xorl %eax, %eax

Archive for the ‘conferences/trainings’ Category

BSides Athens 2020: Threat Landscape: Greece

leave a comment »

In June 2020 I got the opportunity to present at BSides Athens for the first time. As you can see in the agenda, the event had a wide variety of topics ranging from security engineering, to exploitation, case studies, and others.

In my case, I decided to do something to help me better understand what threats my home country is dealing with. So, I spent a few weekends in a period of 2-3 months to study this topic and the outcome was the presentation I did for that conference. You can find the slide deck here.

Of course, the slides themselves are not that useful since they lack the required context. However, BSides Athens recorded all the sessions and made them available through YouTube. This means that you can watch my talk here.

It’s always an honor being able to use your knowledge to give back something to your home country and hopefully that threat landscape provided some insights into the cyber threats that Greece had been dealing with and what this means for the future.

Now that we are almost a year after this presentation, it’s an excellent time to revisit some of the assessments that I made in the final section of the talk, and whether or not those actually reflect what’s happening.

  • In hacktivism my assessment was a medium risk of geopolitically motivated hacktivism movements with low sophistication (DDoS and website defacements) mainly from Turkish threat actorts due to the tensions in East Mediterranean region. This unfortunately was proven true with several such cases during August 2020, others in September 2020, and continuing to this day, clearly following geopolitical tensions between Greece and Turkey. This was reflected also at PwC’s “Cyber Threats 2020: A Year in Retrospective” report from December 2020.
  • Regarding cyber-crime I had assessed that there is medium risk mainly from non-targeted/commodity malware with the domestic activity being mainly around scams. As we can see in the news Greece was involved in some high-profile cyber-crime cases but not targeting Greece. In October 2020 the Hellenic Bank Association (HBA) issued a warning for increase of tech support scams in Greece.
  • Finally, on cyber-espionage due to the continuously increased tensions in East Mediterranean region I was assessing that there is a high risk of cyber-espionage operations mainly from Turkey, Russia, FIVE EYES and China targeting government entities but also specific industries such as telcos. Publicly available attribution is usually non-existent for those types of operations but in October 2020 one of the biggest telcos of Greece responded to a cyber-espionage operation, on September 2020 there were reports on APT35 (although allegedly with tasking from Turkish liaison officers) compromising personal accounts of Greek Navy officers, and even more recently, in March 2021 several Greek journalists started receiving a nation-state attack warning from Google Security that some government actor is trying to infiltrate in their accounts. If you have access to premium threat intelligence reporting it’s easy to validate my other assessments for cyber-espionage too but I was unable to find any public reports to attach here.

In conclusion, one side of me is happy that my threat landscape was quite accurate in the future assessment section, but on the other side I’d wished that none of that would have happened. In any case, I’d like to thank the BSides Athens team once again for giving me this opportunity and I’m looking forward to dive more into some of those specific threats against my home country in the future.

Written by xorl

April 2, 2021 at 16:22

HUMINT in the age of cyber

leave a comment »

For the last few years I have been spending significant amount of time learning, researching, and evaluating different intelligence disciplines for use in the cyber/online domain. One of them was Human Intelligence (HUMINT), and no I don’t mean social engineering, more like adapting traditional HUMINT for cyber intelligence operations. At some point in 2020 I got the opportunity to present some of my findings from this research in a private conference event.

There are many TTPs from traditional HUMINT tradecraft that can be used equally effectively in online intelligence collection operations. I cannot publicly share this slide deck but here is a rough overview of the topics I talked about in that private conference from 2020:

  • Definitions/terminology
  • HUMINT examples as a cyber collector and as a cyber defender
  • Preparation (cover story, infrastructure, OPSEC measures)
  • Deep dive in the two main HUMINT collection approaches
    • Elicitation
    • Recruitment
  • Frameworks – theory & practice
  • How to select your approach
  • Key takeaways

Although I cannot share the content, I can share the some important recommendations in case you are performing, or you are interested, in online HUMINT.

  • Your security is the first priority. Remember that you are dealing with either criminals or intelligence professionals.
  • Don’t limit yourselves in any framework, use them as guidelines.
  • Humans change, don’t assume what you used in the past will still work in the future. Do your assessment.
  • Know (and set) your limits. It’s easy to end up doing criminal activities if you don’t.
  • If you are doing that professionally, make sure you have all required legal sign-offs before starting.

In case you want to get this one step further and perform Information Operations (IO) by exploiting the human nature, I highly recommend you to check out this leaked slide deck from GCHQ’s Human Science Operations Cell (HSOC) which goes through the Online Covert Action Accreditation (OCAA) program the Joint Threat Research Intelligence Group (JTRIG) was setting up in 2012-2013. It covers:

  • Introduction to online HUMINT
  • Introduction to online Influence & Information Operations
  • Introduction to Computer Network Attacks (CNA) & Disruption operations

A video presentation of it is available here. It’s slightly outdated, but it has some really good foundations.

Written by xorl

April 1, 2021 at 16:47

PrivSec Global: Mastering the use of Cyber Threat Intelligence

leave a comment »

A couple of months ago I received an invitation to speak at a panel discussion in PrivSec Global 2021, and I accepted it. The panel’s topic was “Mastering the use of Cyber Threat Intelligence” and it was comprised by the following people. It was a great experience for me as a speaker and I hope that it was equally pleasant for all the attendees too.


I really liked the fact that although we didn’t have any prior alignment on our answers, we all had a very similar perspective on what are the key areas for a successful Cyber Threat Intelligence (CTI) program, what CTI is and the value it brings to a business, and what are the pitfalls to be careful of if you are starting your journey now. Most importantly, none of us was focusing on specific products or vendors but on the core components of what’s needed to build an effective CTI team.

Of course, with six people in a panel the time we had for answering was carefully tracked and followed which means that many of our answers were not going into all the details and process as a presentation would. Nevertheless, if you were one of the several hundreds of people that attended PrivSec Global 2021 and have questions about my answers in this session, please let me know. I’d be more than happy to answer them.

On a final note, I’d like to thank Rosie F., Ruki R., and my co-speakers from this panel for this opportunity to participate in this event, and share some of my views on CTI programs with leaders of the industry.

Written by xorl

March 30, 2021 at 14:28

DeepINTEL 2020

leave a comment »

On 18 November 2020 I got the opportunity to present at DeepINTEL. This is an Austria-based TLP:AMBER conference for intelligence. Because of that I cannot say much about it but I’ll try to share some insights without exposing any sensitive information.

At DeepINTEL 2020 my presentation was about GEOINT based on some cases I worked on throughout 2020 while supporting a few investigative groups and organizations, outside of my professional career. In addition to that, the last 3 years I had completed several GEOINT trainings and certifications. So in that presentation I shared some real world examples and practical techniques for GEOINT analysts. However, that was a TLP:AMBER talk so I cannot share anything else in a public blog post.

This was my first time presenting at DeepINTEL and I was positively surprised with the level of professionalism, skill level of the participants, and that rare atmosphere of active participation. DeepINTEL didn’t have a large audience or dozens of tracks with talks, but everyone was actively participating with the goal of knowledge sharing in a quite open discussion. The organizers went to great extends to ensure the privacy of everyone involved and that was also reflected to all the participants.

If you are looking for a high quality conference about intelligence that reminds you more of a community gathering rather than an industry event, then you’ll love this event. Personally I cannot wait for the next one! :)

Written by xorl

January 21, 2021 at 11:57

FIRST Cyber Threat Intelligence Webinar Series: Building an intelligence-driven organization

leave a comment »

Just like for most people that speak at conferences, this year has been quite unusual for me too. Recently, I gave my talk, Building an intelligence-driven organization, and it was a new experience for me. Talking to an industry conference remotely. So, here is how this went.

In 2019 I submitted a talk in the CFP of FIRST Cyber Threat Intelligence Symposium that was scheduled to take place in Zurich in March 2020. I received some feedback and after some back-and-forth, in February 2020 I received an email that a version of my talk with some minor adjustments was accepted. Getting accepted to talk at this event for me was one of the biggest highlights of my professional life in 2020, but as we all know… COVID-19 happened.

Again, after various back-and-forth, the awesome FIRST CTI organisers team decided to run the event online in the first weeks of May 2020 and rename it to FIRST Cyber Threat Intelligence Webinar Series. That worked out nicely, and the entire event was great. Based on this small experience I gained from this, here are some recommendations for any “remote” conference speakers:

  • Find a quiet place
  • Make sure you have good internet connectivity
  • Good audio/video hardware
  • Test your setup and content in a test conference call before the event
  • Test your setup and content a few minutes before the presentation once again
  • Keep everything you might need close by (water, notes, etc.)
  • Turn off mobile phones, pagers, chat applications, or anything else that can cause interruptions or unwanted noise (jewellery, cables/cloths touching the mic, etc)
  • It’s easier to derail when presenting in this format, be focused and plan carefully your talk
  • Depending on the talk, you might not have video which means the non-verbal communication is removed from the equation so you have to rely more on the way you present your content
  • If you do have video, make sure your appearance, the lighting and background are professional and not distracting your audience from the actual content
  • It’s much harder to assess audience’s engagement throughout the talk, so make sure that you ask for a lot of feedback afterwards

Just to be clear, I am not saying that I succeeded in all of the above. Just that I realized the importance of those throughout this process. Hopefully that will be useful to future “remote” presenters. :)

Written by xorl

May 15, 2020 at 09:44