From the 3rd to the 6th of December 2019, we held our first CiviCERT workshop on Workflows for Identifying and Dealing with Advanced Threats and Sharing Information with the CiviCERT Community. The workshop was coordinated and co-funded by DDP and Access Now. Greenhost kindly contributed to the dinner with all participants on the last day.
The workshop gathered 28 participants, of whom 11 identified as female, 15 as male and 2 as non-binary/other. It also included a team of 7 facilitators from DDP, Access Now, Human Rights Watch, Amnesty Tech and Circl.lu. Participants came from the following organisations: Access Now, Amnesty Tech, Center for Digital Resilience, Circl.lu, DDP, Defend Defenders, Freedom of Press, Front Line Defenders, Fundacion Karisma, Greenhost, Human Rights Watch, ShareCERT and Syrian Archive. Participants travelled from the following locations to attend the workshop: Bahrain, Brazil, Costa Rica, Colombia, Germany, Kyrgyzstan, Luxembourg, Philippines, Serbia, the Netherlands, Uganda, USA and Zimbabwe.
To prepare the workshop, we sent questions to all participants to better understand how they dealt with advanced threats in the field. Concretely, we asked them to share one or two cases where they did not feel skilled or prepared enough to do the initial triage of an advanced threat, and to answer these questions in particular:
- What kind of access did you have to the person looking for help?
- Did you have access to the physical computer or mobile device?
- Were you trying to collect indicators remotely via TeamViewer or remote desktop?
- What kind of issues made you feel you could not deal with the threat?
We collected 14 answers, which were reviewed by the team of facilitators to prepare the contents of their sessions.
Regarding the agenda, the first day focused on having the 28 participants get to know each other better, sharing stories about advanced threats and starting a conversation on how to detect them. On the second day, the morning focused on how to deal with advanced threats on computers (Windows and Linux) and the afternoon on smartphones (Android and iOS). The third day focused on MISP and information sharing, and on the last day we split into breakout groups to discuss in more depth several topics of interest to the community.
We include below more details regarding the contents and resources used during the workshop.
How to recognize advanced threats?
- Phishing (spear phishing, credential harvesting, watering holes)
- Attacking accounts (password reset forms, emails that look like they come from services the target uses, e.g. Microsoft Support)
- Bypassing 2FA (phishing kits that relay the one-time code in real time)
- SMS (text messages, zero-day exploit kits)
- Guide to phishing by Security Without Borders
- Targeted Attacks Against Civil Society : What is New in 2019?
Tools for checking documents and links looking for malware
- pdfid and pdf-parser.py: pdfid scans a PDF for the names and keywords that indicate risky features (/JavaScript, /OpenAction, /Launch, /EmbeddedFile and so on), even when they are hidden with hex escapes; pdf-parser.py then parses the document's objects and streams so the suspicious parts can be examined.
- oletools: Python tools to analyse Microsoft OLE2 files, such as Office documents carrying VBA macros.
- Cuckoo Sandbox: for automating analysis of suspicious files.
- REMnux: toolkit for assisting malware analysts with reverse-engineering malicious software.
- CyberChef: converts data from one format to another and also offers various parsing, code clean-up and extraction operations.
- Guide to quick forensics by Security Without Borders
- Slides with methodology for live forensics on Windows and GNU/Linux
- Live Forensics on Windows
- Host-Based Live Forensics on Windows
- Tools for the practical session on Windows forensics
- Guide to checking smartphones by Security Without Borders
- Slides on smartphone forensics
- Snoopdroid: tool to automate the process of extracting installed apps from an Android phone.
- Emergency VPN by Civilsphere
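The document-triage tools listed above (pdfid in particular) work by counting the PDF names and keywords that signal risky features, after undoing the `#hh` hex escapes that attackers use to hide a name such as `/JavaScript`. The script below is an added example written for this report, not pdfid or pdf-parser.py themselves: it reimplements that counting and a small escalation rule set in a few functions, and runs them over a sample PDF constructed inline for the example (not a real malware sample).

```python
"""Added example (not the pdfid tool itself): a minimal pdfid-style triage.

pdfid counts the PDF names and keywords whose presence hints at malicious
content, after resolving the '#hh' hex escapes that malware authors use to
hide names such as /JavaScript.  This reimplements that idea so the logic
can be read and tested; the sample PDF at the bottom is constructed for
the example.
"""
import re

# Names and keywords that pdfid reports.  /JS, /JavaScript, /AA,
# /OpenAction, /Launch, /EmbeddedFile and /RichMedia are the ones that
# most often justify sending a document to a sandbox such as Cuckoo.
TRACKED = (
    "obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
    "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
    "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch",
    "/EmbeddedFile", "/XFA", "/URI",
)

_NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")   # a PDF name object
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")         # '#hh' escape inside a name
_KEYWORD_RE = re.compile(
    rb"(?<![A-Za-z])(obj|endobj|stream|endstream|xref|trailer|startxref)(?![A-Za-z])"
)


def normalise_name(raw: bytes) -> bytes:
    """Resolve '#hh' escapes: b'Java#53cript' -> b'JavaScript'."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Return pdfid-style counts plus the number of hex-obfuscated names."""
    counts = {key: 0 for key in TRACKED}
    obfuscated = 0
    for m in _NAME_RE.finditer(data):
        raw = m.group(1)
        clean = normalise_name(raw)
        if clean != raw:
            obfuscated += 1          # a legitimate PDF almost never does this
        name = "/" + clean.decode("latin-1")
        if name in counts:
            counts[name] += 1
    for m in _KEYWORD_RE.finditer(data):
        counts[m.group(1).decode("ascii")] += 1
    return {"counts": counts, "obfuscated_names": obfuscated}


def triage(report: dict) -> list:
    """Turn the counts into the reasons an analyst would escalate the file."""
    c = report["counts"]
    reasons = []
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("contains JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        reasons.append("runs an action automatically (OpenAction/AA)")
    if c["/Launch"]:
        reasons.append("can launch an external program")
    if c["/EmbeddedFile"] or c["/RichMedia"]:
        reasons.append("carries an embedded file or rich media")
    if report["obfuscated_names"]:
        reasons.append("uses #hh escapes to hide name objects")
    if c["obj"] != c["endobj"] or c["stream"] != c["endstream"]:
        reasons.append("obj/endobj or stream/endstream counts do not match")
    return reasons


# Constructed sample: a one-page PDF whose OpenAction runs JavaScript, with
# /JavaScript hidden as /Java#53cript.  Not a real malware sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /Java#53cript /JS (app.alert('triage me')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    for key, n in report["counts"].items():
        if n:
            print(f"{key:>14} {n}")
    for reason in triage(report):
        print("!!", reason)
```

On the sample, the scan reports one /JavaScript (found only because the `#53` escape was resolved), one /JS and one /OpenAction, and the triage step lists three reasons to escalate. A hit here is a reason to open the file in pdf-parser.py or a sandbox, not a verdict: JavaScript and OpenAction also appear in benign forms, which is why the original tools report counts rather than a score.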