•  US

  A Brief History of p0wn4ge: 18 Years and 4506 Incidents

  Aashish Sharma (LBNL, US), Jay Krous (Lawrence Berkeley National Lab, US)

  Aashish Sharma is a member of Cyber Security Team at the Lawrence Berkeley National Lab, Berkeley, CA since Nov 2010. Previously, he worked in the security team at the NCSA at University of Illinois, Urbana-Champaign, IL. Aashish's work/research interests include intrusion-detection and incident-response. At present, he is involved with running Bro-IDS at the Berkeley Lab and works very closely with the Bro project. Aashish has bachelors degree in Computer Engineering from Davi Ahilya University, India and Masters in Computer Science from Illinois State.

  A Brief History of p0wn4ge: 18 years and 4506 incidents

  Speakers: Aashish Sharma, Lawrence Berkeley National Lab, Berkeley, CA Jay Krous, Lawrence Berkeley National Lab, Berkeley, CA

  Abstract: We present both a broad reflection and detailed analysis of security incidents at Lawrence Berkeley National Lab (LBNL) based on extensive data (Bro logs since 1999) and detailed incident tracking that allows us to showcase trends in intrusions and detection capabilities from 1999 to 2017.

  We review how our security monitors flagged some compromises while examining the reasons why others were missed. We also highlight the evolution of detection techniques and incident response process that result in finding malicious but rare events. We will discuss how the analysis we conducted on these incidents provides a basis for attack modeling and the design of new methods for security monitoring and response.

  Focus of proposal topic and importance, relevance, value, and/or interest to the audience: The focus of this presentation is to provide insights into some of the most interesting security incidents that our security team handled over the past two decades. We will describe how we discovered each incidents, our team’s response and the lessons learned. By presenting the incidents in a way that demonstrates the discoveries and what might have been done better, we hope to provide IT security practitioners and leaders better ways to detect, investigate and discuss their own incidents. We also focus on our detection methods and how new incidents feed back into our monitoring techniques. One intention of this talk is that we wish to break the glass ceiling and make it alright to talk about security incidents and getting p0wned.

  Most important outcomes or points we want session attendees to grasp: Historical trend analysis of cyber security incidents, resulting in a deeper understanding of the evolution of attack types as well as detection capabilities. Discuss “interesting attacks” seen at Lawrence Berkeley National Lab We present in-depth lessons learned and our reactive and adaptive attack mitigation strategies We focus on how to secure a open, functional and yet unrestricted large scale network

  June 25, 2018 11:15-12:15

•  FI

  A holistic approach to ensure product security

  Christer Stenhäll (Ericsson PSIRT, FI)

  Christer Stenhäll is working as a Security Consultant in the Ericsson Product Security Incident Response Team (PSIRT). Ericsson PSIRT is the global security point-of-contact for all products in Ericsson's portfolio.

  Christer is responsible for the development of the risk assessment process and the vulnerability management process for product security.

  In a company as big as Ericsson with a multitude of products, solutions and services spanning from legacy telecom systems to complex modern IoT solutions, how can one assure that all products will achieve the necessary Security and Privacy requirements for create, deploy and maintain secure products?

  This presentation will tell about how we at Ericsson tackles the challenge of having a holistic security and privacy approach that works for all products, this talk will be about the Security Reliability Model (SRM) which is the model/framework Ericsson developed to achieve the Security and Privacy ambition in all our products, services and security as a business.

  The Security Reliability Model (SRM) is a holistic approach to secure that product security & privacy is considered and implemented in every step duration the life cycle of the product, from planning to development and to deployment & maintenance.

  I will uncover how the SRM enables Ericsson products, solutions and services to set their product security and privacy ambition level, to ensures the implementation of appropriate security and privacy and to follows up and measures actual product security and privacy status that enables secure product deployment in customer networks. The SRM are built on requirements that set the base for the security and privacy functions as well as other important supporting processes that ties in to the SRM like Vulnerability Managements, Risk Assessment and Vulnerability analysis at also will be presented to give the best possible view of what exactly SRM is.

  June 26, 2018 16:15-17:15

  Stenhall-Christer_FIRST_20180618.pdf

  MD5: 9143d45d0cdb5652639ca6f54d3295b0

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 436.19 Kb

•  LU

  A little tour in the world of password stealers

  Paul Jung (Excellium Services, LU)

  Paul Jung is since a long time a security enthusiast. He works in the security field in Luxembourg since more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experiences that enable him to perform multiple roles from offensive security audit to security incident handling. From 2008 to 2014, prior to join Excellium Services, Paul was Senior Security Architect in the Managed Network Security department of the European Commission. In this previous position, Paul was responsible for leading technical aspects of security projects. He also wrote a few articles in MISC magazine (French) about DDos, Botnets and incident response. Since 2014, Paul works at Excellium Services as senior security consultant. He leads Excellium Services CSIRT (CERT-XLM). Within this position, Paul lead the response team involved in incident handling and intrusion responses. He provides security awareness and recommendations to Excellium Services customers. Paul is often speaker at local event and was multiple times speaker at Hack.lu and Botconf security conferences. His mother tongue is French, and he speaks English.

  PassWord Stealer (PWS) are around since more than a decade now. They are legions. Some like Pony, aka FareIT are well known. Nobody takes really time to explain what is around, what it is capable of and how this little industry works.

  However, they are still a common threat actively used according to our incidents logs. A PWS is not a RAT we made this distinction. The aim of a PWS is to be launched, steal a lot of credentials and optionally keylog and/or drop another payload.

  Sadly nobody cares about them anymore when they fire an antivirus inside a company. To illustrate this, my presentation will go thought a couple of PWS that I meet, and I will an overview of the history and capabilities of the threat, give tricks and tools/script needed to identify and even decipher them. A couple of these decoding/identification tools are freely available to the community and not written by me, this task may be achieved by a lot of security people without even any skills in reverse engineering.

  Finally I will try to summarize these threats by giving to the participants a clear view of what is available in the field and how to detect some backends.

  June 28, 2018 12:00-12:30

  Jung-Paul_FIRST_20180624.pdf

  MD5: c448e2abd5743d3c96fa3d0276a780e8

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 5.94 Mb

•  AU US

  An Internet of Governments: How Policymakers Became Interested in “Cyber”

  Maarten Van HorenbeeckKlee Aiken (APNIC, AU), Maarten Van Horenbeeck (Zendesk, US)

  Maarten Van Horenbeeck is Vice President of security engineering at Fastly, a content delivery network that speeds up web properties around the world. He is also a board member of the Forum of Incident Response and Security Teams (FIRST), the largest association of security teams, counting 300 members in over 70 countries. Previously, Maarten managed the Threat Intelligence team at Amazon and worked on the Security teams at Google and Microsoft. Maarten holds a master’s degree in information security from Edith Cowan University and a master’s degree in international relations from the Freie Universitat Berlin. When not working, he enjoys backpacking, sailing, and collecting first-edition travel literature.

  Klée Aiken is the External Relations Manager with APNIC, the Regional Internet Registry for the Asia-Pacific. In this role he works to promote APNIC’s vision of a global, open, stable, and secure Internet across the region’s 56 economies as well as internationally.

  Prior to joining the team he was an analyst with the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI) where he researched domestic and regional cyber policy developments. He has also spent several years working in DC, serving a stint with the International Technology and Trade Associates. Klée holds a Master's degree in International Relations from the Universiteit van Amsterdam in the Netherlands.

  Gradually, the internet has become a bigger part of how we socialize, do business, and lead our daily lives. Though they typically do not own much of the infrastructure, governments have taken ever-increasing note, often aspirational, and sometimes with suspicion.

  In the meanwhile, the amount of control governments have on the internet has slowly eroded - due to the move of offline services, such as mail, online. This talk will show how major security incidents have shown how some things states have taken granted - such as control over borders - have eroded.

  In this talk, we’ll cover how governments internationally debate and work on topics of cybersecurity, agree on what the challenges are, and get inspiration on solutions. The talk will show how these concerns often originate from domestic concerns, but then enter several processes in which governments meet, debate, agree, and disagree on their solutions. As a specific example, it will use cryptography restrictions and how they evolved from law making, through more illicit work such as the promotion of faulty standards, or the introduction of lawful intercept backdoors.

  You’ll learn about initiatives such as the ITU, the UNGGE, the Global Conference on Cyberspace, the UN Institute for Disarmament Research and the Internet Governance Forum, Wassanaar, and how these forums and treaties affect our lives as incident responders. You'll also learn about how FIRST is helping educate these communities on our role as incident responders.

  June 26, 2018 11:00-12:00

  Van-Horenbeeck-Maarten-Aiken-Klee_FIRST_20180626.pdf

  MD5: 7069ec5044d5d80f3863ce5b80b394eb

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 6.82 Mb

•  SG

  Attacker Antics: Illustrations of Ingenuity

  Bartosz Inglot (FireEye, SG), Vincent Wong (FireEye, SG)

  Bart Inglot is a Principal Consultant that specialises in incident response and digital forensics in Mandiant's Security Consulting Services team helping clients restore confidence in an event of a breach. He holds a degree in Computer Forensics, is a keen developer, enjoys inspecting network traffic and specialises in Windows forensics with fascination in volatile memory. Having worked on incident response engagements around the world, Bart routinely develops new tools and ideas to solve on-the-job problems and to ensure Mandiant remains an industry leader. Some of these developments led to Bart's contributions to the Volatility project. After spending 8 years in England, Bart recently relocated to South-East Asia as he believes it's still the most fascinating, culturally diverse, and opportunistic region in the world. The relative immaturity in Cyber Security in most countries, but also the "hunger to learn" that most businesses and government organizations display, offer a significant growth opportunity. Bart has an extensive speaking experience with the most recent talks at Draconcon 2017 (Hong Kong), OPCDE 2017 (Dubai, UAE), RSA APJ 2017 (Singapore) and Ruxcon 2017 (Canberra, Australia).

  Vincent Wong is a Principal Consultant in Mandiant’s Singapore office. Mr Wong's current role requires him to perform targeted attack investigations, which involves incident response, compromise assessment and forensics to identify attacker groups, attacker capabilities, infrastructure and intentions. Mr Wong has extensive digital forensics experience within a law enforcement agency and has provided expert witness testimony. Mr Wong has over 15 years of experience in both private and public sector environments, and he entered the security field 8 years ago as an Digital Forensic Examiner with the Australian Government. In that role, he provided Digital Forensic expertise, research and capability building in a range of criminal cases such as internet crimes (hacking and the spread of child exploitation material), fraud, money laundering, murder and illegal drug importation. The broad range of crime types has seen him provide digital forensic analysis under a national accredited lab reporting on computers, servers, mobile phones and other electronic storage devices. Mr Wong has also presented his experiences at Security Conferences in Singapore and was invited to speak at internal FireEye events.

  The arms race between the vendors creating security defenses and the hackers trying to defeat them continues. While responding to security breaches around the world, we have uncovered some creative and ingenious tactics, techniques and procedures (TTPs). We carefully selected several of the more recent and fascinating attacker TTPs and we are excited to share them with you. Come to the talk to hear about attackers breaching air-gapped networks, abusing anti-virus server, hijacking victim’s emails, camouflaging malware and preventing it from sandbox execution, and using obscure persistence mechanisms, to name a few.

  June 29, 2018 10:00-11:00

  Inglot-Bartosz-and-Wong-Vincent_FIRST_20180606.pdf

  MD5: 03f564255d8be71e9feb3a44b1c3c028

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 3.76 Mb

•  RU

  Banks and Russian Speaking Adversaries

  Alexander Kalinin (CERT-GIB (Group-IB), RU)

  Kalinin Alexander - Head of CERT-GIB

  The last year of threat landscape has shifted, significantly. New players, tools, tactics and targets. This talk will walk through a real incident and operation of a Russian speaking criminal group where tools and tactics were tested and perfected on Russian financials and then successfully used in the USA, Europe and Asia. It will also touch on the difficulty and exactly how to attribute incidents when attackers are using general tools to avoid detection.

  June 27, 2018 13:45-14:15

•  GB

  Behind the Scenes of Recent Botnet Takedown Operations

  Director David Watson (The Shadowserver Foundation, GB)

  David Watson has been a member of the Shadowserver Foundation since 2008, is one of their Directors, and leads their Special Projects Team in support of international Law Enforcement operations. David regularly presents and teaches hands on training classes at information security events, and is passionate about helping network owners and cybercrime victims to defend themselves using tools and information sources that do not necessarily come with strings attached, or huge price tags. David was the Chief Research Officer and a Director of the Honeynet Project from 2006-2016, helping to co-ordinate and promote the development and deployment of honeynet related security tools worldwide.

  Taking down botnets is a challenging and complex process, requiring not just long-term technical analysis of the threat faced but also cross-border and cross-jurisdiction cooperation and coordination, involving many different (types of) players and legal systems. A successful operation culminates in a quick shutdown of cybercriminal operations, sinkholing of botnet command and control infrastructure and lots of media attention. But what happens behind the scenes to make all of that possible? The talk will describe The Shadowserver Foundation's first-hand experiences in assisting recent law enforcement botnet takedown operations, for example Avalanche (2016/2017), Mirai (Botnet#14) and Kelihos - as well as newer operations relevant by the time of the conference. The talk will identify the main organizational, legal and technical challenges facing the takedown teams, which approaches worked and which did not, and what could be improved in the future. How is the infected victim remediation data shared with the security community? What roles should CSIRTs play in such operations?

  June 27, 2018 11:30-12:30

•  JP

  Bridging Cultures: Collaboration of the US/Global and Japanese Financial Communities

  Natsuko Inui (Financial Services Information Sharing and Analysis Center (FS-ISAC), JP)

  As part of FS-ISAC’s global team, Natsuko works with colleagues in the Asia Pacific region to foster the community in sharing, collaboration and engagement in the Asia Pacific region. Previous to FS-ISAC, she was an analyst at Cyber Defense Institute involved in government research projects regarding incident response and cyber exercises. She continues to work with the CSIRT community in Japan and internationally, and is also Vice Chair of the Nippon CSIRT Association, the CSIRT community of Japan.

  Two very different countries, Japan and the United States, have established their own sharing communities and frameworks, but are also working to share and collaborate. The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Financials ISAC Japan (FIJP) first signed a sharing agreement in 2015, and continue to work together to collaborate to benefit the global community. This presentation will give a brief history and overview on each of the communities, our similarities and differences, and what the sharing agreement enabled to start the collaboration. Screenshots of messages/alerts and files that have been shared daily/weekly and the initial sharing criteria will be presented to the audience. Once the sharing kicked off, the two organizations came to gradually understand the strengths and needs, which lead to a major change in the information that is translated and shared on a daily basis. For example, FS-ISAC at first believed the indicators would be most useful, but turned out to be one of the least useful kinds of information to the Japanese community. The presentation will also talk about the gradual dialogue between the two communities to change the daily/weekly information sharing. Screenshots and examples will also be shown for the new content. Other than daily/weekly sharing, the two are working on working group collaboration. Each ISAC has their own set of committees and working groups that work on various issues and producing papers. The talk will cover efforts on working group collaboration and making each other's documents available in the other language and culture.
  Finally, some good practices, along with the struggles and difficulties we face will be addressed. Some of the struggles would be TLP definition differences and declassifying, maturity levels and how that connects to needs, how to ask for honest feedback, and language barriers. Some actual examples of what we couldn't share and why will be presented. As ISAC members are often deeply involved with incident response, collaboration between the two ISACs is for the benefit of the incident responders globally, and is a work in progress as the threats, communities and all involved change and evolve. This presentation will give some insight into an actual ongoing collaboration between two different incident responder communities.

  June 29, 2018 11:00-12:00

•  PL

  Building and Maintaining Large-scale Honeypot Sensor Networks

  Piotr KijewskiPiotr Kijewski (The Shadowserver Foundation, PL)

  Piotr is the Strategic Programmes Manager at The Shadowserver Foundation, a non-profit with a mission of making the Internet a more secure environment. He has a strong CSIRT background, previously working in incident response at a national level for 14 years in the CERT Polska (CERT.PL) team. He managed the team for nearly 7 years up till 2016, building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr currently also serves on the Board of Directors of the Honeynet Project, a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis. Piotr is also the author of many papers and reports on security topics and a frequent speaker at conferences worldwide.

  The rise of IoT related attacks as demonstrated so effectively by Mirai and its variants as well as incidents such as Wannacry, (Not)Petya have reinforced the case for using honeypots as effective tools for detecting, collecting and analysing Internet-wide threats. Our ability to effectively respond to and mitigate a new threat relies on not just the fast acquisition of the global picture of an incident but also on obtaining new malware samples for analysis. Thus it is critical to have the capability to quickly deploy new honeypot sensors at scale that enable the above. The talk will cover The Shadowserver Foundation’s efforts at building, deploying and maintaining such large-scale honeypot networks, involving hundreds of sensors. It will describe the unique challenges encountered and lessons learned whilst attempting to automate the process of deployment and management as much as possible. The talk will introduce the honeypot deployment framework developed as part of a new EU Horizon 2020 Project - SISSDEN, along with a live demo. It will also present some of the resuIts of analysis of the collected data. It is important to stress that the data collected from these sensor networks is shared with the security community (90+ National CERTs, 4000+ network owners etc) as part of the free daily Shadowserver victim remediation feeds. How can the CSIRT community help to make these deployments more effective?

  June 26, 2018 13:45-14:45

•  US

  Catching Up with Osquery Workshop

  Douglas Wilson (Uptycs, US)

  Douglas (Doug) Wilson is the Director of Security at Uptycs, a Boston-area startup building SaaS solutions on top of osquery.

  Before Uptycs, Doug was a Senior Manager at FireEye, where he led the FireEye Labs Threat Indicators Team. He was also a Manager and Principal Consultant at Mandiant. He has spent a large amount of his career advocating for open tools, organizations, and standards, being the spokesperson for OpenIOC, as well as founding and running OWASP DC, and being one of two principal organizers of the first three AppSec DC conferences.

  Doug is based out of Washington DC in the US. He has over 18 years of experience in a variety of Information Security and Technology positions, including Incident Response and Multi-tiered Application Architecture. Doug has presented at FIRST in 2013, 2014, and 2015. He has also spoken on various Infosec topics at other events including SOURCE Boston, GFIRST, DoD Cybercrime, NIST IT-SAC, Suits and Spooks, and Shmoocon.

  osquery ( https://osquery.io ) is a powerful cross-platform, open-source endpoint agent that was released by Facebook in 2014. It has been growing rapidly in the past year, becoming one of the top security projects on github, with major internet companies above and beyond Facebook adopting it as their endpoint tool of choice in place of commercial endpoint offerings.

  This presentation, offered by a practitioner who has been working closely with osquery since mid-2016, will provide information for security practitioners who:

  • Have EDR or IR endpoint needs, but don't always have the budget or other resources to purchase and deploy expensive black-box security products
  • Want the ability to freely customize the questions they are asking of their endpoints over time
  • Want the ability to collect and analyze data passively like they would with a SIEM, yet have active investigation capabilities for the endpoint without having to deploy a separate tool.

  This presentation will contain topics such as the basic design concepts of osquery, fundamentals of launching and running osquery interactively and as a daemon, configuring osquery, simple and complex queries against osquery, what osquery event tables are and how to use them, how osquery can be used to investigate a host, and a brief discussion of how to use osquery at scale. It would also include a summary of the osquery project status, including important features added to osquery in the past year, current pain points and roadmap items for osquery, and how attendees can join the osquery community and/or contribute to the ongoing osquery effort.

  In outline form, the presentation would consist of at least the following:

  • The basic concept of osquery -- Abstracting to SQL -- Read Only Agent -- Tries to respect privacy
  • Fundamentals of launching and running osquery -- running osquery interactively -- running osquery as a daemon -- configuring osquery options
  • Simple & complex queries against interactive osquery
  • "Events" in osquery -- what is an _event table versus a normal osquery table -- what events are available on what OS -- Why this is not consistent across all OS
  • how osquery can be used to investigate a host -- compliance audit examples -- file integrity monitoring / file hash retrieval -- tying tables together
  • The challenges of osquery at scale -- possible solutions
  • osquery project year in review -- A summary of important features added to the project in the past year -- A summary of current pain points and/or roadmap items that need work -- How attendees can join the community and/or contribute to the ongoing osquery effort

  June 26, 2018 16:15-17:50

  Wilson-Doug_FIRST_20180629.pdf

  MD5: 9362fff1be3b4a5a3c72009eea73a395

  Format: application/pdf

  Last Update: June 29th, 2018

  Size: 5.08 Mb

•  CR MY

  Civil Society Under Attack - Trends and Tactics

  Daniel Bedoya (Access Now, CR), Szeming Tan (Security Consultant, MY)

  Daniel (email: daniel@accessnow.org) is the Incident Response Manager at Access Now. He works in Access Now’s Costa Rica Office. He is currently working on his Masters Degree in Computer Science at the University of Costa Rica. He holds a Bachelor Degree in Electronics Engineer from the Instituto Tecnologico de Costa Rica. Previously he worked at Costa Rica’s biggest ISP in a Security Operation Center environment, as an Operations Engineer and Quality Assurance Engineer.

  Sze Ming is an experienced civil society organization programme manager with multidisciplinary skills, cross-practice knowledge and experience working on human rights, environmental issues, government development policy, government transparency and digital rights that is now a requirement in being able to initiate and implement effective non-profit programmes and projects.

  She builds partnerships, fund raising , events management, design for advocacy materials and facilitates digital security training. Her work in developing Sinar Project's Digital Rights programme has helped provide support for digital security and safety of at-risk groups, increased youth participation in digital rights and internet governance for Malaysia and internationally for Southeast Asia and East Asia.

  From persistent and tailored attacks against independent media to clever impersonation mechanisms to discredit political activists, Access Now Digital Security Helpline has received over 3000 requests for assistance in the past 4 years. During this period, our 24/7 incident response team has worked directly with civil society organizations, journalists and activists from 126 countries to migitage security incidents and implement preventative measures to defend themselves online.

  Access Now was formed in 2009 in response to the Iranian elections, and the related crackdown on citizens digital rights. The primary focus of Access Now at that time was to provide a technology support help desk for the Iranian Green Movement. Shortly after, Access Now got involved in the digital rights policy and advocacy, but we have always maintained some form of a digital security help desk function. At the beginning of 2013 we embarked upon an ambitious expansion of that help desk, and began the process of building it into the professional 24/7 digital security Helpline that we have today. During this informative session, we would like to present an overview of trends we have seen across regions, explore how civil society organizations are attacked worldwide and present examples of creative and complex attacks conducted against civil society organizations and individuals across the globe.

  June 27, 2018 11:00-11:30

•  MY

  Collaborative National-level Incident Response Model to Address Large-Scale Data Breach Attack in Malaysia

  Sharifah Roziah Mohd KassimFarah Ramlee (Cybersecurity Malaysia, MY), Kilausuria Abdullah (Cybersecurity Malaysia, MY), Sharifah Roziah Mohd Kassim (CYBERSECURITY MALAYSIA, MY)

  Farah is currently working as an Analyst in MyCERT, CyberSecurity Malaysia. In June 2013, Farah started as 1st level incident handler in MyCERT team and handle cases reported to Cyber999 by analyzing the incidents and recommend relevant course of actions in responding to the incidents reported. Kilausuria is currently working as an Senior Analyst in MyCERT, CyberSecurity Malaysia. She was previously in Research and Development (RnD) on field related to intrusion detection system, open source initiative and cloud computing. In February 2012, Kilausuria started as 2nd level incident handler in MyCERT team for Cyber999 services and assist on grooming new incident handlers, drafting media question as well as a qualified trainer in Incident Handling courses. Sharifah Roziah currently works as a Specialist for Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. Besides being a Specialist, she is also tasked as a Manager of the Security Operation Centre in MyCERT, to ensure computer security incidents reported to MyCERT are responded in a timely and efficient manner. Prior to that, she worked as a Senior Analyst at MyCERT department. Roziah has been involved in the computer security field for over 15 years, mainly in Computer Security Incident Handling. Her area of focus and interest is on Computer Security Incident Handling, Incident Analysis and Network Security. Roziah had been a key person in handling and resolving many computer security incidents reported to MyCERT from the Malaysia constituency. Roziah had also conducted many talks, presentations, trainings in local and also in international in the field of computer security particularly in Computer Security Incident Handling. Apart from that, Roziah has also produced various Security Advisories/Alerts on latest vulnerabilities and threats, Articles, Security Best Practices, Proceeding Papers related to computer security.

  In October 2017, Malaysia was hit by the news that 46 millions of Malaysians’ personal data is up for sale on the Internet. Data breach attack is not something new in our constituency, however large-scale data breach is something serious that need to be addressed with collaborations between CERTs and various parties at national level. Investigation has been setup respectively by Malaysian Law Enforcement Agencies (LEA), CERT and Internet Service Providers (ISP) in responding to this large-scale national cyber attack. This presentation will share the analysis case study of the incidents reported to Cyber999 and the incident response steps taken by MyCERT with collaboration Law Enforcement Agencies (LEA), CERTs and Internet Service Providers (ISP).

  The statistic in the atatched document illustrates gradual decrease of data breach attack between 2012 and 2016, and significant increase in 2017 within Malaysia.

  The collaborative model between Law Enforcement Agencies, CERTs and ISPs, can be viewed as a method to overcome certain problems of Incident Response, such as:

  ➢ Insufficient coordination between Law Enforcement Agencies, CSIRTs and ISPs in Malaysia during large-scale national-level attack. ➢ Unavailability of an Incident Response model that can be deployed by CSIRTs, Law Enforcement Agencies and ISPs in addressing large-scale national-level attack. ➢ Communication problem with the right parties during a large-scale attack. Having good communication with right people saves much time in incident response. ➢ Time limitation during a large-scale attack incident may deter immediate preventions of an attack at national level.

  To prove that the model has worked for us, we will highlight a case study on large-scale data breach attack involving Malaysians’ personal details exposed on public forums based in Malaysia and in foreign countries. The uniqueness of this model is that it brings together three major players in Malaysia in the field of IT, the CERT, the LEA and the ISP.

  The presentation is targeted for established CSIRTs, PSIRTs and also new teams. The key points that we would like to highlight in this presentation are: ➢ The significant collaboration between CERTs, LEAs and ISPs in eradicating and mitigating large-scale cyber attacks at national level. ➢ Share our model that illustrates how a large-scale attack can be mitigated through collaboration in efficient manner, which in this presentation focuses on large-scale data breach attack in Malaysia. ➢ Share our in-house developed tools and applications that we used for building up and implementing this model for effective mitigation of large-scale national cyber attacks. ➢ Share the work taken by us to further study the behavioral and anatomy of an incident so as to propagate and reduce the effect of similar type of incident in the future. ➢ How CSIRTs of various countries can base our model to build up their own national level collaborative model in responding to large-scale attacks in their country. CSIRTs can no longer work alone. Collaborative work is necessary for execution of effective incident response.

  June 29, 2018 10:00-10:30

•  US

  Coordinating Vulnerability Disclosure with Multiple Vendors

  Laurie Tyzenhaus (SEI CERT, US)

  Five years with SEI-CERT supporting government sponsors with threat analysis and coordinated vulnerability disclosure. Twenty-two years with the Department of Energy: 12 years as a Intelligence/Counterintelligence Cyber Analyst (SME for technical threats & countermeasures at numerous national laboratories and sites), and 10 years building the Argonne National Laboratory Cyber Security program (incident handling, program development and management).

  Coordinated Vulnerability Disclosure (CVD) is an ongoing challenge. We are discussing CVD in vendor forums and in-house to identify the problems and sensitivities associated with changes to the process. Our experience indicates that once more than 5 vendors are involved, our current CVD process struggles with tracking the data and communications associated with these reports. We see these types of reports about 4 times a year and expect it to increase. There are no COTS solutions that can manage the multi-vendor problem.

  Specific questions include: Can vendors work in a collaborative environment (like GitHub)? Is encryption helping or hindering discussions? How can we continue to encourage coordinated disclosure by reporters?

  We expect other CERTs already have, or soon will have to solve this problem. We hope to encourage a “coordinating” solution!

  June 26, 2018 11:00-12:00

  Tyzenhaus-Laurie_FIRST_20180615.pdf

  MD5: a86e635a9cdd676a17b68c8dcfbd3f40

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 973.4 Kb

•  US

  Crawl, Walk, Run: Living the PSIRT Framework

  Mark StanislavMark Stanislav (Cisco (Duo Security), US)

  Mark Stanislav is the Director of Application Security for Duo Security. Mark has spoken internationally at over 100 events, including RSA, DEF CON, SOURCE Boston, Codegate, SecTor, and THOTCON. Mark’s security research and initiatives have been featured by news outlets such as the Wall Street Journal, the Associated Press, CNET, Good Morning America, and Forbes. He is also the author of the book 'Two-Factor Authentication.' Mark holds a BS in networking and IT administration and an MS in technology studies focused on information assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an adjunct lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.

  With its June, 2017 draft release, the PSIRT Framework from FIRST established a new era in product security formalization. A quick search of FIRST member organizations show a 5:1 disparity of CSIRT-to-PSIRT members represented, providing a data point to what many industry experts already know -- formal product security programs are much more rare than their corporate counterparts.

  This presentation will detail the journey, hurdles, and outcomes of using the PSIRT Framework to take a hard look at formalizing an existing application security team's efforts into a more holistic program. Topics will include executing a program gap analysis, deciding on how to re-mediate identified gaps, organizing a PSIRT across functional teams, processes we utilize, execution of a product security advisory process, and other parts of our organization's implementation of the framework to guide our program maturity.

  Curious how to take your team's best-effort product security and level it up? Attend this talk and you'll gain real-world value from the experiences our team took to do just that.

  June 27, 2018 14:15-15:15

  Stanislav-Mark_FIRST_20180529.pdf

  MD5: c0984c8996bd1057bd3b666ff7b470f5

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 4.44 Mb

•  HR

  Creating NIS Compliant Country in a Non-regulated Environment, Case Study Croatia

  Jurica Cular (ISSB, HR)

  Jurica Čular graduated at Faculty of electronics and computer science, Zagreb, Croatia as Master of Computer Science. Got an MBA in finance and marketing at Kelley School of Business, Indiana University. Holds several information security certificates CISA, CISSP, ISO 27001 LA.Worked as an information security consultant for financial institutions and for Deloitte. Currently working as an expert advisor in Information Systems Security Bureau.

  The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The main goal is to ensure harmonization in level of cyber security between member states. Process seems reasonable and most member states agreed on usefulness of such legislation. The fact that NIS is a directive and not a regulation implies that member states should create a legislation in line with NIS. This is where the fun starts. EU member states are very different one from another and creating a harmonization is pretty hard task. How some old and well organized member states are dealing with this task is significantly different than the situation in a rather new member states. This talk will bring insight in a process of transposition of NIS Directive into Croatian legislation. What approach did we take, who were the key players in this process? What are the biases that exist with each key player and what roles were designated to CSIRTs? How did we cope with issues in a society and economy with very low cyber security awareness? These are the questions I will bring answers during the talk. For EU CERTs this would be interesting to hear and compare experiences. For non-EU CERTs this is a good way to hear about good and bad aspects of NIS Directive.

  June 29, 2018 10:30-11:00

  Cular-Jurica_FIRST_20180605.pdf

  MD5: 97aab7e66700ea68dc3415479e8ffef2

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 185.92 Kb

•  FI

  Cyber Weather - Situational Awareness Product For Our Non-technical Constituents

  Tomi Kinnari (NCSC-FI (National Cyber Security Centre) / Finnish Communications Regulatory Authority, FI)

  Tomi Kinnari has been working as Situational Awareness Coordinator in Finnish National Cyber Security Centre for four years. In this role he has been coordinating incidents in CERT and collaborating with both technical and non-technical constituents. In addition he is responsible for handling collaboration with two ISAC's.

  Problem: How to present cyber situational awareness in an understandable way to our non-technical and semi-technical constituents, such as management, CTO’s, risk officers, citizens etc.?

  Solution: We developed a new situational awareness product that we call cyber weather. It covers topics such as DDoS, malware, vulnerabilities, APT, IoT and network failures. It is written in a language that also semi-technical and non-technical audiences can follow.

  How we did this: The information is gathered and distilled monthly by six groups, each immersed in one of the focus areas of the cyber weather. These groups gather information from several internal and external sources, such as incidents from ticketing system, ISACs, other government agencies and news. The new developments from each focus area are discussed and written down on a monthly basis.

  Results: We have collected and made cyber weather for over a year, and the results have been encouraging. Our constituents have considered it a very good and easy to follow summary of the key events. Some use it to follow key trends and events in cyberspace while others have been using it as a source in their risk assessments. Furthermore, it has also enabled NCSC-FI to better follow trends, because creation of cyber weather is forcing us to summarize key events monthly. Cyber weather has also made preparing presentations to speaker gigs much easier, which helps a great deal because NCSC-FI is speaking in over 100 events per year. It has also made the quality of the presentations more homogenous among NCSC-FI employees, because everyone is using the same base for the presentations.

  June 25, 2018 15:00-15:30

  Kinnari-Tomi_FIRST_20180624.pdf

  MD5: 9e31f820913ebe850aaf0dd2fd0f8b84

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.56 Mb

•  US

  Deep Dive: Case Study Responding to Intrusions into the US Electric Sector

  Jermaine Roebuck (DHS Hunt and Incident Response Team, US), Mark Bristow (DHS Hunt and Incident Response Team, US)

  Mark Bristow is the Deputy Division Director for Hunt and Incident Response Team (HIRT) at the National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security. Mark has been with DHS since 2008 and worked as an Incident Responder and then Chief of Incident Response and Management for Industrial Control Systems incidents under the Industrial Control Systems Cyber Emergency Response team (ICS-CERT). Mark has worked previously conducting assessments and penetration tests of industrial control systems equipment in multiple sectors with a focus on electric power generation, transmission and distribution and found his first vulnerability in ICS systems at the age of 10. Mark has a bachelor’s degree in Computer Engineering from The Pennsylvania State University.

  Deep dive into the details of the intrusions into US energy and other sectors in the summer of 2017. This presentation will discuss some of the key tactics techniques and procedures and insights used by threat actors against us critical infrastructure. DHS will highlight the lessons learned and how they can apply to the broader community. This presentation will also demonstrate how DHS leveraged a tool called a Tactical Threat Map to better understand this intrusion campaign.

  June 26, 2018 14:45-15:45

•  DE

  Detect & Respond to IoT Botnets as an ISP

  Christoph Giese (Telekom Security, DE)

  Studies: BSc IT dual@telekom --> MSc digital forensics (finish line) Work: System Engineer 2y --> CERT/CDC for 3y GCFA/GCNA; open source development

  The Internet of Things (IoT) is an increasing number of (smart) devices of various types, often enough directly connected to the Internet without proper security mechanisms enabled.

  The types of devices range from simple IP-based Cameras to complex home routers with computing powers reaching that of personal computers. The fast development in terms of powerful hardware and the fact that those IoT devices are connected to the Internet 24/7 turns them into highly valuable targets for cyber crime.

  In 2016 the first larger IoT device-based botnets emerged, with Mirai being one of the most prominent examples, which infected more than 120.000 devices [1]. Mirai was also responsible for knocking almost 1 million customers of Deutsche Telekom AG the Internet, and is infamous for performing the largest and most disruptive denial of service (DoS) attacks in history [2]. Due to the leakage of Mirais source code to the public, new variants emerged, such as Reaper or the recent Satori botnet. In order to cope with future variants of Mirai and to avoid further impact on routers of Deutsche Telekom, we have adapted common security mechanisms to minimize detection and response times of IoT device-based botnets. In this talk, we will present our detection, analysis, and response strategy to deal with infected IoT devices from an ISP point of view.

  A high-level overview of our approach will be discussed in more detail during our presentation.

  To boost the early detection of suspicious activity on IoT related network ports, Deutsche Telekom extended its large number of honeypots, deployed across the Internet, with IoT-specific application simulations. Additionally, temporarily unused IP address ranges are used as a so-called black hole [3], to monitor general activity in form of backscatter and malicious traffic on the Internet. Together with basic machine learning algorithms, we use the input of these sensors as a trigger to start further in-depth investigation. Based on traffc fingerprinting, open-source intelligence information, and payload data from the honeypots, we are able to initiate a response chain, to minimize potential impact of an emerging IoT botnet.

  For the response chain, we use well-known open-source tools, such as IntelMQ for message/event processing and MISP (Malware Information Sharing Platform) to distribute relevant indicators across the enterprise to quickly identify infected systems within our responsibility and initiate appropriate mitigation actions.

  During our talk we will use the recent Satori IoT botnet as a showcase for our approach and to explain what kind of challenges still exist.

  [1] https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html [2] https://www.bitdefender.com/box/blog/iot-news/mirai-writes-new-chapter-history-ddos-attacks/ [3] Bailey M., Cooke E., Jahanian F., Nazario J. and Watson D., 2005. The Internet Motion Sensor - A Distributed Blackhole Monitoring System. In Proceedings of Network and Distributed System Security Symposium (NDSS 05), pp. 167-179.

  June 27, 2018 13:45-14:15

  Giese-Christoph_FIRST_20180620.pdf

  MD5: 26ea0ed2812a20ab19c6c6570999fb87

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.55 Mb

•  US

  Determining the Fit and Impact of CTI Indicators on your Monitoring Pipeline (TIQ-Test 2.0)

  Alex Pinto (Niddel (a Verizon Company), US)

  Alex Pinto is a Distinguished Engineer of the Security Solutions Group at Verizon Enterprise Services. He is responsible for data science, analytics and machine learning capabilities of the Verizon Autonomous Threat Hunting product. He joined Verizon through the acquisition of Niddel, where Alex was Co-Founder and Chief Data Scientist.

  Alex has over 20 years of experience in build security solutions and products and the last 5 of those years have been solely dedicated to the application of machine learning in cybersecurity detection and threat hunting activities. He also holds multiple cybersecurity certifications, such as CISSP-ISSAP, CISA, CISM, and was previously PMP and PCI-QSA certified.

  He is an accomplished international speaker and thought leader, has presented various times at conferences such as Black Hat, DEFCON, RSA Conference and FIRST. His usual research subjects are machine learning applied to security, threat intelligence evaluation and metrics, and threat hunting automation.

  Before founding Niddel, Alex was a founder of CIPHER Security, a global full-solution provider of Brazilian origin. He was born in Rio de Janeiro, but for a twist of fate can't play any soccer.

  Implementing an appropriate data processing pipeline to make good use of your indicators of compromise is a problem that has been successfully addressed over the last few years. However, even with all the push of automation and orchestration, a fundamental question remains: WHAT data should I be ingesting in my detection pipelines? There is no lack of data feeds available, shared or not, paid or not. But how to keep my CTI IR team from spinning their wheels on a pile of CTI mud?

  This talk will discuss statistical analysis you can do with the CTI indicators you collect and your own network telemetry to define:

  • COVERAGE: Is your current mix of CTI feeds providing a varied view on the current threats that you should actually be concerned with?
  • FIT: How appropriate does the CTI data apply to your own traffic. CTI vendors always talk about vertical specific threats, but is that measurable and verifiable?
  • IMPACT: How much was your true positive detections assisted by matches and link analysis derived from those CTI feeds?

  Those concepts will be introduced and explained with minimal math background needed, and pseudo-code will be provided to assist organizations to perform those experiments on their own environment. We hope those tools will help attendees to better evaluate the quality of the CTI feeds they ingest from their open sources, paid providers and sharing communities.

  June 28, 2018 13:45-14:45

  Pinto-Alex_FIRST_20180624.pdf

  MD5: be22020ca3c062f2b9dec095f6227f88

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 2.64 Mb

•  JP

  Discovering Evasive Code in Malicious Websites with High- and Low-interaction Honeyclients

  Yuta Takata (NTT-CERT, JP)

  Dr. Yuta Takata is a researcher at NTT R&D and has been a member of NTT-CERT in Japan since 2013. He focuses on developing honeyclients that effectively analyze websites and exhaustively extract malicious behaviors, e.g., browser exploitations and malware infections. Recently, he has been researching methods of detecting malicious websites using machine learning techniques.

  Threats of malicious websites are continuously evolving. These websites are exponentially increasing to achieve attacker's various objectives, e.g., malware distributions, data breaches, defacements, and bitcoin mining. NTT-CERT has been monitoring and detecting such malicious websites by operating both high-interaction honeyclients and low-interaction honeyclients. A high-interaction honeyclient, which is a decoy real browser, can precisely detect browser exploitations and malware downloads. A low-interaction honeyclient, which is a browser emulator, can emulate client profiles, trace complicated redirections, and hook code executions in detail. We usually detect malicious websites and confirm the evidence of maliciousness on the basis of both analysis results. However, attackers also develop more sophisticated techniques to evade our honeyclient analysis. They craft JavaScript code that controls whether to redirect clients to malicious URLs by abusing the differences among client environments. This evasive code is pervasively distributed through exploit kits. Therefore, a countermeasure is urgently needed. My presentation explores evasion techniques by analyzing the redirection differences between high-interaction honeyclients (Internet Explorer) and low-interaction honeyclients (HtmlUnit). Since these honeyclients use different client implementations, I can identify evasive code by leveraging the differences. I investigated 8,500 JavaScript samples executed in 20,000 malicious websites observed in experimental environments of NTT. I discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will be necessary for incident responders to understand and analyze modern malicious websites, and contribute to improving the analysis capabilities of conventional honeyclients.

  Contributions:

  • I introduce the operation of monitoring websites using honeyclients at NTT.
  • I share evasive code examples that abuse the differences among JavaScript implementations.
  • I show the effectiveness of evasive code as content signatures for detecting malicious websites.

  June 26, 2018 12:00-12:30

  Takata-Yuta_FIRST_20180531.pdf

  MD5: 3afc9af8ce219dc4a2a44df1ec3a78ef

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.56 Mb

•  GB

  Don't Ignore GDPR; It Matters Now!

  Thomas FischerThomas Fischer (Independent, GB)

  Thomas has over 30 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties not just for external threats but also compliance instigated. Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

  GDPR is in effect since May 25, 2018, any organization handling EU residents’ personal data should be complying with stricter privacy regulations or be ready to pay up to four percent of their global annual revenue in fines or €10,000,000. This is a substantial penalty for non-compliant companies, and does not focus just on companies based in Europe – it’s for ALL companies globally who do business in the EU.

  There is a lot of talk in about compliance with GDPR but in fact it may need some fundamental and deep organizational changes to be prepared and ensure EU citizen personal data. But what does this mean to our incident response process? Let's explore what is covered by GDPR and how it may impact your organisation, answering questions such as do I need to have a DPO; I don't do business directly in the EU when does GDPR affect me; what data is affected? What key processes need changing and importantly how should my incident response procedures work in order to meet GDPR accountability.

  A key first step in protecting that data and being able to respond is to first understand what is personal data as defined under GDPR which not only includes basics but also things like an IP address, IMEI and biometrics. Once we understand the nature of personal data, we can look at what the impact on what needs to be implemented or addressed versus the various Articles in GDPR, look at what they mean to some of our key Infosec best practices (such as SDLC, backup, …) to the discuss the impact and improvement on the incident response process and interactions with the DPO and DPA.

  June 28, 2018 11:00-12:00

  Fischer-Thomas_FIRST_20180619.pdf

  MD5: af6539b1474cf7ca1e62c283edfd6382

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 15.93 Mb

•  GB

  Emotet Malware

  Neil Fox (BT Security, GB)

  Neil Fox (BT plc, GB) Currently a BTCERT Investigator, I have worked in Security for just over three years. Prior to BT Security I worked on Cisco networks for BT corporate customers, Government contracts and BT’s ISP core network.

  AV solutions are constantly fighting a battle with malware authors to ensure that they detect the latest threats and keep our enterprise networks secure. In some cases it is not always possible for the AV to detect the latest malware strains. Malware authors are constantly updating and refining their code to evade detection and in turn this can lead to infections that we have no idea even exist.

  Emotet, although not relatively new, is still being in seen in the wild and evading many AV vendors. This malware impacted BT this year and meant we had to put our own proactive procedures in place to detect and remove this malicious software.

  This presentation will cover the actions undertaken by BT to detect and remove this threat including:

  • Overview of Emotet Malware – It’s techniques to avoid AV detection and how it harvests outlook credentials to create a targeted spam campaign.

  • Impact to BT – Large number of spam emails being sent to BT employees seemingly from people they contact via outlook, in turn individuals are unknowingly downloading the malware payloads by opening word documents that are linked in the email. This campaign has impacted employees across the globe in all sectors of the business.

  • Analysis of malware completed by infecting a physical device - AV wasn’t mitigating the threat so the malware was ran in a controlled environment to see how else we could mitigate the threat.

  • Open source tools used to gather IOC’s - Wireshark, NetMiner, FakeNet, PE Studio, ProcMon, RegEdit were all used to capture network and host based IOC’s of the malware. A custom PowerShell script was implemented meaning we were able to provide our AV with a list of hashes.

  • The customised alerting we created on our proxies based on the IOC’s – From our proxy data we were able to identify a network based IOC which was unique enough to create a custom alert on machines infected with Emotet.

  • Processes we put in place to deal with this as BAU and gather further IOC’s - Dashboard created with list of compromised machines and a process put in place for our 1st line SOC to check devices for known host based IOC’s.

  • Emotet spambot honeypot implemented – BT Security were able to block the spam from being sent but were able to capture the traffic and attachments. We then used this data to our advantage to keep track of the latest C2’s.

  • Other threats we found from conducting this piece of work - From implementing the dashboard we also found other strains of malware that displayed similar behaviour to Emotet. A proactive, hunting technique to find other malware was also created off the back of this.

  This talk will be focused on CSIRTS, will be presented at an intermediate technical level and would require a 45 minute slot.

  Neil Fox | BTCERT Investigations Specialist | Shared Cyber and Physical Engine | BT Security | Mob: 07484079732 | Skype: +443316646584 | neil.2.fox@bt.com

  June 29, 2018 11:00-12:00

•  EE NL

  Exploit Kit Hunting with Cuckoo Sandbox

  Andres Elliku (CERT-EE / Estonian Information System Authority, EE), Jurriaan Bremer (Cuckoo Sandbox, NL)

  Jurriaan Bremer has been working more than 6 years on Cuckoo Sandbox, the leading open source automated malware analysis system, Jurriaan is managing its future success by day as account manager and realizing its roadmap as development & team lead by night.

  Andres Elliku is responsible for incident response, threat hunting and infrastructure and toolkit development. His daily tasks include handling of cyber incidents, incident coordination, supporting institutions and internet service providers and giving out warnings of ongoing threats. Andres is also running CERT-EE’s malware analysis sandbox, S4A and various other toolsets. Occasionally Andres also does some client side red teaming and blue teaming. Before joining CERT-EE team, he worked in the public sector as a systems engineer and security advisor. Andres is currently obtaining a MsC in Cybersecurity from Tallinn Technical University. He is also an active member of the Estonian Cyber Defence League since 2015.

  Cuckoo Sandbox is the leading open source automated malware analysis system, used by tens of thousands of users including hundreds of international CERT/SOC/IR teams.

  In this presentation we'll take a look at the highlights of our recent developments in Cuckoo Sandbox regarding the automated analysis of in-the-wild exploits & payloads used by Exploit Kits, our capabilities of performing an offline replay of such analyses (allowing one to re-run the analysis over and over again), and our work in progress on performing many URL analyses in parallel. Through this new functionality we aim to simplify obtaining relevant information and IOCs from Exploit Kits, something that up until now has been mostly a manual and complex job.

  This presentation will briefly highlight how organizations can use our new functionality in their own teams. We'll provide demo's based on which both novice and expert users can quickly grasp what's going on, how they could replicate a replay of various known/captured Exploit Kits on their own systems, and high-level information on analyzing tens or hundreds of thousands of URLs per day for the existence of Exploit Kits using Cuckoo Sandbox.

  With a growing team of researchers & developers, Cuckoo Sandbox is becoming more mature by the month. We're always looking to improve it further (feedback from our community helps a lot here!) and are working on a number of novel features that will surely be widely adopted in the CERT community throughout the next years.

  June 25, 2018 14:00-15:00

•  US

  Exposing Crypto Phishing BulletProof Hosting

  Artsiom HolubArtsiom Holub (Cisco Talos, US), Austin McBride (Cisco Umbrella, US)

  Artsiom Holub is current Security Research Analyst on the Cisco Umbrella Research team and pentester in the past. Throughout the course of the day, he works on Security Threat Reports for existing and potential clients, works closely with the Customer Support Team, finds new threats and attacks by analyzing Cisco Umbrella DNS data, and designs tactics to track down and identify malicious actors and domains. He has undergraduate studies from National Technical University of Belarus, earns an Associate in Science degree from City College of San Francisco in Computer Networking and Information Security, and has earned various certificates along the way. Currently highly interested in crypto currencies and security challenges coming along with them.

  Austin McBride is a Threat Analytics Researcher at Cisco Umbrella who analyzes and evaluates the impact of security threats on customers, identifies previously unclassified threat vectors, and discovers emerging trends in malware distribution.

  His current research focuses on the significance of cryptocurrency in the ever-evolving threat landscape, which abets malicious actors to remain anonymous while buying infrastructure and avariciously amassing profit that has been unprecedented in traditional financial markets in recent history.

  Additionally, Austin presents at national security conferences, develops tools for threat analysis, and is a regular contributor of the Cisco Umbrella Security Blog.

  Austin’s background is in data mining, analytics, security research, and data visualization. He has also previously worked at UBS as a securities trader.

  Austin lives in San Francisco with his wife and their dog Spock.

  With the price of Bitcoin ascending to new heights in 2017, the rocketing valuation of cryptocurrencies continues its momentum into 2018. Evidence of the massive growth of these digital assets can be seen in the massive spikes in new clients at companies like Coinbase, adding 100,000 users in a 24-hour period, and Binance, which recently expanded its user base by 240,000 users in just one hour. The financial industry and Silicon Valley are not the only groups who have caught the cryptocurrency fever. Malicious actors have discovered that cryptocurrency newbies are unwitting targets that offer a consistent stream of revenue. Through our global network visibility, Cisco has observed many of these attacks originating from bulletproof hosting infrastructures located in the Eastern European region. This area is a hotbed for crypto theft and other computer crimes such as ransomware, botnets, DDoS services and credit card fraud. Some criminals have even extended beyond the digital world by kidnapping and demanding ransoms in Bitcoin, such as the case in the reported kidnapping and ransom of Pavel Lerner. Lerner was a lead analyst at Ukraine-based digital currency exchange, Exmo, who was released by his kidnappers after a $1 million Bitcoin payment was made. The event illustrates the desperate lengths some criminals will go in order to steal cryptocurrency. Joining the Enterprise Ethereum Alliance in 2017, Cisco is committed to protecting these new crypto technologies. Over the past year Cisco researchers have teamed up with the Ukraine Cyber Police to track a Bitcoin phishing operation dubbed the "Coinhoarder" campaign that has been tied to the theft of tens of millions of dollars worth of Bitcoin. Cisco has detected these campaigns with its state of the art web content classification which leverages topic modeling and natural language processing algorithms to predict malicious sites and infrastructures. We will also talk about the increase in SSL certificates used by phishing sites over the past year how criminals are evolving their tactics to make their sites nearly indistinguishable from legitimate sites. Credential phishing continues to be one of the biggest security challenges for internet users, and cryptocurrency phishers have found it to be a very lucrative form of attack. In 2017, Chainalysis reported Ethereum phishing as being the number one source of theft in that ecosystem with estimates placing the total amount stolen at $115 million. Google also recently published a research paper stating credential phishing is one of their top security challenges. Cisco has been proactive in detecting phishing domains in predictive fashion to help protect our customers. Additionally, we have been working with security personnel at top cryptocurrency wallets and exchanges, such as Blockchain.info and Coinbase, to help protect the cryptocurrency community members from having their tokens stolen.

  June 29, 2018 11:00-12:00

•  BE

  Free BugBounty as a CERT

  Emilien Le Jamtel (CERT-EU, BE)

  Emilien Le Jamtel is a security analyst working for CERT-EU.

  As a CERT, handling a bug bounty program for your constituents may be challenging. In CERT-EU, during our vulnerability management process, we created a specific page on our website to thanks a researcher pointing out vulnerabilities on our constituents websites.

  Once the program started, a lot of unexpected issues were encountered and we had to modify our processes and tools to be able to face those challenges.

  In this presentation we will provide details on challenges and how we handled them to make our life easier and provide a better service for our constituents.

  June 27, 2018 13:45-14:15

  Le-Jamtel-Emilien_FIRST_20180627.pdf

  MD5: fa495991334a346ec5e9427b01ff4eb5

  Format: application/pdf

  Last Update: July 27th, 2018

  Size: 1013.5 Kb

•  IN

  Hands-on exploitation and hardening of wearable and IoT platforms

  Sumanth NaropanthSumanth Naropanth (Deep Armor, IN), Sunil Kumar (Deep Armor, IN)

  Sunil Kumar is a Security Analyst at Deep Armor. He has vast experience in pentesting web applications, mobile applications and IoT products. In addition to penetration testing, he has advanced knowledge of AWS and development skills in node.js and python. Prior to Deep Armor, Sunil worked as a security engineer for Olacabs and Aricent technologies.

  Sumanth Naropanth is a technical expert in security research, vulnerability assessments, security architecture & design, and incident response. He has held several security leadership positions, has developed detailed frameworks for Security Development Lifecycle (SDL) for large corporations, and has managed global teams that executed those SDL activities. Sumanth is the founder and CEO of Deep Armor. He previously worked for Sun Microsystems, Palm/HP and Intel. He and his team have published their research at well-known security conferences, including Black Hat Asia, Black Hat Europe, Troopers, Nuit du Hack, Shakacon and so on. Sumanth has a Masters degree in Computer Science (Security) from Columbia University.

  This interactive course teaches engineers about security for IoT and wearable platforms. The course is tailored to educate students on a holistic hands-on approach to securing wearable/IoT ecosystems and designing security development lifecycle (SDL) for such classes of devices. We primarily focus on hardware security paradigms and securing communication protocols used in such devices and accompanying Android/iOS applications.

  We will show maker products built using micro-controllers and SoCs that are commonly used in IoT form factor devices. The audience will be see how the most commonly used communication protocols in these products are complicated to secure. Via a series of demos and live packet sniffing and injection, we will teach mechanisms to snoop on these channels, bypass basic security protections and inject rogue packets. We also teach how to secure the hardware, firmware & software components used in these devices.

  Wearables operate in very close proximity to users, and hence have access to a wealth of user personal information. We consider privacy to be an important aspect of SDL for wearables. Our training includes a session on privacy for wearable platforms.

   

  Prerequisites:

  Familiarity with embedded systems and interfacing with them using USB and serial ports; Basic familiarity with Bluetooth, BLE and ZigBee; Working with, and debugging Android applications; Basics of cryptography and information security

  June 28, 2018 10:30-12:30

  Naropanth-Sumanth-Kumar-Sunil-_FIRST_Workshop_20180702.pdf

  MD5: 4f276ec69d88e651150d9c3ddd6475b1

  Format: application/pdf

  Last Update: July 26th, 2018

  Size: 2.14 Mb

• ICS SIG Meeting

  16:00 – 17:00

  Open meeting. No journalists, publicists, etc.

  June 26, 2018 16:15-17:15

•  LU

  Improving Threat Intelligence Platform and Information Sharing by Measuring Real-Time Collaboration in TIP like MISP

  Raphaël Vinot (CIRCL, LU)

  Raphaël Vinot is a software developer working for CIRCL and is working on all kind of tools around MISP (API, 3dr party modules, ...).

  Information sharing about threats among the community has been demonstrated to be essential in incident response. CERT and CSIRT operators can use the shared information to investigate or prevent attacks or threats against ICT infrastructures, organisations or people.

  The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators. More than 7000 organisations worldwide are using it to share with, but also to receive from others.

  Leveraging the publish-subscribe model of one or more MISP instances, an open source dashboard 'MISP-Dashboard' (https://github.com/MISP/misp-dashboard) has been built, allowing to show live data, action and trends that occurs in one or more MISP platform(s). In addition to this, the can be refined and pushed back to the platform.

  In this the first part of the talk, we propose an overview of 'MISP-Dashboard' by showing use-cases and an example of how information can be refined and pushed back to the community. To illustrate the latter point, historical geolocalised information and how they can support security teams finding threats in their constituency will be presented.

  In the second part, we will show about an initial implementation to passively add confidence-level to contributions, create incentives to share data and promote collaboration; consisting in a gamification of the MISP Threat Sharing Platform. Attendee will be invited to discuss and give opinions about the model. The FIRST community provides a ground on how to measure collaboration in the field of information security. The objective of the talk is to discuss with the members about the opportunities to drive more collaboration in automated systems like MISP or similar tools.

  June 26, 2018 13:45-14:45

•  GB

  Incident Management - The Art of Herding Cats

  Paul Clayton (BT, GB)

  Currently the lead for Incident Management and Personal Engagement. I run three teams which have been carefully assembled to allow incidents to be managed to conclusion, and any learning to be identified and fed back into the training and development of staff once the incident has concluded. My background, prior to this role, is as an Incident Manager, a Technical Trainer and Team Manager.

  BT’s security team is constantly evolving to meet the threat landscape, and the needs of the business. A key part of that team is the security incident management team, who routinely take challenging and fast paced security incidents, investigate them and bring them to a successful resolution. Successful resolution is bringing back normal service, but we worry as much about lateral movement and understanding attackers actions as much as the remediation of the service being impacted.

  This is what we do.

  But how do we do it?

  During this talk I will show how incident managers go about their business day to day, beyond process and beyond formal training.

  • An insight into incident management at an organisation the size of BT with a footprint in 190 countries, employing 90,000 people with 120,000 endpoints, and being covered by a 4 security incident managers) o What is it and what it is not, we are not a technical team, we are investigators who draw on others expertise to solve complex worldwide problems o How we drive incidents to conclusion regardless of complexity or vagary o What are they key challenges that are faced by the team and how we learn from experience and avoid the many pitfalls they bring o How we engage across varied teams with very different skills and abilities and allow them to flourish and innovate o How we build and manage an effective communications stream o Command and control, pre-empting key events and potential incidents to keep assets and people safe. For example Cyber Monday, where preparation and effective communication is key o How we identify learning and bring that back to developing technical teams and also security teams  Post Incident Reviews • Identifying and driving security improvements post incident
  • Maintaining control of improvements • Bringing visibility of security risks trends to relevant stakeholders  War Gaming • How we plan war-games based on incidents we have expertise of, but also ones we don’t yet know but need to be prepared for. This drives maturity. • How these war-games are chosen. • An insight into the core skills required o Why softer skills are invaluable in bridging the gap between technical teams and senior stakeholders  How we manage and issue communications, and provide reassurance of the situation and the steps being taken  How we manage and fulfil expectations of senior management and board level executives  Why emotional maturity (EQ) is so vital to the role • Innovative projects that have been borne out of live incidents o How we have developed our team structure to include behaviours, problem management and training so we can get the root of an issue at pace and deliver learning and improvement across the business o How, over time, we have taken high priority complex incidents and delivered process that simplifies the remediation and allows front line teams to deliver the solution

  The goal of this talk would be to cover fundamental points that all sizes of IM teams could use to improve their service and communicate more effectively with their stakeholders. This is not a technical talk and would be of value to a team leader, strategist or Incident Manager.

  June 25, 2018 16:00-16:30

•  TW

  Internet Cartography using BGP and the Implications to Data Sovereignty

  Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)

  Fyodor Yarochkin is a researcher with TrendMicro Taiwan as well as a PhD candidate in EE at the National Taiwan University. He was an early Snort developer, and open source evangelist as well as a "happy" programmer. Prior to that, Fyodor's professional experience includes several years as a threat analyst at Armorize and over eight years asa information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for a majority of the regional banking, finance, semiconductor, and telecommunication organizations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally. (do you have a web page you want me to use?)

  We see the world in terms of geographical blocks and break these down further into countries; each country is sovereign and sets its own rules and regulations. These borders are more complicated when they involve the free flow of data. When put into the context of data protection regulations such as the US Patriot Act and GRDP, visualizing this flow of data – and how Internet routing affects Data Sovereignty and Data Protections in various countries - shows a very different view of our “virtual world” than our perceptions of the physical geopolitical one.

  The intention of this talk is to present a cartography of Internet connections by selected countries (US, Canada, UK, Germany, Russia, China, Australia, etc) showing how data is routed in and out of that country via Border Gateway Protocol (BGP) nodes (called ASNs). The presentation will illustrate the breadth at which data sovereignty because of the routing layer is not as cut and dry as currently perceived; the degree to which other countries’ data protection laws (such as GDRP) will affect other countries; the degree to which various Critical Infrastructures within these countries are subject to these issues, and finally, how significant attacks like BGP hijacking can affect data and network Sovereignty.

  June 26, 2018 16:15-17:15

•  CH

  IPv6 Security

  Frank Herberg (SWITCH-CERT, CH)

  After completing his studies in engineering, Frank Herberg worked on IT infrastructure and security projects for a number of technology consulting firms. In 2012, he joined SWITCH-CERT, where one of his specialisms is IPv6 security. In the past years he conducted divers IPv6 security trainings and hands-on workshops for the security community.

  The Training will give an overview of the security aspects of the 'new' Internet Protocol IPv6. Participants will learn the differences to IPv4

  • related to security. The training also covers a deep dive into selected protocol details and their accompanied attacks including demonstrations. The participants will get recommendations on the mitigation of IPv6-related attacks and how to strategically approach IPv6 Security in an organization. Last but not least an overview of useful IPv6 Security Resources and Tools will be provided.

  June 25, 2018 14:00-15:30

  Herberg-Frank_FIRST_20180624.pdf

  MD5: b0df4f48b10af9ea44bd134bfd2ae969

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 5.82 Mb

• Keynote: 30 years on...why are we still needed more than ever?

  Paul Jackson (Managing Director, Kroll)

  Paul Jackson arrived in Asia 30 years ago, just before FIRST began their long and storied history of hosting pre-eminent cyber security conferences. Qualified as an electronics and telecommunications engineer in the UK, Paul naturally decided to seek adventure as a an officer in the Royal Hong Kong Police Force. There was just something about the uniform! After a few years of fun chasing smugglers in speedboats, Paul's past caught up with him and he was asked to lead a team to work with all the new mobile phone operators that were granted licences in 1995 and essentially keep tabs on the criminals with their new toys. Thus began a long career in technology related crime investigation and cyber security. Given his inability to shoot straight, this was probably a good thing!

  As we moved safely past Y2K, he became a founding member of the Technology Crime Division in the HKP. As head of computer forensic investigations, he went on to develop the lab, training programs and evidence handling procedures whilst remaining as hands-on as possible. At the same time, Paul worked extensively to develop and facilitate cybercrime investigation, intelligence and forensics training programs for Interpol across APAC and occasionally in Europe. He co-founded the HTCIA Asia Pacific Chapter in 2005, ran cyber security for the HK portion of the Olympic Games in 2008 and led cyber security for other small events held in HK such as the WTO meeting and ITU conference.

  New adventures beckoned in 2010 when Paul joined JPMorgan. Initially hired as APAC Head of Investigations, Paul's experience in building forensics and IR capabilities soon led to him being asked to move to New York to lead the global high tech investigation teams. Due to restructuring, the team was built virtually from scratch and to this day remains a leading capability in corporate America. The time spent heading this global team was full of extraordinary challenges, dealing with front-page news incidents and high-pressure situations.

  Paul moved back to Asia in 2014, because life's too short! Keen to bring all the knowledge back with him and work with the community in Asia to uplift capability and standards, Paul moved into the consulting world and now heads Kroll's Asia Pacific Cyber Security and Investigations Practice working to protect major organisations throughout the region. He is also a frequent speaker at APAC events and is often quoted in media articles. He can even be heard telling stories on the radio from time to time.

  This presentation takes a look back over the past 30 years of cybercrime and cyber security from an APAC perspective. Seen through the eyes of an Asia veteran who has experienced cybersecurity and cybercrime investigation as a cop, corporate investigator and now consultant, this is not just a journey through how we have evolved as an industry, but also where we have succeeded and failed to learn the lessons of the past.

  The key is criminal ingenuity. For every technological advance that we have made during those 30 years, someone somewhere has looked at it from a very different and often unexpected perspective. As we move forward into a world dominated by artificial intelligence, autonomous vehicles, connected medical devices, robotics and blockchain, are we able to learn from experience and evolve into a safer world? The nature of future technologies having life threatening consequences demands that we get it right! With that in mind, it never hurts to reflect on the stories from the past and explore why we are still needed more than ever to address threats as yet unknown, but perhaps predictable.

  June 29, 2018 08:45-09:45

• Keynote: How to Avoid Having a Really Bad Day

  Rob McMillan (Research Director, Gartner)

  Mr. McMillan joined Gartner after almost nine years in information security at the Commonwealth Bank of Australia, where he was Executive Manager of Business Information Security Support. In this position, he was responsible for developing and implementing security policies and standards, operating the bank's threat intelligence capability, implementing the security awareness program, rolling out security infrastructure technologies, and a range of other issues. During this time, he was also a key participant in broader industry initiatives. Prior to this, Mr. McMillan was co-founder and general manager of AusCERT, responsible for the strategic direction and overall operational management of its core business. He had also spent four years with CERT in the U.S.

  Many organizations struggle with the effective performance of security incident response. It’s always been that way, but the nature of the challenge has changed in the past 30 years. Auditors, regulators and other stakeholders require a clear approach with regard to the management of security incidents. This presentation explores this evolution and its consequences.

  June 26, 2018 09:15-10:30

• Keynote: Jury-Rigging Democracy: The Crazy, Sad Saga of Election Security in the U.S.

  Kim Zetter (Cybersecurity Journalist and Author)

  Kim Zetter is an award-winning investigative journalist and author who has covered cybersecurity and national security since 1999, most recently for WIRED, where she wrote for more than a decade. She has broken numerous stories over the years about NSA surveillance, WikiLeaks, and the hacker underground, including an award-winning series about the security problems with electronic voting machines. She has three times been voted one of the top ten security journalists in the U.S. by her journalism peers and security professionals. She's considered one of the world's experts on Stuxnet, a virus/worm used to sabotage Iran's nuclear program, and published a highly-acclaimed book on the topic - Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.

  When Congress passed the Help America Vote Act in 2002 in the wake of the Florida hanging chad debacle, it flung $3.9 billion at states to upgrade their antiquated election technology along with a deadline in which to spend it. States went on a frenzied buying spree, taking voting machine vendors at their word that new electronic voting machines would solve all of their election woes. But instead of solving the nation's election problems, the machines created a host of new ones -- including providing an easy way for someone to rig elections without detection. Kim Zetter, who has been writing about the voting machine issue for 15 years -- for WIRED, Politico and the New York Times -- will take us through the mad history of election security over the last decade and explain how it set the nation on course for the Russian election hacking scare we face today.

  June 27, 2018 09:15-10:30

• Keynote: Lessons Learned From a Man-in-the-Middle Attack

  Frank Groenewegen (Chief Security Expert, Fox-IT) & Erik de Jong (Chief Research Officer, Fox-IT)

  Erik de Jong is Chief Research Officer with 20 years of experience in the field of information security. In his former position, Erik was responsible for Fox-IT’s Security Research Team: hunting and applying intelligence. Prior to that he ran FoxCERT, Fox-IT’s Computer Emergency Response Team. Previously, Erik has held positions as Incident Handler and Security Advisor for the Dutch National Cyber Security Center.

  Frank Groenewegen is Chief Security Expert within Fox-IT, part of NCC Group. He is responsible for high profile investigations, incident response cases and also active in gathering intelligence in the fast adapting threat landscape. Over the past 12,5 years, Frank has worked in a variety of cyber security roles within our Managed Detection and Response departments. He has led high profile incident response cases, which are internationally recognized, such as the DigiNotar and Belgacom hack.

  It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a “Man-in-the-Middle” attack. As a result of the multi-layered security protection, detection and response mechanisms we had in place, the incident was both small and contained, but as a cyber security specialist it has made us look long and hard at ourselves. While the police investigation is still on-going, we are sharing details of this incident with the public now that we feel confident that most details are sufficiently clear. This is about who we are and what we do. We believe that ultimately in these cases, transparency builds more trust than secrecy and there are lessons to be learned, both good and bad, that we want to share.

  June 28, 2018 09:15-10:30

• Keynote: The Evolution of the Cyber Threat, Our Response and the Role of Diplomacy

  Christopher Painter (Commissioner, Global Commission on the Stability of Cyberspace)

  Chris Painter is a globally recognized leader and expert on cybersecurity and cyber policy, Cyber Diplomacy and combatting cybercrime. He’s currently Commissioner on the Global Commission for the Stability of Cyberspace, a board member for the Center for Internet Security and the Distinguished Visiting Fellow for the Australian Security Policy Institute. He has been on the vanguard of U.S. and international cyber issues for over 25 years—first as a prosecutor of some of the most high-profile cybercrime cases in the country and then as a senior official at the Department of Justice, FBI, the National Security Council and finally the State Department. He has initiated, helped drive, or advised on virtually every major U.S. cyber policy for over a decade and has created innovative new organizations and approaches to deal with threats and take advantage of opportunities in cyberspace.

  In his most recent role as the nation’s top cyber diplomat, Mr. Painter coordinated and led the United States’ diplomatic efforts to advance an open, interoperable, secure and reliable Internet and information infrastructure and advised the Secretary and Deputy Secretary of State on these emerging issues. The pioneering office that Mr. Painter established — the Office of the Coordinator for Cyber Issues — was the first high-level position and office dedicated to advancing the diplomatic aspects of cyber issues ranging from national security to human rights matters. These issues include promoting norms of responsible state behavior and cyber stability, preventing cyber conflict, enhancing deterrence, advancing cybersecurity, fighting cybercrime, promoting multi-stakeholder Internet governance and advancing Internet freedom.

  Among many other things, Mr. Painter was instrumental in negotiating a landmark agreement regarding the theft of intellectual property with China, negotiating a comprehensive cyber cooperation agreement with India, using diplomatic and other tools to combat high-profile cyber attacks and intrusions, and launching first of their kind “whole of government” cyber dialogues and capacity building programs with dozens of countries in Europe, Asia, the Americas, the Middle East and Africa. He and his team also spearheaded the promotion of an international framework of cyber stability that includes building a consensus around norms of acceptable behavior and getting agreement on transparency and confidence-building measures designed to reduce the risk of miscalculation that could inadvertently lead to conflict in cyberspace.

  Prior to joining the State Department, Mr. Painter served in the White House as Senior Director for Cyber Policy and Acting Cyber Coordinator in the National Security Council. He was a senior member of the team that conducted the President’s Cyberspace Policy Review in 2009 and he subsequently helped create and then structure a new directorate in the National Security Council devoted to these issues.

  Mr. Painter has been a frequent media spokesperson and presenter on cyber issues around the globe. He was named the Bartels World Affairs Fellow by Cornell University for 2017-2018 and chosen as a member of the Board of the Center for Internet Security. He is the recipient of the prestigious RSA Award for Excellence in the Field of Public Policy (2016), the Attorney General’s Award for Exceptional Service, the Intelligence Community Legal Award (2008) and has been named to the “Federal 100” list, among other honors. He is a graduate of Stanford Law School and Cornell University and clerked for US Circuit Judge Betty Fletcher.

  June 25, 2018 09:45-10:45

•  US

  Learning from chaos, cloud and scale: Netflix SIRT

  Alex Maestretti (Netflix, US), Swathi Joshi (Netflix, US)

  Alex Maestretti leads the Security Intelligence and Response Team at Netflix, with previous gigs at Apple and the US Government. Our SIRT reflects Netflix’s culture and technology stack. We are a small team that scales through stunning colleagues and engineering. Our technology stack allows us to be agile in responding to security incidents, and recover quickly, which in turn allows smart risk taking. Overall our goal is to understand threats to Netflix through intelligence gathering, and buy down risk across a broad range of threats through Incident Response.

  Swathi currently works at Netflix as Senior Technical Program Manager, on the Security Incident Response team where she is responsible for crisis management and maturing the incident response function.

  Prior to that, she worked at Mandiant as an Engagement Manager, advising and being the front line defense on security issues to 20+ clients. Prior to being a security consultant, she was Associate Director of Information Security at CEB/Gartner where she led the identity and access management team, client engagement and other technical security projects.

  Swathi has her MS in Information Security from George Mason University and her BS in Computer Science from Nitte, India. She currently sits on the board of Sahasra Deepika Foundation for Education.

  The Netflix Security Intelligence and Response Team (SIRT) has grown out of the unique Netflix culture and technology stacks and taken a non-traditional approach. We seek to make SIRT central to our learning security organization while buying down risk across a broad range of known and unknown threats. To achieve this we are leveraging concepts from chaos engineering to introduce continuous testing for security controls and detections spawned out of the post incident review process. Post-detection we are investing in modern forensic and response tools that can scale in the public cloud and leverage immutable deployments in production. On the corporate side we are developing best practices for IR in a fully SaaS environment, and rethinking our approach to network and endpoint security monitoring with identity as the new perimeter. This allows us to grow our response capabilities through engineering and new approaches as opposed to large multi-tiered SOCs with linear staffing requirements. We believe this approach can enable even modestly resourced security teams to have significant impact through their IR programs, and would like to share some of our thoughts for discussion.

  June 25, 2018 12:15-12:45

  Maestretti-Alex-and-Joshi-Swathi_FIRST_20180625.pdf

  MD5: e33cedfa0d27e643066dbf3914d701da

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 2.72 Mb

•  IT

  Malvertising: an Italian Tale

  Andrea Minigozzi (Leonardo Spa, IT), Antonio Rossi (Leonardo Spa, IT)

  Antonio Rossi is a former investigator of Italian Economical and Financial Police Special Units (Guardia di Finanza - GAT), with twenty years experience in digital crime investigation and fraud management. He is actually employed in Leonardo Company as Head of LDO-CERT.

  Andrea Minigozzi is a certified CISSP, GCFA and OPST Security Professional with seventeen years experience, encompassing SOC/SIEM, malware analysis, investigating security incidents, computer and network forensics, ISO 27001/NIST/COBIT audits and hardening of various devices. Andrea is project owner for FG-Scanner project. Clusit (Italian Cyber Security Professionals Networks) and ISC2 Italy Chapter member.

  When a small advertisement becomes a big risk: follow our Incident Responders deep investigating a rare malware infection via hot advertisement. During the speech you will be guided to the entire process, from Early Warning to Remediation, including HR approach to the user. We will cover new aspects about Malvertising as Social Profiling capabilities used to targeting the attack and how attackers mask their identity behind the advertisement network. At the end of the presentation, a section about preventive measures implemented will be explained as result of "Lesson Learned Phase".

  June 28, 2018 11:00-12:00

  Minigozzi-Andrea-Rossi-Antonio_FIRST_20180612.pdf

  MD5: fd5928ead80fbdd3951f1bb41b852e4f

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 4.78 Mb

•  LV

  Malware Reweaponization - A Case Study

  Karlis Podins (CERT.LV, LV)

  Karlis is a PhD student with University of Latvia and threat analyst with CERT.LV. Karlis has 10 years of work experience in cyber security in military and government positions, currently with national CSIRT of Latvia

  The topic of this research is binary editing of captured malware samples to turn them into deployable cyber attack tools, we call this process reweaponization or malware reuse. Cyber attack reflection or cyber attack ricochet is also used in related literature.

  The authors demonstrate a working proof-of-concept of reweaponization by replacing payload in an up-to-date, real world APT malware sample (discovered year 2017, contains 3 0days), while leaving the exploitation part intact. Furthermore, two separate paths for malware reweaponization are shown:

  • replacing whole payload
  • replacing C&C domains

  The sample analysed consists of several layers, that need to be thoroughly analysed and repackaged for successful binary editing:

  • MS office document
  • embedded postscript image
  • packed postscript
  • shellcode
  • packed shellcode
  • dropper executable
  • payload executable
  • C&C domains Authors will describe the analysis process step-by-step, the binary modification and reverse process to get hold of modified working sample.

  Malware reweaponization is not novel, it has recently been mentioned in public discussions, and there is evidence of this technique being used for several years by intelligence agencies. The purpose of our proof-of-concept is to demonstrate the ease with which reweaponization can be achieved.

  The value of this work is in understanding the cyber threat landscape as it changes. We expect that malware reuse will gain popularity creating additional workload for CSIRT teams and will furthermore complicate the attribution of cyber attacks.

  Traditionally, attribution in cyberspace is based on the Tactics-Techniques-Procedures triad, with tools being the category most relied upon. Expanded use of malware reweaponization would render tool-based attribution fairly ineffective, providing a near-perfect false flag cyber operation.

  Note: The strict scientific guidelines require to reveal enough information to make our experiments repeatable. Unfortunately this also means any competent reader could make their own cyber weapon, a clearly undesireable consequence. Thus we do not provide malware sample and detailed instructions (exact byte offsets etc). In authors opinion this decision in no way affects our contribution, as the main goal of technical section is to demonstrate that malware reweaponization is relatively easy.

  June 25, 2018 16:00-16:30

  Podins-Karlis_FIRST_201806019.pdf

  MD5: cbb1eb171f55fbf299216b04ab11f441

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 12.43 Mb

•  CH

  Managing Risks Through Taxonomies

  Dr. Serge DrozDr. Serge Droz (Open Sytems AG, CH)

  Serge Droz is the Vice President OS-CERT at Open Systems, one of the leading managed security service providers in Europe. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. Before joining Open Systems, he worked in academia in Switzerland and Canada, later as a Chief Security Officer of Paul Scherrer Institute, as well as in different security roles at SWITCH for more than 15 years. Serge is a member of the board of directors of FIRST. He also served for 2 years in the ENISA (European Union Agency for Network and Information Security) permanent stakeholder group. Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.

  Communicating the value of Security practices and incident response capabilities is challenging. After all, Security only costs money, doesn't it? CISOs are interested in Risks, and mean things like reputation, outages, loss. Security professionals on the other hand talk about vulnerabilities, access vectors and the like, which is reflected in most of the available taxonomies.

  We try to combined the two worlds by creating a multi dimensional taxonomy, which relates the How to the what. The goal is to identify the largest risks to an organisation so resources can be properly allocated. The proposed mechanism helps creating bridges between technically oriented security staff and financially driven executives. It should, at the end of the day, help demonstrating the value of security.

  June 28, 2018 14:45-15:15

• Mature PSIRTs Need Mature Tools

  Beverly Finch is an Executive Program Manager leading Lenovo's PSIRT from its inception just over 3 years ago. She has a passion for collaborating with industry peers to establish best practices in the area of vulnerability management and communications. Beverly is on MITRE's CVE Board and is currently chairing FIRST's Vendor SIG.

  Many PSIRTs have multiple brands and many products which are comprised of hundreds of components. Each component has hundreds (or thousands) of 3rd party source code/open source code with vulnerabilities reported every day. Exactly how does a PSIRT document, assign and track all this complexity? Handling large amounts of information across numerous vulnerabilities and communicating with everyone who needs the information can be tricky! In this presentation, you will see how Lenovo has matured over the course of 3 years from tracking a few vulnerabilities in spreadsheets to Jira ticketing and then most recently to an integrated Jira + database solution.

  June 26, 2018 13:45-14:45

•  AU

  Memory Forensics in Incident Response and Threat Hunting

  Josh LemonJosh Lemon (Salesforce & SANS Institute, AU)

  Josh Lemon is a SANS Instructor for FOR508 - Advanced Digital Forensics, Incident Response, and Threat Hunting at the SANS Institute. He's also a Director at Salesforce.com in their international Computer Security Incident Response Team (CSIRT) managing their APAC team, where he also heads up their Advanced Incident Response service that provides tactical support for complicated incidents.

  Prior to Salesforce, Josh was the CSIRT Manager for the Commonwealth Bank of Australia leading one of the largest dedicated incident response teams in the Australian commercial sector. He has previously worked as a Managing Consult for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, included overseeing large and complex incident response and offensive security engagements.

  Josh has provided incident response, digital forensics and penetration testing services to Government, Law Enforcement, and the Commercial sector. He was one of the co-creators for SecTalks in Sydney Australia, a monthly information security community event dedicated to presenting and teaching technical information security skills to others.

  Josh has a varied background in the cybersecurity industry ranging from; Project Management, Lead Incident Responder, Forensics Analysis, Reverse Engineer, Penetration Testing, Secure Network Design, and Software Development. He currently holds a GREM, GCFA, GNFA, GCIH, GPEN, GPYC and lectures on investigating cyber attacks at Universities in Australia.

  Memory is the bridge between the CPU, operating system, and getting things done. Nearly everything of interest that has ever happened on a modern computer has traversed memory. From files to network connections to registry hives to running malware, a wealth of data is available for analysis. Memory analysis for many years was primarily limited to performing string and byte searches through seemingly random data. Now, the structure of modern memory layouts is better and forensic toolsets are continually evolving to allow for a more granular approach to examining the contents of memory.

  The release of Windows 10 has put significant pressure on our memory forensic tools. Significant changes to memory structures occurred in this update (in addition to changes that already occurred in Windows 8). Windows 10 also made significant changes to several standard Windows artefacts, including Prefetch and Shimcache. These artefacts are commonly extracted from memory images, and hence the need for our memory analysis tools to be updated to support the new formats and compression schemes used. The world of memory forensics is ever evolving and being able to maintain pace while also finding quicker ways to perform analysis across an enterprise of systems is becoming increasingly crucial for Incident Responders.

  Attendees will leave this workshop armed with open source tools to analyse memory images quicker with greater accuracy, along with a better knowledge of tools that can be taken advantage of when performing memory analysis in support of incident response. Particular attention will be given to rapidly finding evil within a memory image, the challenges in analysing Windows 10 and Server 2016 systems, and performing memory forensics at scale across an enterprise. Documentation and reference materials will be provided.

  June 26, 2018 10:30-12:30

•  US

  Mind Hunter - Adversary Inception

  Daniel Hatheway (Recorded Future, US), Levi Gundert (Recorded Future, US)

  Levi Gundert is the Vice President of Intelligence at Recorded Future, where he leads the continuous effort to measurably decrease operational risk for customers. Gundert has been defending networks, arresting international criminals, and profiling foreign adversaries for over fifteen years. He is a trusted risk advisor to Fortune 100 companies, and a prolific speaker, blogger, and columnist, writing information security articles for Dark Reading, InformationWeek, and SC Magazine. Previous industry roles include VP of Cyber Threat Intelligence at Fidelity Investments, Technical Leader at Cisco Talos, and U.S. Secret Service Agent within the Los Angeles Electronic Crimes Task Force (ECTF).

  Daniel Hatheway has experience working in operational security (roles include security system operations, security architect, and incident response) across multiple industry verticals, including energy, financial services, and technology. Daniel's experience gives him a refined skill set for creative threat hunting across the web, and malicious campaign tracking. Most recently, Daniel is focused on collecting and analyzing unique malware to enhance Recorded Future's product.

  After a successful breach, information security practitioners may be inclined to say “What difference does it make who did it? Let’s remediate and move on.” This perspective is a mistake. General attribution is a worthwhile exercise for defenders because motivation informs methodology. Businesses that pursue adversary profiling will excel at estimating future risk.

  Today’s most effective adversaries are meticulous about operational security when committing unauthorized access. Therefore, understanding the adversary requires direct engagement. This presentation shares insights gained from conversations with various threat actors over the past two years. The presentation covers OPSEC considerations when engaging with adversaries, the nuisances of motivation, the origination of decisions to engage in criminal behavior, and the takeaways for estimating risk.

  This presentation is about people, their mindsets, their motivations, and their rationalizations/justifications for committing cyber-crime.

  Excel beyond the normal conventions of adversary profiling, and enter the criminal mind. Hear firsthand from actors, to understand the nuisances of motivation, the origination of decisions to engage in cyber-criminal behavior, and the takeaways for estimating business risk.

  Learning Objectives:

  Identify when to approach threat actors, how to initiate successful actor conversations, and effective strategies for obtaining deeper intelligence about adversary tools and tactics.

  Consider whether human intelligence (HUMINT) is right for your INFOSEC program, and OPSEC considerations when building a practice.

  Understand how actors think about their work. Understand how to translate HUMINT into summary business risk.

  June 25, 2018 14:00-15:00

•  FI

  Motivating to Successful Collaboration with Results

  Lasse Laukka (Ericsson PSIRT, FI)

  Lasse Laukka works as a senior specialist in NCSC-FI at Ficora. Lasse is responsible for developing the situational awareness and collaboration at NCSC-FI. Previously Lasse has worked at a PSIRT (Ericsson) and participated in the ISAC activities which gives Lasse a wide view to collaboration from many angles.

  At NCSC-FI we are used to work with relatively low budget, not so many people but still justifying our place in the country by delivering accurate, real-time and useful information to our constituents. One and very important part of this is active dialog with both private and public sector. Collaboration and effective way of working is the key to success.

  The presentation gives an overview of our 15 year journey so far: where we started, what we did in order to establish active collaboration networks for Finnish industry and government, what we have achieved (providing sensor network data for our constituents, confidential sharing of information, quick response times during the incident, uniting security professionals) and how we are planning to improve the maturity of collaboration in the future.

  One of the key factors that makes collaboration possible is trust and added value. We do this by distributing information based on our network scanning during major incidents (i.e. ROBOT-vulnerability, wannacry, heartbleed), sensor network detections(HAVARO) and anonymized data sharing(daily and weekly reporting). This motivates the network to also share information.

  The presentation gives ideas on how you can bring added value to your constituents and collaboration networks. The focus groups are the organizations that are maintaining are running active collaboration but also those who actively participate in such activities.

  June 26, 2018 12:00-12:30

  Laukka-Lasse_FIRST_20180626.pdf

  MD5: 1afb5c0847d2fdb8184f48ca50f012b8

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 382.64 Kb

•  US

  “Moving to The Left”: Getting Ahead of Vulnerabilities by Focusing on Weaknesses

  Jim Duncan (Jim Duncan, US)

  I have been involved in cybersecurity incident response since before the Morris Worm. I have been attending FIRST since 1991 and I became the first full-time hire onto the Cisco PSIRT in 1999. In 2008 I joined the Juniper SIRT when it was re-bootstrapped, and in 2012 I moved over to the newly-formed Juniper Secure Development Lifecycle team. I have a BA in Religion from Auburn University and a BS in Computer Science from Old Dominion University. I have a wide range of outside interests including soccer refereeing, firearms range safety, parliamentary process and piano and string instrument technology.

  If I have learned anything from nearly thirty years of CSIRT experience, it is that the number and complexity of vulnerabilities continue to grow as fast as (or faster than) our plans to deal with them. We continue to develop and improve tools for vulnerability management, classification, analysis, communication and so on, but these are all merely coping strategies. There will always be water in the basement, no matter how fast we run the pump (nor how many pumps we put into service). Just as health professionals move beyond epidemics and infected individuals to improvement of environments and lifestyles that lead to less disease and improved quality of life, so do we need to shift our focus away from vulnerabilities and onto the conditions that allow them to exist. All vulnerabilities depend on the existence of one or more weaknesses, usually in coding or design. The inverse is not true; not all weaknesses result in vulnerabilities. However, because of the former relationship, if we remove or reduce weaknesses, we get vulnerability elimination for free as a side effect. In this one-hour presentation, I will explain this concept and walk the attendees through the structure of the Common Weakness Enumeration. I will give concrete examples of improvements that come with weakness identification and analysis. Shortly after changing jobs from the Juniper SIRT to the Juniper Secure Development Lifecycle program nearly five years ago, I instigated modifications to Juniper’s problem reporting system, GNATS, so that weaknesses could be identified as as part of PR management and CWE labels could be assigned to individual flaws. The grouping of individual weaknesses into larger groups enables trending and analysis. It has become a fundamental part of our penetration testing reports and the results allow us to target certain failures in coding and design. In particular, managers and directors are empowered by the results to implement changes in training requirements and shift focus on bug resolution, for two examples. Separately, without regard to specific products, by studying large numbers of CWE labels attached to a variety of problem reports from across our entire development organization, I have produced a “Top Ten Weaknesses Report” for all but 2017. By comparing to industry trends, we can quickly identify where we are consistent with our vendor peers and take advantage of already-available resources for improvement. We can also see where we diverge from our peers and take action on our own to implement improvements. Next, I will help attendees with tips and tricks for mapping specific findings to a range of CWE labels, help identify which may be the “best” label with regard to grouping and trending analysis, and also show the interplay between CWE, CVE and CAPEC labels. Lastly, I will offer some prognostications on the future of the CWE project and weakness study and processing in general. For any PSIRT with a nascent SDL function, this is a matter of survival. By “moving to the left” – getting ahead of software development coding and into the earlier design phases – a focus on weakness pays real dividends in reducing the overall incidence of vulnerabilities. And that, as we well know, keeps costs down by “vulnerability containment”, keeping flaws from escaping into customers’ networks.

  June 26, 2018 14:45-15:45

  Duncan-Jim_FIRST_20180626.pdf

  MD5: b6ab5c00d671156fe4b9d30ce3c1cec7

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 4.76 Mb

•  JP

  Multi-dimensional Malware Similarity will let you Catch Up with Malware Developers

  Koji YamadaRyusuke MasuokaKoji Yamada (Fujitsu System Integration Laboratories, JP), Kunihiko Yoshimura (Fujitsu System Integration Laboratories Limited, JP), Ryusuke Masuoka (Fujitsu System Integration Laboratories, JP), Toshitaka Satomi (Fujitsu System Integration Laboratories, JP)

  Kunihiko Yoshimura Kunihiko Yoshimura is a cybersecurity researcher with Fujitsu System Integration Laboratories (FSI) in Toranomon, Tokyo. He joined Ahnlab Inc. in Apr 2010 to work on A-SOC managed security service as security analyst, and he analyzed many alerts and many incidents though MSS operation about 4 years. He joined Verizon Inc. in May 2014 to work on Japanese SOC MSS as startup member of security analyst. He joined FSI in Apr 2015 to conduct cybersecurity research.

  Koji Yamada Koji Yamada is a cybersecurity researcher at Fujitsu System Integration Laboratories in Toranomon, Tokyo. He was engaged in FJC-CERT activities over 2 years and his interests are cyber threat intelligence, machine learning, and deception technologies.

  Toshitaka Satomi Toshitaka Satomi is a cybersecurity researcher with Fujitsu System Integration Laboratories (FSI) in Toranomon, Tokyo. After graduating Tokyo Institute of Technology with his bachelor's degree in 1997, he joined Fujitsu Personal Computer Systems to work on F-BASIC compiler, financial systems for an insurance company, and other systems. He got involved in a cybersecurity research project and helped build many cybersecurity prototypes and systems. He joined FSI in April 2017 to conduct cybersecurity research.

  Ryusuke Masuoka Dr. Ryusuke Masuoka is a research principal at Fujitsu System Integration Laboratories Limited in Toranomon, Tokyo, Japan, working on Cyber Security. Since joining Fujitsu Laboratories Ltd. in 1988, he conducted research into neural networks, simulated annealing, and agent systems. After moving to Fujitsu Laboratories of America, Inc. in March of 2001, he engaged in researches on pervasive/ubiquitous computing, Semantic Web, and bioinformatics, from which Task Computing resulted. Then he extended his research into Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things and Cyber Security. He also led numerous standard activities and collaborations with universities, national and private research institutes and startups. From the beginning of 2012, he started working on Anti Cyber Attack Solutions at Fujitsu Laboratories Limited. He joined the Center for International Public Policy Studies in July 2012 and studied Cyber Security Policy for two year. He is with Fujitsu System Integration Laboratories Limited since July 2014.

  The speaker will talk about the importance of multi-dimensional similarity between malware pieces and how it can change your malware analysis workflow and the game between you and malware developers. We have named the system to calculate multi-dimensional similarity “Sample Similarity Scoring System” and we will refer it as S4 in what follows. 

  We will also describe a couple of successful S4 applications to real pieces of malware Some of the problems malware analysts encounter are: 

  • More and more malware pieces are developed and deployed and it has become very difficult to keep up with the pace of increasing malware pieces 
  • Some malware has anti-sandbox capabilities to evade its detection by sandboxes 
  • Some software provides a "malicious score" for malware, but the score does not help how to proceed with malware analysis. 

  When an analyst encounters a new piece of malware, she first needs to determine the type of malware so that she can come up with an appropriate analysis procedure. Is it one of RATs, ransomware, a simple downloader, or totally a new kind? This is the first step of analysis and time-consuming, but it is critical and needs to be done right as it will affect the later analysis stages. If she can determine which past malware is similar to the new malware, she can leverage the knowledge and her past analysis workflow to tackle the new one. Some analysts utilize similarity tools like sdhash or ssdeep to determine the similarity of the new piece of malware to the malware pieces that they have analyzed before and/or famous malware families. However, this approach has one drawback, that is, malware developers have learned to evade their malware’s being detected of malware’s similarity to their past work. This is where “multi-dimensional” similarity comes to rescue. S4 employs more than 10 similarity tools/algorithms to calculate similarity scores between the new piece of malware and those malware pieces already in the S4 system. (Similarity tools and algorithms include fuzzy hashes, entry point, binary entropy, and our original algorisms based on Called APIs, Called DLLs, and their sequences.) However, it would be difficult for human analysts to interpret all the individual scores, so the S4 system summarizes those scores into (currently) three dimensions, namely, surface analysis, dynamic analysis, and geometric analysis similarity scores. Even if malware developers have managed to manipulate a couple of similarity scores, it would be extremely difficult for them to defeat all the tools and algorithms. 

  Other S4 merits include: 

  • An S4 instance can share past malware analysis results by files (currently in our proprietary file format, but STIX 2.x format planned for future) with another S4 instance to calculate the similarity scores of the new malware against past malware pieces from the original S4 instances (as well as those from itself). 
  • Even if a new piece of malware has anti-sandbox capabilities, S4 may be able to determine it similarity to the past malware pieces through its evasive behavior. Actually S4 has successfully determined one piece of malware to be in the WannaCry family through this evasive behavior similarity even though all the other similarity methods failed.

  June 28, 2018 14:45-15:15

  Koji-Yamada-Kunihiko-Yoshimura-Ryusuke-Masuoka-Toshitaka-Satomi_FIRST_20180626.pdf

  MD5: 8f94a9107f14ca54b1fb07168f00f12a

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 2.35 Mb

•  CR

  New Types of Attacks: The Evolution of Ransomware as a Service

  Susan Ballestero Rosales (BsidesSJO, CR)

  Currently Senior Analyst for an Irish Company, passionate about Information Security specially everything with incident response, with 10 years of experience in Information Technology with multinational companies. Master’s degree in Information Technology Project Management. #PuraVida

  The last year I had the opportunity to present at FIRST about ransomware, however I have been doing research about the ransomware as a service, the different threat actors and their techniques tactics and procedures , this research involved the evolution for ransomware , how everything began with a free ransomware solution for educational purposes and how it became a new industry, currently in evolution, we will evaluate how the threat actors made platform so much easily to use that even people with zero knowledge will be able to use it, the different industries that those ransomware have been affecting and what can we expect in the future in areas such as Internet of things, wearable devices and smart cities. I had the opportunity on my previous job to work on a technical paper, obtaining the TTP's for different RaaS, which I would love to share with the community and how they have been changing. This research will benefit: Incident response teams (SOC, Red team, threat intelligence among others) Some of the data I would love to share is about my favourites ransomware in this area,specially because they have developed platforms that have better support than some programs we have to pay a license for it.

  June 25, 2018 12:15-12:45

  Ballestero-Rosales-Susan_FIRST_20180619.pdf

  MD5: 8cee38226470656fc63c225f3e925808

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.36 Mb

•  PL

  Not Just Indicators: Data Processing with n6

  Paweł Pawliński (CERT Polska / NASK, PL)

  Paweł Pawliński is a principal specialist at CERT.PL. His past job experience include data analysis, threat tracking and automation. He is responsible for the design and implementation of the n6 platform for sharing security-related data and designed systems for large-scale monitoring of attacks on the internet.

  Paweł is an author of publications and trainings, with the focus the collection, analysis and exchange of information by CSIRTs.

  This technical workshop will introduce an open-source system for automated collection, processing and exchange of security information. If you deal with non-trivial amount of abuse reports, indicators, logs or any other data feeds and looking for new tools, this session might be of interest to you.

  Back in 2011, our team was facing a common problem: a lot of potentially valuable data available but too limited resources to make use of it. We approached that problem by trying to reorganize our data handling processes, integrate and normalize multiple information sources, and automate whatever we could. In a short time we were able to deliver actionable data feeds to our constituents and scale up collection capabilities significantly. That was the beginning of n6 a.k.a. our in-house automation platform.

  What started as a couple hundred lines of Perl and shell scripts, has later developed into a modular stream-processing framework with a scalable database and tooling that is supporting an important part of our operational activities. In 2018 we are finally ready to make a proper release of the software on an open-source license.

  During the workshop we will present the design of n6 and its main components: collection modules, data enrichment, APIs, frontend. We will explain similarities, differences and existing integration mechanisms for other popular tools, especially IntelMQ and MISP. We will also show the practical examples of how n6 is used by CERT.PL for communicating with the constituency but also for obtaining insights into threats on a country level.

  The introduction of the system will be followed by a practical hands-on part. You will learn how to configure, run and extend n6 to fit your data processing pipeline.

  We will finish off with a discussion on the future development plans, with the focus on getting feedback on features that can be useful to other CSIRTs.

  This workshop follows the open-source release of the software and is the first opportunity to present it to the wider community. Source code:

  https://github.com/CERT-Polska/n6

  What to bring: Laptops with recent VirtualBox are recommended for the hands-on part. VM images will be distributed during the workshop.

  June 25, 2018 16:00-17:30

  Pawlinski-Pawel-WORKSHOP_FIRST_20180626.pdf

  MD5: 112eeec231ead85c3250a194fb45e1a7

  Format: application/pdf

  Last Update: June 28th, 2018

  Size: 2.36 Mb

•  NO

  Outside the Box - Training Through Surprise

  Frode Hommedal (Telenor, NO)

  Frode Hommedal is a senior incident responder and CSIRT leader. He is currently head of incident response and security analytics at Telenor CERT, and part of the team that is establishing the global CERT/SOC capability of Telenor. He previously worked seven years for the Norwegian national CSIRT, NorCERT, and he has extensive experience with countering digital espionage. One of Frode’s goals is to contribute to the infosec curriculum, hoping it will help more CSIRTs to find, face and fight the ever growing number of advanced threats.

  Exercising can be fun, especially if you make it realistic and challenging. We ran a red vs blue exercise where we wanted to measure the effect of having access to different tools available to different teams, in addition to tricking our blue teams into making mistakes that would create teachable moments. And we succeeded. This talk is the story about this exercise and the lessons we learned.

  June 26, 2018 14:45-15:45

•  GB US

  Panel: Q&A on Privacy

  Thomas FischerAndrew Cormack - Moderator (Jisc, GB), Gant Redmon (IBM Resilient, US), Thomas Fischer (Independent, GB)

  June 28, 2018 14:15-14:45

•  CZ

  Patchwork : From One Malicious Document to Complete TTPs of a Medium Skilled Threat Actor

  Jaromir Horejsi, Jaromir Horejsi (Trend Micro, CZ)

  Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, Virus Bulletin, FIRST, AVAR, Botconf and CARO.

  Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigation for years, sometimes in IT infrastructures involving thousands of hosts in big French companies. When not on the trail of online attackers, Daniel still spends time in front of a keyboard — on a piano.

  Patchwork seems to be a capable threat group likely based in Southern Asia. The modus operandi we monitored shows a threat actor without access to zero-day vulnerabilities, but one that focuses on carefully targeting victims and creating convincing lures. Patchwork installs known or custom RAT malware by using weaponized documents with the target's topics of interest. Furthermore, carefully designed phishing websites provide them with credentials for gathering sensitive data from high-value targets, including ranking military officials and individuals in the aerospace, mass media and online retail companies.

  This topic covers how we discovered a large part of the group's infrastructure as well as multiple lure documents and RAT malware they used—all from one malicious document and the use of threat intelligence and reverse engineering methods.

  During the investigation, we discovered how the threat actor manages to infect his targets, what tools he uses and how they have evolved. The discussion also details how they deliver spear phishing emails, which RAT tools they use, how they perform phishing and credential harvesting, and which tools they use to monitor and exfiltrate sensitive data.

  The discussion will cover several chapters: • The start of the investigation • Examples of weaponized delivery documents and their analysis • Backdoors, remote access tools, and how they evolved over time • File stealers and hard disk monitoring tools and their evolution • Analysis and overview of infrastructure • Phishing kits and credential harvesting • Targets and victims • Countermeasures and defense strategies against future attacks • Summary of the tricks involved in all these findings

  During the presentation, we will share additional details about this threat actor, including the threats, tactics, and procedures (TTP) and various indicators of compromise (IOC). We will also discuss how DFIR practitioners can use these techniques to gather IOCs, facilitating the prevention of future attacks from a similar threat actor.

  June 27, 2018 11:00-11:30

  Horejsi-Jaromir-Lunghi-Daniel__patchwork_FIRST_20180626.pdf

  MD5: 1fb9e4b07c873e6ee426036148166610

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.61 Mb

•  MY

  Practical Integration of Threat Intelligence and CSIRT Processes to Accelerate Efficiency and Timely Response of Incidents: Malaysia CERT Case Study

  Sharifah Roziah Mohd KassimSharifah Roziah Mohd Kassim (CYBERSECURITY MALAYSIA, MY), Syazwan Hafizzudin Shuhaimi (CYBERSECURITY MALAYSIA, MY)

  Name: Sharifah Roziah Mohd Kassim Designation: Specialist Sharifah Roziah currently works as a Specialist for Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. Besides being a Specialist, she is also tasked as a Manager of the Security Operation Centre in MyCERT, to ensure computer security incidents reported to MyCERT are responded in a timely and efficient manner. Prior to that, she worked as a Senior Analyst at MyCERT department. Roziah has been involved in the computer security field for over 15 years, mainly in Computer Security Incident Handling. Her area of focus and interest is on Computer Security Incident Handling, Incident Analysis and Network Security. Roziah had been a key person in handling and resolving many computer security incidents reported to MyCERT from the Malaysia constituency. Roziah had also conducted many talks, presentations, trainings in local and also in international in the field of computer security particularly in Computer Security Incident Handling. Apart from that, Roziah has also produced various Security Advisories/Alerts on latest vulnerabilities and threats, Articles, Security Best Practices, Proceeding Papers related to computer security.

  Name: Syazwan Hafizzudin binshuhaimi Designation:SysAdmin

  Syazwan has been working in MyCERT for3 years. His task are mainly on the technical aspect of configuration and development of system invovled in day to day operation.Also involved in setting up and development of Threat Intelligence platform to be integrated with local system process.

  Possible Title:

  Practical Integration of Threat Intelligence and Computer Security Incident Response Team (CSIRT) processes to accelerate efficiency, meticulousness and timely response of large-scale global incidents: Malaysia CERT Case Study

  Past Incident Response procedures may not be comprehensive enough to address complex and sophisticated incidents. The ever-increasing scale, complexity and globalization of cyber attacks require quick detection, accurate analytics and eradication of the attacks. Hense, a more practical procedure and approach to fulfill this quest.

  Nonetheless, the ever-expanding volume of ICT capacity has indeed in multiple occasions, proved the need to modernize the process and workflow of CSIRT around the globe to provide a better experience of cyber incident handling in general. The presentation is also inline with the Conference Theme, whereby, after years of Incident Handling, it is time to be more innovative and effective in the way we respond to incidents.

  The practical integration of Threat Intelligence unto Computer Security Incident Response Team (CSIRT), can be viewed as a method to overcome certain limitations of CSIRT such as:

  ➢ Accuracy and precision of incident detection. Large amount of data such as logs, can be hard to be processed efficiently by analysts resulting in undetected issues and complication in the particular organization.

  ➢ Time limitation of incident detection may consequently effect immediate preventions of attacks at global level.

  ➢ More on the passive and defensive side of IT Security. Normal CSIRT processes do not cover the scope of understanding attack vectors as well as threat actor information.

  To prove that the integration has worked for us, we will highlight a case study related to multiple IP addresses originating from Malaysia that belongs to a single network operator in Malaysia, that involved in several large-scale cyber attacks around the world such as data leakage, espionage, commercial fraud, web attacks and malware activities. In this case study we will show how we identified the Indicators of Compromise (IOC), Tactics, Techniques and Procedures (TTPs), and the Threat Actors and how this information helped in the investigation of this incident.

  The presentation is targeted for established CSIRTs, PSIRTs and also new teams. The key points that we would like to highlight in this presentation are: ➢ The important roles of CSIRTs, CERTs and PSIRTs in eradicating and mitigating large-scale cyber attacks at global level. ➢ Share our integration workflow that illustrates how Threat Intelligence is delivered in the investigation of an uincident for quick and efficient Incident Response, which in this presentation focuses on a case study of Malaysian IP addresses involved in global large-scale attacks.

  ➢ IT security organizations should also emulate mechanism used by major corporations and institution which prioritize information and data collected to further understand their customers and to provide targeted services ➢ Share our in-house developed tools and applications that we used for the investigation of this incident.. ➢ Share the work taken by us to further study the behavioral and anatomy of an incident so as to propagate and reduce the effect of similar type of incident in the future. ➢ How CSIRTs of various countries can be in the forefront of global cyber attacks via means of Threat Intelligence. ➢ Share our tips on customizing existing tools for enhancement and improvement of the Threat Intelligence delivery for effective mitigation of global cyber attacks. ➢ If such integration can be applied in a CSIRT, a better understanding of threat actor and attack vectors can be utilized to tackle cyber security incidents efficiently and with pinpoint accuracy.

  June 28, 2018 14:45-15:15

•  US

  Preparing the Village - Lessons Learned in Cross-Industry Vulnerability Disclosure

  Phillip Misner (Industry Consortium for the Advancement of Security on the Internet (ICASI), US)

  Phillip Misner is a Principal Security Group Manager with the Microsoft Security Response Center and the President of the Board of Directors for ICASI. In his role at Microsoft he manages the Ecosystem Strategy team. That team drives security researcher engagement, Microsoft's bug bounty programs, industry and government collaboration, and public engagement for MSRC. Previously he led the crisis management team for over ten years driving Microsoft's response to the biggest incidents. As a senior leader on the team he works broadly across Microsoft and the industry to better protect and educate customers on topics in security and privacy.

  Phillip has worked in the Microsoft Security Response Center for over eleven years and a total of seventeen years in the technology industry. Prior to joining MSRC in 2006, he spent six years in product development in the Internet Explorer, Windows, and Developer Divisions.

  On Monday, October 16, 2017, the world awoke to news of a protocol vulnerability in WPA/WPA2. Branded as the "KRACK Attack", this vulnerability impacted virtually every device with a wireless router. As soon as the vulnerability was announced, many vendors announced fixes. This was the result of a large scale coordinated disclosure effort organized by the Industry Consortium for Advancement of Security on the Internet (ICASI). Through collaboration among members, partners, and the researchers, this coordinated disclosure minimized the impact of this vulnerability.

  During this session, the President of ICASI will provide insight into how this coordination took place and explore what this experience means moving forward. This will be an open and honest conversation about what happened and will touch on topics such as what worked well, what did not, who was notified and how those notifications took place, and what lessons learned this experience has for FIRST’s work in Multi-Party Vulnerability Disclosure.

  The call action for participants will focus on tips on when to coordinate, practical skills for multi-party coordination, better coordination, and how to enable quick understandings for defender audiences.

  June 27, 2018 11:30-12:30

  Misner-Phillip_FIRST_20180627.pdf

  MD5: 8dc4164ec8ee18b8d915733d724bbc23

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.4 Mb

•  MY

  Proactive Cyber Defense through Attack Modeling and Threat Intelligence

  Hamed Khiabani (Experian, MY)

  Dr. Hamed Khiabani has been in the IT industry for over 20 years in various capacities, ranging from startups to multinational corporations, vendors and system integrators. Over the last 12 years, he has focused on Information Security Analysis, Penetration Testing, Incident Handling and Digital Forensics. He has served as a consultant to organisations in various sectors including oil and gas, banking, financial, telecom, and education. He received his Ph.D. in Computer Science (information Security) from the University of Technology, Malaysia (UTM). He holds a BSc in Hardware Engineering as well as MSc in Computer Architecture. He is accredited as a Certified Information Systems Security Professional (CISSP) from (ISC)² and ISO27001 Lead Auditor from BSi. He holds a variety of professional certification such as the GCFA, GCIA, GPEN, GCIH, GSEC, E|CSA, C|HFI, C|EH, and CCNA CyberOps. He is a member of International Electrical and Electronics Engineers (IEEE), Financial Services Information Sharing and Analysis Center (FS-ISAC), and SANS Advisory Board. He was honored by (ISC)² as 2016 Asia-Pacific Information Security Leadership Achievements (ISLA™) Honoree in Senior Information Security Professionals category. He has been with Experian since November 2013. He joined as the Principal Security Analyst for Global Security Operations Center and later took on the role as Security Operations Manager for APAC. In addition to his time at Experian, Hamed also serves as the Gold Advisor at GIAC from August 2011, where he is responsible for guiding and advising authors of GIAC Gold papers on both technical and writing issues, as well as grading/reviewing candidates’ papers. The papers are all available on the SANS Reading Room website. LinkedIn: https://my.linkedin.com/in/hkhiabani Twitter: @H4IVI3D

  This talk will provide a look at intelligence-driven defensive operations. The Cyber Kill Chain as a model to dissect the stages of increasingly advanced cyber intrusions will be touched on. Then will elaborate the detective and preventive measures taken to ensure that an adversary is unable to set up residence in the environment. It will discuss about changing the mindset from “incident response” to “continuous detection and response”, and the drivers behind this transformation and what you need to know to enable proactive defense at your organization. It will also walk through the F3EAD process to show how threat intelligence can be included into the incident response procedure.

  June 25, 2018 16:00-17:00

•  US

  Professionalizing the Field of Cybersecurity Incident Response

  Tom Millar (US-CERT, US)

  Mr. Millar has been a member of US-CERT for 10 years, serving as its Chief of Communications for most of that time. In that role, he has worked to strengthen US-CERT’s information sharing capabilities, increased the level of public, private and international partner engagement, and supported initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.

  For 30 years, CSIRT work and cybersecurity have been practiced by a diverse community of technically inclined, curious problem solvers, and we have made great strides in the practice over that time. However, if we are going to tackle the tough problems that lie ahead, including the need to massively expand the number of qualified cybersecurity workers and the need to have our voices heard in policy and legislative discussions, we need to professionalize: “to make an activity into a job that requires special education, training, or skill.”

  It’s time for our community to adopt standards of education, training and conduct to ensure we can be trusted to do the right thing and that we can scale up our talent pool without dilution or pollution. This leads to a large number of difficult questions, such as: What are the technical and ethical standards for a CSIRT member (or any cybersecurity professional)? What should they be? How should we govern ourselves, and what kinds of “barriers to entry” should we establish?

  This talk will discuss some of the positive and negative impacts that might come from professionalization, some steps we need to take as a community, and why our field needs to go ahead and do it sooner rather than later.

  June 29, 2018 10:00-11:00

  MillarTom_Professionalizing-Cyber-Incident-Response-Slides-for-FIRST_20180621.pdf

  MD5: 943d44d2a20ffd0a6cf8088a780137e0

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 558.23 Kb

•  JP

  Real-time Log Analysis Tool with STIX 2.0

  Mariko Fujimoto (The University of Tokyo, JP), Takuho Mitsunaga (The University of Tokyo, JP), Wataru Matsuda (The University of Tokyo, JP)

  Wataru Matsuda joined NTT WEST, Ltd. in 2006. In 2015, he joined Watch and Warning Group of JPCERT/CC, where he was engaged in information gathering and early warning activities. Now as Project Researcher of Secure Information Society Research Group, the University of Tokyo, he is engaged in research on cyber security especially log analysis for detecting targeted attacks.

  Mariko Fujimoto joined NEC Solution Innovators, Ltd. in 2004 and worked for development of software and systems for internal control. In 2015, she joined Watch and Warning Group of JPCERT/CC, where she was engaged in information gathering and early warning activities. Now as Project Researcher of Secure Information Society Research Group, the University of Tokyo, she is engaged in research on cyber security especially log analysis for detecting targeted attacks.

  Dr. Takuho MITSUNAGA Project Associate Professor, Graduate School of Interfaculty Initiative in Information Studies, The University of Tokyo. He is also Research Fellow at Information-technology Promotion Agency in Japan. After completing his degree at Graduate School of Informatics, Kyoto University, Mr. Mitsunaga worked at the front line of incident handling and penetration test at a security vendor. In FY 2010, he led an R&D project of the Ministry of Trade, Economy and Industry (METI) for encryption data sharing system for cloud with an efficient key managing function. He has been a member of Watch and Warning Group of JPCERT/CC since April 2011, where he is engaged in cyber attack analysis including APT cases. He has also contributed in some cyber security related books as coauthor or editorial supervisor including “ Information Security White Paper 2013”.

  Many organizations have experienced damages of targeted attacks. In detection of targeted attacks inside network, indicators such as C&C server domain and IP address can be useful. For this reason, information sharing scheme has been developed globally during the past years. One of the examples is a standardized format for automated indicator sharing, STIX, introduced by MITRE.

  However, STIX had not been widely implemented in Japan until recently. According to a survey conducted in NCA (Nippon CSIRT Association) in 2015, only 3% of members have used STIX for threat information exchange at that time. To cultivate a better understanding of STIX in Japan, the University of Tokyo has provided trainings for CII companies and academia. As a result, STIX has gradually become popular in Japan.

  As STIX-formatted indicator exchange increases, however, there are new challenges. In detection of cyber attacks, users are required to compare increasing number of shared indicators against a large amount of logs stored in their network, which consumes quite a lot of resources. Indicators serves two purposes: 1) detecting communication that occurred from their own network to suspicious hosts in the past, and 2) blocklisting malicious hosts so that potential damage is prevented. In order to satisfy both of the function, the University of Tokyo developed a tool analyzing logs effectively by integrating logs into Elasticsearch.

  Our tool compares proxy logs with STIX format indicators upon the following triggering actions: -When logs are imported (in real-time)

  • Compare logs with preset blacklist stored in Elastic Stack, and raise an alert if any matches

  -When indicators are imported (on-demand)

  • Compare indicators with past logs, and raise an alert if any matches
  • Add indicators to blacklist

  We will present how our tool is effective in detecting attacks and reducing incident response time.

  June 25, 2018 15:00-15:30

  Wataru-Matsuda-Mariko-Fujimoto-and-Takuho-Mitsunaga_FIRST_20180620.pdf

  MD5: 73595504df7b1d31fc6672bb1130353c

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.18 Mb

•  JP

  Red Team vs Blue Team Tabletop Exercise and Random Scenario Creation Using Cards

  Chiyuki Matsuda (DeNA Co., Ltd., JP), Mitsuru Haba (Canon Inc., JP), Satoshi Yamaguchi (NTT, JP), Takashi Kikuta (transcosmos Inc., JP), Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP), Yusuke Kon (Trend Micro Inc., JP)

  Yoshihiro Masuda is chief investigator of Incident Handling Exercising Method Developing Working Group of Nippon CSIRT Association. Mitsuru Haba is co-chief of the working group. Yusuke Kon, Takashi Kikuta, Chiyuki Matsuda, and Satoshi Yamaguchi are members of the working group.

  Incident handling exercise is an effective method for improving capability of CISRT. We developed a tabletop exercise method and toolkit, which has following features,

  • Red team vs blue team interaction
  • Random scenario creation using cards We examined user acceptability of the method through several trials in largest CSIRT community in Japan, and applied to a group training in TRANSITS workshop held in Japan. In our presentation, we will introduce the exercising method and make short demonstration. Also we will share the toolkit.

  June 28, 2018 13:45-15:15

  Masuda-Haba-Kon-Kikuta-Hirata-Yamaguchi_FIRST_201806010.pdf

  MD5: d80f0dd1179e7a955d9a88b4a59573f4

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 953.68 Kb

•  LU

  Reigning in the Raw Power of PyMISP Thanks to Python

  Steve Clement (CIRCL, LU)

  Steve Clement is a security engineer working for CIRCL and has been on-staff since 2008. Experienced in the security of Unix systems like Open and FreeBSD his passions turn around sharing this knowledge to the hungry and foolish.

  Further on Steve is a strong advocate for Free and Open Source Soft-/Hard-ware in an open world with less intellectual boundaries.

  Topic and objectives The tutorial will be based around using the Python MISP module (pyMISP) Specifically using the MISP API in a pythonic way. More generally the talk is a motivation for the participants that always wanted to automate certain things, but never really got around doing it.

  Outline of the content

  • Introduction into pyMISP and its core
  • Show various ways to easily extract data from MISP
  • Further process data and send it to other independent MISP instance
  • Pull in external sources and automate co-relation
  • A few visualization examples
  • Present viper and how it can fit into the set up
  • Let participants come up with their use cases

  June 26, 2018 13:45-15:30

•  JP

  Removing the Pain From the Repetitive Processing of Vulnerability Reports Using a Vulnerability Ontology

  Masanobu Katagi (JPCERT/CC, JP), Takayuki Uchiyama (JPCERT/CC, JP), Masaki Kubo (NICT, JP)

  Masanobu Katagi Masanobu is a member of Vulnerability Coordination Group at JPCERT/CC. Since July 2017, he has been engaged in coordination of vulnerability reports with PSIRTs, and the analysis of incoming vulnerability reports. Prior to joining JPCERT/CC, he was involved in research on cryptographic algorithms and their implementations and was also engaged in standardization efforts of cryptographic algorithms

  Takayuki Uchiyama Taki is member of both the Vulnerability Coordination and Global Coordination Groups at JPCERT/CC. Main tasks involve the coordination of vulnerability reports with PSIRTs, being involved with various discussions groups related to the identification / analysis / coordination / disclosure of vulnerabilities. In addition to this work, he also collaborates with various CSIRTs across the globe, with a focus on the Asia-Pacific, where he is involved in capacity building and trainings.

  Masaki Kubo Masaki Kubo is an executive technical researcher of NICTER analysis team at NICT, National Institute of Information and Communications Technology where he leads the NICT’s darknet analysis as well as the internal threat analysis operations. He previously worked 13 years for JPCERT/CC where he managed vulnerability handling operation and secure coding initiative.

  JPCERT/CC has been coordinating and disclosing software vulnerabilities since 2004 when the vulnerability handling framework was established in Japan. Over the past few years, the number of vulnerabilities that have been reported to this framework has increased sharply. Until 2014, the maximum number of reports received for a single year never exceeded 300. Since then, this number has increased significantly, with a peak number of over 1,000 in 2016. With a team of less than 10 people, traditionally manual processes such as analysis of reports and the writing of advisories have not scaled well. On the surface, while these processes seem to be independent, these processes utilize the same information to perform tasks that are essential to coordinating software vulnerabilities.

  For these processes to scale, automating wherever possible is essential. In order to automate these processes, JPCERT/CC thought "Is there a way where we can use a common language to communicate vulnerability information?" Vulnerability reports are typically written by people, and various terms / words can be used to describe the same issue. Reading through these various reports to identify the vulnerability and its effects as well as verifying whether there is sufficient information provided in the report for the vendor to remediate the vulnerability takes time. In our attempt to solve this problem we came across NIST IR 8138 "Vulnerability Description Ontology".

  We have attempted to take this ontology and see if it can be utilized to automate some of our coordination processes. In this presentation, we will discuss briefly about the ontology itself and some of its components, how it has helped in scaling our analysis process as well as how it has assisted in automating our advisory writing process. We also will consider some ways in which this information can be shared with other organizations to help assist coordination activities.

  June 26, 2018 12:00-12:30

  Katagi-Masanobu-Uchiyama-Takayuki_FIRST_20180626.pdf

  MD5: 756fdabba68bbf5ff54262575c677e07

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 2.49 Mb

•  TH

  Scaling Up Security to the Whole Country

  Martijn van der Heide (ThaiCERT, TH)

  Martijn van der Heide has been working in the security field for more than 20 years. Currently he works as a consultant at ThaiCERT, the National CERT of Thailand, to help set up security further in the country. His role includes incident response and threat intelligence for the operational CERT team, as well as training and consulting. Before that, he worked at Royal Dutch Telecom, KPN, the incumbent telecom provider of The Netherlands, where he set up KPN-CERT which he chaired for 12 years until he met and married a Thai woman at the FIRST Conference 2013 and was invited to move to Thailand.

  Until 2 years ago, there was only 1 CERT team for the entire country of Thailand. This relatively small National CERT team has done amazing work, but cannot possibly do everything needed to protect the government, critical infrastructure and all 76 million citizens.

  After a thorough assessment of the country's security posture, a bold plan was drafted how to scale up security throughout the country. This was established into law at the end of 2016.

  The first and foremost challenge is the lack of people, tools and procedures to establish teams at all organizations.

  We started by implementing a central government protection solution to combat a large percentage of incidents such as website defacements and infections. Then we began to establish sector-based CERT teams for all critical infrastructure, allowing a better pace in implementing security in the individual organizations while having some form of incident management and coordination in place already. New services have been added to the ThaiCERT portfolio to accommodate this - for example our own annual security conference and a threat intelligence service with daily news feeds.

  The next step was improving awareness at a young age, for which we teamed up with other organizations to produce workshops and training in schools, first in Bangkok only, now spreading out to other cities.

  For the next year, we have ambitious targets on capacity building to steeply increase the security work force in the country. For this, we work with universities and organizations such as CMU and ISC2 to create professional training programs that can scale to 1000 professionals per year.

  This presentation will also cover how the ThaiCERT organization deals with being stretched to breaking point and the cultural and language challenges I experienced myself as one of material authors, trainer and responsibility for threat intelligence.

  June 27, 2018 14:15-15:15

  van-der-Heide-Martijn_FIRST_20180627.pdf

  MD5: b939868646b355d93bb7355fa4e044db

  Format: application/pdf

  Last Update: July 27th, 2018

  Size: 1.9 Mb

•  IN

  Securing your in-ear fitness coach: Challenges in hardening next generation wearables

  Sumanth NaropanthSumanth Naropanth (Deep Armor, IN), Sunil Kumar (Deep Armor, IN)

  Sunil Kumar is a Security Analyst at Deep Armor. He has vast experience in pentesting web applications, mobile applications and IoT products. In addition to penetration testing, he has advanced knowledge of AWS and development skills in node.js and python. Prior to Deep Armor, Sunil worked as a security engineer for Olacabs and Aricent technologies.

  Sumanth Naropanth is a technical expert in security research, vulnerability assessments, security architecture & design, and incident response. He has held several security leadership positions, has developed detailed frameworks for Security Development Lifecycle (SDL) for large corporations, and has managed global teams that executed those SDL activities. Sumanth is the founder and CEO of Deep Armor. He previously worked for Sun Microsystems, Palm/HP and Intel. He and his team have published their research at well-known security conferences, including Black Hat Asia, Black Hat Europe, Troopers, Nuit du Hack, Shakacon and so on. Sumanth has a Masters degree in Computer Science (Security) from Columbia University.

  Wearable platforms today enable rich, next-generation experiences such as secure payments, specialized sports tracking and precise location monitoring. Data collection is only the first step for these products. The real "user experience" is often the result of a complex mesh of interactions between wearables, smartphones, cloud-hosted array of web applications and analytics software. Designing and validating security for such ecosystems, the kind of which never existed until a few years ago, demands brand-new lines of thinking and security best practices. Wearables live and operate on the human body, collecting a wealth of personal data. This gives rise to new challenges in storing such data securely and conforming to privacy regulations, especially in a world where consumer privacy laws are so diverse. We take the example of an actual market product which is a head-worn real time, voice activated coaching system that creates and manages training programs for track running or cycling. The "coach" is an NLP-powered voice assistant on the eyewear. User can converse with it hands-free, and get advanced feedback on their performance. In our presentation, we talk about the security and privacy research that went into designing and developing this in-ear fitness coach, including a custom Security Development Lifecycle (SDL) that accounted for the three "branches" of the program: wearable, phone and the cloud. We present examples of vulnerabilities and privacy problems associated with such new classes of products. While the applications and use cases for wearables are limited only by the designers' imagination, the best practices we have pioneered will be useful and can easily be reapplied by vendors creating new wearables and IoT products. The goal of our presentation is to educate attendees about shedding the old notions of privacy and Security Development Lifecycle when preparing for the products of the future, as well as to discuss interesting security vulnerabilities in such technologies

  June 27, 2018 11:30-12:30

  Naropanth-Kumar-Securing-your-In-ear-_FIRST_20180608.pdf

  MD5: 1ddfdd7908d585836f3d5ee6c5992844

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 7.48 Mb

•  FI

  Security and Privacy Incident Response at Ericsson

  Thomas Grenman (Ericsson, FI)

  Thomas Grenman is working as a Security Manager in the Ericsson Product Security Incident Response Team (PSIRT). Ericsson PSIRT is the global security point-of-contact for all products in Ericsson's portfolio. Thomas is responsible for internal and external vulnerability coordination as well as leading and analyzing customer reported incidents.

  I will set the stage of this presentation by giving a brief introduction on how privacy as well as product incident response is anchored into Ericsson's security reliability model. I describe the internal privacy assessment as well as those mandatory deliverables that are an integral part of the product development process. I also give an overview of the triage process adhered to by Ericsson's Product Security Incident Response Team. With the stage set, I go into detail on how privacy related incidents are handled, managed, and coordinated within Ericsson. I describe the challenges that arise from having critical infrastructure products deployed and operated under almost all conceivable laws and regulations in nearly all available time zones. While some of the products are managed by Ericsson as a service, some product are hosted and run by external parties under a wide variety of service level agreements. I conclude by presenting ways of working and practices that we have found valuable during real-life incidents. I also discus lessons learned and how those lessons have been used to make our processes even more effective.

  June 28, 2018 13:45-14:15

  Grenman-Thomas_FIRST_20180604.pdf

  MD5: 9460cf60fb8c0dd17a51176c888aac7c

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.13 Mb

•  US

  Security Response Survival Skills

  Ben Ridgway (Microsoft, US)

  Ben Ridgway has worked on many unusual projects through his security career. He started with a position at NASA fuzzing and looking for vulnerabilities in spacecraft control systems. Following that, he took job with the MITRE Corporation as part of a team which consulted for the US Government. This work involved everything from pen testing high assurance systems to building Cyber Security Operations Centers. He was hired by Microsoft in 2011 to be one of the original security engineers on Microsoft’s Azure cloud. Today he is a technical lead within the Microsoft Security Response Center’s Cloud IR team. This team is responsible for managing critical security incidents within Microsoft’s cloud and online services.

  Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak "Hello?" barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong...

  Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds.

  Drawing from years of real-word experience, hundreds of incidents worked by Microsoft Security Response Center’s Cloud and Enterprise Incident Response team, and the many lessons learned from some of the greats in IR around the company this talk will delve into:

  • Classification of incidents into those requiring high touch and high interaction, • The human characteristics that contribute to successful outcomes amidst crisis, • Common pitfalls that can strain and derail investigations, and • Essential skills and mindset needed to make a career as a security first responder.

  Come join us as we share observations on the common traits of successful defenders -- with insights aim at career and occasional defenders alike. It is now 3:05AM. Everything has gone horribly wrong. They are waiting on you to tell them what to do. This is your time to sink or swim. Good luck.

  June 25, 2018 14:00-15:00

  Ridgway-Ben_FIRST_20180623.pdf

  MD5: 2e4afe1df379abda9333c7316c5e4b29

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 5.41 Mb

  Ridgway-Ben_FIRST_20180702-commented.pdf

  MD5: 2441d6777c3223a3c02fb2097e4a6840

  Format: application/pdf

  Last Update: July 26th, 2018

  Size: 6.72 Mb

•  NO

  Semi-Automated Cyber Threat Intelligence (ACT)

  Dr. Martin EianDr. Martin Eian (mnemonic, NO)

  Dr. Martin Eian works as a Senior Security Analyst in mnemonic's Threat Intelligence group, and he is the Project Manager for the research projects "Semi-Automated Cyber Threat Intelligence (ACT)" and "Threat Ontologies for CyberSecurity Analytics (TOCSA)". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from NTNU, and he has previously worked as an Adjunct Associate Professor at the Department of Telematics, NTNU.

  **Please bring your own computer to participate in the workshop.

  In 2016, mnemonic launched the research project "Semi-Automated Cyber Threat Intelligence (ACT)". The project partners are the University of Oslo (UiO), the Norwegian University of Science and Technology (NTNU), the Norwegian National Security Authority (NSM), the Nordic Financial CERT (NFCERT) and KraftCERT.

  The ACT project develops an Open Source platform for threat intelligence. The project researches new methods for data enrichment and data analysis to identify threat agents, their motives, resources and attack methodologies. In addition, the project will develop new methods, work processes and mechanisms for creating and distributing threat intelligence and countermeasures, to stop ongoing and prevent future attacks.

  Our primary motives for launching the ACT project were to provide a holistic workspace for analysts, automate repetitive tasks, facilitate advanced automated analysis, improve our knowledge of threat agents, facilitate efficient and accurate manual analysis, automate sharing of threat information and countermeasures, and automate the processing of unstructured data.

  Threat intelligence analysts use numerous different systems for their daily tasks. They copy and paste data from system to system, then manually try to collate the results. The ACT platform aims to automate such processes, to provide a holistic view of the collated information, and to retain the information for future use.

  The ACT project will facilitate sophisticated enrichment of data and the application of artificial intelligence techniques for automated analysis of data and information. These two research areas are the main responsibility of the universities participating in the project.

  Automated threat information sharing and countermeasures can significantly improve detection and prevention capabilities. The ACT project has reviewed existing standards and protocols for information sharing and countermeasures. The project also closely monitors standards that are under development.

  Finally, masses of data relevant to threat intelligence are available in unstructured formats. Examples include threat reports, academic papers, news articles, blogs, e-mail lists, and wiki pages. The ACT project has implemented and tested prototypes based on natural language processing (NLP) techniques for the extraction of structured data from unstructured sources.

  Since the project started we have developed the core platform with API and graphical user interface. We have also developed new NLP techniques and applied these to extract structured data from relevant sources. The project partners and other interested organizations are currently testing the platform. The platform has also been used in live incident response cases, and has proven itself as a useful addition to our arsenal.

  Our aim is to make the ACT platform a useful tool for the following roles:

  • Incident Responders
  • Penetration Testers
  • Risk Analysts
  • Signature Developers
  • SOC Analysts
  • Threat Hunters
  • Threat Intelligence Analysts
  • Threat Researchers

  We have created a GitHub repository [1] for the project, where we have published platform documentation and code under the ISC Open Source license.

  We have also presented the project in several relevant conferences, including a presentation of preliminary results at the FIRST Conference 2017 [2], a project presentation at the FIRST Technical Colloquium Oslo 2017 [3], and a keynote at NIKT 2017 [4].

  The FIRST 2018 presentation will cover a much more mature version of the platform, including a live demo of advanced analysis techniques. We will have a virtual image (.ova) of the platform ready for distribution to conference participants.

  June 27, 2018 13:45-16:45

  Eian-Martin_FIRST_20180628.pdf

  MD5: 5abdc596dd45bf5126a5b2f0802f52a6

  Format: application/pdf

  Last Update: June 28th, 2018

  Size: 3.64 Mb

•  TW

  Social Mining of Threat Actor Activities

  Fyodor YarochkinFyodor Yarochkin (Trend Micro, TW)

  Fyodor Yarochkin is a researcher with TrendMicro Taiwan as well as a PhD candidate in EE at the National Taiwan University. He was an early Snort developer, and open source evangelist as well as a "happy" programmer. Prior to that, Fyodor's professional experience includes several years as a threat analyst at Armorize and over eight years asa information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for a majority of the regional banking, finance, semiconductor, and telecommunication organizations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally.

  Part of responsibility of a Security Incident Response Teams is to be provide situational awareness to the organizations, which they intend to protect. Not only is it necessary to monitor the threat landscape for emergent threats, but having an understanding of the threat actor landscape is a critical component to knowing the enemy. In this study we demonstrate how we leverage Social Network Analytics techniques to provide real-time situational awareness information on threat actor plans and activities. Have you ever wished you had visibility when someone started bragging about a new hack or a new attack they were trying to commit? Ever wonder if two threat actors happen to know one another, thus explaining commonalities in attack chains? Wanted to find out if the individual threatening you was credible or just pretending? In this case you would find our experience useful. While working on this project we’ve been trying to automate finding answers to such questions as: - Who talks to whom on Twitter and in what form? What are the communities of potential threat actors on the social network and what are their size and predominance? Can on-going activities and campaigns be identified within these communities and can we spot a new wave of attacks through keywords in discussions? The presentation includes a number of case studies and visualizations we have developed in course of this study.

  June 25, 2018 11:15-12:15

•  US BE

  STIX2/TAXII2 Workshop

  Allan ThomsonRichard StruseAllan Thomson (LookingGlass Cyber Solutions, US), Richard Struse (The MITRE Corporation, US), Trey Darley (New Context, BE)

  Trey Darley currently serves as Director of Standards Development at New Context. He's been working in infosec for years, including stints at NATO and Splunk's Security Practice. Trey is actively developing security-focused open standards, serving as a co-chair within the OASIS Cyber Threat Intelligence (CTI) Technical Committee responsible for STIX/TAXII and heavily engaged with the OpenC2 Technical Committee. Trey's articles have been featured in publications such as IEEE Security and Privacy and USENIX ;login:. He has presented at a number of security conferences, including O'Reilly Security, BruCON, USENIX LISA, and various FIRST events. Trey is a FIRST Liaison Member, official liaison between OASIS and FIRST, a long-time member of the BruCON organizing committee, OASIS Technical Advisory Board member, Technical Director of the IoT ISAO, and a CISSP.

  Richard Struse is the Chief Strategist for Cyber Threat Intelligence (CTI) at The MITRE Corporation, leading the effort to improve cyber defense by better understanding the adversary’s tactics and techniques. In addition, he is the chair of the Cyber Threat Intelligence Technical Committee within OASIS, an international standards development organization. Previously, Mr. Struse served as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he was responsible for technology vision, strategy and implementation in support of the NCCIC’s mission. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extreme high- reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories where his work focused on tools to automate software development and the UNIX operating system. In 2015 Mr. Struse was named by Federal Computer Week as one of the “Federal 100” in recognition of his leadership role in the development of cyber threat intelligence technology standards. In 2016, OASIS selected Mr. Struse to receive their “Distinguished Contributor” award for his work as “a pioneer in the development of the STIX, TAXII, and CybOX standards and was instrumental in successfully transitioning the CTI work to OASIS.”

  Allan Thomson is LookingGlass Chief Technology Officer (CTO) responsible for technology product vision, strategy & architecture across Threat Intelligence Management, Threat Mitigation & Response product lines. Allan is currently serving as the Co-Chair of the Interoperability Subcommittee for the Cyber Threat Intelligence Technical Committee at OASIS as well as lead contributor on OpenC2 automation standards. He was recently recognized by OASIS as Distinguished Contributor for his work on standards at OASIS. Previously, he was Principal Engineer and Architect for Threat Defense products at Cisco Systems with active involvement in standards for security (IETF/IEEE) and distributed systems.

  STIX2/TAXII2 workshop (2:45)

  • Overview of STIX2 Domain Objects
  • Overview of STIX2 Graph Model
  • Brief background on what changed and why from STIX1
  • Overview of TAXII2
  • Brief background on what changed and why from TAXII1
  • Interactive threat report modeling exercises
  • STIX Indicator Patterning exercises
  • Tour of STIX2/TAXII2 open-source libraries and tools
  • Hands-on coding exercises (using cloud-based Python Jupyter notebooks):
    • How to interact with a TAXII2 server
    • How to generate STIX2 indicators, sightings, etc
    • i18n and intra-lingual analyst workflow (ie, how to use STIX2 to collaborate with teams using other languages)

  June 29, 2018 09:45-12:30

•  NO

  Taking the Attacker Eviction Red Pill

  Frode Hommedal (Telenor, NO)

  Frode Hommedal is a senior incident responder and CSIRT leader. He is currently head of incident response and security analytics at Telenor CERT, and part of the team that is establishing the global CERT/SOC capability of Telenor. He previously worked seven years for the Norwegian national CSIRT, NorCERT, and he has extensive experience with countering digital espionage. One of Frode’s goals is to contribute to the infosec curriculum, hoping it will help more CSIRTs to find, face and fight the ever growing number of advanced threats.

  Evicting a so called Advanced Attacker from your network is really hard. It is hard to analyze, it can be hard to understand, and it definitely is hard to figure out when the right time to respond is, and how to respond. But if you're part of an incident response team these are challenges you will face often. This talk is about how you can understand the attacker better, and how you can structure your thinking when deciding how to respond to severe incidents.

  June 26, 2018 11:00-12:00

•  CN

  The Analysis of DDoS Attack Resources in China

  Han-Bing Yan (CNCERT, CN), Hao Zhou (CNCERT, CN), Jian Xu (CNCERT, CN), Tian Zhu (CNCERT, CN)

  Han-Bing Yan obtained the Ph.D. degree from the Department of Computer Science and Technology, Tsinghua Univer- sity, China in 2006. He is now working in CNCERT/CC. His research interests include cyber security, image analysis and computer graphics. Tian Zhu obtained the Ph.D. degree from Beijing University of Posts and Telecommunications in 2012. She is now working in CNCERT/CC. Her research interests include cyber security. Hao Zhou obtained the Master. degree from Beijing University of Posts and Telecommunications in 2017. He is now working in CNCERT/CC. Her research interests include cyber security. Jian Xu obtained the Ph.D. degree from China Academy of Science in 2013. He is now working in CNCERT/CC. His research interests include cyber security.

  DDoS is one of the most serious threats within cyber space, which is very easy to start while difficult to defense. In 2017, CNCERT carried out an in-depth analysis of thousands of DDoS attacks happened in mainland China. We digs deep into such DDoS threat landscape by analyzing resources (C&C servers, bots and reflection servers), grouping attackers and probing into attacks themselves on the basis of thousands of real DDoS incidents collected through the automatic DDoS attack analysis platform. According to related statistics, most of the DDoS attacks were carried out by the mixed multiple means. And we classified the attacks from real IP addresses, subnet spoofing attacks, random spoofing attacks and reflection and amplification attacks, and analyze the percentage of each attack method. What’s more, we worked out the attack rhythms of each attack resource (including bots and reflection servers) in a single incident and used the grouping method to find out whether different attack resources are controlled by the same C&C server. This kind of approach is called probing of attacks. Probing of attacks determines by the way of grouping which bots are controlled by the same C&C server and how many C&C servers there are, so as to better facilitate attribution.

  June 25, 2018 15:00-15:30

•  GB

  The Andromeda Botnet Takedown

  Benedict Addis (Shadowserver / Registrar of Last Resort (RoLR), GB)

  Benedict Addis is chair of the Registrar of Last Resort (RoLR), a non-profit ICANN-accredited registrar funded by Shadowserver, that exists solely to quarantine bad domain names. He is an member of ICANN's Security and Stability Advisory Committee (SSAC).

  From 2011 to 2014 he was a technical officer in the UK's National Cyber Crime Unit (formerly SOCA Cyber). There, his team was responsible for international cybercrime enquiries under the Budapest Convention and G8 24/7 process, and he was the unit's point of contact for 'threat to life' emergencies. He was previously a partner in a network and security start-up and worked as a researcher in the Secure Systems lab at HP Labs. He holds a Masters in Information Security from Royal Holloway University of London.

  On 29 November 2017, a public-private team worked to take down Andromeda aka Gamarue, one of the longest running malware families in existence.

  This widely distributed malware created a network of infected computers known as the Andromeda botnet, whose main goal was to distribute other malware families. Over its seven year lifespan, Andromeda was associated with 80 malware families and, in the previous six months, it was detected or blocked on an average of over 1 million machines every month. Andromeda was also distributed by the infamous Avalanche network, which was dismantled by the same team in a major operation in 2016.

  To take down Andromeda required simultaneously seizing servers, suspending domain names across forty different countries, and arresting a suspect, all under conditions of secrecy. Overall, 180,000 domains were sinkholed and a further 640,000 DGA domains blocked. During 48 hours of sinkholing, we observed approximately 2 million unique Andromeda victim IP addresses from almost every country.

  In this talk I will describe how this unprecedented co-operation took place, and propose a solution to reduce the complexity of future botnet takedowns.

  June 28, 2018 12:00-12:30

•  BR

  The Benefits of an Early Warning System in the Brazilian Academic Network

  Edilson Lima (RNP, BR), Rildo Souza (RNP, BR)

  Edilson Lima:Edilson holds a Bachelor degree in Information Systems and a MBA in Information Security Management. He is a certified professional in ISO 27002 and COBIT. With 10 years of experience in Information Security area, Edilson has leaded several projects and has coordinated various security teams. Currently, he acts as the Security Manager of the Incident Handling team at the Brazilian Academic and Research Network CSIRT. Rildo Souza:Rildo holds a Bachelor degree in Information Systems and a post graduation title in Computer Networks at UNICAMP (University of Campinas, Brazil). With more than six years in IT and five in security area, Rildo currently acts as a Security Analyst at CAIS/RNP, the Brazilian Academic and Research Network CSIRT. His major interests include Incident Handling, Vulnerability Analysis and Network Monitoring. In the last years, he leaded various security projects in order to facilitate the day­to­day of academic IT staff and to raise the security awareness among this community. Rildo has also delivered lectures and training courses in national and international events.

  Preliminary studies conducted by University of San Paulo(USP) during the last two years confirm that sources of open information, such as social networks provide relevant security data information[1],[2],[3]. These same studies confirm the utility of virtual networks as both sensors and actuators for EWS[4]. The RNP uses a variety of data sources to identify incidents involving its clients, so the use of social networks was necessary to identify a possible incident before it even occurred, based on these surveys and needs there was a need to create a tool to monitor social networks in search of incidents or future possible incidents involving our customers.

  The Horus system is a tool for monitoring malicious activity and detecting security events and incidents through the correlation and analysis of data provided by sensors from traditional networks and other sources such as social networks(Facebook,Twitter), forums, IRC and virtual network registries. This tool is also used to monitor the use of institutional names in forums and social networks, alerting possible malicious activities.

  As a contribution to RNP and its clients, this tool has aided in information security processes, especially security incident detection and response. It is also important to highlight the scientific contribution of this work, which is the evaluation of new sensors and the provision of empirical evidence of the use of information retrieval techniques to support new architectures of EWS (Early Warning Systems).

  Anticipation of events / incidents is done through a Web system and social media messaging collectors. At the moment the tool is successfully integrated with the SGIS, an incident management system used by CAIS and its clients. In more detail, the tool is able to monitor Twitter, Facebook, and IRC alerts; classify alerts into several classes to facilitate the work of administrators; provide important information for the investigation of attacks, such as screen captures of page disfigurements; manage the sensors through the system's own web interface; producing a timeline of alerts; calculate the risk index of different institutions from the captured alerts; allow manual categorization of alerts as they are processed manually by the administrator; display georeferenced information about captured alerts and manage multiple system core configurations in the web interface itself.

  [1] R. CAMPIOLO, L. A. F. SANTOS, D. M. BATISTA, and M. A. GEROSA. Evaluating the Utilization of Twitter Messages As a Source of Security Alerts. In Proceedings of the 28th Annual ACM Symposium on Applied Computing, SAC ’13, pages 942–943. ACM, 2013

  [2] L. A. F. SANTOS, R. CAMPIOLO, M. A. GEROSA, and D. M. BATISTA. Extra¸c˜ao de Alertas de Seguran¸ca Postados em Mensagens de Redes Sociais. In Anais do XXXI Simp´osio Brasileiro de Redes de Computadores e Sistemas Distribu´ıdos (SBRC), pages 791–804. SBC, 2013

  [3] R. CAMPIOLO, L. A. F. SANTOS, D. M. BATISTA, and M. A. GEROSA. An´alise de Mensagens de Seguran¸ca Postadas no Twitter. In Anais do Simp´osio Brasileiro de Sistemas Colaborativos (SBSC), pages 1–8. SBC, 2012

  [4] L. A. F. SANTOS, R. CAMPIOLO, and D. M. BATISTA. Uma Arquitetura Autonˆomica para Deteccao e Rea¸c˜ao a Amea¸cas de Seguran¸ca em Redes de Computadores. In Anais do III Workshop em Sistemas Distribu´ıdos Autˆonomicos (WoSiDA) – Workshops do Simp´osio Brasileiro de Redes de Computadores e Sistemas Distribu´ıdos, pages 1–4. SBC, 2014.

  June 25, 2018 12:15-12:45

•  AU

  The Road to (IR) Nirvana

  Rob Lowe (Red Hat, AU)

  Rob Lowe is a Senior Manager in the Information Risk and Security team at Red Hat where he focuses on Information Security Operations and Incident Management. Rob has worked in the Information Security industry for the past 15 years at AusCERT, CERT Australia and Red Hat. In these roles he has enjoyed his interactions with the FIRST community, presenting the FIRST Annual Conference in 2005 and delivering TRANSITS training at various locations.

  This presentation examines Red Hat Information Security team’s alligator fighting over the last 7 years, how we came to our liberating realisation, and how we refocused our activities. The question we continue to ask ourselves is: “How do we get back to our objective?” That is, how do we make things hard for our adversaries and minimise the impact of information security incidents. This talk looks specifically at our work on the Network Intrusion and Anomaly Detection, in the context of the incident management in a dynamic business environment (and the cloud!). The Red Hat Information Security Team was formed in 2009 and we take a look at our development during this time, looking at our major milestones and why they are important. This journey is far from complete - we still have a long way to go.

  This presentation won't be technical, it aims to provide insight into our experience as we continue to develop our incident management capabilities. It aims to provide useful elements for incident response practitioners (particularly those focusing on tooling) as well as team leads and managers.

  June 25, 2018 11:15-12:15

•  MY

  Things Attack: Peek into an 18-month IoT Honeypot

  Tan Kean Siong (The Honeynet Project, MY)

  Tan Kean Siong is an independent security researcher and member of The Honeynet Project. He involved in several open source network sensor and honeypot development, including Dionaea, Honeeepi and Glutton. He has spoken in conferences e.g. DEF CON Packet Hacking Village, Hack In The Box, HITCON, Honeynet Project Workshop and other open source community events.

  Internet of Things attacks are on the rise. In this session, we love to share the interesting stories from a single 18 months IoT honeypot.

  Back in year 2015, we designed a IoT 'device' for fun and deployed it as single honeypot, with the UPnP and MQTT protocols emulation. Since early year 2017, we started to listen quietly to the Telnet traffic after Mirai attacks.

  We would like to present the design of the 'device' with three network protocols emulation. The home 'device' was frequently visited by millions of UPnP requests and 'assisted' in DoS attacks. We observed emerges of multiple Mirai variants with different well-crafted characteristics. By tracing the characteristic, we discovered the variant belongs to notorious threat group. We found sneaky Hajime botnet mutants evolve with different evasive tricks, visitors with amusing commands, mis-configured botnets, etc.

  June 27, 2018 14:15-15:15

•  US

  Threat Hunting Techniques at Scale

  Dhia MahjoubThomas MathewDhia Mahjoub (Cisco Umbrella (OpenDNS), US), Thomas Mathew (Cisco Umbrella (OpenDNS), US)

  Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D Strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied on Wireless Sensor Networks' problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, NCSC One Conference, O'Reilly Security, and FIRST/OASIS Borderless Cyber and Technical Symposium.

  Thomas Mathew is Senior Security Researcher at Cisco Umbrella (OpenDNS) where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz, the US Naval Postgraduate School, and as a Product and Test Engineer at handsfree streaming video camera company Looxcie, Inc. He presented at Black Hat, Defcon, BruCon, FloCon, Kaspersky SAS, and O'Reilly Security.

  Threat hunting is an important process in every security operation, whether it is meant to produce intelligence for internal or external use it consists in proactively searching through large scale network data to detect and pinpoint threats that evade automated and signature-based security systems. In today’s talk, we discuss the different steps of efficient threat hunting at scale: we describe how to initially use a set of short term high signal seeds from manual analysis to uncover additional threats (domains, IPs, binaries, etc). Then, we introduce a set of techniques that facilitate the automated generation of long term signals associated with the detection of malicious campaigns (botnets, malspam, ransomware). The generation of these signals involves analyzing vast quantities of hourly global DNS query traffic to identify patterns that exhibit non-random anomalous behaviour. These signals have proven to have long term predictive power because they model the network effects of a campaign as it spreads globally. Specifically, network signals are more difficult for a malicious operator to obfuscate and thus these signals can be used for an extended period of time. Generating these signals depends on having large amounts of DNS data to statistically ensure that the anomalies detected can be considered non-random. We show how the anomalies arising in DNS query patterns, SSL hosting infrastructures, and client lookups can all be used to generate a set of initial domains or IPs that can be further researched. By correlating similar hosting patterns between such domains we can identify malicious campaigns. When it came to generating a seed list from SSL data we used a graph-based approach that identified anomalous subgraphs within the global SSL hosting infrastructure which lead us to uncover patterns of criminal hosting space that leverages SSL. Subsequently, we show the importance of investigating overarching patterns and TTPs behind malicious campaigns in order to go beyond short-lived IOCs and develop an understanding of the operational setup of criminal actors. This can provide us a proactive and longer-lasting advantage over the adversary. Our talk will not only go over the statistical methods used to identify these anomalies but also describe the details of the backend infrastructure required to allow for the quick detection of these threats.

  June 26, 2018 16:15-17:15

  Mahjoub-Dhia_FIRST_20180712.pdf

  MD5: bcb1f30f6cb96c9cb7a8e5bb40e00eee

  Format: application/pdf

  Last Update: July 26th, 2018

  Size: 3.37 Mb

•  US

  TLP to IEP Evolution: What, Why & How

  Tom Millar (US-CERT, US)

  Mr. Millar has been a member of US-CERT for 10 years, serving as its Chief of Communications for most of that time. In that role, he has worked to strengthen US-CERT’s information sharing capabilities, increased the level of public, private and international partner engagement, and supported initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.

  FIRST has issued two important standards for helping CSIRTs and their constituents share and re-share sensitive information more efficiently: the Traffic Light Protocol (TLP) and the Information Exchange Policy (IEP) framework. This presentation will give a quick overview of both, followed by an in-depth exploration of the use cases and more advanced options that IEP offers, in addition to the traditional TLP designations.

  IEP’s four policy types – Handling, Action, Sharing and Licensing – address many of the needs of larger, mature sharing communities, but can also work for sharing networks that are just starting out, so that they will be able to easily accommodate other sharing models as they grow. TLP can be used to support the “sharing” policy type in IEP’s model, so they are fully compatible.

  Raising awareness of FIRST’s own standards work is a valuable way to contribute to the CSIRT community around the world, and attendees of this presentation will come away with everything they need to know to implement IEP (and TLP) in their own environments, as well as to educate fellow information sharing peers and partners.

  June 28, 2018 13:45-14:45

  MillarTom_TLP-to-IEP-Evolution-Slides-for-FIRST_20180621.pdf

  MD5: 05c1f5ec08420a2ddd84da06df2f671a

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 2.44 Mb

•  US

  What’s in a Name? The Need for Global Identifiers of Badness.

  Richard StruseRichard Struse (The MITRE Corporation, US)

  Richard Struse is the Chief Strategist for Cyber Threat Intelligence (CTI) at The MITRE Corporation, leading the effort to improve cyber defense by better understanding the adversary’s tactics and techniques. In addition, he is the chair of the Cyber Threat Intelligence Technical Committee within OASIS, an international standards development organization. Previously, Mr. Struse served as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he was responsible for technology vision, strategy and implementation in support of the NCCIC’s mission. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extreme high- reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories where his work focused on tools to automate software development and the UNIX operating system. In 2015 Mr. Struse was named by Federal Computer Week as one of the “Federal 100” in recognition of his leadership role in the development of cyber threat intelligence technology standards. In 2016, OASIS selected Mr. Struse to receive their “Distinguished Contributor” award for his work as “a pioneer in the development of the STIX, TAXII, and CybOX standards and was instrumental in successfully transitioning the CTI work to OASIS.”

  A recurring theme in the threat analysis community is the need for more “context” surrounding the threat intelligence they consume - cyber threat intelligence lacking context is often described as “not actionable”. The term “context” can refer to many things, from lower-level technical context such as the time window that an indicator is considered valid all the way up to attribution of a threat to a particular named threat actor. Contextual information allows the consumer of the threat intelligence to better understand the threat including its relevance to their organization, the level of risk posed by the threat and potentially how to detect and/or prevent a threat. Context is most useful however, when we are all talking about the same things. Today there are few widely-used sources of freely-available “ground truth” with respect to cyber threats.

  MITRE’s ATT&CK™ repository is openly-accessible and contains machine-readable STIX™ 2 definitions of well-known contextual information including adversary tactics and techniques, threat actor groups, campaigns and malware families. The goal of the repository is to enable publishers and consumers of threat intelligence to leverage well-known and stable identifiers for these important pieces of contextual information for improved correlation, pivoting and automation. To encourage use of the repository, we are providing a web user interface, a TAXII™ interface and a RESTful API to access repository content. The goal of this work is to provide a rich set of contextual information to enable a variety of use-cases including blue & red-teaming, security posture assessments, adversary emulation and analytic development.

  This presentation will explore the need for and use of stable, well-known identifiers for key contextual elements and then give a technical overview of the ATT&CK repository, its architecture and the process used to curate and evolve content over time. Specific examples of how to use the repository to enhance and automate aspects of threat intelligence analysis will be discussed.

  June 28, 2018 11:00-12:00

•  MY

  What’s Up DOCX?: Malicious Office Document Evolution Study

  Mahmud Ab Rahman (Netbytesec sdn bhd, MY)

  Mahmud Ab Rahman currently works as Information Security Researcher for NetbyteSEC. Prior to that, he worked as an Information Security Specialist Manager at MyCERT department. Currently he is taking in-charge of tracking botnet, android reverse engineering and malicious documents tracking on APT to analyze and dissect information security threats.

  His education background comprises of Master Degree in Computer Science from National University of Malaysia in 2006. Prior to that, he obtained a Degree in Computer Science from the same university. Moreover, he is recognized for conducting numbers of training for organizations to talk on advanced security courses. He is a occasional speaker at conferences such as DEFCON (USA), Hack In The Box (MY), HITCON (TW), FIRST Conference (USA), Honeynet Annual Workshop, FIRST-TC (JP,MY) and many more.

  Malicious office documents are getting more commons in cyber attack nowadays. The form of direct control of the execution is evolving into a complex combination of techniques to control EIP, smashing the vulnerable application while avoiding detection to many clear ways of abusing features on Microsoft Office such as DDE, MACRO and few others. These are the main ingredients in the malicious document secret recipe. During the talk, we'll examine latest techniques used by the attacker to hide and bypassing and detection avoidance techniques, using malicious office document samples discovered in-the-wild. In this talk, artefacts related to the malicious office will be showed as well for better coverage during the incident response.

  June 27, 2018 10:30-12:30

•  US

  What was in that Data?

  Gant Redmon (IBM Resilient, US)

  Gant has worked at security software companies for the past nineteen years, most recently at IBM’s Security Division. He ran internal GDPR compliance for IBM Security and currently manages the legal logic in the IBM Resilient Incident Response Platform. Prior to IBM, Gant was the general counsel at several security startups that went on to be acquired. In 1997, he was appointed membership on the President Clinton’s Export Council Subcommittee on Encryption (PECSENC). Gant received his JD from Wake Forest University and his BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts.

  In May of next year, the EU’s General Data Protection Regulation (GDPR) will go into effect. GDPR has been the biggest privacy topic of discussion of the past year, with organizations across the globe doing business in the EU working to become compliant with these new obligations throughout this past year. However, many are not fully compliant yet, and some have yet to begin any GDPR preparation at all.

  In this session, Gant Redmon, IBM Resilient’s privacy expert, will give an overview of the impact GDPR will have on organizations that are not compliant. Specifically, he will dive into what incident responders will need to know about the regulation and the impact on their day-to-day jobs. With GDPR in effect, senior leaders within organizations will suddenly be relying on incident responders for much more given the enormous potential penalties. Questions from senior executives like, “what was in that data?” will be asked frequently. Gant’s session will focus on what incident responders can expect to be able to provide their organization with under GDPR, and how they can work with the legal and C-Suite teams to stay ahead of any GDPR-related penalties.

  Attendees will get actionable takeaways on how to best prepare for and respond to any incidents that could trigger GDPR action. Gant will also dive into how incident responders can get ahead of these burning questions, so that they are prepared when the higher-ups ask, “what was in that data?”

  June 28, 2018 12:00-12:30

  Redmon-Gant_FIRST_20180607.pdf

  MD5: f1ff62ec55fedd4287a2fcbb5be30af4

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 1.16 Mb

•  US

  Why is CTI Automation harder than it needs to be.. and what can security teams do about it.

  Allan ThomsonAllan Thomson (LookingGlass Cyber Solutions, US)

  Allan Thomson is LookingGlass Chief Technology Officer (CTO) responsible for technology product vision, strategy & architecture across Threat Intelligence Management, Threat Mitigation & Response product lines.

  Allan is currently serving as the Co-Chair of the Interoperability Subcommittee for the Cyber Threat Intelligence Technical Committee at OASIS as well as lead contributor on OpenC2 automation standards. He was recently recognized by OASIS as Distinguished Contributor for his work on standards at OASIS.

  Previously, he was Principal Engineer and Architect for Threat Defense products at Cisco Systems with active involvement in standards for security (IETF/IEEE) and distributed systems.

  Threat Intelligence is well known as an important part of CERT and Incident Responders toolkit.

  However, sharing of intelligence across heterogeneous tools and environments that different organizations and groups (e.g. security operations vs threat research vs incident responders) use is a real challenge to the successful use and impact threat intelligence can have. When you expand those problems within a single organization to across different companies, CERTs and countries then the complexity and variability increases significantly.

  If you then try to drive automation using threat intelligence, such as a firewall or web gateway, in an automated manner then the problems of inconsistent data sets, inconsistent semantics and unexpected behaviors results in significant headaches for security practitioners downstream from the providers of the data.

  This presentation will cover some real-world problems of Threat Intelligence sharing in heterogeneous environments and provide some insights on how some of the new standards STIXv2/TAXIIv2 and OpenC2 are solving those problems for many of the use cases across a single organization and multiple organizations alike.

  As part of the recommendations and insights, we will present on what OASIS Cyber Threat Intelligence Interoperability program has defined, what were some of the key CERT & Incident Responder use cases that the program supports and some thoughts for future adoption of the program to future use cases of Threat Intelligence and Automation. We will also include some lessons learned from recent Interoperability plugfest. Finally, we will wrap up with key Interoperability standards aspects that CERTs and other users of Threat Intelligence should consider leveraging in their environments before making decision on threat intelligence data and tool providers.

  June 27, 2018 11:00-11:30

  Thomson-Allan_FIRST_20180602.pdf

  MD5: 55f0db2ba614c7c47e74f9e5eea076f5

  Format: application/pdf

  Last Update: June 27th, 2018

  Size: 2.29 Mb

Conference Brochure

Sponsorship Brochure

Register now!

Contact US

Inquiries? Contact us at the following:

email:
first-2018@first.org

hotline:
+1 312 646 1013

snail mail address:
FIRST.Org, Inc.
Conference Office
c/o CAPS, LLC
219 W. Chicago Avenue, Suite 300
Chicago, IL 60654
United States of America