XVI STIC Conference: 5 trends in Cyber Security highlighted by our analysts for 2023

Félix Brezo Fernández    12 December, 2022

The CCN-CERT STIC Conference has been a classic security event at the end of the year for more than a decade. Held between 29 November and 1 December 2022 at the Kinépolis in Madrid, the National Cryptologic Centre has once again organised an event with several rooms in parallel and a multitude of talks.

This year’s topics ranged from regulatory issues to Threat Intelligence research with a geopolitical slant and a clear defensive focus on threat modelling and the value of people as fundamental elements in defensive management. 

This year Telefónica Tech Cybersecurity & Cloud was represented by the Threat Intelligence Platform & Reports team, who attended the event to take note of the trends, TTPs and threats that the different manufacturers and suppliers have flagged for 2023.

In this regard, in this article, we have compiled a chronicle of the talks of greatest interest to our team of analysts.

Cyber Intelligence in the National SOC Network: Telefónica Tech a leader in sharing

One of the main elements of the conference revolved around Cyber Intelligence Sharing (CIS). The second day’s talks revolved precisely around the National SOC Network (RNS) project sponsored by the National Cryptologic Centre itself.

The initiative aims to be a focal point for the sharing of cyber-intelligence at national level and makes available the information known and reported on security events identified in the different national SOCs.

Each event reported to the platform is rated according to the nature of the information shared, using criteria that reward events describing the specific tactics, techniques and procedures observed in them, as well as detection rules (Yara, Snort, STIX, etc.) for similar behaviour.

Telefónica Tech Cyber Security & Cloud is the organisation that leads the ranking in terms of contributions since the beginning of the project

Telefónica Tech definitively joined the initiative at the beginning of September and the work carried out by our colleagues has been explicitly recognised by the CCN-CERT at the conference for clear reasons: Telefónica Tech Cyber Security & Cloud is the organisation that leads the ranking in terms of contributions since the beginning of the project. The effort made to integrate the information generated from different services of the Digital Risk Protection, malware or SIEM teams is bearing fruit in an activity that, moreover, is publicly recognised by public bodies such as the Cryptologic Centre itself.

Supply chain and industrial environment security: a strategic priority

The sophistication required to carry out supply chain attacks shows that the structures and resources needed are far from being accessible to lone adversaries. Although MITRE's earlier definitions of supply chain attacks did not focus as much on the supply chain itself or on mitigation, in July 2022 MITRE proposed the System of Trust (SoT), a methodology for monitoring supply chain risks in an objective manner.

At the same time as integrating security controls that take supply chain risks into account from their design, at Telefónica Tech Cyber Security & Cloud we have promoted several initiatives with different organisations that focus on another environment: industrial control systems, which MITRE also covers in its ICS (Industrial Control Systems) matrix.

Proprietary solutions such as Aristeo aim to facilitate the task of identifying attack patterns related to these environments which, by their nature, have higher barriers to entry than conventional ones.

In the Aristeo project, industrial decoys (honeypotting) are used to attract attackers, extract information, and generate intelligence to help protect our clients

The complexity involved in emulating complete plants and industrial centres at Telefónica Tech Cyber Security & Cloud, and the wide variety of systems and platforms under control, make understanding how they work and how they interact a necessary first step in securing these systems.

Cyberspace as a battlefield

The importance of cyberspace as a scenario that cannot be ignored when planning national defence strategies was present throughout the conference.

If around 2015 it was the Asian countries that were reorganising their military structures to equip themselves with offensive cyber capabilities, the current geopolitical reality shows that the trend will not be reversed; on the contrary, it reinforces the thesis of those who argue that cyberspace must be treated as a space in which to be present, given the large number of connected critical infrastructures.

Cyberspace has been called the "fifth domain", of equal strategic importance to land, sea, air and space

The existence of units that, in many countries, increasingly operate as regular soldiers, with physical bases in which to train and operate, drives the growth in cyber capabilities that must be answered from a purely defensive standpoint, on the understanding that the sophistication of these adversaries can escalate the greater the interest of their sponsors.

Behaviour as an Indicator: Tactics, Techniques and Procedures

The security incidents analysed by our colleagues in the Threat Hunting and Digital Forensics and Incident Response units share a common characteristic: attackers are increasingly agile in deploying new infrastructure and using specific tools in each incident. These capabilities highlight a reality that forces defensive teams to treat observables (IP addresses, domains, files, etc.) as elements with an increasingly short life cycle and a diminishing capacity to detect offensive actions, precisely because they are so tightly bound to specific incidents in a very specific time frame.

This trend, already observed by our own teams, is pushing threat modelling towards behavioural indicators: attack patterns and tools used to describe the behaviour of malicious actors linked to both common cybercrime and advanced persistent threats.

Thus, terms such as TTP and attack pattern, and threat modelling schemes based on standards such as STIX 2.1, will become increasingly common, and the generation of intelligence that allows teams to act ahead of attackers when defending infrastructure will become more and more important.
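To make the contrast between short-lived observables and behavioural indicators concrete, here is an added example (not from the original article or from Telefónica Tech) that builds a STIX 2.1 bundle with the standard library only: one indicator on an IP address with a one-week validity window, one behavioural indicator on a process pattern with a one-year window, both linked by an `indicates` relationship to an attack-pattern object referencing ATT&CK T1059. The IP address, process names and validity periods are constructed sample values.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone


def _stamp(t):
    # STIX 2.1 timestamps are UTC in RFC 3339 form with a trailing Z
    return t.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _obj(stix_type, t, **fields):
    # Common properties every STIX 2.1 domain/relationship object carries
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}",
           "created": _stamp(t), "modified": _stamp(t)}
    obj.update(fields)
    return obj


def build_bundle(now):
    """Model one incident: an attack pattern plus two indicators of differing lifespan."""
    ap = _obj("attack-pattern", now, name="Command and Scripting Interpreter",
              external_references=[{"source_name": "mitre-attack", "external_id": "T1059"}])
    # Observable bound to this incident only (sample IP from the documentation range)
    ip_ind = _obj("indicator", now, name="C2 address seen in incident (sample)",
                  indicator_types=["malicious-activity"], pattern_type="stix",
                  pattern="[ipv4-addr:value = '192.0.2.10']",
                  valid_from=_stamp(now), valid_until=_stamp(now + timedelta(days=7)))
    # Behavioural indicator: describes how the actor operates, survives infrastructure churn
    ttp_ind = _obj("indicator", now, name="Interpreter spawned by office document (sample)",
                   indicator_types=["attribution"], pattern_type="stix",
                   pattern="[process:name = 'powershell.exe' AND process:parent_ref.name = 'winword.exe']",
                   valid_from=_stamp(now), valid_until=_stamp(now + timedelta(days=365)))
    rels = [_obj("relationship", now, relationship_type="indicates",
                 source_ref=ind["id"], target_ref=ap["id"]) for ind in (ip_ind, ttp_ind)]
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
              "objects": [ap, ip_ind, ttp_ind, *rels]}
    return bundle, ap["id"]


def live_indicators(bundle, attack_pattern_id, at):
    """Names of indicators still within their validity window at `at` that indicate the pattern."""
    objs = {o["id"]: o for o in bundle["objects"]}
    linked = [o["source_ref"] for o in bundle["objects"]
              if o["type"] == "relationship" and o["relationship_type"] == "indicates"
              and o["target_ref"] == attack_pattern_id]
    return sorted(objs[i]["name"] for i in linked
                  if objs[i]["valid_from"] <= _stamp(at) <= objs[i]["valid_until"])


def lifecycle_check(days):
    """Which indicators still apply `days` after the incident was modelled (fixed sample date)."""
    now = datetime(2023, 1, 1, tzinfo=timezone.utc)
    bundle, ap_id = build_bundle(now)
    return live_indicators(bundle, ap_id, now + timedelta(days=days))


if __name__ == "__main__":
    print(json.dumps(build_bundle(datetime.now(timezone.utc))[0], indent=2))
    print(lifecycle_check(30))  # only the behavioural indicator remains
```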

The cryptocurrency ecosystem: cybercrime does not lose focus

During the workshops, real cases of fraud set against the backdrop of cryptocurrency investment were presented. Among the workshops held during the first day, a session was dedicated to the tracking of cryptocurrency and NFT transactions.

In this regard, the capacity of specialised companies to trace cryptocurrency transactions in general and non-fungible tokens (NFT) in particular was highlighted, especially for projects that do not build in privacy and anonymity from the design stage, which is still the case in most cryptocurrency-related projects.

Among the most relevant trends observed is the large volume of operations identified in 2022 associated with DeFi (decentralised finance) environments, as opposed to conventional centralised exchangers

The main vehicles for carrying out scams and extortion in the NFT ecosystem are not necessarily new (social engineering remains an ideal vehicle in a particularly technically complex environment), but they have the particularity that monetisation for an adversary is much more direct if they manage to directly steal the tokens.

The effectiveness of the use of digital beacons and reverse social engineering has also been demonstrated, using different models of interaction with suspected fraudsters as a lure to track money by deploying decoys under the pretext of making a new investment and obtaining information from the attacker that can facilitate tracking, such as IP address or ASN, among others.

Along the same lines, the cryptocurrency ecosystem does not escape the security flaws that can occur in smart contracts. Smart contracts are still programmed applications and are therefore subject to weaknesses and programming errors. Thus, our colleague from Telefónica Digital, Pablo González, gave a workshop in the afternoon in which he outlined the basic principles for identifying some of the most basic exploitable weaknesses and how to set up a working laboratory to carry out security audits on Ethereum smart contracts.

This was a particularly practical session, identifying technologies and working methodologies for those who want to enter a field with plenty of room for improvement; the momentum it revealed indicates that fraud related to this technology will still be very present in 2023.