LABScon | Security Research in Real Time – Talks Not To Miss, Part Two

This is a continuation of our deep-dive into the inaugural LABScon 2022 agenda to shine a spotlight on the can’t-miss presentations on deck in Scottsdale in September.

LABScon will feature talks from various adjacent fields in InfoSec. From vulnerabilities to malicious browser extensions, Chinese APTs, and novel uses of machine learning to detect malicious activities, the agenda is packed with thought provoking content for researchers on the bleeding edge. LABScon 2022 will feature a complimentary track with expert workshops on analyzing Android malware, malware analysis with Ghidra, and more.

As the anticipation builds, we are excited to share our stage with speakers from the International Red Cross, Mandiant, Proofpoint, Cisco Talos, and our own SentinelOne research teams. In this post, we highlight a few more of the talks we can’t wait to host at LABScon.

Are Digital Technologies Eroding the Principle of Distinction in War? – Mauro Vignati (International Committee Of The Red Cross)

Until now, the cyber capabilities of a State have been assessed mainly on technical and tactical perspectives. But describing cyber operations is no longer sufficient to understand the capabilities that States deploy in the digital sphere during armed conflicts. It has been observed that States can gain a major advantage thanks to the digital transformation of societies, this is because armies in conflict are increasingly digitized as are the involved populations. Some prescient examples: States may encourage civilians to engage in offensive cyber operations against targets associated with the enemy or the transformation and consequently the dual use of smartphone applications “enhanced” to encourage users to contribute to the military effort.

Civilians have been used to perform military functions during armed conflicts and to assist in the war effort since time immemorial. With the digitalisation of societies, we are witnessing fundamental shifts both in terms of quality and quantity. The main qualitative shift is that these activities are now much closer to the actual conduct of military operations: we have moved from the provision of food, shelter, or equipment at some distance from the physical battlefield to the direct contribution to the operations on the digital battlefield and as support to kinetic operations. The main quantitative shift is that in the digital space it is much easier to scale up these activities. Encouraging civilian participation in cyber hostilities raises several concerns, first of all it undermines the central humanitarian value that undergirds the principle of distinction (between civilians and combatants), namely the protection of those who must be spared from the effects of the conflict. Encouraging individuals to fight as civilians will inevitably lead to more civilian casualties as combatants struggle to distinguish the fighters amongst the civilians.

UNC788: Wild Kittens and Where to Find Them – Ashley Zaya & Emiel Haeghebaert (Mandiant)

Charming Kitten, Phosphorus, TA453, and UNC788. You’ve heard these names before, but who and what are they, and where can you find them? In this session, Mandiant analysts Emiel Haeghebaert and Ashley Zaha will talk about UNC788, a cluster of threat activity that conducts cyber espionage and credential harvesting on behalf of the Iranian government. UNC788 is characterized by credential theft operations against corporate and personal email accounts and has consistently targeted Western think tanks and academics, current and former government officials, members of the Iranian diaspora in the United Kingdom, Israel, and the United States, as well as high-profile individuals within Iran.

This presentation promises to touch on the history of the group and, drawing on recent use cases, will illustrate how to leverage and turn the group’s bad habits and infrastructure patterns into reliable threat hunting techniques. It will cover how different third-party tools, like Censys, DomainTools, PassiveTotal, and VirusTotal are leveraged to identify new infrastructure in real time as well as changes in techniques over time. Attendance at this session will result in actionable takeaways for threat intelligence analysts!

Star-Gazing: Using A Full Galaxy of YARA Methods to Pursue an Apex Actor – Greg Lesnewich (Proofpoint)

This talk will explore a highly regarded but rarely publicly investigated threat actor, malware similarity, and YARA. Publicly available data yields just a generic AV signature with the actor’s name.

Using YARA as an analyzer with the console output, and a teeny bit of Python to develop a malware similarity methodology, we will highlight just how well our beloved YARA can pursue a true apex predator.

Quiver – Using Cutting Edge ML to Detect Interesting Command Lines for Hunters – Dean Langsam & Gal Braun (SentinelOne)

What do GPT3, DALL-E2, and Copilot have in common? By grasping the structure and nature of language, these projects can generate text, images, and code that provide added value to a user.  Now, they even understand command lines!

Quiver – QUick Verifier for Threat HuntER is an application aimed at understanding command lines and performing tasks like Attribution, Classification, Anomaly Detection, and many others.

DALL-E2 is known to take an input prompt in human language and draw a stunning image with impressive matching results; GPT3 and similar projects can create an infinite amount of text seemingly written by a real person; While Github’s Copilot can generate entire functions from a comment string.

Command lines are a language in themselves and can be taught and learned the same way other languages can. And the application can be as versatile as we want. Imagine giving a command line to an input prompt and getting the probability of it being a reverse shell, by an Iranian actor, or maybe used for cybercrime. A single prompt on its own may not help so much, but with the power of language models algorithms, the threat hunter can have millions of answers in a matter of minutes, shedding a light on the most important or urgent activities within the network.

In this session, we’ll demonstrate how we developed such a model, along with real-world examples of how the model is used in applications like anomaly detection, attribution, and classification.

Malshare: 10 Years Of Running a Public Malware Repository – Silas Cutler (Stairwell)

Since March 2013, alongside a handful of volunteers, I have run a fully public, never-for-profit malware repository named MalShare. The site allows anyone to register and immediately have access to our entire collection of malware samples.

When MalShare first launched, the idea of openly sharing malware was highly controversial; I was told the site would never survive against existing commercial options and the site would only serve to give threat actors deeper insight into defender visibility. Nearly ten years later, we’re still online. What started out as a handful of open web directories has grown into a service used by thousands of researchers and integrated into numerous tools.

Android Malware Analysis: From Triage to RE (Workshop) – Vitor Ventura (Cisco Talos)

Android malware is packing anti-analysis and anti-debug techniques. This workshop will provide the attendees with the knowledge to apply and adapt techniques aimed at bypassing such protections.

This is a full hands on workshop designed to provide the attendees with the knowledge to bypass the most common techniques used by malware to prevent analysis. During the workshop no automated tools will be used for analysis. The objective is that the attendees understand how they can use techniques like instrumentation and patching to help them analyze and bypass malware defenses when the automated tools fail, while using only free and open source tools.

Request an Invite

There are still a limited number of tickets available, so if you haven’t yet requested your invite, now is the time to push that button.