JSAC2023 -Day 2 Workshop-
We continue to introduce the talks at JSAC2023. This third issue covers the workshops on Day 2.
Surviving the hurt locker: or How I Learned to Stop Worrying and Love the Bom
Speakers: Simon Vestin, Manabu Niseki (LINE)
Simon and Manabu explained the SBOM (Software Bill of Materials) and gave a hands-on session on writing a program that generates one. An SBOM is a list of the components that make up a piece of software or a system. They explained that SBOMs are used for license compliance and vulnerability management, and that there are multiple standards and types. They also described how to create an SBOM, both by modeling it manually and by automating it with tools.
- DIY
  - CycloneDX/cyclonedx-python-lib
    https://github.com/CycloneDX/cyclonedx-python-lib
- Tools
  - microsoft/sbom-tool
    https://github.com/microsoft/sbom-tool
  - anchore/syft
    https://github.com/anchore/syft
The hands-on session of this workshop was conducted in an environment built with VS Code and a devcontainer. Program templates based on the Python library cyclonedx-python-lib were prepared, and the participants worked on the functions that had been left unimplemented. The following five hands-on challenges were provided, and an SBOM was generated for each.
- Parsing requirements.txt (Python)
- Parsing gradle.lockfile (Java / Gradle)
- Site package based SBOM generation (Python)
- Runtime SBOM in Java
- SBOM based vulnerability detection with OSV
The contents of the workshop and the devcontainer used in the hands-on session are available on GitHub below:
https://github.com/ninoseki/jsac2023-sbom-workshop
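As an added example (not the workshop's own template code, which uses cyclonedx-python-lib), the first and last challenges chained together: a pinned requirements.txt is parsed into a minimal CycloneDX JSON BOM, and its components are then turned into the request body for the OSV querybatch API. The requirements content and package names and versions are constructed sample values; no network call is made.

```python
# Added example (not the workshop template): pinned requirements.txt ->
# minimal CycloneDX 1.4 JSON BOM -> OSV querybatch body. Standard library
# only, so the structure of both documents stays visible.
import json
import re
from urllib.parse import quote

# Constructed sample input: comments, a blank line, an extras marker,
# an environment marker and an inline comment.
REQUIREMENTS_TXT = """\
# web stack
requests==2.28.1
urllib3[socks]==1.26.12 ; python_version >= "3.7"

pyyaml==6.0   # loader for Sigma-style rule files
"""

# name, optional [extras], '==' pin; version stops at space, ';' or '#'
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s;#]+)")


def parse_requirements(text):
    """Return (name, version) pairs for '==' pins; skip comments, blanks, unpinned lines."""
    pins = []
    for raw in text.splitlines():
        m = PIN_RE.match(raw.split("#", 1)[0].strip())
        if m:
            # PEP 503 normalisation: case-insensitive, runs of -_. become '-'
            pins.append((re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)))
    return pins


def to_cyclonedx(pins):
    """Minimal CycloneDX 1.4 JSON BOM; each component carries a PyPI purl."""
    components = [{"type": "library", "name": n, "version": v,
                   "purl": f"pkg:pypi/{quote(n)}@{quote(v)}"} for n, v in pins]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "version": 1, "components": components}


def to_osv_querybatch(bom):
    """Body for POST https://api.osv.dev/v1/querybatch, one query per component."""
    return {"queries": [{"package": {"name": c["name"], "ecosystem": "PyPI"},
                         "version": c["version"]} for c in bom["components"]]}


if __name__ == "__main__":
    bom = to_cyclonedx(parse_requirements(REQUIREMENTS_TXT))
    print(json.dumps(bom, indent=2))
    print(json.dumps(to_osv_querybatch(bom), indent=2))
```

The OSV response lists matching vulnerability IDs per query in the same order as the components, so the result can be mapped straight back onto the BOM.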
Detection engineering with Sigma: Defend against APT targeting Japan
Speakers: Shota Nakajima (Cyber Defense Institute), Rintaro Koike (NTT Security Japan)
Shota and Rintaro conducted a workshop on creating Sigma rules using publicly available TTPs based on case studies in which Japanese organizations and companies were targeted. Sigma is a generic signature description format applicable to a variety of logs and can be converted into search queries (detection rules) for various products. In the workshop, they said the rules can also be applied to VirusTotal’s sandbox logs. After explaining the format of Sigma rules, they shared the following tools, which can process Sigma rules.
- Chainsaw
  https://labs.withsecure.com/tools/chainsaw
- Zircolite
  https://github.com/wagga40/Zircolite
- Hayabusa
  https://github.com/Yamato-Security/hayabusa
- Uncoder
  https://uncoder.io/
- VS Code Extension
  https://marketplace.visualstudio.com/items?itemName=humpalum.sigma
In the hands-on session of the workshop, the participants analyzed Sysmon logs and wrote Sigma rules, using the VS Code Extension to write them. With Chainsaw, a Windows event log analysis tool, the participants then checked whether the Sigma rules they had created could actually be used for detection. The following attacks targeting Japan were used as the examples for which Sigma rules were created.
- LODEINFO DLL Side-Loading
- Operation RestyLink LNK file
- Lazarus Operation SnatchCrypto VHD and Files
- TA410 FlowCloud
- BlackTech HPIDoor
The instructors said that when creating Sigma rules it is necessary to understand the characteristics of an attack that are hard for the attacker to change, rather than relying on IoC information such as hash values and network indicators.
In Closing
On February 20, 2023, “After JSAC 2023” was held, and the Best Speaker Award and the Special Recognition Award were presented. The Best Speaker was selected based on a survey of participants. This year, the Special Recognition Award was newly created, and its recipient was selected by the CFP Review Board. The awardees are as follows:
Best Speaker Award
Title: New Research Methods to Predict Attack Trends Using Public Information
Speaker: Yutaka Sejiyama (Macnica)
Special Recognition Award
Title: How Do We Fight against Evolving Go Language Malware? Practical Techniques to Increase Analytical Skills
Speaker: Tsubasa Kuwabara (FFRI Security)
I would like to thank all participants of JSAC2023 and everyone who read this report.
Kengo Teramoto
(Translated by Takumi Nakano)