Report for the Forum 2024 Cert-IST conference
Date: November 07, 2024
On December 11th, 2024, the Cert-IST held its annual Forum, in Paris.
This year, the theme of the day was:
25 years of Cert-IST - Between the complexity of architectures and the structuring of attacker groups, where do we stand?
Here is a report about the presentations. The full agenda and the slides for some of the presentations are available on our private web site.
Securing the attack surface / a look at scanning solutions
Maxime ESCOURBIAC – Michelin
This talk explains the tools that Michelin uses to identify and monitor all the vulnerabilities present in its information system.
The speaker begins by showing the complexity of the task through a comparison between the ‘old world’ (the fortress model) and the modern world (the Cloud model). For most companies, today's IT system is the sum of these two worlds.
He then analyses the strategies that can be put in place, taking into account:
- Shadow-IT: security teams are only aware of part of the systems exposed to attack,
- Attackers' points of interest.
This results in a 2-dimensional picture (with attackers’ interests on one axis, and the range from known systems to unknown systems on the other) on which the speaker shows where each of the monitoring tools put in place by Michelin fits.
One of these tools has been developed specifically by Michelin: it is called Redscan and is available on GitHub.
Notes:
- LeMagIT.fr published an article in August 2024 about a similar presentation made by Michelin on this subject.
- On slide #11, the DNS item represents attacks on domain names.
Securing and Modernising Active Directory at VINCI
Vincent LE TOUX - VINCI
This presentation shares experience feedback on securing the AD. In the context of a large company, this represents several hundred domains spread across the group's various organisations. Moreover, mergers and acquisitions constantly bring in new domains that need to be integrated.
As the central CERT for the VINCI Group, the team decided to supervise the security level of the ADs, but not to impose a model (e.g. a central AD or forests), given each entity's technical autonomy in this area. The central CERT acts at three levels:
- Defining the group's security policy,
- Monitoring the security level of the ADs (using the Ping Castle tool),
- Pen testing.
Here are the points we noted in this feedback:
- Each entity manages its own isolated AD (with no trust between ADs) and collaboration is achieved through sharing mechanisms (not detailed) between the EntraIDs of each entity.
- Rather than trying to improve the security of all ADs, it is better to concentrate efforts on the most critical ADs, for example those that manage the largest number of users.
- Migration to EntraID (formerly Azure Active Directory) is inevitable. We will gradually move from an (old) model where Active Directory was the heart of authentication (EntraID synchronised with the AD) to a model where EntraID will be the central element (DCs will contact EntraID for authentication). However, this technological migration will take a very long time (10 years?).
- Incident management has become less complex at AD level, thanks to the experience acquired over the years. For example, it is no longer necessary to perform a full rebuild of the AD, because the team now knows perfectly well how to properly manage the renewal of the AD’s secrets.
Trust does not exclude control (Experience sharing)
Jérôme FRANCILLON - Orange CERT-CC
No report, because this presentation is classified TLP:RED.
Adding value to a CTI programme: the indicators that make the difference
Thomas JEANTELLET - Engie
The speaker began by presenting the general concepts for a CTI programme:
- The activities involved (Monitoring, Intelligence, Enrichment, Hunting and Reporting),
- The CTI production life cycle.
He then showed that this activity can progress in terms of maturity and proposed three levels:
- Basic: Use the tools published by others to initialise the activity,
- Advanced: Customise these tools or develop new ones,
- Mature: Focus on automation and continuous improvement.
Finally, he focused on defining KPIs to measure the activity and monitor its progress.
25th anniversary: Four Weddings and a Funeral
Didier GRAS – BNP Paribas/CESIN
2024 is the 25th anniversary of Cert-IST, and Didier Gras (who made this presentation on behalf of CESIN) took this opportunity to look back over 25 years of cyber security: what is working well (the 4 weddings) and what is still difficult (1 funeral).
In his opinion, the 4 key successes in cybersecurity are:
- The risk culture: There is a strong culture of risk assessment in France (with methods such as Mehari, EBIOS, etc.) and more generally in Europe. However, we must be careful not to let rating agencies that are unfamiliar with this culture impose their own assessment scales on us.
- The culture of secrecy: In a world where confidentiality is declining (with social networks, for example, or increased surveillance), the protection of secrecy (for sensitive data) remains essential.
- The culture of reaction: Large organisations have developed their reaction capabilities to a very large extent (crisis management, incident response, SOC, etc.). Smaller organisations, on the other hand, do not yet have this capacity.
- The culture of control: In some areas (banking, for example) this culture is highly developed, with models of control with several lines of defence. There is even sometimes an excess of control (we sometimes spend more time controlling than doing) and there is a need here to introduce more of the human element: relying on trust and exchanges rather than on control grids.
On each of these subjects, the speaker presents in his slides the trade-offs that must be made when managing these activities. For example, risk management involves defining an appropriate balance between refusing to take risks and accepting them.
According to the speaker, the fifth area, which remains difficult despite 25 years of experience, is vulnerability management and above all the never-ending flow of patches released by software publishers. He called for these publishers to be held responsible and for a form of accountability to be introduced.
In his conclusion, the speaker argues that the key success factor for cyber security is the acculturation process (i.e. the process of developing a culture), which enables individuals to progress in their proficiency on cyber security topics.
Note: For a description of the six stages in the acculturation process, see this article.
The most significant threats in 2024 (and 2025)
Philippe BOURGEOIS - Cert-IST technical team
This presentation reviews the year 2024 to highlight the most significant elements. As an introduction, the speaker comments on the three most striking events of 2024 from a cyber-point of view:
- The Paris Olympic and Paralympic Games
- The outages induced by Crowdstrike in July 2024
- The attacks on edge devices
He then discusses the following topics in more detail:
- Ransomware: where do we stand?
- Attacks on edge devices (VPN, etc.)
- Attacks on the Cloud
- XZ-Utils attacks and the software supply chain
- Liability: should we hold publishers responsible for vulnerabilities?
In conclusion, although the threats remain very present, several elements seen in 2024 are very positive:
- The success of the Paris 2024 Olympic Games,
- The increase in the number of law enforcement operations,
- The introduction of a regulatory framework in Europe (NIS2, CRA).
In 2025, we can expect a continuation of the trends seen in 2024:
- New attacks on edge devices,
- Increase in attacks on the Cloud,
- Work to adapt to the coming changes in the regulatory framework (NIS-2 and CRA).