Going to the Security Analyst Summit #TheSAS2016

Recently Tim was invited to visit the Security Analyst Summit of Kaspersky Labs (#TheSAS2016) which took place on Tenerife (Canary Islands) in february this year. In this post he shares his experience and wants to give a short overview of interesting topics (for the security research community).

TL;DR: #TheSAS2016 was a great experience and Tim learned a lot, because every day was filled with adventures or learning and seeing new things! The location was very nice, the atmosphere was amazing, the people were friendly - all in all everything was excellent!

First of all, for those who may not have seen #TheSAS2016 in their Twitter-Timeline, media or have no idea what SAS is about:

SAS stands for “Security Analyst Summit” and is an invite-only security event organized by Kaspersky. This year the SAS was on Tenerife (Canary Islands):

People from the security research community, law enforcement agencies and CERTs meet each other in order to debate and share their ideas how to secure the cyberworld and fight cyber-crime. This year there had been together more than 330 participants. The topics of talks are widely dispersed from cyber-espionage over webhacking, security/safety, malware analysis until ICS Hacking.

This year the keynode was held by John Lambert @JohnLaTwC. He is leading the Threat Intelligence Center of Microsoft and his talk was about “Changing the Physics of Defense”. Due to the fact that we at Internetwache.org are often in the position of an attacker and break applications of companies, this talk was really an eye-opener. On the one hand it showed how hard it is to secure systems or applications and on the other hand there were a lot of ideas how to achieve security through new approaches.

John published his slides on Onedrive. We highly recommend you to take a look at it if you want to know how cutting-edge security concepts should look like and how Microsoft improves the security of their software and kills zerodays.

Besides some interesting talks about offensive and defensive security, there were a few revelations about interesting APTs (advanced persistent threats) and criminal tools like the “Poseidon APT” and “Adwind” and many others. We will summarize those two and link to interesting resources - for more information you should take a look at the SAS2016 articles on securelist.com.

Poseidon APT

Researchers of the Kaspersky GREAT Team detected the first Portuguese-speaking targeted attack group which presumably has been operating for a decade. The attackers are quite clever in concealing their traces. They use infrastructure of diffrent companies to attack other companies. The “Poseidon”-name comes from the compromise of the satellite communications infrastructure meant for ships on the sea. In some cases they made use of old wri-files (Windows Write Document) to bypass filter restrictions in combination with social engeneering. This group is probably still active. Tim wrote the first german blogpost about that APT on golem.de


Malware-as-a-service seems to be a very successful business for cybercriminals. With “Adwind” Researchers of Kaspersky revealed a very popular cross-platform RAT (remote administration tool). It is completely developed in Java and thus runs on every platfrom (like Windows, Linux, Mac, etc.). The researchers found out that there is a kind of an online subscription model for the tool. This is the reason for the malware being used in diffrent APTs and spam campaigns.

There were a lot more good talks - for example about:

The blogpost would not come to an end if Tim had to mention all the awesome talks and good work behind it - sorry about that :)

On the second day, Tim was very interested in the talk from Kymberlee Price @Kym_Possible from @bugcrowd and Katie Moussouris @k8em0 from HackerOne.

Background info, why Tim was so interested in the talks (for those who don’t know us for a long time): We (at Internetwache) have been doing bug bounty hunting and responsible disclousure since 2012 - Back then there were not many companies who had such programs (in europe it felt like there was not even one bug bounty program). So we appreciated the rise of companies like Bugcrowd or HackerOne who help with vulnerability disclosure and hope that the idea behind open security processes will expand. We have been quite active on both platforms from the beginning on: @Internetwache on Bugcrowd and @Internetwache on HackerOne . We’ve been bughunting as a team from the beginning, which isn’t seen often.

Back2Topic to the #TheSAS2016 talks:

In her talk Kymberlee pointed out that not the vulnerability disclosure policy itself is a problem (they are often designed well) but the missing trust between the researchers and companies. We agree on that and think that “trust” is essential for every bug bounty program. Researchers have to trust companies, but often companies don’t blindly trust researchers. We all have to work on that “trust” - perhaps there will be a blogpost in the future about that topic. She used a very fancy slide from David Lenoe to point out that researchers should be handled with care and that the security community should stick together:

Katie @k8em0 also pointed out the importance of hackers in general with the statement “the world needs hackers”.

Her talk was about export controls and modern security. For researchers or security companies the problem of traveling with knowledge (like zero-days) often arises. The “Wassenaar Arrangement” makes it hard to travel with such information because “intrusion software technology” was set on the list of controlled goods - Katie wants that the “Wassenaar Arrangement” get changed because exemptions are not enough to ensure that infosec companies and researchers can work as they want to.

The last day of #TheSAS2016 was an entertainment day. We did a safari tour, visited the Teide National Park and the Observatorio del Teide :) and relaxed a bit … it was awesome to see the landscape and beeing on top of the Teide.

Safari Tour

Safari Tour

Top of Teide

This blogpost does not cover a few other nice events at #TheSAS2016 like the gala dinner or some nice conversations Tim had on SAS2016 - but that’s all for today. If you want to know more about #TheSAS2016 you should take a look at Eugene Kaspersky’s Blog or his pictures on his Flickr

All in all: For Tim it was really impressive to meet some of the people you had only seen on Twitter or in the web and hear their ideas about security. There was only one sad thing: Some talks with month or year long research were presented in just 30 minutes - in some cases you really wanted to hear the full story. Nevertheless the event was great! It would be even nicer if more researchers were there - so if you ever get an invite to SAS it should be a no-brainer to make use of the great opportunity!

Hopefully we’ll meet at #TheSAS2017 :)

The team of internetwache.org

PS: In Tim’s memories there will always be a “dick-pic guy” :) - But Tim will never reveal him. Remember, what happens at #TheSAS stays at #TheSAS!