Program Overview

• Caching DNS as a tool for sanitizing access to the Internet

  Paul Bernal, CSIRT CEDIA, EC

  Implementing Cache DNS servers is a very common practice on networks of all sizes. Here in CEDIA, we've implemented a pair of caching DNS with the aim of offering a reliable caching resolving service to our 50+ members, most of them Universities, but including academic research Institutes and some high-schools. This resolving traffic belongs mostly to web navigation, but can originate in almost any service requirement; and needed to be sanitized in order to prevent clients in our members networks, to reach dangerous destinations. Even though this is currently done through some well-known services/appliances, in our experience those lacks of some issues like: DNSSEC not supported, many destinations used in academic research were detected as bad ones and poor resilience when some massive traffic (like ours: near 4M requests + responses per hour) was send. Not mentioning that our solution is very inexpensive and easy to implement, except for the fact that requires some level of technical knowledge for deploying it. From early 2017 on we've being adding block-lists for some types of threats, currently 8 list feeds (but constantly exploring more options), including one of our own, which we're interested in publish/share. This allowed us, for example, to reduce botnets (among other unwanted) traffic. We have started to develop some sort of techniques for detecting destination sites, containing illegal crypto currency mining-scripts, and use this results for reporting such cases to our members in case the destination site is theirs and also to responsible webmasters for cleaning purposes. Finally, we're collecting all this data into a logger service, so we can analyze traffic in real time, in addition to a post processing capabilities and stats extraction/generation.

  May 2, 2018 14:00-14:40

• FIRST: Where will we go next?

  Maarten Van Horenbeeck, FIRST Board of Directors

  The talk will cover recent initiatives by FIRST, and some of the new work we're doing in the policy community.

  May 2, 2018 09:10-09:50

• Horus - The benefits of an Early Warning System in the Brazilian academic network

  Yuri Alexandro

  The Horus system is a tool for monitoring malicious activity and detecting security events and incidents through the correlation and analysis of data provided by sensors from traditional networks and other sources such as social networks(Facebook,Twitter), forums, IRC and virtual network registries. This tool is also used to monitor the use of institutional names in forums and social networks, alerting possible malicious activities. As a contribution to RNP and its clients, this tool has aided in information security processes, especially security incident detection and response. It is also important to highlight the scientific contribution of this work, which is the evaluation of new sensors and the provision of empirical evidence of the use of information retrieval techniques to support new architectures of EWS (Early Warning Systems).

  May 2, 2018 16:30-17:10

• How Computer Incident Response teams use Cyber Threat Intelligence (CTI) to ensure they keep up with the miscreants

  Gavin Reid – Recorded Future, Jeff Bollinger - US CSIRT/SOC Cisco, US

  In this talk Gavin Reid (Chief Security Architect for Recorded Future) and Jeff Bollinger (Head of US CSIRT/SOC for Cisco Systems) will talk about how CTI enhances the work the CSIRT/SOC does, what makes good threat intelligence, and give practical examples attendees can take home and use with their teams. CTI can help up your investigative game no matter where on the security maturity scale your organization falls. Jeff and Gavin will show you how that is achieved and what you can do to make better use of CTI.

  May 2, 2018 11:30-12:15

• Lessons From Defending The Indefensible

  Guilherme Alencar, CLOUDFARE, US

  For the last years, we've been working hard to optimize Cloudflare's infrastructure and software to survive different types of attacks. In this talk, we'll share our experiences in defending HTTP/S and DNS services, on which this talk will focus, but our techniques are applicable to the usual variety of DDoS'es like Chargen, SSDP, memcache protocol, NTP or DNS reflection. We'll also touch on details such as: phishing that we have seem, hidden malicious software and best practices that have learned along the way.

  May 2, 2018 15:20-16:00

• National CSIRT incident response challenges: automation, orchestration and information sharing

  Javier Berciano – INCIBE, ES

  Nowadays we are processing more than 10 million events per day with SIEM tools and NoSQL databases. Data comes from third parties and internal tools developed for detection and analysis, like spamtraps, honeypots, web analyzers to detect malware or a tool to detect and track fastflux domains. In this presentation we will share technologies in use and self-developed tools for incident handling automation that includes data collection, contact management, incident taxonomy and reporting. We would like to share our approach with the FIRST community in Latin America so another teams can benefit from our experiences, the advantages, disadvantages and lessons learned during last 10 years.

  May 2, 2018 14:40-15:20

• Security Implications of IPv4 Exhaustion and IPv6 Early Deployment

  Carlos Martínez, LACNIC, UY

  The goal of this presentation is to introduce the audience to the security challenges related to IPv4 exhaustion a security officer will face over the next few years regardless whether him or her chooses to deploy IPv6. We will also discuss the main security aspects those working on early deployments of IPv6 should be aware of and how to address them.

  May 2, 2018 09:50-10:20

• SecurityBot: Orchestration and Automation for the real world

  Andre Borges – Banco Fibra, BR

  The presentation aims to show a Security Operations Center automation use case. How bots and data analysis could be used to improve the Security Operation. The idea is to show an orchestration and automation architecture and how the security incident response processes can be automated and more efficient with the use of robots. Also, I am going to show how data analysis can be used for metrics monitoring and decision making.

  May 2, 2018 12:15-13:00

• Spamhaus Labs Botnet Threat Report – IoT & Fraud driving global C&C growth

  Simon Forster and Luciano Minuchin - mxtools

  In 2017, the number of botnet "C&C" listings tracked by the Spamhaus Project increased by a massive 32% - driven by cybercriminals purchasing hosted servers for the sole purpose of hosting a botnet controller. Spamhaus will share their most recent observations of these trends and projected abuse patterns expected during 2018, including registrar & registry compromise in both gTLD and ccTLD domains. Spamhaus researchers will present various tools and data sources that are available for FIRST members to help reduce new types of abuse, as well as data sharing projects in which FIRST members can collaborate via data sharing.

  May 2, 2018 10:20-11:00

• TRAINING: FIRST CSIRT Basic Course

  Maarten Van Horenbeeck

  The goal of the basic course is to give an introduction into the operation of a CSIRT. It consists of the following six modules:

  1. CSIRT Fundamentals
  2. Starting with a CSIRT
  3. CSIRT Operation
  4. Working with Information Sources
  5. Incident Coordination
  6. CSIRT Performance Measurement

  May 1, 2018 09:00-11:00, May 1, 2018 16:30-17:30, May 1, 2018 11:30-13:00, May 1, 2018 14:00-16:00