We are going to talk about how we use the Detection-as-Code idea in phishing website detection. We will explain what Detection-as-Code is and give practical tips. This talk doesn't focus on "phishing" but on Detection-as-Code, so we hope you will have some takeaways!
Who Are We?
---
Manabu Niseki: A Botconf, OBTS and JSAC speaker. A jack of all trades, master of none. A forever V3 climber.
Dekai Wah: Dekai (Wally) is a security engineer at LY Corporation's Trust & Safety team.
Background
---
Recently there were spikes in LINE-themed phishing website attacks in Taiwan.
For example:
Resistance is Futile – The Undefendable Supply-Chain Attack
===
:::info
- **Date:** Oct.29th 11:00-11:40
- **Speaker:** Sung-Ting_Tsai,Linda_Kuo
- **Category:** CyberCrime - Main Track
> Whilst the world is suffering from cyber-attacks, a trend of a large-scale massacre is taking the world by storm. This year in March, the invasion against Asus, one of the largest computer and phone hardware manufacturers, hit the headlines of worldwide media. This event became one of the most tremendous supply c
Transparency in the Software Supply Chain: Making SBOM a Reality
===
:::info
- **Date:** Oct.29th 10:20-11:00
- **Speaker:** Allan_Friedman
- **Category:** Law@Policy - Main Track
> We can't buy a piece of candy without knowing its ingredients, or design and sell a piece of machinery without accounting for each nut and bolt. Yet, even as supply chain uncertainty has emerged as a top information security risk, there is limited visibility into the third party components on the software running o
CODE BLUE 2019 Collaborative Notes
===
What is this?
---
- [Information](/sMDfCCePTpCGp4ExyEyoEw)
Talks
---
### Day 1
- 9:30-10:15 [Keynote:Hacking the Bomb - Cyber Threats and Nuclear Weapons / Andrew_Futter](https://hackmd.io/@ninoseki/SJecnIaKS)
- 10:20-11:00 [Transparency in the Software Supply Chain: Making SBOM a Reality / Allan_Friedman](https://hackmd.io/@ninoseki/SJKoT8pKH)
- 11:00-11:40 [Resistance is Futile – The Undefendable Supply-Chain Attack / Sung-Ting_Tsai,Linda_Kuo](https://hackmd.io/@ninoseki/BJM10UpFH)
- 11:40-12:20 [Overview of
Wifi sniffing with the WifiKraken
===
:::info
- **Date:** Oct.30th 11:50-12:20
- **Speaker:** Mike_Spicer
- **Category:** Bluebox - 1F HALL
> The WiFiKraken is the culmination of lessons learned during the last 3 years of wireless monitoring at DEFCON using wireless sniffing tools like the #WiFiCactus. This demo will show you the software and hardware needed to build a robust wireless monitoring sensor network that is capable of capturing everything up to 802.11ac including Bluetooth. This dem
FileInsight-plugins: Decoding toolbox for malware analysis
===
:::info
- **Date:** Oct.29th 11:50-12:20
- **Speaker:** Nobutaka_Mantani
- **Category:** Bluebox - 1F HALL
> FileInsight-plugins is a collection of plugins for McAfee FileInsight hex editor. It is useful for various kinds of decoding tasks in malware analysis such as extracting malware executables and decoy documents from malicious document files. FileInsight-plugins adds many functions including the following:<br><br>- Search for XO
Seamless Threat Intelligence Platform (S-TIP)
===
:::info
- **Date:** Oct.30th 14:30-15:00
- **Speaker:** Koji_Yamada,Toshitaka_Satomi
- **Category:** Bluebox - 1F HALL
> S-TIP is an open source platform for those who create, share, accumulate, and/or utilize cyber threat intelligence (CTI).<br>There are various kinds of CTI and CTI can be broadly divided into human CTI and system CTI.<br>Human CTI is knowledge on cyber attacks to be consumed by people through social media, email, and other ch
Keynote:Cyberspace – A Lawless Wild West or Orderly Chaos?
===
:::info
- **Date:** Oct.30th 17:40 - 18:25
- **Speaker:** Liis_Vihul
- **Category:** Keynote - Main Track
> International law is considered to be the foundation of the global normative order underpinning cyberspace. Adherence to it should ensure preservation of international peace and security even when states pursue their strategic ends in cyberspace; that countries respect each other’s borders and do not intervene in other state
Applicability of GDPR and APPI to international companies and the impact on IT Security
===
:::info
- **Date:** Oct.30th 17:00-17:40
- **Speaker:** Matthias_Lachenmann
- **Category:** Law@Policy - Main Track
> The speech will describe the new Data Protection Laws in Europe (GDPR) and Japan (APPI with supplementary rules). It will give recommendations to company leaders and IT experts on how to avoid or cope with applicability of these laws and describe necessary IT Security measures under the
Why We Click: Studying Threat Actor’s use of Principles of Persuasion to Increase Successful Execution
===
:::info
- **Date:** Oct.30th 16:20-17:00
- **Speaker:** Joshua_Miller
- **Category:** General - Main Track
> Why do we click? Threat actors continue to have continued success in eliciting targets in engaging operations in order to further intrusions. When we begin to look at cyber threat activity, we can see that throughout the threat landscape, we can see threat actors using Cialdini’s P
From Advanced Persistent Threats to "Advanced Persistent Manipulators": The Evolving Cyber Defense Battlefield
===
:::info
- **Date:** Oct.30th 15:10-15:50
- **Speaker:** Mei_Nelson
- **Category:** Law@Policy - Main Track
> As advanced persistent threats (APTs) have become pervasive, governments and organizations have spent billions of dollars over the years fighting them. Meanwhile, actors have created a new breed of threat – “Advanced Persistent Manipulators” (APMs), to borrow a term coined
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
===
:::info
- **Date:** Oct.30th 14:30-15:10
- **Speaker:** Chi_En_Shen,Oleg_Bondarenko
- **Category:** Technical - Main Track
> For the past few years, Asia Pacific and Japan have continued to be a regular target of cyber threat actors. From 2018 to 2019, we have observed several threats targeting Japan involving cyber espionage and underground activities. Some of the adversaries and campaigns are revealed in OSINT, however, som
New threats are already around you, the IPV6 attack must be understood
===
:::info
- **Date:** Oct.30th 13:50-14:20
- **Speaker:** KunZhe_Chai,YongTao_Wang,Jie_Fu
- **Category:** Bluebox - 1F HALL
> Due to the exhaustion of IPv4 free address space, the use of IPv6 on the Internet is gradually increasing. All Windows operating systems since Windows Vista have IPv6 enabled by default. IPv6 brings a series of improvements compared to IPv4, but these improvements are also a double-edged sword.
Recent APT attack on crypto exchange employees
===
:::info
- **Date:** Oct.30th 13:20-14:00
- **Speaker:** Heungsoo_Kang
- **Category:** CyberCrime - Main Track
> In this talk, I plan to present an overview of the recent APT attacks against employees of cryptocurrency exchanges. Attackers took extra care with their social engineering skills while also using advanced malware and two 0-day exploits. This talk will give an overview of the attack. It will explain what kind of social engineering tricks th
Crypto Cobra: Tales of the nation-state actor targeting crypto-exchanges
===
:::info
- **Date:** Oct.30th 12:40-13:20
- **Speaker:** Dani_Goland,Ido_Naor
- **Category:** Blockchain - Main Track
> There's only one state-sponsored threat actor that targets victims for financial motivations. Because of sanctions and political implications, it has been told that the isolated kingdom of North Korea resorted to launching vicious malware campaigns against financial institutions to fund their operat
MalCfgParser: A Lightweight Malware Configuration Parsing Tool
===
:::info
- **Date:** Oct.30th 12:30-13:00
- **Speaker:** Ycy_Yu,Duckll_Liao,Charles_Li
- **Category:** Bluebox - 1F HALL
> "MalCfgParser" is a malware configuration parsing tool for incident response analysts and malware researchers.<br><br>Malware detection and analysis evasion is a cat-and-mouse game between analysts and malware authors. The attackers apply diverse landing mechanisms or obfuscation techniques to cloak their b
Integration of Cyber Insurance Into A Risk Management Program
===
:::info
- **Date:** Oct.30th 11:00-11:40
- **Speaker:** Jake_Kouns
- **Category:** General - Main Track
> Many people believe that there are only two types of companies: those that have been breached, and those that will be. Regardless of your viewpoint, no matter how many new, shiny information security appliances are purchased, data breaches continue to happen at alarming rates. It doesn’t matter what industry or the size o