Program Overview

• Discovering (and fixing!) vulnerable systems at scale

  Joel Snape (BT)

  As a global enterprise which has been operating since 1846, and with operations in more than 180 countries BT has a large and sprawling estate managed across several different operational divisions. Over the last few years, we have developed a set of techniques and tools to mimic the reconnaissance that would be carried out by an attacker, and now run this as a project to discover unloved, unmaintained and vulnerable systems across our network.

  This talk will run through some of the tools and techniques developed, our findings and some of the challenges in getting things fixed at scale across a large enterprise.

  • Joel Snape has worked in a variety of security roles at BT, starting in physical security before moving on to work on hardware and software vulnerability assessment and mitigation. For the past few years, he has been working alongside BT security operations team on high profile incidents, as well as leading a team responsible for discovering and detecting threats to BT’s global networks and customers.

  April 26, 2017 12:00-13:00

• How political motivated threat actors attack

  Feike Hacquebord (Trend Micro)

  Throughout history, politically motivated threat actors have been interested in changing the public opinion. In recent years the popularity of the Internet gave these threat actors new tools that are highly effective and scalable. Not only do they make use of social media to spin the news, spread rumours and fake news, but they also actively hack into political organisations. In this talk we will give an overview of the attack tools that political motivated actors use. We will give explicit examples of advanced credential phishing, leaking sensitive data and attempts to influence what mainstream media publish. We will also discuss networks that are designed to spread rumours and fake news on social media. Cyber attacks against political organisations are not likely to stop anytime soon. Our presentation we will include recommendations for organisations to protect themselves from the most prevalent attacks politically motivated actors use.

  • Feike Hacquebord works as a Senior Threat Researcher for the Forward Looking Threat Research team of Trend Micro and has more than 10 years of experience in investigating cybercrime. In recent years he got interested in targeted attacks and he is the author of more than a dozen blog postings on high profile targeted attacks. Prior to joining Trend, Feike was an independent researcher and he holds a PhD degree in Theoretical Physics from University of Amsterdam.

  April 26, 2017 14:00-15:00

  How_politically_motivated_actors_attack.pdf

  MD5: 1f343576f1f5980b700369f180c1fc64

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 15.3 Mb

• Injection without needles: A detailed look of the data being injected into our web browsers

  Paul Alderson (Fireeye)

  Shortly after Al Gore invented the internet, banking and credential theft malware was created. Join me as we take a peek into 18 months (roughly 100,000 items) of web-­inject and other configuration data harvested from several different botnets. We will identify, discuss, and contrast trends across this unique data set -­ from target preferences of banks, shifting attention between countries and size, to things outside the financial sector. What specific social media sites other non-­financial institutions being targeted and what is in it for the attackers? Then we will examine the data outside of the web-­injects -­ keylogging of processes, exfiltration commands, screenshotting of applications and DDOS commands and other evil stuff. We'll take a look at the infrastructure/software built to track the malware infrastructure. On the flip-­side, several anti-­analysis techniques have also been observed the last couple years. We expect this to only increase and attempt to break our stuff. The talk will end with various obligatory predictions of the future.

  • Paul Alderson joined FireEye (previously iSIGHT Partners) in 2011 where he currently serves as a Principal Analyst on the FireEye Intelligence team. His fifteen years of experience in technology spans computer security, network design, and application development all starting with a Bachelor of Computer Science from Boise State University in the US. Before working at FireEye he owned his own consulting business and was a commissioned officer in the United States Army in Aviation and Network Defense. Paul currently lives here in Amsterdam.

  April 25, 2017 14:45-15:45

• Intelligence Collection Techniques

  Chris Hall (Wapack Labs)

  You don't have to be a three-­letter agency in order to perform cyber-­intelligence collection! Today, anybody with the computing-­power and time can easily start passive (and legal) collection. This presentation discusses tactical methodology for some of the more popular methods such as DNS sinkholes as well some lesser known niche techniques. Also included are lessons-­learned and case-­studies from some of our more memorable collection operations.

  • Chris Hall is the Principal Engineer and Co-­founder at Wapack Labs. Since 2000, Chris has worked in the intelligence community, in varied positions to include SIGINT analysis, security engineering, malware reverse engineering, and cyber threat intelligence. In 2012, Chris left the government to help start the Red Sky Alliance and then co-­founded Wapack Labs a year later.

  April 26, 2017 09:30-10:30

• Internal Network Monitoring and Anomaly Detection through Host Clustering

  Thomas Attema (TNO)

  Internal network traffic is an undervalued source of information for detecting targeted attacks. Whereas most systems focus on the external border of the network, we observe that targeted attacks campaigns often involve internal network activity. To this end, we have developed techniques capable of detecting anomalous internal network behavior. As a second contribution we propose an additional step in the model-­based anomaly detection involving host clustering. Through host clustering, individual hosts are grouped together on the basis of their internal network behavior. We argue that a behavioral model for each cluster, compared to a model for each host or a single model for all hosts, performs better in terms of detecting potentially malicious behavior. We show that by applying this concept to internal network traffic, the detection performance for identifying malicious flows and hosts increases.

  • Thomas Attema MSc graduated in Mathematics from the University of Utrecht in 2013, after which he started working as a research scientist at TNO in the department Cyber Security & Robustness. One of his main topics of interest is anomaly detection. As such, he has contributed to the development of new network intrusion detection algorithms. Another topic of interest is cryptography in which he is currently working on applying various multi-­party computation schemes to the cyber security domain. Moreover he is involved in various initiatives in the field of quantum and post-­quantum cryptography.

  April 25, 2017 10:30-11:30

  Internal_Network_Monitoring_and_Anomaly_Detection.pdf

  MD5: 8b8de9150fdc5d658f8f2fad11d45ac8

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 3.88 Mb

• Lessons learned in fighting Targeted Bot Attacks

  Jose Enrique Hernandez (Zenedge)

  The talk aims at first dissecting some recently targeted bot attacks we have faced at Zenedge and walk through the capabilities of a determined threat actor. Expanding upon the chess game of mitigation we pivot into the 5 main mitigation techniques:

  1. Rate limiting/Delaying
  2. Javascript Challenges
  3. CAPTCHA
  4. Human Interaction Challenges
  5. Fingerprinting

  Then discuss their pros and cons, and what combination is most effective against targeted attacks. In the final section of the talk will discuss how to employ these techniques and have them leverage by your very own CIRT team. The talk will close off with advice/guidelines to follow in order to detect, mitigate and report on bot attacks using open source software.

  • Jose Hernandez is currently the SVP Technology and Engineer at Zenege Inc. He started his professional career at Prolexic Technologies (now Akamai) in DDOS fighting attacks from anonymous and lulzsec against fortune 100 companies. While working at Splunk Inc. as a Security Architect, he built and released an auto-­mitigation framework that has been used to automatically fight attacks in large organizations. In the past, he has helped build security operation centers as well as run a public threat intelligence service. Jose is originally from Miami, Florida where he completed his Master’s degree in Information Security from Nova Southeastern University. He also achieved two undergraduate Bachelor degrees from Florida International University in the field of Management of Information Systems and Information Technologies. Although security information has been the focus of his career, Jose has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote control vehicle called the SensorSub, which was used to test and measure toxicity in Miami’s waterways.

  April 26, 2017 15:30-16:30

  https://app.slidebean.com/p/NFgtVrcBmD/Fighting-Bots

• Let your CSIRT do malware analysis, Recruit-­CSIRT has done it!

  Tatsuya Ichida (Recruit Technologies)

  I introduce the deep customized sandbox system for CSIRT. This has some individual functions in order to make forensic easier. We had considered what CSIRT wants via malware analysis. Finally, our CSIRT's dream come true. Our system has the functions below.

  • customized dynamic agent for malwares to behave more active in our workplace environment.
  • create IOC and auto-­analysis the C&C servers
  • Real-­time Visualization the analyzed behavior on Web UI.
  • Post C&C information to FW & Web Proxy in order to block the malicious outbound traffic.

  This system help Recruit-­CSIRT on the both of Forensic and Prevention. Normal behavior and traffic removing is very tough and still now on going. Our system is a kind of enhanced cuckoo sandboxes.

  • Tatsuya Ichida is a security engineer and incident handler in Recruit-CSIRT, especially prefer to analyze malware. He love malware and may be loved by malware. He joined Recruit Technologies; domestic IT company 2 years ago to seek the best method of handling malware incidents for CSIRT. He hold CISSP, GCIH, GPEN.

  April 25, 2017 17:00-17:25

  Recruit-CSIRT_TatsuyaIchida.pdf

  MD5: 9986dbbc990fe06b98e1a56a34e143b3

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 3.71 Mb

• Leveraging Event Streaming and Large Scale Analysis to Protect Cisco

  Steve McKinney & Eddie Allan (Cisco)

  Cisco is continually finding new ways to protect our company. This talk will walk through a recent approach where we are leveraging an event streaming architecture to detect, enrich, and (soon) respond to threats in near real-­time. We have converted CSIRT plays to run on Kafka and Flink which then feed results to Splunk for analysts. We will also demonstrate the use of Spark SQL to do large scale retrospective detections. These systems enable Cisco to reduce time spent on cases, decrease detection times, and run more complex detection engines than were possible with our existing approaches.

  • Eddie Allan is a security engineer for Cisco’s Threat Intelligence Platform. After obtaining a BS and MS in computer science from Wake Forest University, he began his career with a 2.5 year stint at Booz Allen Hamilton consulting in the intelligence community. His love of warmer weather and BBQ brought him back to North Carolina and to a new job with Cisco, where he’s been happily designing, coding, breaking, analyzing, and securing things for nearly six years.

  • Steve McKinney is a technical leader in Cisco's Security and Trust Organization. He has a MS degree from NC State University in computer networks and lives in Raleigh, NC.

  April 26, 2017 16:30-17:30

• pcap doesnt scale'| sed 's/doesnt/does/'

  Erik Waher & Matt Moran (Facebook)

  Incident Responders need reliable packet capture as a source of truth for what happened on their networks. You can’t file carve from netflow records that tarball the attackers exfiltrated from your breached server, and flow isn’t always detailed enough for writing an IDS signature. This leaves incident response teams with conjecture – “we know there was traffic, but we don’t know what it was.” Do you want to tell your legal team you know exactly what was lost in a breach, or #yolo “We think we only lost half the database”?

  Historically, scaling packet capture infrastructure to meet network demands has been a significant challenge. Physical space for infrastructure can be limited, traffic rates can be too high to maintain meaningful retention windows, and costs may be prohibitive. How do you efficiently query petabytes of data in time to resolve an incident? “Capture All the Things!” seems impossible to scale in the real world.

  To address these problems, our in-­house security team built a scalable, cost-­effective, pcap solution backed by Open Compute Project hardware. This presentation will walk you through the architecture and design decisions that enabled us build a high performance packet capture infrastructure capable of handling tens of Gbps per host and providing retention measured in petabytes. The solution automatically delivers packets to analysts and responders, allowing fast identification and reporting on security incidents.

  • Erik is a security engineer with a love of all things on the network.
  • Matt hates computers, but he needs money so...

  April 25, 2017 09:30-10:30

  PCAP-Facebook-lowQv2.pdf

  MD5: a40991920260e47cb6fc650907b3d9a7

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 804.86 Kb

• Security Analytics with Network Flows

  Sunil Amin (Cisco Lancope)

  This talk is introduction in the use of Network Flow telemetry (NetFlow, sFlow, IPFIX) for advanced analytics for security detection and incident investigation. We will start by covering some of the background and history of the protocols and the information they contain. Next, we will cover the techniques that can be used to pre-­process the corpus and illustrate some of the analytic techniques that can be applied with real-­world use cases and case studies. Finally, we will talk about the FOSS tool that are available to get you up and running as quickly as possible.

  • Sunil leads Research and Development for the Cisco Stealthwatch product line and is responsible for providing the technology direction for the advanced security analytics capabilities of the products. Prior to joining Cisco, Sunil was Chief Scientist at Lancope and drove the innovation behind the Stealthwatch products culminating in its acquisition by Cisco in 2015. He also previously held roles at Mitsubishi Telecommunications, Hitachi Telecommunications and Nortel (UK).

  April 26, 2017 10:30-11:30

  Sunil.pdf

  MD5: dba6e8da69e3d2ca4815f7e10ddf2ee2

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 1.07 Mb

• SWITCH DNS Firewall Update

  Matthias Seitz (SWITCH-­CERT)

  An update of the SWITCH DNS Firewall will be presented. This includes the current status, lessons learned and other important points. Also a overview what have changed on the RPZ market will be presented.

  • Matthias Seitz, SWITCH-­CERT. Working at SWITCH since 4 years for the Universities /Registry Team.

  April 25, 2017 16:15-17:00

  SWITCH_DNS_Firewall_Update.pdf

  MD5: cf601c0076e7c23b609a0b61e51b5555

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 2.4 Mb

• The evolution of Nigerian cybercrime

  Davide Canali (Proofpoint)

  Nigerian scammers have been known for years as perpetrators of Advanced Fee Fraud scams -­ probably the Internet's least advanced scams. Since then, common belief was that these people had limited technical abilities and were unable to carry out advanced or organized crimes.

  However, today's reality is different. Nigerian cybercrime groups have evolved and are able to perform a wide range of attacks against different targets, from individuals to high value organizations (e.g., big multinational companies). They have divided their tasks and organized so to orchestrate everything from sending out malware campaigns, carrying out business email compromise (BEC) scams, registering bank accounts in different countries, and handling money mules abroad. Today, Nigerian cybercrime alone is responsible for a high percentage of targeted attacks worldwide. This talk will showcase some of the tactics, techniques and procedures (TTPs) we've observed by monitoring several Nigerian cybercrime groups over the last few months. Attendees will learn how these groups operate, what tools and infrastructures they use, and how they "cash out".

  • Davide Canali is Senior Threat Analyst at Proofpoint, Inc. Previously, he worked as Network Threat Analyst at Lastline in London, and Researcher at the Networking and Security department of EURECOM on the French Riviera. Davide holds a PhD in Computer Security from Telecom ParisTech and a MSc in Computer Engineering from the University of Bologna (Italy). During his studies, he has also worked as visiting researcher at the Computer Security Lab at UCSB (University of California, Santa Barbara). His main area of expertise is web and network security, although his current role covers a much wider spectrum of computer threats.

  April 25, 2017 12:00-13:00

• TRAINING: Incident Response, Forensics, and Vulnerability Management Lessons Learned

  Sasa Rasovic, Omar Santos & Stefano De Crescenzo (CISCO)

  It is no secret that the security landscape has changed. Adversaries employ sophisticated ways and all it takes is one small crack in your armor and the next thing you know they have compromised your devices, finding sensitive data, and holding your business hostage. In this course we will cover several use cases explaining the threat exploitation based on target industry-­types. We will cover several lessons learned while performing forensics of compromised embedded devices and infrastructure platforms. With number of attacks against networking infrastructure growing, it has become essential to be able to determine the integrity of your network infrastructure. This session also outlines the tools and processes for determining the integrity of network infrastructure devices.

  We will discuss the indicators of comprise (IoC) that govern the level of risk associated with a device. We will examine the details of custom sophisticated malware including SynFul Knock, exploits revealed by Shadow Brokers, and other examples. We will also discuss and show how Cisco proactively fights systemic issues and show details about tools we have created to identify and confirm new vulnerabilities.

  • Sasa Rasovic, is a Security Architect/Incident Manager in Cisco’s Product Security Incident Response Team (PSIRT) where he works on investigation and resolution of critical security vulnerabilities affecting customers running Cisco products. Sasa's been part of the security industry for 17 years (7 at Cisco). In his many roles for multiple leading vendors in the field over the years, Sasa has designed, implemented and supported some of the world's largest networks. Prior to his current role, he was a technical leader for security group within Cisco's Technical Assistance Center (TAC) in Brussels where he served as an escalation point for critical network outages and product design reviews.

  • Omar Santos, is a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco's Security Research and Operations. Omar is an active member of the security community, where he leads several industry-­wide initiatives and standard bodies. Omar is often delivering technical presentations at many conferences and to Cisco customers and partners. He is the author of over a dozen books, video courses, and several other publications.

  • Stefano De Crescenzo, is a senior incident manager with the Cisco Product Security Incident Response Team (PSIRT) where he focuses on products vulnerability management Cisco products forensic. He is author of several blog post and white papers about security best practices and forensic. He is an active member of the security community and invited speakers at several security conferences.

  Stefano is specialized in malware detection and integrity assurance in critical infrastructure devices and he is author of integrity assurance guidelines for Cisco IOS, IOS-XE and ASA. Stefano holds a B.Sc. and M.Sc. in telecommunication engineering from Politecnico di Milano, Italy and a M.Sc. in telecommunication from Danish Technical University, Denmark. He also holds a CCIE in Security #26025 and he is CISSP and CISM certified.

  April 24, 2017 08:30-18:00

• Vaccination: An Anti-Honeypot Approach

  Gal Bitensky ( Minerva)

  Malware often searches for specific artifacts as part of its “anti-­VM\analysis\sandbox\debugging” evasion mechanisms, we will abuse its cleverness against it. The "anti-­honeypot" approach is a method to repel (instead of luring) attackers, implemented by creating and modifying those artifacts on the potential victim’s machine. Once the created artifacts are found by the malware – it will terminate.

  My session will include motivations for attackers to use evasion techniques, some in-­the-­wild examples and effective countermeasures against it. I also wish to perform a short DIY-­vaccination demo, including the execution and prevention of a live malware. The script I will use in my demo to vaccinate the potential victim will be uploaded to GitHub and publicly shared.

  • Gal "B1t" Bitensky, 29 years old geek from Tel-­Aviv Senior analyst and security researcher, currently repelling attackers on enterprise scale at Minerva "Full stack researcher" – experienced in anything from debugging exploit kits to ICS protocols reverse engineering.

  April 25, 2017 14:00-14:45

  Vaccination.pdf

  MD5: d1377a47dd234e1156f403032e451af0

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 16.44 Mb