Conference Program

For additional pre and post conference programming, please check the Additional Programming page. Separate registrations apply.

This is a working draft agenda. Agenda is subject to change. The program is also available for download in PDF format.

•  US

  ::1 The Official Home for IPv6 Attacks

  Josh Porter (McAfee, US), Marco Figueroa (Intel, US), Ronald Eddings (Intel, US)

  Ronald Eddings is a Cyber Fusion Analyst with a diverse background in Network Security, Threat Intelligence, and APT Hunting. Mr. Eddings has created a wide variety of security tools in efforts to automate the identification of malicious activity. Additionally, Mr. Eddings has leveraged user behavior analytics to identify and track anomalous network activity.

  Marco Figueroa is a senior security analyst at Intel whose technical expertise includes reverse engineering of malware, incident handling, hacker attacks, tools, techniques, and defenses. He has performed numerous security assessments and responded to computer attacks for clients in various market verticals. A speaker at Defcon, Hope and other Security and Hacker Conference.

  Josh Porter is a Software Engineer at McAfee with a specialty in building data-driven threat intelligence applications. He has a passion for Ruby on Rails and has built numerous tools and applications for analysis and consumption of threat intelligence and security data.

  Since the exhaustion of public IPv4 address space, the deployment of IPv6 is accelerating at a rapid pace. According to Internet Society, 70% of Verizon Wireless’ mobile network is comprised of IPv6 enabled devices. It is mandatory that organizations develop strategies to adopt IPv6 to create new public content on the Internet. Unfortunately, security is often overlooked when deploying new network technologies such as IPv6. IPv6 provides several options for node and service discovery without employing extensive port scans. Without proper protection, an attacker can trivially enumerate and potentially launch attacks on IPv6 networks.

  This talk presents insights into how an attacker may leverage IPv6 to enumerate and attack an IPv6 enabled network. Additionally, a new modular framework will be presented to identify if an IPv6 enabled network is susceptible to be enumerated and attacked.

  June 16, 2017 11:15-12:45

  1-The-Official-Home-for-IPv6-Attacks.pdf

  MD5: 7f38556cd7828f281060e202bdf11a4e

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 625.12 Kb

•  IL

  A Look into the Long Tale of Cyber Threats

  Eyal Paz (Check Point, IL), Gadi Naveh (Check Point, IL)

  Eyal is a technology leader and security researcher at Check Point. During the past six years, Eyal has been doing application and malware research developing new methods to track risks and anomalies on corporate enterprise networks. Eyal holds a B.Sc. in Software Engineering and currently working on his master’s degree in Computer Science.

  Gadi works closely with Check Point's Threat Intelligence and Research & Development teams to help customers understand the current threat environment and how they can prevent attacks. With more than 15 years of Information Security experience, Gadi has been involved with cybersecurity solutions ranging from endpoint to network architecture models.

  Use of the phrase “the long tail” theory in business as "the notion of looking at the tail itself as a new market" of consumers was first coined by Chris Anderson, editor-in-chief of Wired Magazine. We found that the Long Tail theory is relevant for threats coming from the internet. Every day there are hundreds of thousands of new domains registered, many of which are used for scamming and cyber attacks. Only a small portion of those will make it into one of the dozens threat intelligence community or commodity feeds. The feeds collectively still hold only a portion of the attacks seen and analyzed by security professionals on a daily basis. The feeds creators do not encounter most of the long tail of cyber threat indicators, since the campaigns are built from low-visibility domains which, by definition, are very uncommon. In our research, we monitored a large set of newly registered sites as soon they were registered, and kept monitoring them on a daily basis. The monitoring process checked for activity in the domain, such as: IP registration, HTML content, OSINT tracking, who resolved the domain and from which geo-locations.Then we analyzed our results and came up with surprising facts on the statistics of usage of newly registered domains. We also compared different top-level domains for the purpose used by these newly registered domains, in addition to the different statistics for each one. Our set aim was to validate the long tail theory for cyber threats, and paraphrasing the Long Tail claim: "We saw more threats today that weren’t seen at all yesterday, than the threats we saw today that were indeed seen yesterday." Following our claim a key question raises: how effective are indicator blacklist and should we keep using them? The question reminds a similar question: is the AV dead? We’ll present our views and thoughts based on our research.

  June 14, 2017 14:00-14:45

•  FR

  Active Directory : How To Change a Weak Point Into a Leverage for Security Monitoring

  Vincent Le TouxVincent Le Toux (VINCI, FR)

  Vincent Le Toux is the "incident prevention, detection, response manager" at the corporate level of Engie, a large energy company, managing SOC / CSIRT activities. On a personal side, he's the author of the DCSync attack included in Mimikatz and writes many papers in the French review MISC. He designed the PingCastle tool (https://www.pingcastle.com).

  There are a lot of scary presentations made by pentesters on security conferences. Some advices are communicated but they are technical ones and CISO, CERT, ...have difficulties to change the situation.  

  As the author of the DCSync attack (included in Mimikatz & powershell empire) and working at the corporate level of a multinational, I was facing problems nobody could answer. How much domains do we have ? Why auditors were able to list our accounts without any account on our domain ? Are we secure ? (especially with these new attacks)

  Asked to solve the "AD situation" I decided to create a methodology that I'm sharing here. The idea is not to focus on the technical side, but to get the management support (and budget) by being able to translate the technical situation into risks. And to make the infrastructure guys aware of their problems so they can solve it (with a lot of management pressure ;-)).  

  The presentation is in 4 parts: 

  • Context. Why this project had to be managed at the corporate level ?

  • General vulnerabilities of the Active Directory. How bad is the situation ?

  • Methodology presented. How to make the link between attacks and risks to get management support?

  • Trying to secure the AD. Are monitoring / hardening tools available on the market efficient ?

  • Conclusion

  Key findings: 

  • You have more AD than you think (multiply by 2 or 3)

  • You have trust with external companies with no protection!

  • You can act right now by discovering many problems even without an account on the domain to audit

  • You will show to the management contradictions between local management and corporate management.

  Reminder: ALL domain administrators in a forest can own the forest !

  June 12, 2017 12:00-12:45

  Active-Directory-How-To-Change-a-Weak-Point-Into-a-Leverage-for-Security-Monitoring.pdf

  MD5: 879eccfe79bc2c21531f01e550c845db

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 3.48 Mb

•  CH

  Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

  Tom Ueltschi (Swiss Post, CH)

  Tom Ueltschi has been working for Swiss Post CERT (SOC / CSIRT) for over 9 years. He has presented about Ponmocup botnet at SANS DFIR summit, DeepSec and BotConf twice. He is a proud member of many closed trust groups and communities. He is active on Twitter (@c_APT_ure) and has been blogging in the past (http://c-apt-ure.blogspot.com/)

  Enterprises and organizations of all sizes are struggling to prevent and detect all malware attacks and advanced adversary actions inside their networks in a timely manner. Prevention focused technology hasn’t been good enough to prevent breaches for years and detection has been lacking in many ways.

  This presentation will give an overview and detailed examples on how to use the free Sysinternals tool SYSMON to greatly improve host-based incident detection and enable threat hunting approaches. Splunk is just an example of a SIEM to centralize Sysmon log data and be able to search and correlate large amounts of data to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM.

  The main goal is to share an approach, a methodology how to greatly improve host-based detection by using Sysmon and Splunk to create alerts.

  One main topic throughout the presentation will be how to find suspicious or malicious behaviors, how to implement search queries and how to reduce or eliminate false-positives. Examples will cover different crimeware malware families as well as tools and TTPs used by Red Teams and advanced adversaries.

  For the latter, a commercial tool (Cobalt Strike) was used to test different privilege escalation and lateral movement techniques and develop queries for detection. Sysinternals Process Monitor and Sysmon tools were used to analyze behaviors on the endpoints involved.

  Any Blue Team member should be able to take away some ideas and approaches to improve detection and incident response readiness in their organization.

  June 13, 2017 14:00-14:45

  Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf

  MD5: dff598e89db5d4e80da624c8f43a9bc2

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 4.94 Mb

•  LU

  AIL Framework - Analysis Information Leak Framework

  Alexandre DulaunoyAlexandre Dulaunoy (CIRCL, LU), Steve Clement (CIRCL - Computer Incident Response Center Luxembourg, LU)

  Alexandre Dulaunoy works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. Alexandre encountered his first computer in the ’80s—and promptly disassembled it to learn how the thing worked. Previously, Alexandre manager of global information security at SES, a leading international satellite operator, and worked as senior security network consultant at Ubizen (now Cybertrust) and other companies. He also cofounded Conostix, a startup that specialized in information security management. Alexandre enjoys working on projects that blend “free information,” innovation, and direct social improvement. When not gardening binary streams, he likes facing the reality of ecosystems while gardening plants or doing photography. He enjoys it when humans use machines in unexpected ways.

  Steve Clement is a security researcher at CIRCL. He is also active in the hackerspace community at large and promoting cyber security worldwide.

  AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin, "darkweb" or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.

  CIRCL regularly discovers information leaks using AIL. The presentation will include an overview of the open source framework and its design and implementation.

  As the tool can be used by any CSIRT, the integration of the tool within CSIRTs will be explained along with the process of victim notification. The information gathered can be also used for incident response or cyber security exercise, an overview will be given to the audience.

  https://github.com/CIRCL/AIL-framework https://www.circl.lu/pub/tr-46/#reference-of-leaks

  June 12, 2017 16:30-17:00

  AIL-Framework-Analysis-Information-Leak-Framework.pdf

  MD5: 10d161a44f84874b1bdb64a3c318465f

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.57 Mb

•  JP

  APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon -

  Shusei Tomonaga (JPCERT/CC, JP)

  Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware analysis and technical findings on JPCERT/CC’s English Blog (http://blog.jpcert.or.jp/). Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented characteristics of major targeted attack operations in Japan at CODE BLUE 2015.

  Typical network intrusion in APT is followed by lateral movement. For effective incident response, investigation and detection of the lateral movement phase is critical. However, evidence of tool execution during the phase is not always acquired under default settings of Windows. JPCERT/CC, therefore, conducted a study on the necessary log configurations to acquire evidence of tool execution in the lateral movement phase and closely examined what has been logged. This presentation will explain some attack patterns and tools which are commonly used for APT. JPCERT/CC analyzed the incidents that they have handled, and discovered that there are common patterns in the use of methods and tools in the lateral movement phase. It will also introduce techniques to detect or investigate such incidents by using Audit Policy (a Windows function) and Sysmon (a tool provided by Microsoft).

  June 16, 2017 11:45-12:15

  APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf

  MD5: 991b3bd1fd32db8f9239916f20058f5b

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.68 Mb

•  ES

  Are West African Cybercriminals on Safari in your Network?

  David Sancho (Trend Micro, ES)

  David Sancho joined Trend Micro in 2002, having fulfilled a variety of technical security-related roles. Currently, his title is Senior Anti-Malware Researcher, and he specializes in web threats and other emerging technologies. In his more than 19 years of experience in the security field, David has written and published a number of research papers on malware tendencies, has been featured in the media, and has participated in customer events where he has presented on business issues and malware-related topics. His interests include web infection methods, vulnerability exploitation, and white-hat hacking in general.

  While cybersecurity professionals have focused mostly on protecting their organizations against the better-known Russian and Chinese criminal underground economies, West African cybercriminals have continued to hone their skillsets and arsenals to slowly but surely inch their way to form their own community. This session will reveal the results of a recent research study that traces the evolution of West African cybercriminals and how their current focus on advanced malware make them a threat to individuals – and organizations – in Europe and the US. Find out how these criminals are executing Business Email Compromise (BEC) attacks as well as newer variants to scam both large and small organizations.

  The presenter will review the West African threat landscape, the tools that these cybercriminals most often utilize when infiltrating critical business data, and what cybersecurity experts must know to mitigate this risk. The presentation will highlight effective methods of protecting organizations from these cybercriminals and share best practices citing case studies from the criminal's perspective. Don’t miss important warning signs that West African cybercriminals are on safari in your network.

  June 12, 2017 14:45-15:30

•  FI

  Best Practices for Building a Large Scale Sensor Network

  Juhani Eronen (NCSC-FI / FICORA, FI)

  Juhani "Jussi" Eronen is a chief specialist at the Finnish National Cyber Security Centre (NCSC-FI), situated within the Finnish Communications Regulatory Authority (FICORA). For over 15 years he has been intimately involved in research, discovery and coordination of security vulnerabilities and in incident response. Starting from his previous position at the Oulu University Secure Programming Group (OUSPG) he has been handling vulnerabilities with profound impact on the safety and security of the people and the critical infrastructure. After joining NCSC-FI in 2006 his responsibilities have expanded to the automation of the nationwide handling of security incidents and information assurance with objective to keep the Finland as the one of the safest nations in the world.

  Network security monitoring is an essential part of securing any modern systems. While commercial and open source monitoring solutions do exist for many deployment scenarios, they do not address the needs of very large organisations or nation states. This presentation walks through the challenges faced by the Finnish National Cyber Security Centre (NCSC-FI) while building the HAVARO network security monitoring system. Lessons learned, both for processes and in technology, during five years of incremental development are highlighted.

  HAVARO is the Finnish national monitoring system for critical infrastructure actors and governmental entities. HAVARO aims to detect serious incidents such as APT attacks using threat intelligence shared among partners. HAVARO has a modular and extendable architecture in order to be able to react to novel threats with new detection mechanisms. It uses a decentralised model where the constituents retain control and ownership of their data while minimising the privacy implications of the monitoring to the end users.

  HAVARO is complementary to the existing detection systems and services that protect against generic threats. The presentation concludes with a model of open monitoring system design that enables public and private entities to collaborate in defending the constituents. Central components of this model include a REST API and a simple data format to enable easy integration into monitoring systems.

  June 12, 2017 14:45-15:30

•  US

  Beyond Matching: Applying Data Science Techniques to IOC-based Detection

  Alex Pinto (Niddel, US)

  Alex Pinto is the Chief Data Scientist of Niddel and the lead of MLSec Project. He is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to automate threat hunting (I know) and the making threat intelligence "actionable" (I know, I know). If you care about certifications at all, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP.

  There is no doubt that indicators of compromise (IOCs) are here to stay. However, even the most mature incident response (IR) teams are currently mainly focused on matching known indicators to their captured traffic or logs. The real “eureka” moments of using threat intelligence mostly come out of analyst intuition. You know, the ones that are almost impossible to hire.

  In this session, we show you how you can apply descriptive statistics, graph theory, and non-linear scoring techniques on the relationships of known network IOCs to log data. Learn how to use those techniques to empower IR teams to encode analyst intuition into repeatable data techniques that can be used to simplify the triage stage and get actionable information with minimal human interaction.

  With these results, we can make IR teams more productive as soon as the initial triage stages, by providing them data products that provide a “sixth sense” on what events are the ones worth analyst time. They also make painfully evident which IOC feeds an organization consume that are being helpful to their detection process and which ones are not.

  This presentation will showcase open-source tools that will be able to demonstrate the concepts form the talk on freely available IOC feeds and enrichment sources, and that can be easily expandable to paid or private sources an organization might have access to.

  June 12, 2017 11:15-12:00

•  LU

  Blackhole Networks - an Underestimated Source for Information Leaks

  Alexandre DulaunoyAlexandre Dulaunoy (CIRCL, LU)

  Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing worked. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix specialized in information security management, and the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at the national Luxembourgian Computer Security Incident Response Team (CSIRT) in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg.

  Common approaches for measuring attacks are honeypots and blackhole networks. Honeypots on one side are resources designed to be attacked, are popular to measure attacks. On the other side there are blackhole networks, which are monitored announced unused IP-address-spaces, which are currently popular for measuring botnet activities as recently, the activities of the Mirai IoT botnet. Other observations on both can be backscatter traffic and misconfigured systems, as for example servers and routers, which often include default routes to the internet and have been forgotten to be removed or reconfigured. Different metrics are discussed in this work to assess misconfigured systems in raw packet captures.

  In this experimental research activity, a framework will be presented to measure these misconfigurations in near real time. A survey of information leak categories will be presented, pinpointing the protocols that need special care while being configured. The evaluation of the various detection techniques and heuristics will be presented with major focus on pcap processing tools.

  June 15, 2017 14:00-14:45

  Blackhole-Networks-an-Underestimated-Source-for-Information-Leaks.pdf

  MD5: 779e35eec08608342ca189cfb4140b37

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.23 Mb

•  US

  Building a High Performing Cyber Security Team on the Cheap

  Christopher Payne (Target, US)

  Chris is a Director of Cyber Security at Target. In his role, Chris has responsibility for Incident Response, Compliance Monitoring, Adversary Simulation, and Cyber Hunting across the Target enterprise. In addition, Chris founded the annual cyber security conference GrrCON. Chris is a former adjunct professor and has earned a Master’s degree in Information Assurance, a Bachelor’s degree in Network Security, a Bachelor’s degree in Computer networking, and is currently finishing his MBA in Strategic Management from Davenport University. Chris has also achieved a myriad of industry certifications. Chris is an international speaker on information security topics and has been featured by multiple television, radio, internet and print organizations.

  The demand for cyber security professionals has not kept pace with the sophistication and velocity of cyber criminal activity; and from all accounts the problem is going to get worse. The shortfall of cyber security skills is a major challenge to prevent, detect, and respond to these cyber attacks. To compound the problem, training programs and educational institutes fall further behind the demand every year, making our ability to find the right talent a difficult challenge that will likely continue for years to come. Creating a high performing cyber security team is an expensive and daunting task, but maybe it doesn’t have to be. In this presentation I will walk you through a 4 part professional development program that will help you pick, train, and retain the right people. Learn how to build a robust and sustainable cyber security talent pipeline without blowing your budget using the following framework. Framework:

  • Battle Roster Assessment
  • Map of skills by position
  • Internal training & challenge schedule
  • Individual Development Plan

  Battle Roster Assessment - The cyber security professional development plan consists of comprehensives lists of demonstrable skills required to successfully meet the standards of each position within Cyber Security. Team members are expected to work with their up line to document how they have demonstrated meeting each skill. Future work will include skills required for advancement into other teams. The quantitative assessment (Gauntlet) and a qualitative assessment (Capacity Index) of team member’s capacity to achieve expected development goals. The percentage of points awarded in each area of the gauntlet is recorded and plotted to provide tactical guidance as to which trainings would be most advantageous for the team member to complete in order to meet current standards as well as career growth goals.

  Map of skills by position- The Gauntlet is broken into 5 skill groups that have been identified as critical to the Cyber Security program. These skill groups include: Reverse Engineering, Host Analysis, Network Analysis, General InfoSec, and Incident Investigations. These skills are outlines as demonstrable, not ethereal concepts.

  Internal training & challenge schedule - A large number of internal training opportunities and technical challenges are developed and provided to the team member to go above and beyond assigned development activities each year.

  Individual Development Plans - Individual development plans are developer for each team member to either address deficiencies or reinforce strengths. These plans will assist team members to have access to the training they need to be successful.

  June 12, 2017 14:00-14:45

•  CA

  Building a Product Security Team – The Good, the Bad and the Ugly - Lessons from the Field

  Peter Morin (Grant Thornton, CA)

  Peter is a frequent speaker on the subject of critical infrastructure protection, risk management, penetration testing, malware analysis and forensics and has presented at numerous events held by the HTCIA, Black Hat, PMI, Computer Security Institute, Interop, SANS, and ISACA. Peter is a frequent guest lecturer at numerous colleges and university throughout North America and has also been featured in numerous newspapers and publications including SC Magazine. Peter is a Principal Cyber Engineer and Security Evangelist with Forcepoint, a Division of Raytheon where he is responsible for the overall security of their commercial and federal products. Peter is responsible for assisting in the architectural direction of Forcepoint’s products and also manages their Product Security Incident Response Team. Peter has over 20 years of in-depth information technology experience in the fields of enterprise computing and networking with an emphasis on IT security, application development, business continuity, incident response and forensics and has held senior management positions with Bell Canada (BCE), KPMG LLP and Ernst & Young LLP as well as worked with numerous tech start-up companies and various government and military agencies.

  Peter holds numerous security-related designations including the CISSP, CISA, CGEIT, CRISC, and GCFA

  Ensuring that the products and services we build and deliver are as threat resistant as possible is extremely important today. Meeting this challenge is not just about building secure applications since we all know that rapid development of software as well as the evolution of threats and vulnerabilities can see our applications as secure today but vulnerable tomorrow. That is why having an established product security team and response capability is extremely important.

  During this discussion, I will discuss, using real-world examples, including that of my own, how organizations can meet the demands of product security including:

  • Building a culture of security within your organization beyond firewalls and anti-virus
  • How to “sell” security to executive management and explaining what product security does and doesn’t do (i.e. staffing, budgets, etc.)
  • Building and deploying software using the "DevOps" approach
  • The difficulties of wearing multiple hats, with security being one of them
  • Embedding “security” in the software development life cycle (SDLC)
  • Establishing a proper security “response” program
  • Product vulnerability transparency and developing a disclosure policy
  • How to measure the success of your program
  • Establishing a bug bounty program

  June 12, 2017 14:45-15:30

  Building-a-Product-Security-Team_The-Good-the-Bad-and-the-Ugly-Lessons-from-the-Field.pdf

  MD5: 95ae85f2efe455d823091eb39aff3123

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.75 Mb

•  US

  Building a Threat Hunting Framework for the Enterprise

  Joseph Ten Eyck (Target Company, US)

  Joe Ten Eyck is currently a Lead Information Security Analyst in Target CSIRT, where he leads the efforts to build and improve their threat hunting project. Previous to joining Target he spent 15 years in the U.S Army, the first 10 years of which he spent as a physical security expert before transitioning into Information Technology. He currently holds the following certifications, OSCP, GPEN, GWAPT, GCIH, and CISSP.

  The raw truth is that our adversaries continually change, grow, and modify their TTPs and with each iteration we have to grow with them. This inherently puts defenders behind the curve in catching our adversaries, we can't catch what we don't know about. This necessitates a way to promote the ability to rapidly modify and adapt our abilities to interact with attackers. Engaging attackers is often an expensive proposition, not only monetarily but also in context to time and resources. With out the ability to quickly iterate, provide lessons learned, and implement detection we will likely remain in a place of being too far behind. The solution often revolves around building a method for looking at truly unknown IOCs. However if we can take our hunt processes and define a framework around those IOCS that enables rapid adaptions of the knowledge gained then we can quickly close the gaps as attackers pivot. This talk features a framework for leveraging a Maturity Model focused on building an advanced hunting infrastructure. First it uses existing open source materials that create data sets and utilizes past instances to strengthen hunting procedures while leaving room for analyst growth. Second it defines a process to follow in applying knowledge, real time intelligence, and situational awareness while remaining flexible enough to catch emerging threats. Third it provides metrics and guidelines on how to grow the process in order to scale as the organization changes.

  June 13, 2017 14:45-15:30

  Building-a-Threat-Hunting-Framework-for-the-Enterprise.pdf

  MD5: 21010020d2a12a11a04bb8c7da4acb13

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.35 Mb

•  CA

  Canaries in a Coal Mine…

  Peter Morin (Grant Thornton, CA)

  Peter is a frequent speaker on the subject of critical infrastructure protection, risk management, penetration testing, malware analysis and forensics and has presented at numerous events held by the HTCIA, Black Hat, PMI, Computer Security Institute, Interop, SANS, and ISACA. Peter is a frequent guest lecturer at numerous colleges and university throughout North America and has also been featured in numerous newspapers and publications including SC Magazine. Peter is a Principal Cyber Engineer and Security Evangelist with Forcepoint, a Division of Raytheon where he is responsible for the overall security of their commercial and federal products. Peter is responsible for assisting in the architectural direction of Forcepoint’s products and also manages their Product Security Incident Response Team. Peter has over 20 years of in-depth information technology experience in the fields of enterprise computing and networking with an emphasis on IT security, application development, business continuity, incident response and forensics and has held senior management positions with Bell Canada (BCE), KPMG LLP and Ernst & Young LLP as well as worked with numerous tech start-up companies and various government and military agencies. Peter holds numerous security-related designations including the CISSP, CISA, CGEIT, CRISC, and GCFA

  The same way canaries have been used to detect toxic gases in mines, the cyber-canaries are invaluable in detecting lateral movement on enterprise networks. With the constant barrage of breaches occurring today, organizations must focus on early detection beyond the walls of their network perimeter if they are to stave off attacks and further data loss.

  This presentation will discuss the following:

  • Provide information on the use of honeypots, specifically Canaries to detect lateral movement on networks following a breach.
  • Difference between traditional honeypots such as honeyd and canaries
  • Use-cases using OpenCanary with demonstrations and examples of attack scenarios including some well known breaches such as Target or Home Depot.

  June 15, 2017 11:15-12:00

  Canaries-in-a-Coal-Mine.pdf

  MD5: e82565aa8333fc3ab7a9e7b0dea5df32

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.26 Mb

•  US

  Change is the Only Constant: The Progression of Detection and Response at Google

  Fatima Rivera (Google, US)

  Fatima is a Senior Security Engineer at Google and has been a member of the Security Team for the past 5 years. She leads the effort to bring Google level monitoring to acquisitions and Alphabet companies.

  Prior to joining Google, Fatima completed dual Masters in Computer Science and Information Security at The Johns Hopkins University. When she’s not defending the castle, she’s most likely trying to bake the perfect loaf of bread or binge watching TV.

  Detecting and responding to network anomalies is something that is done differently at every company. This talk gives an end-to-end overview of Google's approach, which relies heavily on dynamic in-house infrastructure and analytics for intrusion detection. This talk focuses on how Google processes data for intrusion detection, how this data is used across the different teams and how we use internal pentesting to strengthen our security posture. It also discusses how Google’s approach compares to industry practices and trends, and discusses how we expect the art and science of detection to evolve in the future.

  June 13, 2017 11:15-12:00

•  MY

  Collaborative Information Sharing Model for Malware Threat Analysis

  Aswami Ariffin (CyberSecurity Malaysia, MY)

  DR. ASWAMI ARIFFIN is a digital forensic scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX. Currently, Aswami is a VP of CyberSecurity Responsive Services Division at CyberSecurity Malaysia.

  In a threat landscape that is evolving rapidly and unpredictably, we recognize that many organizations need to protect their entire ICT environment against both external and internal threats. Cyber criminals utilize various approaches to compromise their targets, such as sophisticated mixes of phishing, social engineering and malware to name a few.

  Critical National Information Infrastructure (CNII) is crucial to a nation because the disruption of systems and communication networks could significantly impact the nation's economic, political, strategic and socio-economic activities. Successful cyberattacks on CNII organizations can have serious and cascading effects on others, resulting in potentially catastrophic damage and disruption. For many organizations, CSIRT/CERT is responsible for responding to cyber security incidents in order to minimize the effects of cyberattacks.

  In view of this, CSIRT/CERT around the world should collaborate in responding to incidents in a timely and coherent manner. One possible approach is to have a collaborative initiative in malware research and a threat information sharing system. CyberSecurity Malaysia has introduced the Malware Mitigation Project as a joint effort among Asia Pacific CERT (APCERT) and Organization of Islamic Cooperation (OIC) member countries to mitigate malware threats.

  This paper presents a case study on collaborative malware research and a threat information sharing initiative amongst APCERT and OIC member countries. The case study presented in this paper highlights a malware threat analysis and findings from the Malware Mitigation Project led by CyberSecurity Malaysia.

  Such analysis provides early malware detection, whereby CNII organizations can take appropriate measures to react against malware threats. In addition, a trend landscape report is produced, which provides useful information for relevant stakeholders to protect their countries against the detrimental effects of malware intrusions and attacks.

  June 13, 2017 16:30-17:00

  Collaborative-Information-Sharing-Model-for-Malware-Threat-Analysis.pdf

  MD5: dd890ef237cb8c51d94372c2dd380714

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 4.87 Mb

•  US

  Communicating Risk: A Comparative Approach to Vulnerability Remediation

  Mark-David Mclaughlin (Cisco, US)

  Mark-David J. McLaughlin, (MD) is the team lead of the Product Security Incident Response Team’s core group. In his 9 years with PSIRT, he has investigated thousands of security issues in Cisco products and services. In his current role, MD ensures the consistent execution of PSIRT processes while helping define the processes Cisco will use in the future to investigate and disclose security vulnerabilities in their products and services. When he is not working on PSIRT issues, MD can be found working on his PhD dissertation or teaching security concepts to undergraduate and MBA students. His research focuses on how organizations ethically respond to security incidents and his work has been published in books, academic journals, and presented at various conferences worldwide.

  Often, security teams do not have responsibility to remediate the vulnerabilities they discover and they must rely on other stakeholders to remediate them. Information Security (InfoSec) teams, Computer Security Incident Response Teams (CSIRT) and Product Security Incident Response Teams (PSIRTS) all must convince these stakeholders to commit some of their resources to perform security related tasks. For example, during the final stage of testing and bug fixing for a new software release, engineering and release management teams tend to emphasize reducing the backlog of key bugs, which include:

  • Showstoppers
  • Teststoppers
  • Severity 1 bugs
  • Operationally-impacting bugs
  • Customer-found bugs
  • Highly vulnerable security bugs. Since key reliability bugs are far more frequently discovered than high impact security bugs, the tendency among our industry's engineering and release management teams (and, often, quality assurance teams) is to primarily focus on reliability, rather than security (except for the most critical security bugs). Inadequate fix prioritization of known security bugs that have not reached critical status is common among development teams in the software industry. ("Critical," here, is defined in terms of the likelihood of exploitability and resulting deleterious impact of the exploit). To ameliorate this situation, in May of 2015, Cisco PSIRT developed a Risk Index model to evaluate the visibility of each known vulnerability that has not yet been fixed. The calculations from this model are displayed on a risk dashboard and PSIRT started delivering regular risk reports to engineering Directors, VPs and SVPs regarding the status of outstanding security defects in their organization. These reports are sent to raise awareness about risk and enable business owners to take appropriate action to either mitigate or accept the risk based on valid business justifications. This initial Risk Index model includes, in addition to the CVSSv2 score, a linear combination of several other factors: Age of the bug, whether the bug has already been publicly disclosed, and the product type. The coefficients of all four of these independent variables in the model are based on executive opinion of business priorities, and have been empirically validated by comparing the outcome with the evaluation of vulnerabilities by senior incident responders. The risk communications initiative has worked well in practice and has resulted in a 50% reduction of unresolved product security defects across Cisco.

  While this session most directly helps vendor PSIRT teams communicate risk to product teams, other security teams such as InfoSec or CSIRT teams can use the information build similar metrics to help prioritize unpremeditated security vulnerabilities in IT assets, cloud services and/or architectures. After explaining the problem we were trying to solve, we start the meat of the session with an explanation of our risk index formula, how it is calculated, and the data modeling efforts that have gone into place to validate and extend the formula. As stated, the risk index parameters (severity, age, public knowledge, potential impact) are generic enough that they can be measured by several different factors which are relevant to the audience’s specific organization. We then talk about how we calculate the aggregate risk across the company in order to compare of diverse business units (i.e. does a product with 300 low severity bugs have a lower security posture than one with 3 high severity vulnerabilities). This presentation concludes with a discussion of how the risk communication has been perceived by engineering teams, the impact it has had at Cisco, and how Cisco’s recent adoption (Jan 2017) of Common Vulnerability Scoring System, version 3 (CVSSv3) has impacted the risk communications.

  June 13, 2017 11:15-11:45

•  DE

  Countering Innovative Sandbox Evasion Techniques Used by Malware

  Carsten Willems (VMRay, DE), Frederic Besler (VMRay, DE)

  Frederic Besler received his MSc in computer science / IT-security at the Ruhr-University of Bochum. Since the formation of VMRay in 2013 he is actively researching sandbox evasion techniques found in-the-wild, novel detection methods, and remedies to prevent detection. His personal interests lie in reverse engineering, vulnerability research, and symbolic execution.

  Carsten Willems is the original developer of CWSandbox, a commercial malware analysis suite that was later renamed to GFI Sandbox, and now Threat Analyzer by ThreatTrack Security. He is a pioneer in creating commercial software for dynamic malware analysis, and is one of the experts in this field worldwide. He achieved his Ph.D. in computer science / IT-security at the Ruhr-University of Bochum in 2013 and has more than 15 years of experience in malware research and software design. He already founded several companies, assisted many companies in IT-security related operations and regularly gives presentations at academic and industry conferences.

  Automated behavior-based malware analysis is the core function of security solutions defined as “network sandboxing”. It came to the fore for analyzing and detecting advanced threats over a decade ago. Back then, malware authors had already found ways to evade tools like traditional antivirus, which rely on static analysis, by using techniques such as polymorphism, metamorphism, encryption, obfuscation and anti-reversing protection. Malware analysis sandboxes are now considered the last line of defense against advanced threats.

  It is important to note, however, that the success of behavior-based malware detection hinges on the behavior exhibited by the file during analysis. If, for some reason, no malicious operations are performed by the file during the analysis, the sandbox concludes that the file under examination is benign. Malware authors are always looking for new, innovative ways to evade sandbox detection by concealing the real behavior of malicious files during analysis.

  In order to cope with the omnipresent threat posed by malware, we must upgrade our defensive tools to succeed in the ongoing cat-and-mouse game of evasion and detection. We therefore must understand what evasion techniques are successfully employed in the wild.

  This presentation provides an overview of the state-of-the-art evasion approaches used by malware. We divide these approaches into three categories and explore the various evasion techniques associated with each of these:

  1. Evasion by detecting the presence of a sandbox: The first approach uses several techniques to detect the existence of a sandbox. Once a malicious file determines that it is being executed in a sandbox, it alters its behavior in an effort to avoid being detected.

  2. Evasion by exploiting weaknesses in the underlying sandbox technology: The second approach directly exploits weaknesses in the underlying sandbox technology or in the surrounding ecosystem.

  3. Evasion using time, event or environment based triggers: The third approach exploits the natural shortcomings arising from the fact that sandboxes are automated systems. In an effort to deal with the sheer volume of malware, sandboxes usually only spend a few minutes analyzing each file. By delaying the execution of a malicious payload by a certain amount of time, only becoming active on certain triggers, etc., malware can remain undetected.

  June 13, 2017 17:00-17:30

  Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf

  MD5: 876782717de473bafad0f84dc5d33e41

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.09 Mb

•  AE

  CSIRT Under Attack

  Riccardo Tani (Si Cyber Consult, AE)

  Riccardo is currently Head of SI-Consult DFIR Middle East Practice. As a seasoned and passionate Cyber Security Expert, he possesses over 15 years of combined experience in Cyber-Physical Security Operations with focus on Digital Forensics, Incident Response, Security Monitoring and OSINT.

  Riccardo’s prior experience includes leading the McAfee Global SOC in Ireland and USA, CSIRT Manager servicing the Italian National Social Security Institute, and Digital Forensics Expert Witness for Various Law Enforcement Agencies and Courts in Italy.

  After weeks working on a complex Investigation, an apparently ordinary IT problem will suddenly shake the Incident Response Team with one of its members directly targeted by a Criminal Organization. A real Cyber Attack narrated from the eyes of the Incident Handler to show the CSIRT reaction in case of an out-of-the-playbook Incident.

  June 12, 2017 11:15-12:00

•  US

  Cyber Terrorist Activity: The New Way to Cause Chaos

  Kyle Wilhoit (DomainTools, US)

  Kyle Wilhoit is a Sr. Security Researcher at DomainTools. Kyle focuses on research DNS- related exploits, investigate current cyber threats, and exploration of attack origins and threat actors. More importantly, he causes pain to cyber criminals and state sponsored entities worldwide. Prior to joining DomainTools, he worked at Trend Micro as a Sr. Threat Researcher with a focus on original threat, malware, vulnerability discovery/analysis and criminal activity on the Internet.

  Previous to his work at Trend Micro, and he was at Fireeye hunting badness and puttin' the bruising on cyber criminals and state sponsored entities as a Threat Intel guy. Kyle is also involved with several open source projects and actively enjoys reverse engineering things that shouldn't be.

  Kyle has spoken on 4 continents at professional conferences such as, Blackhat US, Blackhat EU, FIRST, and Hack in the Box. He has been featured as an industry expert on several news outlets including ABC, CNN, CBS News, NBC News, BBC, The Guardian, and many additional outlets.

  Terrorists have found novel ways to circumvent typical security controls. Examples of these activities come in many forms and can be found everywhere—from using vulnerabilities in software, websites, and web applications as attack vectors, defacing websites to further their political or idealogical viewpoints, all the way to utilizing social networks to convey their messages. No matter what technology or service rolls out in the future, there will always be room for abuse. Terrorist organizations, while taking plays from organized cybercrime or state sponsored entities, are completely different then their counterparts in their methods, ideologies, and motivational factors.

  Looking closer at terrorist ecosystems, we attempt to understand terrorist organization's abuse of technology and online platforms to benefit their cause. We will focus on their methodologies, their use of the "darkweb", the services they abuse, and the tools they’ve homebrewed to streamline said abuse so that their followers can facilitate their activities much more easily. We will also track financials on the "deep web" attempting to locate financial records of these organizations while also attempting to understand how these organizations are leveraging the "deep web." We will dive deeply into each of the technologies and how they are used, showing live demos of the tools in use. 

  June 12, 2017 14:00-14:45

•  US

  Deep Learning for Incident Response: Predicting and Visualizing Cyber Attacks Using Open Data, Social Media and GIS

  Anne Connell (CERT, US)

  Anne Connell received her MS from the Carnegie Mellon University School of Computer Science and is a cybersecurity engineer and researcher at the Software Engineering Institute. She has made a significant impact in certifying the already remarkable reputation the SEI and CERT enjoy among the federal law enforcement community. Anne’s focus is to build methodologies, design applications, define workflows and frameworks that are suited to the needs of SEI sponsors.

  The wealth of information provided by the continuous streams of data has paved the way for life-changing technological advancements, improving the quality of life of people in many ways, from facilitating knowledge exchange to monitoring of all aspects of behavior and health. Moreover, the analysis of anonymized and aggregated large-scale human behavioral data offers new possibilities to understand global patterns of human behavior and help decision-makers tackle problems of society. There have been some incredible applications of Deep Learning with respect to image recognition and machine translation, but in this presentation, we propose the societal benefit of public safety derived from Deep Learning applications with a focus on cyber attack prevention. First, we introduce the developing new research area of Deep Learning for Incident Response and in particular, how it can be used to fight cyber attacks in Chicago, Illinois. The great advantage about Chicago is that it is an open data city, which means anyone can access city data ranging from transportation information to building maintenance records, and many other publicly available city-specific datasets to employ. Next, we detail a case study of tackling the problem of cyber incident hot-spot predicting, i.e. the projection of which agencies, organizations, or services in a city are more or less likely to witness cyber incidents based on past data. In the proposed approach we use historical cyber incident data from Chicago and joined this data with other external data, such as weather and socioeconomic factors, along with human mobility characteristics as derived from anonymized and aggregated mobile network infrastructure, in combination with basic demographic information. Then, we reveal our application, “Pronto”, which provides a visualization of the many data feeds to filter and map the activity and allow the patterns to emerge. The hypothesis that historic crime data (filtering for cyber incidents), socioeconomic factors, aggregated human behavioral data captured from the mobile network infrastructure, in combination with basic demographic information, can be used to predict cyber incidents is supported in our findings. Our model builds on and is evaluated against real cyber incident data from Chicago, and obtains an accuracy of almost 74% when predicting whether an area in the city will be a cyber event hotspot in the following month.

  I. Introduction The transition of data from being a scarce resource to a massive and real-time processed stream is rapidly changing the world we live in, challenging and often subverting long lasting standards in a broad rage of domains. In the areas of finance, economics, politics, journalism, medicine, biology, healthcare, research, etc., have all been affected by deep learning. The almost universal adoption of the mobile phone and the exponential growth of internet services has led to the existence of unprecedented amounts of data about human behavior. In this context, it is important to distinguish between two use cases when it comes to deep learning: the first is personal data applications, where data of (anonymized) individuals are analyzed at the individual level to build computational models of each person to provide personalized services or adapt to the interaction. In this use case, privacy, transparency, and accountability are key elements that need to be taken into account; the second is aggregate data applications, where aggregated and anonymized data of individuals are analyzed collectively to be able to make inferences about large-scale human behavior. In our scenario, as long as the level of aggregation is sufficiently large, no data can be traced back to any individual and hence there are minimal privacy concerns. The effort presented in this paper falls into the context of aggregated data within the developing research of Deep Learning for Incident Response to positively affect policy and society.

  Although still in its developing stage, the area of Deep Learning for Incident Response has gone through a rapid phase of maturation in a short period of time, driven by key research studies on mapping the propagation of diseases such as the Zika virus , monitoring socio-economic deprivation , predicting human emergency behavior, detecting the impact of natural disasters such as floods, and also driven by organizations such as the United Nations Global Pulse, Data-Pop Alliance, and Flowminder.org. A recent report from the United Nations Global Pulse discussed the challenges and opportunities of using Deep Learning for societal challenges and proposed a three-tier taxonomy of uses: “real-time awareness”, “early warning”, and “real-time feedback” . A subsequent paper on the specific case of Big Data for conflict prevention distinguished its ‘descriptive’ (i.e. maps), ‘predictive’ (i.e. forecasting), and ‘prescriptive’ (i.e. causal inference) functions .

  June 16, 2017 11:15-11:45

•  US

  Defensive Evasion: How APT Adversaries Bypass Security Controls

  Aaron Shelmire (SecureWorks, US)

  Aaron Shelmire began his professional security career when he was pulled into responding to the Stakkato incident. Since then he slapped together some open source IDS stuff, attended graduate school for information security at Carnegie Mellon University, worked at CERT/CC, then SecureWorks, then some startups, and now SecureWorks, again. He is driven by the challenge of computer-to-computer combat, and revels in evicting adversaries.

  Counter Threat Unit researcher Phil Burdette showcases the top 5 ways targeted threat actors dodge, dip, duck, dive, and dodge traditional security controls. Participants are exposed to real world examples from incident response engagements where adversaries explicitly try to avoid and hide from network defenders during actions on objective. They do this by “living off the land” using native Windows tools like PowerShell and WMI to move laterally and launch in memory only implants. Threat actors will also operate in blind spots by deploying virtual machines that lack security controls or collection instrumentation. To cover their tracks, adversaries will delete forensic artifacts from the registry and clear web or event logs from the system. Would you detect these defensive evasion and forensic countermeasure tactics in your environment?

  June 13, 2017 14:45-15:30

  Defensive-Evasion-How-APT-Adversaries-Bypass-Security-Controls.pdf

  MD5: d2f13bb8f900bf40b859bf4fbb2ca332

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.08 Mb

•  US

  Digital Supply Chain: The Exposed Flank In 2017

  Martin McKeay (Akamai, US)

  Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. Martin is a senior editor of Akamai’s State of the Internet Security Report, Akamai’s quarterly report on DDoS and other threats. Three years ago Martin moved his family to the UK in order to help Akamai reach the European audience.

  With over fifteen years of experience in the security space and five years of direct Payment Card Industry work, Martin has provided expertise to hundreds of companies. He has spoken at events in the US, Europe, Asia and Australia, including RSA, Black Hat, Defcon and FIRST. He is a member of Europol’s European Cybercrime Center Internet Advisory Committee.

  This talk will speak to the issues pertaining to supply chain security as is relates to global organizations and the highly interconnected nature of suppliers and corporations. The presenter will pull from personal war stories of incidents that he lived through to help illustrate the need to not just worry about the main corporate security perimeter, but to address the extended perimeter and the exposures and risks that arise from the supply chain. Aspects of an exposed supply chain include trading partner networks, code developed by offshore development centers, and outsourced help desks and the assorted pirates that prowl the digital expanse.

  June 12, 2017 16:30-17:00

  Digital-Supply-Chain-The-Exposed-Flank-In-2017.pdf

  MD5: 1fae53092715787180ffbcff3695d7af

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 3.84 Mb

•  DE

  Dismantling the Avalanche Botnet

  Kaspar Clos (CERT-Bund / BSI, DE)

  Thomas Hungenberg studied Applied Computer Science and Communications Technology at the Bonn-Rhein-Sieg University of Applied Sciences in Germany and graduated in 2001 as Diplom-Informatiker (FH). Thomas work as an IT Security and Malware Analyst for Germany's national CSIRT CERT-Bund.

  Kaspar Clos studied computer science at TU Darmstadt. After his diploma thesis on verifiable internet voting at TUD he started to work as a network engineer. Kaspar now works for CERT-Bund's covering a broad array of topics. Tasks include CERT-Bund's international engagement as well as the improvement of IH and information sharing processes.

  Right on the spot for FIRST 2017's submission deadline, after more than four years of investigation, a long planned and truly international cooperation effort initiated by German prosecutors, supported by numerous LE agencies, and many, many global partners from the public and private sector, dismantled the ‘Avalanche’ botnet.

  We will talk about the challenges of a cross-jurisdictional botnet takedown and present how CERT-Bund and BSI supported the operation. In this context we will specifically cover the analysis effort, Avalanche's internals, as well as establishing processes and the 'machinery' behind that helped us to

  • seize, sinkhole or block 800 000 fast flux domains and
  • report sinkhole data to national + international network operators/providers

  We will further explain how abuse automation systems maintain a crucial role in order to facilitate botnet takedowns and specifically cover the current status of our IntelMQ setup.

  June 13, 2017 14:00-14:45

•  FI

  Disrupting IoT Worms in Finland (2016 Edition)

  Markus Lintula (NCSC-FI / FICORA, FI)

  Markus Lintula has worked for the past four years as a duty officer and a malware analyst at the National Cyber Security Center of Finland.

  This talk presents an inside look of a national CERT team during a widespread IoT worm outbreak leveraging a zero-day vulnerability in DSL modems. On 25th of November 2016 the Mirai botnet started exploiting a zero-day vulnerability in TR-064 implementation on certain CPE-devices. The infection levels of Mirai in Finland went from hundreds to tens of thousands in a matter of days.

  June 13, 2017 14:45-15:30

  Disrupting-IoT-Worms-in-Finland-2016-Edition.pdf

  MD5: 372c68fcab2e88b8ba4c9c2d862ba6ec

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.73 Mb

•  US

  DNS is NOT Boring! Using DNS to Expose and Thwart Attacks

  Rod Rasmussen (Infoblox, US)

  Rod Rasmussen, joined Infoblox in 2016 as Infoblox’s VP of Cybersecurity as part of the acquisition of the cybersecurity company IID. Rod co-founded IID and served for over 10 years as its President & CTO. He is widely recognized as an expert on the abuse of the domain name system by criminals and other malicious actors. Rasmussen is co-chair of the Anti-Phishing Working Group’s (APWG) Internet Policy Committee, and is a member of ICANN's Security and Stability Advisory Committee. Rasmussen is a member of the Online Trust Alliance’s Steering Committee. He is a Steering Committee member, and has served multiple times as a workgroup co-chair on FCC's Communications Security, Reliability and Interoperability Council (CSRIC). Rasmussen is also a member of M3AAWG, DNS-OARC, and serves as IID's FIRST representative. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor's degrees, in Economics and Computer Science, from the University of Rochester.

  While almost every major organization in the world is being continuously attacked over the Internet from a wide variety of actors, tools, and methods, the vast majority of them are sitting on a gold mine of data that could expose and thwart those attacks and don’t even know it. That data is in the very mundane task of resolving names to network addresses otherwise known as Domain Name Service (DNS).

  This session will explore how to dig data out of your organization’s DNS queries and responses, find activities like data exfiltration using DNS tunnels, malware activities, and other attacks leveraging the DNS, and provide some thoughts on how to use the organization’s DNS infrastructure itself to protect from these threats.

  June 15, 2017 11:15-12:45

  DNS-is-NOT-Boring-Using-DNS-to-Expose-and-Thwart-Attacks.pdf

  MD5: 1913e8825968dfd07b7e3e70acd26e47

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 6.15 Mb

•  GB NO

  Embodied Vulnerabilities: Compromising Medical Implants

  Éireann LeverettÉireann Leverett (Concinnity Risks, GB), Marie Moe (SINTEF, NO)

  Marie Moe cares about public safety and securing systems that may impact human lives, this is why she has joined the grassroots organisation “I Am The Cavalry". Marie is a research scientist at the independent research organisation SINTEF, an associate professor at the Norwegian University of Science and Technology (NTNU), and has a PhD in information security. Marie has experience as a team leader at NorCERT, the national and government CERT team of Norway, where she protected critical infrastructure against cyber attacks. She is currently doing research on the security of her own personal critical infrastructure, an implanted pacemaker that is generating every single beat of her heart. Marie loves to break crypto protocols, but gets angry when the weak crypto is in her own body.

  Éireann Leverett once found 10,000 vulnerable industrial systems on the internet. He then worked with Computer Emergency Response Teams around the world for cyber risk reduction. He likes teaching the basics, and learning the obscure. He continues to be fascinated by computer science, cryptography, networks, information theory, economics, and magic history. He studies zero knowledge proofs, firmware and malware reverse engineering, and complicated network effects such as Braess' and Jevon's Paradoxes. He has worked in quality assurance on software that runs the electric grid, penetration testing, and academia. He likes long binwalks by the hexdumps with his friends.

  This talk will be about medical device security and privacy, in particular for connected medical devices like implanted cardiac devices with remote monitoring functionality.

  Gradually we are all becoming more and more dependent on machines. We will be able to live longer with an increased quality of life due to medical devices and sensors integrated into our bodies. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device may cause patient harm and have fatal consequences.

  Medical errors are estimated to be the third leading cause of death in the US, according to a recent study published by BMJ (http://www.bmj.com/content/353/bmj.i2139). Medical errors are often associated with human errors, but patient safety is also threatened by security failures of medical devices. Loss of availability or integrity of patient data may indirectly cause patient harm, due to wrong diagnosis or treatment decisions based on incorrect data. However, there are no good statistics on the number of deaths caused by medical device security failures. Medical devices are collecting personal data on a big scale without any transparency on how the data is collected and how the information security and privacy of patient information is ensured by the medical device manufacturers. Additionally, patients are in many cases deprived from access to their own data generated by sensors and devices implanted in their body. The medical devices appear as “black boxes” with little information about their data collection capabilities and implementation of security and privacy features.

  Marie's life depends on the functioning of a medical device, a pacemaker that generates each and every beat of her heart. This talk is about Marie's personal experience with being the host of a vulnerable medical implant, and why she decided to start a hacking project together with Éireann Leverett, investigating the security of her own personal critical infrastructure. Marie and Éireann will give a status update on their work in progress, including the lessons (not) learned, and comment on the recent advances seen in the field of medical device security, also with regards to ethical and legal aspects.

  June 15, 2017 14:45-15:30

•  DE

  Experiences and Lessons Learned from a Siemens-Wide Security Patch Management Service for Products

  Manuel Ifland (Siemens AG, DE)

  Manuel Ifland has been with Siemens since 2008. As an IT Security Consultant Manuel conducted various cyber security assessments and penetration tests for Siemens products and solutions. Manuel used to train IT security experts in awareness workshops and moderated numerous threat and risk analyses. Today, Manuel is a Senior IT Security Consultant in the Siemens ProductCERT. He is responsible for a Siemens-wide service to support product teams in timely patching of security vulnerabilities in third-party components used in Siemens products and solutions. Manuel is doing research in the field of third-party component security and works closely together with product development teams.

  In software development, using third-party open-source as well as proprietary software components has become the de-facto standard. These pre-made building blocks enable faster time to market and lower development costs by providing out-of-the box functionality, allowing developers to focus on product-specific customizations and features. However, decision makers and developers must be aware that they possibly inherit the security issues of components they incorporate and that they have to care. Based on experiences from a Siemens-wide self-operated, self-developed security patch management service for products in the critical infrastructure space, the presentation will discuss lessons learned and give insights into pitfalls and how to tackle them.

  June 13, 2017 12:15-12:45

  Experiences-and-Lessons-Learned-from-a-Siemens-Wide-Security-Patch-Management-Service-for-Products.pdf

  MD5: 0d9227e521114a6b0c9ad161ed0b1808

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.99 Mb

•  DE

  Experiences in Threat Data Processing and Analysis Using Open Source Software

  Morton Swimmer (Trend Micro, Inc, DE)

  Bio for Morton Swimmer

  Morton was born in New York City and was raised and educated in New York, USA, Brighton, UK and Hamburg, Germany. I received my Master's and Doctor's degree from the University of Hamburg, Germany. In 1996, Morton joined IBM Research's Massively Distributed Systems Research department to work on the IBM Digital Immune System and IBM Antivirus. Previously he had been involved with antivirus research at the Virus Test Center, University of Hamburg under Prof. Dr. Brunnstein from it's beginnings in 1988 and was a co-founder of S&S International Deutschland GmbH, an antivirus and data recovery company now owned by Intel, Inc. After taking a professorship at CUNY's John Jay College of Criminal Justice, teaching computer forensics, he is now working for Trend Micro, GmbH, in Germany.

  His Master's thesis was on dynamic virus analysis system, called VIDES, that became a major component of the Digital Immune System and is the first known Malware sandbox system. His PhD thesis was on Malware Intrusion Detection, where the fields of malware detection and intrusion detection were merged and a new model of Malware and attack defence was introduced as the advanced autonomic defense architecture. Recent research at Trend Micro revolves around processing massive amounts of data to extract threat intelligence.

  Bio for Vincenzo Ciancaglini

  Dr. Vincenzo Ciancaglini got a M.Sc. in Telecommunications Engineering from the Politecnico of Turin and a M.Sc. in Electrical Engineering, Wireless Systems, from the Royal Institute of Technology in Stockholm, Sweden.

  For some years he has worked as a developer in a travel IT company in Sophia Antipolis, France, a period during which he also took part in the foundation of a research and innovation lab within his company, where he was responsible for analysing new upcoming technologies and their potential business developments.

  In the period 2009-2013 he obtained his Ph.D. from the National Research Institute in Automation and Computer Science (INRIA) in Sophia Antipolis, with a thesis about peer-to-peer networks interoperability and next-generation internet protocols.

  Since 2012 he works in Trend Micro as a research scientist within the Forward-Looking Threat Research team (FTR), a team distributed all over the world, responsible for performing technological scouting and investigation on cyber-criminal activities, and their potential development in the coming years.

  His duties in the team go from the development of new data analytics prototypes to identify targeted attacks to the research on new encrypted networks (Darkweb), ad also research on the Internet of Things (IoT).

  With the abundance of data feeds from threat research as well as Internet infrastructure telemetry, the threat researcher potentially can understand the context of incidents and attacks much better than ever before. The downside though is that both the hardware requirements for processing such large datasets as well as finding an architecture that supports the researcher's objectives becomes much more challenging. Adding to this problem is the complexity of dealing with diverse types and quality of data so that useful results can be had.

  In this presentation, we show how we, the FTR Team in Trend Micro, Inc., processes our data effectively. The most important requirement was that we needed a single platform that was good enough for most datasets, under the added constraint of having to support diverse use cases, from day-to-day actor attribution to one-off extended researches. While there exists proprietary platforms for threat data analysis, we chose to use a stack based on Elasticsearch, itself based on the open source Lucene engine, and this has proven very effective.

  Early on, we used traditional databases, but found that they are fairly rigid in structure and require refactoring if new, unanticipated queries pop up or the data structure of the feeds drifts over time. They also don't always scale well without expensive hardware. We also experimented with various NoSQL databases, which are very promising but often lacked the upper layers of the stack that we'll get back to later in the presentation. Graph databases are very tempting as they are often an excellent fit for our data, and essentially provide total indexing, but they don't scale out as advertised and have hefty preprocessing requirements. Some data, for instance, time-series data, does not fit well to the graph model.

  The most important principle that guided us was the principle of 'no surprises' and 'good usability' in data labeling, i.e. the field names need to have some consistency and the values need to be always consistent in representation when there exists multiple ways of expressing a value, such as is the case with IP addresses. This guarantees that the experience a researcher gained while working on a given index remains useful when working with other datasets. We define a pipeline that comprises of data acquisition using appropriate scripts and preprocessing in Streamsets, which allows us to define the data mutations needed to homogenize the data and track data drift. The data terminates with Elasticsearch at which point a postprocessing step enriches the data, by, for example, adding geo information to IP addresses.

  The beauty of using Elasticsearch as a platform is the community that has sprung up around it and has already provided multiple user interfaces, from Elasticsearch's own Kibana, through Jupyter Notebooks and native scripting. As the use of Elasticsearch grows, we are able to include other Elasticsearch clusters without our organization in our search giving our researchers more reach from the same user interface.

  It is important to realise that this is not a solution that will ever be ideal, but it represents a way of handling most datasets we throw at it adequately well. We have been able to use if for a number of papers released in 2016. We've found this setup to be at the very least, a good start to an analysis, and at best fully adequate to all the researcher's needs.

  June 16, 2017 12:15-12:45

  Experiences-in-Threat-Data-Processing-and-Analysis-Using-Open-Source-Software.pdf

  MD5: 1893d43ea26328254d83a0fcddd8916d

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 5.22 Mb

•  CH

  Finding An Intruder in a 10TB Haystack: The Benefits of Similarity Searching

  Thomas Dullien (Google, CH)

  Thomas Dullien (aka Halvar Flake) started work in reverse engineering and digital rights management in the mid-’90s and began to apply reverse engineering to vulnerability research shortly thereafter. He pioneered early Windows heap exploitation, patch diffing/bindiffing, and various other reverse engineering techniques. In 2004, Halvar started zynamics, a company focused on reverse engineering technologies. He continued to publish about reverse engineering, ROP gadget search, and knowledge management technologies in relation to reverse engineering. In 2011, zynamics was acquired by Google, and Halvar spent the next few years working on defensive technologies that leveraged the then-hot buzzwords big data and machine learning. In summer 2015, Halvar received the lifetime achievement Pwnie and decided to take a year off to travel, read, and surf.

  A surprising number of technical questions during a larger intrusion cleanup can be phrased as "given this Y, can you find similar other Xs in this huge pile of data?". This can range from "given this malware, can you find a similar malware in this group" to questions like "given this memory page, can you find similar memory pages?". This talk will discuss areas where similarity searching is useful, and discuss why "rare" features, e.g. properties that hold only for a small number of data items, are of particular interest to the investigator.

  June 13, 2017 16:00-16:45

•  FI

  From Bullet Journal to Lessons Learned: How to Manage Coordination and Cooperation Development in Ad-hoc Working Environment?

  Jarna Hartikainen (NCSC-FI, FI)

  Jarna Hartikainen is Head of Cooperation and Coordination in NCSC-FI at FICORA. She has been working for Finnish Communication Regulatory Authority foreht past ten years giving her wide view of Finnish information security environment. Developing coordination has been her main focus for several years. She has experience from several viewpoints: she started as the first situation coordinator at NCSC-FI, moving on to team leader of situation awareness and now managing the function.

  In a CERT function and situation awareness cases come and go quickly. Fast reactions and quick decisions are a basic requirement to keep the work going with results. The challenges are how to keep up with the level of cooperation and communications in a level of already met expectations and still develop it further on in an always changing environment? Our solution is to manage our days in the bullet journal style and wrap the month in the lessons learned session. The calendar style offers a quick way of going through the wide information security phenomenon scheme monthly, still offering freedom for ad-hoc decisions to new incidents coming up daily. Lessons learned sessions are used to go through improvements gathered from the employees' to develop their work. Even mistakes are welcome, cause you can learn from them! The structure is nowadays base of our regular communication of cooperation groups and public bulletin, luckily enabling continuous developing. The winning party is everyone. It is easy for the management to follow with pre-set deadlines and motivated staff. For coordinators and duty officers structured days, weeks and months balance work load and result expectations, still giving time to react to ad-hoc incidents with passion. Last but not least, the customers know what to expect from our communication and when, yet having trust to our quick reactions. The presentation shows: • Monthly, weekly and daily type of bullet journals • Use of lessons learned session regularly to develop the cooperation and communication • Results of the used method from over one year of experience

  June 13, 2017 16:30-17:00

  From-Bullet-Journal-Lessons-Learned-How-Manage-Coordination-Cooperation-Development-Ad-hoc-Working-Environment.pdf

  MD5: 081b3aa7bbd9d0cd24e5ae441bdbefe0

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.98 Mb

•  US

  Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates

  Kevin Bocek (Venafi, US)

  Kevin Bocek is Vice President of Security Strategy & Threat Intelligence at Venafi. He brings more than 16 years of experience in IT security with leading security and privacy leaders including RSA Security, Thales, PGP Corporation, IronKey, CipherCloud, nCipher, and Xcert. He is sought after for comment by the world’s leading media such as Wall Street Journal, New York Times, Washington Post, Forbes, Fortune, BBC, Süddeutsche Zeitung, USA.

  Recently, Mr. Bocek led the investigation on Secretary Hillary Clinton’s email server and previously he led Venafi’s investigation into how Edward Snowden used cryptographic keys and digital certificates to breach the NSA. His early success securing critical systems included designing and engineering cutting-edge Java and smart card–based encryption and PKI applications for the U.S. government.

  Kevin has authored several books, including PCI Cardholder Data Protection for Dummies and Laptop Encryption for Dummies and co-authored research projects with The Ponemon Institute including the Cost of Data Breach, Cost of Failed Trust, and Worldwide Encryption Trends reports. Mr. Bocek has a B.S. in chemistry from the College of William & Mary and an MBA from Wake Forest University.

  Christine Drake has been involved in IT security for over 14 years. She currently works for Venafi, an industry leader in cryptographic key and digital certificate security, and conducts security surveys and research to complement forensic research conducted by the Venafi Labs team. Before Venafi, she worked for Trend Micro and for MailFrontier as a research analyst.

  Christine is an author on pending patents, papers accepted at peer-reviewed IT security conferences, and security blogs. She has her B.A in Social Ecology and a J.D. from Hastings College of the Law. She is particularly interested in how IT security overlap with industry regulations and privacy laws.

  Experts say the next black market is digital certificates. But most businesses don’t fully understand how these digital assets are used by cyber criminals, hacktivists, and nation states to infiltrate and remain undetected. In addition, expired certificates can also cause outages, negatively impacting reliability and availability. However, Security Operations and Incident Response teams often do not look to cryptographic keys and digital certificates as one of the core instruments for attacks or outages. Or if suspected, a lack of visibility and control delay recovery.

  In this presentation, you’ll learn how certificates are misused in attacks and the frequency and impact of certificate-related outages, including guidance on how to use this knowledge to develop an incident response program that enables both preventive and corrective actions.

  June 14, 2017 14:45-15:30

  Going-Undetected-How-Cybercriminals-Hacktivists-and-Nation-States-Misuse-Digital-Certificates.pdf

  MD5: bce735baddcab9f6d0a32c014caccbf6

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 7.64 Mb

•  GB

  Hajime & the Mainline DHT

  Kevin O'Sullivan (BT Plc, GB)

  Currently a BTCERT Investigator, I have a keen interest in web application security and the Internet of Things. Before working in BTCERT I was on the frontline SOC in BT, and before that spent some time as a web developer creating security systems.

  The dawn of the Internet of Things means we are set to see a huge growth in the numbers of internet connected devices. As we all know – where there is use, there is also misuse and our Internet-connected refrigerator bears no exception to this.

  These devices are often seen as soft, easily broken targets due to lack of security features enabled by default or simply due to the poor security standard of the embedded software. Their wallet-friendly price-tags however appear to remain an attractive solution for the everyday consumer. The most common method of compromise for these devices is also the simplest. Manufacturers will often ship a product with an administrative interface that is left open by default. Worse still, the interface is configured with a standard password (something like admin:admin) and is often positioned facing the Internet.

  The number of these devices present on the Net, and the simplicity of compromise has given rise to a new kind of botnet – that of which entirely consists of DVRs, CCTV systems and the like. This presentation will look at the make-up of recent Internet of Things (IoT) botnet Hajime.

  We will consider the Peer-to-Peer Bit-torrent DHT (Distributed Hash Table) architecture used in this botnet to distribute updates, payloads and configuration files. We will also discuss how we have been using the Bit-torrent network to track the spread and growth of this botnet.

  We will discuss the lessons we have learnt from Hajime, as well as sharing key statistics on the area of spread. We will discuss how this intelligence assisted us in responding to protect our customers. We will also explore some theoretical attacks on the botnet's architecture. We will share Indicators of Compromise from these botnets as well as advice on how you can detect the malwares presence on your own networks and how to mitigate the threat of infection altogether.

  This talk will be focused on CSIRTs and will be presented at a intermediate technical level.

  June 13, 2017 16:00-16:30

  Hajime-the-Mainline-DHT.pdf

  MD5: ba79f8af86a30398fef193db044dc57c

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 4.7 Mb

• Handling an Incident in CERT-EU

  Emilien Le Jamtel is a security analyst working for CERT-EU.

  CERT-EU is the Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies and bodies. It provide support for around 60 organisations regarding targeted cyber threat.

  In this presentation we will go through an incident based on real cases and details how the teams in CERT-EU works internally and interact with constituents, peers and partners.

  The focus is made on processes, tools and information sharing including:

  • Cyber Threat Intelligence database and sharing
  • Threat Hunting on constituents networks
  • Security Operation Center
  • Tools and resources provided to EU institutions, agencies and bodies
  • Relations with peers and partners
  • Documents and analysis provided by CERT-EU

  June 14, 2017 14:45-15:30

  Handling-an-Incident-in-CERT-EU.pdf

  MD5: 084af39fa662a7bfc60d38a4af1b7cb4

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 3.69 Mb

•  DE

  Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

  Ben Stock (CISPA, DE), Christian Rossow (CISPA, DE)

  Ben Stock: PostDoc researcher at CISPA, Saarland University. Graduated at FAU Erlangen, Germany. Expert in Web security.

  Christian Rossow: Professor of IT Security at CISPA, Saarland University. Graduated at VU Amsterdam, The Netherlands. Next to Web security also involved in research on Denial-of-Service and malware.

  We systematically examine the feasibility and efficacy of large-scale notification campaigns. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. Using a data set of over 44,000 vulnerable Web sites, we measure success rates, both with respect to the total number of fixed vulnerabilities and to reaching responsible parties, with the following high-level results: Although our campaign had a statistically significant impact compared to a control group, the increase in the fix rate of notified domains is marginal. If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. But, out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate, leaving 74.5% of Web applications exploitable after our month-long experiment. Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification.

  June 13, 2017 11:45-12:15

  Hey-You-Have-a-Problem-On-the-Feasibility-of-Large-Scale-Web-Vulnerability-Notification.pdf

  MD5: 794aaa3b3b6f6b51ed395b7b590dd414

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 6.19 Mb

•  US

  HIRT Locker 2.0 - Next Generation Hunting

  Christopher Butera (US-CERT, US)

  Mr. Christopher Butera serves as the Director of the Hunt and Incident Response Team for NCCIC/US-CERT. In this role, he has led response efforts to many large-scale data breaches in both the private sector and federal government, several of which you may have read about in the news. His focus is on discovering and analyzing new forensic artifacts and finding new security controls to prevent APT intrusions and create or enhance opportunities for early detection and containment. Mr. Butera is a graduate of the University of Notre Dame and has a Master of Science Degree in Computer Science from the University of Chicago. He holds CISSP, GSEC, and GCED certifications.

  The cyber threat landscape is continuously changing. Attackers develop new tactics, techniques, and procedures (TTPs) to breach and compromise systems. This requires incident response teams to be able to adapt and respond to agile, dynamic threats on a daily basis. The National Cybersecurity and Communications Integration Center’s (NCCIC)/ United States Computer Emergency Readiness Team (US-CERT) Hunt and Incident Response Team (HIRT) is the primary source of incident response and hunt services to the entire federal civilian network space and much of the Unites States critical infrastructure. In this capacity, it is necessary for HIRT to assess and adapt to the myriad of operational hurdles caused by the dynamic nature of an adversary and the uniqueness of every client network that it encounters. Foremost, a sound methodology for ad hoc deployment to client networks must be established. This methodology will serve as the foundation for all hunt and incident response operations. Integration and correlation of data from disparate sources must occur for success to be achieved. Data from hosts, network flow, infrastructure devices, and intelligence sources must all be utilized to achieve success in the field. HIRT must utilize custom hardware and software solutions and accompanying analysis and deployment methodologies for all components of the mission to work seamlessly. Next-generation incident response kits, methodologies, and workflows have been developed to combat this constantly changing threat landscape.

  June 12, 2017 16:30-17:00

•  NL PL

  How to Become a Mature CSIRT in 3 Steps

  Don StikvoortDon Stikvoort (Open CSIRT Foundation, NL), Mirosław Maj (Open CSIRT Foundation, PL)

  Don Stikvoort is a theoretical physicist who was one of Europe's Internet pioneers since 1988. Since 1992 he has been a member of FIRST in various capacities - right now he is Liaison Member, and the co-chair of the TLP SIG. Together with Klaus-Peter Kossakowski he started the European cooperation of CSIRTs in 1993 that later led to TF-CSIRT and the Trusted Introducer. Don leads his own company, specialising in security management and community building - but is also a certified master trainer and executive coach. His CSIRT specialty is the topic of governance and maturity - he is the lead author of the SIM3 maturity model. Don is the Chairman of the Board of the Open CSIRT Foundation, and regularly gives keynote talks, in which he challenges his audiences to think outside the box and assume full responsibility for their work, in the context of society and the humans that make up society.

  Miroslaw Maj has almost 20 years of experience in ICT security. Founder and president of the Cybersecurity Foundation, CEO of the ComCERT company, a former leader of CERT Polska team. Initiator of Polish Civic Cyberdefence organization. He cooperates with Polish Government on the field of cybersecurity and CIIP. He is a member of the Trusted Introducer team being responsible for Accreditation and Certification of CERTs. Co-author of many ENISA publications including CERT exercises and papers on improvement the CERT coordination. He organized cyber exercises in Poland and Georgia for energy, banking and telecommunication sectors. Speaker on many international conferences including the FIRST conferences. He is also the orgniser of four editions of the cyber exercises Cyber-EXE™ Polska.

  We have seen almost 30 years of CSIRT history now. From the very beginning, teams have developed not only their technical skills but have also worked on developing the best organisational and strategic models for their operations. The natural facilitators for that development are internal needs, expectations from others teams (like members of cooperation initiatives like FIRST, TF-CSIRT or APCERT) and external regulations or expectations such as the recent NIS Directive in Europe.

  The best recognised framework for CSIRT maturity is SIM3 (Security Incident Management Maturity Model). It defines 44 parameters in the areas of organisation, human aspects, tools and processes - plus a scale and methodology by which to measure these 44 parameters, that way evaluating the overall CSIRT maturity and operational capability.

  In 2009 this model was adopted by TF-CSIRT as their Certification schema for CSIRTs in Europe. Later on, SIM3 got picked up by more regions in the world, often for self assessment purposes, with an increasing interest to apply it to accreditations, membership procedures and certifications.

  Now - in 2016 - this model has been enhanced with a proposal on how to reach increasing CSIRT maturity in three steps. The first step is to reach the "basic" level, followed by the "intermediate" level. The third step leads to the "certifiable" level, which is meant to be sufficient to reach existing Certification(s). It says "certifiable" and not "certified" as for the latter an independent assessment would be needed, and this could be different in different regions or sectors.

  During the presentation, the authors will briefly explain the SIM3 model, its parameters and how to use it in practice. The focus will however be on explaining how to do the three step maturity improvement process, what it will take and how useful this is for the team. After the presentation, participants will know how to prepare their team for their development towards higher CSIRT maturity.

  June 15, 2017 11:15-12:00

•  PL

  How To Ruin Your Weekend (And Business) In Few Simple Steps

  Przemek Jaroszewski (CERT Polska/NASK, PL)

  Przemek Jaroszewski is a member of CERT Polska (part of Research and Academic Computer Network in Poland) since 2001, where his current position is the head of the team. He started his education as a programmer at Warsaw University of Technology, to eventually get his master's degree in Social Psychology from University of Social Sciences and Humanities in Warsaw. Przemek was involved in a number of projects on data exchange and collaboration of incident response teams. He was also a co-author and teacher of trainings for incident responders, including ENISA CERT Exercises and TRANSITS.

  The talk is an anonymized story of a real incident investigated by CERT Polska. On one sunny summer weekend, things started to go wrong for FastForward - a major logistic company. An apparent IT security incident led to a complete suspension of the company operations, and consequently ruined chain of supply for dozens of its customers. A thorough investigation revealed a number of minor shortcomings that could have been easily prevented. Combined, they triggered a sequence of events that resulted in a disaster causing major financial and reputational losses. The investigation results raised important questions about management of IT security and incident response in an enterprise that outsourced most of its IT operations, as well as about responsibilities of different business entities who contributed to the incident's root causes. It also demonstrated the often overseen benefits of network monitoring and information exchange. During the case study I will show steps that led from (scarce) evidence to conclusive opinions. Learning from FastForward's mistakes, security officers and incident responders will learn valuable lessons in the areas of risk assessment, contingency planning, security monitoring and communication. Proposed structure of the presentation:

  1. Publicly visible signs of the incident
  2. Identifying primary cause
  3. Gathering evidence on contributing factors
  4. Verifying hypotheses
  5. Preventive measures that were not there
  6. Aftermath & Public Communication
  7. Conclusions

  June 14, 2017 14:00-14:45

  How-To-Ruin-Your-Weekend-And-Business-In-Few-Simple-Steps.pdf

  MD5: 00370424f04bf0ba196cf141a73e36d5

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.51 Mb

•  TW RU

  Hunting for Threats in Academic Networks

  Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW), Vladimir Kropotov (Trend Micro, RU)

  Vladimir recently joined Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at some of Fortune 500 companies, was head of Incident Response Team at Positive Technologies since 2014, and holds a university degree in applied mathematics and information security. He participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, and many others.

  Fyodor is a researcher with TrendMicro Taiwan as well as a Ph.D. candidate at EE, National Taiwan University. An early Snort developer, and open source evangelist as well as a "happy" programmer. Prior to that, Fyodor professional experience includes several years as a threat analyst at Armorize and over eight years asa information security analyst responding to network, security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organisations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally.

  In this presentation we will share our experience with analysing a year of academic network flow data. We sampled data from a number of border routers in academic network in Taiwan. An academic network has a particular characteristic of being extremely noisy and detection of malicious activities can be very false-positive prone to due to nature of activities frequently conducted by network users. In addition to that the sampled network flow data provides only limited information regarding the nature of network traffic that traveled through the network segments. Therefore we had to engineer additional algorithms for anomaly detection, data enrichment and data cross-referencing in order to effectively identify ’true-positives': from denial of service attacks, to malware operations, network scanning and attacker’s lateral movements.

  June 13, 2017 11:15-11:45

  Hunting-for-Threats-in-Academic-Networks.pdf

  MD5: 634d71f6ed2ec484cb3b926c06fcc96e

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 8.92 Mb

•  BR

  Implementing a Country-wide Sensor Infrastructure for Proactive Detection of Malicious Activity

  Edilson Lima (RNP, BR), Rildo Souza (RNP, BR)

  Rildo Souza – Rildo holds a Bachelor degree in Information Systems and a post graduation title in Computer Networks at UNICAMP (University of Campinas, Brazil). With more than six years in IT and five in security area, Rildo currently acts as a Security Analyst at CAIS/RNP, the Brazilian Academic and Research Network CSIRT. His major interests include Incident Handling, Vulnerability Analysis and Network Monitoring. In the last years, he leaded various security projects in order to facilitate the day-to-day of academic IT staff and to raise the security awareness among this community. Rildo has also delivered lectures and training courses in national and international events.

  Edilson Lima - Edilson holds a Bachelor degree in Information Systems and a MBA in Information Security Management. He is a certified professional in ISO 27002 and COBIT. With 10 years of experience in Information Security area, Edilson has leaded several projects and has coordinated various security teams. Currently, he acts as the Security MAnager of the Incident Handling team at the Brazilian Academic and Research Network CSIRT

  Liliana Solha - Liliana holds a Bachelor degree in Industrial Engineering at University of Lima (ULima), Peru, and a Post Graduation title in Computer Networks at the University of Campinas (UNICAMP), Brazil. She has been involved in security area since 1996. Working at the RNP, the Brazilian Academic and Research Network since 2000, she currently acts as the General Manager. Liliana also served for three continuous two-year elected position as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST) organization – becoming the first Latin American representative on this board. In the last years, she has actively worked for the security awareness dissemination in Brazilian and Latin American academic networks, impelling the development of CSIRTs in the region. She has acted for four years as the Chair of "RedCLARA - Cooperation of Latin America Research and Academic Network - Security Task Force (GT-Seg)". Liliana has recently assumed the coordination of the FIRST ACAN BoF, a Special Interest Group that brings together all the academic organizations at FIRST community. Currently, she is also a member of the Security Study Group of Global Research and Educational Network CEO Forum, initiative that includes CEO representatives from a group of NRENs (National Research and Educational Network) around the world. Liliana has also participated as a speaker and trainer at several Brazilian and international security events (FIRST, COLARIS, LACNIC, OAS, TICAL, CLARA-TEC, SCI/RNP, etc).

  Driven by the need for a greater autonomy in detecting malicious activity at Brazilian academic networks, CAIS/RNP, the Brazilian National Academic and Research Network CSIRT - who serves to a constituency of approximately 600 institutions - developed its own monitoring solution based on an open source Network IDS/IPS (Suricata) using a master-engine model and incorporating additional features and customizations in order to obtain an efficient, easily-managed and complete solution for proactive detection of network security incidents, thus facilitating the day-to-day of incident handlers and strengthening the CSIRT incident handling capability, which is one of the core services of any CSIRT.

  This presentation aims to provide details on the implemented solution and challenges, and mainly to share this initiative with FIRST community in order to benefit other CSIRTs.

  June 16, 2017 11:45-12:15

  Implementing-a-Country-wide-Sensor-Infrastructure-for-Proactive-Detection-of-Malicious-Activity.pdf

  MD5: aca3373cb866cc202af9802f840a46df

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.97 Mb

•  HR

  Improving Network Intrusion Detection with Traffic Denoise

  Miroslav Stampar (Information Systems Security Bureau, HR)

  IT Security Advisor - Expert at Croatian Government's CERT, part of the Information Systems Security Bureau (ZSIS). Born in 1982, writing and breaking computer code for as long as he can remember. A PhD candidate with Master's Degree in Computer Science at Faculty of Electrical Engineering and Computing (FER), University of Zagreb, Croatia. Also, open source contributor (sqlmap, Maltrail, tsusen, ipsum, etc.) and Croatian Chapter Lead for The Honeynet Project.

  Online systems are constantly exposed to a substantial amount of network traffic "noise". In network intrusion detection, any kind of network traffic that can be ignored altogether, while otherwise causing false-positive (or irrelevant) events, can be considered as noise. Most common noise generators are mass (research) scanners, UDP amplification probes, open proxy scanners, service attackers, unroutable packets, etc. If we could somehow reduce the traffic noise (denoise), network intrusion detection would immediately become more effective and front-end report panels would suddenly become more comprehensible.

  Basic idea is the collaborative collection of data at dispersed unused nodes (i.e. sensors) where any kind of incoming traffic can be considered as noise. Final result should be a list of IP addresses that are known sources of (Internet) noise and which could either be ignored at intrusion detection systems or whose incoming traffic could be dropped altogether.

  To make the data more relevant, only sources found by at least two (or more) nodes should be taken into the consideration, as there is no source that should by any mean contact more than one dispersed inactive node on the Internet. Also, this would prevent the potential false-positives that could be generated by noise (e.g. caused by hardware bit-level “glitches”) inside the collected noise.

  As part of the presentation, there will be an introduction into the used experimental methodology and online collected data, along with quick analysis of gathered noise. Also, there will be a comparison of a real world intrusion detection system report with and without the noise, so the audience could get the feeling of a practical usability of suggested method.

  June 15, 2017 14:45-15:30

•  US

  Improving Useful Data Extraction from Cybersecurity Incident Reports

  Samuel PerlMatthew Sisk (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US), Samuel Perl (CERT/CC, US)

  Matthew Sisk is a member of the Situational Awareness group within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2007 working as a software engineer and network defense analyst developing automated solutions across massive data sets. Prior to CERT, Sisk gained over 10 years experience as a developer specializing in network security for a major corporation in the oil and gas industry. Sisk holds a B.E. in Electrical Engineering and Computer Science from Vanderbilt University.

  One of the central services of Computer Security Incident Response Teams (CSIRTs) and Security Operation Centers (SOCs) is the receipt of incident reports from their constituency. Some teams have large constituencies and receive tens of thousands of incident reports per year. Some teams have turned to automation, when dealing with large volumes of incident reports, to assist analysts with incident prioritization, workflow assignment, and more. This is a complex process because incident reports often have a unique 'form.' This ‘Form” is typically a mixture of header/identifying information, structured information, free text narrative, cybersecurity jargon terminology, and uniquely transformed information such as 'defanging' of potentially dangerous information.

  Over the past few years we have worked in collaboration with US-CERT on exploratory analysis of incident data and reports. The focus has been on improving the quality and amount of useful information that can be extracted from incident reports and used for correlation, trending, situational awareness, and eventually predictive analysis. A recent part of this work has focused on developing a method for improving the use of regular expression searching for the extraction of indicators and other useful information.

  In our method, we first assemble a set of ground truth incident reports with the information manually extracted. We then identify false positives and indicators that were not being extracted. We also developed a framework to measure the improvement that a given extraction method has had using the ground truth data. This allows us to monitor the affect a change in the regular expression has had upon extractions of the larger corpus.

  This presentation will discuss our method, challenges teams can expect to encounter when automating extraction from incident reports, our lessons learned during the creation of the ground truth data (such as other useful types of information we noticed in the incident reports and future ideas for extracting it), our testing process, and some initial observations related to our results.

  June 16, 2017 11:45-12:15

  Improving-Useful-Data-Extraction-from-Cybersecurity-Incident-Reports.pdf

  MD5: dd30b155acdc1b34e918b481f693565c

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 655.32 Kb

•  GB AT

  IoCannon: Blasting Back on Attackers with Economics -or- How do we Improve the Power of IoCs?

  Éireann LeverettÉireann Leverett (Concinnity Risks, GB), Marion Marschalek (Independant, AT)

  Marion is dangerous. Eireann is pretty. So, pretty.

  IoCs (Indicators of Compromise) are a state-of-the-art method to describe the technological aspects of an incident. Currently, we see IoCs composed of rather "cheap" indicators; file hashes, domain names, IP addresses. All have different "cost" attached, in other words we can put two price tags on each indicator: costly for the attacker to change and costly for the defender to apply.

  Some IoCs are harder to change for the attackers than others, and we rank such indicators in our presentation, along with the reasoning and experiments that demonstrate this. Some IoCs though are harder for a defender to deploy than others, we analyse and rank these with the rigor you've come to expect from such buccaneers of bitshifting as ourselves. Finally, IoCs naturally also have an associated expiration date, rendering them useless as soon as the attacker managed to adapt. The goal of this research is to build smarter indicators. We aim for indicators, easy thus cheap to extract, but expensive to change. We will present a proof of concept, showing how to extract a plethora of metrics from malicious binaries using a disassembly framework and graph analysis tools, which relate to malware complexity rather than describing meta information. We will discuss each of the metrics, how expensive they are to extract, how resilient they are against changes applied by the attacker, how much information they carry, how closely they are tied to the cost of the actual attack.

  Next we analyze the frequency of indicators found in the MISP platform, and compare it to a theoretically ideal ranking. One that would be much more valuable if the indicators were less ephemeral for the attacker and more easily deployable for the defenders. We build our research on the assumption of MISP being the de-facto standard of how indicators are being stored and shared.

  Lastly, we go over the MISP taxonomy of IoCs and discuss what indicators we might prefer for the future. This will hopefully lead to further proposals for more indicators in the future, and we'll make sure the audience knows how to propose them in the future.

  We'll conclude with a discussion of how cybercovigilance, and post market surveillance are the types of measurement we need most in the community going forward. The frequency of individual technologies vulnerability and exploitation are currently missing from most debates. This is something we hope will change substantially both from this work, and the work of others.

  June 12, 2017 12:00-12:45

•  NL

  Keynote: 18 Years Old, it's Time to Become Mature

  Martijn de Hamer (NCSC-NL, NL)

  Martijn de Hamer is head of the National Cyber Security Operations Center (NCSOC) at NCSC-NL. After having had various roles in the field of information security, Martijn first started working for NCSC-NL (previously GOVCERT.NL) in 2005. Additionally, he is active in the field of CSIRT maturity and other aspects of CSIRT capacity building.

  Coming of age is something that you should never do alone. It’s the task of the older sibling to help the younger ones recover from the mistakes they make. Existing and established CSIRT teams have combined their efforts to pave the way for new and future teams by providing materials, guidance and a roadmap. In gaining maturity, self-assessment becomes a necessary and sometimes painful step. That is why those existing and established teams will also benefit from reflecting on their own work.

  June 15, 2017 09:45-10:45

•  AU

  Keynote: A Decade of Lessons in Incident Response

  Darren Bilby (Google, AU)

  Darren is a manager in Google's Enterprise Infrastructure Protection team, a staff Security Engineer and self described Digital Janitor. A 10 year Google veteran, Darren was the tech lead for Google's Global Incident Response team for 6 years, managed Google's European detection team in Zürich for 2 years and has also worked as a software engineer building out Google's security tools. He was also the founder and a core developer of the open source GRR Incident Response project. Prior to joining Google, he worked for 8 years in security consulting in the banking and telco sectors.

  This talk will discuss the key lessons learned in incident response at Google over the past 10 years. In that time we have evolved from some bad ideas and some hastily written bash scripts, to a globally distributed, cross functional organization, ready to face whatever comes our way. We will discuss the things that have made the team successful, but more importantly, the lessons we learned the hard way in the hope that others won't have to.

  June 13, 2017 09:45-10:45

•  GB

  Keynote: Cybersecurity and the Age of Privateering

  Florian Egloff (University of Oxford, GB)

  Florian Egloff is a Clarendon Scholar, a D.Phil (PhD) Candidate in Cyber Security at the Centre for Doctoral Training in Cyber Security at the University of Oxford, and a Research Affiliate at the Cyber Studies Programme at Oxford University's Department of Politics and International Relations. He is currently working on his thesis entitled 'Cybersecurity and non-state actors: a historical analogy with mercantile companies, privateers, and pirates.'

  .

  June 14, 2017 09:45-10:45

•  US

  Keynote: Post-Quantum Cryptography

  Brian Lamacchia (Microsoft Research, US)

  Brian LaMacchia is the Director of the Security & Cryptography group within Microsoft Research (MSR) where his team conducts basic and applied research and advanced development. Brian is also a founding member of the Microsoft Cryptography Review Board and consults on security and cryptography architectures, protocols and implementations across the company. Before moving into MSR in 2009, Brian was the Architect for cryptography in Windows Security, Development Lead for .NET Framework Security and Program Manager for core cryptography in Windows 2000. Prior to joining Microsoft, Brian was a member of the Public Policy Research Group at AT&T Labs—Research. In addition to his responsibilities at Microsoft, Brian is an Adjunct Associate Professor in the School of Informatics and Computing at Indiana University-Bloomington and an Affiliate Faculty member of the Department of Computer Science and Engineering at the University of Washington. Brian also currently serves as Treasurer of the International Association for Cryptologic Research (IACR) and is Past President of the Board of Directors of the Seattle International Film Festival (SIFF). Brian received S.B., S.M., and Ph.D. degrees in Electrical Engineering and Computer Science from MIT in 1990, 1991, and 1996, respectively.

  In an August 2015 announcement, the Information Assurance Directorate of the US National Security Agency announced plans to begin a transition from the existing “Suite B” cryptography to quantum-resistant algorithms. Since Peter Shor of AT&T Bell Laboratories first published an efficient quantum algorithm for factoring in 1994, we have known that when a general-purpose quantum computer of sufficient size is built then all our commonly-used public-key cryptographic algorithms will be broken. Recent progress in the physics and engineering of quantum computation is changing our assumptions about the feasibility of building a cryptographically-relevant quantum computer, and while there are still technical challenges to address, the best estimates today are that such a machine could become feasible in as little as 10-15 years. Given our experience with past cryptographic algorithm transitions, this time horizon means that we need to start today the process of identifying hard problems that are quantum resistant, developing efficient cryptographic algorithms based on those problems, standardizing these algorithms and deploying them broadly, and deprecating our existing public-key cryptosystems.

  In this talk I will discuss recent advances in quantum computing, the potential impact on public-key cryptographic algorithms and protocols widely used today, the upcoming US NIST “competition” for quantum-resistant algorithms and related standardization activities, and the possible impact of the move to post-quantum cryptography on incident analysis and response.

  June 16, 2017 09:45-10:45

•  AU

  Lean Gains - Small Team Effectiveness

  Ben May (AEMO, AU)

  Ben is Manager of the Cyber Security Team at the Australian Energy Market Operator (AEMO). Ben has been with AEMO for almost ten years and has had a strong focus on establishing and operating the Threat Detection and Response capability. Ben’s current role has a strong focus on the delivery of key security initiatives along with the operating and maturing the threat detection, intelligence and response function.

  Small teams who want to look at ways to deliver effective threat detection and response capabilities. Teams that want to look at ways to leverage resource constraints to better deliver services and effect change.

  June 15, 2017 12:00-12:45

  Lean-Gains-Small-Team-Effectiveness.pdf

  MD5: 7db2ce58b5e7965a52eee035a624df1b

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.35 Mb

•  CZ

  Malicious Proxy Auto-Configs: Harvesting Credentials From Web Forms Made Easy

  Jan Sirmer (Avast Software, CZ), Jaromir Horejsi (Avast Software, CZ)

  Jaromir Jaromír is a malware researcher at Avast Software. His main specialization is reverse engineering mainstream cyber threats that target Windows and Linux. During the course of his career, he has researched many types of threats, e.g. DDoS botnets, banking Trojans, click fraud and ransomware. In the past, he has successfully presented his research at RSAC, Virus Bulletin, AVAR, Botconf and CARO.

  Jan Jan is a senior malware analyst at Avast Software. His main specialization is analyzing malicious Java threats, Android applications and exploits, macro viruses, web based malware and other non-executable malware. During the course of his career, Jan has authored blog posts about phishing threats, malicious web exploits and Android threats. In the past, he has successfully presented his research at AVAR, Virus Bulletin and WebExpo.

  Most media attention is given to imminent and visible threats, like ransomware. Other threats remain under the radar and often go unnoticed. Malicious proxies are one of these threats.

  The redirections done via malicious proxies are only activated in certain situations. Internet web browser settings are slightly modified, so that a very small (<1KB), and often obfuscated, proxy auto-config file is queried from the configuration server. If a victim browses particular websites, like banking sites, they are redirected to fake or malicious domains that pretty much look identical to real sites. Other than that, infected computers behave normally and victims usually don’t notice anything. All the credentials victims enter into fake sites are harvested by cybercriminals. This allows for a variety of attacks, including MitM and SSL impersonation, which may later lead to identity theft, unauthorized account access, and financial loss.

  In our talk, we will discuss the Retefe banking Trojan, which celebrated its comeback in the summer of 2016. There have been several changes made to Retefe, including, but not limited to, the structure of the delivered payload, geographical distribution, and the online banking systems it is targeting. Spread via malicious email attachments, a few malicious scripts are dropped and executed, and a rogue certificate is installed and the victim’s browser proxy configurations are changed. Retefe traditionally targeted banking users in German-speaking countries, however, we managed to detect completely new waves targeting banking users in the UK. The particular waves differ from one another, for example, Retefe started installing third-party tools and libraries (Tor, Proxifier,...), using different methods of persistence, and began targeting additional financial institutions. The last, and perhaps the most important part of the threat, are the mobile applications for Android, which the fake banking sites encourage victims to download. During our research we managed to collect and analyze hundreds of these apps.

  We will show a detailed infection vector, ways of targeting and changing settings of various web browsers, and reverse engineer all the malware components coming from the various waves, and finally show original and fake websites as they would be seen from clean and infected computers. We will also show the statistics and severity of this threat, as seen by our user base. We hope our talk will be beneficial for attendees coming from a DFIR background, because we intend to dive into all aspects of this threat, share interesting IOCs and system settings, which might be modified by Retefe or other similar malicious threats. Although Retefe is simple from a technical point of view, it is very powerful and efficient in reaching its hideous goals.

  June 13, 2017 16:00-16:30

  Malicious-Proxy-Auto-Configs-Harvesting-Credentials-From-Web-Forms-Made-Easy.pdf

  MD5: 8960fbaf782f40f8d8ee8a17cf88e4af

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.18 Mb

•  US

  Managerial Strategies for Improving the Social Maturity of Cybersecurity Incident Response Teams and Multiteam Systems: A Workshop

  Daniel Shore (George Mason University, US), Stephen Zaccaro (George Mason University, US)

  Dr. Stephen J. Zaccaro is a professor of psychology at George Mason University, Fairfax, Virginia. He is also an experienced leadership development consultant. He has written over 140 journal articles, book chapters, and technical reports on group dynamics, team performance, leadership, and work attitudes. He has authored a book titled, The Nature of Executive Leadership: A Conceptual and Empirical Analysis of Success (2001). He has co-edited five other books, including a recent one on the psychosocial dynamics of cyber security. He serves on the editorial board of The Leadership Quarterly, and he is an associate editor for Journal of Business and Psychology and Military Psychology. He is a Fellow of the Association for Psychological Science, and of the American Psychological Association, Divisions 14 (Society for Industrial and Organizational Psychology) and 19 (Military Psychology).

  Daniel Shore, M.A., is a doctoral candidate in the Industrial-Organizational Psychology program at George Mason University (GMU). He currently serves as a graduate teaching assistant at GMU. For the past four years, Daniel has served as a research assistant on a DHS-funded project that examined the socio-behavioral characteristics associated with effective performance in cybersecurity incident response teams (CSIRTs). Through this project, Daniel was the lead researcher on developing the protocol for and conducting cognitive task analysis interviews. In total, he conducted over 40 interviews using this protocol and identified the top cognitive skills and abilities utilized by CSIRT members. Daniel was also a lead author on the decision-making and performance evaluation chapters in a managerial handbook on improving CSIRT performance. His other research focuses around how employee recognition and rewards impact attitudes and behaviors of the non-recipients.

  CSIRT social maturity reflects how well members of a cybersecurity team collaborate and coordinate together to complete the performance requirements defined by the team’s mission. Establishing the social maturity of a cybersecurity incident response team (CSIRT) represents a critical challenge for CSIRT managers. As an extension of our recently completed work on a four-year, DHS-funded project examining social maturity in CSIRTs, we are offering a three-hour workshop at FIRST 2017 to share our findings and offer strategies and best practices to CSIRT managers for improving CSIRT social maturity from a socio-behavioral perspective. The findings and recommendations we share have been derived from our interviews with representatives of 52 CSIRTs and surveys taken by nearly 90 CSIRT members. In the workshop, we will first define the social maturity challenges we found to be facing CSIRT managers in setting up and maintaining effective CSIRTs. Then we will present staffing and training strategies that establish an effective foundation for collaboration. We will also share strategies for establishing and managing strong collaboration and coordination between cybersecurity teams that exist in what we refer to as CSIR-multiteam systems, or CSIR-MTS. This will lead us to the managerial handbook we created based on our research findings, and we will provide access to a digital copy of the handbook during the workshop. The handbook presents a set of management tools for assessing CSIRT social maturity and delineates the appropriate strategies for improving upon the challenges identified through those tools. These strategies and tools are supported by best practices from socio-behavioral psychology research focused on enhancing team collaboration and coordination. Lastly, we will provide attendees with opportunities and coaching to understand how to take these tools and apply them to their own cybersecurity teams.

  June 14, 2017 14:00-15:30

•  DE

  Marvin: Automated Incident Handling at DFN-CERT

  Eugene Brin (DFN-CERT, DE), Jan Kohlrausch (DFN-CERT, DE)

  Jan Kohlrausch received a Diploma in computer science from the University of Hamburg in June 2000. Since July 2000 he works as a Senior member of the research and development team at the DFN-CERT Services GmbH. His research interests include Honeypots, malware analysis, and network forensics.

  Eugene Brin is a consultant and engineer with focus on honeypots, mobile security and threat management. After years of entrepreneurial practice he joined DFN-CERT Services GmbH in 2012 and has been involved in numerous security research projects since.

  We introduce Marvin (Malicious Activity Refining, Validating, and Integrating), a framework that efficiently automates the handling and coordination of incidents caused by well-known threats. This framework is especially designed to save human resources for incident handling where automated treatment is feasible where technical guidance for specific threats can be provided. Incident handling automation by Marvin integrates data collection, contact management, incident categorization, technical guidance, and reporting. The framework leverages the relationship between a CSIRT or SOC and its customers and end-users. The constituent groups are granted access to a web-based portal where they can maintain their contact and network data. Marvin itself uses supplied data pertaining to security events in order to put together an actionable incident report that enables the affected site to resolve the incident. Furthermore, a web-based front end allows to configure Marvin workflows and displays event information to the internal Incident Response Team (IRT) of DFN-CERT.

  Marvin has proven to efficiently reduce manual effort required to handle incidents caused by well-known threats. We strongly believe that other CSIRTs or SOCs would also benefit from this approach to reduce their work load. Even in case the framework cannot be deployed as a whole, components such as the quality control or security event management could prove to be valuable to other teams.

  June 15, 2017 14:45-15:30

  Marvin-Automated-Incident-Handling-at-DFN-CERT.pdf

  MD5: 6d9d9d0e820db7fc74261e64da98ea60

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.37 Mb

•  US

  Measuring Similarity Between Cyber Security Incident Reports

  Samuel PerlSamuel Perl (CERT/CC, US), Zachary Kurtz (Software Engineering Institute, US)

  Zach Kurtz (Statistics Ph.D., CMU 2014) is an applied statistician with experience on projects in fields as diverse as cyber security, public transit, psychology, marketing analytics, ecology, medicine, human rights, and international capital flows. His dissertation built on capture-recapture theory to introduce a new method for estimating the sizes of partially observed populations. At the SEI, Zach has developed cyber incident visualization tools and developed new evaluation methodologies for open-ended cyber warning competitions. Zach began his data science career at the age of 14 with a school project on tagging Monarch butterflies near his childhood home in remote West Virginia.

  Samuel J. Perl is a senior member of the CSIRT Development and Training (CDT)Team within the CERT® Division of the Software Engineering Institute (SEI), at Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2011 and has worked on a variety of projects areas including insider threat, vulnerability assessment, security incident data analysis, and incident management capacity development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds a M.S. in Information Security Management from Carnegie Mellon University and a B.S in Information Systems from Carnegie Mellon University.

  Most security incident teams work in close real-time communication with each other to ensure that related incidents are grouped together and handled with consistent defensive actions. As the size of the internet has grown and the tactics of attackers has shifted, it is not always obvious what security incidents or events are related to each other. Today's security teams now need to connect security activity that is sometimes months apart, on different partner networks, or across different attacking infrastructure. Additionally, the teams face issues of employee departures, work handoffs, outsourcing, cross border communications, and budget constraints. It is not always practical or even possible to maintain real-time communication with all relevant partner teams.

  Our team has been working in collaboration with US-CERT on a variety of automated methods to measure the similarity between incident reports. Measurements can be used to supplement the knowledge that a real-time operations team already has, or it can be helpful in identifying unknown historical information in a large corpus.

  For example, in one incident ticket collection database, we examine how to quickly locate the most-closely related historical incidents based upon analyst settings for what they consider to be most important in determining similarity. We also consider identifying and presenting data-driven taxonomies of cyber-attacks based on grouping similar incidents into clusters regardless of human categorical labels which are often under-specified. Finally, we are developing novel ways to take large sets of cyber-attack warnings and compare them against attacks that are actually observed to decide whether any of the warnings had merit.

  Our presentation will review multiple approaches to computing similarity of incident reports at multiple levels. One approach involves viewing each incident report as a document containing many terms and analyzing the graph of incidents with linkages determined by shared terms. Another approach involves defining similarities for each kind of detail in an incident and then averaging the similarities across the various details between any pair of incidents. Finally, we'll introduce a new generalization of the Jaccard similarity to account for approximate equality between set elements and demonstrate how this could be used to detect similarity between incidents containing sets of indicators among which exact matches are rare and yet approximate matches are meaningful.

  June 12, 2017 11:15-12:00

  Measuring-Similarity-Between-Cyber-Security-Incident-Reports.pdf

  MD5: 921ae101f3d34bd226a27f8ec3f6065b

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.8 Mb

•  US

  Medical Device Security: A Sucking Chest Wound That Needs Emergency Medicine

  Denise Anderson (NH-ISAC, US)

  Denise Anderson is President of the National Health Information Sharing and Analysis Center (NH-ISAC), a non-profit organization dedicated to protecting the health sector from physical and cyber attacks and incidents through dissemination of trusted and timely information.

  Denise serves as Chair of the National Council of ISACs and participates in a number of industry initiatives. She is a private sector liaison to the National Infrastructure Coordinating Center (NICC) to enhance information sharing between the private sector, and the government. She is a representative to the National Cybersecurity and Communications Integration Center (NCCIC) — a Department of Homeland Security-led watch and warning center and sits on the Cyber Unified Coordination Group, (UCG) - a public/private advisory body that provides guidance during a significant cyber event.

  Denise is certified as an EMT (B), Firefighter I/II and Instructor I/II in the state of Virginia, and is an Adjunct Instructor at its Fire and Rescue Academy. She has spoken at events all over the globe.

  Denise holds a BA in English, magna cum laude, from Loyola Marymount University and an MBA in International Business from American University. She graduated from the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.

  Modern Medicine has evolved dramatically in the last five years enabled by new technologies and data collection/analysis. This is accomplished in many cases by connecting devices, products, systems and networks to the internet. But as is the case with innovation, many medical devices are built without security in mind. Hospitals often have tens of thousands of connected devices in their environments and with estimates of billions of patient exposures per year, the huge vulnerabilities, jurisdictional chasms and evolving threat landscape serve to increase the risks to patient safety and potentially lives. This session will look at the current situation in medical device security, the vast issues, the threat landscape and will look at a cutting edge effort between industry and government to address these challenges by turning the perspective from device security to patient centered security.

  June 15, 2017 14:00-14:45

  Medical-Device-Security-A-Sucking-Chest-Wound-That-Needs-Emergency-Medicine.pdf

  MD5: 7c1ff38d2154271904108c7183039a4c

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 5.66 Mb

•  US BR

  Moving Like a Spook Through Walls or Being Just a Shadow for APT Detectors

  Dmitry Bestuzhev (Kaspersky Lab, US), Fabio Assolini (Kaspersky Lab, BR)

  Dmitry Bestuzhev Director, Global Research and Analysis Team, Latin America

  Dmitry Bestuzhev is Director of Kaspersky Lab’s Global Research and Analysis Team in Latin America, where he oversees anti-malware research by the company’s experts in the region.

  Dmitry joined Kaspersky Lab in 2007 as a Malware Analyst monitoring the local threat landscape and providing preliminary analyses. By 2008 he had become Senior Regional Researcher for the Latin American region and he was appointed to his current role in 2010.

  In addition to overseeing anti-malware research and analysis work, Dmitry produces reports and forecasts for the region and is frequently sought out by international media and organizations for his expert commentary on IT security. Dmitry’s wide field of expertise covers everything from online fraud, through to the use of social networking sites by cybercriminals. Dmitry is also an expert in corporate security, cyber espionage and complex targeted attacks and participates in various educational initiatives throughout the Americas.

  Dmitry has more than 16 years of experience in IT security across a wide variety of roles and is fluent in English, Spanish and Russian.

  Fabio Assolini: Senior Security Researcher, Global Research and Analysis Team

  Fabio Assolini joined Kaspersky Lab’s Global Research and Analysis Team (GReAT), which boasts the industry’s top analysts, in July 2009 to primarily focus on one of the most dynamic countries in Latin America: Brazil. Fabio’s responsibilities include the analysis of virus, cyber attacks, banking trojans and other types of malware that originate from Brazil and the rest of the region. He particularly focuses on the research and detection of banking trojans. In November 2012, he was promoted to senior security researcher.

  Since 2006, Fabio has been a voluntary member of the security community Linha Defensiva (Defensive Line), a non-government organization. In addition, he is a member of the Alliance of Security Analysis Professionals (ASAP), a network of NGOs, professionals and individuals dedicated to providing security related support to end users. Fabio has more than five years of experience as a malware analyst and possesses a university degree in Computer Science.

  It all began in the fall of 2016, or perhaps a bit earlier… We were working on the analysis of the latest developments of a known APT-threat actor when suddenly, we discovered that the network traffic we thought was just noise, was actually the exfiltration method used to bypass traditional anti-APT solutions and the analysis of Security Researchers. The threat actor actually had carefully prepared the whole theater of operations, ensuring the trespassing of well-known top security practices such as file inbound domains/network traffic inspection, file whitelisting and finally APT detection based on the outbound DNS requests. In our presentation, we will share additional details about this threat actor we named “move-through-walls” and its operation techniques causing false positives detections for some security vendors.

  Strong points: Fooling traditional Anti-APT solutions Bypassing Security products abusing legitimate services you want to use Proxification and C2 obfuscation Incident response countermeasures

  June 16, 2017 12:15-12:45

•  LV

  Non-Formal - Everything Out of Normal

  Svetlana Amberga (CERT.LV, LV)

  Svetlana Amberga is working in CERT.LV Latvia, Riga, as Public Relations Team Manager. Previos experience include project management and practical educational work for groups, mostly for youth leaders in Riga City council Wellfare department. Svetlana was involved in non profit organization management as board member of Latvian National Youth Council and European level organization – ACTIVE - Sobriety, Friendship and Peace. Fields of expertise – youth work, organizational development, communication. Previos experience include project management and practical educational work for groups, mostly for youth leaders in Riga City council Wellfare department. Svetlana was involved in non profit organization management as board member of Latvian National Youth Council and European level organization – ACTIVE - Sobriety, Friendship and Peace. Fields of expertise – youth work, organizational development, communication.

  CSIRT teams in incident response have to work fast and efficient in order to solve incidents timely and keeping high quality. Such performance is very demanding and requires efficient team work and well understood roles for all participants.

  Problem: When growing and transforming, CSIRT teams may have to face challenges on how to improve their communication and cooperation. Though such challenges are essential part of the growth, it may be hard to manage changes efficiently and with satisfactory results.

  The challenges teams might be facing: • Communication challenges (quality, frequency, low social skills) • Relations and roles in the team (old/new members, unclear roles, who is driving incident handling process, etc.) • Motivation (lack of initiative, lack of feedback, inappropriate reporting, etc.)

  Proposed solution: This presentation would explore experience the CERT.LV team gained during a teambuilding activity, using non-formal learning methods and present concept of how to use such experience for other teams. It would to examine how teams can benefit from non -formal learning to improve their internal communication, to raise motivation and clarify the roles internally.

  The presentation would focus on the following questions: • What is non-formal learning? Why is it efficient for the team work? • How can structural group work experience improve the team work? • Can non-formal learning improve team members’ motivation? • How to identify important learning needs of the team?

  Beneficiaries from the presentation will be CSIRT team members as well as teams’ management.

  June 16, 2017 12:15-12:45

  Non-Formal-Everything-Out-of-Normal.pdf

  MD5: 893679b50d9a04aede73cafac50ac1e7

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.98 Mb

•  US

  OSS Security: That’s Real Mature Of You!

  Christine Gadsby (BlackBerry, US), Jake Kouns (Risk Based Security, US)

  Jake Kouns is the CISO for Risk Based Security that provides vulnerabilities and data breach intelligence. He previously oversaw the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB. Kouns has presented at many well-known security conferences, including RSA, Black Hat, DEF CON, DerbyCon, FIRST, CanSecWest, InfoSecWorld, SOURCE and more!

  Christine Gadsby is the Director of BlackBerry's global Product Security Incident Response Team (SIRT). This highly respected team monitors the security threat landscape and responds rapidly to emerging threats for all of BlackBerry's products and services and those of its subsidiaries and consulting customers.

  Open source software (OSS) usage is on the rise and also continues to be a major source of risk for companies.ˇ OSS and 3rd party code may be inexpensive to use to build products but it comes with significant liability and maintenance costs.ˇ Even after high profile vulnerabilities in OpenSSL and other critical libraries, tracking and understanding exposure continues to challenge even at the most mature enterprise company.

  It doesn’t matter if you are a software vendor or not, development and the use of OSS in your organization is most likely significant. It also doesn’t matter if you have been developing software for years or are just getting started, or whether you have one product or one hundred, it can feel to many nearly impossible to keep up with OSS vulnerabilities or more important ensure they are properly mitigated.

  This presentation looks at the real risk of using OSS and the best way to manage its use within your organization and more specifically the Product Development Lifecycle.ˇ We will examine all the current hype around OSS and separate out what are the real risks, and what organizations should be the most concerned about.ˇ ˇWe explore the true cost of using OSS and review the various factors that can be used to evaluate if a particular product or library should be used at your organization, including analyzing Vulnerability Metrics including Time to Patch.

  Getting your head wrapped around the issues and the need to improve OSS security is challenging, but then taking action at your organization can feel impossible.ˇ This presentation provides several real world examples that have been successful at Black Berry including:

  A case study of a single third party library vulnerability across several products will help to show why the result of investigating actual impact against your different products is valuable intelligence.

  We will provide learnings from your incident response function and why understanding the vulnerabilities in your current software can gain you valuable insight into creating smarter products to avoid maintenance costs.

  Finally, we will introduce a customized OSS Maturity Model and walk through the stages of maturity for organization developing software with regards to how they prioritize and internalize the risk presented by OSS.

  This presentation will review the following topics using data and evidence:

  Part I:

  -Introduction to the Open Source Software and the security issues (brief) -Vulnerability statistics/review of 2015 and focus on OSS issues/libraries -Legal Liability pressures continue to increase on vendors, examples of recent cases -Concerns with OSS have been constant, but seem to be losing the hype -What are the real issues, what is hype?ˇ What are the biggest risks to consider? -When has OSS gone bad? -When bad code gets submitted or a developer rage quits -License issues are still a critical part of using OSS and can?t be ignored -Understanding actually potential and hidden costs with OSS -Why does the cadence of release cycle matter? -How often are OSS updates released -Too many = way too often to update, huge cost of ownership -Too few = leaves you open to risks and compromise -Need the porridge to be JUST right and prefer secure coding from the beginning -How can you evaluate OSS or determine is there are any potential issues? -How can you tell if an OSS project is mature enough to rely on? -Lack of long term viability of a project -Lack of sponsorship, will the code get abandoned? -Health of the project, # of contributors, # of updates, etc. -Support available?Do they have a contact person/vehicle for security? -Vulnerability Timeline Metrics can help! -How long does it take for researchers to get a response? -How long does it take to provide a patch?

  Part II:

  -How do you get executives to buy in? Why is OSS security so important? -A quick view current potential economic risk and the pressure of feature development over writing secure code: Will market force or legal risk prevail first? -Intelligence: Do you know how much OSS you are actually using in your products? -Do you know what versions of those OSS libraries? Are you updating versions or cherry-picking fixes? How do you decide? -How much OSS is actually in a tech vendor - data points on BlackBerry?s OSS usage across its product suite. -Case Study: 1 OSS vuln can affect products differently, blind patching doesn?t make sense. We will look at a of a major OSS vuln across BlackBerry?s product verticals (products affected x cvss score on each x patch timelines) This will paint a picture of the value of investigating OSS vulns and their impact vs. patching timelines -How to evaluate OSS against your products - now that you know how many OSS libs are in your product, what you do about it -Introduce the OSS Maturity Model and how to evaluate OSS -How to use your SIRT and investigation function to determine risk in OSS -How do you handle current and incoming OSS 3rd Party Libs as part of your development lifecycle? -Using Containers to minimize risk -Which OSS project pose the most risk- OSS Blacklist and OSS EOL policy -Learnings and take away from a major tech vendor

  June 12, 2017 14:00-15:30

•  NL

  Ozon: Running a Gap Bridging Cybercrisis Exercise

  Remon Klein Tank (SURFcert, NL)

  Remon Klein Tank (CEH/CISSP) is cyber security specialist at Wageningen University and Research and one of the ten members of SURFcert, the NREN CERT team in the Netherlands. Remon is in the program comity for SCIRT community, bringing cyber security experts within the SURFnet constituency together and facilitating the sharing of knowledge.

  In the morning of October 4th, a large number of public Dutch institutes got a threat mail from an idealistic movement that preach transparency and openness of information. They claimed to have obtained documented proof of malpractices within these organizations concerning mismanagement, questionable research and careless treatment of personal data. The initial reaction was a call to remain calm and alert. However, quite soon it proved not to be a small incident and board members, communications officers, lawyers and IT staff were mobilized. For over a day crisis management teams worked hard to get a grip on the situation and had to make difficult decisions. Three people were fired on the spot and an entire institution was disconnected from the Internet.

  Missed this in the news? That is correct. The above was a part of cybercrisis exercise OZON which was organized by SURFcert for their constituency. In total 27 organizations and over 200 people were participating, from IT to the board of directors. It was a hit. Crisis exercises outside of the IT department are traditionally focused on physical threats. Now all of our information is digitized, the resiliency of the organization also depends on the ability to handle a crisis that is born out of an IT security breach.

  This presentation will take you through the set-up of the OZON exercise, the scenario and the lessons learned. Additionally we can provide a playbook and the infrastructure we build, so you can run this exercise in your own organization.

  June 14, 2017 11:15-12:00

  Ozon-Running-a-Gap-Bridging-Cybercrisis-Exercise.pdf

  MD5: 994b893b3db3a802223d9648dd8018eb

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.82 Mb

•  US

  Panel Topic Friend or Foe? Named Flaws, the Impact to Your Products and Your Customers

  , Amy Rose (Lenovo, US), Art Manion (CERT Coordination Center (CERT/CC), US), Lisa Bradley (NVIDIA, US)

  Dr. Lisa Bradley is currently the Technical Program Manager for NVIDIA’s Product Security Incident Response Team (PSIRT). Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. She previously worked at IBM for 17 years and most recently as the PSIRT Program Manager and Team Lead. Lisa has been an active spokesperson for many tech related events, including: IBM InterConnect, 2016 FIRST Technical Colloquium in Raleigh, and the Security Journey White Belt modules. Lisa received her BA degree in both Mathematics and Computer Science from SUNY Geneseo. She then went on to receive her Masters and PhD in Applied Mathematics from NC State University. Outside of her main career, for the past 12 years, she has been a part-time professor at local universities. Lisa enjoys spending time with her husband, Jimmy, and three kids, James (9), Jesse (6) and Anna (4).

  Art Manion is the Technical Manager of the Vulnerability Analysis team in the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He has studied vulnerabilities and coordinated responsible disclosure efforts since joining CERT in 2001. After gaining mild notoriety for saying "Don't use Internet Explorer" in a conference presentation, Manion now focuses on policy, advocacy, and rational tinkering approaches to software security, including standards development in ISO/IEC JTC 1 SC 27 Security techniques. Prior to joining CERT Manion was the Director of Network Infrastructure at Juniata College.

  Amy Rose has been the Technical Project Manager for the Lenovo Product Security Incident Response team for two years, driving closure of security issues from a wide range of sources across all Lenovo products. Amy has a background in computer networking and customer support engineering for Lenovo desktops and servers. She has 6 patents granted and over 40 more patents pending with the US Patent Office covering a breadth of technologies, from servers to mobile devices, software and security.

  Beverly Finch is the Program Manager and Coordinator for the Lenovo PSIRT. Beverly built the Lenovo PSIRT from the ground up within a few months, obtaining buy in from all business executives and securing incident response support across all brands. With more than 20 years in the PC industry, Beverly has experience in many roles including Critical Situation Management, Software Development, Accessibility Compliance and Lean Six Sigma. A certified Project Management Professional, PMP®, Beverly brings value to Lenovo's PSIRT by applying project management and Lean Six Sigma methodologies to improve processes and communications across all teams.

  Moderator: Beverly Finch (Lenovo, US)

  Panelists: Lisa Bradley (NVIDIA, US), Amy Rose (Lenovo, US), Art Manion (CERT Coordination Center (CERT/CC), US)

  Heartbleed, ShellShock and Ghost. Do these named vulnerabilities make you want to hurl or are you thankful for them? This session will have a panel of PSIRT experts ready to discuss how these named vulnerabilities impacted their company, products, customers and their lives. We will also discuss the important things learned from dealing with named vulnerabilities and how to be prepared for the next one.

  June 13, 2017 16:30-17:30

•  US

  Panel Topic: Incident Response Providers: Casework Trends

  Robert FloodeenBrian Klenke (Morphick, US), Eric Szatmary (SecureWorks, US), Robert Floodeen (PwC, US)

  Brian Klenke is the Vice President of Services for Morphick. In this role, he leads a team of experienced incident responders, threat analysts, and threat intelligence experts that help organizations identify and respond to targeted cyber intrusions. Brian brings 17 years of information security experience to this position. Before joining Morphick, he was a Senior Cyber Intelligence Analyst for the Lockheed Martin CIRT. He was also instrumental in building the counter-APT program for General Electric's Aviation, Energy, and Transportation businesses. He has been a leading contributor to the counter-APT community within the Defense Industrial Base, organizing and leading cyber intelligence sharing events between the major defense contractors and the US intelligence community, including the DoD, FBI, USAF, and NCIS. Brian has presented on counter-APT techniques and initiatives to the CIO of the Pentagon, the Department of Defense Cyber Crime Center (DC3), and defense industry groups. Additionally, he has participated in meetings with senior cyber policy makers at the White House and Department of State.

  Eric Szatmary is the Future Operations Lead for SecureWorks IR services. In this role, Eric Szatmary leads the functional area focused on continuous improvement for current and emergent global IR service delivery capabilities. Previous roles at SecureWorks included serving as a Senior Security Consultant providing IR services, onsite assessment services, and security monitoring deployment services. Prior to joining SecureWorks in 2010, Eric Szatmary held various IT and security consulting, leadership, and technical staff positions over a 13-year time period in the private sector for consulting, financial services, healthcare, and manufacturing organizations.

  Robert Floodeen's bio coming soon.

  Cyber incident response providers handle a large number of incident response cases each year spanning numerous verticals. This level of exposure offers each provider unique perspectives on what is and is not working in cyber incident response practices for numerous environments. While a subset of details on these cases are published in threat advisories and individual provider casework reports, few outlets exist where accredited commercial incident response providers are publicly sharing observations from their collective casework. As a result, commercial incident response casework reports commonly suffer from various biases that result in incomplete perspective on trends for the greater incident response community to benefit from.

  The panelists would like to provide an overview of collective findings and indicators of trends observed over the previous calendar year.

  While the time slot precludes the session from being an overly technical presentation, there will be technical aspects of compromise scenarios, threat actor patterns, and sanitized victim details shared during the presentation.

  This panel can be viewed as a first step in establishing a focus area for FIRST to help bring together accredited commercial incident response service providers to regularly share casework perspectives and eventually casework datasets in a common format for the benefit of the FIRST community.

  In accordance with FIRST policy, the panel organizers will ensure this session is not a marketing presentation.

  June 14, 2017 16:00-17:00

•  US CA

  Panel Topic: Issues Surrounding Internet of Things (IoT) Security Upgradibility and Patching

  Allan FriedmanAllan Friedman (NTIA / US Department of Commerce, US), John Banghart (Venable LLP, US), Kent Landfield (McAfee, US), Vic Chung (SAP, CA)

  As Director of Standards and Technology Policy at McAfee, Kent is extremely active in the NIST Cybersecurity Framework, participating/presenting in workshops, global outreach, coordinating Intel’s and McAfee’s responses. He co-authored The Cybersecurity Framework in Action: An Intel Use Case and the IETF’s RFC 7203, An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information. He is Chair of the Information Sharing and Analysis Organization (ISAO) Standard Organization’s, Information Sharing Working Group. Previously Kent was the chief McAfee Labs Vulnerability Group Architect and a designated Principal Architect. A founding and current member of the CVE (Common Vulnerabilities and Exposures) Board, an OVAL Board member and active in Security Content Automation Protocol (SCAP), he holds patents in DNS, Email and software patch distribution.

  Dr. Allan Friedman is Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multistakeholder processes on cybersecurity, including initiatives on IoT security upgradability and vulnerability disclosure. Prior to joining the Federal government, Dr. Friedman spent over a decade as a noted cybersecurity and technology policy researcher at Harvard’s Computer Science department, the Brookings Institution, and George Washington University’s Engineering School. He has a degree in Computer Science from Swarthmore College, a PhD in Public Policy from Harvard University, and is the coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press, 2014).

  John Banghart is Venable's Senior Director for Technology Risk Management, with over two decades of federal government and private-sector experience in risk management, government policy, standards and regulatory compliance, and incident management. He currently co-chairs the NTIA Working Group on IoT Barriers and Incentives. As Director of Federal Cybersecurity at the White House National Security Council, he successfully led efforts to address significant and high-profile cybersecurity issues within major government programs and institutions while facing complex legal, technical, and political circumstances. Previously he led security vulnerability and automation research at the National Institute of Standards and Technology, was Senior Director of Trusted Engineering for Azure at Microsoft, and Director of Benchmark Development at the Center for Internet Security.

  Vic Chung is a Product Security Architect with SAP Global Security. Vic is responsible for case-management of vulnerabilities reported by hackers and is the lead in Americas. Prior to joining the security team, Vic managed intellectual property compliance for development teams globally and has deep expertise in technical program management. Vic has a Master’s degree in Information Systems from University of Toronto, Canada and a MBA in Technology Management from Open University Business School, UK.

  Given the rise of IoT, consumers are now playing an important role in cyber-attacks and defense. Our IoT infrastructure security (or lack thereof) can be instrumental in assisting or defeating efforts to protect consumers. This panel consists of industry practitioners, policy advocates, and security researchers discussing the effect of consumer IoT on incident response and security. The ultimate objective is to foster an ecosystem offering more devices and systems that support security upgrades while increasing consumer awareness and understanding. One idea is to enable a thriving market differentiator for patchable IoT with common definitions for manufacturers and solution providers. Shared visions for security upgradability are needed so consumers know what they are purchasing. No such commonly accepted set of definitions or vision exists. Manufacturers struggle to effectively communicate to consumers the security features of their devices. This panel will explore and map out the many dimensions of security upgradability and patching for the relevant systems and applications. Definitions that are easily understandable, while being backed by technical specifications and organizational practices will be discussed. The panelists hope to share these definitions and ideas throughout the broader IoT development and incident response communities, and ultimately with consumers.

  June 14, 2017 16:00-17:00

  Panel-Topic-Issues-Surrounding-Internet-of-Things-IoT-Security-Upgradibility-and-Patching.pdf

  MD5: 966c65d23fa3c5b0eab2ca1310edfbcc

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 589.7 Kb

•  US CN MY

  Panel Topic: Mirai: How Did We Do?

  Merike KaeoMerike Kaeo (Farsight Security, US), Yiming Gong (Qihoo 360, CN), Chris Baker (Dyn, US), Martin McKeay (Akamai, US), Megat Muazzam Bin Abdul Mutalib (MyCERT, MY)

  Merike Kaeo is the CTO of Farsight Security, where she is responsible for developing the company’s technical strategy and executing its vision. Previously, Merike was CISO for Internet Identity (IID), where she created the strategic direction for improving and evolving the corporate security posture, and founder of Doubleshot Security, where she worked with numerous companies creating strategic operational security and resilient networking architectures. She led the first security initiative for Cisco Systems in the mid 1990s and authored the first Cisco book on security—translated into more than eight languages and leveraged for prominent security accreditation programs such as CISSP. She is on ICANN’s Security and Stability Advisory Council (SSAC) and the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC). Merike earned a MSEE from George Washington University and a BSEE from Rutgers University.

  Yiming Gong has been in the security industry for over 19 years, and currently is the Director of the Network Security Research Lab at Qihoo 360, where his team focuses on security data related research, and runs a few big platforms such as PassiveDNS, botnet C2 tracking system, scanmon and ddosmon as well. Check out http://netlab.360.com for more details.

  Chris Baker is an Internet cartographer, data analyst, and wanderlust researcher at Dyn / Oracle, where he is responsible for an array of data analysis and research projects ranging from trends in the DNS to Internet measurement and infrastructure profiling. Previously, Chris worked at Fidelity Investments as a senior data analyst. He graduated from Worcester Polytechnic Institute with a master’s degree in system dynamics and a bachelor’s degree in management of information systems and philosophy.

  Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. Martin is a senior editor of Akamai’s State of the Internet Security Report, Akamai’s quarterly report on DDoS and other threats. Three years ago Martin moved his family to the UK in order to help Akamai reach the European audience.
  With over fifteen years of experience in the security space and five years of direct Payment Card Industry work, Martin has provided expertise to hundreds of companies. He has spoken at events in the US, Europe, Asia and Australia, including RSA, Black Hat, Defcon and FIRST. He is a member of Europol’s European Cybercrime Center Internet Advisory Committee.

  The Mirai botnet created global awareness of the increasing impact of IoT device insecurity and the ability to weaponize such devices for DDoS attacks of unprecedented size and impact. This panel will discuss Mirai’s effects and the global CSIRT response to them: Who was affected? What information was available before the more significant attacks happened? Which CSIRTs were able to effectively disseminate remediation information? What could the community have done better?

  June 13, 2017 11:45-12:45

  Panel-Topic-Mirai-How-Did-We-Do.pdf

  MD5: 17edc4fff097b9ba8dc6388f7421a5f7

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.29 Mb

•  MY

  Practical Workflow for Automation and Orchestration of Addressing Cyber. Threat: Case Study of Mirai Botnet in Malaysia

  Megat Muazzam Abdul Mutalib (CyberSecurity Malaysia, MY)

  Megat Muazzam Abdul Mutalib is Head of the Malaysia Cyber Emergency Response Team or in short, MyCERT – a department within CyberSecurity Malaysia. He is responsible in Cyber999 Incident Handling and Emergency Response daily operation, which primarily focuses on incident alert or threat issue, related to Malaysia constituency and the Malware Research Centre. He has various experiences in IT security field such as network security, penetration testing, web security, malware research and honeypot technology. He is recognised for his capability of conducting numerous training and talks for various organisations locally and internationally on topics ranging from introduction to advanced security courses. He holds a Degree in Computer Science from University Putra Malaysia (UPM) and has wide experience in IT Security for more than 10 years. Actively involves in Cyber Early Warning System project, focusing in the areas of perimeter defense, detection and intrusion analysis. He is the GIAC Certified Intrusion Analyst (GCIA) and Certified Penetraton Tester (GPEN).

  The ever-increasing scale, complexity and globalization of cyber attacks require quick detection and eradication of the attacks based on how the information is disseminated across CSIRTS and PSIRTs globally. Having structured information that can be delivered in quick manner is important for quick eradication and mitigation of cyber attacks. In this way it saves time and effort in incident response and post-mortem analysis.

  Traditional way of delivering threat intelligent information has limitations that effects the quick response of incidents that may consequently affect immediate preventions of attacks at global. Thus, the need for automation and orchestration of Threat Intelligent Information is critical for quick remediation and eradication of large-scale attacks, at global level, which will be presented in our presentation.

  The key points to highlight in this presentation are:

  The important roles of CSIRTs and PSIRTs in eradicating and mitigating large-scale cyber attacks on a global level. Share our workflow that illustrates how Threat Intelligent Information is delivered with automation and orchestration for quick and efficient Incident Response. Share our in-house developed tools and applications that we used for automation and orchestration of Threat Intelligent Information delivery for effective mitigation of large-scale global cyber attacks.

  Another important factor to address cyber threats on how we use Threat Intelligent Information process to secure our own environment through various blocking, filtering as well as creating a repository of knowledge base index for research analysis and future reference and as a mean to increase our preparedness in facing new and large-scale cyber attacks. Share the work taken by us to further study the behavioral and anatomy of an incident so as to propagate and reduce the effect of similar type of incident in the future.

  To prove that the workflow has worked for us, we will highlight a case study on successful Mirai eradication activities in using automation and orchestration of Threat Intelligent Information. This includes how MyCERT received the Threat Intelligent Information on Mirai botnet infected IPs in Malaysia, identification of the infected devices in our constituency until successful takedown of the botnets in Malaysia, which in overall helped to mitigate Mirai botnet infection at the global level.

  The presentation hopes to give new insights into the automation and orchestration of Threat Intelligent Information for a comprehensive and global mitigation of new and large-scale cyber attacks.

  June 13, 2017 11:15-11:45

  Practical-Workflow-for-Automation-and-Orchestration-of-Addressing-Cyber.pdf

  MD5: 70030cd97198a2545d842413baa1c528

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 5.6 Mb

•  US

  Privacy Incident Management: It’s Not Just Security Any More

  Andy Bohm (Google, US)

  Andy Bohm has spent over twenty years working in Information Technology, focusing in Platforms, Network Engineering and most recently in Privacy Engineering. He is NOT a lawyer, because Privacy is an Engineering problem, and if you’re focusing solely on the legal aspects, you’ve got a bigger problem.

  You’ve already got a plan for security, but what about Privacy? Aren’t they the same thing? Can you have a Security incident without Privacy implications? Can you have a Privacy incident without Security implications? We’ll discuss why these two things might not be the same and how responses and investigations may differ between the two.

  June 13, 2017 14:00-14:45

•  US

  PyNetSim: A Modern INetSim Replacement

  Jason Jones (Arbor Networks ASERT, US)

  Jason Jones is the Security Architect for Arbor Networks' ASERT team. His primary role involves reverse engineering malware, development of internal malware processing infrastructure, and other development tasks. Jason has spoken at various industry conferences including BlackHat USA, FIRST, BotConf, REcon, and Ruxcon.

  Analyzing malware comes with many challenges, one of the common being dealing with network-related issues. Command and control servers may be non-responsive, domain names may no longer be valid, corporate policy may prohibit direct contact with malicious entities and / or the malware may need to have valid contact to fully unpack itself in memory for further static analysis. In these cases, having a host that can act as a gateway and spoof any address requested becomes necessary to achieve the various goals of analysis and is the reason for PyNetSim's existence.

  PyNetSim is intended to a modern replacement for the outdated INetSim and an alternative to the Windows-based FakeNet-NG. PyNetSim will a similar feature-set as these tools as well as dynamic protocol detection to account for protocols on non-standard ports, dynamic TLS/SSL support and also support specific botnet protocols via a pluggable architecture.

  June 16, 2017 11:15-11:45

  PyNetSim-A-Modern-INetSim-Replacement.pdf

  MD5: a9e8eafe848fffd1a2317fb06386889c

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 3.04 Mb

•  US

  Remediation Ballet: Choreographing Your Team To Victory

  Matt Linton (Google, US)

  Matt Linton is a security generalist and DFIR specialist with 18 years of experience breaking, fixing, and laughing at computers. He is formally trained in Disaster Management and has 20 years of experience as an emergency responder with various fire departments and USAR teams. Currently with Google and formerly with NASA, he has attacked and defended environments large and small, near and very, very far away. He is still uncomfortable referring to himself in the third person.

  The security industry focuses a great deal on defense, detection and investigation of advanced threats, but the red team always wins in the end. Once an attacker is on your network, it’s imperative to quickly get them back out! This talk explores how Google performs incident management and remediation at scale, adapting the techniques of disaster management professionals and modern open source tools to achieve lightning-fast, efficient response cycles and push the envelope in the field of Incident Response.

  June 13, 2017 14:45-15:30

•  NL

  Revising the TLP - Lessons Learned

  Don StikvoortDon Stikvoort (Open CSIRT Foundation, NL)

  Don Stikvoort is a theoretical physicist who was one of Europe's Internet pioneers since 1988. Since 1992 he has been a member of FIRST in various capacities - right now he is Liaison Member, and the co-chair of the TLP SIG. Together with Klaus-Peter Kossakowski he started the European cooperation of CSIRTs in 1993 that later led to TF-CSIRT and the Trusted Introducer. Don leads his own company, specialising in security management and community building - but is also a certified master trainer and executive coach. His CSIRT specialty is the topic of governance and maturity - he is the lead author of the SIM3 maturity model. Don is the Chairman of the Board of the Open CSIRT Foundation, and regularly gives keynote talks, in which he challenges his audiences to think outside the box and assume full responsibility for their work, in the context of society and the humans that make up society.

  Review of what we did with TLP and learned on the way

  June 13, 2017 17:00-17:30

•  BR

  Rio 2016 Olympic CSIRT - Creation, Operation and Lessons Learned

  Romulo Rocha (Former Rio2016 Commitee and now Tempest Security Intelligence, BR)

  Romulo Rocha was part of Rio 2016 Olympic Committee, being responsible for designing,building and acting as incident response leader in CSIRT during olympic games. Romulo has technical knowledge in incident response, data analysis and architecture of IT environments. Graduated in System analysis and development with post-graduation in information security at UFRJ (Rio Federal University), been part of Information Security market for 10 years, working in multiples companies in Brazil.

  This is a talk filled with good stories about our journey to establish a CSIRT team for Rio 2016 Olympic Games. A big and ambitious project, with multiple challenges, and a very limited time to put it alive. The participants will see how was our operations during Olympics, photos from our Technology Operations Center, number of incidents, examples of incidents, threat intel timeline and lessons learned from this athletic journey. This presentation provides insights on:

  • How was our strategy to put our team ready for the games;
  • CSIRT timeline (creation, important dates, highlights, life cycle);
  • Our preparation using Cyber Wargames exercises;
  • Challenges when dealing with rapid environment growth, government agencies, and third-party companies;
  • Threat intel timeline and importance for our CSIRT;
  • Lessons learned;

  June 16, 2017 11:15-11:45

  Rio-2016-Olympic-CSIRT-Creation-Operation-and-Lessons-Learned.pdf

  MD5: 9450ae2992ea61c50be0f7a895cc3d23

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.12 Mb

•  JP

  SDN Control System Based on Threat Level of Shared Information

  Takuho Mitsunaga (The University of Tokyo, JPCERT/CC, JP)

  Dr. Takuho MITSUNAGA Project Associate Professor, Graduate School of Interfaculty Initiative in Information Studies, The University of Tokyo. He is also Technical Advisor at Watch and Warning Group, JPCERT/CC

  After completing his degree at Graduate School of Informatics, Kyoto University, Mr. Mitsunaga worked at the front line of incident handling and penetration test at a security vendor. In FY 2010, he led an R&D project of the Ministry of Trade, Economy and Industry (METI) for encryption data sharing system for cloud with an efficient key managing function. He has been a member of Watch and Warning Group of JPCERT/CC since April 2011, where he is engaged in cyber attack analysis including APT cases. He has also contributed in some cyber security related books as coauthor or editorial supervisor including “Information Security White Paper 2013”.

  Proxy log and Firewall log collection is commonly practiced at many organizations mainly for incident handling purposes. Network packets are also important for effective incident analysis. However, its retention and storage could be difficult due to its high volume.

  On the other hand, opportunities for information exchange using STIX and other formats at cyber security related communities have been increasing. However, such information may not be readily actionable – its threat level and other possible impacts need to be judged before recipient organizations take actions based received information. For example, organizations who obtained a list of malicious IP addresses cannot immediately block corresponding communication since this action may cause possible impact on the business/network operation.

  As a breakthrough of such problems, The University of Tokyo developed “Network Control System based on Shared Information” by combining Software Defined Networking (SDN) and STIX. This is a new idea that Software Defined Networking (SDN) is made use of for CSIRT activities.

  The system judges the threat level of information in STIX files based on its categories and tags, and then provides routing configurations to SDN controllers correspond to the threat level as follows:

  1. Black (Risk: High) – Block communication immediately
  2. Gray (Risk: Medium) – Take network capture
  3. White (Risk: Low) – Maintain normal routing

  By providing different configurations, network load would not increase unnecessarily, and thus impact on the business/network operation would remain low. This system provides a proactive approach for incident handling, enabling network forensics based on the captured data in case of incidents.

  The University of Tokyo operated verification tests of the system which proved its reliability and effectiveness in terms of behavior in increased network load and application into incident handling procedures etc. This presentation will demonstrate how this system operates and how it can be integrated into CSIRT operation.

  June 12, 2017 16:00-16:30

•  US

  Steel Sharpens Steel: Using Red Teams to Make Blue Teams Better

  Christopher Payne (Target, US)

  Chris is a Director of Cyber Security at Target. In his role, Chris has responsibility for Incident Response, Compliance Monitoring, Adversary Simulation, and Cyber Hunting across the Target enterprise. In addition, Chris founded the annual cyber security conference GrrCON. Chris is a former adjunct professor and has earned a Master’s degree in Information Assurance, a Bachelor’s degree in Network Security, a Bachelor’s degree in Computer networking, and is currently finishing his MBA in Strategic Management from Davenport University. Chris has also achieved a myriad of industry certifications. Chris is an international speaker on information security topics and has been featured by multiple television, radio, internet and print organizations.

  Understanding, anticipating, and identifying the wide array of evolving threats facing organizations today requires well-developed skills, experience, and analytical prowess. Table top exercises and expensive training courses can only get you so far. There is no better training method than creating real world quality adversarial sparring within the control of your own enterprise. Current Incident Response programs can integrate Red team exercises to simulate an adversary’s mindset and tactics, techniques, and procedures (TTPs) to mature processes, validate system protections and enhance the skills of staff. Adaptive red team exercises create a cycle of rapid improvement in both detection and response within today’s Blue Team programs. We will discuss real world examples to find deficiencies in staff skills, processes, and technologies. Along with the metrics and data to back it up.

  June 14, 2017 12:00-12:45

• The Arrr in PSIRT

  Beverly Finch is the Program Manager and Coordinator for the Lenovo PSIRT. Beverly built the Lenovo PSIRT from the ground up within a few months, obtaining buy in from all business executives and securing incident response support across all brands. With more than 20 years in the PC industry, Beverly has experience in many roles including Critical Situation Management, Software Development, Accessibility Compliance and Lean Six Sigma. A certified Project Management Professional, PMP®, Beverly brings value to Lenovo’s PSIRT by applying project management and Lean Six Sigma methodologies to improve processes and communications across all teams.

  Who determines what a reasonable remediation timeline is for an issue? And how does an organization track and enforce it? In this talk, I will explain some issues our PSIRT encountered with respect to time to fix and the resulting SLO (Service Level Objective) and how we are pushing the industry to respond faster. I'll also provide a view of our dashboard template for metrics tracking & reporting explaining how each metric is important to both our customers and what it means to us internally.

  June 13, 2017 11:45-12:15

  The-Arrr-in-PSIRT.pdf

  MD5: b5024ce848d623c42e4564d33c4aedc8

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.56 Mb

•  US

  The Art of the Jedi Mind Trick: Learning Effective Communication Skills

  Jeff Man (Cybrary.it, US)

  Jeff Man is a respected Information Security expert, adviser, and evangelist. He has over 33 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Earlier in his career, Jeff held security research, management and product development roles with NSA, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty years, Jeff has served as a pen tester, security architect, consultant, QSA, and PCI subject matter expert, providing consulting and advisory services to many of the nation's best known brands.

  The hacker/security community continues to struggle with how to get our message across to others. We know what’s wrong, what’s insecure, and what needs to be done to fix the problems. BUT…we seem to hear more stories about failure rather than success stories. Maybe WE are part of the problem. It’s easy to give a talk at a conference where you’re “preaching to the choir” and everyone speaks your language, but how do you fare when you are trying to give the message to your boss, or your bosses’ boss, or C-Level management?

  This workshop/course will explore a variety of techniques that I’ve learned over my 20+ years of consulting/advising customers about how to get the right message to the right people so real change happen.

  Topics will include:

  overcoming obstacles, roadblocks and challenges; getting past bad attitudes and misunderstandings (yours and theirs); practical methods for getting your point across; helping others to understand what you are saying; learning to speak their language (e.g. non-technical); and helping your audience draw the desired conclusion. Students will have numerous opportunities to speak – both in small groups and also making a presentation to the entire class. We’ll discuss techniques and methods and then practice them, or we’ll attempt some form of communication and then critique how well we do. Students will be expected to evaluate each other on how well we are communicating or putting the techniques into practice, and will provide constructive feedback, share ideas, and collaboratively work together to make everyone a better communicator.

  Effective communication, particularly persuasive speech, is part art and part science – and maybe a little luck. I believe there are skills/techniques you can learn that will make you a successful communicator and help you get your message heard.

  June 15, 2017 14:00-15:30

  The-Art-of-the-Jedi-Mind-Trick-Learning-Effective-Communication-Skills.pdf

  MD5: ea851c50c9c71531e036ef24001e0a4a

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 7.71 Mb

•  US

  The Budding World of Cloud Storage Abuse and Exploitation : A Technical Deep Dive

  Aditya K SoodAditya K Sood (BlueCoat, A Symantec Company, US)

  Dr. Sood works as a Director of Security and Cloud Threat Labs at Blue Coat Systems, a Symantec Company. Dr. Sood has research interests in cloud security, malware automation and analysis, application security, secure software design and cyber security. He has worked on a number of projects pertaining to penetration testing specializing in product/appliance security, networks, mobile and web applications while serving Fortune 500 clients for IOActive, KPMG and others. He is also a founder of SecNiche Security Labs, an independent web portal for sharing research with security community. He has authored several papers for various magazines and journals including IEEE, Elsevier, CrossTalk, ISACA, Virus Bulletin, Usenix and others. His work has been featured in several media outlets including Associated Press, Fox News, The Register, Guardian, Business Insider, Kaspersky Threatpost, CBC and others. He has been an active speaker at industry conferences and presented at BlackHat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP and many others. Dr. Sood obtained his Ph.D from Michigan State University in Computer Sciences. Dr. Sood is also an author of "Targeted Cyber Attacks"​ book published by Syngress. He also sits on the review board of "CrossTalk - Journal of Defense Engineering", a publication sponsored by Department of Homeland Security (DHS) and NavAir.

  Cloud storage usage is increasing rapidly. The attackers are using cloud applications as launchpads for triggering cyber attacks on the Internet. It has become indispensable for enterprises to keep track of the active cloud applications in the network for detecting malice. With that, threats from malicious insiders, attackers and naive users are increasing that are putting organizations at risk.

  Cloud apps are heavily used for cloud storage purposes and adopted by millions of users for routine work. No doubt cloud apps have revolutionized the cloud computing technology by providing users with an ease of usability and portability for storing, managing and distributing documents over the cloud. However, with every technology, threat accompanies. Cloud apps functionalities have been exploited and abused by attackers to conduct targeted cyber attacks. In general, this problem is not specific to a region rather it’s a global issue. Cloud apps abuse and exploitation could have severe impact on the end-users as it highlights that cloud platforms are not immune against cyber-attacks. Elastica Cloud Threat Labs analyzes large chunks of data shared on cloud apps on regular basis. In this talk, we cover real life case studies including demonstrations to highlight how attackers have abused cloud apps for nefarious purposes such as conducting drive-by download attacks, advanced spear Phishing, malware distribution, DDoS and many others. We will also discuss how cloud apps security protections can be bypassed to distribute malware. At last, we will discuss security solutions that are required to protect users against cyber attacks to restrict the abuse of cloud apps.

  June 14, 2017 12:00-12:45

•  NO

  The Incident Responder and the Half Year APT

  Dr. Martin EianJon Røgeberg (mIRT/mnemonic AS, NO), Dr. Martin Eian (mnemonic, NO)

  Dr. Martin Eian works as a Senior Security Analyst in mnemonic's Threat Intelligence group, and he is the Project Manager for the research project "Semi-Automated Cyber Threat Intelligence". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is an Adjunct Associate Professor at the Department of Telematics, NTNU. He is also a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from the Norwegian University of Science and Technology (NTNU).

  Jon Røgeberg works as the Manager for mnemonic’s Threat Intelligence group. He is also the Operational Manager of mnemonic IRT and responsible for Forensics in mnemonic. He has 10 years’ experience with Incident Response ranging from virus outbreaks, opportunistic crime, targeted crime and advanced targeted attacks.

  During a prolonged incident response contract with a customer, mnemonic was able to study an APT actor closely over a time span of six months. During this talk you will be given the result of an analysis of over 12.000 commands issued by the attacker, with some surprising insights into adversary operator behavior.

  June 14, 2017 14:45-15:30

•  US CR

  The Ransomware Odyssey: Their Relevance and Their Kryptonite

  Marco Figueroa (Intel, US), Ronald Eddings (Intel, US), Sue Ballestero (Intel, CR)

  Marco Figueroa is a senior security analyst at Intel whose technical expertise includes reverse engineering of malware, incident handling, hacker attacks, tools, techniques, and defenses. He has performed numerous security assessments and responded to computer attacks for clients in various market verticals. A speaker at Defcon, Hope and other Security and Hacker Conference.

  Ronald Eddings is a Cyber Fusion Analyst at Intel with a diverse background in Network Security, Threat Intelligence, and APT Hunting. Mr. Eddings has created a wide variety of security tools in efforts to automate the identification of malicious activity. Additionally, Mr. Eddings has leveraged user behavior analytics to identify and track anomalous network activity.

  If the multiple high profile Ransomware in the last couple of years wasn’t a wake-up call to enterprises that Ransomware can infiltrate enterprise networks and compromise the most secure networks in the world, then certainly the recent string of Ransomware that has hit infrastructures like the SF MTA, Megent System or Methodist Hostpital. Once an enterprise gets infected with Ransomware, the potential of the other organization's system being infected are high. Enterprise admins know that backups of systems are essential to business and productive continuity of employees, but the initial infection is the problem we take aim on preventing the initial infection. This talk aims to describe manners in which we have addressed this issue and how we view these Ransomware threats.

  Over the last few years, Intel has built up our threat intelligence tracking of APT campaigns and Ransomware Families. We will conclude with how we are further automating the capabilities and, in an unconstrained world, where the Ransomware authors will be targeting next. We will also discuss the cutting-edge techniques ransomware authors will be using in the future and the crippling effects it will have in different market verticals.

  June 12, 2017 12:00-12:45

  The-Ransomware-Odyssey-Their-Relevance-and-Their-Kryptonite.pdf

  MD5: ab25f43a681bf6f80b38e6ae0b0d0d9c

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 7.94 Mb

•  FR

  TheHive: a Scalable, Open Source and Free Incident Response Platform

  Saâd KadhiSaâd Kadhi (Banque de France, FR)

  Saâd Kadhi, head of CERT Banque de France, has over 18 years of experience in cybersecurity.

  He discovered incident response and digital forensics in early 2008 and has been working exclusively in this fascinating field since then. He built a CSIRT at a French multinational food-products corporation and worked as an analyst at CERT Société Générale before joining the French national central bank where he leads a team of 20 analysts. He frequently writes information security articles in a leading French magazine. He also co-organizes the Botconf security conference.

  TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

  • Collaborate - Collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker, thanks to the Flow.

  • Elaborate - Within TheHive, every investigation corresponds to a case. Cases can be created from scratch and tasks added on the go and dispatched to (or taken by) available analysts. They can also be created using templates with corresponding metrics to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks.

  Each task can have multiple work logs where contributing analysts may describe what they are up to, what was the outcome, attach pieces of evidence or noteworthy files, etc. Markdown is supported.

  • Analyze - You can add one or hundreds if not thousands of observables to each case that you create. You can also create a case out of a MISP event since TheHive can be very easily linked to your MISP instance should you have one. TheHive will automatically identify observables that have been already seen in previous cases.

  Observables can also be associated with a TLP and their source (using tags). You can also easily mark observables as IOCs and isolate those using a search query and export them for searching in your SIEM or other data stores.

  TheHive comes also with an analysis engine. Analyzers can be written in any programming language supported by Linux to automate observable analysis: geolocation, VirusTotal lookups, pDNS lookups, Outlook message parsing, threat feed lookups, ...

  Security analysts with a knack for scripting can easily add their own analyzers (and contribute them back to the community since sharing is caring) to automate boring or tedious actions that must be performed on observables or IOCs. They can also decide how analyzers behave according to the TLP.

  June 15, 2017 14:00-14:45

  TheHive-a-Scalable-Open-Source-and-Free-Incident-Response-Platform.pdf

  MD5: 16620214533d9745698abf1eeafc2849

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 4.03 Mb

•  US

  These Aren't The IR Processes You're Looking For

  Jake Kouns (Risk Based Security, US)

  Jake Kouns is the CISO for Risk Based Security that provides vulnerabilities and data breach intelligence. He previously oversaw the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB. Mr. Kouns has presented at many well-known security conferences including RSA, Black Hat, DEF CON, DerbyCon, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, InfoSecWorld, SOURCE and SyScan; and cyber liability forums such as AAMGA events, ACI’s Cyber and Data Risk Insurance, NetDiligence’s Cyber Risk & Privacy Liability Forum and PLUS.

  Jake has briefed the DHS and Pentagon on Cyber Liability Insurance issues and is frequently interviewed as an expert in the security industry by Information Week, eWeek, Processor.com, Federal Computer Week, Government Computer News and SC Magazine. He has appeared on CNN as well as the Brian Lehrer Show and was featured on the cover of SCMagazine. Jake is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

  Many people believe that there are only two types of companies: those that have been hacked, and those that will be. It doesn’t matter what industry or the size of an organization, as no company seemed to be immune to data breaches. More businesses are coming to this conclusion every day and have started to purchase Cyber Liability Insurance in case of a data breach.

  This session will provide information on the current data breach landscape and then a behind the scenes look into Cyber Liability insurance and discuss how this coverage is being integrated into a risk management plan. Information Security professionals and responders are in many cases unaware of how the insurance process works when there is a data breach and do not understand the requirements that can affect the incident response process.

  With the rise of Cyber Insurance, incident responders need to understand how this impacts them and their processes. Real data breach examples will be dissected and then mapped to insurance coverage to outline the response and claims process.

  June 13, 2017 16:00-16:30

•  US

  Things That Make You Go HMM: Using a Simple Hunting Maturity Model to Establish and Improve your Threat Hunting Program

  David J. BiancoDavid J. Bianco (Target, US)

  David has over 20 years experience in the information security field, with the last 15 focusing on incident detection and response. He is active in the DFIR and Threat Hunting community, speaking and writing on the subjects of detection planning, threat intelligence and threat hunting. He is the principal contributor to The ThreatHunting Project (http://ThreatHunting.net) and a member of the MLSec Project (http://www.mlsecproject.org). You can follow him on Twitter as @DavidJBianco or subscribe to his blog, "Enterprise Detection & Response" (http://detect-respond.blogspot.com).

  A CISO that's heard that her organization needs to "get a hunt team" may legitimately be convinced that an active detection strategy is the right move, and yet still be confused about how to describe what the team's capability should actually be. Organizations who are already doing some sort of hunting may be able to describe their current capabilities yet wonder “Where do we go from here?”

  This talk first presents a simple Hunting Maturity Model (HMM), discussing the key characteristics and capabilities at each maturity level. Next, we use this model to show an appropriate maturity goal for a brand new capability, and then examine step-by-step what it takes to transition to each of the next levels. We’ll clear up the initial confusion about getting started and offer a roadmap for improvement. At the end of this presentation, attendees will understand what hunting is, what a good hunting capability looks like, and how to move from where they are to where they want to be.

  June 13, 2017 14:00-14:45

  Things-That-Make-You-Go-HMM.pdf

  MD5: 0a5745ad2a4aacdf6c062db58d01596c

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.93 Mb

•  US

  THINKPWN: PSIRT Case Study of a Zero-Day

  Amy Rose (Lenovo, US)

  Amy Rose has been the Technical Project Manager for the Lenovo Product Security Incident Response team for two years, driving closure of security issues from a wide range of sources across all Lenovo products. Amy has a background in computer networking and customer support engineering for Lenovo desktops and servers. She has 6 patents granted and over 40 more patents pending with the US Patent Office covering a breadth of technologies, from servers to mobile devices, software and security.

  With all of the attention users pay to updating their computer’s software, when was the last time you updated your computer’s BIOS – the embedded software that makes the whole system work? We propose to discuss a zero-day vulnerability that received a lot of attention in the media – the ThinkPWN BIOS vulnerability - and the steps that Lenovo and the industry took to fix a serious issue overlooked for years.

  We plan to briefly discuss the mechanics of the vulnerability and the multiple-vendor nature of today’s computer BIOS, but then would like to concentrate on the timeline of the event and how our Product Security Incident Response team dealt with the fallout. This issue was discovered by a researcher who posted his findings on twitter and his blog without a coordinated disclosure, and we will discuss the challenge of getting multiple teams and third party companies (for example code from a leading CPU supplier as well as our independent BIOS vendors) to find and fix the problem once the proof of concept had already been released and how we dealt with the media attention and pressure from our customers as a result.

  We will discuss how this turned from a Lenovo-specific discovery (hence the name “ThinkPwn”) into an industry-wide issue crossing multiple layers of the supply chain. The root of the problem was in a piece of source code written by a leading CPU supplier many years ago and used in various vendor BIOSes, and we will talk about responses from other vendors.

  This presentation could help other companies who have not dealt with a high media impact zero day vulnerability, and it could foster a discussion about how various companies deal with zero day vulnerabilities and researchers who do not want to coordinate disclosures.

  June 14, 2017 11:15-12:00

•  NO

  Threat Ontologies for Cyber Security Analytics

  Dr. Martin EianDr. Martin Eian (mnemonic, NO)

  Dr. Martin Eian works as a Senior Security Analyst in mnemonic's Threat Intelligence group, and he is the Project Manager for the research project "Semi-Automated Cyber Threat Intelligence". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is an Adjunct Associate Professor at the Department of Telematics, NTNU. He is also a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from the Norwegian University of Science and Technology (NTNU).

  The proposed presentation will give the latest research results from both TOCSA and ACT. We presented the preliminary results from both TOCSA, ACT and Oslo Analytics in the conference STIDS2016 in Washington DC in November 2016. The presentation we propose to FIRST 2017 will contain a detailed description of the threat ontology described as an example in [1], and also present the graph database and the added content. The presentation will go further into detail on the use cases where this ontology will add value. Example use cases including:

  • Incident Response (attribution of incidents as guidance to evidence collection)
  • Threat Hunting (identify presence of known actors in home environment)
  • SOC Analyst (especially to classify incidents as targeted or not targeted)
  • Threat intelligence analyst (RFI)

  June 12, 2017 14:00-14:45

  Threat-Ontologies-for-Cyber-Security-Analytics.pdf

  MD5: 5fe664d2689005ffdd94b24dbd4d9812

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.13 Mb

•  CH

  Trust Nothing: Google's Approach to Enterprise Security in Forensic Context

  Jan Monsch (Google, CH)

  Jan is Staff Security Engineer and member of Google's Infrastructure Protection team. He previously was tech lead on machine identity and inventory on the BeyondCorp effort and is currently leading the efforts to improve firmware security, verification and transparency.

  Prior to joining Google in 2010, he was Senior Security Analyst at Compass Security AG and Software Engineer at Entrust Technologies. He has a bachelor’s degree in electrical engineering from the Zurich University of Applied Sciences and a master’s degree with honors in security and forensic computing from the Dublin City University.

  Virtually every company today enforces perimeter security through firewalls. This is a flawed approach since an attacker can move with relative ease on the network once the perimeter is breached. As mobile and cloud technologies continue to evolve, this enterprise security model becomes increasingly more difficult to enforce. Google takes a different approach through their BeyondCorp model, which removes implicit network trust and brings corporate applications to the Internet. This talks introduces the BeyondCorp model, how the notion of trust is approached, how device inventory ties into it and what chances and challenges the model brings to forensic capabilities.

  June 13, 2017 12:15-12:45

•  PL

  Trying to Know Your Own Backyard (A National CERT Perspective)

  Paweł PawlińskiPaweł Pawliński (CERT.PL / NASK, PL)

  Paweł Pawliński is a principal specialist at CERT.PL, leading the Analytical Projects Team, within Research and Academic Computer Network, Poland (NASK). His interests include tracking all kinds of threats, data analysis and automation. Among other things, he is responsible for the design and implementation of the n6 platform for sharing security-related data. He was also the lead author of the ENISA good practice guide for CERTs on processing and sharing of information ("Actionable Information for Security Incident Response") published in 2015.

  Is it possible to get information on a large constituency without relying on vendors, "threat intelligence providers" or other third parties? This presentation will describe multiple attempts of CERT.PL at monitoring threats at scale and explain the outcomes.

  Over the years we have run multiple projects and developed tools in attempt to obtain information that might be valuable for our constituency, to track activities related to our operations or just because it looked like an interesting piece of research. This talk will summarize most of our major initiatives in the last 10 years and show what worked in practice and what did not.

  Ultimately, this will be a "lessons learned" talk, aimed at showing the ways a CERT can gain true insights into current threats to its constituency (with a strong bias towards automation). Our failures will be analyzed as well, in order to identify the approaches that do not yield useful results.

  Projects that will be mentioned during the presentation include server- and client- side honeypots, early warnings systems, information exchange platforms, sensor networks and malware analysis systems. It will be shown how some of the popular terms like situational awareness, metrics, web-scale, big-data and automation fit the everyday reality of a CERT working at a national scale.

  June 12, 2017 16:00-16:30

•  US

  Update on PSIRT/CSIRT Services Framework

  Peter AllorPeter Allor (Red Hat, US)

  Peter Allor is the Executive Cyber Security Strategist for IBM Security. He is instrumental in IBM's strategy and development of products and services for securing Critical Infrastructure Organizations and Government Operations. He focuses on developing solutions that integrate the full spectrum of security operations supporting the business and addressing risk.

  Peter project manages disclosure of vulnerabilities and external malware coordination for IBM and the IBM Security X-Force Researchers.

  Peter is the Vice-Chair on the Executive Committee Member of the Information Technology - Sector Coordinating Council (IT-SCC). Peter is one of the initial members to the Board of Advisors for the Global Forum on Cyber Expertise (GFCE), focusing on expanding Cyber Capacity Building on a global scale.

  Peter is the President and a Member of the Board of Director representing IBM to the Industry Consortium for Advancement of Security on the Internet (ICASI). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency he assisted in developing recommendations for the Public and Private Sectors to work collaboratively on Cyber Security. He is a member of the Steering Committee for Diabetes Technology Society working on Protection Profiles for Medical Devices (Blood Glucose Monitors and Insulin Pumps) for the past year. Peter was recently a Member, Board of Director of the Forum of Incident Response and Security Teams (FIRST) and is the Education Advisory Board Chair for developing Services Frameworks for Computer and Product Incident Response Teams (CSIRT and PSIRT).

  After a year of long reviews and drafting by PSIRTs from open and closed source vendors of all sizes and input from other response teams the PSIRT Services Framework has made great progress. This session allows all interested parties to discuss the PSIRT Services Framework draft. We will show the similarities and differences in regard to the CSIRT Services Framework. We will also discuss the need to review the CSIRT Services Framework and to incorporate lessons learned in better organizing and drafting (writing) of a Framework to base further training efforts upon it.

  June 14, 2017 11:15-12:45

•  US FR

  WannaCry: What can we do better?

  Dr. Paul VixieDr. Paul Vixie (AWS, US), Saâd Kadhi (Banque de France, FR)

  Coming soon.

  WannaCry infected less than 300'000 hosts world wide, but did so in a media effective way. However, it managed to bind enormous resources from incident handlers and security researchers, who tried to come to grips with facts, separate facts from fiction.

  What could we, as a community do better? In this session we would like to openly discuss these topics together with Paul Vixie and Saâd Kadhi.

  June 14, 2017 16:00-17:00

•  US GB

  WatchEvaluateEnrichPunch (WEEP): A Poor Man’s Self-Defence Host Monitor.

  Adrian Sanabria (Savage Security, US), Konrads Smelkovs (KPMG LLP, GB)

  Konrads Smelkovs is a senior manager in KPMG UK and specialises in technical end of cyber-security - attack and defence.

  Adrian Sanabria is a Director of Research at Savage Security.

  What is it? WatchEvaluateEnrichPunch is a program which monitors a stream of data such as OSQuery’s event stream, does matching and then responds to those alerts by either enriching the data further using other events, commands, Internet for some decision making such as alerting, degrading or destroying of the offensive process.

  In spirit it is similar to Snort or any other major IDS for network or OSSEC, fail2ban for hosts. The difference is the ability to enrich and re-inject the data back into event stream as well as the desire for simplicity.

  Why have it? Well, at network level, security people have firewalls and IDSes that can be configured with custom IOCs, but at host level there are few tools that allow deployment of simple behavioural rules that address a local problem. For example, you can fight ransomware string with WEEP by detecting a process that has renamed more than 5 docx files to a different extension within 5 minutes Each hitherto unseen process can be perhaps checked through a series of Yara signatures or it’s md5 ran through virustotal.

  Of course a sophisticated attacker will evade all of these simple checks, but meanwhile a sysadmin has a tool to fight back.

  June 12, 2017 16:00-16:30

•  TW RU

  Web as ongoing threat vector: case studies from Europe and Asia Pacific

  Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW), Vladimir Kropotov (Trend Micro, RU)

  Fyodor is a researcher with TrendMicro Taiwan as well as a Ph.D. candidate at EE, National Taiwan University. An early Snort developer, and open source evangelist as well as a "happy" programmer. Prior to that, Fyodor professional experience includes several years as a threat analyst at Armorize and over eight years asa information security analyst responding to network, security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organisations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally.

  Vladimir recently joined Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at some of Fortune 500 companies, was head of Incident Response Team at Positive Technologies since 2014, and holds a university degree in applied mathematics and information security. He participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, and many others.

  This presentation covers several case studies from incident response sessions in Europe and Asia Pacific region. We analyse attackers tools, exploitation chain, and artefacts discovered on compromised assets in each particular case. We do a comparative case study of several attack attack vectors that leverage web browser components to identify signs of compromise that should be examined by forensic teams to trace such attacks to 'patient-zero' cause of breach. We demonstrate several cases where attackers used multi-staged exploitation chains and perform fingerprinting of target systems identifying systems suitable for further compromise before serving additional malicious payload.

  June 13, 2017 12:15-12:45

  Web-as-ongoing-threat-vector-case-studies-from-Europe-and-Asia-Pacific.pdf

  MD5: 452d875d893e19e015db12a6d3375b94

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 6.88 Mb

•  US

  What Metrics Should a CSIRT Collect to Measure Success (Or What Questions Should We Be Asking and How Do We Get the Answers?)

  Robin Ruefle (CERT Division, SEI, CMU, US)

  Robin Ruefle is the team lead for the CSIRT Development and Training (CDT) team within the CERT® Division at the Software Engineering Institute at Carnegie Mellon University. Her focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs), incident management capabilities, and insider threat programs worldwide. A second focus area has been helping organizations build training and mentoring frameworks, competency and curricula guidance, and readiness assessments. As a member of CERT, Ruefle has worked with numerous organizations to help them plan and implement their incident management and insider threat capabilities. Ruefle has co-authored a variety of publications including Handbook for CSIRTs 2nd Edition, CSIRT Services List, Defining Incident Management Processes for CSIRTs: A Work in Progress, and The Competency Lifecycle Roadmap (CLR): Toward Performance Readiness. She also develops and delivers sessions in the CERT CSIRT and Insider Threat suite of courses. She has co-developed two instruments for evaluation of incident management capabilities: the Incident Management Capability Assessment and the Mission Risk Diagnostic for Incident Management Capabilities. She also worked as a co-author to develop the Insider Threat Program Evaluation (ITPE) assessment instrument and supporting courses for building an Insider Threat Program. Ruefle received an MPIA (Master of Public and International Affairs) and a BA in Political Science from the University of Pittsburgh.

  Audrey Dorofee is a senior member of the technical staff in the Software Solutions Division at the Software Engineering Institute, Carnegie Mellon. She has worked in the risk management, cybersecurity, insider threat, and process improvement fields for more than 24 years. Her work at the SEI has included development, training, and transition of advanced risk management and cybersecurity methods, tools, and techniques. Her most recent work focuses on identifying security requirements early in the product life cycle and documenting best practices in security incident management. Prior to the SEI, she worked for the MITRE Corporation and the National Aeronautics and Space Administration (NASA). She has co-authored two books, Managing Information Security Risks: The OCTAVESM Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996).

  A key struggle for computer security incident response teams (CSIRTs) and incident management organizations today is determining how successfully they meet their mission of managing cybersecurity incidents. As teams become more mature in terms of operational longevity, they are asking the question “How good am I really doing?” Teams are looking for ways to evaluate their operations to not only identify strengths and weaknesses in processes, technologies, and methods, but also to benchmark themselves against other similar teams. They are looking for quantitative evidence and metrics to show if they are effective in their operations. The question heard repeatedly from established teams seeking to show such effectiveness is “What should I be measuring?” This question also applies to the broader goal of measuring success and to the more specific questions about what data should be collected on a regular basis to support the metrics an organization chooses to report.

  This presentation will focus on the work done to date through a collaboration between US-CERT and the CSIRT Development and Training Team within the CERT Division of the Software Engineering Institute to try to identify a recommended set of metrics to be collected by CSIRT/incident management organizations. This will include our work to identify • the type of questions that should be asked • examples of the types of data and metrics needed to answer the questions

  Included in the discussion will be how we consolidated, categorized, and organized the metrics for better understanding and how all of this can be tied to process improvement.

  The presentation will also discuss what others are doing in this area including emerging trends and what is getting traction.

  June 15, 2017 12:00-12:45

  What-Metrics-Should-a-CSIRT-Collect-Measure-Success.pdf

  MD5: ce9f67a353af66428481170a1c5383ce

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 596.18 Kb

•  FI

  When Phone Networks Go Down - Who You Gonna Call?

  Mikko Karikytö (Ericsson, FI)

  Mikko Karikytö is the Head of Ericsson PSIRT, product security professional and a global force fighting evil and protecting the mobile subscribers. In his work Mikko is responsible of leading a headquarter based Ericsson PSIRT with global responsibilities including incident response and vulnerability management. More than 2.5 billion end-users use the services from which incidents originating Mikko and his gang are tasked to investigate.

  This talk is going be about Ericsson PSIRT and how it became a center piece on a network giant's dinner table. In my talk I will explain how a small team became so important and raised to the center of the corporate to guard the security of big part of global mobile networks. The networks that we all depend on, systems that keep us online regardless the location and time of day. Huge combination of technology generations and platforms that provide us services satisfying all our needs to be connected and social - to be human.

  This talk will shed light to the structures what a vendor like Ericsson builds to produce ever more secure networks and services, and how PSIRT is in very middle of all that. How PSIRT has grown from an incident response function to a central vulnerability management institution and even a governance function. A story of one vendor PSIRT that got to not only respond reactively, but also to proactively define and monitor the security assurance of an R&D giant. I will talk about challenges met on the way, sacrifices done and choices made. How the responsibilities have evolved, grown uncontrolled and shrank deliberately to maintain focus.

  My talk will cover challenges like how incident communication is tuned to fit the stakeholders in both ends of the same organization. How confidentiality of sensitive information is maintained while satisfying the need of sales and support to know it all. I will explain the maturity model, a framework that was created to bring all products on par in security and privacy, and what important role PSIRT plays in that machine. How in our model the lessons learned in PSIRT are infused to product and service development to make better, more secure, reliable networks.

  With great power comes great responsibility.

  June 15, 2017 11:15-12:00

•  US

  Windows Credentials, Attacks, and Mitigation Techniques

  Chad Tilbury (SANS Institute, US)

  Chad Tilbury has been responding to computer intrusions and conducting forensic investigations since 1998. As Technical Director for CrowdStrike, he provides technical leadership for the services team, driving innovation to support customers in a variety of services, including incident response, remediation, forensic support, penetration testing, intelligence operations, and compromise assessment. He has worked with a broad cross-section of Fortune 500 corporations and government agencies around the world, including service as a Special Agent with the US Air Force Office of Special Investigations. Chad is a Senior Instructor at the SANS Institute and co-author of their FOR408 and FOR508 courses.

  Windows credentials are arguably the largest vulnerability affecting the modern enterprise. Credential harvesting is goal number one post-exploitation, and hence it provides an appealing funnel point for identifying attacks early in the kill chain. Credentials are diverse and numerous in Windows, and so are the attacks.  Older vulnerabilities like pass the hash, token stealing, and cached credentials still plague modern enterprises.  Added to these are a seemingly endless supply of new attacks on Kerberos authentication.  No network can be secured without strong credential management.            

  Microsoft released significant credential theft mitigations in Win8.1, Win10 and Server 2012/2016, and both red and blue teams must quickly update their skills accordingly. Red teamers may suddenly find their favorite techniques obsolete, and will need to adapt to ensure new implementations are tested.  Even more important, defenders need to take advantage of newly available mitigation techniques and update credential protection processes immediately.

  Attendees will leave this workshop with a deep understanding of Windows credential vulnerabilities, along with knowledge of attack tools and techniques currently used to exploit them.  Particular attention will be given to mitigating and detecting threats, focusing limited resources, and evaluating new improvements to the Microsoft credential model.  Documentation and reference materials will be provided.  

  June 12, 2017 11:15-12:45

  Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf

  MD5: 919cae5bce256c6f25de91cdfe3e4e04

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.6 Mb

•  US DE

  You Don't Need a Better Car, You Need to Learn How to Drive: On the Importance of Cyber-Defense Line Automation.

  Enrico LovatEnrico Lovat (Siemens Corp, US), Florian Hartmann (Siemens CERT, DE), Philipp Lowack (Siemens CERT, DE)

  Enrico Lovat recveived his PhD from the Technical Univerity Munich. In 2016 he started at Siemens CERT where he is the team lead of the Cyber Threat Intelligence team.

  Florian Hartmann has a MSc. in Computer Science from the TU Munich and started at Siemens CERT in 2014. He works as an Incident Responder and is responsible for the software development at Siemens CERT.

  Philipp Lowack has a MSc. in Computer Science from the TU Munich and started at Siemens CERT in 2013. His main tasks at Siemens CERT are Incident Response and the software development of the analysis frameworks.

  Thomas Schreck is a Principal Engineer at Siemens CERT and started there in 2007.

  In the work of CSIRT, where every incident is different but many incidents are similar, it is not uncommon to find recurrent patterns and tasks across different incidents that could be automatically handled in a systematic way. In a context like incident handling, where timely response can make a huge difference in the impact, tooling and process automation are the key to success.

  But automation does not come for free: integrating the plethora of different security solutions that populates the usual ecosystem of a proper IT infrastructure is a non trivial effort. That's why recently vendors tend to move in the direction of single overarching products, that cover everything (endpoint, malware analysis, TI, reporting , etc).

  But do you really need to be "only" as good a single specific vendor is, with all the possible drawbacks (lockin, updates, subscriptions, etc) that this choice entails? Isn't it possible to leverage open-source tools and the power of community effort to achieve a comparable, if not better, result?

  At Siemens CERT we embraced the UNIX Philosophy of "one tool for one task" and worked hard in the past years to develop a set of tools that implements it and automate their connection. In this talk, we want to share with the FIRST community our vision and our current efforts towards it.

  We believe that sharing the challenges we faced in automating the interplay of our tools is a valuable contribution to the community. At the same time, we hope to benefit from the feedback of more experienced member of the community that may have already faced similar issues. For this reason we also set up a BOF where we can discuss that topic.

  June 15, 2017 12:00-12:45

  You-Dont-Need-a-Better-Car-You-Need-to-Learn-How-to-Drive-On-the-Importance-of-Cyber-Defense-Line-Automation.pdf

  MD5: a7dc765f5ea83f1ddb186d86b95eda6f

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.92 Mb

•  US

  You’re Leaking: Incident Response in the World of DevOps

  Levi Gundert (Recorded Future, US)

  As Vice President of Intelligence & Strategy at Recorded Future, Levi Gundert leads the continuous effort to measurably decrease operational risk for customers. Previous industry roles include VP of Cyber Threat Intelligence at Fidelity Investments, Technical Leader at Cisco Talos, Principal Analyst at Team Cymru, and U.S. Secret Service Special Agent within the Los Angeles Electronic Crimes Task Force (ECTF). Gundert is a prolific blogger and sought-after author/speaker, writing articles for Dark Reading, InformationWeek, and SC Magazine.

  There is a greater push to build software solutions and rush products out the door. Companies are using DevOps or Agile to quickly iterate through solutions including how they collaborate amongst themselves. They use source code repositories like github or sourceforge to share or work on development projects. Often, accidentally or intentionally, leaking account credentials, intellectual property, ssh-keys, digital certificates, network diagrams, and even PII. Everything an attacker needs to penetrate your network.

  This creates challenges for security teams especially those charged with defending networks and data. Many companies are not monitoring for sensitive information being leaked on public source code repositories. They often focus on common cloud services or Data Leak Prevention tools that often do not factor in code repo synchronization or manual puts to them.

  The purpose of this talk is to provide ways to monitor and detect leaks to source-code repositories, building an IR playbook for detection / response, managing the response, and lessons learned from actual response situations.

  June 14, 2017 14:00-14:45

  You-re-Leaking-Incident-Response-in-the-World-of-DevOps.pdf

  MD5: bb217279b6a61c51b5f2c8cb734206f2

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 3.59 Mb

• Facebook
• Twitter
• Linkedin
• E-mail

Diamond Sponsor

Platinum Sponsor

Gold Sponsor

Network Sponsor

Internet Sponsor

Banquet Sponsor