is a member of InfraGard and the High Technology Crime Investigators Association. Jay has been an active member of the Board of Directors for the FBI Citizens Academy Alumni Association and Minnesota InfraGard.

You-Jin, Lee
Dark-web Analyst

Moonbeom Park

Tracking & Profiling attack source base on offensive research Attacker tracking through analysis of server side data

Moonbeom, he is working in cyber security and incident response sector of South Korea as a general researcher and cyber investigation advisory member of the national investigation agency. Also he is responsible for research on hacking methods, analyze hacking incident also, profiling the relationships. And he has been talking and presentation at many international hacking & security conference as AVTOKYO, Ekoparty, FIRST, HITCON, HITB-GSEC, Swiss Cyber Storm, TDOH Conf, TROOPERS.

Rose Bernard
Strategic Research Manager, DigitalShadows

Rose Bernard has worked at Digital Shadows since January 2018 and currently manages the Strategic Research Team. Prior to this she worked for Control Risks in the cyber threat intelligence team, and for the National Crime Agency where she focused on counter-narcotics. Rose specialises in online activist and extremist groups, and the evolution of Latin American cybercrime. She holds an MA in History and Languages from University College London and is currently gaining her doctorate at Kings College London, where she is creating a framework for intelligence sharing between civilian and military organizations in the case of public health events of international concern (PHEIC).

Michael Yip
Threat Researcher, ThreatMiner

Michael is the a technical threat researcher specialising in tracking cyber threat groups and malware analysis. He is also a keen developer and is the founder of the free threat intelligence portal called ThreatMiner.org. He currently works as a team lead on the intelligence collection, analysis and reporting efforts on targeted attacks for a global consultancy firm and has collaborated extensively with law enforcement agencies.

In the past, Michael has served as a Director in Threat Intelligence Operations for an incident response company where he helped create a successful global threat intelligence function that provided intelligence support for incident response, threat hunting and client threat assessments. Michael currently holds the CREST Certified Threat Intelligence Manager (CCTIM) qualification and served as an advisor to the exam committee.

Michael also holds a PhD in quantitative criminology which focused on using social network analysis and graph theory to analyse cyber criminal communities (e.g. carding forums).

Program Schedule

Main Conference 8th December 2018

Venue: 2/F HKU SPACE Admiralty Centre, 18 Harcourt Road, Hong Kong

Workshops 7th December 2018

09:00am - 09:20am


09:20am - 09:30am

Welcome & opening speech
Dan Kelly

09:30am - 10:15am

Evolving Beyond GREP: Enterprise-Wide Hunting with Execution Artefacts
Bart Inglot

Six years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled‚ Leveraging the Application Compatibility Cache in Forensic Investigations. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for standalone analysis and enterprise intrusion investigations.

While six years may seem like a long time, few community efforts have focused on leveraging ShimCache metadata at an enterprise scale.

The talk will present an open-source tool designed to efficiently process, analyse and hunt at enterprise scale using temporal execution artefacts such as ShimCache and AmCache, that prior to a public release a year ago was only available to Mandiant consultants.

The talk is full of demos and will present custom-built analytics, such as: time execution correlation, Levenshtein distance analysis and time stacking, to name a few. The talk was designed by the tool author and my dear colleague, Matias Bevilacqua.

10:15am - 11:00am

Let's learn about enemy through various IoCs of real APT cases
Moonbeom Park
In the dark world(I mean darkness countries), there are countries that carry out various cyber attacks. We have long been tracking and analyzing cyber attack groups working in the background of such countries. Based on our analysis and response experience, we will show how those cyber attack groups has what attack vectors, what cyber weapons they use, and what IPs they use. And we will show the APT case analysis that they attacked using their attack vectors and cyber weapons. Their attack targets were government agencies, banks, airports, military facilities and defense industries.

ㅇ Cyber attack history and structure of cyber warfare group of the enemy
- History of cyber attack by enemy since 2008
- Structure and purpose of cyber warfare groups

ㅇ The kind of cyber weapon of the cyber warfare organization
- HWP(Hangul Word Processor) exploit & malware
- MS-Office exploit & malware
- RAT(Remote Administrator Tool)
- Dropper, Encryption Tool, Keylogger
- Hacking tool for web server attack

ㅇ Attack vector of cyber warfare group
- Spear phishing e-mail Attack
- Watering hole attack
- PMS(Patch Management System) protocol attack

ㅇ Case analysis of APT incidents related cyber warfare groups
- Case-1 : APT incident case in government sector
- Case-2 : APT incident case in military sector
- Case-3 : APT incident case in national infrastructure sector
- Case-4 : APT incident case in financial sector
- Case-5 : APT incident case in crypto currency sector
- Case-7 : APT incident case in defense industry sector

ㅇ Conclusion : Elements for profiling the enemy's cyber warfare group
- Enemy's IP address found in APT incident case
- Various log in attacked, infected, compromised servers and PCs
- The same point(Evidence) inside malware from each APT incident case

11:00am - 11:15am


11:15am - 12:00pm

An intro to Cyber Threat Intelligence
Jay P. Spreitzer
In today's volatile world organizations operating without threat intelligence are similar to someone driving a car in the dark with the headlights off. This presentation will highlight the value of cyber threat intelligence, where it can be used, and some fundamental aspects of analysis and building requirements. We will start by defining intelligence and how it is often misinterpreted. Evaluating data, the different levels of intelligence, and how to start conducting analysis as well as maintaining operational security.

12:00pm - 12:45pm

Precise Analysis of Attacker's Behavior using Offensive Research
Seon-Kwang Kim
For popular software executed in Windows 7 or 10, Analyze and classfy artifacts left after exploit.

12:45pm - 14:00pm


14:00pm - 14:45pm

Cyberthreat Intelligence: Clearing the haze in a blurry world
Brian Hansen
FS-ISAC’s Intelligence Officer for Asia-Pacific, Brian Hansen, will present on alarming new trends FS-ISAC has observed in the global threat landscape, and the evolving best practices that are proving most successful against criminal, hacktivist and nation-state adversaries. He will also discuss what sort of intelligence processes should institutions train on and deploy. What kind of technology do we need to enable our analysts and enhance our intelligence products? How best can CISOs and other cybersecurity leaders incorporate threat intelligence that is more than just feeds and data?

14:45pm - 15:30pm

A secret deal in the Dark-Web, Shall we dive in to the Dark-Web, together?
Youjin Lee
Recently, illegal activities on the Dark-Web are increasing rapidly. This is because of the characteristics of the Dark-Web, ‘anonymity’, which can be accomplished by the restricted access to the Dark-Web only through the Tor network, using the 16 bytes address following onion extension. Dark-Web uses a number of proxies with the packet encryption technique between each nod so that it makes almost impossible to trace back the IP address of the Dark-Web user. Underground intruders exploit these characteristics to conduct illegal activities under the hood. In the Dark-Web, illegal activities including contract killing, drug trafficking, weapons trafficking, illegal pornography, and malware proliferation are implicitly conducted by the malicious activists, however, law enforcement officers from all over the world are suffering severe difficulties due to the Dark-Web characteristics, ‘anonymity’.
When analyzing the characteristics of the Dark-Web, we have difficulties to research and analyze the user activities in the Dark-Web because of the social and cultural differences between countries. We are also having great difficulties in leading the research against the Asian Dark-Web due to the absence of the previous researches about it.
We, Dark Knight team from BoB (Best of the Best, the Korean Government Sponsored Program) conducted detailed analysis against the drug sellers in the Asian Dark-Web markets possibly sourced from South Korea, People’s Republic of China (PRC), and Japan. For the cost-effective way of analysis, we focused on 3 major Dark-Web markets, ‘HighKorea’ from South Korea, ‘Mushroom’ from PRC, and ‘Karasuma’ from Japan.
During the analysis process, we confirmed that the interactions between users in each country is quite different from all around the world. So, we targeted user communication boards in HighKorea for the analysis of the Korean Dark-Web. When we analyze the PRC Dark-Web, we connected to their telegram communication interface by clicking the links on the Dark-Web website and crawled the communication logs to analyze and find out the characteristics of the drug dealers and communication patterns of users. During the analysis against Japan’s Dark-Web site, Karasuma, we found that they are communicating through the chatting page created in the Dark-Web, and we grab the log to analyze it. Through the in-depth analysis, we found widely used jargons on the Dark-Web and drew the result of the meaning of them. What we want to and try to do is to increase public awareness of the seriousness of the Dark-Web, and to contribute to the research against the Asian Dark-Web. We also introduce the methodology to identify individual characteristics of the Dark-Web users, and the services implemented through the methodology, not merely focusing on the analysis of the Dark-Web groups.

15:30pm - 15:45pm


15:45pm - 16:30pm

Cyber resilience: coordinating a strategic response to threats
Rose Bernard

Cyber security actions are growing more diffuse as sectors and companies become better at recognising tactical threats to their businesses. However, an individual company-led response continues to be ineffective without building sector-wide strategies for security standards. Without understanding and implementing a framework for operational resilience, the maturity of an individual company may be high, but the overall ability of the sector to respond to and absorb shocks will continue to be low, leaving companies vulnerable. In this presentation we discuss the strategic frameworks available to address this sector-wide gap, and how the Mitre Att&ck framework and threat led penetration testing can improve operational resilience.

16:30pm - 17:15pm

JavaScript: The Threat That Nobody Talks About
Michael Yip

First introduced by Netscape in 1995, JavaScript is one of the most often used programming languages today. With increased standardization in syntax among the browser developers, JavaScript is now a powerful platform independent language that can behave as designed consistently across different operating systems. In addition, the ever increasing reliance on e-commerce and online banking means that significant amounts of financial transactions are completed via websites everyday using JavaScript. It is therefore no surprise that criminals are increasingly targeting JavaScript enabled websites and injecting their own code like MageCart and Scanbox to steal sensitive data and deliver malware.

To draw awareness to the threat, this talk will provide a brief introduction to JavaScript as well an overview of a few JavaScript malware families that will highlight the power of the language and how it enables criminals to achieve their goals. The talk will also include a demo of a new web browser plugin by ThreatMiner that is aimed to change the way we use the web and provide users with an intuitive way to make an informed assessment whether to trust a website.


Closing speech
Frankie Li

Workshop Schedule

December 2018

Venue: The Hong Kong University - Cyber Security Lab, Haking Wong Building 3/F Room 310A

7th Dec 2018
09:00am - 18:00pm

A hands-on perspective of modern attacker techniques
Vincent Yiu, SYON Security

Course Length: Full-day training

Fees: HKD 12,000
(DTL Members HKD 7,000 - Please enter the promotion code before checkout)

What You Will Get
  • USBNinja with the specific connector of your choice
  • Ubuntu Virtual Machine you will work with to perform the preparation and actual attack
  • Training Materials
What You Will Learn

This course provides students with a solid foundational knowledge about modern attackers, their techniques, and how to perform them. The student will be able to practically execute a basic, modern attack. This hands-on course aims to educate and fast-track train penetration testers with the necessary skills necessary to simulate a modern attacker.
We will utilize the cloud to spin up a real command and control server and simulate an actual attack against TeaLab Corporation.

Introduction to Modern

  • Cyberattacks
  • Attack lifecycles
  • A brief look at Advanced Persistent Threats
  • War-stories
  • Viable techniques from experience

7th Dec 2018
09:00am - 18:00pm

Security Monitoring Practical Workshop
Dragon Advance Tech Co. Ltd.

Course Length: Full-day training

Fees: HKD 10,000 (DTL Member HKD 5,000 - Please enter the promotion code before checkout)

What You Will Learn

This course provides students with the knowledge and tools to fully leverage security analyst duties, ensures that you can use the functions and features of tools used in a SOC to detect and respond to security incidents and determine the extent of a compromise.

  • Preparation: Know Your Environment
  • Tuning your SIEM
  • Threat Intelligence: Detect and Research Threats / Attack Methods
  • Detection: Evaluate Alarms and Events
  • Containment and Response: Minimizing Impact and Automating Response
  • Root Cause Analysis: Trace Security Incident Timelines


         Dragon Advance Tech Consulting Co. Ltd.
         Cyber Security Lab
Department of Computer Science
Hong Kong University

We are seeking sponsors. If you are interested in sponsoring, please contact the following at Dragon Threat Labs.

For the donation, please contact the following at Dragon Threat Labs.

Media and Public Inquiries

Please contact Roland Cheung and/or Dan Kelly.


if you wish to sponsor DragonCon please contact Frankie Li.

Copyright © 2018 Dragon Threat Labs