Firstcon22 Conference with Ransomware and Ukraine

Firstcon22 hits the security itch in Dublin’s National Convention Centre

Firstcon22 as the Security Industry’s premier event was held in Dublin from June 26th to July 1st 2022. I attended the final two days and was greatly impressed by the content of the talks, the quality of attendance and the event’s organization by the first.org team. As I made my way around the exhibition area, I stopped at Sentinal One where PJ Norris delivered a shining account of their product efficacy on today’s systems.

My first interview of the day was with Viktor Zhora, Head of the State Service of Special Communications and Information Protection of Ukraine (aka. SSSCAP). Viktor along with Johann and Yeuhenilia from his InfoSec team were also present. As 1 of 10 Ukrainian State Agencies, their mission is basically to secure Ukrainian state data resources, and state communication along with supporting cryptographical services for the state of Ukraine.

I was impressed by Viktor and his team’s commitment to Ukraine where sheer determination and know-how will see a better future for their people. Interestingly, Ukraine also overhauled their laws to allow state information to leave Ukraine for up to 6 months and is seeking out partners in the west to collaborate and brainstorm new solutions to their existing challenges.

When I asked Viktor what statement he has for us readers in the west, he said ‘We in Ukraine need more economic, political and military support to defeat our enemy who has the benefit of more numbers, resources and long-range weapons’. Viktor also made a great point on international security cooperation saying that the Russian Federation is behind some serious cyberattacks in recent years. As such a threat is faced by us all in the world, we should tell tyrants that we free peoples will stand together no matter where we are from under a www.freeworld.web umbrella.

Next up was the Rise of Vermillion and cross-platform Cobolt beacon strikes by Intezer’s Ryan Robinson and Avigayil Mechtinger. Cobolt Strike version 4.5 was released in February 2022 and is a popular choice in its pirated form for hackers to use primarily against windows-based systems.

It was noted as being used in the Russian APT cyberattack. Whilst a windows-based hacking tool, it also can also be used against Linux systems. What researchers found in their detection of Vermillion was the presence of code known to originate from Cobolt Strike, a windows centric attack tool. This along with previously unknown code makes Vermillion particularly interesting as this new codebase requires considerable funding and support to develop for bad actors.

After the Hall of Fame awards, my next talk was by Google’s John Stone where baseline challenges designed to educate the team on security were deemed the best approach to take in red-blue exercises. My last talk of the day was by Christian Folini of OWASP who gave a detailed background into the great work OWASP volunteers do and their ongoing challenges in turning security researcher findings into OWASP security rules.

The final day for me was primarily on Ransomware. I attended the Ransomware talk by Tony Kirtley, Director of Incident Command at SecureWorks. Tony talked about Ransomware and the stages of grief a company goes through during an attack. The key notion of good communication and solution-focused leadership in incident response shone through.

Afterwards, I interviewed Tony and Jeffrey James Bryan Carpenter, Senior Director of Threat Intelligence and Incident Response at SecureWorks on Ransomware as a Service. Tony outlined the use of access brokers who specialise in gaining access to your systems and then give that access to an affiliate who delivers the ransomware to the targeted system.

He advised me that SecureWorks research shows 80% of bad actor access in 2021 was engineered via web exploits, credential compromise and phishing attacks. There is no easy fix to such a serious attack as this ‘Ransomware As A Service’ model seems to scale well for cybercriminals cooperating with each other for a cut of the spoils. Tony recommends that if you are the victim of such an attack, the first thing to do is not panic.

He then recommends you call in specialists on Ransomware who will guide you in your incident response and system remediation. It’s important to note that how you deal with each other during an attack is as important as the actual system recovery itself.

The conference finished on a high with a keynote speech by Professor Vic Bains who talked about rhetoric in security and how words matter. Critical thinking and effective communication were strongly featured in her speech. Leaving the event, I can say the qualitative lineup in such a condensed timeline was truly impressive and suspect it’s nothing new to those attending Firstcon events.

John Mulhall @johnmlhll is a writer with Irish Tech News for over 5 years and also a DevOps and Infrastructure Engineer specialising in cloud-related technologies. You can learn more about John at https://maolte.ie.

See more stories by John here.