Doing anything at internet scale is hard.

It's also particularly hard to cooperate internationally with out measures of success or failure.

Two of the internet's gentleman scholars want to bring you a variety of metrics they find useful. Metrics that mean things to bitshifters, internauts, and incident responders. Quantifications that help them explain things to policy makers, but also make sense to technicians. Measurements they use to communicate risk to the world, and the visualisations that capture internet cartography.

This session will provide a variety of novel metrics devised during experiments by two of the world's gentleman scholars. They will demonstrate a variety of tools and toolsmithing techniques relevant to the respected audience of the international FIRST community.

Microsoft Exchange infrastructure systems are huge targets for APT attackers. These systems are very active, often process user and domain administrative credentials, and general sit on an organizations internal trusted network while being accessible over the Internet. As a result, for the last five plus years, they have become increasing leveraged for persistence and access into victim networks. Attackers are using these mail systems to maintain a foothold into networks and to exiltrate data and e-mail right under the nose of system administrators and security teams. 

This presentation will look at several different methods attackers are using to exiltrate data and remain undetected. This will cover everything from an attacker logging directly into Outlook Web Access to the use of advanced backdoors to facilitate bulk theft of user mailbox data. The presentation will also explore methods to detect and combat these threats.

This session illustrates new ways to investigate—and get ahead of--threat actors, using OSINT (Open Source Threat Intelligence) such as domain registration data, IP address data, MX records, geolocation, and more. Using examples from high-profile cybercrime/espionage cases, Tim Helming of DomainTools will demonstrate how threat actors can be identified or accurately profiled, and how their webs of connected holdings can be mapped for defensive (or offensive) purposes. The techniques shown are used effectively by leading-edge private sector, government, and law enforcement experts to fight cybercrime globally. Effective adversary analysis pays off in all phases of a continuous security model, from monitoring to detection to response to prevention.

From this session, attendees will be able to:

1. See how domain-based OSINT has helped investigators glean important information about attackers in high-profile as well as routine threat triage and investigations.
2. Identify fruitful sources of open source intelligence (OSINT) to conduct adversary analysis during known or suspected breaches or attempts--and apply the findings to all phases of the continuous security model.
3. Create forensic domain maps--conceptual maps of threat actor infrastructure (domains and IP addresses) that can help the security pro defend against current and future attacks from a given threat actor.
4. Use easily-discoverable information about threat actors to triage indicators of compromise (IoC) during known or suspected breach activity.
5. Learn how to “look back in time” and discover dwell time of malicious actors by correlating previously-seen with currently-seen domains (from the forensic domain map), thereby detecting earlier interactions that may have looked innocuous at the time; and how to use monitoring of threat actors to defend against new attack infrastructure.

This presentation will introduce the approach and outcome of “AOKI” – a DNS sinkhole by JPCERT/CC. Through AOKI, we have observed trends of targeted attacks in the Asia Pacific region and various related threat information. We will also present our information sharing efforts and the outcome in this regard.

JPCERT/CC launched AOKI in June 2015 with the aim of conducting threat analysis of incidents reported to JPCERT/CC, as well as identifying the extent of damage caused by malware, etc. Using AOKI, we also analyze Command and Control Servers (hereafter “C2 Servers”) that the malware communicates with for advanced targeted attacks.

Through AOKI, we observed incidents not only in Japan, but also cross-border among countries and regions. For example, we analyzed a certain C2 Server and found that it links to an attack targeting governmental organizations in some of the specific economies in the Asia Pacific.

JPCERT/CC is exploring ways to effectively share such threat information and related IOCs (Indicators of Compromise) obtained through AOKI, and have started sharing information with some of the economies already. We would like to introduce our approach to FIRST and expand the information sharing coverage beyond the Asia Pacific region, with the hope that it will contribute to the security around the world.

Emerging Threat: Well-funded adversary’s target developers at software companies in order to embed back doors and other malware into their products while leveraging that companies trusted software distribution infrastructure to deploy those pathogens to their customers. Customers will then install these backdoors along with actual bug fixes while believing all is well.

As a recurring theme, the Windows operating system is still the most common beachhead that is established for this attack to succeed.

In this talk we will discuss this emerging threat and move on to new advanced detection capabilities to stop those adversary’s from infecting those software companies as well as your organization in the first place. These new detection capabilities are focused on enhancing technologies already part of the Windows operating system.

As a bonus, each attendee will leave with a copy of the instructions for deploying these advanced Windows detection capabilities.

Attackers are always trying their best to breach your network to steal the secret sauce hidden inside. This session will delve into the attacker's tool set and focus on the types of attacks that are being leveraged against companies today. I will examine tools, case studies and my own war stories.

According to Virus Total they received over 500,000 samples of potential malware per day. At times this has peaked to over 1,000,000. The shear deluge of unique malware samples makes it difficult for incident responders to keep up to protect their networks. Even more difficult is the task to investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations.

Barncat was designed to help deal with this problem. This system analyzes incoming streams of malware to identify known RATs and other known malware and then strip out the configurations from them to produce near time intelligence of known command-and-control hostnames and IP addresses.

The aspiration is to great automated surveillance tools that can monitor criminal infrastructure to make it easy for incident handlers to identify problems on their network, for security analysts to protect their networks and for law enforcement to have reliable near-time information for their operations.

This talk will discuss how the tool generates information and what the possibilities hold for this kind of analysis.

Access to the database via MISP is given free of charge to CERTs, law enforcement and trusted industry partners.

Responding to a over a dozen major incidents every year, US-CERT has observed significant similarities in breaches and intrusions across a range of different institutions. US-CERT also provides a comprehensive set of services as part of our incident response activities, leading to enhanced understanding of how breaches occur, what can be done to minimize the impact, and what works (and what doesn't) in crisis communications. Several of our incident response engagements have taken over two months to close out, providing a wealth of experience to share with the CSIRT community as we deal with ever more frequent and severe intrusions into our constituent and customer networks.

This presentation will discuss incident response trends from US-CERT's perspective as well as best practices prior to, during, and after response to major incidents. Common missteps, lessons learned and our top five preventative measures for organizations to take will also be described in detail, with a focus on recent experiences dealing with Bulk PII compromises.

As CSIRTS, ISACs/ISAOs, commercial vendors and others plug into existing and emerging automated Cyber Threat Intelligence ecosystems, the next logical question is “what should we do with all this data?” This talk will explore successful existing applications of CTI and where the CSIRT/IR community is heading based on these interconnected networks. The emphasis will be on approaches that deliver fundamental improvements in defensive cybersecurity operations - at scale. We’ll also ask some thorny questions about how automated CTI ecosystems might disrupt long-standing processes and even beliefs within the security operations community. Finally, promising new uses of CTI will be highlighted and the audience will gain insights into emerging focus areas including: • Prevention at the scale of millions of endpoints simultaneously • Rapid correction of false positives through automated feedback loops • Advanced analysis and meaningful data-driven visuals

Historically the organizations of the United Nations Common System did not have a meaningful way to communicate cyber security information amongst themselves, nor has there been a presence in the greater infosec sharing communities. Starting in September 2015, there has been a concerted effort to address both problems.

The United Nations International Computing Centre, under directive of the UN Secretary General and mandate by a steering committee comprised of United Nations CISOs, has taken on the initiative to invest in and build a program dubbed "Common Secure" which all UN and UN "Family" organizations may subscribe to (similar to an ISAC.) However the difference between a traditional ISAC and Common Secure is that an ISAC is more focused on a vertical market, which typically means similar threat actors and some shared threat landscape. Contrary to that, within the UN the "market" is more horizontal in that the breadth of constitutents runs the gammut from world critical infrastructure concerns (IAEA, WHO, OPCW) to more humanitarian efforts (UNICEF, UNESCO.)

This presentation will discuss the genesis of Common Secure, including how we've socialized the solution, challenges faced, partnerships, and more.

Most CSIRTs today know the value of planning, training, and drilling. Indeed, most have elaborate standard operating procedures describing how they will respond to various types of incidents, as recommended by NIST's SP 800-61.

While that's all well and good, often times those plans focus too much on the technical aspects of incident response, or they fail to adequately address the business or involve the various interdisciplinary key stakeholders in an organization.

In this practical session, Ken van Wyk will describe how to design and run an interdisciplinary tabletop drill in modern medium- to large-sized organizations. The session will cover who to involve in the tabletop drill, what their roles and responsibilities should be, and how to effectively engage with them during the drill. Additionally, it will give practical guidance on how to construct realistic scenarios that draw various business departments into resolving the simulated incidents. These often include corporate communications, legal counsel, human resources, and other organizations that aren't typically direct components of an incident response team, yet are nonetheless key stakeholders during many real world incidents.

Getting the right executive decision makers together for a tabletop drill is challenging enough, and chances are you'll only have their attention for a brief period of time. Designing the right tabletop drill for them to understand not just the basics of your CSIRT's processes but also why their own roles are so vital during real world incidents is crucial to the drill's success.

Van Wyk has built such drills and involved executive teams in dozens of multi-billion dollar corporations. This session will present the practical aspects of making those drills work effectively in your organization.

What would POS Terminal cybercriminals do if they didn’t know you were watching? Find out in this demonstration in which researcher Kyle Wilhoit will use a combination of physical and virtual honeypots to track POS attackers from the initial infection to the exfiltration and resale of data. This session will provide you with the insights you need to better protect your organization that may be using POS terminals.

RAT (Remote Access Tool) type of malware called Emdivi was shook Japan in 2015. Now also it has been observed continuously. In this presentation, we introduce the results of the attacker's tool that seems to be used, the command that seems to be executed, as well as TTPs (Tools, Techniques, and Procedures), pivoting technology, and clustering analysis of samples. Finally, we try to infer what the attackers are looking for.

In recent years threat intelligence awareness has grew rapidly not only with the Fortune 500, but with medium-sized companies as well. There are dozens of threat intelligence IoC feeds by excellent cyber-security companies, start-ups, and by great open and closed communities as well.

But recent researches published on this issue show that even all feeds combined still barely scratching the surface of the malicious threat actors out there. On the other hand, the opposite problem for some organizations is that they are overloaded with security events, this problem exists even if we assume that the IoC feeds are of high quality and have low false-positive rate.

On this talk we'll discuss how to choose your battles and how to fight the right wars in your own enterprise network. How to prioritized the incident handling and focus on the most important ones. This is accomplished by running statistical analysis on your network and creating your own customize threat intelligence feed, and by consolidating all of your available threat intelligence resources, open-source intelligence (OSINT) and your own internal security events. By this you maximize your protections against future potential attack.

We'll demonstrate that this task is relatively simple to perform, but the added revenue of doing so is extremely high. The security gain is even greater when mutual sharing the home-made feed across the relevant community. The demonstrations would be on the recent and actual campaigns.

Traditionally fighting the effects of cyber crime was left to CERTs. But criminals missus an entire value chain for their malicious purposes. Endusers, ISPs, webhoster, registrars and domain holders, just to name a few are among the victims. In Switzerland we follow a holistic approach to break the cyber crime value chain in multiple places, by collaborating with all stake holders, national and international and calling them to do their share.

Phishing campaigns, drive-by attacks, spam-runs to install malware are more and more local and target only users in Switzerland. Information about cybercrime targeting Swiss Internet users is collected by the various players and shared on a national level to clean up and mitigate risks to Internet users in Switzerland. Drive-by, C&Cs and Phishing sites are cleaned up asap, infected users are notified by their ISPs and data to directly mitigate risks via RPZ or Filters are distributed to the ISPs to help them protect their customers.

Despite these efforts end-users will click on malicious attachments and surf on infected websites. To support these victims the Swiss Internet Security Alliance, a collaboration of Swiss ISPs and Banks was founded. SISA offers a free check that finds and remedies infections as well as awareness. All participants, banks and ISPs send their infected customers to the same place: SISA. This makes sure hear the same message.

We show the critical success factors that allowed us to make Switzerland one of the safest places in the Internet.

Organizations are bombarded with threat intelligence in the forms of feeds, long form reports and shallow guidance, yet none of these impart the wisdom of the analyst who helped derive the content. Using years of analyst experience, Steve and Brandon from PassiveTotal have created a platform that not only aids in the discovery of new potential threat infrastructure, but also distills their years of subject matter expertise into analyst guideposts that even a junior analyst could follow in order to action data provided from 3rd-party providers.

In September 2015, PassiveTotal was acquired by RiskIQ and with that brought years of Internet-scanning data that RiskIQ had collected by crawling the web. In this talk, we want to move beyond the popular sources of infrastructure connection like WHOIS and passive DNS and instead, focus on the non-traditional points of correlation derived from the data found within the RiskIQ repositories. Our demonstration will not only show that these non-traditional sources find data WHOIS and passive DNS miss, it will also identify subtle mistakes in an attacker's operational security.

Attendees should expect to walk-away with knowledge of new datasets, some of which could be collected on their own, and how they could aid them in discovering additional pieces of infrastructure. Additionally, a demonstration will be done highlighting how an analyst could operationalize the data in order to make discoveries by using the PassiveTotal platform or command line tools using the free API. Threats have become more advanced, yet our ways of making connections have largely stayed the same. By giving the analyst more tools and ways of surfacing malicious content, we hopefully succeed in making it harder for attackers to be successful.

Cyberspace, including the Internet, has become an indispensable part of modern life. While development in the field of ICT allows for enormous gains in efficiency and productivity, it has created opportunities for those with devious ambitions to cause havoc and harm. The potential for catastrophic cyber attacks that can cripple the operations of critical infrastructures of nations is worrying. Critical National Information Infrastructure (CNII) is deemed critical to the nation; because disruption of the systems and communication networks could significant affect the nation’s economic, political, strategic and socio-economic activities. The capability to have a functional enterprise CSIRT is seen as closely connected to the idea of critical infrastructure protection. This paper proposes for CNII organizations to establish Computer Security Incident Response Team (CSIRT), which provides a systematic guidance for the organization's information security risks management to an acceptable level.

Over the last 18 months, US-CERT has responded to many major security breaches at government agencies and in the healthcare sector. This presentation will describe how US-CERT leverages discoveries from incident response engagements in developing new indicator products, as well as using known cyber threat information to better understand the Modus Operandi and tactics, techniques and procedures of the intruders. US-CERT's procedures for implementing CTI in incident response and lessons learned from real world engagements will be explained, as well as an overview of our information sharing program and how attendees can get involved.

Cybersecurity of global big events such as Olympic/Paralympic Games is a great challenge for concerned incident response teams. To secure such kind of events requires to build coordination of many and various stakeholders, to consider extremely enormous and sophisticated attacks, to analyze variety of international and social background issues and to adapt the solutions to never-ending technological innovations. The author's presentation will depicts the challenges and how the government of Japan try to address them in terms of preparation the cybersecurity readiness for Tokyo 2020 Olympic/Paralympic Games.

Since 2005, there have been over 18,000 data breaches exposing approximately 4.5 billion records. The total cost has been astronomical and it has come to a point where it is embarrassing that organizations have not figured out how to prevent even the most basic breaches from happening. More importantly, organizations have not learned how to respond to incidents appropriately.

This presentation dissects some of the most interesting and worst breaches of the past several years. The focus of the talk will be on the cause, impact, cost, and poor incident handling that resulted. We will go over what could have been done to better respond to many of these incidents.

Based on the knowledge and insight gained from this discussion, attendees will be better prepared to learn from other people's mistakes, better understand data breaches, and ultimately how to better prevent them from happening.

DDoS has emerged as a major problem affecting the health of the entire Internet. Very little highlights the asymmetrical nature of cyberwarfare more than DDoS attacks. It has become so easy that children lacking technical skills can shut down online services used by millions of people.

For five dollars, an attacker can purchase an attack that would cost thousands to mitigate. For some, the solution is to hide behind DDoS protection services. But this is a short term solution. The root of the problem is easily exploitable devices on the Internet, and the people who exploit them.

This talk discusses the tactics and strategies used by those working on the long term solution, and concrete examples where information sharing can bring down criminal enterprises without bringing any additional risk to the victims.

Incident Response at Adobe started off 10 years ago when the Product Security team was first formed – mostly coordinated disclosure (called ‘responsible disclosure’ back then) of vulnerabilities from security researchers and partners. After a couple of years, coordinated disclosure practices became more challenging – when exploits in the wild against Adobe runtime products began to proliferate. As the product and threat landscape evolved further, with hosted services entering into the mix, we began to see that vulnerability response and traditional network incident response were overlapping, and a new approach was required. We’ll talk about our journey, lessons we've learned along the way, and where we see incident response at Adobe going in the future.

Detecting "lateral movement" – the spreading of an infection after the initial compromise of an internal network – in APT attacks is extremely challenging. This presentation will focus on “Active Directory event log” and introduce our unique visualization of the related activities utilizing event logs, and how to effectively detect attacks. We will also present case studies and findings of JPCERT/CC’s incident analysis. Lastly, through collaborative trial studies with Industrial Control System (ICS) asset owners, we found that this methodology is also effective for principal Windows in ICS, even under an environment where Active Directory is not utilized. The presentation will also discuss results of these studies.

In 2015, Japan faced numerous advanced attacks. Under this situation, JPCERT/CC gained the cooperation of some of the victim organizations and conducted investigations on the malware and related logs. Through our analysis, we found several cases of lateral movement where the attacker had taken over the user account of Domain Controller administrative privileges under the Active Directory environment. In this presentation, we will cover event log settings and key items that are highly useful in detecting such attacks, and more.

Risk scoring of IP addresses and other technical indicators are crucial to running an efficient IT / network security operation. Currently, traditional threat lists are compiled from information provided by honeypots, analyses of log files, and similar sources. This research shows a new approach that uses contextual information derived through text analysis (Natural Language Processing) of documents sourced from the open web, forums, paste sites, and onion sites. The methodology is illustrated by an analysis done on 12 months of historic data from open web sources, forums, and paste sites, showing how a set of IP addresses can be identified as potentially malicious based on their aggregated context from a large number of documents. This presentation contains information e.g. on planned attacks (including lists of target IP addresses that should be scanned for vulnerabilities, and results of such scans) and discussions about how to configure malware with different C&C servers. In conclusion, this new approach provides a higher proportion of malicious outbound IP addresses when compared to traditional threat lists. As a result of this analysis, operational defenders will gain another valuable source of complementary threat information.

As an analyst with the Cisco Computer Security Incident Response Team (CSIRT), I have observed and responded to numerous compromises resulting from the exposure of hacked websites. These attacks, growing in popularity, are difficult to detect. Reputation-based scoring doesn’t work, zero-day malware is frequently used, and there are no visible signs of compromise. Regardless of the difficulty, we cannot sit around and wait for hacked machines before discovering the root cause. My job as a practitioner is to create detection capabilities that increase our coverage of the threat landscape, and I would like to discuss how incident response teams can proactively generate their own threat intelligence related to targeted web compromises.

The main focus of this discussion will be a custom web crawler that detects malicious modifications to websites including iframe redirects, spam injection, and website defacement. Cisco CSIRT is actively taking steps to open source this tool and targets a release date of June 12, 2016. Upon release, incident response practitioners can use this tool in two ways:

Website monitoring tool – Add your organization’s domains to the crawler’s list of sites to be regularly monitored. An alert will be generated if anything suspicious is found.

External monitoring solution – Proactively generate your own threat intelligence by scanning potentially compromised websites.

The web crawler employs variety of detection techniques: it inspects the Document Object Model of each page, calculates the position and size of iframes, analyzes anchor tags using threat intelligence, and calculates differences in screenshots and ssdeep hashes. These capabilities allow detection of iframe redirects, vbscript injection, spam injection on blog posts, raw pastebin injection, email disclosure, and website defacement. Case studies of actual compromises and alerts will be presented at the conference.

The web crawler was built using three open-source technologies: Scrapy, PhantomJS, and Django. Scrapy is a web scraping and crawling framework written in Python, which serves as the basic foundation of the web crawler. PhantomJS is a headless web driver; in other words, a browser without a graphical user interface (GUI). PhantomJS allows the crawler to load dynamic page content and “browse” websites just like a human would. Django is a Python web framework and was used to build out a web interface so practitioners can easily add/remove domains to crawl and view alerts.

Finally, the web crawler can be integrated with log aggregation technologies such as a Splunk and ElasticSearch, allowing industry practitioners to search logs for alert data.

Today most incident response teams rely on vendor threat feeds to gain additional intelligence about the attacks against their network. Yet vendor threat intelligence alone is limited -- if the IOCs, signatures, or other feeds don't match what investigators have found in their network the investigation itself can come to an abrupt end. In this presentation, “DIY Threat Intelligence With Real-Time Data,” Dr. Paul Vixie, an Internet pioneer inducted into the 2014 Internet Hall of Fame for his work related to DNS, will demonstrate how digital investigators can go beyond threat indicators to create their own threat intelligence using real-time data from the Global DNS. For example, using real-time DNS observations, a domain name might lead you to a list of IP addresses and perhaps a list of name servers. Following those IP addresses and name servers will often lead to more domain names of interest, etc. When you're done investigating, you'll have an excellent picture of "what's connected to what" and have created threat intelligence specific to your own incident leading to faster response and mitigation.

The demand for insurance against cyber attacks is rapidly increasing and insurance companies are entering the field as actors in the incident response food chain. Businesses that want to use cyber insurance as a risk management strategy need to understand the risk they are facing, and how cyber insurance can reduce this risk. This implies a need to understand and evaluate cyber insurance policies. Insurance companies, on the other hand, need to be able to differentiate between potential clients based on the risk they are facing, so as to reduce the risk of adverse selection. They also need to understand the needs of the various market segments, in order to offer cyber insurance products that are relevant.

For both the supply and the demand side it is important to understand and document costs related to cyber-incidents, in order to agree on a compensation in case there is an incident. Insurance companies are currently partnering with security consultants, managed security service providers and incident response teams to evaluate the cyber security posture of potential customers, and to provide rapid incident response services aimed at minimising damage and cost of cyber incidents. However, this is yet an immature area and more research is needed to establish a cost-benefit framework for cyber insurance and better understand the underlying factors that influence the costs associated with cyber attacks.

SINTEF has performed a study identifying knowledge gaps in using cyber insurance as a risk management strategy [1], and performed interviews with several insurance companies that offer cyber insurances to the Norwegian market. This spring we will continue this qualitative research with further in-depth interviews with insurance companies, insurance company contractors and customers.

Some of the key issues that will be discussed in this talk are:

• Where do insurance companies best fit in to the incident response lifecycle?
• How can CERTs collaborate with insurance companies to mitigate and minimise costs of cyber incidents?
• What language do CERTs need to speak to interact efficiently with insurers?

[1] I. A. Tøndel, P. H. Meland, A. Omerovic, E. A. Gjære and B. Solhaug: Using Cyber-Insurance as a Risk Management Strategy: Knowledge Gaps and Recommendations for Further Research. Technical Report

In March 2014, researchers found a catastrophic vulnerability in OpenSSL, the cryptographic library used to secure connections in popular server products. While OpenSSL has had several notable security issues during its 16 year history, this flaw---the Heartbleed vulnerability---was one of the most impactful allowing attackers to read sensitive memory from vulnerable servers. As researchers, we analyzed the impact of the vulnerability and tracked the server operator community's responses. While this work gave a detailed view into global patching behavior, perhaps the most interesting lesson from our study of Heartbleed is the surprising impact that direct notification of network operators can have on patching. Even with worldwide publicity and automatic update mechanisms, Heartbleed patching plateaued two weeks after disclosure with 2.4% of HTTPS hosts remaining vulnerable. We emailed network operators about the unpatched systems in their address spaces, in two groups a week apart. Surprisingly, we observed that during the period when only the first group had been contacted, the rate of patching was 47% higher for those notified.

Although Internet-wide measurement techniques have enabled the mass detection of both vulnerable and compromised systems, many researchers (including us) had assumed that performing mass security notifications for any global incident would be either too difficult or ineffective. Our findings challenge this view. As a result, we now believe more work is needed to understand what factors influence the effectiveness of mass notifications and to determine how best to perform them.

In this talk, we will briefly summarize our experiences with mass notifications and solicit the community's feedback on our ongoing efforts to answer several core research questions. For example, how do response rates vary for a range of types of security events with varying characteristics and user demographics? What is the best means of reaching the people responsible for managing these systems, and what role do organizations like CERTs play? Finally, how do we construct a notification message for maximum effectiveness? By answering these important questions, we hope to make automatic, measurement-driven mass notifications an important tool in the defensive security arsenal.

This presentation outlines the actions of a criminal group that created a new phishing kit allowing them to make automated money transfers.

This tactic has forced us to review the procedures that we use to ensure we are adequately preventing fraudulent activities.

This presentation will outline how CERT-GIB has achieved automated identification of new phishing pages created by this group.

In addition, we will also display how we perform automated analysis of compromised credit cards in real-time, and what procedures have been taken to prevent fraud, even when cybercriminals have fell off of our radar.

Researchers at security firm often face the two scenarios: After the security incident happened, tracing back the data in house, they found that some of the relevant data have been in existence for nearly half a year, some even almost a year. The presence of these data didn’t raise any noticeable alert to researcher; Another scenario is that facing huge data every day, hundreds of thousands of suspicious program, tens of thousands of indicator of compromise (IOC) records, researchers need to spend a lot of time to investigate and identify the severe and actionable relevant data using a variety of tools. The data dilemma for researchers always seems too much data or too less data. Researchers need a unified platform to raise the potential high risk threat alert from the mass of data in time. Security researchers can immediately investigate, monitor and further strengthen the collection of the data from targeted sensors and source, thus reduce the investigation cycle to track down of the threat, to find the needle from the hay.

In this talk, I want to share with you a threat intelligence analysis platform via going through two china focused threats ‘s deep dive, share how it helps to gather scalable threat data, provide an interactive unified analysis platform to our researchers, helps researchers to reduce threat analysis cycle, reduce assessment time of the threat infrastructure capability and produce actionable IOC based on threat’s tactics, techniques and procedures (TTP).

Currently there is no system that is designed to assess the severity of cyber incidents at a national level. Many systems and schemas, including NIST 800-61 r2, provide excellent guidance within the scope of a single entity’s Security Operations Center (SOC) however these system do not address this risk within the national paradigm. Large scale and national cyber operations centers like the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) need to assess risk to accommodate external parties across a diverse set of private critical infrastructure asset owners/operators and USG Departments/Agencies. The NCCIC Cyber Incident Scoring System (NCISS) is designed to provide a repeatable and consistent rating mechanism for evaluating the risk of an incident in this context.

The NCISS was based on NIST 800-61 r2 and tailored to include entity specific potential impact categories that allow NCCIC to evaluate the severity and prioritize on a national scale. This allows for a similar incident at two different stakeholders to have a significantly different score based on the national level potential impact of the entity.

The functional methodology uses a weighted average that ultimately produces a score from 0 100. The severity/risk score drives NCCIC processes and determines the necessary incident response prioritization and service level for each individual case. The system is not designed to support cases where multiple correlated incidents may increase severity (i.e., raise the priority).

The inputs to the scoring system are a hybrid of discrete and analytical assessments that will generate a score approximating the relative risk of the incident. While every attempt to minimize this effect via training and exercise, different individual scorers will have slightly different perspectives on analytical responses to the scoring questions. The use of discrete, verifiable inputs lessens the impact or sway from any individual analytical factor, increasing the overall precision of the system. Ultimately the system is designed to provide a repeatable risk estimation that provides guidance for evaluation by incident response managers rather than set a hard line.

Mutation and rootkits are two very powerful techniques commonly used by malware authors to maximize the lifespan of their malware by hindering the detection and analysis process. Many cases of mutation powered malware have been seen in the wild, however, very few (if at all) cases of rootkits have been spotted which are powered by in-built mutation engine (unlike new variants coming from malware author directly). The talk will focus on design and construction of a metamorphic engine which can be used to mutate loadable kernel modules for recent versions of LINUX kernel. The metamorphic engine operates at object code level, and therefore, object code is mutated, and then linked to generate final kernel object. It supports common mutation techniques like instruction swapping, junk insertion and detection, instruction reordering etc. Possible detections and mitigations will also be discussed.

Our talk will be focused on Domain Shadowing from a unique perspective (being on the registrar end as well as the vendor end of the spectrum). During this 40 minute long presentation we will be showing the history of the threat not only from our point of view but also from the attackers’ methods we observed first-hand. This leads us to showcasing some of the threats associated with this activity including but not limited to malicious traffic distribution, exploit kits, fake tech support scams and other fraudulent activity.

In addition, we will discuss what it would take in order for any type of mitigation efforts to be taken, and why nothing significant has been done to disrupt this threat since 2010.

This presentation examines several case studies of critical infrastructure compromises in Asia-Pacific and Eastern European regions, covering in-depth details of identified attacker techniques, procedures and attributes, giving insight of intial detection each incident, timeline of the events, detailed forensic analysis, attribution details, impact on compromised infrastructure as well as discusses primary reasons why, in each case, the initial breach was possible and was not detected for given period of time. The presentation will also walk through set of custom and off-shelf tools, which presenters developed, or used during each investigation.

Geopolitical relationships between countries are complex and sometimes full of contradictions. Governments that seem to be friendly and cooperative in public, often pursue parallel agendas that are less than obvious. This talk describes systematic espionage aimed at the government and critical infrastructure sector of Myanmar. It specifically focuses on how campaign milestones align with important geopolitical and economic events and outlines the campaign development and the malware being used since 2012, of which nothing is publicly known.

The uncertainty surrounding cyber incident response presents an opportunity for CIOs to educate the executive team on cyber resilience—the coordinated set of enterprise wide activities designed to help organizations respond to and recover from a variety of cyber incidents, while reducing the cost, impact to business operations, and brand damage.

This session will provide a case study of bringing Incident Response together across multiple lines of business in multiple countries with a shared responsibility—not one that falls on the CISO’s shoulders alone. This includes coordinated response efforts across legal, communications, HR, and other functions in a case study of building cyber resilience.

Despite of high technologies that we have reached in securing cyber space starting from next generation firewall, UTMs, Anti Malware and others, Human stay the main asset in Information Security System. Finding a cyber security professional that you can trust to secure your infrastructure became a very hard job.Today there is a severe shortage in cybersecurity workforce. According to Cisco Annual Report in 2014, world suffers a shortage of one million cybersecurity job openings.The shortage of cybersecurity talent might explain why salaries of cybersecurity professionals are expected to rise in the coming five years. Governments, Security agencies, large enterprises are, all, desperately searching for cybersecurity talents that can cope with latest cyber security risks and threats in cyber world. Different governments are working on finding solutions to increase the number of cybersecurity workforce and cybersecurity professionals either by funding cybersecurity professional training, Masters or others. Moreover, Cyber Security is not an entry level position. students or graduates must have some knowledge / experience in programming or network field for example to start working on network security field or application security. Today, with the expansion of the attack surface, students/graduates must have basic knowledge in control systems to work in Industrial Control systems or SCADA system or IOT security.

However, An important point is missing that cybersecurity is not only a book to read, a certificate to gain or training to attend.Most of Black hat hackers didn’t take any sans / EC Council training or certificate , They might not even joined one of the top ranked universities. you might find a young kid with an age of 13 years old who hacked to a CIA Director mail or a 15 years old who attacked the British broadband and telephone provider TalkTalk website and many others, the examples are endless.So, what is the equation? what is the formula for discovering Cyber Talents

In this session, we will proof that cybersecurity is a talent. Second, We will share our experience in discovering Cyber talents in different universities. Third, We will present the formula that will help different countries, governments, universities and of course companies to build the workforce they need, the equation that balance the white hat hackers and black hat hackers in our cyber world. Also, The Session will include a demonstration for tools we developed to assess and measure cyber talents

Finland is often said to have the cleanest networks in the world. That is not only because of an active CERT, but because of right tooling, right timing and cooperation. Presentation will focus on how we've developed our tools, sometimes on-demand and sometimes during a longer phase.

The right tools and quick adaptation of available methods have been in many cases the success factor in both mapping threats and responding to large scale incidents. Tools have everything to do with how building automation enables the teams to focus on more important and non-trivial cyber security issues.

However, tools are not the only thing you'll need. The team, the flow of information inside is the key to success. I will open up how NCSC-FI's team works on daily basis and share some experiences what sort of things you need to take into account when your team triples in size.

Insider threats are complex and require planning to create multi-year mitigation strategies. Each organization should tailor its approach to meet its unique needs. The goal of this paper is to provide relevant best practices, policies, frameworks and tools available for implementing a comprehensive insider threat mitigation program. Security practitioners can use this paper as a reference and customize their mitigation plans according to their organizations’ goals. The first section provides reference frameworks for implementing an insider threat mitigation program with the Intelligence and National Security Alliance (INSA) Insider Threat roadmap, Carnegie Mellon University's Computer Emergency Response Team (CERT) insider threat best practices, CERT insider threat program components, National Institute of Standards and Technology (NIST) Cybersecurity Framework, and other relevant guidance. This section provides an implementation case study of an insider threat mitigation program for an hypothetical organization. The second section of this paper will present example use cases on implementing operational insider threat detection indicators by using a risk scoring methodology and Splunk. A single event might not be considered anomalous, whereas a combination of events assigned a high-risk score by the methodology might be considered anomalous and require further review. A risk scoring method can assign a risk score for each user/identity for each anomalous event. These risk scores are aggregated daily to identify username/identity pairs associated with a high risk score. Further investigation can determine if any insider threat activity was involved. This section explains how to implement a statistical model using standard deviation to find anomalous insider threat events. The goal is to provide implementation examples of different use cases using a risk scoring methodology to implement insider threat monitoring.

Linux is growing in its popularity and with servers and embedded applications running Linux, it has become target for malware attacks. When an organization is infected with Linux malwares, responding to such incidents become important. To determine the capabilities of Linux malwares, its associated indicators and to establish better security controls, Today there is a need for automated analysis of Linux malwares.This presentation focuses on the analysis of real world Linux malware samples using Limon sandbox. Limon is a sandbox developed to automatically collect, analyze and report on the runtime indicators of linux malware.The presentation covers the details of inspecting the Linux malware before execution, during execution and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using Limon. It covers details of determining the malware's process activity, interaction with file system, network activity and other advanced techniques used by the Linux malwares to bypass live forensics and system administration tools.The presentation also touches on the implementation details of Limon sandbox and will present video demos showing the analysis of a real world Linux malware samples.

With the increasing connectivity to the internet in the health sector including electronic medical records, medical applications on smartphones and medical devices, the risks of compromise are rising astronomically. When you take into account that most healthcare systems do not have a CISO or a SOC and spend less than 3 percent of their IT budget on security, the risk magnifies. This session will cover the various threats seen in the medical sector - including specific cases; the threat surface; the challenges that the sector faces; the current activity around medical device security including MDRAP a risk assessment program for medical device security, and a common vulnerability reporting structure for medical devices; and information sharing practices including STIX and TAXII usage in the sector, citing specific examples. Discussion will also cover how the sector is collaborating and work being done on a playbook for sector incident response.

Java’s “write once, run anywhere” capabilities make it a popular platform for attackers. This talk will perform a deep examination of popular Java malware families capabilities and indicators and will reveal uncommon analysis techniques to immediately help you with investigations. Analysis of Java malware families' behaviors and infrastructure will be delivered to aide with the creation threat intelligence and provide an understanding of the current threat landscape.

Note: This session will be in Korean with simul-interpretation service.

Coming soon.

Sophisticated attackers in the digital world have become extremely innovative in the past decade. As a result of their investments for innovation, many top criminal and state-sponsored cyberattack groups have achieved their financial or strategic goals at the expense of businesses, governments, and private citizens. In addition to global cooperation among FIRST responders, we need to continue to foster disruptive innovation for security. What are some of the characteristics of disruptive innovation? What are some of the exciting new areas we can expect to see in the next 3-5 years in security? What role can each of us play to foster innovation that disrupts our adversaries?

Coming soon.

The Internet is around fifty years old. There are over three billion Internet users today, and we expect the number of the Internet users to double in the next two decades to six or seven billion. We call the current Internet users as "First Billion", and the new Internet users in the coming decade as "The Other Billion." We review the history of the Internet and computer, and address issues we would face in the coming decades.

In this talk we will discuss a practical approach to maintaining an inventory of 3rd party sinkhole operations, and applying that knowledge to intrusion analysis. DNS analysis and sinkhole operations have become an essential part of the anti-abuse ecosystem, figuring prominently in network compromise, malware research and in botnet takedowns. But for various reasons, not all organizations have the capacity to maintain their own sinkholes or directly take advantage of the data collected from third party operations.

We will discuss the need for the identification and tracking of third-party sinkhole operations. We will then address how the third-party sinkhole data can be indirectly leveraged for situational awareness and threat intelligence, local perimeter defense and intrusion analysis, as well as the support of research malware analysis efforts. We will describe a practical methodology for identifying and tracking sinkhole operations, and then share a few success stories identifying previously unknown compromises on a real network. Finally, we will argue the need for a larger collaboration effort in tracking third party sinkhole operations and in doing so we will describe how that effort could benefit the larger community.

Apple devices are becoming increasingly more common in personal and enterprise computing environments. It's time to bring modern, scalable techniques for analyzing Apple malware. Early tools for analysis are either very costly, closed-source, or difficult to extend, and none of the available tools focus on extracting key data from binaries to enable collaboration and big-data analysis.

After a brief overview of the Mach-O (Apple binary) file format, we'll take a look at Mach-O Libre, a python-based Mach-O binary metadata parser we've been building and will be sharing publicly for the first time. Where many tools have different approaches to enabling individual analysts, Mach-O Libre extracts and calculates key metadata and outputs it into an extensible, big-data and sharing-friendly format. With our shiny new analysis tool in hand, we'll explore its current features on some real malware samples and discuss how it can automate the process of identifying and dissecting Apple malware at scale. We'll finish with lessons learned and obstacles we had along the way, planned future development, and our vision for Mach-O Libre going forward to enable further attribution and collaboration features.

Portable Document Format (PDF) has become widely-accepted format since its invention by Adobe Systems in 1993. This is because PDF documents are totally independent of operating system, hardware, and software. Although all of these features simplify the handling of documents using computers, they also have made PDF one of the most fascinating vehicle for exploitation by malware writers. As a result, the number of PDF attacks has tremendously increased in the past years. Once the systems have been exploited, they may be used in a class of targeted attacks called Advanced Persistent Threats (APTs) whose goal is espionage on government agencies, financial sectors, and individuals. They might also be used in nontargeted attacks such as worms and botnets. The attackers exploit vulnerabilities in PDF files to inject other malicious files such as JavaScript, portable executable (PE) files, HTML, images, or other malicious PDF files inside PDF documents.

To gain the advantages of using PDF documents with minimum drawbacks, several research efforts have been introduced to detect and/or prevent malicious PDF documents. The existing tools such as intrusion detection systems (IDSs) and antivirus packages are heuristic and signature-based techniques. However, these techniques are inefficient because they need regular updates with the new malicious PDF files which are increasing every day. In addition, there exists limited number of researchers concerning with creating signatures for the new malicious PDF files. Accordingly, there has been an urgent necessity for alternative techniques to detect malicious PDF.

In this research a new technique is presented to overcome the drawbacks of these techniques. The proposed algorithm combines one of the optimization techniques called Improved Binary Gravitational Search Algorithm IBGSA as a feature selection algorithm and set of classifiers such as Random Forest and Decision Tree to detect the malicious PDF files. A large data set of malicious and benign PDF files are gathered. To have balanced training set, the number of malicious and binging PDF files in the training data set are the same. A total of 22000 malicious and benign PDF files with no duplication in the data set are obtained from the EG-CERT. The data set is partitioned into three subsets: training, evaluating, and testing. The training and evaluating sets are used to obtain the most effective attributes. The testing set is used to measure the performance of the proposed system over unseen PDF files. The procedure of selecting the training set is based on 10-fold cross-validation Experimental results show that the proposed algorithm can achieve 99:8% detection rate, 99:8% accuracy, and less than 0:2% false positive rate. The proposed algorithm can achieve better performance compared to antivirus packages. In addition, the proposed algorithm is flexible either to integrate it with antivirus packages or a stand-alone tool. The proposed algorithm also can be used with any type of PDF files. For future works, the proposed system can be improved to achieve better false positive rate by combining it with the dynamic analysis algorithms. In addition, the proposed algorithm will be tested against classifier evasion techniques and the mimicry attacks in which malicious PDF files mimic the structure of benign PDF files.

The session will provide a high level overview of STIX/TAXII. How organizations are leveraging tools like Soltra to automate threat intelligence collection, de-duplication and threat mitigation. Reference to JHU APL study on automating cyber defense which shows how leveraging STIX/TAXII allowed organizations participating in the study to reduce the time from threat identification to action from hours to minutes. The session will include a demonstration from a security analyst point of view, how they use collaboration tools (X-Force Exchange) to develop threat intelligence collections. The demonstration will show how Soltra can be configured to automatically ingest those threat intelligence collections into Soltra. The demonstration will also show how the SIEM (QRadar) should be configured to automatically ingest threat intelligence from Soltra and relevant security rules to leverage the threat intelligence.

Forensic readiness is a crucial aspect of incident response. Failure to apply forensic practices throughout the entire lifecycle of an incident can prevent a threat actor (both external and internal) from being held accountable. Forensic readiness can also be used to improve the quality of decision making, quality of threat intelligence, and lead to efficiencies in investigating an incident. Whilst many incident responders are aware of the principles of forensic readiness, some organisations struggle to effectively implement those principles. We will demonstrate a variety of novel techniques which we have found to improve the forensic readiness of our incident response capability. Whilst each technique does require some resource to establish, they tend to have minimal resource impact during an incident. We will also demonstrate some case studies where these techniques have been utilised to portray their effectiveness.

As Japan prepares for the Tokyo 2020 Games, we face challenges one after the other - from reconsidering the design of the new Olympic Stadium and the Olympic logo to short distance mass transport in a densely populated area, installing new public Wi-Fi, security cameras, drones, V2V (Vehicle-to-Vehicle) communication, IoT, other unpredictable new tech, etc etc...

Even before the Tokyo 2020 Games, Japan is hosting the 2019 Rugby World Cup, to be held in 12 cities. Also the 42th G7 summit is coming up on May 26-27, and will be held in Mie Prefecture of Japan. In preparation for the G7, many organizations are busy trying to raise situational awareness for cyberterrorism, and are conducting cyber exercises. The preparation for the Tokyo 2020 Games for the next few years is expected to be a continuation of this movement.

In 2015, we have been conducting further research focusing on public transportation and anti-cyberterrorism in preparation for the Tokyo 2020 Games. 28 out of 33 venues will be built around a 8km radius of the Olympic village, and there is expected to be 920,000 visitors plus about 8.5 million regular metro users per one day, all moving in a close vicinity. Bullet trains, buses, cars are another challenge. In Japan, airports are not considered critical infrastructure.

I will be talking about the current status of the preparations for the Tokyo 2020 Games, this time focusing on public transportation.

For the last 18 months, MLSec Project and Niddel collected threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. In this talk, we have gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us in the right track to close these gaps. We propose a new set of metrics on the same vein as TIQ-test to help you understand what does a "healthy" threat intelligence sharing community looks like, and how to improve the ones you may be a part of today! We will be conducting this analysis with usage data from some high-profile threat intelligence platforms and sharing communities.

Phishing is effective, but predictable. A drive-by (watering hole) campaign paired with a zero-day exploit also accomplishes the objective, but identifying and compromising the correct website(s) for specific victim redirection is tricky and time consuming. Contrast those attack vectors with web shells. Identifying a target’s vulnerable web server and implanting a web shell is relatively straight forward and perhaps unexpected. Most organizations maintain a web presence full of application layer software which presents a wide attack surface. Enter the web shell - a tool of convenience that is increasingly being parlayed into an effective and persistent adversary communication mechanism. Web shells are preferred by specific threat actor groups for their small size and ability to maintain unauthorized access. Using numerous web shell samples and natural language processed (NLP) data from the Web, this presentation focuses on malicious web shell attack trends, the current web shell taxonomy, and specific guidance for operational defenders on detecting web shell attacks.

Home routers are enter point to home network but still do not get appropriate attention. With often outdated software and wrong settings they are very vulnerable device which immediately affects all the devices connected to it. In just last year number of vulnerable home routers were detected which immediately put into risk hundreds of households. Since the router was usually provided by ISP it was rather difficult to determine who should be hold responsible for patches adn rather confusing for end users. That has put end users in the struggle between ISP and router vendor with long windows until the patch was delivered. CZ.NIC has decided to launch a research project of home router that would have build in firewall with weekly updates. 2000 fully open-source routers (SW and HW) were distributed in Czech household and households became integral part of the research. Greylists created upon the anomalies from the routers along with the recent lists of IPs hosting botnets, phishings and other malicious activities are send to routers regularly and monitored whether any home devices are connecting to them. This research projects already helped number of users to detect malicious files in their network without their previous knowledge. The main reason for delivering the presentation lies in crucial need for focus of security community on SOHO routers. With the rise of IoT SOHO routers will play crucial role in securing the home network. More information about our Turris research project are available here: https://www.turris.cz/en/. Greylists as a data source are available here: https://www.turris.cz/en/greylist

With the increase of cyber security incidents in recent years, there are a number of companies and organisations in Japan that launch a CSIRT. To assist those organisations in its better management and information sharing opportunities, Nippon CSIRT Association (NCA) has been established by JPCERT/CC and other internal CSIRTs, which now embraces 106 members (as of December 2015).

Since there are CSIRTs from diverse sectors existing in the Association, NCA is seeing a huge difference in tasks handled by each team. Consequently, the definition of “CSIRT activities” is now becoming unclear, and there are some “CSIRTs in name only”, which do not possess enough functions as a Computer Security Incident Response Team. In order to examine the current situation in CSIRT activities, JPCERT/CC, NCA and the University of Tokyo jointly conducted a survey based on SIM3 and other original questions.

This presentation will provide the observations gained through the survey on CSIRT activities and its maturity level, hoping to trigger further discussions at an international level.

Knock Knock … wake up, Neo.

Have you ever considered taking the Blue Pill? Being fully compliant, ignoring threats of real life, enjoying warm & fuzzy cyber banalities and just sitting back hoping for trust? Would that not just fix all of our IR problems?

Swisscom has been there. We felt good, until our new boss has forced us to try the Red Pill … and we realised how deep the rabbit-hole goes.

The Swisscom CSIRT has been redesigned from scratch in 2014, to diverge from a compliance-driven to a threat-driven approach. This has led to new ways of thinking, questioning established methods and introducing innovative ideas.

During this presentation we'll cover organisational as well as technical aspects. This includes pDNS, Red Teaming, Bug Bounty, ChatOps, Threat Intelligence and others. We will share our various experiences, illustrate possible pitfalls and reveal the vulnerabilities of Agent Smith.

Bringing run-time information into IDA is not a new concept, but has been a need for some time. Taking run-time behavior and coupling that with other IDA-based tools can give new insight into how a malware behaves and give a malware analyst more insight into where the "interesting" pieces of the malware may lie. This presentation will cover TACO, a recent IDA plugin that aims to incorporate metadata logged during Cuckoo Sandbox tasks in order to speed up the malware analyst's job of discovering key behaviors used by the malware.

Abstract Google, Yahoo, YouTube & Forbes are some of the big names that recently fell victim to Malvertising. Actually, in the past year, Malvertising became so common and effective that it has been functioning as the main source of traffic to Exploit Kits. In this presentation we will present our Malvertising research and follow the steps of cybercriminals in the world of the online advertising industry. We will show the unbearable lightness of setting up a malicious ad campaign and the endless possibilities that ad networks provide to cybercriminals to achieve the best ROI all the way to vulnerable victims.

Outline Recent forecasts predict that in 2016 for the first time, advertisers in the U.S. will have spent more money on online advertising than they have on television advertisements. This is good news for online ads networks and online advertisers, but with great power comes great responsibility- as online advertising increases, so does online malicious advertising or, in short, Malvertising.

The first part of the presentation will quickly cover the recent incidents of high-volume web sites, which unknowingly served malware through hosted ads. Then we will introduce the audience with the basics of online advertisements and all of its aspects: advertisers, publishers and ad-networks.

The second part of the presentation will explain what Malvertising is and why it is a preferred attack vector by cyber-criminals costs and coverage. We will list the different types of Malvertising and the techniques used by cyber-criminals to achieve the best ROI.

The third part will present our research of setting up a pseudo-malicious ad campaign with its amazing results and the different mitigations of ad networks to avoid Malvertising, as well as techniques used to bypass them.

Takeaways The attendees will be exposed to the cybercriminal's perspective of the benefits that online advertising industry offers to spread malware affectively. We will discuss the various possible methods to reduce the attack surface used by cybercriminals.

Cybersecurity issues have risen to the attention of many different political actors: regulators, diplomats, legislators, special interest groups. As a result, CSIRTs and their members are coming into increasingly frequent and consequential contact with policymakers and governmental institutions. While CSIRTs should remain non-partisan, as cybersecurity and cryptography become increasingly political, our teams and our community of practitioners will play an important role in informing policy discussions, by providing accurate technical guidance and encouraging decisions that help, not harm, our stakeholders.

In the years to come, issues of regulatory policy, privacy, law enforcement, and diplomacy will demand greater attention and input from CSIRTs of all stripes -governmental, commercial, academic, and NGO - not only because the wrong decisions could make it more difficult to do our jobs, but because we owe it to our leaders, our constituents and our partners to help make the right choices that will help the Internet become a safer place for all. This presentation will discuss experiences in dealing with the growing policy implications of CSIRT operations, survey recent research and publications covering political aspects of CSIRT and cybersecurity work, and share some first-hand lessons learned about navigating unfamiliar territory and contributing effectively in political spaces and contexts.

This part of the presentation will outline the changes in banking Trojan functionality for the Android platform over the past year.

Additionally, we will outline the reasons why in 2014 mobile Trojans were not a serious threat for the clients of European and American banks, but why 2016 will be the year of explosive growth associated with these kinds of threats.

We will speak about the economic indicators related to mobile Trojans, show their control systems, and describe the basic schemes used to commit fraud, which we forecast to be used extensively in the near future.

For professional e-crime researchers, it should be little surprise that we oftentimes observe overlaps in various criminal operations and criminal actions carried out by individuals.
When digging deeper into analysis of both malware and infrastructure of the criminal operations, we can sometimes even document and attribute different operations to individuals. The goal of this presentation is to draw a link between Neverquest, Shifu and Gotkit, i.e. malwares that have already caused significant losses to online banking primarily in Europe. In fact, the potential for even higher short term losses is easily predictable, as will be shown in our presentation..

Our investigation will furthermore uncover and illustrate the criminal infrastructure, the modus operandi and cooperation with other criminal gangs and freelancers. This is the soul of e-crime research.

What is the relationship between threat intelligence, incident response and risk management? Many treat them as separate disciplines with separate teams and separate deliverables, but is that the way it should be? We make the case that intelligence and response isn’t just tracking bad guys and putting out fires. Rather, these tactical functions play a critical role in informing strategic decisions to assess and manage risk to the organization's information assets. I'll discuss exactly what that role is and provide intel and IR analysts with practical recommendations on how to interface with and influence risk managers and decision makers in their organizations.

In this talk we will discuss our efforts to develop a methodology to assess the quality and potential operational value of a threat intelligence data feed being considered for adoption. During the past several years, we've witnessed security operations and commercial vendors move away from traditional detect and respond models toward an intelligence-oriented approach to network defense that emphasizes information sharing and the synthesis of many data sources in order to paint a multi-faceted, higher-level picture of threats. However, evaluating the usefulness of this approach (and the feeds themselves) has remained an open problem.

We will propose a series of practical metrics to assess data quality, the rationale behind their use, and then apply them to a number of data feeds, including those available in the public domain. Next, we will cover case studies where we look at the potential overlaps across different types of threat intelligence feeds, including bulk reputation data, selective IoCs for specific threats, and vulnerability information. This will be an initial step to evaluate the usefulness of threat intelligence feeds in characterizing the threat landscape. A reference implementation of tools will be released enabling evaluation of data feeds.

This work is being done in coordination with the efforts of a working group initiated at the 2015 Annual Technical Meeting for CSIRTs with National Responsibility (http://www.cert.org/natcsirt/).

Space is limited (no fee to attend) and pre-registration required at https://registration.first.org/registration/2016/t3-seoul.

There will be a 2 hour break for closing remarks and lunch.

Besides the significant progress in automating sharing of Cyber Threat Intelligence, e.g. using Threat Information Sharing Platforms (TISPs), much actionable or contextual Threat Intelligence still requires human analysts for its creation, validation or consumption.

Existing work has mostly focused on data formats, what data to share and on data quality. There is no good understanding yet of the value-proposition for end-users of a TISP. However without high quality user contributions TISPs won’t live up to their promise of collaborative defense against sophisticated attacks, e.g. because lower level observables alone do not carry enough context. In response we recently initiated the systematic study of the human elements of participating in a TISP. We approached this problem from one of the primary HCI and UX methods | personas. Using observational study and open-form interviews we constructed representative profiles of different classes of end-users, known as Personas. We have constructed personas for Level 1 analysts, Incident Responders and CTI analysts. We also recently added personas for CSIRT managers and CISOs.

Building on this prior work that focused on identifying user needs in this will talk present novel solutions that address the requirements identified using personas. For example our work shows that the personas differ significantly in the type of information they contribute and consume from a TISP. We show how to optimize TISP features and the data they provide for these different user groups to maximize their respective contributions and the value they receive. One technique is to turn “raw intelligence” into relevant and useful intelligence based on user type. We also designed UIs that make TISP use simple for novel users but offer advanced capabilities to power sharers.

Another insight from our personas research is that in order to maximize sharing, TISPs should not only maximize user’s corporate (i.e. their organization’s) motivations but also their personal motivations. For example, younger analysts are keenly interested in advancing their career, enhancing their skill level and building a professional network. To serve these needs we designed a system of badges users can earn based on their TISP activities. Badges attest to analyst’s skill level (e.g. ‘Malware Expert’), personal achievements (“Top TISP Contributor”), social validation (“Trusted User”) etc. Users can add badges to their TISP profile and use them as credentials for promotions and interviews. We are currently running a trial in a large SOC and will present the results in the talk. Our solution also addresses the privacy and confidentiality concerns that arise.

A remaining question for future research is how to establish a badging system in a cross-organizational and cross-TISP context and to develop mutually recognized criteria.

Based on the FIRST 2015 presentation “A Study on the Categorization of Webshell” (Lee, Lee, Jeong, & Park, 2015) we show an automated process to classify webshells and our evaluation results based on real world data obtained from a commercial application over the period of 26 months. Lee  et.  al  defined  webshell  as  a  “backdoor  program  which  is  used  for  web  hacking” and  proposed  a  schematic to classify webshells based on multiple indicators like language, function, fingerprint etc. We have  focused  specifically  on  the  aspect  of  function-­based  classification  and  developed  a  system  for  automatic classification. The  most  common  method  for  malware  classification  still  is  signatures.  Yet  due  to  polymorphism,  obfuscation and simple transformation of webshells, detection and classification rates are low. We aim at  multi-class classification  through  the  combination  of  two  machine-learning  stages.  In  stage  one  we  classify sample data into a malicious and a benign category using SVMs. Stage two further improves classification with 8 function categories based on an adapted k-NN algorithm. In  2015 we  successfully  employed  this  concept  across  multiple  enterprise  web  server  environments.  Resulting data shows that our webshell focused machine learning produces false positive rates below 0.1%.

During this talk we will present:

Do you deal with externally reported vulnerabilities in your organization's products and services Coordinate vulnerability reports on behalf of others? Not sure how or when to assign CVE IDs? Considering offering a bug bounty?

This tutorial is intended to help vendors, providers, and CSIRTs grow their capability to handle vulnerability reports from external researchers. Drawn from a longer course, material is based on the CERT/CC's decades of experience working with vendors, security researchers, CSIRTs, and other stakeholders towards coordinated vulnerability disclosure.

Topics include:

Coordinated vulnerability disclosure process overview, vulnerability lifecycle

Terms and definitions, process stakeholders

Receiving and triaging vulnerability reports from external researchers

Publishing advisories, deploying fixes and mitigations

Multiple vendors, services, libraries, and other supply chain complications

CVE, CWE, CVSS, CVRF. Oh, and CPE, SWID, SPDX?

Community norms and expectations, reputation, public relations

Dealing with researchers, bug bounties, legal concerns

Working with other coordinators and CSIRTs

Organizing and building a team, personnel, tools, and infrastructure

Commercial research, bug bounty, and coordination options

References to international standards on vulnerability disclosure (ISO/IEC 29147) and vulnerability handling (ISO/IEC 30111)

Hands-on Exercises!

This session is designed for vendors, providers, and CSIRTs who are looking to start or expand coordinated vulnerability disclosure capabilities. More experienced teams are welcome but may not benefit as much from the more introductory material.

In Incident Response, we frequently want to collect live information from systems in order to determine if they are part of an incident. Knowing information such as current open network connections and running processes helps determine which systems to focus forensic analysis on. This collection frequently requires getting console access to the system, either locally or remotely. We can also frequently obtain this information remotely using built-in remote management features of Windows that provide a cleaner and easier way to obtain even more information than was possible from the console. Using WMIC, PowerShell, and other remote management features that are already present on standard Windows workstations, we will show how to remotely triage systems and collect data useful to forensic analysis.

During FIRST 2015, Capt Sparks gave a presentation on how cyber warfare operators are trained to lead crisis response teams and consistently improve IR practices through a process called debriefing. Debriefing consists of reconstructing and evaluating an event to determine how to replicate success and avoid repeat mistakes. The debrief process encompasses a review of events, identification of problems, determination of root causes and development of lessons learned. Debriefing is not a strategy for protecting a network. It is a method that should be used to evaluate how well you are performing a function, job or mission and provides the tools for constant improvement. The most common feedback item from 2015 was that the attendees would like a hands-on demonstration of the techniques. Based on that feedback, Capt Sparks is offering a 3 hour hands-on session in 2016. The session will be a deep dive of leadership training with practical scenarios and real-world vignettes.

MISP is becoming a key open source package for indicator and threat sharing in the information security community. MISP improved its modularity in the recent versions and propose various ways to use and extend the platform. The workshop will introduce developers and contributors on how to tame the MISP platform and customize it for your needs.

The following practical examples will be described:

• Overview of the APIs and developer tools available. Practical examples of existing integration of MISP with reversing platforms like Viper Framework. Simple programming examples on how to use MISP for automatic expansion, import and export of indicators.

Workshop Slides: https://www.circl.lu/services/misp-training-materials/#first-2016-misp-workshop

Virtual machine to be used during the workshop: https://www.circl.lu/assets/files/misp-training/misp-training2.ova

https://github.com/MISP/MISP https://www.circl.lu/services/misp-malware-information-sharing-platform/

This session goes over the main types of attacks being used at present, why they are effective, what part of the system they affect and how to mitigate them successfully with a reasonable amount of resources.

In addition it covers some of the tools used by the underground and allow the participants to used them and observe live traffic from them.

This lab exercise explores the power of NLP in the Web across seven different languages and allows participants to successfully discover, profile, and prioritize adversaries based on TTP recognition.

Participants will create intelligence by walking through multiple information gathering exercises. This lab will cover proactive and reactive topics including terrorism, virtual currency, and criminal/hacktivist/nation state activities and corresponding TTPs.

The objective is to highlight the value of intelligence derived from programmatic NLP in the Web. For operational defenders, the value is in general and quick attribution of malicious events, for the wider business, the value is in reducing operational risk, and for law enforcement, the value is in proactively identifying useful leads for criminal prosecution.

Yara is a tool with many uses, including malware analysis, memory analysis, and packet capture analysis. This talk will focus on using Yara for malware analysis to an audience new and curious about the tool. The talk will cover Yara basics, example rule sets, discovering new variants of an APT malware family, and how to apply Yara files to enterprise network defense.

Its sole purpose is to take your money. Vawtrak, aka Neverquest, is considered to be one of the most dangerous pieces of financial stealing malware detected.

Among its sophisticated capabilities is the ability to bypass authentication by injecting itself into user initiated sessions to banking, finance, payroll services, and insurance sites. In addition, Vawtrak can surreptitiously modify data in encrypted web traffic, turn off antivirus applications and even intercept warning notices about fraudulent activity from online banking sites. Vawtrak's nefarious methods of stealing personal data have established it as a premier provider of Crimeware-as-a-Service in the underground banking fraud market.

For the incident responder, the deceptive techniques deployed by the malware makes it critical to acquire memory and network data during an investigation, when possible. As you are guided through the Vawtrak network, various forensic methodologies will be presented to detect indicators of compromise within memory samples and images that are associated with the banking trojan. Mitigation techniques targeting the attack vectors of the trojan will also be discussed.