FortiGuard Labs Threat Research
The T2 2017 conference took place on October 26 and 27, 2017 at the Radisson Blu seaside hotel in Helsinki, Finland. As in every edition, a CTF (Capture The Flag) competition was organized prior to the conference, with the winner receiving a free ticket.
This year, a private bug bounty was held by LähiTapiola, a well-known insurance company in Finland, under the supervision of T2 organizers through the HackerOne platform. As there were zero submissions, it was decided to reward Harri Kuosmanen of team ROT who found the most severe vulnerability during the LähiTapiola HackDay event.
The first day started with handing out honorary T2 badges to the most loyal participants and supporters of the past 14 years. Welcome to Helsinki!
Dave Aitel, founder of Immunity, took the stage and presented a keynote about cybersecurity strategies, policies, and threat actors using Overwatch (a famous team-based FPS game) analogies. He declared that everyone needs a cybersecurity strategy, from small businesses to nations, including a roadmap for the next five years to identify and address incoming threats.
He explained that a company should work on both the defensive and the offensive aspects of its security strategy, and that these need to be rooted in real-world issues. While multiple cybersecurity policy templates exist, such as the Wassenaar Arrangement, the Tallinn Manual, and sovereign documents, they have been mainly authored by academia and are not always relevant in practice, because the academic field lacks access to security industry data.
Despite the high technical level demonstrated by the InfoSec community, the set of currently implemented security solutions and protocols is far too simple when compared to real-world worms. Every platform, such as .NET, Java, and Flash, has major vulnerabilities. A company would require a large team of vulnerability assessors just to stay up to date.
At the same time, the number and classes of bugs are so vast that building a comprehensive and complete security posture is a long and complicated task. Depending on the background of a security team, talented people will focus on the bug classes they are familiar with and may entirely overlook others. To address this challenge, building alliances inside and outside an organization makes sense and is important for improving the quality of defensive postures. He also explained that this process is critical because every bug can turn into a worm.
Building a red team is a trend. Toby Kohlenberg, who took the lead of Intel's red team a few years ago, spoke on this topic.
Red teams are frequently associated with unlimited hardcore penetration testing, but are they really that? It is more important that these teams step into the adversary's shoes in order to enhance the defensive skillset and actions of the organization's IT team by identifying the preferences and strategies of attackers.
A good red team should also have a skeptical view of the organization's security posture and be knowledgeable about the business perspective of the company and the financial goals of cybercriminals, in order to defend against an identified class of adversaries. The end goal is to update the company's threat model.
A good red team consists of a mix of engineers with different backgrounds, skillsets, and cultures. This team also needs constant training, especially in areas outside of their comfort zone and skills, in order to build intelligence around their adversaries' strategies and tools.
The red team is a sparring partner, not the enemy. Diplomacy is king. This is why, when a problem is identified, a sponsor from senior management should act like a Kerberos, protecting the red team from cyber or even political assaults launched by other groups in the organization, especially if its findings have embarrassed or upset a party. Conversely, a reward is a good idea when a blue team member detects red team activity.
Hugo Teso likes new challenges. Right after the T2’2016 edition he asked Tomi Tuominen to find him a challenge for this year. The selected topic was memory forensics, and, more precisely, Windows.
After a year of work, a memory dump of a metasploitable3 virtual image with malicious activity was weaponized by Hugo and returned to Tomi. With the help of the InfoSec community, it was also possible to exploit some vulnerabilities in the forensic framework and intentionally modify some of the framework's DLLs. The DLL exploit code supports Windows, Linux, and OS X, including different flavors of 32- and 64-bit operating systems, enabling it to successfully infect an analyst's toolset.
A GUI (Game User Interface) was developed in pygame for the Volatility framework to investigate memory dumps, with features such as imageinfo, pstree, strings, malfind, netscan, and cmdline. The avatar is controlled with a gamepad, and each room in the GUI corresponds to a Windows process. When an analyst executes Volatility, the code written by Hugo acts as a proxy in order to hide malicious activity from the analyst's screen.
The pitch of the talk was that offline memory dumps are usually analyzed in a confined environment; however, the analyst's tools themselves are never verified for a potential implant.
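The check the talk implies, as an added example that is not part of the original post or of the Volatility project: baseline a trusted copy of the analyst's toolset with a hash manifest and, before each investigation, report any plugin or library that was modified, added, or removed. The plugin tree, file names, and "implant" below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: integrity check of an analyst's toolset against a trusted baseline.
# The directory layout and file contents are constructed; real installs differ.

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large libraries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256: the trusted baseline."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_toolset(root: Path, manifest: dict) -> dict:
    """Report files that changed, appeared, or vanished since the baseline was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario: baseline a fake plugin tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "plugins" / "pstree.py").write_text("def run(): return 'pstree'\n")
        (root / "plugins" / "malfind.py").write_text("def run(): return 'malfind'\n")
        (root / "render.so").write_bytes(b"\x7fELF-placeholder")
        baseline = build_manifest(root)  # taken from the trusted install
        # Simulated implant: one plugin patched to return nothing, one library
        # dropped in, one original library removed.
        (root / "plugins" / "malfind.py").write_text("def run(): return []\n")
        (root / "hook.so").write_bytes(b"\x7fELF-implant")
        (root / "render.so").unlink()
        return verify_toolset(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline manifest must be stored outside the toolset directory (ideally signed or on read-only media), otherwise whatever tampers with the tools can rewrite the manifest too.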
There were other great talks in Finland during the two days. The full program is available on the T2 website: https://t2.fi/schedule/2017/