xorl %eax, %eax

Archive for the ‘conferences/trainings’ Category

Predict 21: Tradecraft Tips for Unusual Recorded Future Uses


Since its first instance (known as RFUN back then), Recorded Future’s intelligence summits have been one of my favourite industry events. That’s not only due to the content, which is always incredible and covers multiple aspects of the intelligence world, but also because of the overall atmosphere of the event. The attention to detail and passion of the organizers is apparent if you have ever had the opportunity to attend either RFUN or its successor, called Predict.

In 2019, together with an amazing colleague, we had the honour to do a podcast for RFUN while attending the event. But this year, I was even more excited since a talk I had submitted was accepted and that marked my first speaking event at Predict. My talk was titled “Tradecraft Tips for Unusual Recorded Future Uses” and was about, more or less, what the title says.

That is, tradecraft tips on how you can use Recorded Future’s platform for things that aren’t common knowledge. For example, taking advantage of the platform’s OCR capabilities, crisis monitoring, how you can take advantage (“exploit” in intelligence lingo) of “noisy” sources, threat actor tracking and alerting, enriching the platform by onboarding new sources, etc.

Now, on the event itself, there were some great talks and people presenting (which makes it even more humbling to be part of it). To give you an idea, talks included people like Sir Alex Younger, Former Chief of MI6, multiple CISOs of big U.S. cities like Los Angeles and New York, representatives of the Dutch High-Tech Crime Unit, and of course, lots and lots of experienced intelligence experts from both Recorded Future’s intelligence teams and other private companies. You can check the agenda here on your own.

Now for this blog post here, I’d like to close it with something that is common knowledge but frequently forgotten… No matter how “smart” your technology is, it’s how the people use it that matters.

Think about it from the public sector side too… You might have some super impressive spy satellites with SAR CCD, dozens of sensors… And yet, what if all your analysts just use the optoelectronic and FLIR sensors? Does it matter?

So… Regardless of what technologies you have available, ensure that you make the most of what they offer. Whether this is your SIEM, your XDR, or even your spy satellites! :)

Written by xorl

October 27, 2021 at 13:17

x33fcon: In nation-state actor’s shoes


x33fcon is a cybersecurity conference that I had the opportunity to attend a couple of times in previous years. This year I decided to submit a topic, and eventually it was accepted. This meant that in 2021 I also had the honour to present at x33fcon. My talk was titled “In nation-state actor’s shoes” and its goal was to give a different perspective, mainly to blue teamers, on nation-state actors.

So, I regularly use the following quote when talking about security:

If you know the enemy and know yourself, you need not fear the result of a hundred battles

Sun Tzu, The Art of War

I like it because it summarizes perfectly the challenge any security organization faces. No matter how well you know your environment, and how well you think you’re protecting it, unless you know your adversaries equally well, you’ll fail. So, my talk was about this: what can we learn about nation-state actors by studying leaked material, and how can we use this to protect our organizations more effectively?

I really enjoyed researching this subject and making this talk possible since it combined multiple areas that I regularly find myself involved with. Espionage history, threat research, cryptology, security engineering, training people, etc. If you want to watch it, the x33fcon team has published it (along with all the other talks, check them out too!) in the conference’s channel on YouTube.

On a final note, I’d like to thank the amazing x33fcon team for making this event possible in this flawless manner, and for giving me the opportunity to present this research to that audience. Also, I have done a few virtual conference talks the past couple of years but this was the first time that in the speaker package there was a framed certificate of appreciation together with a beautiful hoodie. Thanks a lot x33fcon team and hope to see you again next year!

Written by xorl

August 15, 2021 at 20:32

My ICCH talk on DE-59 cipher machine


On July 10, 2021 I had the great honor to present a talk at the International Conference on Cryptologic History (also known as ICCH). Espionage and secure communications history has been one of my hobbies for quite some time, and I had even started a YouTube channel last year to share artefacts from my collection, but that talk was a whole new level for me.

In this case I did a far more thorough, multi-month long research on a One-Time Tape (OTT) based cipher machine used by the Greek government during the Cold War, the DE-59. The device was recently declassified but there are still very few details about it online.

The event was amazing and, as always, the participants included some of the key people of the cryptologic history space. I would never even have dreamed of meeting those people, let alone presenting some cryptologic history content to them and receiving positive feedback about it.

So, excluding the introduction, the talk revolved around the DE-59. Specifically, I talked about:

  • biographical information of the people behind it
  • situation in Greece at that time
  • its invention
  • how it worked and where it was used
  • pros/cons (based on information from actual users of the device)
  • its (known) cryptanalytic history (AKA foreign intelligence attempts to break it)
  • its decommissioning
  • the important role its inventor played to secure communications in Greece

Before closing, I’d like to thank the following since without them this talk would never have been possible.

  • Association of Retired Signal Corps Officers (ΣΑΑΔΒ)
    • The only DE-59s on display are in this association’s museum, and all the people there were extremely helpful in providing me with all sorts of help and support while doing my research for this talk. If you ever consider donating your radio or crypto equipment, please consider giving it to the museum of this association. If you’re unsure how to do this, reach out to me and I’ll be happy to help.
  • Tom Perera, Ph. D.
    • Now, if you are into cryptologic history you definitely know who Dr. Tom Perera is. So, this extremely experienced, dedicated, and influential cryptology expert helped me overcome my fear of presenting in front of such an audience of world leaders in cryptology. Thank you for all the support!

Written by xorl

July 19, 2021 at 11:09

BSides Athens 2021: .GR TLD hijacking


Last year I presented a high-level/strategic cyber threat landscape for Greece as a country. My methodology back then was to split the threats into three broad categories (hacktivism, cyber-crime, and cyber-espionage) and do my research from a historical perspective. Meaning, what has been happening in the past and what assessments we can make from that for the future.

This year I wanted to do something different, move to the tactical level and talk about a specific cyber-espionage operation targeting Greece. Thankfully, my submission was accepted and in mid-June I got the opportunity to present my research, which is currently publicly available through the BSides Athens official YouTube channel.

I had to rush this talk a little bit due to time constraints, but hopefully I did so on the less important parts, leaving sufficient time to go through the more crucial parts of the presentation.

If you want to know more about the talk, you can watch the video. Here I’d like to use this space to encourage more people to talk about those lesser known cyber-espionage activities, since it’s easy to get sucked into the large players like the so-called “big 4” threats to the US government, the FIVE EYES, and others. What about the rest of the world though?

Greece is an example of that. Although a small country, I had many recent and interesting cases to choose from for this talk. Multiple Turla operations, numerous cyber-espionage operations from FIVE EYES and China… But this one was one of those subtle, yet very impactful operations for the general region, also considering the past operations of this threat actor (see the presentation for an overview of those).

So, if you’re reading this and you’re looking for research topics for your next presentation, consider researching something regional, something not so well known outside of your country… This will help everyone improve their situational awareness, and who knows… You might even uncover a previously unknown nation-state actor.

On a final note, I’d like to give a huge thanks to the BSides Athens team for all their hard work before, during, and after the event, as well as to Cisco TALOS, who were the only ones that publicly released some IOCs for this operation. Those were the most valuable starting point for my research. Lastly, after my talk I had the opportunity to learn many more details about this, and other, operations from several organizations that reached out to me, and I’d like to thank them too for all the feedback, knowledge, and experience they shared with me.

Written by xorl

July 7, 2021 at 12:01

OSAC NL Chapter: Cyber Threat Briefing


Recently (February 2021) a colleague of mine and the Diplomatic Security Service with the U.S. Embassy in The Hague gave me the opportunity to present at the Overseas Security Advisory Council (OSAC), Netherlands chapter. My presentation was titled “Cyber Threat Briefing: A look at 2020 and assessing the near future” and although I cannot share the slides of my talk, I’ll do my best to go through the experience of presenting at OSAC.

First of all, the OSAC-NL/U.S. Embassy in The Hague team were incredible and I want to thank them for all their feedback, help, and support. Having said that, my presentation was structured as follows:

  • Cyber domain trends
  • Cyber-actors activities related to EU and the Netherlands
    • Hacktivism
    • Cyber-crime
    • Cyber-espionage
  • Case studies from 2020
  • Cyber threat forecast for 2021

I really enjoyed the engagement with the participants of the event but, more importantly, the openness to having even controversial subjects heard in a U.S. government sponsored event, such as how specific cyber operations of the U.S. government and/or the FIVE EYES can have a negative impact (e.g. collateral damage, retaliation) on private sector entities.

Overall, it was an event where I got the vibe that all participants deeply cared about how to protect their organizations, with all the potential political aspects completely removed. It was a great event and an honor to be part of it. I hope to be able to participate in more of them in the future.

Written by xorl

April 27, 2021 at 11:01