Publications (2010)

13 Things to Consider Before DNSSEC
John Kristoff (Team Cymru)
The domain name system (DNS), a key component upon which much of the Internet communications relies, has undergone intense scrunity and analysis the past few years. DNSSEC, a suite of extensions that helps address some potential problems, has been gaining steam and is set to see a significant increase in deployment beginning this year. Yet, there are at least 13 things that organizations who rely on DNS, which is to say everyone, should consider with or without DNSSEC, but ideally before embarking on their own DNSSEC roll-out.

In this session, we will highlight 13 of the most important questions an organization should be asking about their own usage of DNS. While DNSSEC is an important technology, none of the answers require DNSSEC as the answer. The answers include all the types of things a proper DNS implementation should have even before DNSSEC. How well do you fare?

The 13 topic areas include:
- Authoritative name server RRset size
- Geographic and network diversity DNS servers
- Parent and child delegation consistency
- Open Resolvers
- Answer spoofing protection
- Domain name registration protection
- Co-mingled services on DNS servers
- DNS server administrative processes
- DNS server physical resource limitations
- TCP and DNS
- Monitoring and auditing
- Time synchronization
- IETF RFC 2870
kristoff-slides.pdf
MD5: 29827f760d2e87671c5d8e32d6b5a6a9
Format: application/pdf
Last Update: June 7th, 2024
Size: 873.94 Kb
A Day in the Life of a Web Application
Kenneth Van Wyk (KRvW Associates, LLC)
Today's web-based software applications have grown substantially in importance over those of just a few years ago. As a result, the impact of security failures has increased commensurately, often with potentially large-scale financial impact to the enterprise. Yet, security failures occur in often times spectacular ways.

A common failing occurs in how enterprise software interacts with security infrastructures, from enterprise event logging through intrusion detection and prevention systems. These security facilities frequently go untouched by application developers, leaving security staff to seek bolt-on solutions to application-layer security issues.

In this session, a common web application user interface component known as a servlet is examined and enhanced, to build a web app example that is not only secure against attack, but able to stand up to the rigors of a modern enterprise computing environment. Starting from a simple, highly vulnerable servlet is examined and discussed as a case study, with particular attention paid to some of today's most prevalent web-based attacks like SQL injection and cross-site scripting. First, security features are added to the servlet to provide defense against these most common attacks (e.g., OWASP Top-10 2010). Next, enterprise event logging is added, with the use cases of the CSIRT in mind specifically. Finally, the servlet is enhanced to provide the ability to take evasive actions when attacks are detected, based on policies set by the CSIRT and/or CISO staff.

By highlighting these building blocks in source code case studies, we clearly illustrate the urgent need for close collaboration among the CSIRT, software development, and business staff
vanwyk-slides.pdf
MD5: adb21b83affdafcf8b25c86ece9f8f2d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1008.85 Kb
DE
Ad hoc File System Forensics
Andreas Schuster (Deutsche Telekom AG, DE)

Andreas Schuster is a Senior Computer Forensic Examiner with the security department of Deutsche Telekom AG since December 2003. Previously he led a commercial computer incident response team and had worked in the Internet business for about seven years. Andreas has authored and contributed to several memory analysis tools. For his research he was awarded the DFRWS 2006 best paper award and the German IT-Security Award 2008.

In order to analyze file systems, incident responders and computer forensic examiners commonly rely on a couple of well-known tools, like EnCase, X-Ways Forensic, and FTK. But what do you do if your tools fail to parse a file system correctly? This course will instruct attendees how to get an examination started even under those circumstances and how to improvise their own tools. Sample disk images for this course were obtained from live systems that could be found in an arbitrary office environment.
schuster-slides.pdf
MD5: 64aa2f98e52e6edd5036bfb7df7d00a1
Format: application/pdf
Last Update: June 7th, 2024
Size: 718.96 Kb
After the Acquisition: A Software Security Assurance Perspective
Bruce Lowenthal (Oracle Corp. )
Over the past five years, Oracle Corporation has been acquiring companies at a rate of about one company per month. After nearly all acquisitions, Oracle has found that product security processes and procedures needed to be upgraded for the acquired products. Oracle has also found that recently acquired products get a higher level of attention from hackers and security researchers immediately after the acquisition due to the Oracle branding. As a result, Oracle now quickly institutes product security policy and procedure upgrades for newly acquired organizations soon after change of control.

This presentation covers the security process and procedure changes that Oracle institutes after new organizations are acquired. These include development, testing and changes in the handling of reported vulnerabilities. In addition, this presentation will address a most important, yet often overlooked issue: the changing of an organization’s attitude regarding secure coding, testing and vulnerability handling.

While the focus of this talk is process and policy changes made as a result of acquisition, the content of this talk should be relevant to all organizations that do software development and are considering upgrading their security assurance policies and procedures. This would include financial, retail and governmental organizations, among others, whose developed software is accessed by large internal groups or by Internet constituents.
lowenthal-slides.pdf
MD5: 4c7dd98979c7deb921f303fd11ff55a2
Format: application/pdf
Last Update: June 7th, 2024
Size: 209.06 Kb
Analysis on How CSIRTs are Organized in Japanese Large Companies
Toshio Nawa (CDI-CIRT)
Computer Security Incident Response Teams (CSIRTs) can be set up within organizations in a variety of ways depending on their constituencies and the nature of services that the teams provide. Yet according to the classic textbook approach, it is preferable to set up CSIRTs directly below the management level in the organization and endow the teams with the authority they need to carry out their responsibilities. Indeed, this arrangement may be the optimum solution for many American companies. However, the way Japanese companies are organized and governed, particularly Japanese large corporations, are very different from the U.S., so setting up CSIRTs in the classic textbook manner is not only very difficult but may not even be appropriate. In light of these cross-cultural differences, a number of Japanese large firms have established and are now operating CSIRTs that are tailored to their own unique organizational and governance requirements, and performance results for these teams are now starting to become available. This paper describes (1) results of the survey about some successful implementations of CSIRTs in Japanese large firms, (2) analyses on reasons why these implementations have succeeded, and (3) suggestions about how CSIRTs can be set up to meet the unique organizational requirements of Japanese large firms. The organizational principles uncovered here are not just confined to Japanese big companies, but are expected to be useful in setting up CSIRTs in other countries where companies are organized similarly to those in Japan.
nawa-slides.pdf
MD5: bcbabda43a9e61b3d597f8b6abf931f4
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.17 Mb
BlackEnergy 2 Revealed
Joe Stewart (SecureWorks)
BlackEnergy is a popular DDoS trojan written by "Cr4sh", a member of the Russian hacking group "Hell Knights". Recently a major new version of the trojan in extremely limited circulation was identified in the wild by the presenter of this talk. This new rewrite of the trojan expands BlackEnergy's capabilities from a simple DDoS trojan to a stealthy modular platform for DDoS, spam and banking fraud
stewart-slides.pdf
MD5: 9f3e260ab69a27933f58405bef49f5ca
Format: application/pdf
Last Update: June 7th, 2024
Size: 390.21 Kb
AT
Building a CSIRT in an ITIL Driven Organization
Christian Proschinger (Raiffeisen Informatik, GmbH, AT)
2010 Symposium - Hamburg
Hamburg, DE
January 26, 2010 10:45-11:15
Hosted by DFN-CERT
proschinger-christian-slides.pdf
MD5: 8e7c4ccf87f2496b3ba3b23514ce23cc
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.01 Mb
Building a Fortune 5 CIRT Under Fire
Richard Bejtlich (General Electric)
n 2007, the CISO of General Electric decided to invest in a dedicated program to detect and respond to intrusions, as a centralized, formal function within GE. Since then, GE has built a Computer Incident Response Team (CIRT) by hiring analysts, deploying dozens of sensors across the planet, aggregating billions of log records, and institutionalizing its detection and response processes. At the same time, GE has continued to face the sorts of information security challenges found in many global organizations. In this presentation, GE's Director of Incident Response (Richard Bejtlich) will describe his experience building and leading GE-CIRT. Richard will describe how lessons learned at a Fortune 5 company can apply to any organization, from the smallest start-up to the largest multinational. Richard will pay special attention to the role of Defensible Enterprise Architecture, Network Security Monitoring, team building and operations, preparing and applying for FIRST membership, and justifying resources through metrics and communication with leadership.
bejtlich-slides.pdf
MD5: 7915a80f9ab9a0ed906843f8730cfc39
Format: application/pdf
Last Update: June 7th, 2024
Size: 284.64 Kb
Case study in the use of System Whitelisting
David Billeter (InterContinental Hotels Group)

David Billeter is the Vice President and is the global lead of Information Security for InterContinental Hotels, with over 4000 hotels around the world and a new hotel opening every day. A pioneer of digital signatures, Mr. Billeter was recognized by the Governor of the State of Utah in 1997 for his efforts to promote PKI technology.

Companies have been working for years to implement anti-virus across thier enterprise and working toward regular updates of signature files. However, recent attacks have shown the deficiencies in this approach. Whitelisting, which effectively takes a "snapshot" of a clean system and prevents any activities that are not authorized. However, whitelisting across a complex environment is daunting. This presentation will present a case study of whitelisting by reviewing the steps being undertaken by InterContinental Hotels to implement this technology globally.
billeter-slides.pdf
MD5: e5392be9cf6cbf6c222e39fa85127da1
Format: application/pdf
Last Update: June 7th, 2024
Size: 116.57 Kb
FI
CERT-EE and CERT-FI: AbuseHelper framework for community-wide, automated abuse handling.
Anto Veldre (CERT-EE), Juhani Eronen (FI)

Juhani Eronen is an Information Security Analyst at CERT-FI, where his responsibilities include vulnerability co-ordination, automation of the handling of security incidents and information assurance. Formerly, he worked for OUSPG researching protocol vulnerabilities and dependencies of the critical information infrastructure, among other things. He is a postgraduate student at the Oulu University Secure Programming Group, OUSPG.

With a total of 7 generations of automated abuse handling, CERT-EE and CERT-FI are now looking into bringing the tools and workflows for community-wide use. We call for multilateral collaboration, by sharing the lessons-learned and offering a starting point. With public/private collaboration we have bootstrapped an open framework, which we have experimented on together. In this framework we have documented the available feeds of information, use cases, processes, workflows, architectures, terminology, and the context of abuse fighting. We have identified different interest groups and how we could provide them with process building blocks and supporting software, such as the AbuseHelper toolkit. We believe that we are now ready to demonstrate effective trusted sharing in action. In this presentation we explain the lessons learned and how the current generation manages them. Together with you we will also take a step towards the future, considering how the integration of abuse data with network monitoring and audit findings could serve to provide much-needed information for the management of infrastructure risks.

(This presentation can be linked to 'CERT-FI Autoreporter and the automated abuse handling concept')
eronen-veldre-slides.pdf
MD5: ed118dbcf28cc34933a45bd23df9e3e1
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.18 Mb
Challenges for Digital Forensic Acquisition on Virtualization and Cloud Computing Platforms
Christopher Day (Terremark Worldwide)

Christopher Day joined Terremark Worldwide, Inc. in December 2005 as Senior Vice President, Secure Information Services. He is responsible for global information security services provided to Terremark customers. Prior to Terremark, Mr. Day was Vice President for SteelCloud, a publicly traded network security product and services firm headquartered in Herndon, Virginia. Mr. Day was responsible for directing SteelCloud’s investments in advanced technology as well as leading the design and development of SteelCloud’s proprietary security systems. He also led the information security professional services group.
Christopher Day joined Terremark Worldwide, Inc. in December 2005 as Senior Vice President, Secure Information Services. He is responsible for global information security services provided to Terremark customers. Prior to Terremark, Mr. Day was Vice President for SteelCloud, a publicly traded network security product and services firm headquartered in Herndon, Virginia. Mr. Day was responsible for directing SteelCloud’s investments in advanced technology as well as leading the design and development of SteelCloud’s proprietary security systems. He also led the information security professional services group.With over fourteen years in the security industry and working with Fortune 1000 companies and financial services firms in the United States, Latin America, Europe, the Middle East, Asia and Africa, Mr. Day has led numerous consulting projects in the areas of security audit, vulnerability assessment, computer forensics, and secure systems design. Christopher has also been involved as an expert in various security incidents dealing with system intrusions, theft of intellectual property, harassment, and fraud.
Christopher Day joined Terremark Worldwide, Inc. in December 2005 as Senior Vice President, Secure Information Services. He is responsible for global information security services provided to Terremark customers. Prior to Terremark, Mr. Day was Vice President for SteelCloud, a publicly traded network security product and services firm headquartered in Herndon, Virginia. Mr. Day was responsible for directing SteelCloud’s investments in advanced technology as well as leading the design and development of SteelCloud’s proprietary security systems. He also led the information security professional services group.With over fourteen years in the security industry and working with Fortune 1000 companies and financial services firms in the United States, Latin America, Europe, the Middle East, Asia and Africa, Mr. Day has led numerous consulting projects in the areas of security audit, vulnerability assessment, computer forensics, and secure systems design. Christopher has also been involved as an expert in various security incidents dealing with system intrusions, theft of intellectual property, harassment, and fraud.Mr. Day regularly lectures on computer forensics, incident response, intrusion detection/prevention, and wireless technology security. Christopher is a contributing author for the books "Going Mobile: Building the Real-Time Enterprise with Mobile Applications that Work" and "Computer And Information Security Handbook". Mr. Day has been awarded two patents in the in the areas of Intrusion Detection (#7017186) and Wireless Network Security (#7020476), respectively, and has two others pending.

Given the complexity of modern Communication and Information Systems (CIS) and the speed at which cyber attacks can progress, the need for automated Cyber Defence processes is clear. Such automation ranges from correlating data from different sources, so as to provide more meaningful information to computer security incident response team (CSIRT) analysts, to taking immediate defensive action in a network without human intervention. To provide the intended results, automated processes require standardized and accurate data. This Cyber Defence data can be broken down in two categories: the operational data that describes the organisation’s CIS being protected, and reference data that describes common knowledge not specific to that organisation, such as lists of vulnerabilities and software products. The presentation outlintes a solution for improving the management of Cyber Defence reference data to adequately support automated Cyber Defence processes. As well, it describes the kind of reference data supported, it lists the high-level requirements that need to be met, and it provides an overview of a potential architecture.
day-slides.pdf
MD5: c1da5cf0be2b4f48937827c43ce260e4
Format: application/pdf
Last Update: June 7th, 2024
Size: 762.46 Kb
Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools
Michael La Pilla (NetCentrics)
CIRT organizations are expected to handle any type of incident thoroughly but quickly. In a past life as a pure researcher I made many assumptions about what could and couldn't be done in a CIRT. This talk is about how I integrated everything I learned in my previous world into a CIRT environment. Targeted attack discovery and response will be high on the discussion list. Specifically this talk will focus on standing up tools to automate high volumes of incidents and to discover unknown intrusions. During the talk I will include discussions of many tools, both open source and custom made that can be replicated for use in other CIRTs. I will maintain the talks focus on no-cost tools and techniques that can be implemented by anyone, anywhere in the world, without any budget.
lapilla-slides.pdf
MD5: 25e47b6a05d4a710be956750e75a9892
Format: application/pdf
Last Update: June 7th, 2024
Size: 126.03 Kb
Cloudifornication - Indiscriminate Information Intercourse Involving Internet Infrastructure
Christofer Hoff (Cisco)

Chris Hoff has over 19 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management with a passion for virtualization and all things Cloud. Hoff is currently Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems. Prior to Cisco, he was Unisys Corporation's Systems & Technology Division's Chief Security Architect. Additionally, he served as Crossbeam Systems' chief security strategist; was the Chief Information Security Officer for a $25 billion financial services company; and was founder/Chief Technology Officer of a national security consultancy.

What was in is now out.

This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity of how our data centers are being re-perimiterized and quite literally turned inside out thanks to cloud computing and virtualization.

One of the really scary things that is happening with the massive convergence of virtualization and cloud computing is its effect on security models and the information they are designed to protect. Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services - and by whom and using whose infrastructure - yields significant concerns related to security, privacy, compliance, and survivability.

Further, the "stacked turtle" problem becomes incredibly scary as the notion of nested clouds becomes reality: cloud SaaS providers depending on cloud IaaS providers which rely on cloud network providers. It's a house of, well, turtles.

We will show multiple cascading levels of failure associated with relying on cloud-on-cloud infrastructure and services, including exposing flawed assumptions and untested theories as they relate to security, privacy, and confidentiality in the cloud, with some unique attack vectors.
hoff-slides.pdf
MD5: 7341284cbcd047994e4910c39a35a701
Format: application/pdf
Last Update: June 7th, 2024
Size: 13.99 Mb
Cooperation and self-regulation of Polish ISPs in combating online crime
Przemek Jaroszewski (NASK)

Przemek Jaroszewski - member of CERT Polska since 2001. Since 2007 he is leading the core incident response team within CERT Polska. His main interests in IT security area are dealing with UCE, keeping up with current trends and statistics as well as being an evangelist for safe online behaviour. As a programmer, he develops and integrates tools supporting the team's work. Przemek is an active member of international CERT forums. In 2008 he was elected a member of the Trusted Introducer Review Board, reviewing work done within the accreditaion model for European CERTs. Since 2005 he actively promotes cooperation of Polish ISPs in the area of incident response in the ABUSE-FORUM initiative.

Over the past few years botnets and malware controllers have evolved into very sophisticated environments. Using bulletproof hosting, fast flux and other techniques they have become more and more sustainable. Going after infected machines is like playing a whack-a-mole game and the fact that malware is hiding deep in the system and staying below users' radars does not help at all. At the same time e-crime has become a serious and organized business. Threats like DDoS and phishing are common, result in huge losses, and their mitigation requires prompt actions - something that law enforcement is not very good at. Do we have to lose this fight? Not if the ISPs start to act. Limiting users' access to harmful parts of the net can effectively cut communication between drones and controllers. It can also help to combat phishing and drive-by-downloads. The presentation will discuss self-regulations of ISPs in Poland, joint cooperation based on trust, technologies involving BGP and DNS blackholing, legal challenges, and the role of lawmakers and law enforcement.
jaroszewski-slides.pdf
MD5: b37895280a7043bb1f112e212810ff4c
Format: application/pdf
Last Update: June 7th, 2024
Size: 362.3 Kb
US
Critical Functions: A Functions Based Approach to IT Sector Risk Assessment
Jerry Cochran (Microsoft Corporation), Scott Algeier (Information Technology - Information Sharing and Analysis Center , US)

Jerry Cochran, is a Principal Security Strategist with Microsoft’s Trustworthy Computing group where he leads the Global Security Strategy Team and is focused on corporate strategic initiatives, critical infrastructure protection, and cyber security R&D projects. He works in these areas representing Microsoft internationally and with key U.S. government agencies such as the Department of Defense, Department of Homeland Security, and the Intelligence community. Jerry also represents Microsoft on various projects and committees with industry and government. Jerry currently represents Microsoft in IT Sector Coordinating Council activities where he has been a key contributor in the development of the IT Sector risk management approach. Jerry also is the Microsoft board member and Treasurer for the Information Technology-Information Sharing and Analysis Center (IT-ISAC).
Jerry Cochran, is a Principal Security Strategist with Microsoft’s Trustworthy Computing group where he leads the Global Security Strategy Team and is focused on corporate strategic initiatives, critical infrastructure protection, and cyber security R&D projects. He works in these areas representing Microsoft internationally and with key U.S. government agencies such as the Department of Defense, Department of Homeland Security, and the Intelligence community. Jerry also represents Microsoft on various projects and committees with industry and government. Jerry currently represents Microsoft in IT Sector Coordinating Council activities where he has been a key contributor in the development of the IT Sector risk management approach. Jerry also is the Microsoft board member and Treasurer for the Information Technology-Information Sharing and Analysis Center (IT-ISAC).Jerry has spent over 26 years as a reservist with the U.S. Air Force and Air National Guard where he holds the rank of Chief Master Sergeant (E9). Over his military career he has held various positions in electronics systems maintenance, computer systems operations and squadron leadership. For the last 10 years he has been assigned as the Chief Enlisted Advisor to the 262nd Network Warfare Squadron that is part of the U.S. 24th Air Force and the Air National Guard.

Scott Algeier is a recognized homeland security thought leader, is the Executive Director of the Information Technology- Information Sharing and Analysis Center (IT-ISAC)and owner of homeland security consulting company Conrad, Inc. As the IT-ISAC Executive Directr, Scott is responsible for the daily management of the IT-ISAC, formulating policies and procedures to coordinate security and incident response activities between industry and government, and ensuring members receive value from their membership. He is the IT-ISAC’s principle spokesperson, representing the organization to the public, federal agencies and Congress. Scott also serves as the Industry Chair of the Risk Assessment Committee, comprised of industry and government subject matter experts, that developed the Baseline IT Sector Risk Assessment.

Each day corporations and government agencies defend against countless attacks each day. But how do we identify threats that are larger than individual networks and to the infrastructure as a whole? This dynamic panel, comprised of those who developed the IT Sector Baseline Risk Assessment, will present on the findings of the IT Sector Baseline Risk Assessment, which assessed risk to six “Critical Functions” maintained by the IT Sector. The panel will describe the unique "functions based" methodology, detail how the results of the assessment are being used to develop protective programs, prioritize R&D, and produce outcome based metrics, and how the Risk Assessment can add value to individual corporations and agencies.
algeier-cochran-slides.pdf
MD5: f6383a001e47cc66234077af6c6705cc
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.53 Mb
Cyber[Crime|War] - Drawing the hidden links
Iftach Amit (Security & Innovation)

With more than 10 years of experience in the information security industry, Iftach Ian Amit brings a mixture of software development, OS, network and Web security expertise as a Managing Partner of the top-tier security consulting and research firm Security & Innovation. Prior to Security & Innovation, Ian was the Director of Security Research for the Content Security Business Unit at Aladdin Knowledge Systems, where he created the AIRC (Attack Intelligence Research Center). Prior to joining Aladdin, Amit was Director of Security Research at a global Internet security company, leading its security research while positioning it as a leader in the Web security market. Amit has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, developing new techniques for attack interception, and director at Datavantage responsible for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application and UNIX worldwide. Amit holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzlya.

CyberWar has been a controversial topic in the past few years. Some say the the mere term is an error. CyberCrime on the other hand has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organizaed crime's best sources of income. In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organization when carrying out attacks on the opposition. We will discuss the connections between standard warfare (kinetic) and how modern campaigns use cybersecurity to its advantage and as an integral part of it.
amit-slides.pdf
MD5: ab6fc537decea42359b6f5f17bb07eb0
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.82 Mb
US
Cyber Supply Chain Assurance: Incident Response in the global IT supply chain
Hart Rossman (SAIC, US)
Hart Rossman is VP/CTO for Cyber Security Solutions at SAIC. He is a Senior Research Fellow with the Supply Chain Management Center at the University of Maryland, IANS faculty, FIRST team rep, and an advisor to the Corporate Executive Programme. He is on the Editorial Board and co-author of “Insecure IT” column for IEEE "IT Professional" magazine, and co-authored NIST SP 800-64rev2. He has earned a CISSP, CSSLP, received his MBA from the University of Maryland, R.H. Smith School of Business.

Our paper,“Building A Cyber Supply Chain Assurance Reference Model”, marked the culmination of a seven-month research project which sought to fuse together the fields of cybersecurity and supply chain risk management by applying proven supply chain practices to this evolving cyber domain. This presentation will take a cross-functional risk perspective of Cyber Supply Chain Assurance referencing cutting edge models, tools, and practices extending the initial findings in this paper. The audience will learn through case study and example threat vectors, details of known incidents, and best practices for creating resilient cyber supply chains. Of particular focus will be the role of the incident response and security teams as actors in the cyber supply chain. We will explore tools and tactics that might be used including technical and contractual means to influence response capability throughout the cyber supply chain. The cyber supply chain encompass the information and communications technology components, products, services, and integrated systems created and transported by global supply chain.

This presentation is the result of a collaboration between SAIC and the Supply Chain Management Center (SCMS) of the Robert H. Smith School of Business, University of Maryland (UMD) at College Park. Our research assessed the dynamics, risks, and management challenges and opportunities of the cyber supply chain in its role as a critical public system/private infrastructure.

Among the research team's key findings are:
- A fully integrated cyber supply chain requires the coordination of what researchers describe as "defense in depth," the process of securing/hardening core systems and their constituent parts during the build and deploy phases of the lifecycle; and "defense in breadth," the process of securing the global web of actors who use and maintain a system including customers, system integrators and suppliers.
- There is a lack of visibility and coherence across the cyber supply chain which prevents effective orchestration and synchronization.
- There is a clear need for structured incentives and relationship drivers which facilitate management of shared risk.
- Lack of communication between the cyber and physical supply chain domains is constraining advancement. Most organizations mistakenly view themselves as the terminus in the cyber supply chain and do not recognize the need for accountability within all internal function areas, as well as among all suppliers, customers and partners.
- Information security operations is not sufficiently aligned with the supply chain risk management function to be capable of performing joint operations during an incident
The central challenge is that global cyber supply chains today are as fragmented as physical supply chains were 15 years ago. Since the release of our paper we have been diligently conducting on-site case studies with several government and commercial organizations to better understand the application of the model.

In this session we will introduce our model and present one industry and one government case study covering a cross-functional executive perspective of its application paying particular attention to the challenges an incident response team faces in aligning the CERT/CIRC function with conventional supply chain risk management.

This talk could be extended into a tutorial if desired. I have attached the executive summary for the paper to this submission. The full paper is available at: http://www.saic.com/news/resources/Cyber_Supply_Chain.pdf
rossman-slides.pdf
MD5: 9462675824dc3ea16cb586fb02b70941
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.26 Mb
CZ
CZ.NIC presentation
Martin Peterka (CZ.NIC, CZ)
2010 Symposium - Hamburg
Hamburg, DE
January 25, 2010 13:40-14:00
Hosted by DFN-CERT
http://www.terena.org/activities/tf-csirt/meeting29/peterka-cznic.pdf
DE
Delivering services in a user-focused way
Marcus Pattloch (DE)
2010 Symposium - Hamburg
Hamburg, DE
January 25, 2010 14:30-15:00
Hosted by DFN-CERT
http://www.terena.org/activities/tf-csirt/meeting29/pattloch-dfncert-portal.pdf
PL
Detecting and Analyzing Malicious PDF Files
Pawel Jacewicz (NASK/CERT Polska, PL)
2010 Symposium - Hamburg
Hamburg, DE
January 26, 2010 10:00-10:30
Hosted by DFN-CERT
Malicious_PDF_Files.pdf
MD5: bc5b5e55dfe316eb93a61112bdc442b7
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.82 Mb
DNS community efforts to enable Security Stability and Resiliency
Greg Rattray (ICANN, Multinational organisation)
2010 Symposium - Hamburg
Hamburg, DE
January 25, 2010 15:30-16:00
Hosted by DFN-CERT
http://www.terena.org/activities/tf-csirt/meeting29/rattray-dns-security.pdf
Dragon Research Group Security Distro
Jacomo Piccolini (Team Cymru)
The DRG Distro is a minimized Linux distribution designed to operate as part of a distributed Internet-based security research network. The Distro, or "pod", is Slax-derived and comes with a useful set of utilities that provides the pod "runner" an easy way to develop awareness of local network security conditions. When integrated into the pod network, this tool also provides a broad view of malicious activity gleaned from other networked pods. The ultimate goal is to combine local pod network activity with DRG insight, analysis and tools to provide actionable intelligence to the Internet security community. For more information see http://drg.team-cymru.org/
peixinho-piccolini-slides.pdf
MD5: 1f61eb0192f98b987726160be86d07cc
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.89 Mb
UY
FACTOIDS: An open architecture for secure, efficient and dynamic data exchange among CSIRTs
Carlos Martinez-Cagnazzo (CSIRT-Antel, UY)
Computer Security Information Response Teams (CSIRTs) are service organizations, highly-specialized task forces that handle security incidents at either coordination or operational level. Malicious Internet activities recognize no boundaries; therefore, in order to be able to carry out their tasks as efficiently as possible, CSIRTs must establish relationships of trust that will allow them to share information.

In order to be acceptable, this information sharing must also comply with the information security policies of each security team’s parent organization and, in order to be as effective as possible, they must be capable of being automated.

The problem opens various research avenues, including but not limited to: (a) streamlining trust relationship establishment; (b) automatic sanitization according to a stored, machine-executable information security policy; (c) efficient access to event repositories through remotely-callable APIs and (d) efficient storage of large volumes of security-related event data.

This paper contains an introduction to this information exchange scenario among CSIRTs and then analyzes some relevant tools and architectures found in the literature with the aim of preparing an analysis of the requirements and proposing a high-level architecture for the automatic exchange of information among CSIRTs through administrative domains such that it complies with each organization’s information security policies.
martinez-cagnazzo-slides.pdf
MD5: 36ae572755cbe2b2ab6b0680b52c5946
Format: application/pdf
Last Update: June 7th, 2024
Size: 441.13 Kb
Fingerprinting Malware Developers
Rich Cummings (HBGary, Inc.)

Rich Cummings has been focused on catching cybercriminals for over 10 years. Rich has been doing incident response investigations since the late 90’s when he worked as part of the 911 emergency response team at Network Associates. During his career, Rich has been involved in many high profile incident response investigations at some of the largest companies in the world. Prior to joining HBGary, Mr. Cummings was with Guidance Software for 6 years as the Director of Security Engineering & Government Solutions. Rich was instrumental at Guidance in the early days crafting the enterprise go to market strategy for their flagship product Encase Enterprise. During his time at Guidance Rich held many leadership roles in the organization in product engineering, sales, and marketing departments. Rich also worked closely with the federal government and military to architect large scale solutions for incident response, computer network defense, and counterintelligence investigations.

Over the last decade, the Malware Industry has grown at a phenomenal rate. The volume of unique Malware, the sophistication of Malware techniques, and the number of participants in the overall Malware environment have all reached a critical mass – they have surpassed the ability of the Security Industry to provide comprehensive protection. The Security Industry is changing, adapting, and growing in an effort to catch up to the Malware Industry. In my presentation, "Fingerprinting Malware Developers,” I will discuss how to fingerprint -- and potentially identify -- the developers behind each piece of Malware.

Fingerprinting Malware has emerged as a significant concern in today’s security environment. Forensic Investigators, Security Consultants, Software Vendors, Network Administrators, and CISOs all want to determine who is behind the attacks on their victims, clients, customers, products, and networks. They want to utilize this information for a variety of purposes—prosecute the attackers, identify related attacks, and secure against future attacks.

This presentation will outline a number of methods, and some myths, related to the more general field of fingerprinting software developers. Methods covered include instruction usage, analysis of code patterns, debug information, language attribution, linked third-party libraries, embedded product keys, compiler and linker information, compiler signatures, machine signatures, and globally unique identifiers. These methods are then applied to the more specific context of Malware, and the success or failure of each method will be discussed. Finally, I will discuss some of the reasons that fingerprinting Malware developers can be a difficult problem to solve.
cummings-slides.pdf
MD5: edcbcafb34bac80c4450829038bf13c6
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.59 Mb
FISHA - A Framework for Information Sharing and Alerting in Europe
Bence Birkás, Ferenc Suba (CERT-Hungary)

Bence Birkas is the international relations maganer for CERT-Hungary. Since 2006, he is employed by the Theodore Puskas Foundation, working for CERT-Hungary, where the focus of his work is liaising with international counterparts in the field of incident response and CIIP, as well as keeping contacts with Hungarian partners by coordinating the work of national information sharing groups. CERT-Hungary runs sevaral EC and national projects, and Mr. Birkas is responsible for the management these projects.His previous work included assistance in setting up and operating the Hungarian Current Research Information System until the end of 2005.

The FISHA (Framework for Information Sharing and Alerting) is a collaboration between NASK/CERT Polska, CERT-Hungary and the University of Gelsenkirchen to build a common European information and alerting system within the framework of the EU EPCIP programme, based on the findings of the EISAS study of ENISA. The project addresses the issue of improving security awareness amongst home users and SMEs through the creation of a European information sharing and alerting system. The focus on home users and SMEs stems from the fact that these groups play a critical role in the security of the Internet as a whole, and as such, the European critical information infrastructure. At the same time both groups remain an easy target of attacks, due to low awareness of security issues and the lack of required technical skills to handle them in a proper manner. There is therefore a need of a channel that can be used to reach these groups and supply them with timely best practice information, alerts and warnings phrased in an easy to understand, non-technical way. While a number of national initiatives with a similar goal exist, these initiatives do not cooperate as actively in this field as they could. There is therefore much to be gained by pooling their resources and building upon existing information exchange initiatives, developed in particular, in the CERT community. Previous studies in the watch and warning field have shown that there are a lot of different views and interpretations by experts from different countries as to what really should be done at a European level. These differing views have hindered past European wide efforts, with relevant stakeholders firmly opposing a creation of a large centralized structure. The presentation will introduce our vision of the framework for information sharing and alerting, which we plan will act as a meta-information broker for various stakeholders (including CERTs), and explain the rationale behind the choices made, both technical (including a description of the proposed P2P network) and organizational. Our vision takes into account not just our own ideas or ideas inspired from previous work, but comments from experts (particularly from CERTs) that have taken part in our first FISHA workshop organized in October 2009 in Rotterdam.
birkas-slides.pdf
MD5: e2922113bd0bed6c6d2ea8f33f40865d
Format: application/pdf
Last Update: June 7th, 2024
Size: 476.44 Kb
FISHA - Understanding the Insider Threat: Lessons Learned from Actual Insider Cyber Crimes
Randall Trzeciak (CERT / Software Engineering Institute / Carnegie Mellon University)
Cyber crimes committed by malicious insiders continue to represent one of the most significant threats to networked systems and data. It is important to consider the insider threat perspective when developing policies and procedures for responding to cyber security events.

Since 2001 CERT’s insider threat team has built an extensive library and comprehensive database containing hundreds of actual cases of insider cyber crimes. This presentation will focus on three primary types of insider cyber crimes: IT sabotage, theft of intellectual property (e.g. trade secrets), and employee fraud. For each type of crime, a “crime profile” will be presented which describes who committed the crimes, their motivation, organizational issues surrounding the incidents, methods of carrying out the attacks, impacts, and precursors that could have served as indicators to the organization in preventing the incident or detecting it earlier. Insight will be provided regarding the technical means and methods used by malicious insiders including where to gather data on insider activity for event reconstruction. We will convey the "big picture" of the insider threat problem - the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time. Each crime profile will describe the patterns evident in the crimes so that attendees can recognize these patterns in their own organizations, and implement effective countermeasures to mitigate the threat.

Attendees will leave with an understanding of the scope of the insider threat problem, patterns to watch for that could signify increased risk, and proactive measures that they can put into place for prevention and detection of insider threats. Actual cases will be presented throughout the presentation to provide concrete examples and lessons learned.

THIS IS A SIMILAR PRESENTATION TO THE ONE OFFERED BY DAWN CAPPELLI, GEORGIA KILLCRECE, AND GREG LONGO AT THE FIRST TECHNICAL COLLOQUIUM IN HAMBURG GERMANY (JANUARY 2010).
trzeciak-slides.pdf
MD5: ed320c5644cb0e970a8b628cb4e4edd1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.18 Mb
US
Getting Ahead of Malware
Jeff Boerio (Intel Corporation, US)

Jeff is a 16-year veteran of Intel Corporation, and is a Senior Information Security Specialist with their Threat Management team, the operational security arm of the information security group. He is the leader of their cyber intelligence incident response team, responding to cyber intrusions and outbreaks in the enterprise. He also leads investigation into imminent threats and longer term trends to establish controls to protect against those threats. He holds a Bachelor of Science in Computer Science degree from Purdue University.

To minimize the threat posed by malicious software, or malware, making its way into the enterprise, Intel IT has established a process that actively seeks to identify and take action against the malware before it reaches Intel’s user base. This process focuses on real-time monitoring and interpretation of security events on the network and taking immediate action against any identified threats. The paper describes the process of detecting and addressing new malicious code threats in a global enterprise environment. Since implementing our security event monitor and detection processes, we have seen a 40 percent decrease in the number of formal incident response events.
boerio-slides.pdf
MD5: f60789ca6d30cf60d47c32e83d543d2d
Format: application/pdf
Last Update: June 7th, 2024
Size: 300.94 Kb
GN3 Security Activities
Maurizio Molina (DANTE, Multinational organisation)
2010 Symposium - Hamburg
Hamburg, DE
January 25, 2010 16:40-17:00
Hosted by DFN-CERT
http://www.terena.org/activities/tf-csirt/meeting29/kaskina-gn3-security.pdf
Got Spies in Your Wires?
Marshall Heilman (Mandiant)

Marshall Heilman is a Manager at Mandiant with over eleven years experience in computer and information security. His particular areas of expertise include enterprise-wide incident response investigations, secure network design and architecture, penetration testing, and strategic corporate security development. Marshall has extensive experience working with the Federal government, defense industrial base, financial industry, telecommunications industry and Fortune 500 companies. He has spoken at multiple security conferences, including OWASP, ISSA, and ISACA.
Marshall Heilman is a Manager at Mandiant with over eleven years experience in computer and information security. His particular areas of expertise include enterprise-wide incident response investigations, secure network design and architecture, penetration testing, and strategic corporate security development. Marshall has extensive experience working with the Federal government, defense industrial base, financial industry, telecommunications industry and Fortune 500 companies. He has spoken at multiple security conferences, including OWASP, ISSA, and ISACA.Prior to joining Mandiant, Marshall was a member of the United States Marine Corps. Most recently he was the Information Assurance Officer at Marine Corps Forces Pacific Command Headquarters, Camp Smith, Hawaii. Marshall received his Master of Business Administration from ASU and his Bachelor of Science in Computer and Information Science from UMUC. He holds the CISSP security certification and a current Top Secret government security clearance.

“Spies in the Wires” is a term used to refer to an entity’s ability to surreptitiously gather data from a remote victim organization through the Internet, often used in conjunction with foreign governments. In most instances the victim organization does not even realize it has been penetrated. Once the victim organization has been notified of the breach, the daunting task of cleaning up the breach, notifying appropriate parties, and dealing with the ramifications of data loss, begins.

The talk will begin with a discussion of some of the more serious intelligence gathering threats faced by government, DIB, and contracting organizations today, followed by real world case studies to better demonstrate some of the threats. After a discussion of the threats, the talk will discuss various tools and techniques to combat major facets of each threat: Initial Exploitation, Lateral Infection, Persistence, Attacker Visibility, and Damages. Each facet will be discussed in detail and analyzed from the perspective of an attacker, an incident responder, and a security architect. This in-depth breakdown of each facet will ensure that the intricacies of each threat are understood before combative tools and techniques are discussed.

The tools and techniques discussed during this talk to combat “Spies in the Wires” were derived from countless hours of being on the frontlines at many unique organizations dealing with these threats. This talk approaches security from an operational “what works” standpoint and not from a theoretical, or best practices, standpoint.
heilman-slides.pdf
MD5: ad9c3a312ab9c11350fb75191c6a0dfb
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.2 Mb
Grid Security developments
Daniel Kouril (Masaryk University)
2010 Symposium - Hamburg
Hamburg, DE
January 25, 2010 16:00-16:30
Hosted by DFN-CERT
http://www.terena.org/activities/tf-csirt/meeting29/kouril-gridsec.pdf
Hand On Computer Forensic with FOSS Tools
Nelson Uto (CPqD Telecom & IT Solutions), Sandro Melo (Locaweb)
In past, a server configured their risks but these risks were physically dimensioned, corresponding to the limits of the LAN of the corporation or institution. The Internet has radically changed this scenario.

It is more secure than a system with Firewall or other security devices, there will always be the possibility of human error or hitherto unknown failure in the operating system or applications, whether proprietary or FOSS system. Given this degree of risk, at first intangible, the threat of an invasion is something that we can't overlook.

In this context, the forensic techniques are essential during the response to an incident, to identify where the computer has violated its security, which was changed, the identity of the attacker and preparing the environment for expertise of Forensic Computer.

Bearing in mind the care of an expert as a Computer Forensic invasion is electronic crime. A digital evidence must be preserved so that it can have value.
melo-slides.pdf
MD5: 66edaeece4dac15370d54a0416a9931a
Format: application/pdf
Last Update: June 7th, 2024
Size: 517.34 Kb
How change to all-IP world impact attack scenarios and how CERT teams can be prepared?
Anu Puhakainen (Ericsson)

Anu Puhakainen has more than 20 years experience on IT and telecom industries and she has been employed by Ericsson since 1997. She is currently the manager for Ericsson Product Security Incident Response Team (Ericsson PSIRT), the corporate wide security incident response team serving both internal product organizations and Ericsson customers.

The ongoing network transformation impacts the business environment of all the actors in communications. While many more millions of people get access to services improving their daily lives, the whole networked community is exposed to the security threats that a global communication system entails. The session starts with a discussion about how the change to all-IP networking and convergence of fixed and mobile communications creates new possibilities for attackers. Ensuring security while maintaining appropriate privacy has been challenging in communication networks in the past. In the coming years, it will be even more of a challenge due to changes that takes place. The session continues with how network convergence, the opening up of networks and security de-perimeterization lead to an emergence of serious threats that were previously unapplicable. Both networks and end-users will be targeted with traffic that serves other purposes than what the communications solutions were designed for. CERT teams need skills, tools and collaboration to understand and adapt to a continuously changing security environment while equipment vendors must provide proper security in their products, solutions and services. The session will cover how evolving networks place strict demands on distributed protection mechanisms and the relevance of possible countermeasures like event sensoring, traffic separation, traffic protection and node protection in increasingly untrusted telecommunication network environments.
puhakainen-slides.pdf
MD5: 0094d61ce89129d57733c3b1500d9474
Format: application/pdf
Last Update: June 7th, 2024
Size: 649.89 Kb
GB
Incident Response in a Collegiate University
David Ford (Oxford University Computing Services, GB)
2010 Symposium - Hamburg
Hamburg, DE
January 26, 2010 14:15-14:45
Hosted by DFN-CERT
IncidentResponseCollegiate.pdf
MD5: 494fe6fb310d0a27e4d1769b85262da4
Format: application/pdf
Last Update: June 7th, 2024
Size: 981.52 Kb
Incident Response in Virtual Environments: Challenges in the Cloud
Russ McRee (Microsoft)

Bryan Casper, GCIA, CISSP, is a senior security analyst for Microsoft Online Service’s Security Incident Management team. His broad experience includes expertise in network traffic analysis and server forensics. Prior to his ten years at Microsoft, Bryan served in the US Air Force as a security analyst/engineer.

Incident response in large production environments is challenging enough. Add layers of virtualization, a constantly dynamic state, as well as a broad external customer base and the challenges deepen exponentially.

This presentation aims to provide recommendations and guidance based on experience and information gathered while conducting incident response in such environments including large virtualized caching networks and cloud-based services. Logging, tooling, forensic methods, and egress-based network security monitoring are amongst the topics to be discussed. This presentation also intends to allow active discussion with participants to share their experiences.
casper-mcree-slides.pdf
MD5: df6615f1de2dfc998404d12464968f6d
Format: application/pdf
Last Update: June 7th, 2024
Size: 232.42 Kb
Incident Response to Social Enginering Attacks
Ramses Martinez (Verisign)
In today’s enterprise environment an incident responder must not only be a technical expert but also posses a good understanding of the legal, economic and human aspects of dealing with a security incident. This increase in complexity has resulted in incident response becoming one of the most challenging disciplines in the filed of information security. During this presentation three real life incident cases will be discussed; a social engineering, one a targeted phishing email and a DDoS attack. In each of these cases the dependencies between an information security team and the legal, financial, HR and executive team will be analyzed. The processes tools and roles used by each of the groups involved will be discussed in detail as well as the impact that geography and culture have on the incident handling process. Lesson learned, containment, mitigation and recovery strategies will also be shared with the audience during this presentation.
martinez-slides.pdf
MD5: ea2580baffb323faf7f2ebd7416e0440
Format: application/pdf
Last Update: June 7th, 2024
Size: 311.16 Kb
Intrusion Response Reality Check
Kris Harms (Mandiant)

Kris Harms is a Principal Consultant at Mandiant with extensive experience investigating and resolving high risk computer security incidents. He has responded to intrusions for Fortune 100 companies, e-commerce sites and financial institutions. He has also supported multiple counter-intelligence intrusion investigations for several government entities. He has assisted organizations with post incident activities such as remediation strategy development, vulnerability management, security architecture design, executive presentations and incident response program development. A frequent industry speaker and instructor, Mr. Harms has appeared on the CBS News program 60 Minutes and PBS's Wealth and Wisdom.

Threats today are more frequently altering executive level business strategies and activities. Incident response techniques and technology must evolve to keep up with current threats. When investigating, it is crucial to get it right. Jamie Butler and Kris Harms will discuss their unique view of intrusion sets that continuously gain top level organizational visibility. They will also give you a peek inside their malware vault and expose some of the counter-forensics techniques widely used today. They will then focus on recent advances and misnomers in intrusion investigation, discuss how the average corporate forensicator is misled, and what you can do about it. Learn what goes unseen, and learn techniques to find it during this talk.
harms-silberman-slides.pdf
MD5: cd12a4d069c9c31f0832c55b98450850
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.88 Mb
Know Thy Enemy: Cataloguing Agents of Threat for Improved Risk Assessments
Steve Mancini (Intel Corp.), Timothy Casey (Intel Corporation)

Steve Mancini has been with Intel since he graduated from Purdue. He has been involved with several Intel security initiatives including the formation of the Security Operations Center, co-authoring Intel’s risk assessment process, creation of the first generation Intel’s incident response tool, RAPIER which Intel released as an open source tool, and enterprise scale threat modeling.

Timothy Casey, CISSP, IAM, is a senior Information Security Analyst for Intel’s Information Security & Risk Management group, with 25 years of experience in many information security fields. Originally a systems designer, before coming to Intel he was a key architect in many government and commercial security systems. At Intel, Timothy now designs and implements technologies like Intel’s Security Wargaming capability for advanced information risk management capabilities.

When risk managers assess threats to information assets, they have to understand the potential human threat agents: the categories of people who can harm those information assets. Historically, however, this has been challenging. A key problem is the lack of industry standards or reference definitions of agents. Assessors often have different concepts of even the most common agents, and interpret a seemingly simple term such as “spy” very differently, making it difficult to share information or apply it consistently.

As a result, risk management projects often experience threat creep-- threat definitions are repeatedly re-negotiated as the project progresses, causing many delays. Even if a team agrees on the definitions, information about threats is often fragmented and sensationalized, making it difficult to understand the real threat and how to prioritize it. Additionally, some agents attract considerable publicity, resulting in the most-publicized agents appearing as the biggest threat and receiving a disproportionately large amount of limited mitigation resources.

A cross-organizational team of senior Intel information security specialists decided to create a standardized set of threat agent archetypes, with the goal of improving the accuracy and efficiency of risk assessments. Unable to find a suitable set already in use, they developed their own Threat Agent Library of 23 agent archetypes, each uniquely defined. The library includes both the “usual suspects” and characters that are easily overlooked if not explicitly listed.

The standardized threat agent approach was only recently deployed internally but is already making an impact. It was incorporated into Intel’s main business security and acquisitions risk assessment tools, where it has dramatically streamlined the process. A key manufacturing group reported a 60% improvement in total threat assessment time, reducing the negotiation period from months to days. The agent archetypes also enable focused data collection and accurate threat ranking, allowing Intel IT architecture and mitigation groups to better prioritize resources. Externally, the US DHS has incorporated the library as a cornerstone methodology of its IT Sector Baseline Risk Assessment.

This presentation will describe these elements in further detail, so that the audience can understand the problem we addressed, basics of the library itself and where to access it, and how to apply the concepts to common risk assessment situations.
casey-mancini-slides.pdf
MD5: b890926b115d2105e670342519d0f965
Format: application/pdf
Last Update: June 7th, 2024
Size: 245.09 Kb
Locale-specific threats: Security challenges due to globalization
Anthony Bettini (McAfee)

Anthony Bettini is part of the McAfee Labs senior management team. His professional security experience comes from working for companies like McAfee, Foundstone, Guardent, Bindview, and independent contracting. He specializes in software security and vulnerability detection. Anthony has spoken publicly for NIST in Washington, DC, the Computer Anti-Virus Research Organization (CARO) in Europe, and most recently at RSA Europe 2009. Anthony has published new vulnerabilities found in Microsoft Windows, ISS Scanner, PGP, Symantec ESM, and other popular applications. In addition to contributing to a handful of security books, Anthony was also the technical editor for Hacking Exposed 5th edition. Anthony’s most recent public speaking engagement was at RSA Europe 2009 in London and covered security risks in social networking applications (titled: You should be careful who you, and your friends, link with).

Responding to threats in the enterprise is a challenging problem. But when the enterprise goes global and perpetually expands its reach, the challenges take on a new dimension. The impact of globalization on IT security is rarely discussed at the threat level, but on the ground, an all too real problem. Pieces of this may be well understood problems, such as adhering to local regulations and technical standards in a given country or region of the world. However, other pieces may not be so clear, such as software that is only prevalent in one particular country being subject to targeted attacks and 0day vulnerabilities. In this talk, we will go over real world examples of locale-specific impacts to traditional IT security challenges, particularly in the realms of: vulnerabilities, 0days, compliance, threat monitoring and prioritization, and the impact various global CERT organizations play.
bettini-slides.pdf
MD5: 8a570a423a59b972ba5bf78ba47273af
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.19 Mb
AT
Mass Malware Analysis: A Do-It-Yourself Kit
Christian Wojner (AT)
2010 Symposium - Hamburg
Hamburg, DE
January 26, 2010 11:15-12:00
Hosted by DFN-CERT
mass_malware_analysis__a_do-it-yourself_kit.pdf
MD5: b8c8fca5029bb182ee98e10e2208b3ee
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.09 Mb
Phising Malware vs Brazilian Banks: What each side is doing to raise the bar
Ivo Peixinho (Brazilian Federal Police)
Brazilian banks are constantly changing their websites and adding new security measures to try to contain the tsunami of new phishing malware that arrives every day on the net. Recently some banks started taking radical approaches, like accepting transactions only from pre-registered computers and using off-the-band mechanisms like SMS messages. This presentation shows the latest advances on security regarding Brazilian online banking, trends and the latest types of malware found on the wild. There will be some demonstrations of the latest malware that target the latest security measures of the online banking sites.

The talk will also present the latest moves of the Police and Justice to put the criminals behind bars, and the impact of this new security measures on the end user. Since this presentation will cover the latest developments the final material will be given only at the conference.
peixinho-piccolini-slides.pdf
MD5: 1f61eb0192f98b987726160be86d07cc
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.89 Mb
Portable Destructive File (PDF) Attacks And Analysis
Mahmud Ab Rahman (CyberSecurity Malaysia - MyCERT)
The increased prevalence of malicious Portable Document Format (PDF) files has generated interest in techniques to perform analysis on such document.We have observed a lot of attacks try to abuse the PDF vulnerabilities by hosting malicious pdf files on the Internet. The modus operandi involved in lurking people to open malicious PDF files by using social engineering attack. The emails were sent with a link to PDF file, by attaching the malicious PDF file directly to trap victim to open the files. .

In this presentation we will share with you on how to analyze malicious PDF files which abusing JavaScript for exploitation and as well as using it as attacker payloads. What you will learn here will help you to analyze malicious PDF files on your own by using freely available tools.
abrahman-slides.pdf
MD5: 46e3f121207a8f4ec750c85d3612a384
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.36 Mb
R&D projects launched in response to the dynamic evolution of Internet security threats - CERT view
Krzysztof Silicki (NASK)
Wherever they are, CERTs (Computer Emergency Response Teams) as security incident handlers have hands-on experience with the latest attack techniques on the Internet. This is the result of direct contact with their constituency and other CERT teams, which often serve as the first line of support when faced with new threats. The dynamic development of threats remains a never ending challenge not just for them, but the entire security industry. Research and development projects that are launched in response to analyzing threats, often have a problem keeping up and developing adequate tools that can be applied in practice. Nevertheless, creating new platforms that can facilitate detection and improve situation awareness is critical in order to stop these threats. We will present technical issues concerning national and international research and development projects conducted by the CERT Polska team, operating within NASK structures. We will also present how these projects support the operational activity of CERT, which determines the requirement for new tools and research – namely for projects having practical application in e.g. threat monitoring, correlation, early warning, malware analysis or effective transfer of information to proper recipients. A few examples of building synergy between projects being implemented will be described. We believe that the most valuable part of our work is a very effective approach to the problem of relationship between practical needs of an operational work of CERT team and the outcomes of security projects and systems development within such team. We are convinced that such relationship should be very strong and we try to ensure it in our technical work. Thus the technical projects undertake the most important and the most novel topics related to the ICT security. We believe that a major idea of our work is the positioning of different projects in a way the enables them to work together, creating a synergy that results in a solution to today's security problems of the Internet. In each of the presented projects, we come up with novel algorithms that enable the achievement of specific project goals.
silicki-slides.pdf
MD5: b7ae0a9b47b047effa3738b809afca93
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.69 Mb
Risk Intelligence: Business Intelligence meets Information Security
Matt White (Intel Corporation)
In 2009, Intel Corporation used a novel business intelligence approach to address needs in the protection of its intellectual property. A team inside Intel developed a flexible architecture that uses business intelligence to implement risk models, determine actual likelihood and impact, and measure risk reduction. As the solution grows, it is part of an end-to-end process to protect intellectual property in the company. This talk covers the hardest problems to solve, and the solutions Intel found. Learn how business intelligence concepts were benchmarked against risk concepts like likelihood and impact. How to implement risk models that detect intellectual property misappropriation will be discussed.
white-slides.pdf
MD5: 587ad09762cfe377cee976f70b176c6a
Format: application/pdf
Last Update: June 7th, 2024
Size: 724.98 Kb
Securing Europe's Information Society
Udo Helmbrecht (ENISA)

Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.
Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.Between 1981 and 1983, Helmbrecht worked as a research assistant for the Institute of Theoretical Physics at the Ruhr University. For the following two years, he ran the Software Development Department of the Bergische University in Wuppertal.
Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.Between 1981 and 1983, Helmbrecht worked as a research assistant for the Institute of Theoretical Physics at the Ruhr University. For the following two years, he ran the Software Development Department of the Bergische University in Wuppertal.Moving to Messerschmitt-Bölkow-Blohm GmbH (MBB) in Munich, the predecessor of today´s EADS, in 1985 Helmbrecht began his career as a systems analyst, working on a German Chinese project. He advanced to project leader one year later. Over this period, he successfully completed a two-year executive management training programme for high potentials. Between 1988 and 1989, he was personal assistant to the Head of the Military Aircraft Division.
Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.Between 1981 and 1983, Helmbrecht worked as a research assistant for the Institute of Theoretical Physics at the Ruhr University. For the following two years, he ran the Software Development Department of the Bergische University in Wuppertal.Moving to Messerschmitt-Bölkow-Blohm GmbH (MBB) in Munich, the predecessor of today´s EADS, in 1985 Helmbrecht began his career as a systems analyst, working on a German Chinese project. He advanced to project leader one year later. Over this period, he successfully completed a two-year executive management training programme for high potentials. Between 1988 and 1989, he was personal assistant to the Head of the Military Aircraft Division.In 1990, Helmbrecht was assigned the position of Head of the Technical Data Systems Department and between 1992 and 1995 he functioned as Information Technology Programme Manager, assuming responsibility for the programme and project management of information technology in the military aircraft product group.
Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.Between 1981 and 1983, Helmbrecht worked as a research assistant for the Institute of Theoretical Physics at the Ruhr University. For the following two years, he ran the Software Development Department of the Bergische University in Wuppertal.Moving to Messerschmitt-Bölkow-Blohm GmbH (MBB) in Munich, the predecessor of today´s EADS, in 1985 Helmbrecht began his career as a systems analyst, working on a German Chinese project. He advanced to project leader one year later. Over this period, he successfully completed a two-year executive management training programme for high potentials. Between 1988 and 1989, he was personal assistant to the Head of the Military Aircraft Division.In 1990, Helmbrecht was assigned the position of Head of the Technical Data Systems Department and between 1992 and 1995 he functioned as Information Technology Programme Manager, assuming responsibility for the programme and project management of information technology in the military aircraft product group.In 1995, Helmbrecht was appointed CIO of the Bayerische Versorgungskammer, a public insurance institution for pensions. As Director and Division Manager of Information Processing, he was responsible for data processing, information technology and security, application development, as well as data centre and network infrastructure. Here, he succeeded in introducing several entrepreneurial operating methods.
Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.Between 1981 and 1983, Helmbrecht worked as a research assistant for the Institute of Theoretical Physics at the Ruhr University. For the following two years, he ran the Software Development Department of the Bergische University in Wuppertal.Moving to Messerschmitt-Bölkow-Blohm GmbH (MBB) in Munich, the predecessor of today´s EADS, in 1985 Helmbrecht began his career as a systems analyst, working on a German Chinese project. He advanced to project leader one year later. Over this period, he successfully completed a two-year executive management training programme for high potentials. Between 1988 and 1989, he was personal assistant to the Head of the Military Aircraft Division.In 1990, Helmbrecht was assigned the position of Head of the Technical Data Systems Department and between 1992 and 1995 he functioned as Information Technology Programme Manager, assuming responsibility for the programme and project management of information technology in the military aircraft product group.In 1995, Helmbrecht was appointed CIO of the Bayerische Versorgungskammer, a public insurance institution for pensions. As Director and Division Manager of Information Processing, he was responsible for data processing, information technology and security, application development, as well as data centre and network infrastructure. Here, he succeeded in introducing several entrepreneurial operating methods.Since March 2003, Udo Helmbrecht has served as President of the Federal Office for Information Security (BSI) in Bonn. He has successfully developed the agency´s central service provision for information security within the German Federal Government. In addition, he has spearheaded the cooperation between BSI and the IT security industry, as well as raised public awareness of information security issues.
Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.Between 1981 and 1983, Helmbrecht worked as a research assistant for the Institute of Theoretical Physics at the Ruhr University. For the following two years, he ran the Software Development Department of the Bergische University in Wuppertal.Moving to Messerschmitt-Bölkow-Blohm GmbH (MBB) in Munich, the predecessor of today´s EADS, in 1985 Helmbrecht began his career as a systems analyst, working on a German Chinese project. He advanced to project leader one year later. Over this period, he successfully completed a two-year executive management training programme for high potentials. Between 1988 and 1989, he was personal assistant to the Head of the Military Aircraft Division.In 1990, Helmbrecht was assigned the position of Head of the Technical Data Systems Department and between 1992 and 1995 he functioned as Information Technology Programme Manager, assuming responsibility for the programme and project management of information technology in the military aircraft product group.In 1995, Helmbrecht was appointed CIO of the Bayerische Versorgungskammer, a public insurance institution for pensions. As Director and Division Manager of Information Processing, he was responsible for data processing, information technology and security, application development, as well as data centre and network infrastructure. Here, he succeeded in introducing several entrepreneurial operating methods.Since March 2003, Udo Helmbrecht has served as President of the Federal Office for Information Security (BSI) in Bonn. He has successfully developed the agency´s central service provision for information security within the German Federal Government. In addition, he has spearheaded the cooperation between BSI and the IT security industry, as well as raised public awareness of information security issues. In April 2009, Dr Helmbrecht was appointed Executive Director of ENISA by its Management Board and after a presentation for the European Parliament’s ITRE committee; a position he assumed on 16th October.

The EU policy agenda - Network and information security among top priorities

Under the umbrella of the Lisbon Strategy, the European Commission Communication "i2010 - A European Information Society for growth and employment"1, highlighted the importance of network and information security for the creation of a single European information space. The availability, reliability and security of networks and information systems are increasingly central to our economies and society.

In his speech the Executive Director of the European Network and Information Security Agency (ENISA) will give an overview of the policy process on European level, new tasks and functions for the ENISA and his vision for the future of NIS in Europe - and beyond!
helmbrecht-slides.pdf
MD5: 8587e4b374ae22690b94b43e27840cfd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.06 Mb
LU
Security made in Luxembourg
Pascal Steichen (CIRCL, LU)
2010 Symposium - Hamburg
Hamburg, DE
January 25, 2010 14:15-14:30
Hosted by DFN-CERT
http://www.terena.org/activities/tf-csirt/meeting29/steichen-circl.pdf
EE
Specifications for a Collaboration & Exchange Infrastructure for Cyber Defence Data
Luc DandurandLuc Dandurand (NATO C3 Agency, EE)

Mr Luc Dandurand joined the NATO C3 Agency on 5 January 2009 as a Senior Scientist in the Information Assurance and Service Control Team. Mr Dandurand received his Bachelor of Engineering degree in Engineering Physics in 1993 from the Royal Military College (RMC) of Canada and his Masters of Engineering degree in Computer Engineering in 1999, also from RMC. He has over 9 years of operational experience in Cyber Defence.

As a Signals Officer in the Canadian Forces (CF), Mr. Dandurand held various scientific and technical positions. He was an Intelligence Analyst for ground-based radars and STANOC equipment in the Directorate of Scientific and Technical Intelligence at National Defence Headquarters. He then led the Canadian Forces Information Operations Group’s Network Vulnerability Analysis Team during its expansion, supervising vulnerability assessments of military operational networks in Canada and in theatre. Finally, he founded the Canadian Forces Information Operation Group Red Team, responsible for conducting controlled computer network attacks against military networks in order to assess their security and the network managers’ ability to react, contain and recover from such attacks.

In 2003 he left the CF and joined the Communication Security Establishment (CSE) as an engineer on the expanded Joint Red Team, now operated both by the CF and CSE. In 2005, he was tasked to lead the CyberLab, a team of scientist and engineers who prototype novel solutions to difficult Cyber Defence problems. His major project in CyberLab was to lead the development of an intrusion detection system capable of detecting sophisticated attacks. He also was tasked for a period of seven months to assist in the development of the legal framework and policies that support the Cyber Defence activities of the CSE.

This presentation will discuss the issues involved with acquiring digital evidence from virtualization systems such as VMware and Xen-based systems, as well as so-called ‘cloud’ computing platforms that rely on these technologies to provide organizations and users with highly-scalable and distributed computing capabilities. Attendees will learn how virtualization systems work and the particular challenges they pose to the forensic investigator. In addition attendees will learn about the most common types of cloud computing platforms and how each introduces additional challenges for the investigator above and beyond those presented by virtualization technologies. This presentation will provide practitioners a primer for these increasingly common but, to many practitioners, still mysterious, technologies and platforms that they will likely be asked to perform forensics acquisitions and investigations on in the near future. This presentation will also present some practical techniques and procedures practitioners can utilize in their work with these systems.

Various estimates and projections point to an increasing use of cloud computing platforms now and in the near future, some indicating as much as 30% of corporate information processing will take place on some form of cloud platform by 2011. In any case, forensic investigators will need to have an understanding of the technologies involved, the different types of cloud platforms likely to be encountered and what acquisition and investigation challenges they are likely to encounter. Most importantly, investigators must have an established, tested, and accepted methodology for performing evidence acquisitions and investigations on these platforms.
dandurand-slides.pdf
MD5: eea0c7a06f81b1c7cd95b940f94135a9
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.12 Mb
Tales From the War Room
John Snyder (TD Bank Financial Group)
2010 Symposium - Hamburg
Hamburg, DE
January 26, 2010 15:30-17:00
Hosted by DFN-CERT
Tales.v0.1_handouts.pdf
MD5: aa7c4bd6675448ee914ce9faa713272d
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.25 Mb
That Pesky Critical Infrastructure
Jason Larsen (Idaho National Laboratory (DOE))
Very little incident data surrounding cyber attacks of control systems is public and the little that is public is pretty much boring or uninformative. This presentation will focus on public research available on hacking control systems. It will take a technical look at the new exploits and techniques being applied and what their consequences are. For example, a number of recent exploits have been published that allow the attacker to recover the encryption keys used in ZigBee meshes. What does that actually mean to the critical infrastructure?

The presentation will examine hardware hacking techniques and secure key storage as it applies to the new generation wireless devices that are entering the market. It will also try to take a crystal ball approach to security when vendor solutions that attach iPhone and Window Mobile devices to control systems come out later this year.

The presentation focus will be on the technical security measures and will largely ignore policy and best practices. It will attempt to be high level enough that it’s accessible to most audiences.
larsen-slides.pdf
MD5: bdd79e78178d47ee9976099da243deab
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.05 Mb
The Botnet Ecosystem
Vitaly Kamluk (Kaspersky Lab)

Vitaly joined Kaspersky Lab in 2005, and specializes in research focusing on corporate network protection, malware behaviour, and developing protection methods and tools. He has acted as an expert witness in IT forensic cases, and is based in Moscow. He has been in his current position since June 2008.

Vitaly has also worked as a virus analyst and developer, and participated in developing systems and components for internal use in the company’s Virus Lab. Before he joined Kaspersky Lab, he studied at Belarus State University, and worked as a programmer at an R&D company.

kamluk-slides.pdf
MD5: 64272a1e98eaf180211f527b5839d878
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.79 Mb
The Common Vulnerability Reporting Framework (CVRF)
Jim Duncan (Juniper Networks, Inc.)
In recent years, the computer security collective has made significant progress in categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposure (CVE) dictionary (http://cve.mitre.org) and Common Vulnerability Scoring System (CVSS) (http://nvd.nist.gov/cvss.cfm). However, one major gap in vulnerability standardization remains: there is no common framework for reporting and sharing vulnerability documentation among multiple organizations.

Current methods of vulnerability reporting, such as embedding security metric and vulnerability data inside response reports, are vendor-specific, non-standard, and non-cooperative. Additionally, because each producer of vulnerability reports employs a unique document structure that does not facilitate automated processing, users must manually parse individual vulnerability reports to find information that is germane to their environments.

In an effort to solve these problems, The Internet Consortium for Advancement of Security on the Internet (ICASI) has initiated the Common Vulnerability Reporting Framework (CVRF) project. CVRF will standardize vulnerability reporting in the form of an XML framework. Once CVRF is available, discoverers, vendors, users and coordinators of security response efforts worldwide will be able to use it to share critical vulnerability-related information, speeding information dissemination, exchange, and incident resolution. Producers of vulnerability reports will benefit from faster reporting, and end users will gain the ability to find relevant information more quickly and easily.
duncan-slides.pdf
MD5: 2914645013c87de22e0482586ceb20db
Format: application/pdf
Last Update: June 7th, 2024
Size: 720.99 Kb
The Opt-in Social Protesting Botnet
Günter Ollmann (Damballa)

Gunter Ollmann is the vice president for research at Damballa, an adviser to IOActive and a known veteran in the security space. Prior to joining Damballa, Gunter held several strategic positions at IBM Internet Security Systems (IBM ISS) with the most recent being the Chief Security Strategist. In this role he was responsible for predicting the evolution of future threats and helping guide IBM's overall security research and protection strategy, as well as being the key IBM spokesperson on evolving threats and mitigation techniques. He also held the role of Director of X-Force as well as the former head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006). Prior to joining ISS, Gunter was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. Gunter has been a contributor to multiple leading international IT and security focused magazines and journals, and has authored, developed and delivered a number of highly technical courses on Web application security. He is a well-known industry speaker worldwide and is often invited to present at various international security conferences. Gunter is also highly regarded in the press as an expert source on security threats and is a frequently quoted by the international media.

For the last few years social networking services have grown in breadth, scope and popularity. Their ability to attract huge groups of like-minded individuals from around the world and coordinate global protest actions and cyber attacks has also not gone unnoticed. 2009 saw many instances where new social networking groups appeared overnight, attracting tens-of-thousands members to a specific cause, and served as a centralized command and control for coordinated attacks. In several public instances participants willing installed classic botnet agents on their systems to take more active and damaging roles in the attacks. We’ve already seen some of the tools and baby-steps in to taking protesting online, but what will it look like when things get really start to get serious? What happens when you embrace Social Networking sites to further your cause and harness hundreds-of-thousands of compatriots, arm them with new-generation cyber-warfare tools, and launch coordinated attacks? How has online protesting jumped from classic Web denial of service or mail flooding, and in to social jihad botnets that embrace other channels such as blogosphere disinformation and telephony services? Next generation tools are already being created. The reasons for taking up cyber-arms are increasingly prevalent. How should you deal with attacks that may be targeted at your organization by your own customers? What are the implications of being a facilitator when your own employees take up cyber-arms and join a social jihad?
ollmann-slides.pdf
MD5: b3904b969bb71d761395ba95a48bc22a
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.25 Mb
NL
TRANSITS update
Don StikvoortDon Stikvoort (NL)

Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security – specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.

After his MSc degree in Physics, he became Infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet since November 1989. He recognised “security” as a future concern in 1991, and was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992-8, and FIRST member since 1992. Today Don is a FIRST Liaison Member.

Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.

In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 has is now under the wings of the “Open CSIRT Foundation” (OCF). Don was one of the founders in 2016 and now chairs its board.

Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, which portfolio is life & executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field.

Don thrives as motivational and keynote speaker. He enjoys to share his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate – and how deeper understanding and a better ability to express ourselves, increase our ability to bring good change to self as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out-of-the-box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:

“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.

2010 Symposium - Hamburg
Hamburg, DE
January 25, 2010 16:30-16:40
Hosted by DFN-CERT
http://www.terena.org/activities/tf-csirt/meeting29/stikvoort-transits.pdf
http://www.terena.org/activities/tf-csirt/meeting29/stikvoort-ti.pdf
Understanding and Combating Man-in-the-Browser Attacks
Jason Milletary

Jason Milletary is the Technical Director for Malware Analysis in SecureWorks' Counter Threat Unit (CTU). He has over 10 years of experience in Information Security, encompassing operations and research. In addition, Jason has six years of hands-on malware analysis experience supporting tactical and strategic goals. Jason is a seasoned speaker on topics related to malicious code, having spoken at numerous events worldwide. He is a recognized and well-respected subject matter expert on malware threats against the financial sector and e-commerce systems.

Over the past few years, we have seen an evolution of malware that integrates itself into the functionality of the victim’s web browser, in what is commonly called a “Man-In-The-Browser” (MITB) attack. The ultimate goal of malware with this capability is to take advantage of the trust boundary between the user and application to perform sophisticated information theft attacks. Traditionally, these attacks were largely focused against the financial sector. However, we have seen indications these types of attacks affecting more diverse targets. In this presentation, we will review several malware families that utilize MITB capabilities and discuss strategies for recognizing and mitigation against these threats from the point of view of a targeted organization.
milletary-slides.pdf
MD5: 1c25950d6259fb13a51a844ca2a65352
Format: application/pdf
Last Update: June 7th, 2024
Size: 863.51 Kb
AT
Visualization for IT-Security
Aaron KaplanAaron Kaplan (EC-DIGIT-CSIRC, AT)

Currently working for EC-DIGIT-CSIRC where he focuses on how to leverage the power of Large Language Models (LLMs) for CTI purposes. Prior to joining EC-DIGIT-CSIRC, Aaron was employee #4 of CERT.at, the national CERT of Austria. He was member of the board of directors FIRST.org between 2014-2018. He co-founded intelmq.org, a tool for automating incident handling workflows. He is a frequent speaker at (IT security) conferences such as hack.lu, black hat, amongst others.

He is co-chair of the AI Security SIG at FIRST.org. Aaron likes to come up with ideas which have a strong benefit for (digital) society as a whole and which scale up. He loves sharing knowledge and open source tools to automate stuff.

This talk will present visualization techniques for IT-security events and incidents.

Conficker demonstrated that sinkholing botnets and logging relevant IT-security events on a massive scale is a powerful weapon for mitigation and remediation. However, naturally these data collections quickly grow to sizes too large to understand or handle. Visualization can prove to be an invaluable tool for the IT security handler to gain insights into the dimensions of a problem as well as for management and even politicians.

Therefore this presentation will show - based on a concrete example - how we can extract understandable information out of a multitude of data sources. The concrete example will deal with DNS, DNScap and NFSen / NFDump visualizations. Since DNS is a hidden treasure box for IT Security and since DNS requests can hint to lots of problems (misconfigurations as well as abuse), visualizing DNS is in our opinion a promising fresh approach.

Finally, a list of practical tools will be presented which participants can use in their own organizations and thus improve their own incident handling.
kaplan-slides.pdf
MD5: ff6095d65207a7feb50d1e2dc19003c3
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.46 Mb
US
Who Moved My Cheese? Why The Security Industry Has Been Turned Upside Down
John Stewart (US)

Throughout his career spanning more than two decades, John Stewart has led or participated in security efforts ranging from elementary school IT design to national security programs. A heavily sought public and closed-door speaker, blogger to blogs.cisco.com/security, and 2010 Federal 100 Award recipient, Stewarts’ drive is simple: results.
Throughout his career spanning more than two decades, John Stewart has led or participated in security efforts ranging from elementary school IT design to national security programs. A heavily sought public and closed-door speaker, blogger to blogs.cisco.com/security, and 2010 Federal 100 Award recipient, Stewarts’ drive is simple: results.As Vice President and Chief Security Officer for Cisco, Stewart leads the security operations, product security, and government security functions. His team focuses on global information security consulting and services, security evaluation, critical infrastructure assurance, source code security, identification management, and special programs that promote Cisco, Internet, national, and global security. He is also responsible for overseeing security for Cisco.com, the infrastructure supporting Cisco’s $36+ billion business, WebEX, the collaboration service providing 73 million online meetings per year, among other Cisco functions.
Throughout his career spanning more than two decades, John Stewart has led or participated in security efforts ranging from elementary school IT design to national security programs. A heavily sought public and closed-door speaker, blogger to blogs.cisco.com/security, and 2010 Federal 100 Award recipient, Stewarts’ drive is simple: results.As Vice President and Chief Security Officer for Cisco, Stewart leads the security operations, product security, and government security functions. His team focuses on global information security consulting and services, security evaluation, critical infrastructure assurance, source code security, identification management, and special programs that promote Cisco, Internet, national, and global security. He is also responsible for overseeing security for Cisco.com, the infrastructure supporting Cisco’s $36+ billion business, WebEX, the collaboration service providing 73 million online meetings per year, among other Cisco functions.Stewart remains an active member in the security industry, having served on advisory boards for Akonix, Cloudshield, Finjan, Ingrian Networks, Riverhead, and TripWire. Currently, he sits on technical advisory boards for Core Security Technologies, Panorama Capital (formerly JPMorganPartners Venture), RedSeal Networks, and Signacert, is on the board of directors for KoolSpan, and a standing member of the CSIS Commission on Cyber Security.
Throughout his career spanning more than two decades, John Stewart has led or participated in security efforts ranging from elementary school IT design to national security programs. A heavily sought public and closed-door speaker, blogger to blogs.cisco.com/security, and 2010 Federal 100 Award recipient, Stewarts’ drive is simple: results.As Vice President and Chief Security Officer for Cisco, Stewart leads the security operations, product security, and government security functions. His team focuses on global information security consulting and services, security evaluation, critical infrastructure assurance, source code security, identification management, and special programs that promote Cisco, Internet, national, and global security. He is also responsible for overseeing security for Cisco.com, the infrastructure supporting Cisco’s $36+ billion business, WebEX, the collaboration service providing 73 million online meetings per year, among other Cisco functions.Stewart remains an active member in the security industry, having served on advisory boards for Akonix, Cloudshield, Finjan, Ingrian Networks, Riverhead, and TripWire. Currently, he sits on technical advisory boards for Core Security Technologies, Panorama Capital (formerly JPMorganPartners Venture), RedSeal Networks, and Signacert, is on the board of directors for KoolSpan, and a standing member of the CSIS Commission on Cyber Security.Stewart holds a Master of Science degree in computer and information science with honors from Syracuse University, Syracuse, New York.

In a world of no boundaries and digital warfare, electronic attacks upon national IT systems are becoming more frequent, sophisticated and effective. These attacks against the IT infrastructure of governments, defense departments, and the large financial institutions on which we rely are challenging current defense operating systems to their fullest, and may have lasting adverse effects to the nation's economy, security, and overall way of life. Research has found that these attacks have progressed from initial curiosity probes to well-funded and organized operations for political, military, economic and technical espionage and maliciousness. As threats continue to evolve in this multifaceted world, we must develop macro, strategic solutions that can help to protect our interests. Each stolen document has a monetary cost. And at a time when many of us carry valuable information on multiple devices, we must each accept the responsibility of creating the architecture of assurance. As IT security professionals, are we asking the right questions regarding information assurance? Are we providing the right set of solutions to today's challenges and are they enough to protect our IT systems? John N. Stewart questions established practices by asking the hard questions that require real-world answers for today's security challenges.
stewart-2-slides.pdf
MD5: 36fcb10e39b52047020bfb1679591b32
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.08 Mb
WOMBAT API: handling incidents by querying a world-wide network of advanced honeypots
Piotr Kijewski (NASK/CERT Polska)
Our presentation will describe the WOMBAT API, an API developed by the WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats) project consortium that allows different organizations to give access to their security-related datasets in a simple but consistent manner. Unlike most standards, the WOMBAT API places only a few general requirements on an entity wishing to implement the API. It enables users to explore and compare datasets from different organizations through a powerful interactive command line level interface, without knowledge of underlying database architecture. The HoneySpider Network (a hybrid client honeypot solution) dataset is described in detail, with examples of usage. Other datasets that are WAPI-enabled are also introduced. This is followed by an example scenario which shows how a real-life incident can be handled by using information from a diverse group of datasets, from the moment that a security breach is detected, initial assessment of the compromise, up to identification of possible infection vectors, IPs, URLs and malware responsible. We believe that the WOMBAT API has the potential to become a powerful tool and be a catalyst enabling CERTs and security researchers to share security related data in a much more open and effective manner than has been possible up till now.
kijewski-slides.pdf
MD5: d2e74ced664053a5e3cc31bea506141c
Format: application/pdf
Last Update: June 7th, 2024
Size: 412.38 Kb
Your Other Network
Fabian "Fabs" Yamaguchi (Recurity Labs)
yamaguchi-slides.pdf
MD5: d45ae6b37d52af95944e6846bb430d27
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.8 Mb

Publications (2010)

13 Things to Consider Before DNSSEC

A Day in the Life of a Web Application

Ad hoc File System Forensics

After the Acquisition: A Software Security Assurance Perspective

Analysis on How CSIRTs are Organized in Japanese Large Companies

BlackEnergy 2 Revealed

Building a CSIRT in an ITIL Driven Organization

Building a Fortune 5 CIRT Under Fire

Case study in the use of System Whitelisting

CERT-EE and CERT-FI: AbuseHelper framework for community-wide, automated abuse handling.

Challenges for Digital Forensic Acquisition on Virtualization and Cloud Computing Platforms

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools

Cloudifornication - Indiscriminate Information Intercourse Involving Internet Infrastructure

Cooperation and self-regulation of Polish ISPs in combating online crime

Critical Functions: A Functions Based Approach to IT Sector Risk Assessment

Cyber[Crime|War] - Drawing the hidden links

Cyber Supply Chain Assurance: Incident Response in the global IT supply chain

CZ.NIC presentation

Delivering services in a user-focused way

Detecting and Analyzing Malicious PDF Files

DNS community efforts to enable Security Stability and Resiliency

Dragon Research Group Security Distro

FACTOIDS: An open architecture for secure, efficient and dynamic data exchange among CSIRTs

Fingerprinting Malware Developers

FISHA - A Framework for Information Sharing and Alerting in Europe

FISHA - Understanding the Insider Threat: Lessons Learned from Actual Insider Cyber Crimes

Getting Ahead of Malware

GN3 Security Activities

Got Spies in Your Wires?

Grid Security developments

Hand On Computer Forensic with FOSS Tools

How change to all-IP world impact attack scenarios and how CERT teams can be prepared?

Incident Response in a Collegiate University

Incident Response in Virtual Environments: Challenges in the Cloud

Incident Response to Social Enginering Attacks

Intrusion Response Reality Check

Know Thy Enemy: Cataloguing Agents of Threat for Improved Risk Assessments

Locale-specific threats: Security challenges due to globalization

Mass Malware Analysis: A Do-It-Yourself Kit

Phising Malware vs Brazilian Banks: What each side is doing to raise the bar

Portable Destructive File (PDF) Attacks And Analysis

R&D projects launched in response to the dynamic evolution of Internet security threats - CERT view

Risk Intelligence: Business Intelligence meets Information Security

Securing Europe's Information Society

Security made in Luxembourg

Specifications for a Collaboration & Exchange Infrastructure for Cyber Defence Data

Tales From the War Room

That Pesky Critical Infrastructure

The Botnet Ecosystem

The Common Vulnerability Reporting Framework (CVRF)

The Opt-in Social Protesting Botnet

TRANSITS update

Understanding and Combating Man-in-the-Browser Attacks

Visualization for IT-Security

Who Moved My Cheese? Why The Security Industry Has Been Turned Upside Down

WOMBAT API: handling incidents by querying a world-wide network of advanced honeypots

Your Other Network

Publications on Spotlight