SteelCon 2019

Hello everyone!
In my usual manner, I decided to blog about a conference which took place over a month ago. Let’s pretend this is not because of a major episode of unbearable FOMO I got after seeing my hacker fam having the time of their lives at BSides Manchester earlier this week.
Just joking, I obviously deal very well with situations like that, and am so so good at Mudita
Or am I?

Anyway, please dive right into my notes below. The talks are all available on Youtube thanks to the eighth wonder of the world of infosec, which is oviously our dear friend Cooper. Oh by the way, you can support him filming all the conferences across the globe by buying him a Mate.

Key takeaways from SteelCon 2019

All videos available online now on their official Youtube channel here.

High level summary

If you’re going to spend only two minutes on reading this, please read this!
  • You are responsible for the security of all open source libraries you might be using which can be a huge risk; read more about diagnosing and mitigating these vulnerabilities in the ‘Owning an Infrastructure in 3 Lines of Code’ notes. I think it was the most informative session I’ve attended so if you’re writing any code I would highly recommend watching this talk or reading the notes provided.
  • Cyber Threat Intelligence
    STIX (Structured Threat Information Expression) could be a useful framework to use to describe a product’s threat model. There are examples available, eg defining a known threat actor: click. or defining indicators of a phishing campaign
    There are a number of tools which could be used for tracking/researching suspicious IP addresses or domains as well as following current attack trends and prevalence patterns: RedactedFuture, Censys, DomainTools
  • If you’re interested in what problems and struggles the UK cyber security industry faces, read my notes on the ‘State of Cyber Security Report’ talk below.

Detailed notes on each session

WTF is CTI – workshop by MD Haynes

Key takeaways:

  • Introduction of key terminology as:
    • OSINT (Open Source Intelligence) – gathering intelligence from open sources such as social media, without interacting with the target
    • SIGINT (Signals Intelligence) – gathering intelligence by intercepting signals
    • HUMINT (Human Intelligence) – gathering intelligence through social interactions
    • TECHINT (Technical Intelligence) – usually regarding weapons and equipment used by armed forces of foreign nations
    • MLCOA (Most Likely Course of Action) & MDCOA (Most Dangerous Course of Action)
    • STIX (Structured Threat Information Expression) – a structured language for cyber threat intelligence, more details here.
  • Types of intelligence: operational, tactical, strategic
  • Tools to use for gathering cyber threat intelligence:
    • Censys
    • DomainTools
    • Redacted Future
      Can be used to eg track suspicious domains.

Talk: State of Cyber Security Report by Dan Raywood

The talk featured statistics extrapolated from the author’s research done by interviewing a sample of 60 information security professionals. As I understood it, all participants were known by the researcher personally which might diminish the applicability but for people in the UK this is probably going to reflect your environment pretty well too.
Anyway, it provided some interesting insight into the state of cybersecurity industry. The participants were asked to identify the most problematic issues they encounter, and these were the most popular mentioned:

  • Product Problems 35%
    Product problems are understood as more than just technological problems; they involve being stuck in a cycle of constant crisis, struggling with vulnerability management, detection issues, use of legacy technologies and applications, phishing.
  • Human Factor 31%
    • Breaches down to internal errors
    • Tech being customer centric, not friendly for the developers / employees
    • More emphasis on career options
    • Upskilling
    • Spending more money and time on company culture
    • Social engineering
    • Skills shortage
    • Weakest vs strongest link
  • Compliance 25%
    • GDPR, CCPA, PSD2, PCI DSS
  • Company and board engagement 18%
  • Automation 18%
    More: cyber hygiene, cloud issues, APT and nation state attacks, malware, agile, transformation

Talk: Owning an Infrastructure with Three Lines of Code

Key problem: code used to be written mainly in house, now libraries are being imported for everything and quite thoughtlessly; broken code can cause data breaches and break your project altogether.

The risk is really high, examples:

  • British Airways got fined £183million for a data breach which resulted from the hacking group Magecart leveraging a broken library BA was using. More deets: click
  • Cryptominer attached to a widely used library called ‘event-stream’, details: clicks
  • Some modules were pulled from NPM and caused problems in thousands of projects. The modules included left-pad, padding out the lefthand-side of strings with zeroes or spaces, which was apparently used by thousands of developers: click

Key recommendations on mitigating this problem

  • Don’t use too many external libraries to start with, make sure you actually really need to use someone else’s code
    • Harden your development environment
    • Always verify you’re using the correct component, not one with a similar name or a forked github repo
    • Ensure downloads are using secure connections and signatures of packages are verified
    • Use your own package server storing all versions, previous and current of the libraries you’re using
    • Containerisation
    • Only allow restricted network access from and to the build system/container
  • Choose libraries written in a language your team knows; and also ones with active development and maintenance communities.
  • Try to minimise the exposure of critical data to third party libraries you’re using
  • Smaller components have smaller attack surface
  • Keep up to date with vulnerability intelligence; check daily for new published vulnerabilities
    • Majority of those won’t be CVEs but rather will just be published on the project’s blog or website
    • Use OWASP dependency checker, retire.js
  • If your business case can justify it, consider purchasing commercial support for your Open Source components.
  • Pay attention to the Core Infrastructure Initiative’s badge program: click
  • To securely consume third party libraries make sure you perform static analysis of the code you’re using.

Other talks I attended & recommend:

Talk: War Stories from the Front Line of Security Management

A very well performed, lightweight but informative talk about cybersecurity from two perspectives – of a CISO of Revolut and a DPO (Data Protection officer).

Talk: Novel VM Detection Tricks

Discover the ways in which an application (most probably malware) can realise it is running in a virtual machine.

Talk: The Problem with DNS

Talk: Can An Open Internet Fight Extremism?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s