Workflows for Identifying and Dealing with Advanced Threats and Sharing Information with the CiviCERT Community

From the 3rd to the 6th of December 2019, we held our first CiviCERT workshop on Workflows for Identifying and Dealing with Advanced Threats and Sharing Information with the CiviCERT Community. The workshop was coordinated and co-funded by DDP and Access Now. Greenhost kindly contributed to our dinner with all participants on the last day.

The workshop gathered 28 participants, of whom 11 were female-identified, 15 male-identified and 2 non-binary/other-identified. It also included a team of 7 facilitators from DDP, Access Now, Human Rights Watch, Amnesty Tech and Circl.lu. Participants came from the following organisations: Access Now, Amnesty Tech, Center for Digital Resilience, Circl.lu, DDP, Defend Defenders, Freedom of Press, Front Line Defenders, Fundacion Karisma, Greenhost, Human Rights Watch, ShareCERT and Syrian Archive. Participants travelled from the following locations to attend the workshop: Bahrain, Brazil, Costa Rica, Colombia, Germany, Kyrgyzstan, Luxembourg, the Philippines, Serbia, the Netherlands, Uganda, the USA and Zimbabwe.

In order to prepare the workshop, we sent questions to all participants to better understand how they dealt with advanced threats in the field. Concretely, we asked them to share 1 or 2 cases where they did not feel skilled or prepared enough to do the initial triage of an advanced threat, and asked them to answer these questions in particular:

  • What kind of access did you have to the person looking for help?
  • Did you have access to the physical computer or mobile device?
  • Were you trying to collect indicators remotely via Teamviewer or remote desktop?
  • What kind of issues made you feel you could not deal with the threat?

We collected 14 answers, which the team of facilitators reviewed in order to prepare the contents of their sessions.

Regarding the agenda, the first day was focused on having the 28 participants get to know each other better, sharing stories about advanced threats and starting a conversation on how to detect advanced threats. On the second day, the morning was focused on how to deal with advanced threats on Windows and Linux, and the afternoon on smartphones (Android and iOS). The third day was focused on MISP and information sharing, and on the last day we split into breakout groups to discuss several topics of interest for the community in more depth.

We include below more details regarding the contents and resources used during the workshop.

Training curricula

How to recognize advanced threats?

Tools for checking documents and links looking for malware

Live Forensics

Smartphone Forensics

MISP – Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

[Screenshot: MISP platform]
