Time | Lectures | Meetings
---|---|---
08:00 – 09:00 | Registration and Reception |
09:00 – 09:15 | Introduction – Gorazd Bozic (SI-CERT) |
10:00 – 10:30 | Coffee Break |
10:30 – 11:15 | Andras Iklody (CIRCL, LU) |
11:15 – 12:00 | Automated Incident Handling with IntelMQ – Sebastian Wagner (CERT.AT, AT) |
12:00 – 12:45 | Heiki Pikker (CERT-EE, EE) |
12:45 – 13:45 | Lunch |
13:45 – 14:30 | IoC Feeds: Past, Present and Future – Pawel Pawlinski (CERT.PL – CERT Polska / NASK, PL) |
14:30 – 15:15 | Jakob Dhondt (SWITCH, CH) |
15:15 – 15:30 | Coffee Break |
15:30 – 16:15 | Honeypots-as-a-Service: Working Together to Deploy Honeypot Sensors on a Large Scale – Piotr Kijewski (The Shadowserver Foundation, PL) |
16:15 – 17:00 | Andrea Dufkova (ENISA, GR) |
17:00 – 17:15 | Day One Conference Summary & Instructions for the Social Event | Western Balkans Side Meeting: Capacity Building Initiatives and Issues – Gorazd Bozic (SI-CERT), 17:00 – 18:00
20:00 – 00:00 | |
Time | Hands-on Track 1 | Hands-on Track 2
---|---|---
08:00 – 09:00 | Registration |
09:00 – 10:30 | MISP Training – Andras Iklody (CIRCL, LU); Sami Mokaddem (CIRCL, LU) | hACME – A Social Engineering Workshop – Victor Sant’Anna (Nixu, FI)
10:30 – 11:00 | Coffee Break |
11:00 – 12:30 | MISP Training – Andras Iklody (CIRCL, LU); Sami Mokaddem (CIRCL, LU) | Digital Investigation Process PRAVARA – Lawrence (Larry) Rogers (Software Engineering Institute, US)
12:30 – 13:30 | Lunch |
13:30 – 15:00 | MISP Training – Andras Iklody (CIRCL, LU); Sami Mokaddem (CIRCL, LU) | Digital Investigation Process PRAVARA – Lawrence (Larry) Rogers (Software Engineering Institute, US)
15:00 – 15:30 | Coffee Break |
15:30 – 17:00 | MISP Training – Andras Iklody (CIRCL, LU); Sami Mokaddem (CIRCL, LU) | Digital Investigation Process PRAVARA – Lawrence (Larry) Rogers (Software Engineering Institute, US)
17:00 – 17:30 | Closing Ceremony |
Andras Iklody (CIRCL, LU)
Andras Iklody works at CIRCL, the Luxembourg Computer Security Incident Response Team (CSIRT), as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
November 13, 2019 10:30-11:15
Sebastian Wagner (CERT.AT, AT)
Sebastian Wagner joined CERT.at, the Austrian national CERT, in 2015 as a software developer and security analyst. Since joining CERT.at, Sebastian has been working in the field of automated incident handling and developing and maintaining IntelMQ.
In 2014, several CERTs pooled their resources to start an open source solution for automated incident handling with the goals of simplicity, adaptability and extensibility. The outcome of their efforts is the IntelMQ software, which is now used by a great number of CERTs worldwide. This talk outlines the concepts and architecture of the tool and describes its capabilities, use cases and related tools.
November 13, 2019 11:15-12:00
Heiki Pikker (CERT-EE, EE)
Heiki Pikker is a Senior Information Security Expert at CERT-EE. He has been working with systems and networks for over 20 years and has extensive knowledge of how to build both secure and insecure services. As a Senior Information Security Expert, he specializes in threat hunting on both the network and the client side. If you don't know him yet, you have probably heard of the Cuckoo public sandbox that runs somewhere in Estonia, or of the additional ClamAV signatures he provides or the RBL services he runs. If not, then maybe it’s time to meet Heiki.
Cuckoo is not only a bird but also a sandbox that CERT-EE provides publicly and free of charge. Nowadays malware is spread every day, and different anti-virus vendors offer slightly different protection, so verifying suspicious files is more crucial than ever. Hence CERT-EE offers its Cuckoo sandbox free of charge to everyone who wishes to check suspicious files for malware. You can check Cuckoo out at: https://cuckoo.cert.ee CERT-EE believes that providing free services helps companies and the security community a lot. However, the public Cuckoo sandbox is only the tip of the iceberg compared to what CERT-EE does. This presentation will give some insight into what CERT-EE does and how it operates, as well as shed light on some of CERT-EE's plans.
November 13, 2019 12:00-12:45
Lawrence (Larry) Rogers (Software Engineering Institute, US)
Lawrence (Larry) Rogers is a Senior Member of Technical Staff at the CERT Division of the Software Engineering Institute, a Federally Funded Research and Development Center hosted at Carnegie Mellon University. At CERT, he has worked with U.S. Federal Law Enforcement Agencies on “gap” areas of digital investigations and forensics. He also manages the CERT Linux Forensics Tool Repository, a collection of public-domain software tool packages for Fedora and CentOS/RedHat Enterprise Linux.
Larry was also the principal architect of the Survivability and Information Assurance and several writings on the topic of Home Computer Security. All of his published writings are available here. Larry has been at CERT for over 24 years.
Before working at CERT, Larry worked in the Computer Science department and the Computing Center at Princeton University. He also consulted with companies in the Princeton, NJ area.
Larry holds a Master’s degree in Computer Engineering from Case Western Reserve University and a Bachelor’s degree in Systems Analysis from Miami University.
The Software Engineering Institute will provide training from its Investigating Digital Assets Course, centered on the CERT Division’s digital investigation process PRAVARA (Prepare, Respond, Acquire/Verify, Analyze, Report, Archive). This course walks through the digital investigation process from start to end, addresses the tools and the selection criteria used throughout the process, and covers the procedures required for an effective digital investigation. Additional focus will be given to the response and analysis steps, including the basics of email, network and malware analysis. The presentation will also include a Q&A segment in which attendees are encouraged to ask questions particular to their situations and environments.
Please note that the materials will be electronically distributed on a thumb drive. To follow along with the presentations, it is recommended that attendees bring a laptop or other suitable device.
November 14, 2019 11:00-12:30, November 14, 2019 13:30-15:00, November 14, 2019 15:30-17:00
Jakob Dhondt (SWITCH, CH)
Jakob Dhondt is a security engineer at SWITCH, working on topics that are security related, DNS related or, ideally, both. Besides DNS RPZ, Jakob collects and analyses DNS data from various sources, mainly in order to fight abuse. Before working at SWITCH, Jakob completed a master's degree in computer science at KU Leuven in Belgium, where his main areas of interest were also security related.
SWITCH started its DNS Firewall service in 2014. Since then the service has been revamped multiple times, both on the technical layer and from a service point of view. This presentation gives an overview of our current technical setup, the different components that make up the service, the types of threat data we use, and examples of cooperation between SWITCH and its partners.
November 13, 2019 14:30-15:15
Andrea Dufkova (ENISA, GR)
Andrea Dufkova is an Expert for Computer Security and Incident Response at ENISA. Since 2008 she has worked in the area of CERT relations within the Operational Security unit at ENISA. Before joining the agency she was a member of the military CERT, the emergency response team for the Czech military network.
The European Union Agency for Cybersecurity (ENISA) has been working to make Europe cyber secure since 2004. The Agency works closely with Member States and the private sector to deliver advice and solutions and to improve their capabilities. This support includes inter alia:
November 13, 2019 16:15-17:00
Victor Sant’Anna (Nixu, FI)
Victor Sant’Anna is a Senior Security Consultant currently working on PSIRT coaching and Digital Identity. Victor has worked in the information security industry for the past 19 years in various roles, usually revolving around PSIRT activities, vulnerability management, and Identity and Access Management. Human interactions, and especially social engineering, have always been a subject of interest for him.
This workshop is a social engineering role-playing game designed to raise social engineering awareness; it introduces some of the methods used in social engineering attacks and their prevention. The game can be used by security experts to better support and train their own organizations.
Basic social engineering concepts, methods and techniques will be explained during the game. The players take the roles of attackers and victims, identifying the valuable publicly available social clues that can be exploited while working through social attack scenarios. A lessons-learned section, wrap-up and discussion will follow to ensure the participants absorb the material.
No previous experience needed. No computers will be used during this session. Pen, paper & some imagination required.
November 14, 2019 09:00-10:30
Piotr Kijewski (The Shadowserver Foundation, PL)
Piotr is a member of The Shadowserver Foundation, a non-profit whose mission is to make the Internet a more secure environment. He has a strong CSIRT background, having previously worked in incident response at the national level for 14 years in the CERT Polska (CERT.PL) team. He managed the team for nearly 7 years, up until 2016, building up its various security data gathering and analysis projects and managing its anti-malware operations, including numerous botnet disruptions. Piotr is also a member of The Honeynet Project (where he also served as a Director), a well-known and respected non-profit committed to the development of honeypot technologies and threat analysis.
The talk will cover Shadowserver's experiences with building and maintaining large-scale honeypot sensor networks, including the recently completed Horizon 2020 SISSDEN project (https://sissden.eu). We will highlight recent developments and our vision for a honeypots-as-a-service framework for trusted parties in the national CSIRT, threat intelligence industry and law enforcement communities, with the goal of making honeypot sensors easily deployable and sustainable for network defenders.
November 13, 2019 15:30-16:15
Pawel Pawlinski (CERT Polska / NASK, PL)
Paweł Pawliński is a principal specialist at CERT.PL. His past work includes data analysis, threat tracking and automation. In his current role, Paweł leads a team developing threat monitoring and data sharing systems.
The talk will outline the different sources of technical indicators available to CSIRTs/SOCs and how useful they can be in fighting badness within (your) networks. We will look into the evolution of the IoC "market" and discuss whether evaluating their quality is possible in practice.
November 13, 2019 13:45-14:30
Andras Iklody (CIRCL, LU), Sami Mokaddem (CIRCL, LU)
Andras Iklody is a software developer working for CIRCL and has been the main developer of the MISP core since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool. He oversees development governance in the MISP core project, in particular to ensure that external contributions are in line with the overall objectives of the MISP core functionality.
Sami Mokaddem is a civil engineer who graduated from the Université catholique de Louvain (UCL). He is the lead developer of misp-dashboard, the situational awareness tool used with the MISP threat intelligence platform.
In a continuous effort since 2016, CIRCL regularly gives training sessions about MISP (Malware Information Sharing Platform & Threat Sharing). The purpose is to reach out both to security analysts using MISP as a threat intelligence platform and to users using it as an information-sharing platform. It is an opportunity for users to meet the developers and exchange ideas about potential improvements and use cases for MISP as a threat intelligence platform.
The MISP training will demonstrate how the platform functions, explain how to share, comment on and contribute data, and describe future developments. This part of the training focuses on the analyst perspective together with the management of your own MISP instance, in particular how to connect to other MISP communities.
Prerequisites: As this is a technical workshop, attendees can bring their own laptop to the course.
Who benefits most from this training:
Everyone interested in the concepts, administration, maintenance, usage and API usage of MISP.
Requirements:
More information about MISP: https://www.circl.lu/services/misp-malware-information-sharing-platform/
About the MISP project: https://www.misp-project.org - https://twitter.com/MISPProject
More information on MISP training: https://www.circl.lu/services/misp-training-materials/
November 14, 2019 09:00-10:30, November 14, 2019 11:00-12:30, November 14, 2019 13:30-15:00, November 14, 2019 15:30-17:00
Gorazd Bozic (SI-CERT)
Western Balkans Side Meeting: Capacity Building Initiatives and Issues. The panel includes representatives from DCAF, ENISA, FIRST and CMU SEI.
Moderator: Gorazd Božič, SI-CERT
November 13, 2019 17:00-18:00