- A Distributed Intrusion Detection System Based on Passive Sensors
- A Framework for Effective Alert Visualization
- A Strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems
- Automated Extraction of Threat Signatures from Network Flows
- Behavioral Study of Bot Obedience using Causal Relationship Analysis
- Botnets as Vehicle for Online Crime
- Building and Deploying Billy Goat: a Worm-Detection System
- CarmentiS - a German Early Warning Information System - Challenges and Approaches
- CERT's Virtual Training Environment: A New Model for Security and Compliance Training
- Counter-Forensic Tools: Analysis and Data Recovery
- Designing and Developing an Application for Incident Response Teams
- Design Your Network to Aid Forensic Investigation
- Effectiveness of Proactive CSIRT Services
- Evaluating CSIRT Operations
- Honeypot Technology: Principles and Applications
- If You Don't Know What You Don't Know
- Keynote: Building Effective Relationships between CSIRTs and Law Enforcement
- Keynote: Computer Security Incident Response - Past, Present, Future
- Keynote: Fixing Internet Security by Hacking the Business Climate
- Maximizing the Benefits of Intrusion Prevention Systems: Effective Deployment Strategies
- Netflow Tools NfSen and NFDUMP
- Proposal of RSS Extension for Security Information Exchange
- RAPIER - A 1st Responders Info Collection Tool
- Reliably Determining the Outcome of Computer Network Attacks
- Risk Analysis Methodology for New IT Service
- Secure Coding in C and C++
- The Impact of Honeynets for CSIRTs
- The Network-Centric Incident Response and Forensics Imperative
- The Survivability and Information Assurance (SIA) Curriculum
- Threats of P2P File Sharing Software - a Japanese Situation About "Winny"
- Time Signatures to Detect Multi-headed Stealthy Attack Tools
- VisFlowConnect-IP : A Link-Based Visualization of NetFlows for Security Monitoring
- Worm Poisoning Technology and Application
A Distributed Intrusion Detection System Based on Passive Sensors
Technical Track
Wednesday June 28th, 16:00
SURFnet is a very high-speed network which connects the networks of Dutch universities, colleges, research centers, academic hospitals and scientific libraries to one another and to other networks in Europe and the rest of the world. SURFnet handles many computer security incidents in which a SURFnet...
Authors & presenters: Rogier Spoor (SURFnet-CERT SURFnet, NL)
A Framework for Effective Alert Visualization
Technical Track
Friday June 30th, 14:30
Any organization/department that provides security typically deals with a large volume of alerts and logs generated from a variety of sources. These could originate from firewalls, intrusion detection/prevention devices and agents, vulnerability scanners, etc. It would seem like a good idea to apply...
Authors & presenters: Jon Ramsey, Uday Banerjee (SWRX CERT SecureWorks, US)
A Strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems
Business/Management Track
Wednesday June 28th, 15:00
Early warning and detection mechanisms including distributed intrusion detection systems and honeynets are often deployed to detect new worm and virus infected machines. In a large enterprise network, especially in universities with more than 30,000 online nodes, it is often a challenge to cost-effectively...
Authors & presenters: Steven Sim Kok Leong (NUSCERT National University of Singapore, SG)
Automated Extraction of Threat Signatures from Network Flows
Technical Track
Wednesday June 28th, 14:30
The paper describes methods of automated threat signature generation from network flows. These methods are being implemented as part of the CERT Polska early warning ARAKIS project, and the paper is a follow-up to the ARAKIS talk given at the FIRST 2004 Budapest conference. The paper identifies what...
Authors & presenters: Piotr Kijewski (CERT POLSKA Research and Academic Computer Network in Poland, PL)
Behavioral Study of Bot Obedience using Causal Relationship Analysis
Technical Track
Wednesday June 28th, 15:00
Botnet discovery can be difficult, since the existence of a network is often discovered only after it is used for widespread activity such as a DDoS or a phishing scam. Sharing intelligence on potential botnet traffic is also problematic, mainly due to data privacy issues.
In this paper, we...
Authors & presenters: Lari Huttunem, Pekka Pietikäinen (University of Oulu, FI)
Botnets as Vehicle for Online Crime
This presentation goes beyond simple explanation of what a botnet is and dives into specific bot technologies and how they are used in the commission of online crime. When the presentation is complete, attendees will have a better understanding of botnet technologies, how these technologies are leveraged...
Authors & presenters: Aaron Hackworth, Nicholas Ianelli (CERT/CC Carnegie Mellon University, US)
Building and Deploying Billy Goat: a Worm-Detection System
Technical Track
Thursday June 29th, 14:00
Billy Goat is a worm detection system widely deployed throughout IBM and several other corporate networks. We describe the tools and constructions that we have used in the implementation and deployments of the system, and discuss contributions which could be useful in the implementation of other similar...
Authors & presenters: Diego Zamboni, James Riordan, Yann Duponchel (IBM MSS IBM Zurich Research Laboratory, CH)
CarmentiS - a German Early Warning Information System - Challenges and Approaches
Business/Management Track
Thursday June 29th, 14:00
In the last quarter of 2005, the German CERT-Verbund started to implement an early warning information system (EWIS) called CarmentiS. As in any known early warning information system, one building block of CarmentiS is a set of decentralized sensor networks, which form the backbone of the system....
Authors & presenters: Jürgen Sander (PRE-CERT PRESECURE Consulting, GmbH, DE)
CERT's Virtual Training Environment: A New Model for Security and Compliance Training
The CERT Virtual Training Environment (VTE, online at https://www.vte.cert.org) provides self-paced remote access to CERT's suite of Information Assurance and Computer Forensics training material in virtual classroom and knowledge library formats. VTE follows a "read it, see it, do it" instructional...
Authors & presenters: James Wrubel (CERT/CC Carnegie Mellon University, US)
Counter-Forensic Tools: Analysis and Data Recovery
Business/Management Track
Thursday June 29th, 14:30
Among the challenges faced by forensic analysts are a range of commercial 'disk scrubbers', software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent...
Authors & presenters: Matthew Geiger (CERT/CC Carnegie Mellon University, US)
Designing and Developing an Application for Incident Response Teams
Business/Management Track
Wednesday June 28th, 16:30
Computer security incident response teams need to track incidents as they develop. To support day-to-day operations, teams need to be able to generate quick overviews of ongoing incidents, and they must be supported in their daily work by automating as much routine work as possible. AIRT is a web-based...
Authors & presenters: Kees Leune, Sebastiaan Tesink (Tilburg University, NL)
Design Your Network to Aid Forensic Investigation
Technical Track
Monday June 26th, 14:00
Although security and related tools have improved over the years, all too often the first signs of a compromise appear in the form of a trouble ticket or problem report. Even though many monitoring methods are available, when deployed, security teams quickly find themselves buried in data or very busy...
Authors & presenters: Robert Sisk (IBM MSS IBM Corporation, US)
Effectiveness of Proactive CSIRT Services
Business/Management Track
Friday June 30th, 14:00
Background
For the FIRST 2005 conference we put together a paper researching limitations related to the reactive CSIRT services, mainly the response to low priority incidents. As the PhD research project of Johannes Wiik continued [Wiik et al. 2005], the scope was broadened to study the limitations...
Authors & presenters: Johannes Wiik, Jose Gonzalez (Agder University, NO), Klaus-Peter Kossakowski (Software Engineering Institute, DE)
Evaluating CSIRT Operations
Business/Management Track
Monday June 26th, 14:00
This tutorial will discuss the reasons, outcomes, and benefits of evaluating incident management capabilities such as CSIRTs.
Four different methodologies will be presented that can be used to evaluate various aspects of incident management capabilities.
During the tutorial,...
Authors & presenters: Audrey Dorofee, Chris Alberts, Robin Ruefle (CERT/CC Carnegie Mellon University, US)
Honeypot Technology: Principles and Applications
Technical Track
Tuesday June 27th, 14:00
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Based on this definition, we will introduce the topic with an overview of the evolution of this technology, from the beginning to the latest advances.
This tutorial will cover in...
Authors & presenters: Franck Veysset, Laurent Butti (France Télécom R&D, FR)
If You Don't Know What You Don't Know
IT Security has by definition always been a reactive business. It is like having a castle, protecting the crown jewels with locked gates (firewalls), intrusion detection (the watch) and intrusion prevention methods (hot oil and pitch, arrows, stones, dead horses etc.). Preventing anyone unauthorized to...
Authors & presenters: Arjen de Landgraaf (Co-Logic Security, Ltd, NZ)
Keynote: Building Effective Relationships between CSIRTs and Law Enforcement
Authors & presenters: Brian Nagel (Assistant Director, Office of Investigations, U.S. Secret Service, US)
Keynote: Computer Security Incident Response - Past, Present, Future
Authors & presenters: Richard Pethia (CERT/CC Carnegie Mellon University, US)
Keynote: Fixing Internet Security by Hacking the Business Climate
Authors & presenters: Bruce Schneier (Counterpane Internet Security, Inc., US)
Maximizing the Benefits of Intrusion Prevention Systems: Effective Deployment Strategies
Business/Management Track
Wednesday June 28th, 16:00
This paper discusses general intrusion prevention systems concepts and provides a context-based analysis of the techno-economic imperatives as the driver of this technology. Further, in light of the Gartner 2004 recommendations, the paper examines the security needs and functional requirements for enterprise...
Authors & presenters: Calvin Miller, Charles Iheagwara, Farrukh Awan, Yusuf Acar (District of Columbia Government, US)
Netflow Tools NfSen and NFDUMP
Technical Track
Wednesday June 28th, 16:30
For network security teams of any size, an accurate analysis of the traffic situation is essential. The well-known traffic graphs do not give enough information, especially for investigating security-related incidents. Working with netflow data turned out to be a good balance between collecting and processing...
Authors & presenters: Peter Haag (SWITCH-CERT The Swiss Education and Research Network, CH)
Proposal of RSS Extension for Security Information Exchange
Business/Management Track
Friday June 30th, 14:30
Unauthorized access intended to spread malware has been active and is causing a lot of damage worldwide. In order to eliminate vulnerabilities and prevent unauthorized access, it is necessary to improve the way security information about computer software and hardware is distributed. When a new vulnerability...
Authors & presenters: Masato Terada (HIRT Hitachi, JP)
RAPIER - A 1st Responders Info Collection Tool
Technical Track
Thursday June 29th, 14:30
Topic
RAPIER (Rapid Assessment & Potential Incident Examination Report) is a security tool built to assist in malware collection and analysis. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates...
Authors & presenters: Joseph Schwendt, Steven Mancini (IFT Intel Corporation, US)
Reliably Determining the Outcome of Computer Network Attacks
Technical Track
Wednesday June 28th, 14:00
Organizations frequently rely on the use of Network Intrusion Detection Systems (NIDSs) to identify and prevent intrusions into their computer networks. While NIDSs have proven reasonably successful at detecting attacks, they have fallen short in determining if attacks succeed or fail. This determination...
Authors & presenters: Barry Mullins, David Chaboya, Richard Raines, Rusty Baldwin (AFCERT Air Force Institute of Technology, US)
Risk Analysis Methodology for New IT Service
Business/Management Track
Wednesday June 28th, 14:00
This research intends to provide a new risk management methodology that predicts the security of future-oriented IT services and helps to create a counter strategy in advance. The proposed methodology is founded on domestic as well as foreign methodology and the information protection reference model ITU-T...
Authors & presenters: Jun Heo, Yoojae Won (KrCERT/CC Korea Information Security Agency, KR)
Secure Coding in C and C++
Technical Track
Monday June 26th, 09:10
Secure Coding in C and C++ provides practical advice on secure practices in C and C++ programming. Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming.
Authors & presenters: Robert Seacord (CERT/CC Carnegie Mellon University, US)
The Impact of Honeynets for CSIRTs
Business/Management Track
Wednesday June 28th, 14:30
For the daily work of a CSIRT it is of major importance to know which vulnerabilities are currently being abused to compromise computers, and to warn the constituency in time if a zero-day exploit is found. Besides the traditional incident response work, honeypots have proven to be increasingly important to follow...
Authors & presenters: Jan Kohlrausch, Jochen Schönfelder (DFN-CERT DFN-CERT Services GmbH, DE)
The Network-Centric Incident Response and Forensics Imperative
Business/Management Track
Friday June 30th, 15:00
Security staff often take a host-centric approach to determining the scope and damage of computer intrusions. Standard forensics techniques are hard-drive centric, with collection and analysis of live data only gradually being adopted. This presentation offers a complementary set of practices focusing...
Authors & presenters: Richard Bejtlich (TaoSecurity, US)
The Survivability and Information Assurance (SIA) Curriculum
Today's professional system and network administrators are increasingly challenged to make computer and network security a greater part of their overflowing set of daily activities. In response to this trend, the Software Engineering Institute (SEI), specifically the CERT® Program, has designed a three-course...
Authors & presenters: Lawrence Rogers (CERT/CC Carnegie Mellon University, US)
Threats of P2P File Sharing Software - a Japanese Situation About "Winny"
Business/Management Track
Wednesday June 28th, 17:00
Information leakage incidents (especially those involving important confidential information) have increased in Japan. Most of those incidents are caused by a virus named "Antinny", which was developed for the P2P file sharing software "Winny". Winny is the name of a P2P file sharing program. In this presentation,...
Authors & presenters: Keisuke Kamata, Yuichi Miyagawa (JPCERT/CC JPCERT Coordination Center, JP)
Time Signatures to Detect Multi-headed Stealthy Attack Tools
Technical Track
Friday June 30th, 15:00
In this paper, we present a method to detect the existence of sophisticated attack tools in the Internet that combine, in a misleading way, several exploits. These tools apply various attack strategies, resulting in several different attack fingerprints. A few of these sophisticated tools have already been...
Authors & presenters: Fabien Pouget (CERTA French Government, FR), Guillaume Urvoy-Keller, Marc Dacier (Institut EURECOM, FR)
VisFlowConnect-IP : A Link-Based Visualization of NetFlows for Security Monitoring
Network traffic dynamics have become an important behavior-based approach to assist security administrators in protecting networks. In this paper/presentation we present VisFlowConnect-IP, a link-based network flow visualization tool that allows operators to detect and investigate anomalous internal...
Authors & presenters: William Yurcik (NCSA-IRST National Center for Supercomputing Applications, US)
Worm Poisoning Technology and Application
Technical Track
Friday June 30th, 14:00
The current strategy against Internet worms is similar to catching a mouse with a mousetrap: clip the occasionally passing mouse and never release it until it dies. However, this strategy is less effective than spreading pest control chemicals to cause a plague among a group of cockroaches. For...
Authors & presenters: Cui Xiang, Wu Bing, Yonglin Zhou, Zou Xin (CNCERT/CC National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)