#FIRSTCTI22 FIRST CTI Event Berlin 2022 Review

It is November 9th 2022 and I had a few days to digest and think about the FIRST CTI event taking place in Berlin from 2022-11-01 to 2022-11-03.

You can find more direct feedback and impressions on Twitter with the hashtag #FIRSTCTI22 where I also shared stuff.

The program is published at https://www.first.org/events/symposium/berlin2022/program. So let’s dive into my thoughts.

To give some context, I participated in the first FIRST CTI, called FIRST Technical Colloquium on Threat Intelligence, hosted by Siemens in 2016. Back then the topic was very new (remember STIX/CybOX, Mantis). But some topics were relevant already back then like how to operationalize Threat Intelligence and how to evaluate information. It was great then and I was excited to see what has changed since then.

Training

As I only arrived on Tuesday, I had to skip the trainings, but I was able to talk to participants with mixed impression, which is no surprise given the different roles / background of the participants (more on that later) so I hope many of them provide feedback to the event team so they can extract the right learnings on which training is best suited for the audience.

Wednesday

I had the honor to moderate the Wednesday, so while I was able to hear all talks, I had to also focus on logistics, take time and have some questions ready for the speakers. To my surprise the audience did not take that much advantage of the fact that we were all in one room and asked very few questions. Maybe this is something which we need to re-learn after the pandemic?

I really liked the talk from James Chappell „Ten Years of Cyber Threat Intelligence: Retrospectives“. It was a perfect entry and set the stage for the two following days and for sure James is a veteran in the field, so there were several observations that stuck with me.

Next up was another highlight for me: „Crossing the Cyber Sad Gap“ from Jake Nicastro. Jake went into the risk of our jobs and how it can affect the mental health and offered some points to take home and address in your team, very eye opening and I am sad that this talk will not be made available to the public.

Another thing I want to highlight is the mixture at the event between practitioners and academia, Clemens Sauerwein from the University of Innsbruck, Department of Computer Science, AT presented on stage and there were several delegates who were really interested in conversation with industry and public sector people.

Obviously I was nervous giving my own talk together with tomchop, but I think it went really well.

Overall Wednesday was a really pleasant mixture of topics.

Audience

Overall the audience was a little over 330 delegates. From conversations I would assume around 40 % with a DFIR background, 40 % from CTI related roles and 20 % either a mixture or something else, but I guess the organizers have better stats on this.

The size of the audience felt ideal for me as well. There were enough people to run into random people to start a conversation but it was not too large to get lost, I think sub 400 is ideal.

There were delegates from all kinds of regions, with a majority coming from Europe, which is not a surprise given the event location. To build a reputation I would like to see the event happen again in Berlin, if there is demand to have something similar in other regions like AMER or APAC, I would suggest building local forks vs. Rotating over the planet like FIRST does for the annual conference. That should also make it easier for the planning team to figure out logistics, but again is my personal opinion and there are also advantages for changing locations.

Length

Personally I prefer events under three days. Longer events make me tired and come with too much social toll for me. Two days still enable follow up and enough opportunities to have conversations going a little deeper then „hey my name is John Doe, I work at XYZ, nice to meet you“ and then never see that person again.

Thursday

Started with another excellent talk about the human aspect of our industry „Why Your Security Analysts Are Leaving and What You Can Do to Retain Them“ by Thomas Kinsella, I highly recommend this talk.

I skipped one talk that was pre-recorded and instead spent my time networking with delegates, as I hope to see the talk afterwards on YouTube instead.

It is always nice to see new tools announced at events, same here, when „ORKL: Building an Archive for Threat Intelligence History“ was covered by Robert Haist. Solid talk and I recommend checking out the project web page and reaching out to Robert if you want to help the project.

The rest of the talks were all solid but I do not want to bother you with all my thoughts, I have provided feedback to the events team and I recommend you doing the same (check your mails for the survey).

The program committee did an excellent job setting up a program that catered for technical and strategic folks. Kudos: @thomasschreck_ , @adulau , @asfakian, James Chappell and Dr. Morton Swimmer.

Dinner

An important aspect of such events for me is to meet with old friends but also make new connections and introduce new people to the community. This time I tried to execute something I learned from Kate.

I made (or asked someone to make one) reservation in a restaurant nearby for 6-8 people, asked 2-4 people I already know and want to see again and added people I wanted to meet for a long time and or folks who asked to be introduced.

The result: a great combination of nice food, excellent group sizes to have different topics to talk about but not too large that it would go nowhere or someone would feel lost (at least I hope).

The absolute highlight for me was going to C-Base, if you have never heard about it, make sure to check it out, I will not spoil it here. Thanks Y.W. For your hospitality my friend.

Wish

If I had one wish for the future of that event, I would hope to have a more diverse audience and speakers. We as the community need to push more and improve.

Disclaimer

I have not been involved in the planning of the event other than setting a draft budget in November / December 2021 as part of the normal FIRST budgeting process. And above is purely my personal opinion on things.

Photocredit: Kamil Bojarski

API of the month: MISP

MISP is a very well known tool in the infosec community that enables individuals and teams to work and share indicators and other case relevant information.

The MISP API comes for free with every MISP installation of the free and open source software, so if you want to try it out, go for it. There are various install guides for MISP.

Once your MISP instance is up and running, you can head over to the MISP API documentation.

Search

Among all endpoints I did use the Search endpoint the most. This endpoint can be used to search all your MISP data. You can either just pass a string and search everything, or you filter by dedicates types. The query can be as complicated as you want it to be. Be careful with just value searches, depending on your data size, the requests might take a while to complete.

Get events

Another very useful thing after your searched is then pull the events that matched your search. This can be helpful to provide more context to analysts who started the search.

PyMisp

When writing about the MISP API, it is important to mention pyMISP, the Python library to access the MISP REST API. It is maintained by the same people behind MISP, so it is kind of a reference implementation of the API and is very easy to use.

Target audience

The target audience for the MISP API is researchers, students, DFIR professionals and everyone who has a need to store and query structured data around events.

More

Want to find more Security APIs? Go and visit my repository: https://github.com/jaegeral/security-apis

Let’s talk about time – in a different blog

I wrote a blogpost, but in a different blog that I however wanted to link to. It is a blog that is maintained by a bunch of open source digital forensics incident response people some of which are my current team mates.

The blogpost is about Time. More specific on some general ideas and concepts around time. It then goes on to explain how time is relevant in IT and why it is important in digital forensics. It also contains some recommendations that everyone can (and should) apply.

Here is a except of the goal of the blog post:

Goal
This article explains the importance and challenges of time in digital forensics and incident response. You will learn how time is handled in various open source tools and get practical tips on managing time in your environment.

Are you curious: go over to: https://osdfir.blogspot.com/2021/06/lets-talk-about-time.html

New project: Awesome security videos

Cyber security is a global issue but most people interested in the topic are not able to visit the big conferences because they are expensive or because they are not allowed to travel to the destinations.

But thanks to the evolving technology of video hosting sites and the fact that capturing talks on video is more and more getting the new norm, a lot of good security talks can be watched online.

Looking for good videos, I ended up in either a total mess of crappy videos or pretty good videos where not pushed up on the result pages by video hosting platforms because low number of views (most security talks at the moment to not attract that much audience). This is when I started a new repository called: „awesome security videos

The idea is simple, collect and curate a list of online videos that is good from a content and a presentation point of view.

Because it is on github, I hope for others to contribute ideas, I will also have a close look on twitter, so feel free to send me a DM to https://twitter.com/alexanderjaeger

Also all videos will be added to a public youtube list: https://www.youtube.com/playlist?list=PLbE0nb-0VwXRB7kjFLlc-RBc4ihCkcP-A

lnav the log file navigator

This is a recommendation to a tool that I am using since months – the log file navigator.

Who does not know the issue, you have to look at logs from various places and you start with stuff like more, grep, cat etc. or upload it to your ELK, Splunk, QRadar – you name it.

While those tools have their good reason, log files usually have a specific set of requirements to handle effectively. And for that reason use lnav. The tool enables you to work with your log file(s) locally, offline and effective.

Some quotes:

Just point lnav to a directory and it will take care of the rest.  File formats are automatically detected and compressed files are unpacked on the fly.

The log message format is automatically determined by lnav while scanning your files.   The following formats are built in by default:

More features on the project website.

The best part? The tool is free! Yes free as free, so no data is shared with the developer, no shareware, it is free!

It runs on Apple OSX and linux – I am waiting for a Windows version as there is Linux subsystem support on Windows 10.

15 Must read books if you want to work on Cyber Security

Motivation

One of the most frequent questions I get asked by my students: What books should I read if I want to work in Cyber Security?

So I reviewed what I have read so far, talked to colleagues I trust to conduct the following list (as I have a lot of german readers, there is always a link to the german and the english version). The list is a mixture of educational books as well as books that will give an idea about mindset of hackers, defenders and other players in that field.

If you have other recommendations, opinions or comments, I would highly appreciate every feedback in the comments below.

I will try to update the post on a regular base as new trends are coming up e.g. machine learning, AI or blockchain (but I do not see any must-read-books in that areas).

It is fair to say, it is not the only way into the security area, a good amount of people learned by blogs, twitter, youtube and such and there is nothing wrong with it, it is quite the opposite, as the pace of change is so fast, it is hard to keep books up to date.

Every item has links to amazon.com, if you happen to buy the book using the links you support the blog, thank you for that.

1. The Art of War

by Sun Tzu

A relative short (and cheap) book that teaches various aspects of war that most experts agree can also be applied to cyber security. To be honest, there are also a good amount of people who think Art of war is not as important, so read it and make your own opinion.
At least it will be a good ice breaker for networking.

Englisch link / German link

2. Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

by Kevin Mitnick

This was the first security related book I read after attending a conference talk of the author Kevin Mitnick. It is fair to say he is one of the most known hackers and reading his stories gives the reader first hand access to the mind and motivation of a hacker. The book is also very good to read.

English link / German link

3. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

by Cliff Stoll

What to say, a book about espionage, spies and many more. Good book that for sure must be read.

English link / German link

4. Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software

by Michael Sikorski

Reading that book will equip you with all concepts and skills to analyse malicious files. This is even a very good skill if your goal is not to become the top notch malware reverse engineer, but the concepts outlined in the book will help to understand weaponizing files to target systems or users.

English link / German link

5. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter

This book covers the maybe most prominent cyber security attack in history: Stuxnet. To understand motivation of companies to invest money in cyber security, knowing and trying to understand the Stuxnet case is so helpful and Kim Zetters book is the best to do so.

English link / German link

6. Rtfm: Red Team Field Manual

by Ben Clark

This list would be incomplete without at least one book covering the offensive aspect of cyber security professionals: red teaming. Even if you do not want to be payed to hack into companies, it is good to know what the people getting paid to hack into companies have read without a doubt.

English link / German link

7. Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan

by Jeff Bollinger, Brandon Enright, Matthew Valites

Legendary book outlining how to ramp up an Incident Response Plan to defend a network. If your goal is to go into red teaming, read that book to understand how defenders work.

English link / German link

8: 1984

by George Orwell

Fictional book but also a must read for making a career because it will sharpen your sensors for privacy more than any other book out there.

German link

9: Practical Unix & Internet Security

by by Simson Garfinkel, Gene Spafford, Alan Schwartz

Sooner or later everyone in the industry encounters Unix, that is why this book is on that list, because it is the bible for that area.

English link / German link

10: Computer Incident Response and Product Security

by Damir Rajnovic

Damir „Gaus“ Rajnovic created the standard to read to set up an Computer Security Incident Response Team (CSIRT / CIRT / CERT / CSIRT) or a Product Security Incident Response Team (P-SIRT).

German link

11: Applied Cryptography: Protocols, Algorithms and Source Code in C

by Bruce Schneier

A top x list in Cyber Security without a book from Bruce Schneier is not worth to listen to. Bruce Schneier is the rockstar in the area and his book the go to for cryptography.

English link / German link

12: Secure Coding: Principles and Practices

by Mark G. Graff, Kenneth R. van Wyk

You need to understand how to write secure code. Without that know how it is way harder to argue on basic security principles. This book is bootcamp for that purpose.

English link

13: Hacking: The Art of Exploitation

by Jon Erickson

Refered by a trusted friend as one of the go-to books for understanding exploitation.

English link

14: Cryptonomicon

by Neal Stephenson

Another fictional book on that list to understand motivation and boost your motivation in the field.

English link

Bonus: The Ultimate Hitchhiker’s Guide to the Galaxy

by Douglas Adams

When asking friends for opinions and recommendations for that list, the ultimate hitchhiker’s guide to the Galaxy was mentioned „because no security professional will take you seriously if you haven’t read it“ – nothing to add here.

English link / German link

Comment

You might have discovered, it is not yet 15 books, I am still on the journey to discover the remaining bricks. But rather prefer to let people read less books that have a big impact than more books with some that might not be the same caliber.

Have fun with reading.

(This post is inspired by 15 Must Read Books if You Want to Work on Wall Street)

gpg: signing failed ioctl

While signing PGP keys the following error occured:

gpg: signing failed: Unpassender IOCTL (I/O-Control) für das Gerät

Which is german so googling for the following words:

gpg: signing failed ioctl

Revealed a possible solution that actually worked:

GPG_TTY=$(tty)
export GPG_TTY

Security API collection

While working on different stuff I was searching for a collection of APIs that are related of useful for security researchers, incident response people or threat intel.

Unable to find a good list of REST APIs decided to start it. The collection is hosted on a Security API list, and pull requests or issues mentioning missing APIs are highly welcome.

Why did I produce such a list? More and more people want to automate their workflows, Security Orchestration is the new Buzzword after last years Threat Intelligence, but basically containing the same, they both have in common to facilitate already available data, with Orchestration not storing that much data but enriching dots collected.

However the challenge is, what to integrate, everyone has their „go to“ tools they use on a daily base risking to miss some golden nuggets that are handy.

The list is divided (at the moment) in tools that are mostly on prem., online tools, SIEMs and various. With an increasing number of APIs that ordering might change of course.

So I really hope the list is useful and people can use it and that it can grow.

MISP Issues with certificates

Recently I came a across some MISP issues with Certificates with remote servers. Even it is okay with Test connection, if you try to push or pull events it will not do anything. Also logs will not tell you anything. If you run tcpdump to debug and watch in Wireshark you will see something like the screen shot.

Before adding it to the documentation of MISP, here is a brain dump what I did:

Scenario:
Server 1 – running MISP
Server 2 – running MISP

Server 1 wants to push events to Server 2

Server 2 has a TLS / SSL certificate signed by an internal CA. Because cakephp is not respecting the OS CA store. This needs to be done manually.

Looking up the certificate with full chain in Firefox will not reveal the FULL cert patch because it is not showing the ROOT CA.

What you need to do is create a new text file and add all public certificates to that file and save it as a .pem file (including the sign of the Root CA)
This pem file then needs to be added as certificate to the MISP Server config.

Within gitter we had a discussion why it is not okay to simply mark the „self signed“ box. It appears that certificates that are signed by a CA (and not signed locally) have several indications for such signatures:

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
...

and

ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

Useful:

keytool -printcert -file certificate.pem

And:

openssl s_client -showcerts -connect server2:443