hack.lu 2023

Thomas Chopitea

Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US


Sessions

10-17
17:55
30min
Yeti - old dog, new tricks
Sébastien Larinier, Thomas Chopitea

Yeti is an opensource platform dedicated to the curation and management of operational threat intelligence,
geared towards incident responders and forensic practitioners. It's written in Python and maintained since ~2017.

It consists of several modules:

  • a graph database & search engine
  • a threat feed ingestion engine
  • a data enrichment module (e.g. sandbox information, domain resolution, IOC extraction...)
  • Signature management (YARA, Sigma, etc.)
  • High-level entity management (Threat actors, TTPs, Campaigns) to tie everything together in a neat graph database.

Yeti has existed since 2017, and is used both in industry and academia, and has
recently been undergoing several big changes, which we would like to present at
CTI-Summit 2023:

cti-summit
Salle Europe
10-19
14:00
120min
Full Stack Forensics with FOSS
Sébastien Larinier, Thomas Chopitea

This workshop will showcase a suite of free and open source tools to leverage
threat intelligence in DFIR investigations. Participants will be setting up a
full forensics pipeline, including collection (GRR), processing
(Plaso) and analysis (Timesketch), and orchestration
(dfTimewolf). In addition to that, they'll be using Yeti to augment
their processing and analysis with threat intelligence.

Thw workshop will last two hours and is open for anyone to attend. Experience
installing packages on Linux and using the Linux CLI in general is required.
Experience running and managing Docker containers would be a nice addition.

Participants will be given an initial list of Docker containers to pull and set
up before the workshop

[UPDATE] Here's the list! https://docs.google.com/document/d/1TKqOleH2rdtPjybUt3PYybJ7RrH59kqaHnmywJhRPGk/preview

[UPDATE2] Here's the slides with the links to everything: https://docs.google.com/presentation/d/1_IIhazlZF4Nxa_fn4YJ0SieFPJGzP91OwuAO4LIUWOg/edit#slide=id.g24fcb0d3240_0_70

hack.lu
Schengen 1 and 2