GeekWeek

GeekWeek offers a unique opportunity for participants to focus time and resources to conduct intensive research and development in the prevention, analysis and mitigation of cyber threats. The event enables representatives from Critical Incident Response Teams (CIRTs), Critical Infrastructure Partners (Government, Finance, Health, etc.), academia, and international cyber security partners to collaborate in new ways and improve the overall cyber security landscape.

GeekWeek has been held annually since 2014 and has delivered over 80 projects that have contributed to major innovations in the fields of malware analysis and detection, cyber health, network traffic and log analysis, to name a few.

Note that because of the technical nature of the workshop, GeekWeek is an invitation-only event.

History

GeekWeek started when the Canadian Cyber Incident Response Centre (now part of the Cyber Centre) identified a need to foster stronger collaboration within the cyber security community. The solutions oriented workshop was created to be an environment where participants work together on projects that drive innovation in cyber security.

With very modest aspirations, the first edition captured the attention and interest of both federal and industry organizations with triple the expected number of attendees. Since then, the event has grown from a 3-day workshop to an 8-day event. The 2018 event welcomed 200 participants who collectively worked 18,000 hours researching, developing and implementing new and innovative ideas. That’s the equivalent of 9 employees working full-time for a year!

Results

GeekWeek has produced innovations and advances in the following areas:

• Malware detection,
• Spam and log analysis,
• Mobile malware analysis systems,
• Anti-ransomware,
• Tools and techniques to detect cyber threats,
• Information sharing technologies and standards,
• Cyber sovereignty/geographic data flows,
• Cyber health and forecasts,
• Botnet traffic analysis,
• Hardening of IoT devices,
• Industrial control systems assessment,
• Fly-away kit/laptops,
• Enforcement processes,
• Automated malware analysis.

Why Attend GeekWeek?

Participants attending GeekWeek benefit from:

• A unique environment of knowledgeable cyber experts to address concerns and challenges within the community.
• Access to advanced tools, and millions of samples of spam emails, malware, and analysis reports.
• Increased awareness of resources and solutions currently available to cyber security professionals.
• Moving forward new ideas, innovative solutions and information sharing.
• Increased collaboration and information sharing between partners.
• Networking with cyber security community of experts and development of professional relationships.
• Better understanding of challenges faced by peers in the industry.

GeekTalent Program

GeekWeek’s GeekTalent program allows students and new graduates to work alongside cyber security experts, giving them opportunities to expand their skillsets, gain valuable knowledge and network with some of the industry’s leading practitioners.

Benefits

Attending GeekWeek enables students and new graduates to:

• Put into practice what they have learned through their education;
• Use cutting-edge cyber security tools;
• Acquire tools and material to enrich portfolios;
• Access millions of samples of spam emails, malware, and analysis reports for academic projects;
• Network with and work alongside cyber security professionals; and
• Display skills to potential employers on the lookout for new talent.

Who can apply?

Anyone with skills in programming, computer networks and/or data analysis and manipulation can apply. We are committed to working with universities to offer flexibility to students who wish to participate. While we encourage applicants to become full-time participants, we also accept part-time candidates, provided they be present at least four (4) days throughout the event, which runs from November 14 to 22, 2019 (including the weekend).

The reviewing committee will select participants through an interview process, based on qualifications and enthusiasm.

Conditions

In order to be eligible for GeekTalent, you must fulfill the following conditions:

• Be present for at least four (4) days during the event;
• Bring your own laptop, as well as any other tools you may need;
• Sign a non-disclosure agreement (NDA);
• Be fully engaged and contribute to your team’s efforts; and
• Be responsible for the cost of travelling to Ottawa and to the event location.

How to apply

Send an email to geekweek@cyber.gc.ca and use the following subject line: “GeekWeek 6 – GeekTalent Program – APPLICANT NAME”

Please include the following information:

• Brief explanation for why you want to participate;
• Resume; and
• School transcript.

GeekWeek brings together key players in the field of cyber security to generate solutions to vital problems facing the entire community in an innovative and collaborative format. Participants have the opportunity to pick which area they’d like to focus on, based on the themes and sub-themes listed below. Teams will then be formed according to these preferences. Participants are also encouraged to suggest projects associated to each of the themes and sub-themes listed below. We value the community’s expertise and encourage participants to share their ideas with us.

If you have a specific area of interest or theme you would like to work on, please indicate the number associated with it, as per the list below, in your application or once you receive your acceptance email. Each sub-theme will have an area of cybersecurity associated to it, but you should keep in mind that most themes will still touch several areas, giving you exposure to a multitude of subjects. For example, as this is a cybersecurity workshop, a theme focused on programming will also touch on cyber data analysis activities.

Areas listed in the sub-themes:

National Impacts and Outcomes

The creation of the Canadian Centre for Cyber Security provides an opportunity to focus national efforts and create centralized systems where Canadians and Canadian industries can report and exchange information to strengthen the health of the Canadian cyber ecosystem.

1.1 National Domain Name System (DNS) [D]

Significant cyber security issues stem from the abuse of DNS. Every day, large numbers of domains are registered, often for illegitimate reasons. How could we develop analytics and information sharing processes to automatically flag malicious domains to protect industry and government partners, as well as private citizens, from unintentionally accessing these malicious domains?

1.2 Anti Impersonation Email [D | N]

Well-crafted emails using identity spoofing and social engineering are key for successful phishing attempts. Available Domain-based Message Authentication, Reporting and Conformance (DMARC) aggregate-reports contain information about the source and legitimacy of emails using Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF). How could we promote the usage of DMARC, SPF and DKIM protocols? How could we develop analytics on DMARC report data to identify spoofing attempts? Further, how could we use the gathered intelligence on a national scale to better understand trends and techniques used in spam and phishing campaigns?

1.3 Cyber Sovereignty [D]

One would expect that communications between Canadian endpoints do not need to be routed outside of the country. However, for efficiency purposes or other practical reasons, this is not always the case, which can pose security risks. The Border Gateway Protocol (BGP) manages routes followed by internet communications from its source to its destination. By manipulating BGP, data can be rerouted in cyber attackers’ favour and allow them to intercept or modify traffic. How can we develop analytics to detect malicious behaviours and changes in traffic routes in real time? How can we prevent traffic hijacking to help protect Canadian communications?

1.4 Levelling-up Cyber Infrastructure [N | P]

Outdated systems and protocols are usually more vulnerable to cyber threats. For example, an old version of the SSL protocol may be exploited by cyber threats actors to conduct a Man-In-the-Middle attack. Using Canada as an example, how could we assess an ecosystem’s implementation and configuration according to cyber best practices such as HTTP vs. HTTPS, SPF, DMARC, DNSSEC, TLS, etc.?

Cyber Threat Hunting

Staying ahead of the curve in the ever evolving world of cyber threats is of the utmost importance. To that end, we need better, faster and more creative ways to detect malicious code. Building more credible analysis environments could allow us to fool additional malicious samples into revealing their true identity.

2.1 Detecting and Decoding Advanced Persistent Threat (APT) Malware [R | P]

Malicious APT artifacts are usually stealthy, well-crafted and possess strong anti-analysis and evasion techniques, making their detection and decoding complex. Using knowledge gained from in-depth reverse engineering of a chosen APT malicious sample, how could we build tools in order to detect malicious activity from these samples in local environments? Also, how could we develop the ability to evaluate IPv4 spaces for the presence of APT implants?

2.2 Honeypots [N | P | D]

Cyber threats are constantly evolving and malicious actors keep finding innovative ways to infect a system. Honeypots are systems that mimic real environments to fool threats actors and gather intelligence on emerging infection vectors. To be effective, honeypots need to keep up with the latest infection techniques. How could we leverage new concepts like machine learning, the cloud, or improve the honeypot response rates to collect sophisticated malicious artifacts and emerging threats?

2.3 Retro-Hunting [R | P]

Even for the most seasoned reverse-engineer, drafting the perfect YARA rule for a malicious sample is a challenge. Retro-hunting allows analysts to assess the quality of their file signatures at scale. Tools like BigGrep can be used to search for malicious samples in the past that would have triggered a given signature by indexing a large quantity of binary files. How could we optimize the speed, size and results of retro-hunting tools to improve our Cyber Threat Intelligence capabilities?

2.4 SPAM [D | P]

Analyzing SPAM emails sent from botnets and storing them in a database allow us to manually extract Indicators of Compromise (IOC). How could we develop techniques to find and extract relevant and actionable information from billions of SPAM emails in real time? Further, how could we develop analytics to identify SPAM campaigns?

Cyber Threat Automated Analysis

Once artifacts are gathered, in-depth behavioural analysis can take place. Mobile or Internet of Things (IoT) sandboxes and Bare-Metal environments allow us to study these recent threats.

3.1 Memory Analysis [O | P]

onfigurations embedded in malware artifacts are a wealth of actionable information that can be leveraged in further analyses. For example, the configuration of many malware families contains the addresses of their Command & Control servers. How could we leverage the configuration information that is available at runtime in order to derive valuable forensics data about the state of the system? How could this process be structured in a framework to permit automation and scaling (e.g., using tools like CAPE or malscan)?

3.2 Bare-Metal [O | R | P]

Malware authors invest time and effort developing evasion and anti-reversing techniques to detect the analysis environment. To avoid virtual machine detection, one of the most robust solutions is to use a physical machine (Bare-Metal machine), but this method has its own challenges. How can a machine be rapidly restored to the state it was in prior to running malicious software? Is it possible to build a Bare-Metal analysis environment for emerging threats targeting IoT and mobile devices?

3.3 Improving Network Emulator [N | P]

It is not always possible to let malware communications use the Internet when performing dynamic analysis. Although Inetsim is an Internet emulator that could be used to address this problem, it was developed more than 10 years ago and does not leverage the capabilities of the latest technologies. How could we develop a new and better Internet simulation for isolated dynamic malware analysis tools (not only simulating services, but also content)? How could we also simulate Industrial Control Systems and user interactions?

Landscape and Cyber Health

When trying to evaluate the posture of an organization or an environment in regards to cyber health, criteria can help us predict trends, and aggregated information can provide a complete picture of the cyber health of an ecosystem, such as the Canadian cyber space.

4.1 Assessment Tools [D | P]

With so many new malicious threats emerging every day in the cyber environment, even if there is a lot of raw data available, it is difficult to extract valuable information to have an overall vision of the situation in real time. How could we automatically distill actionable intelligence from the vast sources of available data to develop and improve cyber health assessment tools? How could these insights be automatically formatted to be communicated to different audiences?

4.2 Cyber Neighbourhood Watch [P]

It is not always easy to accurately validate the maliciousness of an indicator, and evaluate the possible negative side effects of blocking the traffic accordingly. During a previous Cyber Centre event, an initiative was developed in collaboration with Canadian telecommunication companies to create a method in which different organizations can communicate useful information regarding network traffic to other partner organizations, using MISP. Could we democratize determining indicator quality and relevancy through a member voting system? How could we create a system supporting such a community? Further, how could this knowledge be used to enrich a national DNS?

4.3 Malicious Infrastructure and Threat Hunting [P | R]

There are many cyber threats in the wild, and it can be difficult to automatically recognize malicious infrastructure and phishing attempts from the large amounts of data. One method of detection is by switching the path section of a URL with another path known to be associated with malicious infrastructure. How could we distill data to identify recipes we can use to find rules that will, in turn, find more data and/or add value to the existing data? How could we validate that our recipes for rules are correct? How could we automatically recognize and attribute gathered malicious data and infrastructure?

4.4 Cloud monitoring and analytics [D]

As more and more government services move to the Microsoft Azure cloud, it becomes essential for the Cyber Centre to understand how users can secure and monitor their cloud tenancies, as well as its physical infrastructure. Microsoft Azure provides logs for a client to monitor their cloud activities and resources. How could we create a framework to extract, analyze and visualize cloud logs into actionable information? How could we derive a set of good practices for Microsoft Azure cloud users and work with cloud providers to improve their services?

Cyber Operations

Even if it is not easy to exchange information within the boundaries of everyone’s different mandate, close collaboration between industry partners, law enforcement agencies and government is vital in addressing cybercrime. Industry partners work closely together with law enforcement agencies to build cases against malicious actors, and increase the cost of operations for malicious actors. There may be value in researching specific threats with specific hunting skills (e.g., focusing on a specific malware case or specific malicious threat actor case).

5.1 Infrastructure Mapping [R | D]

To be able to devise a proper response to malicious actors’ wrongdoings, it is necessary to start by understanding the malicious infrastructure they are leveraging. How could we pool IOCs from industry, government and law enforcement agencies and enrich them to their fullest degree to determine the architecture of the malicious infrastructure?

5.2 Operationalize Hunting Malicious Sample [R | D]

Operational hunting is different from typical IOC hunting. It specifically looks for actionable intelligence that can be utilized to build a case against the malicious actor behind a sample. How could we effectively hunt samples (through host analysis, surface analysis, reverse engineering, etc.) to determine the internal composition of the cyber threat?

5.3 Actor Attribution [R | D]

To be able to take action against malicious actors, a strong case must be built, with backing admissible evidence that clearly identifies the individual or individuals responsible for the cyber threat. How could we identify specific individuals behind the attacks by researching IOC and actor monikers?

5.4 Cross Organization Data Harvesting and Analytics [D]

One of the biggest issues behind cross-organizational collaborative hunting is attempting to find a mutual method for sharing, storing, normalizing and visualizing the data. How could we ingest the vast data on the malicious infrastructure, the malware and the actor attribution? How could we leverage the activities done by the other GeekWeek teams to produce actionable output?

Cyber Community Building

The entire cyber community, in Canada and abroad, is facing similar challenges. By connecting systems and learning more about other organizations, we can avoid starting from scratch and leverage the community’s toolset to improve cyber defences more efficiently.

6.1 Information sharing [D | P]

Automated tools crawl the internet and identify credential phishing web sites, malware control panels, etc. Once shared with partners, these tools can help them protect their brands and networks. How could we vet the IOCs collected from automated systems and share them with partners in real time? How could we collaborate with the appropriate authorities to facilitate action against those vetted cyber threats?

6.2 Malware Intake [P]

When looking for help on malicious cyber activity, it is hard to pinpoint the appropriate entity to escalate to. A single point of contact would make cyber event reporting more approachable and user-friendly. How could we develop an automated, centralized system that would allow all incoming reports of malware, spam and phishing to be sorted by point of origin and dispatched automatically to the proper addressing authority?

6.3 Contributing to Community Tools [P]

Open source tools and services built by the cyber community play an important role in making cyber security more accessible, therefore strengthening our response capacity against cyber threats. For instance, how could we work together to improve community services and tools, such as MISP, Malpedia or Ghidra, and connect more people to those services? How could we contribute to open source tools with code that could benefit the entire cyber community?

Research and Development

Some research topics are complex and will not be completed over an event, or even many events. However, they have the capacity to change the future of cyber security for the better. GeekWeek is also an opportunity to invest in the future and dedicate time to further research projects using the expertise, tools and datasets available during the event. Needless to say, GeekWeek encourages all its participants to bring forward their own innovative ideas.

7.1 Advanced Genetic Malware Analysis [R | P |D]

“Information Retrieval” is an emerging malware analysis and reverse engineering technique that decomposes new unknown malware into existing known components and wheels from the existing data. The existing tools, such as Intezer, rely on exact code matching algorithms and cannot retrieve information that slightly differs from the original code. How could we develop an information retrieval system able to perform inexact matching and able to adapt to different CPU architectures? How could we leverage existing tools, such as Kam1n0 and Ghidra, to design a system both flexible and scalable?

7.2 Advanced malware clustering [P]

New malware is discovered everyday, but a majority of discoveries are variants of existing malware. How can we automatically cluster those variants based on their behaviour, and then group them with their affiliated family? How can we extract shareable IOCs and signatures from a cluster of similar malware?

7.3 Advanced malicious infrastructure clustering [P]

Malicious infrastructure changes constantly and makes significant efforts to hide its affiliation. Similarly, new phishing websites that impersonate companies are created every day, always containing minor differences to evade automated detection. How could we use machine learning and image recognition algorithms to automatically cluster and attribute malicious infrastructure and websites?

7.4 Advanced Sandboxes [P | O]

Virtual environments are well equipped to analyze malware on popular operating systems (Windows). However, malicious actors are always improving their anti-sandbox detection techniques, making analysis in virtual environments more challenging. In addition, the amount of malware targeting other operating systems is growing and sandboxes need to be adapted to those new types of samples. How could we improve the existing sandboxes tooling to avoid detection and gather additional IOCs? How could we virtualize several IoT devices for malware analysis? For this project, we will be using Docker.

7.5 Validation of analysis [P]

As malicious actors change and relocate their infrastructure to avoid detection, we need to constantly verify that our data is still valid. How could we build a system that regularly browses the Internet to validate the information on malicious infrastructure and ensure it is still active?

7.6 Streaming [P]

Currently, it is easier to conduct cyber threat analyses using batches processed at regular intervals. However, tools such as Kafka now permit analysis in streaming. How could we develop a language and rules to analyze the data in real time? How could we adapt existing tools and systems to streaming technologies?

7.7 Automated Knowledge Extraction (a.k.a It is all about graphs!) [P]

A cyber threat story usually starts with only a handful of indicators. The analyst then has to manually create relationships with other information sources to complete the story and discern the full picture. How could we automate this process? How could we automatically draw a graph of indicators that shows the analyst the entire story without manual processing?

Frequently Asked Questions (FAQs)

The following organizations are just a few who will be participating in GeekWeek 6. The Cyber Centre would like to thank all organizations attending this year. Cyber security is a team sport, and this type of event could not be possible without the help of all participants.