Program Overview

Shadowserver has been collecting network threat information on a large scale for many years with a mission to make the Internet a more secure environment for all. The collected data is sent to National CERTs and network owners via the Shadowserver free daily remediation feed and used to support various law enforcement investigations. Data collection on such a scale is a big challenge - the talk will give an overview of how Shadowserver operates, what data it collects, how the information is being shared and how Shadowserver has supported various botnet takedowns.

The cybersecurity platform CERT@VDE is introduced as a coping strategy for the increasing threat situation for SMEs of the automation industry. Technical trends like “Industry 4.0” and the increasing digitalization and internetting of different domains are the main drivers for complete new challenges around cybersecurity the SMEs are involved in.

Therefore the presentation will show the current process of handling vulnerabilities in the industrial automation sector and how the new, neutral and trustworthy CERT@VDE will support the process of coordination and exchange of information in the future.

CERT@VDE is introduced as a non-profit organization that takes care for knowledge transfer across company borders

This talk will look how products has evolved from "boxes" (i.e. physical objects) to "smart boxes" to connected smart boxes to services. Security vulnerability in each category of products can have different impact to the environment the product is deployed. Increased degree of connectivity (coupled with bandwidth) is directly proportional to adverse impact a product can exhibit.

CLOSED TF-CSIRT Meeting – TI accredited and certified teams only and TI Associates. Information for those with access can be found on the Trusted Introducer website.

Do you think open source vulnerability scanners are OK for basic usage but hardly suited for a secure WAN with dozens of VLANs?

In our presentation we describe the architecture of a self-containing multi-node master-slaves appliance designed to scan for vulnerabilities in a highly secure air-gapped network consisting of many subnets located in several geographical locations.

We integrated various open source solutions in these appliances since not just the scanning was required; collection and analysis of its internal logs, monitoring of HW/OS/service metrics, secure offline updating and reporting to operators was required.

EU Cybercrime Centre will share operational cases as well as some interesting cases for potential future collaboration. Cases to include a botnet takedown and a case on ransomware.

Course level: Intermediate-Advanced

Pre-requisites:

• Participants should be familiar with the operational aspects of CSIRTs/SOCs, including incident handling, analysis and mitigation.
• They should also have good understanding how security teams use information (IoCs, advisories) for network defense.

Content of this training is based on a good practice guide for the exchange and processing of actionable information published by ENISA. References: Actionable information for security incident response: https://www.enisa.europa.eu/publications/actionable-information-for-security Standards and tools for exchange and processing of actionable information: https://www.enisa.europa.eu/publications/standards-and-tools-for-exchange-and-processing-of-actionable-information

Abstract: The objective of this course is to show how information from multiple sources can be translated into actions to protect a network or a larger constituency. Participants will learn how to select sources of information and how to process it to obtain actionable conclusions. The role of automation will be explained, with multiple examples of common tools. Finally, the training will cover practical aspects of information exchange. After completing this course, participants will be able to implement better information-handling processes in their organisations, extract more value from the available data and deploy own automated tools to reduce manual work.

Schedule Training will take place from 09:00 -16:50, followed by a train the trainer session 17:00-18:00 at the Galeria 1 room at the Steigenberger Hotel Hamburg.

This talk will focus on how the RIPE NCC approached the GDPR and how it turned into a detailed data classification and compliance project: what data we store, for how long, who owns what data set, who can access it, etc. We did a legal analysis of how the GDPR affects the RIPE Database, and any other RIPE NCC services.

Hak5 Field Kit include tools like, WiFi Pineapple, Bash Bunny, USB Rubber Ducky and LAN Turtle. CIRCL review the capabilities of this tools and evaluate if there are use cases within CERT/CSIRT activities. One of many outcomes are room 42 exercises which could also be used to train CERT/CSIRT staff.

Course level: Intermediate

The Training will cover:

• Why IPv6 is an extensive security topic
• Overview of the differences to IPv4 - relating to security
• Deep dive into selected protocol details and their accompanied attacks (incl. demonstrations)
• Mitigation Recommendations
• Strategic Recommendations
• Good IPv6 Security Resources and Tools

Schedule Training will take place from 09:00 -12:00 at the Kohlbrand room at the Steigenberger Hotel Hamburg.

Limited to 5 minutes only to present one idea, thought or issue that you think the audience should hear. It may be a quick team update, introduction of a new team, or anything you would like to share but do not need a full slot for. Please contact sigita.jurkynaite@geant.org with the title of your proposed lightening talk.

In partnership with the U.S. Department of State, the International Cybersecurity Initiatives team at CERT/CC has been engaged in developing and implementing cybersecurity capacity building activities. While most activities to date have been in East Asian and Sub-Saharan African countries, we are also initiating activities in Eastern European countries. We would like to provide an overview to the TF-CSIRT event attendees of these activities with a focus on our National CSIRT Development Mentoring Framework designed specifically for capacity building efforts. This framework is a high-level introduction to the process for identifying and developing a mentoring and training plan for National CSIRTs that receive assistance from CERT/CC and the United States Government. The framework describes a standard set of activities to be performed but also provides room for adjustment or customization based on the National CSIRT, its stakeholders, or special circumstances. The framework was developed to also be used by third parties or partners.

The National CSIRT Development Mentoring Framework was architected as four linear phases, (which we will discuss in more detail in the presentation): · Information Discovery · Analysis and Categorization · Mentoring Plan Development · Implementation and Evaluation In addition to examples of how we have used this framework in several countries, we will discuss the importance of information sharing and becoming an active participant in the global community of national CSIRTs and organizations such as FIRST. We will also discuss being successful in these activities even with limited resources.

Course level: Beginners-Advanced

Pre-requisites:

• Personal computers.

Abstract:

Increasing availability of open source and on line data urged a more intense and focused investment in open source collection and analysis. Open Source Intelligence (OSINT) analysis and monitoring of data from open sources, can help organizations anticipate, prepare for and understand events. OSINT is recognized as an empowering methodology that exploits and combines the capabilities of human intelligence with the machine intelligence of search engines and other computer tools. Today open source intelligence methods are not an exclusive government domain and are increasingly employed by businesses, non-governmental organizations, journalists, and alike.

During this course participants will be introduced to the concept of OSINT and SOCMINT (Social Media Intelligence) and will be presented various tools and methods for targeted information gathering and analysis on-line. We will focus on: -Automated information collection from different websites and social media platforms; -Use of search engines for research purposes (string operators, search tools and strategies); -Use and management of monitoring tools; -Information collection from social media platforms; -Personal data Protection and privacy.

Learning outcomes. After this course participants will be able to: -Identify information sources that are relevant to your organization; -Fast and accurate information collection from extensive number of information sources; -Conduct internet research in a safer environment and protect privacy online; -Reduce risks of information disclosure.

Schedule Training will take place from 09:00 -18:00 at the Suderelbe room at the Steigenberger Hotel Hamburg.

In this talk we want to speak about the latest improvements we made on our main IDS system, which we built in 2010 and has been completely rebuilt in 2017. In the first build we used Snort with PF_RING and were able to analyse a mid sized network, but since 2010 we have faced many challenges as more and more devices get connected to the network and more bandwidth is consumed, and forced us to update our IDS systems to keep up with the network growth.

The new build is based on a Cluster of Suricata machines and has allowed us to reach the 10Gb barrier with commodity hardware, as well as improving our detection capacities and giving us more information to investigate with. We also have added load balancing features and a new big data analytics environment that allows us to get the most of the information provided by Suricata and to facilitate the work of our analysts.

ENISA has set up a Task force with the goal of driving the CSIRT community towards agreeing on a common reference taxonomy for incidents. In this presentation we will provide an overview of the task force and its goals, as well as its current status and proposed way forward.

In 2013, the Centre for High Performance Computing (CHPC) sent their first team to the Student Cluster Competition. Inspired by the stellar performance of the CHPC team, the SANReN CSIRT decided to start working towards giving Information Security students in South Africa a similar opportunity.

The goals of the challenge was to stimulate interest in information security within the South African student body and give these students a platform to showcase their skills. Cracking passwords, reverse engineering partial RSA keys, and extracting and decrypting content from fragmented network traffic gave the students a preliminary taste of what was to come in the final.

In this talk, the SANReN CSIRT team will share the experience of organising a cyber security challenge aimed at providing students with the skills to compete at an international event.

There are almost as many tools for scanning vulnerabilities as there are vulnerabilities. Some tools excel at feature X but are not that great at feature Y. Not to despair, there is another tool that does feature Y really well! And another one for feature Z. And do not forget the tool for feature Q.

For the vulnerability assessment we’ll just run a selection of vulnerability scanners and then combine the data. That will give great results! We just need to analyse 13000 results reported for the 400 hosts. Three weeks later. Finally done! On to the next institution with a /16 network…

Reporting on vulnerabilities is an arduous task, the report is generally aimed at system administrators and owners, and management. Very rarely will a report be actioned by a seasoned information security specialist, someone that understands ROPs, RFCs, ACLs, and Buffer Overflows. The main goal of reporting on vulnerabilities is to enable system owners, and to inform management.

ScanMan was designed not only to aggregate the results from a variety of vulnerability and security scanning tools, but also to capture the means and methods required to remediate the vulnerabilities of a system. By capturing the knowledge of information security specialists, this knowledge can be presented to people tasked with dealing with the issues at hand. In this talk, the development of ScanMan is presented as a journey of transforming data into knowledge that can be studied or actioned by all those interested.

The University of St Andrews recently formalised its IT Security function, one of the things they wanted to increase was the scanning and penetration testing of the systems it ran in house. The first attempt at this lead to two conclusions; there were a lot of systems and this would have a dramatic affect on the cost of scanning.

The next stage was to look at a different method of scanning and penetration testing, which balances both risk and cost. Traditionally, scanning has covered 2 areas, Vulnerability Scanning and Penetration testing. This presentation outlines 3 testing types;

1. Infrastructure Scanning
2. Vulnerability Scanning
3. Penetration Testing

The cost (in times of time, analysis and financial) of each scan increases from 1 to 3. Which scan is required, is decided based on the system and the information it contains (a matrix is presented on how this decision is made).

This presentation will outline the steps we took to increase the level of scanning and the impact that had on costs. It will then give an overview of the new solution and a summary of how it is working.

The EU's General Data Protection Regulation comes into force in May 2018 with a very broad geographical scope, an extensive definition of of personal data and severe penalties in case of non-compliance. The session will explain how this legislation impacts what you collect and manage in your SIEM and how you can make sure to comply with the legislation without hampering your SOC operations.

SESSION DETAIL The session will start by presenting the general principles of the EU's General Data Protection Regulation. What's its geographical scope, what is the definition of personal data and who is accountable? It will detail in practical terms what this means for the information a SOC/CERT usually collects and processes in log files.

The presentation will continue by explaining the legal provisions underpinning the lawfulness of processing in the interest of network information security and its limitations. It will provide practical guidance to limit legal and financial exposure by protecting the personal data with additional security measures like pseudonimisation/encryption. Finally, the presentation will highlight how state of the art monitoring and detection solutions can support the operational implementation of GDPR compliance, the early detection of personal data breaches and the limitation of compliance exposure as well as the documentation of the breach response to facilitate the interaction with the data protection supervisors and potential litigation procedures.

Train the trainer sessions will only be offered for the Fusion and Forensics course from 17:500-18:00.