CIRCL at Troopers conference

The 9th edition of TROOPERS took place in the week of March 14th, with two days of trainings and hands on experience, followed by a two days of multi-tracks’ conference. TROOPER16 is a “great IT-Security Conference, Where the World’s Leading Experts and Hackers Present Their Latest Research”. One of the highlights of the conference, named “THE KINGS IN YOUR CASTLE - All the lame threats that own you but will never make you famous” was presented by Marion Marschalek, Security Researcher and Raphaël Vinot, CERT operator at CIRCL.

What was the talk all about?

How many people in the room can tell their machine or network is currently not compromised? No hand has been seen to rise in answer. APT has been fashion five years ago and still rocks the most-feared charts on every cyber threat survey. While tabloid press is generally after the latest most-sophisticated-threat, the analyst community has long resorted to talk about threats that are advanced and persistent. In terms of sophistication targeted attacks show all shades of grey, on average though tend to be rather shallow. On the other hand, security products all have a single weak spot in common that they will always rely on patterns; whether patterns that are there, like signatures, or patterns that are not there, like anomalies. This enables attackers to evade detections with shallow, but unknown tools, which manage to fly under the radar.

The talk tackled the APT myths by formulating hypotheses based on a set of APTs documented in the MISP platform. MISP stands for Malware Information Sharing Platform and is used by hundreds of organizations to share data on APT events. It is possible to split the content of the information shared between reports of vendors and events seen by the users of the platform.


Marion Marschalek is a Security Researcher, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems where she built a thorough understanding of how threats and protection systems work and how both occasionally fail. Next to that Marion teaches malware analysis at University of Applied Sciences St. Pölten and frequently contributes to articles and papers. She has spoken at international conferences around the globe, among others Blackhat, RSA, SyScan, and Troopers. Marion came off as winner of the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake. She practices martial arts and has a vivid passion to take things apart. Preferably, other people’s things.


Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing or participating to the development of tools to improve and ease the day-to-day incident response capabilities of the CSIRT he works for but also for other teams doing similar activities. Another big part of his activities is to administrate the biggest MISP instance in Europe with >150 companies, 400 users and more than 250.000 attributes. This is the source used in this research project.