Program Overview

This summit will consist of working sessions on a number of vulnerability information systems topics. The primary goal of the summit is to develop a global vision to improve multiple aspects of the vulnerability response lifecycle.

Please note the Summit requires separate registration from the TC. Please see details on the Summit event page: 2^nd Global Vulnerability Reporting Summit Program

Venkat is founder of FlexibleIR, a company focused on innovative ways to handle Incident Response. He brings 20 years of experience in building tools and products with leading companies like Sun Microsystems, Intel, Novell, HP, Yahoo,Tesco and startups in cab aggregation and food delivery. He has developed test suites and frameworks for post silicon validation of the Xeon processor family (Fuzzing). He has worked deeply on UFS files system at SUN Microsystem with focus on ON-DISK analysis of unmounted file systems. Was a security paranoid at Yahoo.

For the last year have deeply researched into literatures and surveys on making improvements in the field of Incident Response. Focus has been to keep process simple and promote deep thinking while handling IR. (LinkedIn: https://www.linkedin.com/in/venkat-ramshet-bb09075/)

Mr. Gupta is currently an independent security research specialist. He brings over 20 years of experience in cyber security with leading companies Mercedes Benz R&D and GMR Infra which handles India's major airports. He is a proud member of many closed security groups and communities. He has handled several critical Incidents. (LinkedIn: https://www.linkedin.com/in/guptabs/)

Description: We have come up with a new methodology for handling Incidents. The system is based on a MINIMALISTIC design approach keeping interfaces simple. It is based on our personal experiences,observations,literature study,surveys and talking to Responders. The system is highly effective for preparation,training and practicing mockup IR drills. We will demonstrate on how we can solve a real time incident using system. The emphasis will also be on the collaboration and thinking that has been done during the IR.

The system consists of smart integration of Runbooks, Kanban boards and Chat applications configured rightly to handle distributed attacks.

The focus is on the new processes, tools and information sharing:

1. Configured Runbooks for each case shown over a KANBAN board.
2. Applying NIST recommended phases of incidence handling.
3. Analysts having the flexibility to select different approaches with the runbooks.
4. Guidelines on creating,auditing,managing and versioning of the Runbooks.
5. Advanced tracing on the boards to get the transcript of what happened and how handlers went about resolving the incident.
6. Creation of virtual team and chatrooms for stakeholder communication.
7. We also present how the system can be setup using open source - MIT licensed software.

• Intended Audience: Open to any incident handler, manager
• Tags: Incident response process, collaboration, Flexible Runbooks, Kanban Boards, Chat systems. Advanced Tracing on Kanban Boards.

You Nakatsuru - Senior Security Researcher in Counter Threat Unit at Secureworks and well-known malware analyst in Japan

Ryo Mishina - Senior Manager in Security & Risk Consulting at Secureworks.

Have you ever evaluated the effectiveness of your organization's incident management capability as well as current security posture?

Cyber threats are emerging and evolving everyday. It's being critical for organization to mature their incident management capability and make sure security operation is functioning throughout people / process / technology layer. Secureworks® Red Team testing provides "Real World" Cyber Threat simulation and evaluates full spectrum of the organization's security posture including physical security which is completely different from penetration testing.

This presentation includes case study from our Red Team testing engagement and observation of effective protection and common challenges.

• Targeted level of technical detail: Moderate
• Intended Audience: Those who are working in Information Security, Security Management, CSIRT, Security Operation related, etc.

Jānis Džeriņš has been interested in computers since early school years. Since then he has been learning all things computer-related, and working professionally as a programmer. The endless pressure to deliver features at the cost of quality and security has lead him to reevaluate his priorities and join the CERT.LV team at the end of summer of 2016. He assures everybody this has nothing to do with midlife crisis.

It is a well-known fact in InfoSec community that paste sites are used to anonymously share information that can be (and is) used for illegal and/or unethical activities on the internet (unauthorized access, hacking, DOXing). Static strings and regular expressions are quite commonly used for information leak detection. The objective of this paper is to highlight deficiencies of using patterns as the sole method of information leak detection and propose complementary techniques to increase the usefulness of these systems.

In the paper we look at the different kinds of information published on the paste sites, what computer security related content can be detected and extracted from pastes using patterns. We then look at the classes of information leaks that cannot be processed using patterns, claim that information leak monitoring systems as they are currently implemented are severely lacking and show what additional techniques can be employed to dramatically increase their usefulness.

• Targeted level of technical detail: The paper is not very technical, but familiarity with regular expressions and data encoding methods (e.g., Base64) is required.
• Intended Audience: People that would benefit from the paper most are the ones interested in, or working with information leaks, as well as system architects designing and implementing monitoring and data analysis tools.

Mr. Millar has been a member of US-CERT for 10 years, serving as its Chief of Communications for most of that time. In that role, he has worked to strengthen US-CERT information sharing capabilities, increased the level of public, private and international partner engagement, and supported initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar has a Master of Science in Engineering Management from the George Washington University.

Embedded systems and IoT vulnerabilities are manifesting themselves as a significant threat to our everyday lives. Not only do we see the classes of "obvious" vulnerabilities reappearing that were mostly eradicated from traditional enterprise software during the last decade, but those vulnerabilities are being exploited in ways that traditional PC and server systems couldn't be, causing lasting harm and threats to physical safety. Fixing these issues one-by-one in each affected product is not a scalable solution; we need a strategic approach that can be practically achieved world-wide.

This presentation will explore the classes of systemic weaknesses seen in IoT, the potentially catastrophic impacts of those flaws, some of the reasons for why they are so difficult to address, and finally, pros and cons of some approaches to potentially solving or mitigating the risks. Technical detail will be limited to explanations of selected weaknesses and attack patterns and the content is intended for all audience types.

Adli Wahid is a Senior Internet Security Specialist at APNIC. He has been involved in the CSIRT community for more than 10 years. His previous role includes leading Malaysia CERT (MyCERT) and working for a CERT in the financial sector. Adli is also serving board member of FIRST.Org

In the last 3 years, APNIC have had active engagements with CERTs/CSIRTs in the Asia Pacific region. Most of these engagements have capacity development elements in addition to active collaboration with partners.

This presentation will highlight some of our observations and experience in our work. Emphasis will be given on the expectations of stakeholders on the role of the new CERTs/CSIRTs, different types of capacity development activities and also lessons learned from some of these engagements. Specific examples in different countries will be shared with the audience.

• Targeted level of technical detail: This presentation do not contain technical contents. However it will help the CSIRT community to understand the reality of setting up new CERTs/CSIRTs today in developing economies and how best to assist them so that they can serve their constituencies' expectations.

Megat Muazzam is Head of the Malaysia Cyber Emergency Response Team or in short, MyCERT – a department within CyberSecurity Malaysia. He is responsible in Cyber999 Incident Handling and Emergency Response daily operation, which primarily focuses on incident alert or threat issue, related to Malaysia constituency and the Malware Research Centre. He has various experiences in IT security field such as network security, penetration testing, web security, malware research and honeypot technology. He is recognized for his capability of conducting numerous training and talks for various organizations local and international on topics ranging from introduction to advanced security courses.

He holds a Degree in Computer Science from University Putra Malaysia (UPM) and has wide experience in IT Security for more than 10 years. Actively involves in Cyber Early Warning System project, focusing in the areas of perimeter defense, detection and intrusion analysis.

Norlinda Jaafar is Senior analyst of Malaysia Cyber Emergency Response Team (MYCERT), Cybersecurity Malaysia where responsible in Cyber999 operation in Incident Response related activities.

Experience working within a structured change management environment and formal ticketing systems. Knowledge of Incident response documentation, process and procedures. Performing proactive CERT services including identification of security risks and threats, performing risk assessment and impact analysis as well as identifying proactive security measures and controls for security risks. Good understanding of common vulnerabilities associated with networks, operating systems and applications. Knowledge of Network / Application traffic monitoring and performance analysis. She received a Degree in Information Technology, University of Tun Razak (UNITAR) also actively engaged with various local organizations by giving talks in educating people on security and privacy.

The presentation will cover in general Malaysia cyber security threats landscape and our observation. Will share case study and highlight MyCERT/CyberSecurity Malaysia initiatives and activities to address the cyber security threats/problems to support our constituency. Plus, will also promote FIRST 2018 Annual Conference that will be held at Kuala Lumpur in June 2018.

Bernhards Blumbergs is a team member of the Information Technology Security Incident Response Institution of the Republic of Latvia (CERT.LV) and was a Researcher at NATO Cooperative Cyber Defence Centre of Excellence, Technology branch. He is a certified exploit researcher and advanced penetration tester (GXPN), and Industrial Cyber Security Professional (GICSP). He has a strong military background, targeted at developing, administering and securing wide area information systems. B.Blumbergs is also a Cyber Security PhD student at Tallinn University of Technology, with his research focusing on novel methods for Red Teaming operations and system exploitation research.

Rapid expansion of interconnected devices over TCP/IP-based networks, leading to IoT, has breached the air-gap barrier of industrial control systems, exposing critical elements to the whole world. This, in most cases, is not known, not understood, or underestimated by critical infrastructure owners and operators. Such topic has an increasing urgency in the current age of cyber-warfare and -espionage.

IEC-60870-5-104 protocol is an international standard commonly used in European electrical industry for the transmission of SCADA telemetry and control data over TCP/IP-based networks.

Despite recent introduction of IEC TS 60870-5-7 security extensions, which add additional message integrity calculations, they are seldom implemented by vendors and enabled by engineers, thus still permitting persistent actors to execute targeted incapacitating attacks against critical infrastructure.

Technical paper addresses new critical vulnerabilities in industrial network gateways supporting IEC-104 protocol and focuses on a practical distributed power grid security test case scenario resulting in full compromise and control of target ICS/SCADA system. The step-by-step approach is discussed and explained in detail:

1. IEC-104 protocol reverse engineering to understand the structure of control messages,
2. communication process assessment to comprehend the communication channel establishment and message exchange procedures,
3. multiple vulnerability identification allowing unsanctioned control message injection,
4. attack tool implementation in Python 3, and
5. description of threat scenario and execution of a successful attack.

• Intended Audience: This paper is intended for penetration testers, incident responders, security officers, critical infrastructure operators and ICS/SCADA engineers with solid background in computer networking, understanding principles of network protocol structure and fundamentals of ICS/SCADA network operations.

To discover lateral movements and malware infection in your networks, you need to have abilities of digital forensics and incident response(DFIR) techniques. We will provide various artifacts applied targeted attack techniques.

We cover listed topics below.

1. Over View
2. Building Environment
3. Live Forensics
   • Autoruns online analysis
   • Examining process tree with Process Explorer/Hacker
   • Finding malicious modules and injected code with Process Explorer/Hacker
   • Analyzing strings in process memory
     Tools: Autoruns, Process Explorer, Process Hacker
4. Event Log Analysis
   • PowerShell events
   • Task scheduler events
   • Remote logon events
   • Mimikatz related events
   • Psexec related events
   • DNS time out events
     Tools: Event log explorer
5. File System Timeline Analysis
   Tools: analyzeMFT, NTFS-log-tracker
6. Memory Forensics
   • Examining Processes and Connections
   • Finding Malicious Code Injection
   • Acquiring Malware Configurations
     Tools: Volatility Framework

Prerequisites:
Students must have:

• a working understanding of Windows OS (file system, registry and command-line)
• basic knowledge of Active Directory and Windows security architectures
• a working understanding of VMware/VirtualBox (importing VMs, handling snapshots, modifying configurations)

Requirements:
Students must bring:

• Hardware:
  • 2.0+ GHz, multi-core CPU
  • 4+ GB of RAM
  • 30+ GB of disk space (We recommend SSD)
  • At least one USB 3.0 port (not USB type-C) and you must have a physical access permission for the USB port
  • A wireless network interface card
• Software:
  • HOST OS: Windows OS (7+) / macOS (10.12+) as a HOST OS with administrator rights
  • Guest OS: Windows OS (7+)
  • This is very IMPORTANT!!! You must bring a Windows 7+ VM to execute in-the- wild malware.
  • VMware Workstation (12+) / Fusion (8+) or VirtualBox (5.1+)
  • Full access rights for USB devices

Andras Iklody is a software developer working for CIRCL and has been the main developer of the MISP Core Platform since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.

Designing a successful standard for threat intel sharing is a daunting task, with a host of possible pitfalls. This talk aims to describe the journey, challenges and mistakes the MISP Project made while designing the MISP standard as we know it today. There are several paths that can lead to a well defined standard: early and prolonged requirement gathering versus starting small with rapid iterations, democratic and centralised driving forces, inclusive and exclusive ideologies. Our weapon of choice was an implementation driven, rapid iterative and real-world usage centric approach using the PMF methodology, which allowed us to experiment and fail often but also be aware of our failures before they became unrevokable disasters.

The talk gives a candid view into the journey the MISP standard has taken over the past 6 years and will cover a quick introduction into what MISP is, how it came to be, along with the various issues that have emerged during the design of the standard and the software.

One of the main goals is to convey how we tried to turn our various failures and shortcomings into a tool to improve, as well as our lessons learned on how to drive a standardisation process.

• Targeted level of technical detail: There are no requirements in terms of technical level, however, and interest in threat information sharing is a plus. Involvement in standardisation processes will probably make a lot of the discussed issues more relatable.

I have been involved in several public-private partnership projects in cybersecurity fields, such as Cyber Clean Center which was anti-botnet countermeasures project, with ICT-ISAC as a project manager. Addition to Cyber Clean Center, I worked for RDB project which focused in Drive-by Download, and PRACTICE project, in which we challenged early detection of cyber-attack. Currently I leads IoT security WG at ICT-ISAC, which is consist of ISP operators, security engineers and researchers.

ICT-ISAC is working with a research project on IoT security supported by Ministry of Internal Affairs and Communications. The research project is mainly composed of two parts, research on vulnerable critical IoT devices and research on wide-area scan of IoT devices. Our effort is to clarify the actual state of vulnerable IoT devices and background the vulnerability exists, and to establish countermeasures framework. In this presentation, I explain the results obtained from research project and countermeasures ideas discussed in ICT-ISAC.

Saâd Kadhi leads a large CERT at a reputable French financial institution. TheHive and Cortex are his brainchildren. He has been working in information security for twenty years. A decade ago, he was exposed to DFIR and what we call threat intelligence nowadays and developed a passion for these fields. He co-organizes Botconf, the botnet fighting conference and frequently writes infosec articles. He has also been a speaker at several events throughout the world.

The goal of the tutorial is to familiarize participants with Incident Response and Cyber Threat Intelligence using TheHive, a Security Incident Response Platform, Cortex, a powerful observable analysis engine and MISP, a popular threat sharing platform. All software is free and open source.

Agenda: what is Incident Response and Cyber Threat Intelligence in 2018, overview of the software stack, installation and configuration, an IR case study, the CTI-IR cycle case study.

• Intended audience: security/SOC analysts, CSIRT/CERT team members

• Prerequisites:

  • It is important that you are able to connect with SSH to the VMs.
  • This assumes that you know how to configure the Guest VM to have an IP visible on the Host.

• Requirements: Students must bring:

  • Laptop and an up to date browser that is not only iexplore.exe
  • If you want to get a head start you can always fetch the "The Hive" VM: https://github.com/TheHive-Project/TheHiveDocs/blob/master/training-material.md

• Hardware requirements:
  1.4+ GHz, singlecore
  4+ GB of RAM
  15 GB of disk space
  Blank USB Stick, just in case
  Internet connectivity on-site
  Bottom line, you need to at least be able to decently run a VM with an Apache/PHP/Python3 running.

• Software requirements:
  Host OS:
  Win/*NIX as a HOST OS with administrator rights
  Virtualization environments:
  VMware Workstation (recent) / Fusion (recent) or VirtualBox (recent)
  Full access rights for USB devices and Network interfaces.

Krassimir Tzvetanov is a security engineer at Fastly, a high performance CDN designed to accelerate content delivery as well as serve as a shield against DDoS attacks. His current focus is on incident response and security systems architecture. In the past he worked for hardware vendors like Cisco and A10 focusing on threat research, working on a red team, incident response, DDoS mitigation features, product security and best security software development practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc. where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo! Krassimir worked at Google, Inc. as an SRE for two missing critical systems, the ads database supporting all incoming revenue from ads and the global authentication system which served all of the company applications.

Before retiring, he was a department lead for DefCon, and an organizer of the premier BayArea security event BayThreat. In the past he was also an organizer of DC650 - a local BayArea security meetup. Krassimir holds Bachelors in Electrical Engineering (Communications) and Masters in Digital Forensics and Investigations.

This workshop will cover the targeting of blue teams and investigators and what they need to be aware of. It will go through techniques that can be used against the investigator to fingerprint and target them, as well as exploit them.

The exploitation can be either direct attack against their computer or supporting infrastructure, their person or their investigation, which includes steering the investigation in the wrong direction as well as figuring out what the investigator is working on.

More specifically the workshop will cover different browser and infrastructure fingerprinting techniques, browser hooking, email security and tracking.

On the other hand it will also cover how to counter those techniques but different technical means and the creation of personas.

• Requirements: Students must bring: VMWare Player or VBox. (*Note the latter does not perform as well.)

Augustus TANG, graduated from the Nanyang Technological University of Singapore with a Computer Engineering Bachelor's Degree in 2008. He joined the Singapore Police Force straight after graduation and is currently holding the rank of Assistant Superintendent as a Senior Investigation Officer in the Technology Crime Investigation Branch of the Criminal Investigation Department, focusing on Cybercrime Investigations. He was seconded to INTERPOL Global Complex of Innovation (IGCI in Singapore since August 2017, with a tenure of two years. He is currently the INTERPOL Digital Crime Officer, responsible for strategy and outreach, and digital investigation support of transnational cybercrime investigation.

This presentation shows an overview of INTERPOL's Global Cybercrime Strategy, allowing the general audience to understand INTERPOL's work towards combating cybercrime, no technical knowledge is required.

You'll learn about 1) the organistational structure of INTERPOL/INTERPOL Global Complex for Innovation/Cybercrime Directorate; 2) INTERPOL's global cybercrime strategy; and 3) cyber surge operations.

Dr.Yoneda has been working at Mitsubishi Electric Corporation for 23 years. He is the manager of information security department of R&D center. He has involved in developing encryption/authentication system, cyber attack detection system and information security guideline and in setting up CSIRT/PSIRT. He is also a security expert of RRI(Robot Revolution Initiative) and involved in German-Japan collaboration project aiming to develop security guidelines for Industry4.0.

In the age of Industry 4.0, smart factories are connected through internet. So they need countermeasures against sophisticated cyber attacks via internet or malicious devices brought in them.

We first design future mas-customized service using the example of personalized Japanese lunch box delivery service and identify the future factory system.

Then, we identify "production command replace attack" which leads to serious product recalls. We propose a new attack detection technology using a digital twin model of factories.

We also introduce how German and Japan are collaborating to develop security guideline for Industry 4.0 using procedures we used for developing the cyber attack detection technology.

Mikko Hypponen is a worldwide authority on computer security. He has written on his research for the New York Times, Wired and Scientific American and lectured at the universities of Oxford, Stanford and Cambridge. He's also the Curator for the Malware Museum at the Internet Archive and an advisor to EUROPOL.

A keynote presentation on where we are coming from, where we are today and where we are going in the world of computing and security.

Steve Clement is a security engineer working for CIRCL and has been on-staff since 2008. Experienced in the security of Unix systems like Open and FreeBSD his passions turn around sharing this knowledge to the hungry and foolish. Further on Steve is a strong advocate for Free and Open Source Soft-/Hard-ware in an open world with less intellectual boundaries.

Andras Iklody is a software developer working for CIRCL and has been the main developer of the MISP Core Platform since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.

Topic and objectives: The MISP training will demonstrate how the platform functions; explain how to share, comment and contribute data, and describe the future developments. This part of the training focuses on the analyst aspect along with the management of your own MISP instance especially how to connect to other MISP communities.

• Outline of the content:

  • Introduction into information sharing
  • Usage
  • Administration
  • Integration
  • MISP-modules
  • Taxonomies
  • Galaxies
  • API / PyMISP
  • Guidance for developers

• Intended Audience: Generally, anyone interested in threat information sharing, both those new to MISP and active users. An understanding of the basics of cyber threat information sharing is a plus, but the basics will be covered too. The morning sessions are aimed at users of MISP whilst the afternoon sessions more for integrators, developers, contributors to common knowledge bases.

• Prerequisites:

  • It is important that you are able to connect with SSH to the VMs.
  • This assumes that you know how to configure the Guest VM to have an IP visible on the Host.

• Requirements: Students must bring:

  • Laptop with either VirtualBox or VMware for the MISP Virtual Instance.
  • Ideally you already downloaded and setup a test instance from here: http://www.misp-project.org/download/

• Hardware requirements:
  1.4+ GHz, singlecore
  4+ GB of RAM
  15 GB of disk space
  Blank USB Stick, just in case
  Internet connectivity on-site
  Bottom line, you need to at least be able to decently run a VM with an Apache/PHP/Python3 running.

• Software requirements:
  Host OS:
  Win/*NIX as a HOST OS with administrator rights
  Virtualization environments:
  VMware Workstation (recent) / Fusion (recent) or VirtualBox (recent)
  Full access rights for USB devices and Network interfaces.

Przemek Jaroszewski is the head of CERT Polska (part of NASK - Research and Academic Computer Network in Poland). He has been with NASK since the beginning of his career, starting from technical support and incident response. He started his education as a programmer at Warsaw University of Technology, to eventually get his master's degree in Social Psychology from University of Social Sciences and Humanities in Warsaw. Przemek was involved in a number of projects on data exchange and collaboration of incident response teams. He was also a co-author and teacher of trainings for incident responders, including ENISA CERT Exercises and TRANSITS.

Anna Rywczynska - Polish Safer Internet Centre Coordinator and the head of the Training and Social Projects Team at NASK. She has wide experience in working on international projects and has been a speaker and organizer of a range of conferences on safety in telecommunication.

In recent years she has worked as an expert in working groups at ENISA dealing with WEB 2.0 security and online threat awareness raising. Since 2003 she has been one of the organizers of SECURE conference – the oldest cyclical ICT security conference in Poland. Since 2007 she has been a vice chair of the international conference “Keeping Children and Young People Safe Online”. She graduated from the Warsaw University, Institute of Journalism, with specialization in media economics, as well as the Institute of Archaeology, Department of Historical Anthropology – Andean Archaeological Mission.

The presentation will cover a project sponsored by NASK, during which authors have researched social and technical aspects of smart connected toys. We checked how much parents knew about smart devices in general and toys in particular. Do they understand potential risks posed to their children? How much can they learn before and after a purchase?

What data are collected and processed? We tested three different toys available on US market in 2017 for several security aspects such as encryption of data transmission and storage, firmware updates etc. The project’s deliverable will be a guide for parents (due in February 2018) to help them better understand smart toys and make educated decisions with consideration for their children’s privacy and security online. The talk is suitable for both technical and non-technical audiences

Damir "Gaus" Rajnovic is actively involved in computer security arena since 1993 both on incident response and coordination side and in product security. He currently work for Panasonic and is Board Director and CFO of Forum of Incident and Security Teams (FIRST). Damir was invited lecturer for MSc Information Technology Security course at Westminster University in the period 2007-2009. He is subject matter expert for several ISO and ITU international standards.

This presentation will provide information about upcoming ISO/SEA 21434 "Ground vehicles – Cybersecurity engineering" standard. The focus will be on processes related to patching vehicles and, to less extent, handling security vulnerabilities in vehicles.

While patching vehicles follows the same general principle like any other IT device the biggest differences are in two main areas: customer expectations and regulations.

Customers still approach the car as if it is a mechanical device that rarely, if ever, needs to be updated and lasts forever. The reality is that vehicle will need regular patching and that computing components (software and hardware) have finite lifetime and their support may cease at any time during the vehicle lifetime.

Regulations put various legal requirements on car manufacturers – mainly safety but also right to repair (among others) – which are usually not present in the rest of the IT industry.

The talk will present the current thinking of the ISO/SAE experts but also present open questions to which the experts has not reached consensus. The talk will not necessarily focus on specific technical aspects (e.g. how exactly over-the-air update works or other techniques) but will cover things on a higher level (e.g. process).

Steve Clement is a security engineer working for CIRCL and has been on-staff since 2008. Experienced in the security of Unix systems like Open and FreeBSD his passions turn around sharing this knowledge to the hungry and foolish. Further on Steve is a strong advocate for Free and Open Source Soft-/Hard-ware in an open world with less intellectual boundaries.

• Topic and objectives: The tutorial will be based around using the Python MISP module (pyMISP). Specifically using the MISP API in a pythonic way. More generally the talk is a motivation for the participants that always wanted to automate certain things, but never really got around doing it.

• Outline of the content:

  • Introduction into pyMISP and its core
  • Show various ways to easily extract data from MISP
  • Further process data and send it to other independent MISP instance
  • Pull in external sources and automate co-relation
  • A few visualization examples
  • Present viper and how it can fit into the set up
  • Let participants come up with their use cases

• Intended audience: Generally anyone interested in threat information sharing, both those new to MISP and active users. An understanding of the basics of cyber threat information sharing is a plus. A good practical understanding of programming languages is needed. No Python-guru status needed, some experience will help a little. Everything will be Python 3.x only.

Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, CEO and cofounder of Farsight Security, Inc. He was inducted into the Internet Hall of Fame in 2014 for his work related to DNS. Dr. Vixie began his career as a programmer (Cron, RTTY, BIND), before becoming an author (Sendmail: Theory and Practice, Open Sources, RFC 1876, 1996, 2010, 2052, 2136, 2671, 2845), and then a serial entrepreneur (ISC, MAPS, PAIX, MIBH, DNS-OARC, Farsight). He was a member of the ARIN Board from 2004-2013. He completed his Ph.D. in 2010 at Keio University.

Humanity has been building and programming general purpose computers for about six decades now, with spectacular results, mostly good. As we contemplate the Internet of Things in light of our collective experience, there are some disturbing conclusions to be drawn. Can we as a species safely place our economy and culture into a global distributed network of computers, if those computers are programmed by humans using commodity programming languages and tools? Dr. Paul Vixie is personally responsible for more CERT vulnerability notifications than any other living programmer, and he'll share his thoughts on the likely results of Software as Usual as applied to 21st century society.

Jacomo joined Team Cymru in 2012 as part of the Outreach Team and have previously worked at the Brazilian Research and Academic Network. Jacomo is known globally due to his active involvement in FIRST (Forum for Incident Response and Security Teams) and for his work at several Security Communities.

Recent research done by Team Cymru, Internet of Things (IoT) Botnets Distribution Research with Focus on Reaper Botnet based on data collected by Team Cymru.

Fernando Díaz is a malware analyst and software engineer. Currently he is a B.Sc. student in Health Engineering at the University of Malaga and he is working in Koodous as a Security Engineer. Daily work focuses on automated Malware Configuration extractions, distributed analysis environments (Multiplatform sandboxing), and developing software for the Koodous platform. His research includes analysis of new Malware families, Android and IoT malware.

Everyday, security vulnerabilities in IoT devices are being exploited with malicious intent, although most of them could be simply prevented by cost-effective solutions. As within the next few years, billions of IoT devices will densely populate our cities, understanding correctly their security issues and deploy effective countermeasures is essential.

The talk will provide an in-depth overview of the infection process, covering the role of exploits and brute force password attacks, and common patterns used by malicious actors to take the control over thousands of IoT devices, analysing some of the most recent botnets, such as Okiru, Reaper and TrumpBot.

Although term IoT includes thousands of different devices, today's most targeted are the most capable and powerful, such as routers and IP cameras. We will illustrate how dynamic code loading can be used to extend the original functionalities of a device, and easily create distributed attack leveraging each compromised bot: an example of a real module deployed for DDoS attack will be studied.

Finally, we will talk about the critical role of security updates in the IoT world, especially for those products at the end of their lifecycle, and how malware detection techniques inherited from the personal computer world can be effectively applied to stop security threats before their diffusion.

Despite the talk will have a technical connotation, including code snippets and network traffic analysis, the speech will focus on the current security issues related to the IoT world, and the way in which rogue actors exploit vulnerable devices to their malicious aims. The intended audience includes security researchers, auditors, industry professionals, and any enthusiast interested in practical aspects of IoT network and system security.

Mr. Park Moonbeom is a deputy general researcher in TTPA(Trusted Third Party Agency) of Korea, has 10 years of experience in hacking analysis, digital forensic, research on hacking and forensic for IoT device, profiling hacking source. He is one of experts among government and private sector in fields of forensic, hacking analysis, hacker profiling, counter-attack on hackers. Also he has participated in various international security conference such as TROOPERS, Hack In The Box, HITCON, Ekoparty, AVTokyo, VXCON.

Mr. Choi Yongseon is not only a researcher in hacking and security academy called ｡ｮBest of the Best(a.k.a BoB)｡ｯ, but also leader of vulnerability researching group in South Korea. These days, he researching exploit technique and forensic technique for home electric appliances.

Nowadays Internet of Things(IoT) technology is prevalent along with Machine Learning and Big Data. It is a technology that connects computerized objects through a network like internet and communicates information with each other. From the smart factory to make efficient manufacturing process, to the electric heater that has remotely controllable function, IoT technology applied almost every home appliances and industrial machinery.

But as many computerized objects emerged and connected to the internet, incidents and cyber terrors utilizing IoT devices have been rapidly grown. And when it comes to investigating the incidents and collecting cyber evidences, There are differences between the IoT forensic and usual digital forensic as much as the system environment differences between the IoT devices and PCs and Servers. Also Limitation that never be seen in the digital forensic exists.

In this talk, We cover how to hack or exploit to IoT devices(Home electric appliances) and the IoT forensic including collecting the evidences in the IoT devices that damaged or utilized for cyber terror, extracting artifacts(i.e., log files) from the IoT devices infected by malware through the IoT forensic, and analyzing the attacker｡ｯs invasion pathway remaining integrity of the evidence files extracted from the IoT devices.

And we will introduce not only 0-day vulnerabilities with exploits and useful tools developed by ourselves for the IoT forensic but also discuss the limitation of the IoT forensic. We have researched and exploited to one of home electric appliances(robot cleaner) made by a global electronic company (Probably you know which company it is).

Tim, working at TrendMicro as a threat researcher now, has more than 8 years cyber security experiences. He focuses on APT research and IoT research now, including hardware and software reversing and hacking, malware campaign finding and penetration test. He is also a speaker CloudSec and other security conference.

Dove is working at Trend Micro as a threat researcher now, has more than 7 years security experiences in incident response and live forensics. He do some IoT research in last 2 year, including hardware hacking and firmware reversing. He is also a speaker in some conferences, including HITCON and CloudSec.

Kenney is a security researcher at Trend Micro, he joined the company 3 years ago, he focuses on IoT vulnerabilities and malware researching.

At the beginning, we want to know how secure of top-ranking homekits around us. The result is that we find more than 10 vulnerabilities on different kind of devices. And accidentally, we met our new "roommates" and found some dark secrets.

This session provides an overview of hacking IoT device methodologies, we will introduce both hardware and software techniques, including how to extract firmware via different methods, from the easiest network sniffer to the hardest flash dump, and finally get the root permission remotely. We prepare to expose several latest vulnerabilities in our demo. We also describe some interesting findings which lead us to uncover the IoT malware and the threat actor behind.