Program Overview
The FIRST Technical Colloquium (TC) event will be held in 28-31 January 2013 at LNEC in Lisbon, Portugal. This is a joint event of FIRST and TF-CSIRT hosted by CERT.PT/FCCN.
Notes to January 30th (Wednesday)
Call for Speakers
FIRST is also looking for speakers that would like to present during FIRST/TF-CSIRT Sessions and for the FIRST Hands-On Classes. This is a GREAT opportunity to give something back to FIRST, and some suggested topics are as follows:
- Lessons learned, case studies, etc.
- Threat updates - statistics of malware and such
- Attack tools and trends
- Incident response tools and trends and security technologies
For your submission, please provide the following information to first-lisbontc@first.org:
- Title
- Brief Summary (Abstract)
- Presenter's Name and Affiliation
- Estimated Time
For the Hands-On day, we are looking for presenters to lead a demonstration or a hands-on exercise. Each instructor is expected to prepare their own material and to bring their own equipment and attendees are expected to bring their own laptop computers and power converters/adaptors. Instructors should expect to work with groups up to 20-30 students. The duration of each demo or exercise should be 2-3 hours, so that it can be run once in the morning and once in the afternoon or may be a full day program. Please advise whether you need any additional equipment or facilities.
If you're interested in speaking or instructing a Plenary Session or Hands-on class, please get in contact with Margrete Raaum (first-lisbontc@first.org) or Jacomo Piccolini (jacomo@cymru.com).
Monday, January 28th
| TF-CSIRT Meeting/FIRST TC |
|---|
| 09:30 – 13:00 | Trusted Introducer Meeting - TI-accredited CSIRTs and TI Review Board members only |
| 13:15 – 14:15 | Lunch |
| 14:15 – 17:15 | 38th TF-CSIRT meeting/FIRST TC |
| 20:00 – 23:00 | Social Event |
- US
Arming Security Investigators
Matthew ValitesChris Fry (US), Matthew Valites (SAP, US)
Over 10 years, security threats have grown from network annoyances to attacks on sensitive infrastructure. Evidence indicates that security threats are growing more sophisticated and aimed at embedding malware in infrastructure. This presentation will share Cisco CSIRT's evolving architecture for addressing sophisticated, embedded threats.
Topics will describe how CSIRT has evolved its network infrastructure over the past 10 years, and will give detailed architectural examples and guidance regarding their multi-petabyte global deployments of:
- Log/event collection of syslog, DNS, web proxy logs, ModSecurity logs
- NetFlow collection
- Host and user attribution techniques (using DHCP, NAT, VPN logs to identify users)
It will also include a description of how CSIRT Engineering is integrating the following solutions into their global deployment:
- Nascent APT detection using precursors
- Challenges and solutions for multiple filtered detection using SPANs and taps (IDS, DNS collection, web proxy, DLP)
- Data loss protection (DLP)
- Rapid operationalization of collaborative, commercial, and home-grown intelligence
- Pulling this all together in a free-form custom SEIM.
January 29, 2013 11:15-13:15
- GB
Challenging appliances
Damir (Gaus) Rajnovic (Cisco Systems Co., GB)
We all have more and more appliances and other devices that can be connected to a network and this trend will only continue. This talk will highlight some unique challenges that this brings to the vendors but also to CERTs. Some of the issues that a vendor is facing are: how to deal with home users who may not have sufficient knowledge, how to scale to reach billions of affected users. On the other hand how will CERT contact my next door neighbour whose washing machine is used to launder bitcoins?
January 29, 2013 10:00-10:45
rajnovic-damir-slides.pptx
MD5: b0104725080f8080ae907f6fb09c8840
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 16.35 Mb
- PT
Effectively detection of intrusions using business process specifications
João Lima (INOV INESC Inovação, PT), Nelson Escravana (INOV INESC Inovação, PT)
In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the protection of IT systems in general, and particularly the systems used to command, support and control critical infrastructures, where public transportation networks are inserted. Intrusion detection systems (IDS) have been used as a tool to detect attempted, or already accomplished, intrusions on IT systems, providing support to security administrators in the monitoring of their networks, in order to discover actual, and avoid future, intrusions. However the extensively acknowledged effectiveness problems these systems suffer have been hampering their broad usage. In the context of the SECUR-ED FP7 project, an intrusion detection tool using an innovative, business-process specification-based approach, that may be effective in increasing the protection of critical infrastructures and, at the same time, is able to solve some of the typical IDS problems, while working at an high semantic abstraction level.
January 29, 2013 16:45-17:05
lima-joao-slides.pdf
MD5: 4e1155ef92678b6da581340e125f49e7
Format: application/pdf
Last Update: June 7th, 2024
Size: 14.45 Mb
- JP
Forensic Investigation & Malware Analysis against Targeted Attack using Free Tools
Hiroshi SuzukiHiroshi Suzuki (IIJ-SECT, JP), Takahiro Haruyama (IIJ-SECT, JP)
We will learn how to examine a disk image of the compromised PC, then analyze malicious document and malware extracted from the image. This hands-on session is outlined as follows:
- Find malicious auto-started programs
- Browse and recover (deleted) files
- Analyze Windows registry hives
- Analyze a malicious Office document
- Analyze swf file and malware
Requirement
Students should bring your own laptop that matches the following requirements.
Hardware
- at least 2GB RAM
- at least 50GB free disk space
Host OS
- Windows XP SP3 or later with administrative accounts
(We will not support other OS such as Mac OS X and Linux, but you can use it on your own.)
- VMware player or VMware workstation(We will not support other VM environments such as VMWare Fusion and VirtualBox, but you can use it on your own.)
- Microsoft Office or OpenOffice to view CSV log files
Guest OS
- Windows XP SP3 or later 32bit with administrative accounts
- OPTIONAL: Microsoft Office 2007 to open a malicious document for dynamic malware analysis
(Attendees without Office 2007 can execute a malware instead of opening the doc)
January 30, 2013 09:30-13:00, January 30, 2013 14:15-17:45
iOS app security for incident handlers
Ken Van Wyk (KRvW Associates, LLC)
What should incident handlers know about iOS security? That depends on the CSIRT's mission, of course, but this class is intended to provide the incident handler with a rapid immersion into iOS app security. We look at iOS platform architectural features that support (or restrict) security, and work through common security weaknesses found in today's iOS apps.
Requirements
For this class, students will NEED to provide their own Apple OS X (either on a Mac or a virtual machine), with Apple's Xcode software development kit installed and operational. For OS X, Mountain Lion is preferred, although anything newer than Snow Leopard should be adequate. For Xcode, the latest version (4.5) is recommended, although anything in the 4.x family should be adequate.
January 31, 2013 09:30-13:00, January 31, 2013 14:15-17:45
- DE
Memory Analysis Update - Volatility v2.2
Andreas Schuster (Deutsche Telekom AG, DE)
The class introduces some of the new analysis features of Volatility versions 2.2 and 2.3. Students will analyze memory images and detect various malware hiding techniques, reconstruct command lines and screen contents, and inspect file system artifacts in memory.
Students should have completed one of the Volatility classes that were presented at TCs and Conferences during past years, or have similar knowledge. An Ubuntu-based training environment with Volatility 2.3(alpha) and real-world RAM images will be provided. Participants are expected to provide their own laptop, with at least 1 GB RAM free for applications, 10 GB free disk space, and the latest version of VMware (either Workstation, Player, or Fusion) installed.
Level: advanced / technical deep-dive. Basic knowledge of memory analysis on Windows and of Volatility required.
January 31, 2013 09:30-13:00
NeIC Security Training
Leif Nixon (European Grid Infrastructure)
On February 6-7, 2013, NeIC (Nordic eInfrastructure Collaboration) and NSC will host a security course for experienced Linux administrators at Nordic HPC sites.
In this class, participants will learn basic incident response and forensic skills in a virtualized environment.
After a couple of introductory lectures on field forensics and incident response, most of the day will be taken up by a tournament where the participants form teams that are given full root access to simulated high-performance computing sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins.
The maximum number of participants will be 18, on a first come, first served basis.
January 30, 2013 09:30-13:00, January 30, 2013 14:15-17:45
Static and Dynamic Analysis of iOS Apps for Vulnerabilities
Ken Van Wyk (KRvW Associates, LLC)
IT Security staff are increasingly being tasked to manage or oversee "BYOD" mobile fleets. While this may seem an impossible task, there are things we can do to make the job a bit easier, starting with reviewing apps that are permitted on employee devises (under centralized management), including BYODs. This talk describes how IT Security staff can analyze iOS apps for security weaknesses, both statically as well as dynamically. It covers several fundamental analysis techniques and tools available to help in the process.
January 29, 2013 15:00-15:45
Team Cymru's CSIRT Assistance Program or "How we're winning back the Internet"
Dave Monnier (Cymru)
In this talk we will share some infection statistics for the global Internet including a few animations showing malicious activity world-wide. In addition, we'll discuss the no-cost program offered by Team Cymru specifically designed to help regional and national CSIRTs tackle infections within their constituency.
January 29, 2013 14:30-15:00
Vulnerability Management, CYBEX Standards and Automation
Joao Collier de Mendonca (Senior Security Advisor at Deutsche Telekom CERT)
In order to reduce exposure, improve efficiency and improve service quality, Deutsche Telekom has newly implemented a threat and vulnerability management system. This system process security advisories and network-layer vulnerabilities address them to the system owners and generate alerts, reports and management-like KPIs. In this session we will discuss the current market maturity stage for tools that are able to process CYBEX standards (CPE, CVRF, etc), give an overview of the project requirements and market evaluation, discuss about the current challenges and pitfalls in this field and provide valuable lessons learned.
January 29, 2013 15:45-16:45
- US
Where automation ends and people begin
Gavin ReidGavin Reid (HUMAN Security, US)
We all want a magic button that fixes our network security problems. Automated tools can improve a weak computer security posture by preventing new infections and disrupting command and control channels. In reality, though, the scope of these tools will always be limited to the most basic of attacks. A strong security posture requires not only automated equipment, but people to program the equipment and to act on its output. Cisco CSIRT has taken a pragmatic approach where automated equipment better serves the purpose of providing intelligence to highly-trained IT staff, rather than attempting to replace the security staff altogether. This talk focuses on the philosophy that Cisco CSIRT uses to protect its own network.
January 29, 2013 09:30-10:00
