Infosecurity Europe 2021: Day 3

Notes and thoughts

Infosecurity Europe 2021 is an online conference organized and hosted by Reed Exhibitions. It is split into two parts:

  • Virtual/Live Sessions: 13-15 July
  • On-demand Sessions: 16-29 July

Please, find my notes from the last day below.

If you missed the first or second day, check my other articles.


  1. Introduction
  2. Aston Martin's Road to Zero Threats by Robin Smith
  3. Tackling Ransomware Head On: How Microsoft is Disrupting the Criminal Networks by Marja Laitinen, Sarah Armstrong-Smith
  4. 4 Ways Attackers Sidestep Endpoints by Scott Walker
  5. Advanced Attack Simulation by Pavel Mucha
  6. Additional readings

Aston Martin's Road to Zero Threats by Robin Smith

  • five pillars (framework) of Aston Martin's intelligence approach
    • identify
    • protect
    • detect
    • respond
    • recover
  • if cybercrime were classified as a country, it would rank higher than 183 countries (13th place in the global revenue ranking)
  • when does Cyber Intelligence fail?
    • failing to act on gathered information
    • not prioritizing fixes
    • failing to verify and update threat feeds
  • Threat-Led Security Testing
    • Bank of England and CREST launched the CBEST and STAR testing frameworks in 2014
    • CBEST introduced a codified, detailed and threat-led approach to conducting security testing
    • goals:
      • realistic tests based upon evidence of threats observed in the wild
      • tailored to the organization
      • hold organizations accountable for test findings and highlight areas to improve resilience
      • broader in scope than a standard pen test and often focused on critical functions where applicable
  • CTIM Model
    • based on the existing intelligence management process within law enforcement
    • focused on producing actionable intelligence and products for review
    • harmonizes with management planning and business development
    • agile and lean to ensure resource management

Tackling Ransomware Head On: How Microsoft is Disrupting the Criminal Networks by Marja Laitinen, Sarah Armstrong-Smith

  • Microsoft Digital Crimes Unit, strategy and area of focus
    • Business Email Compromise
    • Azure Fraud
    • Malware
    • Ransomware
    • Online Child Exploitation
    • Tech Support Fraud
    • Business Operations Integrity
  • ransomware continues to be the most common reason behind Microsoft incident response engagements (2019/10 - 2020/06)
  • cybercriminals perform massive, wide-ranging sweeps of the internet for vulnerable entry points, then use that access at the most advantageous time to strike
  • in some incidents ransomware spread across the entire network within 45 minutes, counting from "patient zero"

| Commodity Ransomware | Human-Operated Ransomware |
| --- | --- |
| Targets individuals | Targets the entire company |
| Pre-programmed attacks that are best-effort | Customized attacks driven by determined human intelligence |
| Opportunistic data encryption | Calculated data encryption and data exfiltration |
| Unlikely to cause catastrophic business disruption | Guaranteed to cause catastrophic and visible business disruption |
| Successful defense is malware remediation | Successful defense is adversary eviction |

  • what a human-operated ransomware operation looks like
    • client attacks (email, a browser, etc.)
    • datacenter attacks (SSH, RDP, etc.)
    • attacker gains access to the organization; lateral movement and spreading begin
    • looped until elevated access is found: credential theft and malware installation
    • attacker gains administrative permissions
    • data exfiltration
    • data encryption
    • backdoor installation
    • extortion and ransom demands
  • the security goal is attacker disruption
    • increase the attacker's costs at the lowest possible cost to you
  • paying the ransom won't prevent the attacker from staying inside your network
  • priorities of ransomware protection
    • prepare for the worst - recover without paying
    • limit the scope of damage - protect privileged roles
    • make it harder to get in - incrementally remove risks
    • secure backups and test them
    • use MFA
  • Human-Operated Ransomware Mitigation Project Plan

4 Ways Attackers Sidestep Endpoints by Scott Walker

  • example: the Fortinet FortiOS system file leak (CVE-2018-13379), which reveals plaintext passwords and is tied to the same Fortinet vulnerable IPs list
  • the current dark marketplace is dominated by initial access for sale: some people only find the entry points into an organization without committing to exploiting them, while another group doesn't want to spend time searching for entry points themselves and is willing to buy that information
  • popular gateway vulnerabilities
  • well, it is very hard to keep up with zero-days and CVEs, so...
  • are you ready to be compromised?
  • it only takes one person being tricked to have a malicious actor inside your network
  • how can you make your Microsoft 365 Applications more secure?
    • watch out for guest accounts and unsuspecting administrators
    • Graph API can be used to make changes - be aware of that
  • don't give new employees more access than they need
    • Tesla, December 28, 2020 example: an employee started uploading files to his personal Dropbox account almost immediately after being hired
  • sometimes files are not necessary to gather valuable information; directory names can be sufficient
  • one example of pulling data out of the network is to set up a web server and retrieve the data via HTTP requests
  • another is DNS tunneling
  • the biggest AD vulnerability to this day: Zerologon
    • 80% of Ryuk infections were introduced using this vulnerability
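The DNS tunneling exfiltration path mentioned above, seen from the defender's side, as an added example that is not from the talk or this post: a small detector over a constructed DNS query log that flags zones a single client queried with many distinct, unusually long subdomains, which is how encoded data leaves over DNS. The log format, zone splitting and thresholds are assumptions, and a production detector would add label entropy and query volume checks on top.

```python
from collections import defaultdict

# Constructed sample DNS query log (not from the talk): "<client_ip> <queried_name>" per line.
# 10.0.0.7 queries long, random-looking subdomains under one zone, as a tunneling client would.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 www.example.com
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net
10.0.0.7 nbswy3dpfqqho33snrscaylsmuqhs33v.t.example.net
10.0.0.7 onswy3dpfqqho33snrscaylsmuqhs33vfqqhg.t.example.net
10.0.0.7 ifbegrcbjbcuss2kjnfwk.t.example.net
10.0.0.9 cdn.example.org
"""

def split_name(qname: str) -> tuple:
    """Naive split into (subdomain, zone): the last two labels are treated as the zone.
    A production detector should use a public-suffix list instead (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze_dns_log(log_text: str) -> dict:
    """Per (client, zone): the distinct subdomains seen and the longest subdomain."""
    stats = defaultdict(lambda: {"subdomains": set(), "max_len": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts
        sub, zone = split_name(qname)
        s = stats[(client, zone)]
        s["subdomains"].add(sub)
        s["max_len"] = max(s["max_len"], len(sub))
    return stats

def suspicious_zones(log_text: str, min_unique: int = 3, min_len: int = 30) -> list:
    """Zones some client queried with many distinct, long subdomains: a tunneling signal."""
    flagged = set()
    for (client, zone), s in analyze_dns_log(log_text).items():
        if len(s["subdomains"]) >= min_unique and s["max_len"] >= min_len:
            flagged.add(zone)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_zones(SAMPLE_DNS_LOG))  # ['example.net']
```

Ordinary hostnames (www, mail, cdn) never reach the thresholds, so only the zone abused by 10.0.0.7 is reported; tune `min_unique` and `min_len` against your own baseline before alerting on them.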

Advanced Attack Simulation by Pavel Mucha

That was the single most interesting session of the whole three days. The way Pavel was speaking was very engaging. Unfortunately, the platform streamed the demo he was doing in awful quality. I'm in contact with Cybereason to get this demo in better quality.

Update: here is an older recording that Pavel provided me; still amazing.

Additional readings

This is part of the Infosecurity Europe 2021 series. Follow the links below to read about the other days.