Program Overview

• Beyond 400 Gbps: Abusing NTP and Other Protocols for DDoS

  Mr. Christian ROSSOW (Vrije Universiteit Amsterdam)

  In amplification DDoS attacks, an adversary abuses the fact that public servers of UDP-based network protocols respond to requests without further validating the identity of the sender. In Feb 2014, attackers abused the NTP protocol to launch the largest-ever DDoS attack to-date (about 400 Gbps attack traffic volume). This talk describes amplification vulnerabilities in 14 network protocols. We raise a discussion of what can be done to counter such vulnerabilities.

  April 8, 2014 15:45-16:30

  rossow-christian-slides.pdf

  MD5: e3f54ea0250ed69d9b2f78c3b3ce3516

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1012.7 Kb

• Beyond Zone File Access: Discovering Novel Domain Names Using Passive DNS

  Henry STERN (Farsight)

  Security practitioners make use of data about domains obtained through Zone File Access to find newly-registered malicious domains. This is limited in scope by the number of registries offering such access and by the participating registries’ limit of one download per 24-hour period. This talk will demonstrate a method of extracting novel domain names from passive DNS data in real time, will present historical data about domain registrations per TLD over time, and will discuss the advantages and disadvantages of using passive DNS data versus downloaded zone files for research.

  Estimated time: 45 minutes

  April 7, 2014 09:15-10:00

• CERT Portal Demonstration & Snowshoe Spamming

  Carel VAN STATEN (Spamhaus)

  Carel van Straten is an investigator at The Spamhaus Project, where he finds out what makes the spammers' infrastructure tick - and makes sure it stops ticking. He investigates malware, snowshoe spam, DNS, abused free services, domains, their owners and anything in between. This talk will cover two topics:

  Part 1: A demonstration of the CERT portal and the data available there. Part 2: A look at snowshoe spamming and (abandoned) network hijacking.

  April 7, 2014 15:30-16:30

• CSIRT Playbook 2.0: Choose Your Own Misadventure

  Jeff BOLLINGER (CISCO), Matthew VALITES (CISCO)

  Cisco's CSIRT has evolved beyond the traditional SIEM based incident response model towards a data-centric log mining approach. CSIRT calls this approach and its associated techniques, ”The Playbook".

  This presentation will detail our progress in reducing the complexity of our old systems into basic, functional elements that can be incorporated into any incident response team's incident handling strategy.

  We will share Cisco's lessons learned in redefining our incident detection strategy, outline our modular framework, and provide some real examples of successful “plays” along with a discussion about what makes them effective. We believe any IR team can effectively use this approach, and we want to change how you think about incident detection and response.

  Estimated time: 60 minutes

  April 8, 2014 09:30-10:30

• CVSS v3 – This One Goes to 11

  Seth HANFORD (CISCO)

  Software vulnerabilities — love em or hate em, they're crucial to your job. Likewise, you may have a love/hate relationship with vulnerability classification and severity scoring (like CVSS v2 or any number of proprietary methods). In this talk we will look at statistics and characteristics for thousands of vulnerabilities to see if we can determine what CVSS v2 did wrong, what it did right, and what we (the CVSS v3 Special Interest Group) intend to do to fix it. We will also come away with a better understanding for why systems like CVSS are important to security practitioners, even those who'd rather be popping shells than pushing off patches whose scores are "too low to care about".

  Estimated time: 45 minutes

  April 8, 2014 11:00-12:00

• DNS TTL Project

  Levi GUNDERT (CISCO), Armin PELKMANN (CISCO)

  DNS open resolvers are regularly leveraged by threat actors to create un-attributable distributed denial of service (DDNS) attacks against unsuspecting (and often helpless) victims. It's time we use open resolvers for a positive purpose to the benefit of the good guys. We discuss the underlying methodology and details related to our new free tool, which is intended to provide law enforcement and security researchers with a better understanding of specific domain resolution activity. Provide an input domain, and find out how we triangulate general victim and/or attacker locations.

  April 8, 2014 15:00-15:45

• dnstap: High Speed DNS Logging Without Packet Capture

  Henry STERN (Farsight)

  The DNS protocol presents interesting logging challenges. Common approaches to DNS logging include instrumentation internal to the DNS server which generates textual log messages ("query logs"), and external passive observation of DNS network traffic ("packet capture"). This presentation will outline some of the strengths and weaknesses of these two approaches and will showcase a hybrid vendor-neutral logging implementation, "dnstap", that can provide at high speed the high quality data needed for DNS monitoring applications such as passive DNS replication and query logging.

  Estimated time: 30 minutes

  April 8, 2014 09:00-09:30

• Ingesting 1.2 Million Network Packets per Second Using HBase in Real Time

  Michael BURG (CISCO), Pablo SALAZAR (CISCO)

  Real time network packet analysis is extremely critical for any network security. Ability to collect all the network traffic and analyze it in real time is an elephantine challenge. Especially, during Denial of Service attacks, there could be millions of packets travelling over network per second. Not many systems can capture, analyze, store and provide alerts/insights at this rate. We at Cisco and Hortonworks together built a solution named OpenSOCthat can capture, deeply inspect and analyze these packets; at the rate of 1.2 million packets per second in real time. This talk covers the use case and our use of HBase alongwith Kafka-Storm–ElasticSearch to ingest 1.2 million network packets per second in real time. Specifically, we discuss how we started with just 5K packets per second and scaled the system to handle 1.2 million packets per second, the solution choices, different techniques and strategies, traditional and innovative approaches that made the performance jump through the roof. Attendees can take away learnings from our real-life experience that can help them understand various tuning methods, their tradeoffs and apply them in their solutions.

  April 8, 2014 13:00-13:45

• On the Actors Behind Sefnit / Mevade

  Feike HACQUEBORD (TrendMicro)

  The number of Tor users dramatically increased in August 2013. This was shown to be caused by a botnet called Sefnit / Mevade. In this talk we present explicit evidence that an adware company has been behind Sefnit / Mevade malware for years.

  April 7, 2014 13:30-14:00

• SecAdmin – Mitigating Attacks Targeting Administrator Credentials

  Dave JONES (CISCO)

  How do we do administration of critical infrastructure with something more than just passwords? This talk will go into details about mitigations for that problem such as:

  • How to solve problems with multi factor authentication such as
  • How to require multi factor authentication for critical infrastructure that doesn’t support it
  • Ideas for multi factor on a budget
  • Creation of Administration boundaries to limit where administration can be done from
  • Separation of duties in your daily life

  Critical infrastructure examples will span across multiple operating systems (Linux, BSDi, Windows, IOS) and virtual environments (VMWare, OpenStack/KVM) with real examples of each.

  Estimated time: 45 minutes

  April 7, 2014 11:30-12:30

• Targeted Attack Case Study

  Gavin O'GORMAN (Symantec)

  Most 'targeted' attacker groups tend to target a number of industries and have quite a wide range of victims. There are however, a number of more discreet attackers active who focus on very specific targets and have done so for a number of years. This presentation will describe one of those groups, how they work, who they target, and how long they have been active.

  April 7, 2014 14:00-15:00

• The Internet of Everything (Compromised)

  Martin LEE (CISCO)

  Advances in integrated circuits mean that processors are becoming more powerful in terms of functionality, yet consuming less power, and becoming smaller in size. These features coupled with the ubiquity of internet connectivity means that all sorts of devices are being connected to the internet. The ability to remotely monitor and react to changing conditions may bring advantages in terms of reducing waste and increasing efficiency. But what are the implications from a security perspective?

  Unpatched devices, running obsolete code, communicating with insecure protocols to lowest price remote facilities management centres enable many new and interesting means by which miscreants can attack organisations. In this session we shall discuss the implications of the “internet of everything” and how security professionals need to consider and manage the risks entailed.

  April 8, 2014 13:45-14:30

  lee-martin-slides.pdf

  MD5: f4eb5e39a9d359dd9af9ea2e9b82ee8b

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 8.09 Mb

• Threat Actor Techniques

  Jeremy JUNGINGER (CISCO)

  Demonstrate leveraging real world configuration flaws to compromise an example "Acme Corporation." Specific techniques will include cross-site scripting, phishing, client-side exploitation, pivoting, token impersonation, lateral movement and data exfiltration techniques. The presentation will consist of powerpoint slides and live demos with videos to be used if the demos go awry.

  Estimated time: 45 (to 60) minutes

  April 7, 2014 10:00-11:00

• Using the Big Data Ecosystem to Look for Evidence of Botnets.

  Steven POULSON (CISCO)

  Over 15 Billion HTTP request a day pass thru Cisco’s Web Security infrastructure. This creates both opportunities and problems in looking for the footprints of botnet activity. The opportunities are that this huge amount of data allows us to better separate signal from noise and events that previously seemed random now start to show a pattern. The problems are that this amount of data in itself is difficult to search thru and this is further compounded by the fact that analytics of choice require higher order processing such as distance measures, differencing and so forth. As such this processing is unfeasible on traditional systems.

  Fortunately, in recent years developments such as Hadoop and its ecosystem allow the processing of this data to be decomposed into a large number of smaller problems on distributed hardware that can be recombined to give the solution. We show how this approach is used and how analytics can be applied to look for certain signs of botnet activity such as identifying common hosts on infected machines and unusual numbers of posts.

  April 7, 2014 16:30-17:15

• Amsterdam 2014 FIRST TC
  • Program Overview
  • Hotel Information
  • Travel Information