Conference Program

Background

Cyber-Exercises are an important part of national and international cyber-crisis-management within several communities. In this talk we present our 3J4E concept, which adresses the following three challenges of (international) cyber exercises. Encouraging international / inter-community information sharing within cyber-exercises keeping in mind the expectations of players(JIGSAW) Optimizing utilisation of limited exercise-time (JUMPSTART) Adressing top crisis management level within an international exercise (JUNCTURE)

Methodology

The 3J4E concept is modulary, which means that the three parts can be used independently. It consists of three modules presented below.

JIGSAW

One often-seen showstopper for information sharing in international operational cyber-exercises is the fact, that all participating teams get the same set of information from the scenario. As all players hold the same information there is no need or desire for information sharing. Another problem regarding to inforamtion sharing are the different levels of involvement and expectations among the playing teams. Players with a low involvement often don't share information actively so that the whole exercise due to the lack of participation of single playing teams. Our JIGSAW module tries to solve these two challenges of information sharing by separating the scenario into several so called JIGSAW-pieces and providing them to the players regarding to their level of participation and expectation. Besides scenario elements also the players need to be clustered regarding to their level of involvement. The idea behind JIGSAW is that each player just holds a little piece of information and just by sharing with others the whole situational picture becomes visible. Sharing should take place regarding the level of involvement and expectation. To split up the Scenario in pieces and clustering the players regarding their expectation we present a concept that we call the Multilevel Clustered Exercise Framework.

JUMPSTART

A well known problem of cyber exercises is the limited time frame for the exercise play. This problem even increases if strategic top level decision makers participate. A crisis timeline follows the five phases Pre-Crisis, Detection, Reporting / Alerting, Response and Wrap-Up, while the exercise timeline consits of three phases, Pre-Ex, Ex-Play and Post-Ex. In a classic exercise setup often the two timelines are aligned that way, that the Ex-Play phase covers the Detection and the Reporting / Alerting Phase of the crisis timeline. The Response phase often is just touched slightly or even not played at due to the limited playing-time. For a JUMPSTART into the exercise it is neccessary to align both timelines that way that the begin of the Ex-Play (StartEx) is aligned with the end of the Reporting/Alerting Phase. This means that the players directly start within the Response phase and can initiate the crisis management procedures right away. To reach this aim, the JUMPSTART concept shows ways how to create exercise material to cover the first three phases of crisis mangement before StartEx. This requires a more detailed preparation among planners and players but leads to a strong involvement of the stakeholders in the exercise right at StartEx. To illustrate the benefits of the JUMPSTART concept we use the well known OODA loop (Observe, Orient, Decide, Act) and activity diagrams showing national and international crisis management play.

JUNCTURE

The aim of the JUNCTURE module is to design scenario elements which reach the strategic top level of crisis manangement within an operational exercise. Besides the strategic top level decision makers this also includes staff dealing with strategic decision preparation. To reach this aim, we developed two ways of creating scenario elements, that reach the intended strategic management level: „By Aggregation“ and „By Singularity“. While the „By Aggregation“ approach deals with a large number of incidents that lead to a crisis, the „By Singularity“ approach focuses on one single high impacting incident which triggers top-level management decisions. To design scenarios which fit to one of these two approaches, we recommend a technique, which we call Consequence-Backtracking. In this method consquences of top management decisions in real crisis situations (cyber and non-cyber) are analysed to understand which level of impact is neccessary to trigger decisions on the particular mangement level. Based on this backtracking in the following step cyber scenario events are developed, which imply the same consequences as the examined real crisis.

Impact

The overall quality of cyber exercises both in governemental and business context is improved. Satisfaction of top management players will be improvend.

Significance for the audience

The audience is able to understand the three concepts and see the advantages for future cyber exercise. Due to the given implementation examples the audience is able to generate ideas for own implementations.

Incident response expertise is a rare and valued resource. Expert incident responders are expensive to hire, difficult to find, and competition for their services is fierce. Governments, the private sector, and non-profits all need experienced incident responders with the proper skills and training in order to respond to effectively to increasingly sophisticated cyber attacks.

We performed a cognitive study on expert incident responders after being inspired by existing research studies on experts in non-security domains. Our goal was to extract the conceptual frameworks or schemata that expert incident responders use to make their decisions and to represent their schemata in a form that could be understood and used by non-experts.

Our presentation will include background information on the four expert incident responders who participated in our study, the real-world proprietary stimulus materials our experts used to decide the best responses to the incidents we gave them, our methodology, and our data analysis. Next, our presentation will describe the results of our study--the schemata our expert incident handlers used to make their decisions, and what our results reveal about the incident response field when compared to the findings of researchers studying expertise in other domains such as business and military decision making.

Last, we will discuss the implications of our results in light of the current societal and business trajectory toward greater technology dependence and the ever-growing demand for incident response expertise.

Building a cyber threat intelligence program can be a daunting task given the firehose of information which could be consumed. Many organizations don't know where to even start, but the truth is it probably has already started...

• Are you monitoring the news for open source information (OSINT) and consider how a similar attack might affect your own organization?
• Do you seek out indicators of compromise (IOCs) for said incidents and apply controls or alerting to firewalls, proxies, endpoints, IDSs, etc?
• Do you collaborate with colleagues outside your organization and share information about techniques, tactics and procedures (TTPs) hackers may be using?
• Is your organization a member of FIRST, an institutional ISAC, or have a relationship with an outside security services vendor?

Those are all beginning elements to a cyber intelligence program, but the question then becomes how to mature and manage information flow past OSINT. This presentation will discuss "a day in the life" of cyber threat intelligence work, including:

• relationship building,
• bi-directional IOC sharing,
• making IOCs actionable within operational systems,
• managing the onslaught of information,
• brand protection & takedowns,
• awareness for users, engineering & management,
• pitfalls to avoid,
• and taking steps towards automation.

It will also discuss staffing considerations in a small or growing intelligence team.

This presentation will explain the process of transitioning the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) from technical specifications sponsored by the US Department of Homeland Security into formal international standards, explaining decisions made along the way and discussing lessons learned during the development, refinement, and transition process.

As pivotal ingredients in the future of automated, structured information exchange between CSIRTs, STIX and TAXII need to "land" in the right standards body with the right amount of support from public and private sector partners to help shepherd them through the process of becoming international, voluntary standards while preserving their functionality and compatibility. Nothing good comes easy, and the path to transition was full of difficult decisions.

In this session, participants will learn key considerations for engaging with international standards bodies; different roles and governance models for the various standards organizations that CSIRTs may interact with; and how to ensure international standardization of our common practices and tools has a positive and lasting impact on the CSIRT community and the constituencies we serve.

The Cyber Green Project begins with a very simple premise - that cyber health provides a broader conceptual basis for achieving a secure cyberspace. The health of the Internet, broadly defined as its ability to perform as expected and so that we can perform day to day tasks without fear of becoming the victim of an attack, has a direct impact on the security of the Internet. To that end, Cyber Green aims to measure the health of the Internet by aggregating data sets of key risk factors, and to facilitate understanding of how we might improve it for all. Central to this understanding is a set of statistically rigorous data sets, enabling comparisons over time and around the world to different geographies.

Cyber Green strives to provide CSIRTs and eventually other actors around the globe information to enable them to act as they see fit to improve cyber health. The Cyber Green Project aims to provide them with the data and insights to make the best use of their limited time and resources in order to accomplish their mission and increase the security of cyberspace.

This presentation will give an overview of the models and historical underpinnings that motivate the effort, and give details of the project's methodology for metrics, analysis, and goals.

Webshell is backdoor program which is used for web hacking most commonly

We can determine the features and methods of hacker groups easily if we know the with the unique features of webshell

For example, DMC webshell used in Dark Seoul case is used by specific hacker groups. And other hacking case, the systems DMC webshell installed are having similar methods of attacking from same IPs.

There are some cases of applying analysis disturbance techniques such as obfuscation method by stages for some attackers. So, it should be very helpful to analyze the webshell if we know the history of that.

'KrCert/CC' has about 400 cases of webshell analysis from the intrusion for Korea in 2014 and research how to classify the cases.

The followings are agenda for this presentation.

• Introduction of webshell and its feature
• System of webshell categorization and the correlation of intruders

• How to classify webshell

  1. By function
  2. By the length of webshell source code
  3. By the method of source code encoding
  4. By detection evasion
  5. By analysis disturbance
  6. By file name
  7. By concealment method
  8. By the fingerprint and transformation of webshell
  9. By the language

• Conclusion

Talk title: Adventures in Fighting Cybercrime

Presenter: Piotr Kijewski CERT Polska/NASK

The talk will cover various cybercrime operations analysed by CERT Polska in the last 1-2 years. These primarily involved various forms of malware and botnets that used Polish network properties for C&C purposes or that were specifically targeting Polish users. Many of these include banking trojans (such as VMZeus/Gozi2/Kronos), specifically web-inject malware. We will show how these evolve and use more and more sophisticated social engineering techniques to fool users into losing their money. We will also cover other cases as well that did not involve malware, but that employ similar social engineering tricks - such as mass hackings of home routers for financial gain. We will explore some cases unique to the Polish scene, including the rise of Banatrix (a relatively simple malware that is surprisingly effective in stealing money by substituting bank account numbers when these are rendered by the browser) and its friends. We will present specific case studies on how our team counters these threats and on how effective these cybercrime campaigns really are.

Relevance to audience: Talks that cover case studies on actual malware (and other cybercrime related cases), its true scale of infection and effectiveness, and how specific cases where dealt with (including sinkholing techniques), are unfortunately still rather rare in the CERT community. Sharing knowledge and experience learned will be beneficial both to the audience and the speaker ;). We will try to cover the most recent cases and some interesting older ones.

Technical level: Medium - we will cover some technical details but concentrate more on trends and how threats evolve rather than going very deep into malware internals.

Target audience: Security specialists and management with technical background.

This presentation describes barriers to information sharing and pathways to improving the effectiveness of cybersecurity collaboration. The presentation is based on research conducted by George Mason University, Dartmouth College and Hewlett-Packard under a three-year research grant from the U.S. Department of Homeland Security, the Netherlands and Sweden. Barriers to cybersecurity information sharing were identified through interviews and focus groups in dozens of public and private organizations in Europe and the United States, and through surveys of cybersecurity professionals conducted in 2014 and 2015. Building on the findings of other researchers, we present an overview of information sharing barriers within CSIRTs, C-CERTs, and M-SIRTs; between these teams and their larger organizations, and between the organization and the outside world. We also describe ways to break down barriers and promote information sharing.

The BetterCrypto Project started out in the fall of 2013 as a collaborative community effort by systems engineers, security engineers, developers and cryptographers to build up a sound set of recommendations for strong cryptography and privacy enhancing technologies catered towards the operations community in the face of overarching wiretapping and data-mining by nation-state actors. The project has since evolved with a lot of positive feedback from the open source and operations community in general with input from various browser vendors, linux distribution security teams and researchers.

This workshop will give a concise guide on how to properly deploy networked services in a secure fashion that is applicable today. We will also give an update on the project as well as new development on the front of cryptography, attacks and TLS protocol standardization.

In addition, the workshop will touch on the basics of cryptography. However, this part can only give a gentle intro and a historical view on cryptography.

The core idea behind the project is to use the skills of his authors to build an open-source guide for system administrators who need to securely configure their systems. The document is then split into two parts:

• the first one propose state of the art configuration for as much as possible different systems;
• the second part explains why certain settings through a theoretical approach.

The configuration part, try to offer configuration that could be copy/pasted to offer a valid usage of cryptography. As clear-text should protocols should be avoid, we tried to cover as many different systems and usage as possible. For instance, we cover the following technologies and implementations:

1. web server: Apache, Lighttpd...
2. mail server: Postfix...
3. remote session: SSH
4. mail encryption: PGP/GPG
5. secure chat:
6. ...

The theoretical part will cover algorithms, key size, mains concepts and properties that need to be used. It addresses the major discussions like

• algorithms to be used;
• key size;
• asymetric and symetric cryptography;
• perferct forward privacy;
• ...

Made with the open-source spirit in mind (all the document is written in Latex and published in open-source on git), our work is open for comments. We are looking for any new contribution that will be welcome.

Our goal is also to continue to complete the guide with others tools from other vendors. We also dream of a configuration tool that could help people to automatically generate the configuration they need for their systems...

Our workshop at FIRST would cover

• a description of the project and the need for such a work;
• a short introduction to cryptography and the main concepts;
• some description of what proposed configuration looks like and the results on some online
• validation tools;
• a step-by-step demonstration of the usage of GPG in command line to what's really behind the hood;
• a call for collaboration and help: we are open and the more we are, the best our work will be!

In attachment, we propose a draft presentation using previous works. This to demonstrate the type of content we would like to propose.

Just as incident response teams thought they were finally getting a handle on Bring Your Own Device (BYOD), whether they know it or not they now face a new challenge of dealing with IoT (Internet of Things). It is no longer just laptops and smart phones being connected to the corporate network. It now includes everything from surveillance cameras to smart light bulbs, smoke detectors, and sprinklers with wireless connectivity - not forgetting the coffee machine. On the surface this may seem like a low risk, but we have already seen numerous data breaches due to third party vendors. Target e.g. admitted the initial break in was due to their HVAC vendor.

We’ve seen researchers focusing on discovering vulnerabilities in SCADA / ICS, smart phones, routers and access points, and within the past couple of years, we’ve seen them focus on surveillance cameras. Now they’re branching out and focusing more on IoT in general. At this point, most of the IoT hacks that we’re seeing are currently lame when it comes down to it. They require physical access or are minor issues. However, the potential real world impact is scary, impressive, and very important to pay attention to, as we’ve seen with other consumer devices.

Is your organization ready to deal with new exploits for IoT devices on your network? Do you have solid policies in place for dealing with how these devices are securely connected to the network, properly protected, and how any compromises involving them should be handled?

This talk will cover a sample of vulnerabilities that currently have been published in various IoT devices and discuss the challenges and concerns organizations need to understand. It will fully discuss the capabilities of IoT vendors to even deal with vulnerability reports and ultimately help ensure that once IoT really enters your enterprise, you’re ready and equipped to deal with it.

The number of significant and dangerous incidents related to the energy sector companies is growing. The last year cases related to the activities groups like Dragonfly or Sandworm and attacks like BlackEnergy are the best prove that this sector became the very common aim of the cyberattacks. The political and military tension in the Eastern Europe is fostering this trend. This situation has forced the energy sector companies to work more actively on their cybersecurity systems including building capabilities of the efficient incident response process. During the presentation the issue related to the process of the building of CERT team in the energy sector company will be presented. Such process is specific due to the special requirements related to the existence of CERT in the large energy company. This kind of company is usually organisationally widely distributed. This distribution affects also the technical infrastructure what create a special challenges for the infrastructure protection. Another challenge is the fact that the responsibilities for maintaining the technical infrastructure is shared by many entities including outsourced parties. All these specifics makes the process of building the CERT team very challenging and during it both - technical and personal relationships aspects are very important. The presentation of the process of the CERT creation will be enriched by the presentation of the experiences from the process of responding to the incidents. The most interesting incidents will be presented in the reaction to the established and implemented CERT processes. So attendees will be able to learn how the specific structure of CERT is prepared and able to effectively response to them. The presentation will base on the real case study of the CERT creation in the energy sector company as the author is involved in such process. Also real and anonymised computer incidents will be used in the speech. The attendees will learn: - hot to prepare and conduct the process of building CERT in the large company - what are the most common incident in the energy sector company - what is the influence of the CERT operational model on the effectiveness of the incident management process - how to use experiences form the energy company in own organisation - what is universal, what is specific

One of the goals of the Microsoft sponsored Coordinated Malware Eradication program is to use lessons learned from current and past malware eradication campaigns to inform new campaigns. To improve the efficiency of antimalware campaigns, our tactic is to distill the collective experience of past campaigns into playbooks that contain templates and guidelines that the entire community working to eradicate malware can directly incorporate into future campaigns.

This presentation will show the playbooks we’ve created, how participants have used them, and ideas for new playbooks we’d love to build with the help of the community to more effectively fight malware together.

Examples of playbooks are:

• Creating an eradication plan—what deterrence and eradication techniques make sense for this operation?

• Abuse reporting to vetted and to previously unknown entities— what do you say when you don’t know if you can trust the recipient?

• Conducting a postmortem—why is it one of the most critical steps, what questions should you ask?

The aim of the presentation is to introduce the audience to the Malware Information Sharing Platform (MISP) and give a glimpse into how it can help them turn their analysis into instant protection for both them and their partners.

In a world where cyber threat information sharing via e-mail, a lack of interoperability between defensive and analysis tools and replication of effort during analysis among partners is still a reality for many, MISP offers an easy to use, powerful, free, actively maintained, open-source solution.

The scope of the presentation includes a general high-level overview of the issues that MISP tries to tackle as well as a more in-depth presentation about its capabilities and features, divided into four main topics (sharing and collaboration, populating MISP with data, exploiting the data for analysis and building automated defenses). The final portion will talk about integrating MISP into the audience's workflow by using the built in interfaces, building custom import/export modules or tools that utilise MISP.

As for the technical level of the presentation, it is assumed that the audience is generally familiar with the issues that MISP tries to offer a solution for, but the plan is not to go too deep into the technical solutions (intermediate level).

When Edward Snowden leaked classified information from the NSA in June 2013 all government initiatives on monitoring and data correlation became suspicious. NCSC had just started the pilot preparations at a government data centre aimed at automatically sharing indicators and incident related information, giving a boost to the operational situational awareness of it’s CSOC. Many challenges had to be overcome. As of December 2014 government organizations as well as critical infrastructure partners have started the new sharing collaboration successfully. In his presentation Michael will discuss the prerequisites, technical but mostly non-technical, needed to create this Dutch habitat in which organizations can share information safely on a voluntary basis. Also Michael will share the outcome of the evaluation held in June 2015.

The daily business of Computer Incident Response Teams (CIRT) is preventing incidents and handling breaches. Sharing information is crucial for time efficiency and for the prevention of unnecessary double work. Automated handling and processing of Cyber threat intelligence is im- perative. Currently there are a number of emerging tools, but to date none of them, in our opinion, sufficiently satisfies the needs of computer specialists working in the domain of incident response. The main needs include the following: ease of use, adequate handling of data structures, interfaceability and automated data enrichment.

In this presentation the benefits of using structured data and automated systems will be out- lined. Advantages and problems of relevant standards and available tools will be briefly discussed. In consequence our ongoing work on ce1sus, an open source platform that fulfills all the identified needs while circumventing known problems, will be presented. celsus uses a widespread standard (STIX) and allows for interoperability with existing tools.

Ce1sus is available as free open-source software at:

https://github.com/GOVCERT-LU/ce1sus

In this talk I will describe our efforts to collect, analyze and visualize DNS as part of our HP ArcSight SIEM infrastructure. DNS is important for security for many reasons. If the DNS infrastructure can be brought down, many networking tasks would be impossible to complete. If the integrity of the mapping between domain names and IP addresses is compromised, attackers can redirect users undetectably to IP addresses of their choosing. And malware of many types must in one way or another use the DNS infrastructure as part of their operations. For example, botnets often use fast flux techniques and domain name generation algorithms to rendezvous with command and control servers.

Collecting DNS is a significant challenge. In HP, our core internal DNS clusters process approximately 16 billion DNS packets every day. Ideally, we would like to turn each and every one of those packets into an event for our SIEM. However, HP is currently the largest commercial deployment of ArcSight and we would have to grow our SIEM by a factor of six to collect this data. Moreover, traditional logging has a substantial performance impact on the DNS infrastructure, and therefore from an operational perspective enabling logging is also impractical. Finally, DNS servers generally do not log the information necessary to detect many security problems.

To deal with these problems we collect and filter this traffic using hardware network packet sniffers, which have no impact on the performance of the DNS servers and allows us to collect all of the information we need for security purposes. We model known good traffic, and discard it, keeping only anomalous data.

We developed a custom analytics engine, which analyzes this data looking for evidence of botnet infections, blacklist hits, cloud platform abuse, beaconing, data exfiltration, and cache poisoning attempts. The results of these analyses is turned into a set of alerts which are sent to our Security Operations Center (SOC). We’ve also developed a usable dashboard and visualizations to help analysts explore the data.

The system has been up and running in HP since June 2014. The SOC processes on average about 20 of our alerts per day, with very low false positive rates. We’ve worked closely with the SOC to make sure the tool is fully integrated into the workflows that the SOC analysts use and meets the needs of the analysts.

One of the parts of intrusion response that rarely gets attention in DFIR circles, though huge attention outside them, is the customer facing victim companies communication to their own customers. This is almost always the only real information the public gets of your intrusion and communicating what happened effectively is crucial to minimizing damage, both to customers and to your organizations reputation.

Using lessons pulled from professional public relations specialists combined practical experience in operations and security incident response we'll review the five keys to good crisis communications. We'll walk through multiple examples of good and bad crisis communications and develop an understanding of what information people need to know when and why they should get it from you and not the media. We'll also discuss building a comprehensive incident communications plan.

Project Details: By analyzing documentation, observing actual CSIRT activity, convening focus groups, and using pre- and post-incident interviews, our team from Dartmouth College, George Mason University and Hewlett-Packard is recommending ways to improve the skills, dynamics and effectiveness of CSIRTs. Through the end of 2014, the team has interacted with 45 CSIRTs, conducted 28 focus groups, and interviewed 117 team members and several dozen team leaders; this data collection continues in 2015. Funded by agencies in the U.S., Sweden and the Netherlands, the project findings reflect CSIRT members in over a dozen countries and in academic, corporate, national and international organizations. This basic research is determining and validating principles for creating, running and sustaining an effective CSIRT. The output includes descriptions of needed knowledge, skills and abilities for key CSIRT roles, viewed from individual, team and multi-team system perspectives, plus recommendations for improving CSIRT performance. Evidence-based decision aids are being developed and used commercially, and technology transfer of results is being accomplished not only in publications (e.g. a special issue of IEEE Security & Privacy magazine, a handbook, and academic publications) but also by participating in existing CSIRT training sessions and by presenting findings to CSIRT members and managers in a final project workshop co-located with FIRST 2015.

Proposal Details: Our team proposes a series of linked workshops and presentations at FIRST 2015 in Berlin:

• Sunday, June 14: An all-day workshop at the Intercontinental Hotel in Berlin. At this experiential, interactive project workshop, our team will work with attendees (CSIRT team members and leaders) in two ways: After we present several key project findings, the attendees will take part in activities that help them identify which findings are directly relevant to their particular CSIRT structures, goals and talents, and then learn and apply techniques to address the most important areas for improvement. For more information about this free workshop, please contact Julie Steinke, at jsteinke@gmu.edu

• Monday, June 15: Project-related presentations at FIRST by our project team members. Presentations to FIRST will be made by Julie Steinke and her colleagues (George Mason University) on information sharing to improve CSIRT effectiveness, and William Horne (Hewlett-Packard) on applying our findings commercially.

• Tuesday, June 16: 90-minute workshop at FIRST on feedback and next steps toward CSIRT effectiveness. This workshop will present an overview not only of the project and its findings but also of techniques useful in immediate CSIRT improvements. In an interactive discussion, our team members will elicit examples from attendees of our findings’ utility and of other areas ripe for investigation and improvement that we have not yet addressed in our research.

Audience: Members/leaders of CSIRTs, members/leaders of other teams that interact with CSIRTs.

Expected Outcomes: Attendees will leave with descriptions of what works well in an incident response team; descriptions of what can be improved; descriptions of lessons learned from incident response teams; suggested pathways from improvement opportunity to actual improvement, based on lessons learned and on research findings; possible descriptions of areas/questions needing significant attention from researchers.

With the release of Common Vulnerability Scoring System version 3 (CVSSv3), security teams need to understand how the classification and rating of vulnerabilities has changed. Version 2 has become a de facto standard over the last decade, and v2 scores are commonly used to quickly communicate severity.

However, research presented at FIRST 26 showed that ~70% of published vulnerabilities could be described by applying only 10 combinations of metrics. This lack of variety left many characteristics of vulnerabilities poorly described or omitted by v2 classification, which in turn led to clusters of scores that flattened out the standard's usefulness for rating and responding to vulnerabilities.

Version 3 corrects this condition without a net increase in metrics, by updating descriptive language, reducing subjective choice, and providing tools for an analyst to describe environmental mitigations (such as EMET, sandboxing, etc.) which reduce impacts or hamper exploitability in their organizations.

This course is designed to give analysts hands-on training in applying the new CVSS v3 metrics, following the new decisions and descriptions for rating with v3, and exploring the new capabilities of Environmental Mitigations and Vulnerability Chaining. Attendees will work interactively with the facilitator to practice and apply the approach, rate "tough" vulnerabilities, and gain confidence in the new techniques necessary to help their organizations adopt the next standard for vulnerability scoring. It assumes passing familiarity with CVSS v3, such as reading the metrics section of the standard, and looking at the supplemental materials like the example vulnerabilities and scoring calculator; it will not be an in-depth review of those materials, but rather an application of them. Experience with CVSS v2 will be helpful, but is not necessary.

It is intended for a technical audience, particularly for an analyst producing, supporting, or consuming vulnerability characteristics and ratings. Materials are designed for an analyst that is comfortable discussing vulnerability characteristics and foundational information security topics like authorization, privilege escalation, and the like. It may delve into discussion of common or emerging exploitation techniques (at a high level) but should be accessible to anyone comfortable with reading vendor or community produced vulnerability reports.

In last years the attacks targeting financial institutions have evolved and are becoming more sophisticated. In fact, recent studies show that cyber-attacks have caused billions of dollars in losses, among personal data, company records or files, and any other sensible information; which has provoked a falling in consumer confidence and irreparable damage to the brand, right like what happened to Target, Home Depot and J. P. Morgan security breaches.

Due to the growing of the number and complexity of cyber-attacks Mnemo-CERT was created. A financial Computer Emergency Response Team, which works together and closely with banks to timely respond to any kind of information security incidents and also to strengthen their security mechanisms in order to minimize damage from attacks and intrusions.

In this presentation, Mnemo-CERT will speak about two study cases, actually very real threats to financial institutions:

A. Financial fraud (internal threat). Staff represents a potential threat by virtue of their knowledge of and access to organization’s own systems and their ability to bypass security measures through legitimate means. In this case, the results obtained through Digital Forensics Analysis and Cyber Intelligence allowed us to identify who, when and the modus operandi upon this cyber fraud.

B. Malware targeting ATMs (external threat). Ploutus malware detected on ATMs in Mexico was designed to steal cash without requiring any access to the credit or debit cards used by customers. This malware was analyzed in Mnemo Labs by using reverse engineering techniques and the obtained results will be explained. A few months later, Mnemo-CERT team received another malware Ploutus sample and, despite its double obfuscation, similar results were found.

This session will consist of a technological exploration of commercial and open-source threat intelligence feeds that are commonly offered as a way to improve the capabilities of incident response teams. While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.

We will present a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide, in addition to some tidbits as indicator age and uniqueness across feeds. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. The tool itself (tiq-test) will be able to be used by attendees to perform the same type of tests on their own data.

We will also provide an additional open-source tool (combine) for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with a good mix of current publicly available network feeds and easily extensible for private or commercial feeds.

All too often, CSIRTs and SOCs are realizing in the middle of high impact cybersecurity incidents that more could have been done to proactively monitor, detect, and respond to threat actor activity.

While logging and monitoring "all the things" may be attainable for some organizations, many organizations must develop and execute a meaningful logging and monitoring strategy that balances coverage, efficacy, and cost. This presentation will cover the following elements to help organizations assess security monitoring capability maturity in a structured manner that enables continuous improvement and benchmarking with industry peer groups for detecting and responding to cybersecurity incidents relevant to their risk profile:

• How to crosswalk security monitoring practices specified in key guidance such as NIST SP 800-53, PCI DSS 3.0, and the Council on CyberSecurity's Critical Security Controls to ensure a minimum security monitoring capability is in place.

• How to use CERT-RMM and the recent derivatives created with DHS (CRR) and DOE (C2M2) to assess security monitoring capability maturity.

• How to develop security monitoring use cases to support cybersecurity incident investigations and continuous monitoring.

• Recommendations for key monitoring sources CSIRTs and SOCs should ensure are collected, retained, and are searchable.

• How to maximize pre-existing monitoring sources and augment with open source/low-cost monitoring sources.

• Recommendations for logging configuration settings and retention.

• Recommendations for utilizing threat intelligence to enrich cybersecurity incident investigations and continuous monitoring.

US-CERT receives a large volume of incident reports, but the reports often vary in quality and completeness. We explored multiple years' worth of reports looking for patterns and found that this data is rich with useful information. Rather than trying to enforce a structure on the data based on response team activity against a given incident, we took an entirely data-driven approach to structuring the information. This resulting structure can be used to complement the expertise of incident responders and answer tough questions from decision makers.

Our method treats incident reports as observations of a large set of unknown real-world activities including malware campaigns, incident response procedures, or simply the daily operations of a reporting entity. We use co-occurrence patterns of indicators in tickets to estimate the strength of associations between indicators and infer potential 'real-world activity groups' that correspond to actual events. These patterns are useful building blocks to answer questions about incident status, investigation progress, threat families, trends and incident predictability. The benefits to CSIRTs include increasing shared situational awareness, better tailoring of incident response services for constituents, increased detection of emerging threats, better visualization of threat activity and better understanding of threat activity against specific constituent types.

This presentation will summarize our methods and discuss ongoing work in visualizing and expanding indicator communities to allow feedback from analysts, integration of additional data sources, improved statistical learning algorithms and richer feature extraction from ticket data. All CSIRT members and managers are encouraged to attend and discuss data-driven information extraction techniques from large bodies of diverse and unstructured incident reports.

A major challenge of incident response today is the overwhelming load of incident reports, along with the complexities of consistently collecting incident data, analysing it thoroughly, and monitoring the status of a large number of reported incidents.

We will present an initiative to automate incident response workflow with the Decision Support and Monitoring System (DSMS) jointly developed by HKCERT and CSIRT Foundry.

The DSMS is designed with the prime objective to automate the most labour-intensive and unmanaged parts of incident response. By storing analysis results in a central repository that is accessible via a management interface, incident analysts may focus on higher value tasks. DSMS can also provide some capabilities that were not available before.

Major Benefits of DSMS:

• Provide a centralised registry of monitored targets
• Provide a centralised repository to collect and consolidate monitoring results
• Perform actions according to analysis results from a remote Monitoring Subsystem, based on action criteria listed in incident profile
• Automate a team’s analysis workflow for different types of incident
• Choose best-of-breed analysis tools, so that each analyst has access to the same tools
• Perform 24-hour scheduled, ongoing checks, and stores any changes in status found
• Operate in a geographically distributed manner
• Provide a collaborative environment for analysts
• Provide a standard way to customise workflow and use new tools as circumstances evolve
• Provide an API for other systems to consume the functions of DSMS, generate management reports on the usage of input systems and external analysis systems, and provide statistics of malicious objects or malware.

DSMS is built with existing powerful open source tools, and embraces the power of existing security monitoring services (e.g. malware analysis systems and Internet resources lookup APIs). Its architecture is composed of a Core, Broker and several Agents.

• DSMS Core: schedules monitoring jobs for dispatch, processes incoming analysis results, provides web interface, web API, and datastores services;
• DSMS Broker: provides a message queue, providing a communication channel between the Core and the Agents, as well as facilitating file transfers;
• DSMS Agent: responsible for running analysis tasks, interfacing with external services, such as whois and other external vendor analysis services.

The speakers will share the design of DSMS and problems faced, for example, integration of modules, anti-fingerprint by malicious content hosting. HKCERT will share its experience in integrating DSMS with the cyber threat intelligence system (IFAS) and incident report management system (IRMS).

Background: Effective team leadership often comes with experience but there are ways to expedite the experience cycle. One such method is the debrief process used by militaries, primarily aviators, all over the world.

Summary: Debriefing is simply reconstructing and evaluating an event to determine how to replicate success and avoid repeat mistakes. A successful debrief depends on the ability to critically analyze events and the willingness to admit mistakes. The debrief process should encompass a review of events, identification of problems, determination of root causes and development of lessons learned. Critical self-analysis in the debrief process applies at the individual level as well as the organizational level. Debriefing is not a strategy for protecting a network. It is a method that should be used to evaluate how well you are performing a function, job or mission and provides the tools for constant improvement.

Impact: The USAF aviation and special operations communities have been using the debrief process for decades with tremendous success. Over the past several years, the USAF has applied those same principles to cyber warfare. By institutionalizing the debrief into daily operations, the USAF has observed significant gains in mission effectiveness.

Significance: The debrief process is the US DoD standard on how to perform a function, job or mission more effectively every time the function, job or mission is performed. The principles are straightforward and easily applied to non-military environments.

Technical level of the presentation: Low Recommended target audience: Primarily team leaders and organizational leaders

We take it as a given that cyber threats continually evolve and grow in sophistication, but to defend against this, too many organizations rely on static technologies, rigid organizations, and analysts with narrow skillsets. For defenders, every day brings entirely new problems. It takes innovation to defeat sophisticated, dynamic threats. Teams must innovate to solve the right problems. They need to have right visibility to know what the problems are, and have real data to train solutions against. Organizations need a smaller pool of higher skilled, well rounded analysts, and build organization around collaboration and fostering creativity. Need analysts and developers together to innovate side by side, in concert. The role of analyst vs developer must blur. Need to apply that innovation across the enterprise to make a difference. Innovation in a lab is great, but innovation as an enterprise solution actually stops the threats. Furthermore, innovation across a community of like-minded organizations makes a worldwide difference.

ENISA has performed for the third time a comprehensive threat assessment based on publicly available information.

The assessment consists of:

• Information collection
• Information collation
• Threat analysis
• Creation of context and
• Dissemination

The ENISA threat landscape contains information about:

• Current threats
• Threat Agents
• Attack vectors and
• Emerging threats

Besides the contents of the ENISA threat landscape, experiences about the process of threat intelligence collection will be discussed.

Knowledge and identification of Malware binaries is a crucial part of detection and incident response. There was a time when using MD5s was sufficient to ID binaries. The reverse engineering analysis conducted once would be useful anytime that same MD5 hash was seen again. This has rapidly changed in recent years. Polymorphic samples of the same specimen change the file hash (MD5, SHAx etc) without much effort by the attacker. Also, cyber criminals and advanced adversaries reuse their codebase to create newer versions of their malware, but changes in the file hash disallow any opportunity to connect and leverage previous analyses of similar samples by defenders. This gives them an asymmetric advantage.

In recent years, there has been research into “similarity metrics”— methods that can identify whether, or to what degree, two malware binaries are similar to each other. Imphash, ssdeep and sdhash are examples of such techniques. In this talk, Bhavna Soman, Cyber Analyst at Intel Information Security will review which of these techniques is more suitable for evaluating similarities in code for APT related samples. This presentation will take a data analytics approach. We will look at binary samples from APT events from Jan- Mar 2015 and create clusters of similar binaries based on each of the three similarity metrics under consideration. We will then evaluate the accuracy of the clusters and examine their implications on the effectiveness of each technique in identifying provenance of an APT related binary. This can aid Incident responders in connecting otherwise disparate infections in their environment to a single threat group and apply past analyses of the the abilities and motivations of that adversary to conduct more effective response.

When an incident occurs or a vulnerability is disclosed, the appropriate CSIRT(s) can deliver actionable information to counterparts and users firsthand. This exchange of information has become commonplace, based in part on reciprocal trust.

As the CSIRT community has matured, so too has coverage of cyber issues in the media. Yet in an era when anyone can be a content publisher, "it's public" does not mean information has been depicted accurately or disclosed responsibly. As a result, the appropriate course of action for a CSIRT to take in response can be unclear.

This presentation explores constraints that may prevent a CSIRT from sharing information, assumptions partners can consider when information seems to be withheld or mishandled, and a set of principles to guide communication in response to uncoordinated disclosure. Developed from lessons learned by US-CERT, the content will enable CSIRTs to approach similar engagement in a manner that minimizes uncertainty and stimulates trust. It is recommended for managers and policy makers responsible for CSIRT processes and workflow.

If Operation Aurora in 2009-2010 wasn't a wake-up call to enterprises that foreign entities could and did infiltrate some of the enterprises that were all running best in-class network defenses and monitoring solutions, then certainly the recent string of intrusions and data breaches from big box stores like Target and The Home Depot and major financial institutions including JP Morgan Chase should be. Once the intelligence crosses the desk of enterprise incident responders, assuming you're collecting the data to begin with, is that there is simply too much data to sift through to determine whether we have a problem or not. This talk aims describe manners in which we have addressed this problem.

Over the past few years, we have built up our own data warehouse, analytics and security business intelligence (SBI) capabilities. We started by taking a look at our "big six" event sources that we believed offered the biggest return on our investment and able to answer questions about what happened and when. Those event sources were SMTP headers, web proxies, active directory, DHCP, VPN, and DNS. We invested in technologies that would allow us to ingest large volumes of data, keep it for a relatively long period of time, and allow us to query those archives with great speed.

In this talk, we will review the painful history of trying to pull logs before our SBI capabilities were put into place, how data warehouse solutions provided improvement, and how we turned some lunchtime conversations into enterprise-class search capabilities that have reduced our time to know about industry-reported incidents by more than 95%. We will conclude with how we are further automating the capabilities and, in an unconstrained world, where they could be taken.

Government initiatives from the European Union and the US have been working on standardizing frameworks for cyber security resiliency and information sharing initiatives. The Internet and Jurisdiction project has been working on a global multi-stakeholder framework for multinational due process for combatting cyber crime. The IETF has been standardizing protocols and mechanisms to utilize security related posture and threat information to automate protecting endpoints. This talk will provide an updated and consolidated view of the standards the international government, law enforcement, technical and operational communities are creating to more effectively combat cyber related crime and automate mitigation processes.

Network Forensics and Network Security Monitoring (NSM) are becoming increasingly important practices for incident responders in order to detect compromises as well as to trace the steps taken by intruders. In this interactive hands-on tutorial, participants will learn how to perform network forensic analysis in an incident response scenario. They’ll be provided with a virtual machine and a set of PCAP files containing network traffic captured at the network perimeter of a made-up corporation. The PCAP data set was captured specifically for the FIRST 2015 Conference from a real Internet connected network.

Who should come?

• Attendees who want to improve their skills at finding evil stuff in full content packet captures

Who should NOT come?

• Attendees who are afraid of using the Linux command line

Prerequisites:

• Laptop with 64 bit operating system
• 30 GB free disk space
• VirtualBox (64 bit) installed (VMWare will not be supported in the workshop)

The VirtualBox VM will be distributed on USB flash drives during the workshop. However, in order to get a quick start, we recommend attendees to download the zipped virtual machine from the link below in time before the workshop.

This session will provide a quick but deep dive into penetration testing iOS applications. Using a jailbroken device, security testers are able to actively prove an app's run-time environment to probe, discover, and exploit potential architectural weaknesses in iOS apps. In this session, we'll explore how these testing techniques can be used after an incident occurs, in order to determine possible points of system compromise that occurred during the incident. The same techniques can be used to perform dynamic analysis of iOS incident artifacts.

If you would like to prepare for the session, please download the ZIP file for your convenience. (The tools are iExplorer and pre-compiled “class-dump-z”.) You can download the tools from http://krvw.com/iTools.zip

The download is optional of course, but you may find them useful for the hands-on portions of my class.

Consider this scenario: you are a leader of an incident response team. Threat intelligence sources indicate that a trusted insider has leaked confidential network diagrams, and a competitor or hacktivist may have discovered a vulnerability and is planning an attack. Your boss demands evidence of adequate preparations to ensure threat management systems are performing optimally. In defense of your operations, and possibly your job, now more than ever you must demonstrate your incident response team's value.

Thankfully, you have already deployed security monitoring technology throughout the network, and have been measuring operations, tuning systems for false positives, and tweaking processes for improvement over time.

In this presentation, we will:

• Use a science fiction film as a metaphor for incident response
• Show how to obtain the usable metrics
• Describe how to interpret the metrics
• Discuss the back-end requirements for producing good metrics
• Demonstrate how to use the metrics to prove efficacy and plan for future capabilities

Incident response teams, managers, and security architects can use the lessons divulged in this session to improve their own incident response processes and systems. They should come away with knowledge on how to measure their own performance and prove their success.

Asset owners who have vulnerable systems, or who are victims of compromise are often unaware of the situation. This talk will focus on how to go about informing industrial system owners of the situation. How can we reach out to many at the same time, how can we inform vendors of vulnerabilities, and how can we inform asset owners that their networks and devices are exposed.

Between the two speakers thousands have been informed in this manner. They will discuss the methods, the bedside manner, and the outcomes. They will discuss industrial systems on the internet and CERTs (a couple thousand), vendor vulnerability notifications (20), Havex notifications in Norway's Oil and Gas and Energy sectors (550).

During the summer of 2014 the Norwegian Oil and Gas and Energy sector was subject to a large coordinated cyber attack where selected recipients were targeted in a spear-phishing campaign that contained Havex. Due the severity and extent of the campaign NSM NorCERT decided to initiate a large warning distribution, reaching out to a total of 550 Norwegian companies.

Since NorCERT did not have a complete contact list of all the potential victims in these sectors this broad distribution was achieved by the CERT working together with the respective sectoral authorities.

NSM NorCERT issued an alert to The Petroleum Safety Authority Norway (PTIL),The Norwegian Water Resources and Energy Directorate (NVE), FinansCERT (Industry CSIRT for the financial sector in Norway) and directly to companies that were already cooperating with NorCERT within the Oil and the Energy sector. The respective authorities then forwarded this information to all affected parties. Letters were sent to targeted companies that were not covered by NVE and PTILs authority.

The alert contained a list of indicators of compromise and a recommendation to search their systems. This resulted in a significant number of new findings. NSM NorCERT worked directly with the companies that had findings, assisting them with artifact analysis and incident handling coordination.

The outreach campaign also attracted media attention, this created some noise and questions asked at higher levels in the targeted organizations. To reach out and build awareness and answer some of these questions a bigger conference meeting was arranged for the alert recipients in the fall of 2014.

This session takes apart Operation SMN and the threat group Axiom, and examines in-depth how over 10 private industry companies banded together to address a single threat groups entire tool set. We will cover some of the events that transpired during Operation SMN including identifying and onboarding security vendors, handling sensitive evidence, creating novel analysis techniques, and fusing all that information into various reports for consumption by the public as and industry. During this presentation we will also cover some of the strategic goals for the operation and how we went about executing against those goals and some of the results and measurable impacts we have had. We will also review the strategic reasons why and the tactics of how these industry partners shared their knowledge with one another to achieve their common goal.

Attendees in this session will learn:

•History and background of related coordinated efforts.

•Learn some of the basic lessons learned and how to apply them to your own operations

•Ways to group and characterize a common threat, and examples how this team completed that task and leveraged that insight

•Discuss working with ecosystem owners to leverage their own capabilities to remove threats from the ecosystems they maintain using existing programs, as well as encouraging the creation of new programs

•What things were important to look for and capture

•Looking forward: what we would have done differently, and what we want to see this evolve into

Abstract— Many computer-based devices are now connected to the internet technology. These devices are widely used to manage critical infrastructure such energy, aviation, mining, banking and transportation. The strategic value of the data and the information transmitted over the Internet infrastructure has a very high economic value. With the increasing value of the data and the information, the higher the threats and attacks on such data and information. Statistical data shows a significant increase in threats to cyber security. The Government is aware of the threats to cyber security and respond to cyber security system that can perform early detection of threats and attacks to the internet. The success of a nation's cyber security system depends on the extent to which it is able to produce independently their cyber defense system. Independence is manifested in the form of the ability to process, analyze and create an action to prevent threats or attacks originating from within and outside the country. One of the systems can be developed independently is Intrusion Detection System (IDS) which is very useful for early detection of cyber threats and attacks. The advantages of an IDS is determined by its ability to detect cyber attacks with little false. This work learn how to implement a combination of various methods of machine-learning to the IDS to reduce false detection and improve the accuracy in detecting attacks. This work is expected to produce a prototype IDS. This prototype IDS, will be equipped with a combination of machine-learning methods to improve the accuracy in detecting various attacks. The addition of machine-learning feature is expected to identify the specific characteristics of the attacks occurred in the country’s/region’s internet network. Novel methods used and techniques in implementation and the national strategic value are becoming the unique value and advantages of this work.

This presentation dives into the open source programming language of R. R has primarily been used for statistical computing and graphics in the past. We attempt to bring a new programming language to the incident response community by teaching responders the basics of using R and how it can be leveraged during live incident response. The session will be focusing on reading/writing data, graphing incident data, data manipulation, and data modeling. We will be walking through several log analysis scenarios while using R to quickly identify the data we are interested in analyzing. This session aims to provide an introduction to the language of R as well as touch on a few advanced topics.

Workshop Information: https://www.iab.org/activities/workshops/caris/

Numerous incident response efforts exist to mitigate the effects of attacks. Some are operator driven focused on specific attack types, while others are closed analysis and sharing groups spanning many attack types. Many of the operator driven models work with members to mitigate the effects of such attacks for all users, but how to contribute information to these efforts is not always known or easy to discover. Sharing within closed community analysis centers is only practical for very large organizations as a result of resource requirements even to be able to use shared data. Without coordination, these efforts are not only duplicated, but leave out protections for small and medium sized organizations. These organizations may be part of the supply chain for larger organizations, a common pathway for successful attacks.

This workshop aims to bring together operators, researchers, CSIRT team members, service providers, vendors, information sharing and analysis center members to discuss approaches to coordinate attack response at Internet scale.

The day-long workshop will include a mix of invited and selected speakers with opportunities to collaborate throughout, taking full advantage of the tremendous value of having these diverse communities with common goals in one room.

Submission Instructions: Attendance at the workshop is by invitation only. There is no fee to attend the workshop.

For existing attack-mitigation working groups, the survey at https://internetsociety2.wufoo.com/forms/caris-workshop-organisation-template/ should be completed by those organizations whose mitigation efforts or use case analyses apply. The data gathered through this questionnaire, including how to participate or contribute to your attack mitigation working group, will be shared with all of the participants at the workshop to better enable collaboration with your effort.

This workshop will cover

• Why IPv6 is an extensive security topic
• Overview of the differences to IPv4 - relating to security
• Deep dive into selected protocol details and their accompanied attacks (incl. demonstrations)
• What are the latent security risks for organizations today
• Recommended IPv6 Security Resources and Tools

Presentation Time: 14:00 - 17:30

While Targeted Attacks are one of the main concerns in cyber security in recent years, many CSIRTs are still struggling with malicious websites such as defaced websites and phishing sites.

This presentation intends to cover some noteworthy features seen in HTML/Javascript used in actual website defacement cases including SQL injection and watering hole attacks. It will also introduce a new tool “ChkDeface”, created and implemented at JPCERT/CC, and share its secure and efficient monitoring method utilizing malicious site characteristics, such as signatures.

JPCERT/CC is planning to share the source code of this tool to some CSIRTs within the community, with the hope that the signatures and the tool can be practically utilized to trigger deeper discussion among the many security experts about more precise detection methods.

The cybercrime techniques, tactics and procedures (TTP) have evolved towards the mobile apps world. Adware, spyware, RATS, APTs and any other malicious code infect apps trying to raid the security of the mobile systems. These smartphones and other mobile devices are, actually, the containers of our digital lives. In them we store credentials and personals data and, using them, we interact with different digital services. So, attacking the security of a mobile device means not only go beyond the users’ privacy but also construct a profitable way of commit fraud. The reason of this evolution lies in the high dynamism of the applications stores and the incredibly fast rate of appearance of new applications in them. Part of this particular dynamism has brought the traditional countermeasures to the edge of failure in their fight against malicious developers. New strategies are needed.

In this talk, I will show how to perform a continuous investigation of a vast number of apps in different Android stores. This analysis is complemented with several open sources, consumed in real time, to bring up a powerful tool which can equip security analysts in this new battlefield.

The Dutch National Cyber Security Centre (NCSC-NL) continually monitors both public and private sources for digital threats, vulnerabilities and ICT security developments. These sources provide a large amount of news items that are analyzed for both operational threats and tactical/strategic developments and trends.

For the operational process, NCSC-NL has a clustering solution in place to combine common news items, but this solution is less suitable for a longer term analysis of these developments by the analysts of NCSC-NL. Determining the main stories, topics and developments over a time period of e.g. a week, a month or a year is still carried out manually and is therefore time-intensive and error-prone.

NCSC-NL started a project with the Dutch National Forensic Institute (NFI) to explore ways to analyze the available information more effectively and more efficiently, especially over longer periods of time. In this project, the expertise of the NFI in big data analytics and text mining was combined with the available data, requirements and analysis expertise of the specialists at NCSC-NL. At the start of the project, the process that analysts follow and the data available were explored and ways in which an automated system could support in this process were identified. Then, two of the possible solutions (automatic relevance determination and automatic dossier suggestions) were studied in depth and, based on an agile scrum approach, proof-of-concepts were developed.

These project results will now be used to develop a production-ready solution, that is likely to be integrated with the tooling used by NCSC-NL. As other organizations within the community are facing identical operational challenges and are using similar tools to gather information, the project results will not only be useful for NCSC-NL but are also significant for the community as a whole.

CFC (Cyber Force Center) is one of the special task forces in the High-Tech Crime Technology Division in the National Police Agency of Japan. CFC deals with technical matters for prevention of cyber crimes and provides technical support for local police task force. CFC has two main roles, that is, counter cyber intelligence and counter cyber terrorism. From the standpoint of counter cyber intelligence, we'd like to talk about the malware analysis case study. From the standpoint of counter cyber terrorism, we'd like to talk about the live forensics for ICS (Industrial Control Systems).

1. Malware Analysis Case Study

CFC is engaged in the malware analysis mainly in the case of cyber intelligence. In our presentation, we'd like to talk about the techniques used in the malware that tageted a Japanese private company from the technical perspective. It has a unique encoding scheme for communication between the attacker and the victim and some anti-analysis techniques. We'd like to explain these techniques as a result of our analysis.

2. Experimental Evaluation on the Applicability of Live Forensics for Industrial Control Systems

Now, ICS is one of the main targets by cyber terrorism. CFC is responsible for the emergent measures to mitigate the damage caused by cyber terrorism. In order to accomplish the job, we are engaged in a research for effective digital forensic tools for the ICS which automatically execute a command for the evidence preservation after an incident has occurred. This research focuses on measuring the latency time by the command on the experimental environment.

Malware within SCADA environments is becoming more prevalent. Unfortunately, this trend is increasing, and becoming more worrisome. SCADA related malware and their motives are typically complex, and we will cover motives behind several SCADA related attacks. We will cover the current state of SCADA related malware and their affects on systems and environments. In addition, we will be infecting a live ICS lab and monitor what the malware is doing and why. This talk will cover never released details about SCADA attacks and malware behind those attacks.

Background: Today’s threat intelligence typically varies significantly from source to source. These differences sometimes manifest themselves in easily quantifiable ways, such as structure & format, but also in much more complex and subtle ways such as context, ontology, overlap, reputation of the provider, reliability of the data contained in all or part of the feed, and distribution mechanisms Threat analysts and security operations staff are faced with a plethora of feed choices offering differing values to their particular organization or threat landscape. They also are faced with making critical and rapid risk decisions based on sometimes incomplete and untrusted threat intelligence information. Is there a better way to utilize this intelligence to improve incident response efforts?

Abstract: This presentation will highlight the outcomes of an analysis of threat intelligence feeds and their use in security operational environments. We will present the limitations and challenges that exist but also will describe the effective aspects each intelligence feed offers. We will also discuss on the myriad of challenges associated with working with threat intelligence feeds in a security operational environment.

In addition, we will then explore how security operations/threat analysts can use threat intelligence feeds more effectively in order to move towards a more automated approach to the intel -> incident response lifecycle. Lastly we will explore what analysts should expect in threat intelligence feeds and their use inside a security incident environment.

Audience: The intended audience of this presentation are threat analysts or security operations personnel or incident responder decision makers responsible for the use of threat intelligence in their security toolkit.

Ukraine's been witnessing tremendous economic, political and social problems during last year or so. In all those bad circumstances the question of cybersecurity became even more important than ever - bad gays try to take advantage of this situation all the time. At the same time the shortage of financial resources is observed, that negatively affects process of improvement. That's why CERT-UA decided to accept the challenge and tried to fix the situation. The goal of main concern - TO PROVIDE PROTECTED NATIONAL IT INFRASTRUCTURE - was gained. The presentation will cover developed and deployed technical solutions that were appropriately applied in GOV and nonGOV networks. Also, it's planned to give short overview of CYBERTRENDS 2014 in Ukraine and demonstrate real cases solved (some even brand-new ones for us). The talk touches the following topics: tools used for response and investigation, information sharing process, cooperation with stakeholders, threats. As epilogue for presentation we will try to estimate the effectiveness of approaches used while protecting national cyberspace.

• Characteristics of the Spread of Korea Target Malwares
• Needs for analyzing Hackers as a Malware Analyst
• Introduction of Malware Analysis System based on yara project

Korea faces lots of malwares becuase it is an attarctive place from hackers' point of view. Koreans can transfer money in a few seconds because Internet Banking process is so fast. Hackers use this fast transfer system for earning money. They intercept Security numbers, Korean's Identity Numbers, Account Numbers and etc. They pretend like they are normal users using these informations and transfer money to their accounts. KrCERT/CC has analysed these hackers, and could know the same hackers who had stealed game accounts and passwords for gaining game money have started stealing information related to internet banking.

National cyber attack is ongoing in Korea also. Hackers spread malwares through ActiveX vulnerabilites, changed update module of WebHard program, email attachment and etc. Malwares in infected PCs send information related to organization, system, and etc to hackers. Hackers manage Zombie PCs and use those Zombies for several campaigns. If there are PCs belonging to target organization, hackers install more complicated malwares and control the system. In case of National cyber attack, KrCERT recognized that hackers spend long time studying target organization to spread malwares in local network.

Through many experience attacking Korea organization, KrCERT/CC developed system(PoC) filtering malwares which is related to specific hackers based on yara project. KrCERT/CC is planning to update yara patterns and upgrade performance.

Internet is still composed of a significant number of devices (e.g. industrial control devices, network equipments or smart devices) with obvious vulnerabilities. The role of a incident response team, especially at a national level, is to know the current level threat against such vulnerable equipments and the associated risks to the exposed equipments. Incident response team might find legal issues to pro-actively scan such equipments or for such vulnerable. This research overcomes these limits by focusing on existing data collected by other organisations and discover passively the vulnerable systems (and the owner of the systems which might be a challenge to incident response team). The passive data collection includes significant datasets like X.509 certificates, Passive DNS records, public Internet-Wide scans.

Appropriate Incident Response is critical to your entity’s longevity and wellbeing, and yet practically preparing for it is often undervalued. This discussion will cover critical factors that, when the groundwork is laid in advance, will facilitate swift, organized, and clean incident response.

Key factors will make or break your response and containment: • A small team of fully authorized key players • Up-to-date maps of your servers, connections, software, and analysis capability • A communication plan for red alerts and private information sharing • Update, Meet, DRILL

While the keys I specify here may sound simple and easy, most organizations take for granted that they can put their fingers on such information quickly (often times they cannot, particularly during incident containment), create an incident response network team on the fly (anxiety can hinder effectiveness), and automatically know what they need to look at and how to do so.

Key factors will be elaborated during the discussion: • Who should be on the team and how to appropriately authorize them. • Examples of data needed to be up-to-date and properly maintained to determine where to close loops upon incident. • What needs to be included in the communication plan, including specifics such as phone contacts, emails – have your incident response email / contact group already created – and maintain a private info sharing channel for this security. • Details for how to stay updated and drill for incident response.

Incident response is sometimes regarded as harmful to privacy, since it frequently involves processing e-mail address, IP addresses and other information that may be privacy sensitive. However European privacy law, among the strictest in the world, actually promotes incident response. This talk will highlight the privacy benefits of incident response, suggest practical guidelines that IR teams can use to ensure their activities are and remain privacy-protecting, and show how this approach should satisfy the requirements of European law.

With organizations under constant threat of losing sensitive data and experiencing network disruptions during cyberattacks, it’s no secret that they are turning to threat intelligence for a real-time cross-industry look at attacks that are happening now and could be hitting them next.

With literally thousands of threat intelligence feeds to pull from, the key isn’t quantity but quality. Is the data you’re feeding into your security appliances important or just noise, and can the data be formatted to meet your security infrastructure’s requirements?

In this session, learn how to achieve truly interoperable cyberthreat intelligence. Get a special inside look at the challenges and opportunities of implementing and leveraging actionable data. What are the common barriers to full interoperability? How can organizations leverage intelligence no matter what security appliances they currently use? What are the challenges to receiving real-time, machine-to-machine information?

IID’s Rod Rasmussen will discuss how to consolidate the dozens of different formats primarily required for various security appliances and prioritize certain threat indicators from others.

According to Cisco's annual report, 99 percent of all mobile malware intended to compromise a device is targeted at Android devices. In Korea, in particular, hackers distribute SMS phishing(Smishing) apps predominantly through spam messages. This activity has resulted in large numbers of Korean Android users being harmed financially. Further, the policies designed by the South Korean government against these threats have had some weakness because the malicious apps are bypassing them.

This presentation will describe the policy methods for mobile banking in Korea and the attack methods used by hackers. Among the attack methods utilized are stealing of certification, pretending to be legitimate banking apps that require the security numbers issued to users when they opened their accounts, and Automatic Response Service (ARS) phishing attacks in conjunction with Call Forwarding. Other methods include requesting One Time Password (OTP) number and Internet of Things (IoT) hacking cases in which routers are attacked; in this case, both smartphone and PC users are targeted simultaneously. I will discuss the activities of KrCERT/CC in response to these malicious mobile apps.

1) Evolution of malicious malware dissemination methods

In South Korea, 90% of malicious apps are distributed by Smishing. In these scenarios, attackers use social engineering to convince people to divulge sensitive information, using topics that change in accordance with the times. For example, following the Sewol Ferry Disaster, attackers sent SMS messages that referenced it for about 15 days and distributed associated fraudulent banking apps. Malicious apps have even recently used the film “The Interview,” from Sony Corporation, as a lure. There are even malicious apps pretending to be from KrCERT/CC security, Google marketplace, mobile antivirus software companies, well-known delivery companies, domestic popular Internet portals, prosecutors, and police. They use various distribution means, such as the official app market, hacking of mobile web servers, sending emails to specific targets, and inducing APT to install the malicious app.

2) Types of malicious apps

There are many apps that not only want to uncover users’ financial details but also to spy on users. Such apps are used to tap cell phones and send users’ personal data to Command and Control (C2) servers on a regular basis. There are even cases of hackers trying to steal a popular Korean mobile messenger’s database and users being affected by mobile ransomeware as a result of malicious apps. Thus, it is clear that malicious apps are evolving continuously.

3) How malicious apps transfer users' data to attackers

Traditionally, attackers obtained users’ data via HTTP or FTP connections. Nowadays, however, they can obtain the data simply by sending an email through SMTP or posting data on a bulletin board system.

4) Mitigation

o Technology based mitigation

We have an SMS spam detection system that ascertains whether it has an APK’s abbreviated URL or not. The system analyzes the APK file and, if a malicious server address is found, it is blocked and a notification is sent to the infected mobile phone user. Monitoring is being carried out both in the Google Play Store and some black markets.

o Policy

Once an Android user agrees to install an app from an untrusted source, permission is never sought again. Because numerous malicious apps are distributed through unofficial app markets and web servers, we recommend that mobile phone manufacturers change their UIs to include a new option wherein Korean mobile phone users will have to explicitly decide whether to allow installation of apps from untrusted sources at all times.

Targeted Attacks, which the media refers to as APTs, are threats that must be addressed by any organization requiring networked computers to do business, regardless of industry.

In this session we will go over the run book techniques used by these threat actors and then go over strategies for mitigating those attacks.

We obtained knowledge of these run book techniques from trusted advisors, peers in the industry and from our own observations.

Our own observations included information from our CSIRT, our security products in the field as well as our internal phishing awareness campaign.

After studying these techniques we devised strategies to mitigate them. Those strategies were then tested and deployed throughout our ecosystem.

The mitigation examples will include the most common platforms in use in Information Technology today. In each example we will outline the platforms available security controls and then prioritize mitigations for breaking the run-books targeting those platforms.

Example Platforms include:

• Windows Operating systems, Pass the Hash and Shared Directory Environments
• Virtual Machine Hosting Environments
• Linux/Unix operating systems
• Mail Server Infrastructure
• Application Credential Management

Even though there is an explosive growth of Internet and information technology usage in Sri Lanka, many Sri Lankan organizations are ill-prepared to overcome potentially catastrophic cyber?attacks that may affect their infrastructure detrimentally and subsequently result in a loss of reputation. Simultaneously, many Sri Lankan organizations are in the process of moving into complex IT systems and technologies to provide better, more effective services to their customers. With the increase of sophistication of these systems, there has been a corresponding growth in the number and severity of threats associated. Unfortunately, many organizations start reacting to security incidents after the fact. In the past five years, cyber-attacks and threats on corporate IS systems dominated news headlines worldwide. Therefore, it is essential for Sri Lankan organizations to be prepared to carry out successful cyber counterattacks, in the best interest of their customers and the IT industry as a whole.

Considering the above facts, TechCERT, in collaboration with the Department of Computer Science and Engineering of the University of Moratuwa, conducts annual cyber security drills for Sri Lankan organizations. “TechCERT Cyber Security Drill” has been an annual event for Sri Lankan organizations since 2011. It was initially introduced to the banking sector and then to the financial and insurance sectors respectively. Since 2013, TechCERT has been able to expand this exercise to a wide range of sectors by including telecommunication service providers and Internet service providers with the assistance of the Telecommunications Regulatory Commission of Sri Lanka (TRCSL). At present, TechCERT is conducting three (03) cyber security drills annually for different sectors. They are:

1. Banking and finance sector
2. Telecommunication service providers and Internet service providers
3. Insurance and other leading professional institutions

The cyber drill will simulate a potential cyber-attack and evaluate the competence of the information security team of the relevant organization in successfully defending against the attack within a minimum time period. The attack scenarios for the drill will be based on the latest cyber-attacks in the relevant industry.

A cyber security drill of this nature is highly beneficial for an organization to determine its readiness to mitigate possible cyber-attacks. The main objective of the cyber drill exercise is to provide the opportunity for participating organizations to:

Train their IT staff to successfully overcome a cyber-attack Test the communication contact points Check the contingencies of their IT processes and procedures Test their technical competency in dealing with cyber attacks Coordination between relevant stakeholders to mitigate the attack

This presentation will discuss how TechCERT conducts annual cyber security drills, the resources used, the progression of the drills and lessons learnt.

The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.

Introduction

7 years ago, in 2008, the anti-Malware engineering WorkShop (MWS) started in Japan. The main objective of MWS is to accelerate and expand the activities of anti-malware research and countermeasure. To this end, MWS aims to attract new researchers, engineers of academic, private (enterprise) and public domains. Also stimulate new research for addressing latest cyber threats. To achieve this objective, MWS established the community based sharing scheme of the datasets for anti-malware research and countermeasure and organized research workshops where researchers can freely discuss their results. This paper describes the MWS community, MWS data sets, MWS workshop and the lessons learned from our experiences over the past seven years.

MWS activities

MWS has the community based sharing scheme of the datasets for anti-malware research and countermeasure. Also this scheme has three parts to achieve our objective.

• MWS Dataset: The datasets sharing for anti-malware research and countermeasure; Research sections in academic, enterprise and public domains prepare and analyze data sets.
• MWS: The research interests sharing; MWS organized research workshops MWS2008 - MWS2014 which were held in conjunction with CSS2008 - CSS2014 (Computer Security Symposium) of the SIG-CSEC, IPSJ.
• MWS community: The environment to work hard together; The academic researchers and the enterprise researchers/engineers work hard together for anti-malware research and countermeasure.

MWS Community

Currently MWS Community has organizations of public domain, academic domain and enterprise domain in Japan. In organizations of public domain, JPCERT/CC, IPA, AIST and NICT joined MWS community. Also many organizations of academic/enterprise domain joined. Our community scale is larger each year.

MWS Data sets

The MWS Datasets cover three categories, i.e., probing, infection, and malware activities.

MWS Workshop

This workshop task is to improve an anti-malware research environment such as the detection, the monitoring and the analysis of malware. Also it was to build the collaboration community between the academic field researchers and the enterprise field engineers for the malware countermeasures. MWS includes workshop and competition. Also it has conjunction with CSS (Computer Security Symposium) of the SIG-CSEC, IPSJ. The launch of MWS has significantly contributed to the increase in the number of anti-malware research papers. Interestingly, not only the number of papers presented at the MWS sessions but also the number of papers presented at other sessions has increased.

Conclusion

In late October, ThaiCERT, a member of ETDA (Electronic Transactions Development Agency), and JPCERT/CC organized an event "Malware Analysis Competition 2014 (MAC 2014)" in Bangkok, Thailand. We gave a talk about MWS in Japan. The format of MWS, especially MWS cup was referred to by MAC 2014. These events are very useful for technical transfer and raising awareness as well as information sharing in the academic, enterprise and public domains for anti-malware research and countermeasure. We believe that our experiences can assist other research communities that have a similar vision and comparable objectives. So we are hoping to continue the effort and also to extend it to more relationships for anti-malware research and countermeasure.

In today's world we are consuming an ever-increasing variety of volatile data streams for processing and analysis.

Integrating and using new or modified streams of data is a time-consuming and complex process requiring a different tool at each stage of data capture, processing, analysis and storage. A solution is needed which simplifies and automates integration of open source data in applications and allows developers to share integration algorithms across the community.

After looking ourselves how better improve our investigations and tools and also finding out that many good security analyst does not have enough technical skills we wanted to simplify it and started our own project. We want to help Security analyst to focus on their investigations and make easier their work while putting them a good platform. From the beginning we want it to count with the community and would like to take the opportunity to offer it to other CERT’s teams and share with them our experience and how we do our investigations.

We would make an introduction of our tool and explain it showing how it works and how easily you can conduct a complex investigation.

Sinfonier provides an open environment to graphically build high-level Apache Storm topologies and execute and share them for a definable period of time.

Sinfonier is a change in the focus in respect to current solutions in the area of processing information in real-time. We combine an easy-to-use interface, modular and adaptable and we integrate it with an advanced technological solution to allow you to do the necessary tune up suitable for your needs in matters of information security.

Sinfonier puts at your disposal the ability to collect information from multiple sources, process it and enrich it in a continuous and dynamic way. It will be up to you, the users, to provide the algorithms with content in the form of topologies and get the most out of this information.

Sinfonier provides you capacity to create new knowledge from any of the information you have or can achieve. Sinfonier is not a black box solution implementing a few algorithms, is an open platform to be used and shared multiplied capacities and possibilities.

Because Sinfonier is a high-level design and have facilities to use it, is trying to join Security Analyst, Developers and Researchers. So its target is open to people that need to create new capacities or people to use current capacities.

http://sinfonier-project.net

Threat Intelligence was once the domain of nation-states. With the increasing attacks on corporations - more and more this is being built in-house. We will cover one organizations approach to building out this function. What worked well - what didn't work at all to help others as a reference example

The world of cyber incident response is rife with distractions, confusion, conflicting expectations and a plethora of limitations; but timely, accurate response is critical even when data sets seem overwhelmingly large and complex.

This presentation will describe a streamlined approach to media triage and initial case assessment of cyber incidents. Cyber incident response team members, CSIRT managers and anyone interested in learning more about processing digital media and potentially harmful binaries prior to traditional deep dive analysis or reverse engineering are encouraged to attend.

The following issues and techniques will be addressed:

*Focused approaches to case scoping

*Data set carving, i.e., making mountains into molehills

*Setting expectations with victims and incident managers

*A framework for rapid initial forensic and malware analysis and identification of immediately actionable Indicators of Compromise

*Handling and packaging of casework for transition to deep dive analysis and sharing with incident response partners

Bringing an update to the innovations that have happened in the last year, this presentation is about real world human to human and machine to machine information sharing. This presentation will help you avoid pitfalls while increasing your circle(s) of trust and increasing your speed of defense. We will discuss real implementations (FS-ISAC, US-CERT, DSIE, and others) of information sharing and some of the standards (STIX/TAXII) and automation (Soltra Edge and CRITS) involved. Technologies are advancing and we’re learning more about what it takes to put these technologies and processes into practice. Historically, information sharing in the Cyber Defense world has been a tremendously manual and isolated process. While formal and informal networks of incident responders have sprung up to provide defenders some leverage in mitigating attacks three major factors have complicated our jobs:

1. Economic forces have favored the attack side while;
2. Several factors (principally our inability to scale “trust”) have hindered sharing on the defense side.
3. Moving data faster hasn’t helped humans identify the most important data to act upon – and now more data is moving even faster – how do we help humans find the most important information for their particular organization at the right time?

Exploits built to target a specific sector/industry can be broadly employed to provide a significant return on investment due to slow and uncoordinated responses across that sector/industry. Yet, we’re starting to turn the odds in the defense’s favor. The financial sector has recognized that it is imperative to change the economics of the attack/defense model in order to change the balance of power. Financial institutions, through the Financial Services Information Sharing and Analysis Center (FS-ISAC), have been developing and maturing the process of information sharing among its constituents to increase the speed at which defense spreads across the entire financial sector. Several key factors have contributed to the success so far, including:

• Ability for users to post anonymously
• Analysts add value to each posting and users find the information valuable
• Creation of a clear guideline for information dissemination
• Maturing a trust model
• Providing an infrastructure to allow analysts across companies and sectors to collaborate
• Automation to move machine readable Mitigations/Courses of Actions to move at the speed of trust

To date, human to human interaction has imposed limits on the speed and volume of data shared because people were performing tasks that could be more effectively performed by machines. At the same time many companies could not find or afford the talent to identify malicious activity and so relied on computers to do the job best suited to humans.

To maximize the value of the Human in the Loop, the finance sector has made the commitment to move to the automated sharing of threat information by using standardized protocols (STIX and TAXII) and mark-up automation in order to change the economics of cyber-attacks more in favor of the defenders. This presentation will describe critical success factors that are generating initial trust necessary to drive collaboration and the work being done in automating information exchange so that analysts can concentrate on value-added analysis rather than spending their time on manual processes.

KrakenBOT is a fully commercialized RAT (Remote Administration Tool), which is distributed throug advertising on several criminal focused underground forums.

Despite the fact that the price for the standard package is low (approx. 270 US dollars), the complexity and increasing number of various functions and add-ons continue to be implemented. For these reasons, KrakenBOT is slowly becoming a cheap and very effective crimekit and the choice of many criminal groups.

As new versions of KrakenBOT are constantly being released by the author, development is assumed to continue and is likely to affect even more victims in the future.

This research will focus on the economy behind KrakenBOT. It will provide insight on the different functions and modules, give a technical rundown on the KrakenBOT C&C software and look at the binary code generated by the Kraken crimekit.

Finally, the purpose of this research is to identify the individuals behind KrakenBOT and document how it has been systemically abused to steal valuable data from unknowing victims.

In this presentation we will show our view of how cybercrime in Brazil is evolving and adapting in terms of tactics and techniques, with special focus to events that took place in 2014 and 2015. This includes exploring the most prevalent threats and actions that have been aiming at some of the high profile Brazilian organizations, their customers, and the population in general.

This presentation also points out the strategic role played by the Threat Intelligence approach to information security in this new scenario and the possibilities it brings to the table, with some real cases of success.

In recent years, the global supply chain has become the new "playground for hackers". With supply chain inherently having numerous links (from suppliers to manufacturers to distributors), the number of potentially exploitable relationships makes it an attractive target. This presentation describes the deconstruction of one such campaign dubbed 'Daily Show' that is believed to be targeting the global supply chain for multiple industries. The presentation also offers insight into potential attacker motives and implications of supply chain intelligence falling into the wrong hands.

In incident response situations, time is short. One of the biggest problems is that it is difficult to determine what happened to which system, and - if possible - when it did happen. The challenge is almost always to identify compromised systems without wasting too much time on examining those who turn out to be unaffected.

Network forensics can help to pinpoint infected nodes, so that system forensics tasks can be focussed on those systems. The problem with network forensics is that it requires a certain amount of preparation (the more the better), and skill/experience to identify malicious patterns. This talk will focus on where network forensics can help with incident response, where the challenges are, and what tools to leverage.

Based on Siemens CERT's experiences with developing and operating the Open Source MANTIS Cyber-Threat Intelligence Framework, this talks will provide and overview of central issues with cyber-threat intelligence management using STIX and CybOX:

• Finding correlations

With more and more data sources based on STIX and CybOX becoming available, finding correlations in the supplied data becomes essential. We will present work in progess on finding correlations.

• Information tagging

Because the same basic observation (e.g. an IP address) may give rise to many distinct CybOX observables, information tagging on the object level is insufficient for many use-cases. We will present on MANTIS's approach towards information tagging: by tagging atomic facts rather than objects a single tagging action applies to all relevant objects.

• Managing actionable threat intelligence

In theory, it should be easy to manage and extract actionable threat intelligence from STIX/CybOX data for use in detection and prevention systems. In practice, this proves surpringly hard. We will present on our approach towards this problem.

Collaboration and sharing have become motive forces from startups to web-scale global companies. However, security in general and particularly in incident handling at the enterprise level information sharing is still in its infancy. This panel presentation and discussion will briefly outline efforts in the public and private sectors such as NIST's Draft Special Publication 800-150 on Guide to Cyber Threat Information Sharing and European efforts on improving threat data exchange among CERTs and other private sector initiatives. Specifically, the panel will discuss the following topics and questions: 1) Overview of sharing architectures and trust issues 2) What are the present sharing capabilities, technical mechanisms (e.g.identity, access control, etc) and barriers to sharing and using threat information 3) Advice on how to create, maintain, and enhance sharing relationships 4) Specific technical and policy recommendations in the astute use of shared threat information and 5) Discuss specific incident scenarios (nation state malware attacks on an industry sector, distributed denial of service attack against an industry sector,and how sharing could work in that scenario etc)

The superficially simple and straightforward Traffic Light Protocol, originally developed at the UK's Center for Protection of National Infrastructure to encourage information sharing with and among the private sector, has achieved more widespread adoption around the globe than its creators may have imagined. In regular use by all manner of CSIRTs, operational trust communities, information sharing analysis organizations, government agencies, private researchers, and beyond, TLP may have reached the point where it needs to evolve and adapt to support today's needs. As such, it seems that it may be time for the FIRST community to consider "taking on" TLP as a standardization project, to ensure that interpretations are consistent and that TLP is leveraged appropriately and with clear expectations by all.

Rather than having TLP interpreted separately by different communities, or governed as a de facto standard by specific government or CSIRT organizations, TLP could become a FIRST standard similar to CVSS, governed for the benefit of the worldwide CSIRT community and our operational partners. This BOF will seek to explore the level of interest in FIRST in potentially establishing a SIG to standardize, translate and - as necessary - evolve the Traffic Light Protocol in an independent, fair and transparent fashion.

Register for Train the Trainers at: https://registration.first.org/registration/2015/t3-berlin

This training is about learning how to become a (better) trainer. It is not specifically aimed at any CSIRT training framework, but applies to any training (and even presentation) you may want to give in the future.

The materials have been developed by Jim Buddin (GÉANT) and Don Stikvoort, and have also been source materials for ENISA's recently published trainer's guide.

Successful conclusion of this 1-day training will be documented by means of a signed certificate. This certificate will help you become a registered trainer of training frameworks like TRANSITS or FIRST's.

The trainers together with FIRST reserve the right to decide on entry - but our aim is to allow as many of you in as possible. We definitely need more good trainers in the CSIRT community, worldwide.

Cyber attacks today are becoming more sophisticated and transnational in threat landscape, challenging CERT’s incident response capability. CERTs need to be efficient in terms of having strong foundation, readiness, sophisticated tools, up-to- date Standard Operating Procedures (SOP) to respond the ever-growing incidents in the cyber space. Cyber Exercises at national level or multilateral level has now become essential and an integral part of any Incident Response that can be used to assess the readiness of the Team. It has laid strong foundation in an Incident Response procedure for responding and mitigating cyber threats. A multilateral Cyber Exercise brings various teams from different countries, unified together, building common goals and work together to understand, respond and mitigate threats in cyber space. A lot has been said about Multilateral Cyber Exercises that are conducted every year at various locations or regions around the world. However, the question is, are they really effective in overcoming the challenges in responding to cross border incidents and how various Teams from different countries can possibly come together to respond, mitigate cross border incidents? Malaysia CERT has long been engaged in various multilateral cyber exercises. We had played the roles as Coordinator, Player and Excon, significantly, in three different multilateral Cyber Exercises conducted annually. They are the Asia Pacific CERT Cyber Exercise, South East Asian Cyber Exercise and the Organization of Islamic Country CERT Cyber Exercise. In this presentation we would like to share our case study and experiences in participating in the above multilateral Cyber Exercises. The significance or uniqueness of our Team is that we engage in three different multilateral Cyber Exercises, annually, and we play active role in them. In this presentation, we would like to share our case study and experiences engaging in three different Multilateral Cyber Exercises, as below: 1) How Multilateral Cyber Exercise has contributed successfully in responding and mitigating cross border incidents efficiently. 2) Sharing our own in-house developed tools and applications that assisted in developing scenarios, crafting injects, artifact analysis and developing dashboard for status updates of the Multilateral Cyber Exercise. 3) Sharing knowledge of how we customized some of the existing applications and tools for the Multilateral Cyber Exercise purposes. 4) How communication using multiple platforms played an effective way of communication among Coordinators, Players and Excons during a Multilateral Cyber Exercise. 5) Overall observations, team’s expectations and lessons learnt from the Multilateral Cyber Exercise that can be used for future improvement. 6) To show that Multilateral Cyber Exercise is not a costly job. How in-house developed tools can be cost-effective and economical during the exercise. In conclusion, the findings from the presentation can be a benchmark or a beginning point for CERTs or any organizations to get engaged in Multilateral Cyber Exercises. The presentation also concludes that Multilateral Cyber Exercise need to be part of any Incident Response procedure as a foundation, for the purpose of responding and mitigating cross border incidents, in efficient manner.

Threat Intelligence has been a hot item for the past year or two now – everyone sells it and has it drive their products and solutions – but how do you really tell if it’s really making a difference? Several other recent presentations at industry conferences have dealt with trying to measure vendor offerings – but how do you measure your own internal content and processes? How do you know if the Threat Intelligence and Indicators you are creating and consuming are worth your investment of resources? And how do you make them better if they are not?

This presentation will discuss several ways that you can implement measurement of indicator efficacy and feedback loops in your organization to measure and improve your operationalized threat intelligence. You want to make sure that what your organization is using is the most potent, current, and viable intelligence out of the many sources that may be available – and also identify when certain types or sources of intelligence no longer have value.

This presentation will cover best practices derived from real world environments at a high level that can easily be applied in common operational situations, as well as a variety of lessons learned. It will not be limited to specific technologies and/or products, and only classes of products or Open Source technologies (versus specific vendors or products) will be mentioned to avoid any conflicts of interest. It will cover simple tests and workflows that can be applied to a variety of indicator types without being specifically tied to one particular type of intelligence or threat detection.

Attendees will learn about processes that they can put in place to gather metrics from their SOCs/CIRTs and/or other operational environments, and then how to best apply that to an indicator generation and maintenance workflow. Mature organizations may likely have some of these practices in place, but emerging or new organizations will hopefully find this information saves them time and makes their use of threat intelligence more efficient and effective. The presentation will not be deeply technical in nature, but will be useful to technical teams trying to better operationalize threat intelligence and/or aggregate collections of threat indicators.

Ideal attendees will be teams and management focused on implementing or adopting threat intelligence into an operational form for enterprises small and large.

Like most ontological exercises, defining what exactly constitutes a software vulnerability turns out to be at least somewhat subjective. Vulnerability databases use different definitions, scopes, identification systems, and data formats. There are some well-known, comprehensive(-ish) databases like Common Vulnerabilities and Exposures (CVE) and the Open Sourced Vulnerability Database (OSVDB), and more narrowly-scoped databases like Japan Vulnerability Notes (JVN) and vendor security advisories. Differences in scope and how vulnerabilities are defined and identified lead to difficulty counting, tracking, and responding.

The FIRST Vulnerability Reporting and Data eXchange Special Interest Group (VRDX-SIG) was chartered to study existing practices and develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

What are the key similarities and differences across databases?

Should there be a global vulnerability identification system, and what would it look like?

This talk will present results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.

There is a delicate balancing act of maintaining an effective incident response team in the maelstrom of cyber attacks amid limited resources and tools. An IR team must overcome obstacles such as limited network visibility and systems access to lack of training and proper tools. The cost of an incident is increasingly difficult to determine. Is it the impact to customers or corporate brand? The loss of revenue or regulatory fines? How does an organization measure the risks and costs of a cyber event as it relates to the experience of the incident handler in terms of event discovery to containment? How can we leverage this information to build a business case to fill the gaps in our incident response capabilities?

This talk focuses on common impediments to an effective incident response and tools to improve IR processes. The presenter will use real incidents and case studies to illustrate common gaps in IR procedures & event handling. We will discuss how to fine-tune the IR program to detect compromises earlier and how to lower the costs incurred with an organization suffers an intrusion.

If you have worked in Africa we want to hear your perspective and lessons learned on the best to ways to develop and improve the successes of African CSIRTS and cybersecurity capability. CERT/CC will lead a discussion to facilitate an understanding of the issues that present challenges to the people, governments, international organizations and non-governmental organizations that are working on cybersecurity and CSIRTs in Africa.

Global economic advancement and future opportunities depend upon broadly connected systems, and international cooperation is essential to ensuring open and reliable access. The number of Cyber initiatives in Sub-Saharan Africa in recent years is promising but the efforts have been and continue to be disparate and of differing degrees of success.

CERT/CC believes that information sharing is not sufficient to overcome these threats, and that a key success factor for managing incidents are Computer Security Incident Response Teams that have responsibility to coordinate across the government and private sector entities in each country. Cultural, geographic and governmental differences create divergent cybersecurity concerns and thus different CSIRT service needs from country to country. We believe that forthcoming capacity development efforts should pay particular attention to the unique needs of local stakeholders that will create an engaged constituency as a key enabler for effective CSIRTs.

We conducted a research project in order to gain insight into CSIRT capacity in Africa, with a specific emphasis on facilitating the long term stability and success of African CSIRTs and cybersecurity capabilities. The informational perspective of this paper aimed to provide a better contextual understanding of the Sub-Saharan CSIRT environment, and to serve as a starting point for more targeted initiatives or collaboration. We believe that our research is a good first step, but that having perspectives and hands on experience will be essential for long term success.

CERT/CC would like to meet with FIRST members and stakeholders that have participated in capacity development in Africa in order to gain greater insight and knowledge on identifying new, viable, cost effective, and culturally appropriate CSIRT development frameworks.

This presentation will be about the current situation in Japan in regards to preparation for the Tokyo 2020 Olympics, and lessons learned from our research about the past major events including the Olympics and other major events in different countries, in which we have researched under contract of the Japanese government and other major Japanese companies.

In comparing the 2012 London Olympics and 2020 Tokyo Olympics, the following are some major differences that we have gained from our research:

Communication (network) interception - London 2012 – Intelligence agencies and law enforcement implement according to anti-terrorism laws (intelligence agencies and law enforcement have response capabilities against potential threats) - Tokyo 2020 – Law enforcement implement according to court order (response capabilities of law enforcement depend on detection, judgment and response capabilities of targeted organizations)

Mobile devices and Wi-Fi traffic - London 2012 – Since it was the transition phase of dramatic increase smartphone and tablet use, amount (increase) of Wi-Fi traffic was within expectations. - Tokyo 2020 – In addition to smartphones and tablet devices, there is expected to be a rapid increase in the usage of cloud applications and wearable devices, and is extremely difficult to estimate the amount of traffic.

Terrorist organizations and cyberspace - London 2012 – Illegal activities using cyberspace was only somewhat limited. - Tokyo 2020 – There is expected to be rapid increase in illegal activities using cyberspace (an easily accessible environment is being continually being built at an accelerating pace)

Impact of cyber attacks on businesses - London 2012 – Legacy systems were intermixed, so business impact was limited. - Tokyo 2020 – There will be fewer legacy systems, and it is likely that there will be dependency on extremely efficient or highly productive systems, so therefore business impact will be extremely high.

In the presentation, I will further explain some possible cyber attack scenarios according to the factors above. Also, Japan has several unique issues they would have to deal with; for example, earthquakes and nuclear power plants, which relate to dealing with physical security along with cyber security, in considering unified security at the time of the Olympics.

Currently as of 2015, there are more information sharing frameworks being established, like the Japanese Financial ISAC or Cyber Defense Council of MOD and J3 (Japan Cybercrime Control Center, Japanese version of NCFTA), and large scale cyber exercises taking place in preparation for nation-wide massive events such as the Tokyo Olympics. The most updated information will be given in June 2015. I would also like to discuss and explore possibilities of other countries working together with us toward making such massive event secure and successful.