2019 HITCON Defense: Taiwanese Hackers vs. Corporate and Government Blue Teams
CyCraft attended the second ever HITCON Defense Summit earlier this month on Nov. 13. This year included two separate events: the Enterprise Security Offensive and Defense Competition and the Corporate Security Conference.
2019 HITCON Defense was jointly hosted by the Taiwan Hackers Association and the Industrial Development Bureau, i.e., the administrative agency of Taiwan’s Ministry of Economic Affairs and was organized by Hacks in Taiwan.
Hacks in Taiwan (HITCON) is an annual technical security conference in Taiwan that has been bringing together security analysts, researchers, specialists, and hackers from across the country since 2004. Their Capture the Flag (CTF) competitions are the talk of the local tech community. First place goes home with 10,000 USD. A technical and point system breakdown into this year’s October CTF qualification round can be found at CTFtime.
This year Rakuten, the largest e-commerce site in Japan, addressed the importance of Security Operations Center (SOC) creation in their keynote talk. Chris Liu, Rakuten Organizational Security Dept. Deputy Director, encouraged attendees to develop a layered defense strategy for both networks and endpoints. Whereas external blacklists, antivirus (AV) software, and Indicators of Compromise (IOC) are useful for identifying known threat actors, SOC specialists who incorporate machine learning (ML) with endpoint detection and response (EDR), security orchestration automation and response (SOAR), and user and entity behavior analytics (UEBA) fair far better.
GD, Rakuten Computer Emergency Response Team (CERT) Security Engineer, discussed the evolution of and reasoning behind Rakuten’s current methodology and went into further detail on how to best create effective blue teams. The Rakuten blue team consists of several smaller teams with delegated responsibilities and specialties such as corporate IT security, incident forensics and response, production monitoring, scanning, vulnerability management, and even anti-fraud.
“There is no silver bullet that can solve every security problem. Your blue team needs to deploy several defense systems, from traditional AV and NGFW (next-generation firewall) to modern EDR and UEBA, to complete your defense … these systems are the weapons for your blue team against hackers … don’t be weaponless.”
-GD, Rakuten CERT Security Engineer
Companies and organizations from across the nation pitted their blue teams against one elite red team comprised of members of the Taiwan Hackers Association. This year a high-speed 5G network router was employed to simulate a large ISP allowing participants to use real IP addresses and create a more real-world environment.
This year, blue teams hailed from not only the security industry but also telecommunications, corporate finance, industrial, and even government institutions. In addition to the myriad of malware deployed by the red team, blue teams faced memory exploits, social network attacks, non-portable executable file attacks, and other modern attacks companies face today.
HITCON Defense evolves as well. Bearing in mind the cyberattacks the Taiwan Semiconductor Manufacturing Company (TSMC) faced last year, HITCON included simulated attacks on corporate financial systems and industrial control systems, reported Taiwan News.
At the HITCON Defense Corporate Security Conference, Wave Lo, CyCraft Security Analyst, spoke on the importance of creating new evaluation methodologies for new cybersecurity solutions. While EDR has existed for several years now, on the cybersecurity timeline, it’s still a relatively young concept. Organizations considering an EDR solution for their security may know how EDR is different than AV software but aren’t fully educated on how to properly evaluate the return on investment of EDR solutions from the growing number of vendors.
“EDR is different than an AV solution. You wouldn’t evaluate a police officer the same way you would evaluate a security camera. EDR carries out many kinds of tasks; not just one. EDR learns and evolves — just like the threats we face.”
-Wave Lo, CyCraft Security Analyst
Wave Lo gave several examples of how not to test security solutions. Testing EDR with dormant malware detection wastes precious time and resources that can be better allocated elsewhere. Dormant malware itself typically doesn’t alter normal system or network behavior. Advanced EDR models, such as CyCraft’s managed, detection and response (MDR) solution, track behavior and help SOCs construct the attack’s storyline.
Wave continued, using red teams to evaluate firewall or AV solutions also wastes precious SOC time and resources since most firewall and AV solutions are based on pattern recognition, and therefore have difficulty protecting against unknown threats, such as skilled hackers or red teams, where EDR is needed most.
The term Endpoint Threat Detection and Response was first coined by Anton Chuvakin of Gartner in 2013 to give a “generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints”. In 2015, it was shortened to EDR.
EDR is more than a trending keyword. With the incorporation of ML and artificial intelligence, EDR has been coined as the “next generation” of cybersecurity technology. It’s not just a marketing term; it’s the truth.
According to Ponemon Institute’s 2018 State of Endpoint Security Report, confidence in traditional AV solutions continue to drop. On average, the 660 IT security professionals surveyed estimate AV products missed 57 percent of attacks. As Wave Lo explained at HITCON Defense, AV solutions are virtually useless against zero-day and file-less attacks. As more and more cyberattacks bypass firewall and AV solutions, the demand for EDR will continue to see growth. The 2018 Cost of Data Breach Study, also conducted by Ponemon Institute, revealed that the average dwell time for an organization to detect a data breach increased from 191 days in 2017 to 197 days in 2018. As attacks grow more sophisticated and subtle, and the dearth of security talent continues, turning to ML to drive the next wave of EDR and MDR has been the prudent course of action.
At CyCraft, we harness ML to automate SOC operations, forensics, detection, and response for Fortune Global 500 companies, national governments, and small to mid-size enterprises with MDR, AI-driven investigations, incident response, threat hunting, and remediation solutions.
Recently, one of the four largest fabless semiconductor companies, with over 7.7 billion USD in annual revenue and over 25 global branches, leveraged CyCraft’s cutting edge CyCarrier AIR platform security solution and reduced the time of an exhaustive cybersecurity due-diligence investigation of a recent acquisition from several months to a matter of days — reducing investigation time by 99 percent.