Workflows for Identifying and Dealing with Advanced Threats and Sharing Information with the CiviCERT Community


From the 3rd to the 6th December 2019, we held our first CiviCERT workshop on Workflows for Identifying and Dealing with Advanced Threats and Sharing Information with the CiviCERT Community. This workshop was coordinated and co-funded by DDP and Access Now. Greenhost kindly contributed to our dinner with all participants on the last day.

The workshop gathered 28 participants, of whom 11 were female-identified, 15 male-identified and 2 non-binary/other-identified. It also included a team of 7 facilitators from DDP, Access Now, Human Rights Watch, Amnesty Tech and Circl.lu. Participants came from the following organisations: Access Now, Amnesty Tech, Center for Digital Resilience, Circl.lu, DDP, Defend Defenders, Freedom of Press, Front Line Defenders, Fundacion Karisma, Greenhost, Human Rights Watch, ShareCERT and Syrian Archive. They travelled from the following locations to attend the workshop: Bahrain, Brazil, Costa Rica, Colombia, Germany, Kyrgyzstan, Luxembourg, the Philippines, Serbia, the Netherlands, Uganda, USA and Zimbabwe.

In preparing for the workshop, we sent questions to all participants to get a better understanding of how they dealt with advanced threats in the field. We asked them to share 1 or 2 cases where they did not feel skilled or prepared enough to perform an initial triage of an advanced threat, and asked them to answer these questions in particular:

  • What kind of access did you have to the person looking for help?
  • Did you have access to the physical computer or mobile device?
  • Were you trying to collect indicators remotely via Teamviewer or remote desktop applications?
  • What kind of issues made you feel you could not deal with the threat?

We collected 14 answers that were reviewed by the team of facilitators in order to prepare the contents of their sessions.

Regarding the agenda, the first day was focused on having the 28 participants get to know each other better, sharing stories about advanced threats and starting a conversation on how to detect them. On the second day, the morning was focused on how to deal with advanced threats on computers (Windows and Linux) and the afternoon on smartphones (Android and iOS). The third day was focused on MISP and information sharing, and on the last day we split into breakout groups to discuss in more depth several topics of interest to the community.

We include below more details regarding the contents and resources used during the workshop.

Training curricula

  • How to recognize advanced threats?
  • Tools for checking documents and links looking for malware
  • Live Forensics
  • Smartphone Forensics
  • MISP – Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

Screenshot MISP Platform