SESSIONS

Fal.Con UNITE 2017 is packed with learning sessions that will leave you better informed, inspired and ready to take on your ever-advancing adversaries.

A final roster of learning sessions will be provided in October, at which time you can choose topics that best serve your learning goals.

Learning sessions will address topics such as:

//Porosity: Decompiling Ethereum Smart Contracts

Ethereum smart contracts are code that is executed on every node of the decentralized Ethereum blockchain network. When connected together, they form the distributed applications (Dapps) that power an emerging “Internet of Value.” Contracts themselves are stored on the blockchain so that everyone can be certain they will generate the exact same output without relying on a central server (or single company) to own that application.

Most Ethereum developers write smart contracts in Solidity, a high-level (human-readable) programming language that resembles JavaScript. While Solidity is not the only language that targets the Ethereum Virtual Machine (EVM) — for example, the Python-like Viper is being developed by Ethereum’s creator Vitalik Buterin — for now, Solidity is by far the most widely used.

Software has bugs; smart contracts do too.

Prior hacks on the Ethereum network, such as the 2016 DAO theft or the recent Parity multi-sig wallet compromise, resulted from poorly written Solidity code that introduced vulnerabilities, which hackers exploited to steal funds from other Ethereum users — not from compromises of the underlying blockchain protocol or cryptographic weakness.

Because of the perceived insecurity of Solidity, so far most tools have focused on scanning Solidity source code, which is assumed to be available. For example, frameworks like Open Zeppelin combine automated scanning for known issues with human review to build a library of “safe” contracts, but tools like this are only helpful if developers choose to submit their code for review.

Once a smart contract is compiled to EVM bytecode and launched on the Ethereum network, however, there is currently no verified way to go back and ensure that code is safe. As new vulnerabilities are discovered, one cannot retroactively identify affected smart contracts unless the developers have retained their own source code or shared it with the world.

Porosity is the first decompiler that generates human-readable, Solidity-syntax smart contracts from any EVM bytecode. Because compiled smart contracts are all world-visible on the Ethereum network, this means that all contracts can now be reviewed at any time. Once reversed, the code can be scanned to check for susceptibility to new attacks or to ensure adherence to changing best practices. Porosity removes a major roadblock to interacting with contracts of unknown origin and helps further the “trust but verify” blockchain thinking.

//Learn New Lateral Movement Techniques

When an attacker lands inside a network, pivoting is almost always required to achieve their objective. Attackers and red teamers alike have historically relied on the same techniques for lateral movement. Until recently there has been little innovation in lateral movement tradecraft, so detections have generally stagnated. This talk will highlight several new lateral movement techniques that allow adversaries to “fly under the radar.” It will also provide insight into both the internals of the techniques and their various host-based indicators.

//GOTHIC PANDA: Criminal to Contractor

This session will give an overview of the adversary GOTHIC PANDA, covering its history from the suspected eCrime days, through the migration to sophisticated operations and economic and defense targeting, to the shift to political targeting with LEGCO. It will examine parallel activity with other actors and assess the China/U.S. Cyber Agreement and the shift to contractors. It will also give an overview of current actor activity attribution, including identified details and rumored Boyusec links, as well as the future outlook.

//Case Study: Automating Work Flows Using the Falcon Platform

The session will present a case study from Canadian Pacific Railway that discusses using the Falcon platform to automate many workflows. The session will give an overview of what the customer learned and how the Falcon platform helped them.

//Subverting & Restoring Trust in Windows

In the context of computer security, what is trust and what does it mean to you and your organization? While clearly a subjective term, trust should form the basis of what we permit and deny in our enterprise. Trust can also be explicit or implicit and security products exist to cater to both models, specifically, application whitelisting and EPP/EDR solutions, respectively. Additionally, threat hunters and incident responders require a definition of trust so as to be able to quickly make benign versus suspicious classifications during the course of an investigation.

As for the implementation of trust, code signing plays a large role. That said, what does it mean for code to be signed? What certificates should be considered trusted? What are the technical means by which digital signatures are validated against trusted certificates and how might an attacker subvert the process? What are some of the common assumptions security tools and users of security tools make when it comes to trust validation?

All of these questions in the context of Microsoft Windows will be addressed. By the end of this talk, the audience will understand the Windows trust architecture, how it can be subverted, and how to mitigate/detect subversion attempts. Finally, everyone will walk away with an appreciation of trust and the challenges involved in its validation.

//Beyond the Hype: Machine Learning in Practice

Machine Learning (ML) is a hot topic in the security space. As far as anti-malware is concerned, most vendors now claim to have ML capabilities, and several new players that are purely ML-based have entered the scene. This session takes a step back from the hype to look under the hood and examine how ML works, where it can help, and what its limitations are.

//An Inside View of the Final Kelihos Botnet Takeover Operation

In April 2017, there was a joint operation between private industry and law enforcement to seize control of the Kelihos peer-to-peer (P2P) botnet and arrest the primary individual behind the criminal enterprise. Kelihos was operated by Peter Levashov (aka Peter Severa), who was also the mastermind behind the Storm and Waledac P2P botnets. Despite four prior disruptions by researchers, Kelihos was recreated in each case with modifications that made the botnet more resilient to attacks, allowing it to prosper for many years. This presentation will provide a brief history of Severa’s criminal activities that spanned more than a decade, and focus on how CrowdStrike was able to collaborate with law enforcement to take over Kelihos for presumably the final time.

//Untangling the Carbon Spider Web

CARBON SPIDER (aka Carbanak) is an eCrime group that has been around since at least 2013. As part of the CrowdStrike Falcon Intelligence™ team, the speaker for this session has tracked this group from late 2015 to the present. This session will cover the evolution of CARBON SPIDER from its early days targeting Russian banks to current point-of-sale (POS) campaigns against the Western hospitality sector. It will examine its tactics, techniques and procedures (TTPs) and compare the possible subgroups and campaigns of this adversary to better understand whether it is a single group or multiple subgroups. This session will also discuss other targeted financial campaigns with possible links to CARBON SPIDER and what those links are based on. The session will demonstrate the advantages of combining teams from Falcon Intelligence, CrowdStrike Services and Falcon OverWatch™ to better tackle an advanced adversary.

//Attributing WannaCry

This presentation will take the audience back to early 2017, months before the WannaCry outbreak, and provide analysis showing that the ransomware attack was a well-crafted, carefully planned operation, executed in different phases. Malware components were developed individually and incrementally, tested separately, and finally combined into a highly effective, self-propagating WannaCry package. All these components carry hallmarks characteristic of malware forged by North Korean state-sponsored actors.

Leveraging a vast malware database and special search capabilities, additional evidence was recovered that corroborates the attribution of this attack to North Korea. The session will describe what makes this malicious program unique, and how technical artifacts can support attribution theories. It will further explain why the widely discussed “kill switch” is a feature any attacker would want in such malware. The presentation will conclude with a discussion of how state-sponsored criminal operations like WannaCry change the way we should think about the threat landscape.

//Memory Integrity Helps You Sleep at Night

DFIR and associated DevOps workflows can be tedious, ambiguous and especially exhausting. Knowing when you have done “enough” or whether you have investigated “everything” can be daunting, even for the most skilled and experienced professional, as the pace becomes increasingly rapid.

This session demonstrates new open source tools designed to save time so that busy IT security professionals can focus on other core objectives — the “good stuff” — with tools that are easy to use, create near-zero administrative overhead and deliver exceptionally high levels of assurance. During this session, we’ll investigate strongly typed (native reflection) access to physical memory that can read/write and lets you toy with suspended hypervisors (including nested ones) without having to configure any debugging or support from Windows (configuring a debugger changes kernel behavior, which may be the very thing you want to look at).

This session will also cover how to reduce terabyte-scale forensic memory analysis backlogs (by several orders of magnitude) in minutes. Using sub-page granularity, in most cases you wouldn’t have to RE/disassemble more than 256 unknown bytes to qualify risk and exposure.

Aspects of how to compensate for “Gargoyle”-style ROP/wait-event-timer persistence techniques will also be shown to be highly applicable. In the case where an attacker can only perform data-based (token or other) attacks against your systems, a succinct set of code integrity procedures (complementing other security infrastructure) will give you assurance that your SIEM is working and that you didn’t miss anything en masse.

Security Insights and Trends Sessions

//The Latest Trends in Cybersecurity

Globally, organizations are faced with the daunting task of staying secure in a world where threats continue to grow in number, frequency and sophistication. This session offers an overview of the latest trends shaping the cybersecurity field, and shows you how new technology and innovation — by both defenders and attackers — impact your organization and industry sector. You will also learn how to turn these trends to your advantage to improve your organization’s security posture.

//Cyber Threat Landscape

In an ever-changing threat landscape, security teams are struggling to understand who the top threat actors are and how to stop them. Threat intelligence should be the driver behind your cybersecurity strategy. This crucial information is invaluable for organizations looking to update their response and detection programs as they defend against increasingly sophisticated adversaries.

//Attack Scenarios: Phishing E-Mails and Web Exploits

Learn how to use the Falcon platform to detect, prevent and remediate email phishing attacks and web exploits, and how CrowdStrike Services consultants used these techniques in actual incident response engagements.

//Advanced Persistent Threats

This session will provide an update on the top threat actors and the tactics, techniques and procedures (TTPs) behind the most advanced attacks. We will also discuss best practices for leveraging intelligence to protect your networks and endpoints.

//Customer Case Study

A prominent CrowdStrike customer in the retail industry will give an overview of the threat hunting program the company established around the CrowdStrike Falcon platform. Find out why establishing a proactive hunting capability was so important, what its objectives were, and what hurdles and challenges were faced. The customer will also share how CrowdStrike helped the company accomplish its goals, what it achieved and what was learned from deploying the next-generation Falcon platform.

Falcon Platform Technical Sessions

//Attack Scenarios: Malware-Free Attacks and Ransomware

Learn how to use the Falcon platform to detect, prevent and remediate malware-free attacks and ransomware, and how CrowdStrike Services incident response teams leveraged these capabilities in real customer engagements.

//Investigation Fundamentals

Learn how to use the Falcon platform to investigate a potential compromise. Discussions will include the kinds of data the Falcon platform captures, how to access this data through the Falcon platform interface, and which Falcon platform apps are most effective for different investigation types. A CrowdStrike Services consultant will provide details on actual intrusion investigations performed using the Falcon platform.

//Prevention Fundamentals

Learn how to use the Falcon platform prevention features, how they work, and configuration options to optimize your organization’s security posture. A CrowdStrike Services incident responder will relate real-life experiences about using Falcon prevention features to disarm threats and prevent breaches.

//Intermediate Level Training: Falcon Platform for Responders

This optional training will be offered for an additional fee of $1,250, selected through the registration process. This intensive 4-hour course will take place on Wed., Nov. 8, 2017, at 1:30-5:30 p.m.

This CrowdStrike 200 level technical training offers an intermediate-level curriculum designed to expand your knowledge beyond the basics and allow you to gain more value from the Falcon platform by developing intermediate analyst response skills, using Falcon Insight™ to accelerate response to detected incidents. Everyone who completes the training will receive a certificate of completion that can be submitted for CPE credits.

Additional sessions will be announced at a later date.