Oslo 2016 FIRST TC & Training

Day one (November 22, 2016)

Time | Session | Speaker / notes
---|---|---
09:00 – 10:00 | Registration and morning coffee |
10:00 – 10:10 | Introduction of day one | Margrete Raaum, KraftCERT
10:10 – 10:40 | Security Monitoring at Telenor | Henrik Strøm, head of Telenor CERT
10:40 – 10:50 | Break |
10:50 – 11:20 | Planning your CSIRT Capability | Frode Hommedal, head of IR and analytics at Telenor CERT
11:20 – 11:30 | Break |
11:30 – 12:00 | The Incident Responder and the Half Year APT | Martin Eian, Senior Security Analyst, Mnemonic
12:00 – 13:00 | Lunch |
13:00 – 13:30 | Why we built a stream processing framework | Kjell Tore Fossbakk, security analyst, HelseCERT
13:30 – 13:40 | Break |
13:40 – 14:10 | Increasing Value and Efficiency of Security Analysis | Erik Alexander Løkken, head of MSS at Mnemonic
14:10 – 14:20 | Break |
14:20 – 14:50 | Indexing Enterprise Metadata — Speeding up incident response using Splunk | Pål Sandbeck Mathisen, security consultant at SopraSteria
14:50 – 15:00 | Closing remarks for day one | Margrete Raaum, head of KraftCERT
15:00 – 17:00 | No programming |
17:00 – 19:00 | Dinner | Not sponsored. Precise location in Oslo city center will be disclosed at opening and closing remarks.
19:00 – 00:00 | Continued socializing | Sponsored Happy Hour by ThreatConnect
Day two (November 23, 2016)

Time | Session | Speaker / notes
---|---|---
09:00 – 10:00 | Morning coffee |
10:00 – 10:10 | Introduction of day two | Margrete Raaum, KraftCERT
10:10 – 10:40 | Does a BEAR Leak in the Woods? | Toni Gidwani, head of Research Operations at ThreatConnect
10:40 – 10:50 | Break |
10:50 – 11:20 | | Jarno Niemelä, Lead Researcher at F-Secure; Frode Hommedal, Head of IR and Analytics at Telenor CERT
11:20 – 11:30 | Break |
11:30 – 12:00 | Detect, Correlate, Orchestrate — Intelligent SOC Operations | Georgios Psykakkos, head of First Response at CERT-EU
12:00 – 13:00 | Lunch |
13:00 – 13:30 | Windows OpSec — Where are attackers hiding? (part one) | Jarno Niemelä, Lead Researcher at F-Secure
13:30 – 13:40 | Break |
13:40 – 14:10 | Windows OpSec — Where are attackers hiding? (part two) | Jarno Niemelä, Lead Researcher at F-Secure
14:10 – 14:20 | Break |
14:20 – 14:50 | The Cyber Threat Intelligence Matrix | Frode Hommedal, head of IR and analytics at Telenor CERT
14:50 – 15:00 | Closing remarks for day two | Margrete Raaum, head of KraftCERT
Georgios Psykakkos, head of First Response at CERT-EU
CERT-EU is the Computer Emergency Response Team for the European Institutions, Agencies and Bodies. It has been active since 2011 and continues to expand its operations. In serving its purpose, CERT-EU has cooperated with EU constituents and established common practices for defending against cyber attacks. To support this, CERT-EU has developed an internal Cyber Threat Intelligence (CTI) database that is fed with hundreds of IoCs daily. EU constituents collect logs from their network services and devices, such as proxy and e-mail servers. The logs from these sources are stored locally in Splunk appliances and normalised for later processing. All logged events are processed centrally at CERT-EU using filters derived from the CTI database. The main input categories for Splunk are web traffic, e-mail, security appliances, hosts and antivirus software. The First Response Team monitors the Splunk alert dashboards and is able to assess indications of intrusion remotely.
Georgios Psykakos
Georgios Psykakos joined the European Institutions in 2015 and currently works for CERT-EU, leading its first response group. He started his career in the banking sector as an IT Security Officer. Since 2009, he has provided his country's national authorities with cyber-security expertise in the fields of incident handling, forensic investigation and policy making. He holds an MSc in Computer Security with a specialisation in Intrusion Detection Systems. He is experienced in security intelligence and counter-intelligence and is a devoted researcher of aviation.
November 23, 2016 11:30-12:00
Toni Gidwani, head of Research Operations at ThreatConnect
November 23, 2016 10:10-10:40
Erik Alexander Løkken, head of MSS at Mnemonic
As an MSSP we analyse thousands of events every day. To be able to do this we use a wide variety of methods and technology. In this presentation I will show you why we apply data enrichment as one of those methods and how we do it in our event processing and analysis process.
Erik Alexander Løkken
Erik Alexander Løkken has worked in the field of incident response, forensics and security analysis for the last 15 years. He currently runs the MSSP department at mnemonic and has been actively involved in evolving and developing mnemonic's MSSP services since 2001. He is active in the security community and has presented at multiple security conferences.
November 22, 2016 13:40-14:10
Pål Sandbeck Mathisen, security consultant at SopraSteria
In this talk Pål will describe how he has helped Telenor collect and index interesting enterprise metadata with Splunk to speed up, and in some cases make possible, efficient incident response.
November 22, 2016 14:20-14:50
Frode Hommedal, head of IR and analytics at Telenor CERT
November 22, 2016 10:50-11:20
Henrik Strøm, head of Telenor CERT
November 22, 2016 10:10-10:40
Frode Hommedal, head of IR and analytics at Telenor CERT
When you are responding to severe intrusions, it has been gospel in recent years to observe, learn and plan before you start cleaning up. This is very sound advice, and probably the only way you can successfully evict a determined and mission-driven adversary from your networks. But when is the right time? When do you actually know enough to evict, and more importantly, to resist immediate re-entry? Enter the Cyber Threat Intelligence Matrix.
Frode Hommedal
Frode Hommedal is a senior incident responder and CSIRT leader. He is currently head of incident response and security analytics at Telenor CERT, and part of the team that is establishing the global CERT/SOC capability of Telenor. He previously worked seven years for the Norwegian national CSIRT, NorCERT, and has extensive experience with countering digital espionage. One of Frode's goals is to contribute to the infosec curriculum, hoping it will help more CSIRTs to find, face and fight the ever-growing number of advanced threats.
November 23, 2016 14:20-14:50
Martin Eian, Senior Security Analyst, Mnemonic
During a prolonged incident response contract with a customer, Mnemonic was able to study an APT actor closely over a time span of six months. In this talk you will be given the results of an analysis of over 12,000 commands issued by the attacker, with some surprising insights into adversary operator behavior.
Martin Eian
Dr. Martin Eian works as a Senior Security Analyst in mnemonic's Threat Intelligence group, and he is the Project Manager for the research project "Semi-Automated Cyber Threat Intelligence". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is an Adjunct Associate Professor at the Department of Telematics, NTNU. He is also a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from the Norwegian University of Science and Technology (NTNU).
November 22, 2016 11:30-12:00
Jarno Niemelä, Lead Researcher at F-Secure; Frode Hommedal, Head of IR and Analytics at Telenor CERT
November 23, 2016 10:50-11:20
Kjell Tore Fossbakk, security analyst, HelseCERT
Kjell Tore will tell us why HelseCERT built a stream processing framework for security events. He will share what they have tested and tried, and the experiences they gained, before deciding to create their own stream processing framework instead of using one of the many frameworks out there.
Kjell Tore Fossbakk
Kjell Tore has built and integrated systems for more than 11 years. He used to work for the Norwegian Armed Forces and holds an MSc in information security.
November 22, 2016 13:00-13:30
Jarno Niemelä, Lead Researcher at F-Secure
Windows, like any modern IT environment, is a complex thing, and attackers can hide in a multitude of places. During this talk, Jarno will walk you through several places attackers are hiding, and give you practical examples of how you can detect them. Alternative title: You can exec, but you can't hide!
Jarno Niemelä
Jarno is responsible for automatic malware processing and detection systems at F-Secure. Keen on data science and on analyzing behavioral patterns, he also teaches corporate info security at university. He speaks often at cybersecurity events.
November 23, 2016 13:00-13:30, November 23, 2016 13:40-14:10