Welcome to the VB2021 conference!

Threat hunting: from SolarWinds to Hafnium APT

Niv Yona (Cybereason) & Eli Salem (Cybereason)
partner message

Threat Intelligence and Cyber Resilience

https://vblocalhost.com/programme/#TIPS

Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

We don’t just talk about sharing. We do it every day.

https://www.cyberthreatalliance.org/about-cta

Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

Looking for performance validation for your product?

https://www.virusbulletin.com/testing/

Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?

https://talosintelligence.com/careers

At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

IoT security begins with your Smart TV

https://chomar.link/smarttv

CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions

https://www.farsightsecurity.com/get-started-guide/

DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

VirusTotal: Actionable crowdsourced threat intelligence

https://www.virustotal.com/

Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

F5 helps find malware hiding in plain sight

https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encrypted

Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

Amazon Information Security - come build the future with us!

https://www.amazon.jobs/en-gb/team/infosec

Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Calling all Hackers!

https://www.ise.io/careers/#op-470256-hacker-midseniorprincipal

We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity

https://ti.qianxin.com/marketing/vb2021/

QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

Stay ahead of threats with VirusTotal

https://www.virustotal.com/

Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Ransomware prevention starts with zero

https://www.zscaler.com/solutions/security-transformation/ransomware-protection

Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

Threat actors are continuously evolving and adapting their tactics and techniques to bypass security tools, and as threat hunters and incident responders we need to evolve fast. From the latest big events of the year, the SolarWinds supply chain attack and Proxylogon vulnerability exploitation by the Hafnium threat actor, we can learn how threat hunting can save organizations from a bigger breach.

In the past few years, we investigated a large number of activities from commodity malware to complex APT operations. One of the challenging things in those investigations is finding anomalies in an enterprise network and knowing how to differentiate between legitimate use of tools and abuse of legitimate tools for malicious activities.

Threat hunters proactively analyse process execution telemetry data to determine if an organization is coming under attack on an ongoing basis. Newly discovered techniques and behavioural patterns should be integrated into your security tools to enhance and enrich its automated detection capabilities if possible. In some cases, some techniques (such as living off the land binaries, a.k.a. Lolbins) will demand real eyes looking into the activity since they can create more noise than value.

In this session, we will describe our timeline from hour 0 of the SolarWinds supply chain attack and Hafnium exploiting the ProxyLogon vulnerability, and actions to identify the compromise in the first hours. You'll learn by example how to perform threat hunting using your security tools and why you should start doing it today using your telemetry data. We will share the methodologies we follow as threat hunters and incident response professionals and demonstrate the power of hunting.

Threat hunting is a very broad and dynamic subject and seeing our examples we hope to make it more accessible.

The goal of this talk is to empower security analysts to be able to threat hunt and share some easy methods, to begin with. Happy hunting!
Niv Yona
Cybereason

Niv, IR Practice Director, leads Cybereason's incident response practice in the EMEA region. Niv began his career as a team leader in the security operations centre in the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. In his past positions in Cybereason he focused on threat research that directly enhances product detections and the Cybereason threat hunting playbook.

Eli Salem
Cybereason

Eli, Lead Threat Hunter and malware reverse engineer, began his career as a security analyst in the private sector. At Cybereason, Eli leads the threat hunting service in the EMEA region. During his work at Cybereason Eli has published research on various subjects such as advanced persistent threats groups (APTs), cybercrime, its effects on e-commerce and financial companies, and malware research.