News & Regulations

Microsoft Azure Sentinel:
Use Cases for ATT&CK-based Detection and Mitigations

A field guide for deployment of Azure Sentinel’s Log Analytics and Implementation of Logic Apps as Automation playbooks for response

Azure Sentinel Use Cases

Webinar: A follower’s handbook: C-RAF 2.0
(4 Feb 2021 Cantonese Session & 5 Feb 2021 English Session)

The Hong Kong Monetary Authority (HKMA) announced on 3 November 2020 the launch of an upgraded Cybersecurity Fortification Initiative (CFI) 2.0, following industry consultation. The initiative is underpinned by three pillars: the Cyber Resilience Assessment Framework (C-RAF), the Professional Development Programme (PDP), and the Cyber Intelligence Sharing Platform (CISP).

As a long-term follower of the initiative, I spent some time studying what has actually changed in CFI 2.0, or mainly C-RAF 2.0. I have studied the official document and all referenced materials to prepare this follower’s handbook as a quick reference for my friends in the financial industry. I have also created an Excel spreadsheet (C-RAF 2.0 Technical Implantation Tool) which contains the 7 Domains and dives into the respective 26 Control Components of the Maturity Assessment, with my implementation guides, for my own easy reference.

In this webinar, I shall share and discuss how to use my C-RAF 2.0 Technical Implantation Tool together with my recommended implementation guidelines on Maturity Assessment Domains 4, 5 and 6.

On Jan 18, the Monetary Authority of Singapore (MAS) issued revised Technology Risk Management Guidelines (TRM) to keep pace with emerging technologies and shifts in the cyber threat landscape. I have further updated the C-RAF 2.0 Technical Implantation Tool by mapping the relevant sections to security frameworks such as TRM, FFIEC and CIS.

Webinar: The 2021 Blue Team Challenges
Security Predictions for Hong Kong

Five years ago, I put 1 or 2 slides for the HKU MSc Malware Analysis courses in the first lecture. I usually download prediction reports and pick 1 or 2 for my students for their side reading. Sometimes, I even converted the predictions into part of the short exam questions. In 2020, I started writing a Weekly Intelligence Summary, which forced me to monitor all cyber threats or incidents that may have significant impacts on the financial industry in Hong Kong and the APAC region. A few days ago, a friend of mine gave me an urgent call early in the morning. He asked me to provide him with the most critical incidents in Hong Kong because he was reviewing how to allocate cybersecurity resources for his organization. I had to re-read all of my Weekly Intelligence Summaries and prepared a list for him (see attached). I don’t have a crystal ball to tell me what will happen in 2021, but reviewing the past year's incidents allows me to have a sense of what may happen in Hong Kong this year. In 2020, we participated in quite a number of cyber forensics and IR investigations. I can’t share the details of my investigations, but I have a strong feeling for the pain points the blue teams faced. Therefore, I think it may be a good opportunity at the beginning of 2021 to share my views on the security predictions specially for the community.

Slides: 2021 Security Predictions

Threat Intelligence Summary

August to December 2020

Threat Intelligence Summary

April to July 2020

Cybersecurity Alert

CEO Scam or Business Email Compromise (BEC) has been around for many years, and we always have the impression that email spam is well controlled. However, phishing and BEC attacks require special attention as an increasing number of organizations move their email service to SaaS services, such as Microsoft Office 365 or Google G Suite.

Phishing IR Playbook v1.0

Cybersecurity Alert

Ransomware is a very simple but effective kind of malicious software that affects home users as well as government departments, courts, hospitals, universities, large enterprises, small and medium enterprises, and even non-government organizations (NGOs). Since 2013, it has become a key financial campaign of choice for cybercriminal organizations. It performs malicious actions to encrypt personal files (such as images, movies, documents, or text files) on the infected systems, encrypt files on shared network drives (including connected NAS or storage devices), lock systems’ access, crash systems, or even display disruptive and indecent messages containing pornographic images to embarrass users and force victims to pay a ransom through bitcoin (or other crypto-currencies) by using elaborate techniques.

Ransomware Playbook v3.3

Cybersecurity Alert

The vulnerability is believed to have been first found by the National Cyber Security Center (NCSC) in the UK. As of May 17, NCSC had observed no exploitation of this vulnerability; however, they regard it as a serious threat. Microsoft has taken the unusual step of providing security updates to all customers to protect Windows platforms, including some out-of-support versions of Windows, including Windows XP and Windows Server 2003. As of May 23, 2019, the McAfee team was believed to have the exploit called bluekeep[.]exe.


Cybersecurity Alert

The Computer Security Incident Response Team from Dragon Advance Tech is aware of the trend of ransomware incidents in Hong Kong. Since 2017, more than 20 attacks by a ransomware called “Crysis” have been identified in Hong Kong. This kind of RDP brute force is still a popular approach to gain access into a system. The attackers have used similar tactics, techniques, and procedures (TTPs) to compromise a system. However, our incident response team has discovered that attackers may use some advanced attacking tools “in the wild”—meaning threats spreading among real world computers, as opposed to test systems—to compromise a system. The old Microsoft Windows 2003 or Windows XP systems are most vulnerable to attack.


Cybersecurity Alert

Business Email Compromise (BEC) is a form of cybercrime threat that has become more prevalent in recent years, prompting the attention and concern of businesses and organizations worldwide. More than US$195.3 million was defrauded from companies in Hong Kong and overseas in the first 10 months of 2018, and the trend will likely keep growing in 2019. The most common path for the stolen money is through a wire transfer to Hong Kong or China, so unless there is quick intervention by domestic law enforcement, foreign victims will find it almost impossible to recover their money swiftly. As a quick reference guide to help Hong Kong organizations select their anti-phishing or BEC solutions, Dragon Advance Tech reviewed several common commercial solutions to defend against BEC threats.

Security White Paper on BEC

Cybersecurity Alert

Business Email Compromise (BEC), sometimes known as CEO scam, has been an effective way for attackers to defraud victims of money. Attackers usually begin by researching the LinkedIn profiles of the victim organization's executives, followed by sending spear-phishing emails to trick the recipients into remitting funds to money mules overseas. Even though crime prevention tips are published, there is still a significant increase in the number of similar incidents. We propose that corporate cybersecurity teams set up monitoring solutions to detect and alert on such spear-phishing emails.

Business Email Compromise (BEC) Report

Cybersecurity Alert

The cybersecurity landscape is changing. The hospitality industry needs to be aware of POC malware and “third party” or “Supply-Chain” attacks. Business entities in Hong Kong should perform security risk assessments on their outsourced IT operations. Attacks can also be caused by insiders.

Hospitality industry and outsourced IT operations Report

Cybersecurity Alert

Many SMEs in Hong Kong outsource their IT support to external IT service companies. Those ad hoc IT teams tend to deliver their IT maintenance services through RDP (Remote Desktop Protocol) to the clients’ computers from their Internet-facing devices. We observed that many Internet-facing RDP connections are subject to brute force attacks, and compromised systems were planted with ransomware after sufficient data had been collected.

Firewalls and anti-virus solutions are insufficient and ineffective in protecting against these threats, especially if they are misconfigured. We advise Hong Kong SMEs to put additional cybersecurity countermeasures such as security incident monitoring to defend their critical computer networks and systems and identify the source of the attacks. Otherwise, recurring attacks might happen.


DAT Pro Bono Cyber Defense Program (Advanced attacks)

  • Providing Pro Bono protection to NGOs in Hong Kong
  • Registered members receive a free preliminary security assessment and free use of a host-based compromise assessment tool

Pro-Bono Program Details

Industry 4.0 will bring about a highly connected and digitized global industry supply chain. Yet the accompanying cyber security risks should not be ignored.

The "Cyber Security for Industry 4.0 International Conference -- Connecting to Tomorrow's Global Supply Chain" aims to bring together international experts to transfer knowledge, international experiences and best practices in managing change of paradigm to the industry of Hong Kong, and the IT service providers supporting the industry.

The target audience of this two-day conference are the manufacturing industry, implementation and control units from factory including automation device suppliers, management of IT procurement, IT vendors and system integrators that provide service to factory, information security professionals and IoT suppliers and those who are interested in developing in Industry 4.0.

The conference includes technical seminar sessions presented by overseas and local cyber security experts, and technology showcases / demonstrations by technology solution providers.

The Securities and Futures Commission (SFC) today released Guidelines to Reduce and Mitigate Hacking Risks Associated with Internet Trading (Guidelines) issued under section 399 of the Securities and Futures Ordinance. The Guidelines set out 20 baseline preventive, detective and other control requirements for the industry to improve cybersecurity resiliency.

Press release

Our Mission

to assist our clients to identify, manage, monitor, block, and investigate cyber attacks effectively by referring to reliable cyber threat intelligence

Our Story

In 2017, our founders saw clearly the increasing demand from organizations that want to enhance their cyber security defenses against the most dangerous and sophisticated attackers. Moreover, leaders at the highest levels of any enterprise now require deeper and more precise awareness of cyber threat dynamics and their potential consequences. However, most businesses still find it challenging, sometimes impossible, to identify competent and trustworthy experts to help leaders guide their organizations to a robust security posture.

Data leakage and service disruptions are escalating at an alarming rate, such that every leading organization can become the next target. Meanwhile, most advanced economies are tightening their regulations around mandatory breach reporting, while the market and courts are growing less forgiving towards firms whose partners and customers incur harm or costs because of successful intrusions.

Ensuring world-class cyber security and resilience is a difficult and complex endeavor at which only a rare few organizations have yet succeeded in even partial and relative terms. We realized that organizations’ internal resource constraints are one of the most common reasons for persistent insecurity. In-house information security or incident response teams are usually only provided with limited resources and often even less time to handle investigations and forensic needs. They rarely, if ever, have opportunities to evaluate the merits of next-generation technologies or to explore the many ways in which cyber threat intelligence can assist them in honing their proactive defenses for maximal protective effect.

Because our founders have solved these problems successfully in varied contexts as we accrued many years of experience as cyber security professionals, we decided to establish Dragon Advance Tech. To do this, we have gathered some of the smartest, most diligent information security practitioners in the area to deploy effective and feasible solutions, encompassing technology, analysis, and polished client engagement. Our goal is to work as trusted advisors to our clients, working together to narrow the advantages now enjoyed by the sophisticated adversaries we all face in this asymmetric war of information and economics.

Our services cover Hong Kong/Macau, Singapore, Malaysia, the Philippines and the U.K.

Leadership and management

Visionary security professionals with extensive experience

Frankie Li – VP of Finance and Alliance

Cypri Yu – Business Development

Ken Ma – Security Engineer

Ken Wong – Security Analyst

Frankie Li

An independent malware analyst

Speaker in various security conferences, such as Blackhat US, HITCON, HTCIA

Founder of Dragon Threat Labs and DragonCon

Researching topics:

  • Malware Analysis
  • Cyber Threat Intelligence
  • ATM Malware
  • IoT Security
  • SCADA/ICS Security
  • SOC and Security Analytics

Cypri Yu

Cypri Yu is an expert in Information Protection, Cyber Security, and Digital Investigation, with over 15 years of experience advising clients in both the private and public sectors, including various law enforcement agencies in Asia Pacific, notably Hong Kong, Singapore, Thailand, and Macau.

Cypri has worked at a large Enterprise-Solution company in Hong Kong, where he was responsible for designing solutions related to information security and data centers for clients, such as firewalls and VPNs, anti-virus and anti-spam, web content filtering, employee computer-behavior monitoring, Digital Video Recording, biometric door access controls, etc.

Cypri was also an Information Security Consultant for a global risk consulting firm across Asia Pacific, and later on was employed by one of the big 4 accounting firms working on Data Analytics and Forensic Technology. He was responsible for a variety of Computer Forensic investigation projects and information security projects, which covered lawful on-site digital evidence acquisition, computer and mobile phones forensics investigations. He also advised clients on sensitive information protection, credit card processing systems audit and information security, and computer networks vulnerability assessment.

Before joining Dragon Advance Tech, he was hired by a global leader of IT security risk and compliance management solutions provider, and was responsible for the Information Risk Assessment and the Regulatory Compliance market in the Greater China and the Asia Pacific region.

Cypri regularly trains various law enforcement agencies in Asia, including Singapore Police Force (SPF), the Attorney General's Chambers (AGC) of Singapore, the Royal Thai Police, Thailand Anti Money Laundering Office (AMLO), Hong Kong Police Force, Hong Kong Customs and Excise Department, Hong Kong Immigration Department, Independent Commission Against Corruption (ICAC) of Hong Kong, Securities and Futures Commission (SFC), the Macau Anti-Corruption unit (“CCAC”). Cypri speaks fluent English, Mandarin, and Cantonese.

Professional Qualifications:

  • Certified Information Security Professional (CISSP)
  • Certified Information System Auditor (CISA)
  • EnCase Certified Examiner (EnCE)
  • Nuix Certified Examiner (NCE)
  • Nuix Certified Trainer
  • Nuix Certified Technical Engineer (NCTE)
  • Cellebrite Certified Physical Analyst (CCPA)
  • High Technology Crime Investigation Association (HTCIA) – China Liaison Officer
  • Payment Card Industry Data Security Standard Qualified Security Assessor (PCI DSS QSA)
  • Payment Card Industry Data Security Standard Qualified Payment Application Security Professional (PCI DSS QPASP)
  • QualysGuard Certified Specialist
  • Cisco Certified Network Associate (CCNA)

Ken Ma

Ken Ma is an experienced Tier 2 Security Analyst and a cybersecurity incident responder. He possesses solid experience and knowledge in red (attack) team TTPs. He is currently managing the company’s Security Operation Center (SOC) and building up the company’s Purple team capability, which helps our clients to defend against ever-changing advanced cyber attacks.

He has over 16 years of professional information technology experience covering various industry sectors, including the financial services industry. Ken Ma is a trusted security advisor to our banking and finance customers.

He graduated from the Hong Kong University of Science and Technology with a Master of Science in Information Technology and Hong Kong Polytechnic University with a Bachelor of Arts in Computing.

Professional Qualifications:

  • GIAC Certified Incident Handler (GCIH)
  • Offensive Security Certified Professional (OSCP)
  • GIAC Penetration Tester (GPEN)
  • AlienVault Certified Security Engineer (ACSE)
  • Cisco Certified Network Associates (CCNA)
  • Microsoft Certified System Engineer (MCSE)

Ken Wong

Ken Wong joined Dragon Advance Tech as a cyber security analyst, with solid experience in both the red (attack) team and the blue (defense) team. Since 2011, he has been researching various cyber security related topics such as mobile application development and testing, efficient migration of information systems, and IoT (Internet of Things) applications and security, including unmanned drones, network cameras, and smart home devices. Recently, purple teaming (operating blue teams with red teams' knowledge and intelligence) has become his main research area, including malware analysis, malware reverse engineering, cyber security monitoring and operation, cyber attackers’ TTPs (tactics, techniques, and procedures), cyber threat intelligence, big data analytics, protocol reverse engineering, cyber security incident response, and digital forensics.

Ken Wong graduated from the University of Hong Kong with a Bachelor of Engineering and a Master of Science, both in Computer Science. He speaks fluent Cantonese, English, and Mandarin.

Professional Qualifications:

  • Offensive Security Certified Professional (OSCP)
  • Certified Information Security Professional (CISSP)
  • Certified Information System Auditor (CISA)
  • Information Technology Infrastructure Library (ITIL) Certificate
  • AlienVault Certified Security Engineer (ACSE)
  • EC-Council Certified Security Analyst (ECSA)

Our Services

Incident Response

We can help you to quickly identify, efficiently contain and eradicate advanced cyber attacks

Our experienced incident responders can provide on-site and cloud-based emergency response service

Forensics & Investigations

Applying business analytics, our digital forensics and data acquisition services can help you resolve disputes, identify fraud and perform regulatory investigations more accurately

Security Monitoring and Management

Our SOC can help you to properly manage possible attacks by monitoring your computer systems and network facilities

Cyber Threat Intelligence

Our threat analysts can provide effective insights on various threat actors by aggregating and correlating their TTPs and collections of malicious activities from selected endpoint technologies

Customers get access to, and are supported by, our unique threat intelligence to quickly identify possible attacks

We are a strong supporter of open source tools; therefore we developed #Maltelligence and support the development of #ThreatMiner

Penetration Testing

Our experts are a highly qualified and extensively trained red team who can quickly identify your system or network vulnerabilities, and who are also equipped with the mindset of a blue team to provide recommendations to address the identified loopholes


We offer bespoke, hands-on training programs to strengthen cyber security professionals at any level with the knowledge, skills, and live experience to handle the most adverse attack situations, all reflecting real-world dangers they will confront every day

Frankie is an instructor of Application Security classes at HK Police CSTCB and a guest lecturer in HKU MSc reverse engineering and malware analysis classes

DAT Careers

Dragon Advance Tech (DAT) offers immediate opportunities in our Team.

Technical Intelligence Analyst

DAT has an immediate opening for a Technical Threat Researcher to join our team. The position provides an opportunity to develop the skill set to support our esteemed clients in defending their computing systems and networks from a range of cyber threats, including Advanced Persistent Threat groups and cyber criminals/gangs.

This candidate is expected to have these qualifications:

  • Bachelor degree or equivalent
  • Proactive and self-motivated
  • Be able to work in an environment with little supervision
  • Knowledge of cyber threat landscape
  • Experience with:
    • Malware reverse engineering
    • Collection and analysis of technical security data (e.g. IOCs)
    • Authoring of threat research reports (technical parts)
    • Development of threat intelligence sharing platforms

General Responsibilities

  • Threat research and malware reverse engineering, under supervision of higher levels of strategic intel and CTI professionals
  • Implementation and integration of threat research in analysing attack incidents
  • Malware analysis
  • Network traffic analysis
  • Memory Analysis
  • Detection rule writing to hunt for adversaries’ attack indicators

Please feel free to email us if you are interested in the opportunity.

Cyber Security Analyst

DAT has an immediate opening for a Cyber Security Analyst to join our CSOC team. The position will involve a mix of technical security design, operation, assurance and review, in addition to maintenance of processes/procedures/tools to demonstrate security controls that are embedded across our clients' computing systems and networks.
Curiosity, imagination and cool-headed judgement are as important as technical skills.

This candidate is expected to have these qualifications:

  • Bachelor degree or equivalent
  • Proactive and self-motivated
  • Be able to work in an environment with little supervision
  • Knowledge of cyber security ecosystem and the latest cyber security landscape
  • Experience with:
    • Familiar with the security practices on patch/change management, vulnerability scanning, system hardening and malware detection
    • Good knowledge in security features of firewall, IDS/IPS, database, web server/applications and Windows/Linux platforms
    • Preferable to have hands-on experience in SIEM, HIDS, NIDS/NIPS, netflow analysis
    • Best to be a CISSP, CEH, GIAC, OSCP or similar certifications
    • Knowledge in programming languages such as: C, C++, Python

General Responsibilities

  • Familiarity with security management principles and practices
  • Experience of managing security incidents
  • Log collection/analysis, network security monitoring and incident investigation/response
  • Perform tactical analysis on core network services profiles (such as: SMTP, DNS, HTTP, and HTTPS)
  • Explain, critically analyze and compare how to build effective alerts from the variety of events or incidents collected or use cases analyzed.

Please feel free to email us if you are interested in the opportunity.

Penetration Testers

DAT has two immediate openings for Penetration Testers to join our team. The position provides an opportunity to develop the skill set to support our clients, especially in the financial sector, in defending their computing systems and networks and in implementing the proposed CFI imposed by HKMA in May 2016.

This candidate is expected to have these qualifications:

  • Bachelor degree or equivalent
  • Proactive and self-motivated
  • Be able to work in an environment with little supervision
  • Knowledge of cyber threat landscape
  • Experience with:
    • General security practice in the banking industry
    • Working with strategic intel and CTI professionals
    • Special focus on cyber resilience, data protection in cyber security governance
    • Assessing the network and application security in a wide range of industry sectors
    • Working with clients to understand their testing requirements
    • Collaborating with the testing team to share knowledge and expertise

General Responsibilities

  • CREST CPSA or CRT or OSCP certification
  • CCASP Tester (Infrastructure) or CCASP CRT
  • 2+ years’ penetration testing experience
  • Proven ability to perform security assessments or vulnerability assessments
  • Experience in web and mobile app testing
  • A highly analytical mindset

Please feel free to email us if you are interested in the opportunity.