DOJO Details
One day DOJO on March 18, 2024 (Monday)
Attendance:
In-Person Only.
No digital recording will be provided after the fact, and none is permitted during the instruction.
Last Updated February 21, 2024
DOJO Abstract
Whether performing an in-depth investigation or merely quick research, the investigator (or researcher) and the investigation itself are exposed to certain risks.
This workshop focuses on security and safety issues pertaining to online research and investigations. It covers different areas of the investigative process and how tools and particular techniques can leak information detrimental to the case or the investigator.
The workshop covers both the technical and the soft (intelligence and counterintelligence) aspects of OPSEC, so it is useful to technical investigators as well as non-technical audiences such as mainstream journalists and lawyers.
From a technology point of view, the workshop covers different browser and infrastructure fingerprinting techniques, ad platforms, browser hooking, instant messaging programs, email security, and tracking.
On the investigative side, the workshop focuses on deception techniques and their application in intelligence and counterintelligence.
Furthermore, it goes deeper into how investigators and blue teams can be profiled and targeted. Such targeting can be a direct attack against their computer or supporting infrastructure, against their person, or against the investigation itself, which in turn may be as subtle as steering it in the wrong direction or rendering the evidence inadmissible in court.
Alongside the dangers, the workshop provides a series of countermeasures and mitigations that help the investigator raise their level of safety and security and shrink their digital footprint.
In addition, the workshop introduces containerization and how it can be used to segment and streamline the process.
In more detail, the agenda is roughly as follows:
DOJO Outline
Introduction
Discussion of OPSEC and what it means to different groups, specifically from an intelligence and counterintelligence perspective
A brief discussion of consequences, both personal and for the investigation
Contemporary examples: NSO group vs Citizen Lab, Israel vs Hamas, Mandiant leaks, and some booters who turned into swatters and then murderers.
A personal example of an OPSEC failure
The observer effect and investigations
Google and other search engine queries and consequences
Ad platforms
Overview of tracks we leave as investigators.
Usage of DNS for investigations
DNS query leaks / use of passive DNS
iTerm leaks
Passive DNS
Recursive DNS server interrogation
Other tools leaks
Vim exploit
Chat programs and data leaks
Perils of VPN and Tor
Online services leaks
Gmail and G Suite issues
Others
URL shorteners
Inband exploitation
Teredo tunnel pitfalls
VirusTotal leaks
BeEF
0-days and 1-days
Mitigation techniques
Personas
Containers and VMs
Setting up tripwires on your system
Privacy plugin pitfalls (the privacy plugins themselves are out of scope and are not covered)
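The outline items on DNS query leaks and recursive DNS server interrogation point at an observer-effect problem for investigators: a lookup made through a shared recursive resolver leaves a cached record that a third party can probe for. The following is an added illustration, not material from the workshop or its instructor. It assumes the interrogation technique in question is DNS cache snooping (a query with the RD bit cleared, which a resolver answers only from cache) and uses only the Python standard library on constructed packets, so it runs offline; the hostname target.example, the transaction id, the TTL values and the address 192.0.2.10 are made up for the example.

```python
"""Added example: DNS cache snooping as an observer-effect problem.

A query with RD=0 asks a recursive resolver to answer only from its cache.
An answer means someone behind that resolver resolved the name recently; the
remaining TTL hints at how recently.  Standard library only; the packets below
are constructed for this example, not captured traffic.
"""
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels, e.g. 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, recursion_desired: bool) -> bytes:
    """Build a single-question A query.  RD=0 is the cache-snooping form."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bound the loop to defeat pointer cycles
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return the header id/flags and the answer RRs (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": msg[off:off + rdlen]})
        off += rdlen
    return {"id": txid, "flags": flags, "answers": answers}


def snoop_verdict(response: dict, authoritative_ttl: int) -> dict:
    """Interpret a reply to an RD=0 query.

    A cached record's TTL has been counting down since the resolver fetched
    it, so authoritative_ttl - ttl approximates how many seconds ago somebody
    behind the resolver looked the name up.  The authoritative TTL must be
    learned separately (from the zone's own servers) and is passed in.
    """
    a_records = [a for a in response["answers"] if a["type"] == TYPE_A]
    if not a_records:
        return {"cached": False, "seconds_ago": None}
    ttl = min(a["ttl"] for a in a_records)
    return {"cached": True, "seconds_ago": max(authoritative_ttl - ttl, 0)}


# Constructed reply to an RD=0 query: flags 0x8080 = QR|RA, one question,
# one answer whose name is the pointer 0xC00C, TTL 2700 out of an assumed
# authoritative 3600, RDATA 192.0.2.10 (documentation address range).
SAMPLE_CACHED_REPLY = (
    struct.pack("!HHHHHH", 0xBEEF, 0x8080, 1, 1, 0, 0)
    + encode_name("target.example") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 2700, 4)
    + bytes([192, 0, 2, 10])
)

# Constructed reply for a name the resolver has not cached: no answer RRs.
SAMPLE_MISS_REPLY = (
    struct.pack("!HHHHHH", 0xBEEF, 0x8080, 1, 0, 0, 0)
    + encode_name("target.example") + struct.pack("!HH", TYPE_A, CLASS_IN)
)

if __name__ == "__main__":
    q = build_query("target.example", 0xBEEF, recursion_desired=False)
    print("RD bit set:", bool(struct.unpack("!H", q[2:4])[0] & 0x0100))
    print(snoop_verdict(parse_response(SAMPLE_CACHED_REPLY), 3600))
    print(snoop_verdict(parse_response(SAMPLE_MISS_REPLY), 3600))
```

The practical lesson for the investigator is the mirror image of the probe: every name resolved through a shared or ISP resolver while researching a target is observable in exactly this way, which is one reason the workshop's mitigation track pairs containers and VMs with controlled resolver choices rather than the host's defaults.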
Hardware Requirements
To be added at a later date.
Software Requirements
Students must have VMware Player or VirtualBox installed. (Note that the latter does not perform as well.)
About the Instructor: Krassimir Tzvetanov
For the past four years Krassimir Tzvetanov has been a graduate student at Purdue University, focusing his research on Homeland Security, Threat Intelligence, Operational Security Research, and Social Media Influence Operations in the cyber domain.
Before that, Krassimir was a security architect at Fastly, a content delivery network (CDN) designed to accelerate content delivery and serve as a WAF and a shield against DDoS attacks. His current focus is on incident response and investigations, threat intelligence, and security systems architecture.
In the past, he worked for hardware vendors such as Cisco and A10, focusing on threat research and information exchange, DDoS mitigation features, product security, and secure software development best practices. Before joining Cisco, Krassimir was a Dedicated Paranoid (security) at Yahoo!, Inc., where he focused on designing and securing the edge infrastructure of the production network; part of his duties included dealing with DDoS and abuse. Before Yahoo!, Krassimir worked at Google, Inc. as an SRE for two mission-critical systems: the ads database supporting all incoming ad revenue, and the global authentication system serving all of the company's applications.
Krassimir is very active in the security research and investigation community, has a number of contributions to FIRST SIGs, and participates in the Honeynet Project.
In addition, Krassimir ran the BayThreat security conference and has contributed to a number of other events like DefCon, where he ran the Radio Communications group, and ShmooCon and DC650.
Krassimir holds a Bachelor's degree in Electrical Engineering (Communications), a Master's in Digital Forensics and Investigations, and a Master's in Information Technology with a focus on Homeland Security.