A security conference does not need to be “big” to be interesting. Size doesn’t matter with security conferences ;-). I’m in Lille, France where I attended the conference called “CoRIIN“. This event is held in French and its name means “Conférence sur la réponse aux incidents et l’investigation numérique” or “Incident Response and Digital Forensics Conference” in English. Always organized the day before the other major event, FIC, it was already the 4th edition and the first one for me. I was honoured to be invited as a speaker. In a few words, the conference helps people from law enforcement agencies, SOCs and CERTs to meet and exchange experiences during a full day. This year, there were 250 people, mainly from France but also from Belgium, Luxembourg and Switzerland (as the conference is fully organized in French). I saw a lot of familiar faces. After a short introduction by Eric Freyssinet, the chairman of CoRIIN, the single-track conference started. Here is a quick wrap-up of the presentations.
As you can imagine, all the talks focussed on forensics, digital laws, investigations, feedback from useful cases, etc. Eve Matringe, a lawyer working in Luxembourg, explained the impact of the GDPR in the context of investigations. As it was mentioned on Twitter during her talk, Eve explained with clear sentences what the impact of the data protection regulation will be once it takes effect in a few months. Not only must organizations performing investigations properly handle the data they collect, but it is pretty sure that the regulation will also be invoked by bad guys against investigators to try to nullify their cases.
The next slot was mine, I presented “Full Packet Capture for the Masses“. Here are my slides:
Thank you for all the feedback, I already started to build a list of improvements!
The next slot was assigned to the ANSSI. They presented the Microsoft BITS tool or “Background Intelligent Transfer Service“. This tool is often used by malware to download some extra payloads. It is not only a transfer tool: it can also schedule the transfers, limit the bandwidth or execute a command once the file transfer is completed. The tool can be managed from the command line (now obsolete) or from PowerShell using its API. But, with APIs, there is always a risk that a rootkit will modify their behaviour. To perform investigations around malicious BITS usage, they developed their own tool in Python to extract artefacts from the data files managed by the service. They had to reverse engineer the file format for this. The tool is available for free and can be installed using pip:
$ pip install bits_parser
The source code will be released soon on their GitHub repository. Very nice tool to add to your DFIR toolbox!
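As an added example (my own, not code from the ANSSI talk and not part of bits_parser), here is a quick triage script that uses the PowerShell BITS API described above to list the jobs of all users on a live host and flag the two traits the talk calls out as abused by malware: a command registered to run when the transfer completes (NotifyCmdLine) and a download landing in a writable location. The list of “suspicious” local paths is an assumption for this example; adjust it to your environment. Because the API itself can be subverted by a rootkit, this live view is only the first pass; the offline parsing of the queue files with bits_parser is the complement when the host cannot be trusted.

```powershell
# Added example (not from the talk, not from bits_parser): triage BITS jobs on a live host.
# Needs an elevated session: -AllUsers requires administrator rights.
Import-Module BitsTransfer

# Assumption for this example: local destinations that deserve a second look.
$suspiciousPaths = @('\AppData\Local\Temp\', '\ProgramData\', '\Users\Public\')

function Get-SuspiciousBitsJob {
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $reasons = @()

        # A command executed once the transfer completes: legitimate but rarely used,
        # and exactly the feature malware abuses to launch a freshly downloaded payload.
        if ($job.NotifyCmdLine) {
            $reasons += "post-transfer command: $($job.NotifyCmdLine -join ' ')"
        }

        # Each file of the job carries the remote URL and the local destination.
        foreach ($file in $job.FileList) {
            $hit = $suspiciousPaths | Where-Object { $file.LocalName -like "*$_*" }
            if ($hit) {
                $reasons += "download to $($file.LocalName) from $($file.RemoteName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Usage: print the flagged jobs; pipe to Export-Csv to keep a copy for the case file.
Get-SuspiciousBitsJob | Format-List
```

Keep the output (job owner, creation time, remote URLs) with the rest of your artefacts: the creation time of a job gives a timeline anchor, and the remote URL is an indicator you can search for on other hosts.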
After the lunch break, Paul Rascagneres presented a detailed review of the bad story that hit the well-known Windows tool: CCleaner. In the first part of his talk, Paul explained how the tool was compromised at the source. The attackers were able to recompile a malicious version of the tool and deploy it using the official website. He explained how the malware worked and which anti-analysis techniques were used to defeat security analysts (like using a bug in IDA – the debugger – to hide some part of the malicious code in the debugging session). The second part was a long but very interesting review of statistics gathered from the database grabbed from the C&C server. How? This was not mentioned by Paul. He just “received” the data… Some numbers were impressive: 800K hosts contacted the C&C in a period of only 4 days, and that was just 1 out of 5 C&C servers!
The next talk was very interesting feedback about the NotPetya infection that affected two organizations. Quentin Perceval and Vincent Nguyen (from the Wavestone CERT) explained how they were involved, starting from the initial attack until the complete recovery of the infrastructure. Basically, everything was destroyed and they had to rebuild from scratch. If you’re a CISO, I recommend you read their slides and watch the recorded video. Definitely!
Then, Rayna Stamboliyska explained why communication is a key point when an incident hits your organization. Communication is mandatory but, to be effective, it must be properly prepared to pass the right message to your partners/customers. Bad communication might increase the impact of the crisis. The first part was a review of the key points to communicate, while the second part was, of course, some bad/funny examples of how NOT to communicate.
Sébastien Larinier presented his personal view of the massive attacks that hit many organizations in 2017: Wannacry, NotPetya, Bad Rabbit. Indeed, everything and nothing has been said about them. From rumours to the disclosure of false information, journalists but also many security professionals failed to handle the cases properly. Sébastien explained why and gave some interesting info about them. Example: was the well-known kill-switch domain really a feature or just a bug in a malware that was released too early?
Finally, François Bouchaud closed the day with an interesting approach to performing forensic investigations that involve IoT devices. More and more criminal cases involve such gadgets. How to deal with them? For regular computers, it’s quite easy: take a memory dump and a disk image, then launch your carving and artefact-finding tools. But what about gadgets that have limited features, no interface, no storage? The challenge is to define a new chain of custody. How to perform investigations? According to François, the approach is to start from the data (“what information do I need?“) and then focus on the devices that could hold such data. A good example was given: how to determine the number of people present in a room at a certain time? We could use sensors or cameras, but also the wifi (number of connected devices) or a thermostat (the temperature will rise). Interesting approach!
That’s all for this quick wrap-up. If you are working in forensics or incident management and understand French, I really recommend this event! The next edition is already scheduled, maybe at another location to welcome more visitors! Tomorrow, I’ll visit the FIC, ping me if you’re in the area!