Freddy Dezeure (CERT-EU)
Cyberthreats are becoming ever more frequent and sophisticated. In the European Digital Agenda, the European Commission has proposed several initiatives to tackle these threats in a more effective manner. In particular the European Digital Agenda foresees two actions regarding the setting up of national CERTs and the improvement of the cooperation between national CERTs. The CERT-EU Pre-configuration Team is a key component to delivering these two actions. The presentation will cover the status and perspectives of CERT-EU.
MD5: 22f8d0604d9b9061747b0c5008720b9f
Format: application/pdf
Last Update: June 7th, 2024
Size: 8.55 Mb
Tim Slaybaugh (General Dynamics - AIS)
While there has been extensive reporting on TDSS malware, dubbed the ‘Indestructible’ botnet by Kaspersky, most reporting has focused on reverse engineering the various components of the Trojan. This presentation will instead concentrate on the forensic attributes of TDSS activity to assist the analyst in identifying its presence on an image or on the network. Topics covered will include an overview of the malware including analysis of the pagefile.sys, unallocated space, applicable live memory forensics techniques as well as malicious activity from affiliate programs. Emphasis will be placed on the recent TDL-4 variant.
MD5: f6d57d3efe7cfee7c781a0416f9337c5
Format: application/pdf
Last Update: June 7th, 2024
Size: 450 Kb
Ikuya Hayashi (NTT, JP)
NTT-CERT and Meiji University collaborate to study "storytelling" in organizations. Storytelling influences the realities people hold and triggers dynamic responses within the organization. Ultimately, we expect that understanding "storytelling" can help us build and maintain a good team under the high-pressure situations in which CSIRTs operate.
The purpose of this paper is to investigate the organizational side of security response in cases of Japanese CSIRTs.
As incidents usually occur in new forms and under new situations, responding to them is difficult. Therefore, when an incident occurs, members of the CSIRT assign a meaning to the effect of the incident. At this point, the members analyze the incident in the light of a recent incident through storytelling based on their current experiences and decide upon appropriate countermeasures. In this manner, the organization's reality about security is constructed through "storytelling".
Research on storytelling has developed in organization studies in recent years. Storytelling is shown in the context of management that is engineering organizational change. Moreover, it is especially shown in the context of the efforts that the leader makes to help subordinates understand the ramifications of the changes that are to be introduced in the organization. However, this case shows that storytelling in an organization does not only imply downward communication flowing from the leader to the other members but also interactive storytelling that occurs between the members of the organization. Therefore, we will present alternative storytelling perspectives that differ from those of established studies. To make that difference clear, we first explain the established view stemming from past research on storytelling. Second, we show an alternative viewpoint to that adopted in existing storytelling research. To investigate the cases of Japanese CSIRTs, we do not focus on the established view of storytelling as a leadership tool or a tool that effects organizational change, but on how various stories are formed within an organization and on the organization's reality, which gives rise to various stories. Finally, we will show the importance of organizational perspectives on security response.
MD5: 0f7b1bcbec313904041648cc255ce529
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.98 Mb
Danny McPherson (Verisign, Inc.)
MD5: 0c234bab5f7e27ba37ac015f5382f616
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 2.81 Mb
Juhani Eronen (FI)
In recent years, Finland has topped the list of least infected countries in the world according to reports such as the Microsoft Security Intelligence Report (SIR). The goal of this presentation is to briefly introduce the approach we believe contributed to these results. In this approach the security community is organizing itself to collaborate and protect citizens and the critical infrastructure from organized crime. This talk focuses on the experiences of CERT-FI in using AbuseHelper, an open source framework for handling incident data, within the Autoreporter and HAVARO projects. Autoreporter is a system for automatically reporting to internet providers on masses of incidents reported by third parties. Information is gathered, elaborated, sanitized, and reported to the collected contacts. The HAVARO project is a co-operation between CERT-FI and the Finnish National Emergency Supply Agency. HAVARO is a versatile network monitoring and early warning system for Finnish critical information infrastructure providers. The intelligence CERT-FI gathers on network abuse through its international contact network is put into operational use in the HAVARO system. HAVARO collects observations of possibly malicious activities based on IDS rules, flow data and traffic to known bad networks and systems. Full packet traces of suspected incidents are retained for investigation. Reports and alerts are sent to the system owners after investigation. We explain how the underlying AbuseHelper framework enables these systems to co-operate and allows CERT-FI to gain broad visibility into the security of Finnish networks. Finally, we present an outline of how the Finnish National Bureau of Investigation is using AbuseHelper to enable information sharing between the CERT and law enforcement communities in its Collabro project.
MD5: 129c17116ebc581c1fa593ea52c3403f
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 3.75 Mb
Coordinator: Kent Landfield (McAfee), US
MD5: 5b4c5872890ca37c42d7c5e782038b5b
Format: application/pdf
Last Update: June 7th, 2024
Size: 531.64 Kb
Eric Ziegast (ISC)
In 2005, Florian Weimer introduced the world to Passive DNS Replication at FIRST. In 2007, ISC took up the challenge of implementing a production system and scaling and improving upon it. ISC has written and published a technical paper about its advances in the design and operation of the open-source sensor and collection infrastructure, and has built a scalable database used by many in the operational security community. Eric will present the technology used in the project and discuss lessons learned.
MD5: 24408bc90d0047a2396875953e097baa
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.3 Mb
Michael H. Warfield
DNS, like security, is not an island and it respects no borders. It is a morass. The Domain Name System is one of the critical core infrastructure protocols upon which the entire Internet depends, yet it is often ignored, particularly on the client side of the house. In recent years, we've seen cache poisoning attacks and resource amplification attacks. Operation Ghost Click involved redirecting DNS clients through DNSChanger malware. Much of this could have been detected through DNS monitoring. On the other hand, Operation Aurora was uncovered through data mining of detailed DNS logs, and DNS forensics has been mentioned in more than one study.
A lot can be gleaned from data mining DNS traffic alone, if the facilities have been set up for it in advance. Even more can be acquired by correlating DNS activity with other network activity, or the lack thereof. The challenge is in establishing and maintaining baselines against which anomalies stand out.
This talk will look at several areas where behavioral anomalies may be detected by monitoring DNS traffic and correlating it with expected behavior and against other expected network traffic. These anomalies can often unveil classes of malicious activities and intrusions before other techniques have a chance to catch them. The talk will also cover managing the baseline to improve the signal-to-noise ratio that inherently plagues anomaly detection methodologies.
MD5: 657f8d128a26d5a84ee6bf7f0d639d58
Format: application/pdf
Last Update: June 7th, 2024
Size: 321.55 Kb
Adli Abdul Wahid (APNIC, MY)
Cyber security exercises (cyber drills) are pretty common these days. CERTs/CSIRTs at both the national and regional levels have been observed organizing them regularly. In this respect, the Malaysia CERT has been coordinating the national cyber security exercises, known as X-Maya, since 2007. The exercises are hands-on in nature and carried out as part of the critical information protection program. While a lot can be said about the benefits of this activity, some question its effectiveness when it comes to dealing with real incidents. This presentation will give a technical overview of designing and executing X-Maya 4 in 2011. Most importantly, some reflections on the effectiveness of the exercise in the light of Anonymous #opsMalaysia in June 2011 will also be shared with the audience.
MD5: f0df8f1229e0830179d5cfa8fa517d95
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.52 Mb
Javier Berciano (INCIBE-CERT, ES)
In order to automate incident reports, after evaluating existing services INTECO-CERT decided to develop an internal service for retrieving information and abuse contacts for IP addresses involved in cyber incidents. The service backend uses ARIN Whois-RWS and the RIPE-NCC database REST API to retrieve abuse contacts in an efficient manner. These external services offer information for different RIRs: ARIN Whois-RWS provides information for ARIN IP addresses and delegated netblocks, and the RIPE-NCC database REST API feeds the same information for RIPE, AfriNIC and APNIC netblocks. As LACNIC doesn't have any similar service, INTECO-CERT signed an agreement with the purpose of obtaining bulk data from this RIR to optimize as much as possible the extraction of technical information for LACNIC netblocks.
This service also holds national CERT contacts collected from the FIRST member directory and the CERT/CC National CSIRTs database. So for any query it returns the abuse contact published in RIR databases and a national CSIRT contact.
Besides abuse and national CSIRT contact information, this service offers other technical details, such as those provided by the "IP to ASN Mapping" service offered by Team Cymru.
Therefore, this service allows you to obtain all the information necessary for reporting a cyber incident. The service output for any query looks like this:
Example output:
AS | IP | BGP Prefix | CC | RIR | Abuse Contacts | AS Name
15169 | 8.8.8.8 | 8.8.8.0/24 | US | Arin | n:soc@us-cert.gov n:phishing-report@us-cert.gov r:arin-contact@google.com r:axelrod@google.com r:ir-contact-netops-corp@google.com r:kk@google.com | GOOGLE - Google Inc.
In the abuse contacts field, "n:" designates a national CSIRT contact and "r:" indicates abuse contacts collected from the RIR.
Several ways to perform the queries are implemented:
In addition to contact information collected from RIRs and national CSIRT databases, other services are used to complete the answer. Some AS data is collected from different whois services, such as Shadowserver and Team Cymru, and stored in an SQL database. This data is then cached in memory using a Patricia tree (http://en.wikipedia.org/wiki/Patricia_tree), which allows the IP -> ASN resolution to be done almost immediately.
To take advantage of the REST services from ARIN and RIPE NCC, a Squid cache has been introduced to speed up query performance. In the case of LACNIC, which provides data on ASes and netblocks with the respective contact handles, the data is resolved automatically every month using traditional whois and stored in an SQL database for later queries to the service.
The service is optimized for bulk queries, performing them in parallel: IP addresses received by the service are sorted by RIR, and a new thread is launched for every 100 IP addresses.
INTECO-CERT is interested in sharing this service with the FIRST community so that they can make use of it by signing an agreement, so that other security teams can benefit from the advantages of this service and give us feedback for future improvements and desired features.
MD5: 539f505badd02a0a2ab441a8d66fb245
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.96 Mb
Michael Hausding (SWITCH-CERT, CH), Philipp Rütsche (Swisscom, CH)
Becoming a botnet free country is an unachievable goal. Nevertheless, this headline was chosen to coordinate different national initiatives by Swiss ISPs, CERTs, the .ch registry and security researchers against malware.
The cooperation started in 2011 when we met to discuss measures against botnets and found out that most ISPs and the registry already support their customers when they are infected with malware or their website is abused for drive-by infections. Measures that are already in place include the notification of affected DSL-line subscribers and domain owners and supporting them with the removal of malware and/or drive-by code. But they go as far as turning off DSL lines or removing second-level domains from the DNS. We all agreed that a cooperation would be much more effective in removing malware and preventing new malware infections in Switzerland.
There are currently different activities, from informal meetings to discuss best practices to the discussion of an official anti-botnet initiative like the German anti-botnet initiative or the Japanese Cyber Clean Center. We don't yet know the formal way of cooperation, but we want to present the challenges and results of our cooperation as well as the individual measures we already have in place to prevent infections via drive-by on .ch websites and to remove malware from infected PCs in Switzerland.
MD5: 607231455632bd335742ce159b04ad29
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.36 Mb
Przemek Jaroszewski (NASK)
Coaching means support in reaching specific goals and results. In CERT context, coaching of a new or relatively inexperienced team can be performed by a more experienced partner (another team or an individual) and it can extend from the stage of establishing a new team to reaching certain operational capabilities. While there is an increasing number of training programs available for CERT teams and their members, individual coaching seems to be unpopular, most likely due to the fact that it requires relatively high costs in money and resources. However, once the resources can be allocated, the “return on investment” should be unparalleled. Between 2007 and 2009 CERT Polska had been running a project with Central and Eastern European Networking Association (www.ceenet.org), with an ambitious goal of building a network of operational CERTs in countries associated by that organization, particularly in Caucasus and Silk Road Regions, as well as some other countries of former USSR and Balkan States. The project involved coaching and mentorship which should result in new teams joining FIRST and becoming Accredited by Trusted Introducer. The project was called CLOSER, and while it was not entirely successful, it yielded some success stories as well as valuable lessons learned.
The presentation will briefly cover the CLOSER project, its virtues and shortcomings, as well as stories of some of the coached CERTs from the perspective of two years after completion of the project. I will also discuss possible goals that can be achieved in similar projects, their metrics, and incentives for all involved parties.
jaroszewski-przemek-slides.pdf
MD5: ce1a061a9bfce049d6038e3bb2f0747e
Format: application/pdf
Last Update: June 7th, 2024
Size: 829.89 Kb
Chris Smithee (Lancope, Inc.)
From WikiLeaks to Anonymous and LulzSec, 2011 has been marked by an explosion of high-profile cyber attacks. This steady stream of directed attacks is expected to continue, if not increase, in 2012. Due to the extreme motivation behind today’s attacks, technologies that are designed to block them at the perimeter, or use signatures to detect malware, are no longer enough to protect corporate and government networks. Attendees will learn how leveraging NetFlow (and other flow data) can provide the end-to-end visibility and situational awareness required to protect them from the full spectrum of threats facing today’s enterprises. Having a complete picture of everything happening on the network makes it easier for IT administrators to investigate and mitigate anomalous behaviors that could signify APTs. By collecting and analyzing flow data inherent in their network infrastructure, organizations can seamlessly and cost-effectively create an always-on sensor grid for proactively detecting and thwarting advanced attacks that bypass external defenses.
smithee-christopher-slides.pptx
MD5: 1a19ecf61bd00658d54343429e2130b6
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 6.91 Mb
Thomas Millar (US-CERT, US)
Most commonly adopted models for cybersecurity incident handling can trace their origins back to a model developed over 20 years ago, in a very different climate than the one incident response and security teams operate in today. That model focuses on a linear approach to identifying, containing and remediating incidents in your own local environment first, and sharing information with others after the fact.
Modern threats consistently cut across national, organizational and sector boundaries, requiring coordinated collaboration on the part of any network defense operation that hopes to be truly successful. Modern networks can also present "information overload" problems for watch standers, analysis teams and decision makers, presenting additional challenges for identification, escalation and follow-through whenever significant incidents arise.
US-CERT is developing a coordinated model for cybersecurity incident management to improve cooperative operations, shape the adoption of standards for incident data exchange, and streamline the flow of necessary information to the right participants at the right time throughout the cycles of identification and response. This is an opportunity for the FIRST community to learn about the progress of our efforts, provide feedback on the model and pursue avenues for future collaboration.
MD5: 3b207b1e6f986f91e7d0749de09916eb
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.36 Mb
Nelson Uto (CPqD Telecom & IT Solutions)
The objective of this 45-minute presentation is to show how we decrypted and accessed the contents of the files generated by three different malware samples, specially designed to steal sensitive information from a very particular environment belonging to a client. The activities were performed based only on the encrypted files and the malware binaries, since we did not have access to the live systems and the specific hardware employed by them. Despite this restriction, we were able to shorten the amount of time spent on dynamic and static analysis, thanks to the strategy and cryptanalytic techniques that we employed.
This talk will cover the following topics: introduction; detection of weak cryptosystems; description and cryptanalysis of classic algorithms; review of block ciphers; review of DES and 3-DES; identification of the possible encryption mechanisms employed by the malware; deciding what to look for; confirmation of the algorithm used; searching the key within the malware code; searching the key within main memory; finding the key; decrypting the files; worst scenario.
MD5: fa142559e6fc8d7eb558c83dcd3cdfda
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.5 Mb
Anu Puhakainen (Ericsson), Erka Koivunen (CERT-FI)
This presentation is composed jointly by CERT-FI and Ericsson PSIRT under the conference theme "Security is not an island". The presentation outlines practical cases where a national CSIRT and a vendor can work effectively together to solve security problems with a potential to have a negative impact on third parties.
One often hears claims that cooperation between government authorities and commercial organizations cannot and does not work. The presenters argue that cooperation is not only possible but yields fruitful results. CERT-FI and Ericsson PSIRT have a long history of working together on a variety of product security cases and share information on a regular basis.
The presentation first gives a brief background on both organizations' approach to PPP and then proceeds to show practical examples of cases involving bilateral or multilateral cooperation. Lastly, the presentation summarizes the benefits of such cooperation in terms of lessons learned and shares some proven hints and tips for the audience on how to realize something similar in other countries.
What works in Finland, should work anywhere else. Or is Finland after all an island where we have been lucky enough to find ourselves stranded together?
koivunen-puhakainen-slides.pdf
MD5: f810b2ceeb1a6e7e4d12a0436c6a37b6
Format: application/pdf
Last Update: June 7th, 2024
Size: 193.41 Kb
Steve Christey (MITRE, US)
MD5: 7ffe64c0b59e02748ded81ab61ea15f1
Format: application/pdf
Last Update: June 7th, 2024
Size: 564.31 Kb
Seth Hanford (Proofpoint, US)
Seth Hanford is a Principal Engineer at Proofpoint. In his role, he serves as security architect, and as an advisor to the enterprise CSIRT, PSIRT, and other Global Information Security functions responsible for designing secure architectures and protecting customer and enterprise data for the company. He has previously worked as Sr. Manager for Detection & Response for a Fortune 100 financial services firm, as well as various vulnerability & threat intelligence roles, and as a PSIRT incident manager for a Fortune 100 network technology company. He has been active in the FIRST community over the past decade, including service on the CVSS SIG during v2, and as SIG chair for the development of CVSS v3.
MD5: 2175f395dd5de1bf0b179393cf000902
Format: application/pdf
Last Update: June 7th, 2024
Size: 577.65 Kb
Cory Mazzola (US-CERT, US), Jeffrey Brown (Cyber Clarity)
Cory Mazzola is a member of the General Dynamics senior technical staff supporting the US-CERT Operations mission in the Washington DC Metro area. His primary focus areas include intrusion detection, incident response, advanced analytics, security operations management and enterprise solutions.
Jeff Brown is a senior principal member of Cyber Clarity, a United States consulting organization specializing in cyber security operations. Before joining Cyber Clarity, Jeff was the lead crimeware analyst at US-CERT, and was responsible for identifying emerging crimeware trends and coordinating remediation efforts with law enforcement, foreign CERTs and other partners.
MD5: 5343c1a8b203c162a3bf3870d9f50fd4
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 1.22 Kb
Suleyman Anil (NATO)
The Third Millennium started by witnessing Cyberspace being added, as a new global domain, to the natural domains of open seas, air and space. Mankind has always progressed by taking advantage of the opportunities offered by the open seas, air or space. Yet the opportunities offered by Cyberspace are unprecedented, both in scope and in speed. The third millennium will benefit those who know how to utilize cyberspace better. On the other hand, the unprecedented opportunities offered by cyberspace require protection. Piracy on the open seas took centuries to cease (well, almost). We need to move much faster in Cyberspace to respond to cyber threats, which are global in nature. Global threats can only be countered by global measures. Given the multi-stakeholder nature of Cyberspace, we all have shared responsibilities to make cyberspace a safer global domain. Currently the most important shortcoming in defending against cyber threats is the lack of international cooperation. Through its 28 Member Nations and 40 Partner Nations, NATO has been raising awareness and assisting capacity building against global cyber threats at strategic levels. In this decade, the international community needs to do better to make sure, first, that its own cyberspace is kept in a state of "hygiene" and, secondly, to assist others in defending their cyberspace.
MD5: 35be858e8ffc0e882135bdeb2567607d
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.49 Mb
Igor Nai Fovino (Global Cyber Security Center)
Dr. Igor Nai Fovino: Igor is the Head of the Research Division of the Global Cyber Security Center.
Igor has deep knowledge in the fields of ICT security of industrial critical infrastructure, energy and smart grids, risk assessment methodologies, intrusion detection techniques, cryptography and secure network protocols. In this context he is the author of more than 60 scientific papers published in international journals, books and conference proceedings; moreover, he serves as a reviewer for several international journals in the ICT security field. In May 2010 he received the IEEE HSI 2010 best paper award in the area of SCADA systems. He is also an expert in European policies (mainly in the CIIP field) and in European policy support mechanisms.
During his career Igor worked as a contractual researcher at the University of Milano in the field of privacy-preserving data mining and computer security, and as professor of Operating Systems at the University of Insubria.
From 2005 to 2011 he served as Scientific Officer at the Joint Research Centre of the European Commission, where he led the European Laboratory for ICT Security of Industrial Critical Infrastructure, providing scientific support to the EU policies related to the EPCIIP program. Since 2007 he has been a member of the IFIP Working Group on Critical Infrastructure Protection.
MD5: db75ff755959f219b5eee2609e59b44b
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 5.66 Mb
Rod Rasmussen (IID)
DNS "firewalls" are a potent protective measure against botnets, spear phishing and APT attacks, preventing compromised computers on your networks from communicating with their C&Cs and drop zones. However, the same technology that can be used to protect enterprise and other organizations' networks is also in play at the nation-state level, where various policies and laws are leading to filtering of the Internet based on the DNS. As more nation-states look to legislate blocking at ISPs or even deeper, what implications does that have, especially for new attack vectors as people circumvent such measures? Also, how do you as a CERT or network security professional implement a "DNS firewall" for the networks you protect using the variety of resources out there, and then manage it properly? Great technology is almost always a two-edged sword, and using your DNS resolvers to dictate how your users see the world is one of the ultimate examples of this. This session will examine the pros, cons, and how-tos of the technology.
MD5: 8461bd032b799b8aae702173551559e5
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.92 Mb
Costin Raiu (Kaspersky Lab), Vitaly Kamluk (Kaspersky Lab)
The Duqu threat made a big noise in the media in the autumn of 2011. Although its impact was hard to estimate, everyone felt that something major was happening behind that name.
We, at Kaspersky Lab, spent a lot of time working on this threat, as it seemed to involve cutting-edge malware technologies and unknown 0-days used in the attack.
The presentation will show some results of a Duqu workgroup and will explain what Duqu was, why people think it was similar to Stuxnet, how it was controlled, how long it had been used and what traces were erroneously left by the attackers on a set of compromised systems. Please expect only technical information about the threat, as we are not going to speculate on who may have developed and controlled it and for what reasons.
We would also like to share some of our experience (wins and fails) in international collaboration with CERTs, LE and private companies during the investigation.
MD5: 297b86888b485a3e18955130538dfed2
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.57 Mb
Martin Nystrom (US)
Security threats have grown from network annoyances to attacks on your sensitive infrastructure. Evidence indicates that security threats are growing more sophisticated and aimed at embedded deployment. This presentation will share Cisco CSIRT's evolving architecture for addressing sophisticated, embedded threats.
Topics will describe how CSIRT has evolved its network infrastructure over the past 10 years, and will give detailed architectural examples and guidance regarding its multi-petabyte global deployments of:
It will also include a description of how CSIRT Engineering is integrating the following solutions into their global deployment:
MD5: bd1badaf32b737f27387b778c235573e
Format: application/pdf
Last Update: June 7th, 2024
Size: 14.23 Mb
Masato Terada (IPA, JP)
In this presentation, I show the concept of "scenario-based self-training material for incident response".
The research motivation is: "How can we provide a training resource for general users and newcomers that helps them understand incident response to both old (e.g. network worm infection) and new (e.g. Advanced Persistent Threat) types of incident?"
The keywords for the solution are "self-training" and "scenario-based".
Many incidents disclose some snapshot information (e.g. privacy information disclosure, SQL injection, etc.), but we can't acquire incident details such as the response scenario. In other words, in many cases we can't publish our own incident details either.
Therefore, we propose the concept of "scenario-based self-training material for incident response", which creates a new incident scenario by selecting and combining parts from many facts.
We make the new incident scenario by selecting and combining parts from customized blocks. That scenario is a virtual story rather than a fact, but it is based on facts.
Also, in "scenario-based self-training material for incident response", the scenario writer presents learning and discussion points.
MD5: 9daeb258476960911848adf88ba6f073
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.02 Mb
Sindri Bjarnason (CERT-IS, Icelandic National CERT Team, IS)
With preliminary funding secured in early 2011, the Icelandic Post and Telecommunication Administration (PTA) was tasked with establishing a CERT team in Iceland. In this presentation we will reflect on the major challenges faced by the PTA team in the months leading up to the official launch of the Icelandic national CERT team (CERT-IS). The primary goal of the PTA is to have the team provide information and, if needed, assistance to its initial constituency members (the Icelandic telecommunication companies) when dealing with computer security incidents.
From the start, time and budgetary constraints imposed on the project played a significant role in how the PTA chose to approach the many challenges of creating a CERT team from scratch. With assistance from the Finnish national CERT team and Clarified Networks, CERT-IS launched the AbuseHelper framework for internal use in October 2011. This turned out to be a pivotal moment for the CERT-IS team, as it provided the team with fairly detailed insight into the current state of security incidents within its constituency networks as well as providing a means for continuous situational awareness.
We will cover in detail the 60 days following the AbuseHelper framework implementation, with emphasis on some of the key issues that emerged and the lessons learned during that period. We will focus on a) location and evaluation of available sources for incident-related data, b) control of the flow of data through automation and c) extending AbuseHelper in order to respond to specific requirements of the constituency.
With AbuseHelper serving as central data aggregation storage, in conjunction with the ability to extend its functionality, the CERT-IS team could focus more on adding value to the processing of incident data rather than simply ensuring timely report-to-contact transactions. We will explore some of these value-adding processes as well as look towards the future and view the CERT-IS goals in the coming months.
MD5: 39e02fe844e41dc490398f756ef7c7b0
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.39 Mb
Kevin Thomsen (Citi)
Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive - later updated by 2003's Homeland Security Presidential Directive 7 - mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.
Constantly gathering reliable and timely information from financial services providers, commercial security firms, federal, state and local government agencies, law enforcement and other trusted resources, the FS-ISAC is now uniquely positioned to quickly disseminate physical and cyber threat alerts and other critical information to your organization. This information includes analysis and recommended solutions from leading industry experts.
Rapid and Trusted Protection for Our Companies, Our Industry and Our Country
The recent successful completion of our Critical Infrastructure Notification System (CINS) allows the FS-ISAC to speed security alerts to multiple recipients near-simultaneously while providing for user authentication and delivery confirmation. The FS-ISAC also provides an anonymous information sharing capability across the entire financial services industry. Upon receiving a submission, industry experts verify and analyze the threat and identify any recommended solutions before alerting FS-ISAC members. This assures that member firms receive the latest tried-and-true procedures and best practices for guarding against known and emerging security threats.
Joining the FS-ISAC is one of the best ways financial services firms can do their part to protect our industry and its vital role in the U.S. critical infrastructure. To that end, FS-ISAC membership is recommended by the U.S. Department of the Treasury, the Office of the Comptroller of Currency, the Department of Homeland Security (DHS), the United States Secret Service, and the Financial Services Sector Coordinating Council. In fact, both Treasury and DHS rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis.
MD5: 3e40828beb77cf8e164102685b701c39
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.61 Mb
Aaron Kaplan (EC-DIGIT-CSIRC, AT), Alexandre Dulaunoy (CIRCL, LU), David Durvaux (European Commission, BE), Sebastien Tricaud (Devo, US)
Aaron Kaplan currently works for EC-DIGIT-CSIRC, where he focuses on how to leverage the power of Large Language Models (LLMs) for CTI purposes. Prior to joining EC-DIGIT-CSIRC, Aaron was employee #4 of CERT.at, the national CERT of Austria. He was a member of the board of directors of FIRST.org from 2014 to 2018. He co-founded intelmq.org, a tool for automating incident handling workflows. He is a frequent speaker at (IT security) conferences such as hack.lu and Black Hat, amongst others.
He is co-chair of the AI Security SIG at FIRST.org. Aaron likes to come up with ideas which have a strong benefit for (digital) society as a whole and which scale up. He loves sharing knowledge and open source tools to automate stuff.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to find out how the thing worked. While pursuing his logical path towards information security and free software, he worked as a senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is the lead developer of various open source tools, including cve-search, and a member of the MISP core team. Besides his activities in cyber-security, he is also fond of generally fixing anything that's broken around the office.
David Durvaux holds a master's degree in applied sciences in computer science ("Ingénieur Civil informaticien") from the Université Catholique de Louvain (UCL) with an orientation in computer networks, distributed applications and security. David is now working for CERT.be as a Security Analyst and is a contributor to the AbuseHelper open-source project.
Sebastien Tricaud is the founder of Picviz Labs. He has more than 15 years' experience implementing various intrusion detection and prevention systems and currently serves as the Honeynet Project Chief Technology Officer. He has lectured at conferences such as Eicar, CanSecWest and Usenix, is regarded as a visionary in computer security, and does not talk on subjects already covered by many. He currently works on how to effectively find attacks in huge amounts of data.
tricaud-dulaunoy-kaplan-durvaux-slides.pdf
MD5: 151be54cd44b9bb2d083f40e40b85765
Format: application/pdf
Last Update: June 7th, 2024
Size: 938.27 Kb
Greg Rattray (ICANN, Multinational organisation), Suleyman Anil (NATO), Yuejin Du (Deputy CTO of CNCERT, CN), Yurie Ito (JP)
This panel will explore the role of CERTs in growing global and regional efforts focusing on reducing the outbreak and risks associated with cyber conflict. The focus will be on how CERTs can play a role in agreements, both formal and informal, that improve crisis communication and build confidence between nations and other actors in order to reduce the degree of escalation of cyber conflicts and to improve understanding of likely behavior of actors involved. The panel will build on both recently published academic and policy writings on this topic as well as the engagement of the panelists in on-going negotiations and operations in this area to include the US-China and US-Russian cyber bilateral discussions, the China-Japan-Korea Joint MOU on Collaboration on Cyber Security Incident Response, the APCERT efforts on cyber clean up, the Nordic CERT framework for collaboration and the OIC cybersecurity collaboration efforts.
anil-rattray-du-ito-slides.pdf
MD5: 1b8270897b9636960b4c930482579aa5
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.02 Mb
Kent Landfield (McAfee, US)
MD5: 128132d83d51c8cf657330dda5d88bf3
Format: application/pdf
Last Update: June 7th, 2024
Size: 413.63 Kb
Pawel Pawlinski (CERT Polska / NASK)
Malicious web pages that use either drive-by downloads or social engineering to exploit the systems of unsuspecting users are presently one of the most serious threats in computer security. This presentation will introduce an open-source framework for detection of client-side attacks, developed by NASK and NCSC (formerly GOVCERT.NL): Honey Spider Network 2.0. Version 1.0 was a unique combination of a high-interaction client honeypot (Capture-HPC NG, see http://pl.honeynet.org) with a custom low-interaction honeypot, resulting in a system that is able to use different approaches for the analysis of web pages.
Building on the experience gathered from the previous version of the system, we completely redesigned the architecture, focusing on creating a flexible and scalable framework. At the core of the solution is a high-performance engine that controls the flow of tasks being processed and distributes the workload using AMQP (Advanced Message Queuing Protocol). HSN 2.0 leverages the functionality of a multitude of services (plugins) for data acquisition and analysis. New ones can be created in a straightforward way: they can be implemented in any language, our protocol is well documented and AMQP is a standardized transport layer. Existing honeypot, crawler or threat analysis solutions can be easily plugged in. All this allows the system to go beyond analyzing just URLs and also inspect files such as PDFs, Office documents, Flash, etc. Furthermore, the architecture is very fault tolerant, meaning that a failure of any single service does not leave the system unusable.
Building such an open and universal architecture is necessary if the security community is to keep up with the dynamically shifting threat environment. In our experience, this goal is only achievable through a collaboration of many experts, each contributing knowledge (and code) about certain types of exploits and threats.
Apart from the overview of the system's architecture, preliminary results of the system's performance in real-world scenarios will be discussed. A demonstration of the system detecting various threats through multiple plugins will be carried out.
MD5: 228c501db46336717ca307532f507752
Format: application/pdf
Last Update: June 7th, 2024
Size: 386.74 Kb
Bisyron Wahyudi (Id-SIRTII, ID)
In the early stage of the Internet era, Internet traffic was thought to be well modeled by a Poisson process, because hosts were assumed to send and receive data packets randomly. The validity of this assumption has clearly been lost on the basis of various experimental measurements. Power-law properties have been investigated intensively during this decade. The purpose of this paper is to introduce the power-law properties found in Internet packet flow, especially in Indonesia. This paper contains three sections. In the first section, we remind the reader of the concept of a power law. In section two, the power-law structure of the Internet and the power-law properties of Internet packet flow are discussed. In section three, we focus on the relation between the power-law structure of the Indonesian Internet and the power-law properties of Indonesian Internet packet flow. Future challenges in investigating power-law properties in various Internet measurements are also discussed.
MD5: 03ccb762b69dd22c685be1c5ea4095f0
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.14 Mb
Suguru Yamaguchi (FIRST, JP)
MD5: 707446e70ede928dcacfb4dcc0c7a5ff
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.81 Mb
Wim Biemolt (NL)
SURFnet ensures that researchers, instructors, and students can work together simply and effectively with the aid of ICT. It therefore promotes, develops, and operates a trusted, connecting ICT infrastructure that facilitates optimum use of the possibilities offered by ICT. SURFnet is thus the driving force behind ICT-based innovation in higher education and research in the Netherlands. Institutions that use the same ICT facilities have a common interest in effective security. SURFcert plays an important role here. SURFcert, SURFnet’s Computer Emergency Response Team, investigates and coordinates in cases of security breaches that appear to originate from institutions connected to SURFnet or when a SURFnet institution is the victim.
MD5: 4ebeba972155a895a9e5b9f92997329f
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.9 Mb
Ismail Guneydas (Yahoo!, US), Ramses Martinez (Verisign)
Incident response in a large environment hosting multiple businesses such as mail, retail, online advertising, digital media and news can be a complex and arduous task. During this presentation the audience will be guided through the process that allows an incident response team to successfully deal with issues that cross all of these sometimes disparate business lines. The presenters will discuss the tools and processes used, and the role that open source intelligence and counter-intelligence play in a successful incident response process. The presenters will also discuss two real incidents (one fraud case and one application security issue) that will allow the audience to see the process, procedures and tools in action during the incident response process.
MD5: aea257bf887139e49aace7c2a3035258
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.37 Mb
Almantas Kakareka (CTO, Demyo, Inc.)
You have all heard the term cybercrime, and you have heard about all things cybercrime: stolen credentials, identity theft, fraud, blackmail, DDoS and more. You may have heard that there are markets for goods connected to computer crime. You may have heard that there is a lot of money in it (enough to pay off the national debts of most states including the USA, if you total all reports on damages by cybercrime). As usual, the problem lies in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them and by which means? Surely you cannot just walk into a chat room, drop your credit card number and part with the digital loot, or can you? What if you end up being a trade object yourself? Screenshots of actual high-profile advertisements, such as a post offering mysql.com root access for sale, are shown.
IT security companies and law enforcement organizations have a vested interest in investigating these mechanisms. The information is vital for everyone implementing IT security as well. You have to know who is up against you and why. This is the basic information every defender needs to possess, and proper knowledge is one of the few advantages you can use for the protection of your assets.
Almantas Kakareka will address these questions in his talk "Insight Into Russian Black Market". He will give you an insight into the underground and explain which "products" are traded by criminals. If you are in charge of securing the digital heart of your enterprise or of implementing security, then you should listen to this talk.
MD5: 054fb7dc288012bf9ea43c801d167f3a
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 4.58 Mb
Kai-chi Chang (III, ICST, TW)
MD5: 871dcc20b563e0f779ea737f57461a6c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.8 Mb
Francisco García Morán (Director General, DG Informatics, European Commission, EU)
Trust and Security is one of the key areas of work in the Digital Agenda for Europe, one of the 7 flagship initiatives launched by the Commission in the framework of EU2020, the EU initiative for smart, sustainable and inclusive growth. It is in this framework that the European Commission proposes, develops and implements its IT security policies including the internal ones.
The presentation will describe the framework in which the internal IT security initiatives are carried out and the challenges ahead. It will also describe how the policies are implemented internally, will present some of the tools used, and will describe some experiences in dealing with security incidents on the ground.
MD5: 1603a07835e489775e6dd3643fa1396a
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.8 Mb
Christian Van Heurck
CERT.be is the Belgian National CSIRT and has asked for the help of a bureau specialized in branding strategy development and marketing in order to better fulfill its wide-ranging tasks, which include treating and coordinating highly sensitive incidents, handling day-to-day abuse reports and creating awareness among the general Belgian public.
The result of this collaboration was a communication plan and strategy for CERT.be, including a tagline to be added to the CERT.be logo. It also turned out that a National CSIRT is a very "sexy" product to market due to the unique qualities of "the product", and some very surprising results surfaced after applying techniques and tools normally used to brand and position products and/or big companies.
We will implement the findings starting from January 2012 and we would like to present our findings and the results of this approach. Our aim is to give more visibility to CERT.be at all the levels involved: law enforcement, politics, the general public, ISPs and large companies and, last but not least, the press. CSIRTs are in fact all about communication, and using the press as a very strong ally in our fight against cybercrime and abuse should allow us to do our work more efficiently.
In this presentation I would like to present some of the very interesting conclusions of this collaboration and moreover I should be able to give valuable feedback and lessons learned after some six months into the implementation of this strategy.
van-heurck-christian-slides.pdf
MD5: b3b688a313008d847d79e56d3ca09b00
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.14 Mb
Neil Robinson (RAND Europe), Silvia Portesi (European Network and Information Security Agency (ENISA))
CERTs play an important role in helping to mitigate the impacts of cyber attacks and data provided by CERTs may also help industry and government to better understand threat patterns and attack trends, thereby improving the application of preventative measures and reducing the scope for future attacks. In order to mitigate the impact of cyber attacks, responses may require extensive cross-border coordination between CERTs, especially national/governmental CERTs, which are a particular type of CERT playing an important role at a national level in supporting such cross-border coordination. This coordination can include the sharing of certain types of data, in real time, concerning the source or destination of attacks (usually IP addresses) or log files of suspicious types of Internet traffic. Usually CERT cooperation and sharing takes place informally on the basis of trustful relationships.
Nonetheless, the complexity of the legal factors surrounding this cross-border collaboration could present issues and can complicate the delicate balancing act that CERTs have to perform between fulfilling their role and contributing to a better understanding of the relative state of cyber security on the one hand, and protecting the rights and obligations provided for by certain legal and regulatory frameworks on the other.
In this presentation we will focus on the ENISA’s study into the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe. Some of the legal and regulatory factors identified in the study will be presented, such as definitions and criminal sanctions concerning different types of computer and network misuse, the European legal framework governing data protection and privacy, and mandate and competences of the CERTs.
We will also look at some of the existing initiatives to overcome the legal challenges and at some of the recommendations proposed in the study to further improve the work of CERTs, such as the identification of ways to support operational coordination between CERTs, the dissemination of Declared Level of Service templates, ensuring that EU-level legislation takes account of the scope of national/governmental CERTs, and the articulation of why CERTs need to process personal data.
MD5: 3282ff9acc4d7812b371d12ea1ccca83
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.36 Mb
Mounir Mostafa Kamal (QCERT)
Every country is a special case when it comes to fighting malware and planning disinfection. In my presentation I will explain the procedures we are applying in Qatar to manage malware at the national level in cooperation with ISPs, and how we use this system to contact the public everywhere (at home, in corporate and in governmental entities) to disinfect their machines from malware. Furthermore, we will go through a demonstration of how to use this system for a major incident, and of how we optimize our malware disinfection life cycle.
MD5: 2a60dbc1d111c1fe2fdc53f479fb4368
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.17 Mb
Eldar Lillevik (NorCERT), Marie Moe (NorCERT)
Using some real-life cyber espionage incidents in Norway as a basis, Marie and Eldar from NorCERT will drill down into some of the challenges modern national CERTs have to live with, including aspects like:
- how to put sensors in the basements of private companies (voluntarily), when you are the "secret service"
- how not to be a competitor to private security consultant companies
- how to build a good basis of signatures for intelligence, detection and early warnings
- malware analysis, and how this becomes an important tool for incident handling and the discovery of new attacks
- how some CERTs move from traditional incident response and abuse handling to counter-intelligence operations
- how difficult it is to handle the media, wanting to create awareness but at the same time not telling Who (is targeted), What (is taken) and Who (is behind)
MD5: 967900acaf0394bec3f1dea2ec889ff6
Format: application/pdf
Last Update: June 7th, 2024
Size: 42.59 Kb
Marnix Dekker (ENISA)
The Diginotar attack calls into question the foundations of secure communications and the role of some important players in the security industry (the CAs).
This talk will discuss ENISA's (recently published) analysis of the Diginotar case, and discuss the issues with HTTPS at large. Topics to be covered are as follows: the security of HTTPS (Blaze's Spy in the Middle), the relation with the existing security legislation for telcos (Article 13), if and how to enforce incident reporting and minimum security measures for critical service providers, how to quickly shore up weaknesses and flaws in HTTPS, if and how to overhaul the HTTPS scheme, who or what could be new trust anchors, etc.
This talk will encourage discussion among the audience rather than present a single proposal for solving problems.
MD5: 2074dcd746a882ec70ed1c3acb7fbb3c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.13 Mb
Kenneth R. van Wyk (FIRST.Org, US)
Love it or hate it, Apple's iOS mobile platform has arrived in the enterprise, now exceeding even RIM's (Blackberry) numbers. Often, the task of overseeing these systems' security falls on the IT Security team. So, what will you do?
This session looks at the major security pitfalls to avoid in iOS, and then surveys the various tools and techniques available to the IT Security teams. These include:
These are the practical issues that many IT Security teams will face in order to oversee iOS deployments, from small numbers of devices through thousands of distributed devices worldwide.
MD5: 940875eb55126aae531fc22668da2927
Format: application/pdf
Last Update: June 7th, 2024
Size: 12.92 Mb
Cristine Hoepers (CERT.br - Brazilian Internet Steering Committee, BR)
An overview of phishing and banking Trojan cases affecting Brazil or hosted in Brazil. This presentation will cover the challenges of getting takedowns, statistics about network distribution, uptimes, efficiency of AVs, etc.
MD5: 391238d065b4bd917fe5879881686ef3
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.91 Mb
Guilherme Vênere (Brazilian Academic and Research Network)
Pinkslipbot is a malware family originally created to steal personal and financial data from infected machines, and to provide complete control of the target machine through a back door. Initial versions of Pinkslipbot appeared around 2007, but only in recent years has the malware started to become more successful, due to improved spread methods and the fact that it started to target corporate networks. It was at this point that Pinkslipbot caught the attention of the media.
In this presentation, we will analyze the historical data about Pinkslipbot outbreaks and look at what has changed between each version, in order to understand the modus operandi of its authors and what we may expect in future variants. This data will include an in-depth look at the modus operandi of the malware authors during the most recent outbreak, to show how the malicious code is changed and adapted to counter actions by the antivirus industry.
We shall focus on specific features of Pinkslipbot that may be of use to both antivirus research as well as to enterprise and law enforcement entities trying to understand this threat.
MD5: a8bfb2fb8c132ebb5221c0943f593e8e
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.1 Mb
Andreas Schuster (Deutsche Telekom AG, DE)
Poison Ivy sells itself as a remote administration tool. It has been used in a wide variety of attacks, from fake screen saver trojans for the masses to the highly targeted attacks against RSA (1) and the chemical industry (2). The presentation will start with a brief introduction to Poison Ivy, its capabilities and configurable options. We will then have a closer look at the generated binary and learn how code and configuration data blocks are combined. We develop signatures that can help an incident responder to detect Poison Ivy in memory and to reconstruct its configuration without time-consuming reverse engineering. Next, we will examine network activity, especially the session initialization handshake. A brief cryptanalysis will reveal a weakness that incident responders can leverage to identify Poison Ivy command and control servers and to mount a brute-force attack on the attacker's shared secret.
(1) http://blogs.rsa.com/rivner/anatomy-of-an-attack/
(2) http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
MD5: 6240323bbc956616825cdb4a8bddb9fe
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.25 Mb
Andrea Dufkova (ENISA, GR), Piotr Kijewski (Shadowserver, PL)
The talk is going to cover a recently published ENISA report on the "Proactive Detection of Network Security Incidents". Proactive detection of incidents is the process of discovery of malicious activity in a CERT’s constituency through internal monitoring tools or external services that publish information about detected incidents, before the affected constituents become aware of the problem. It can be viewed as a form of early warning service from the constituents’ perspective. Effective proactive detection of network security incidents is one of the cornerstones of an efficient CERT service portfolio capability. It can greatly enhance a CERT’s operations, improve its situational awareness and enable it to handle incidents more efficiently, thus strengthening the CERT’s incident handling capability, which is one of the core services of national / governmental CERTs.
The study was largely community driven: it was based on a survey of 45 different CERTs and on input from a security expert group specifically formed for the study, supplemented by the research and knowledge of members of the CERT Polska team and ENISA. Results of the survey will be covered in the presentation.
One of the main discoveries of the study is that CERTs are underutilizing the various detection capabilities at their disposal, and even when they do detect incidents they fail to share the data they gather. For instance, the best rated external source of information (Shadowserver) is used by only 40% of CERTs. Fewer than 25% share information that they collect about other constituencies. Automation and correlation, critical to handling large numbers of incidents, is also a weak spot: only 35% of CERTs automatically correlate incidents.
In the presentation, we will explore why the above and other identified shortcomings (16 in all, mostly technical but also organizational/legal in nature) exist and remain inhibitors to a CERT's operational activity. We will provide an overview of the 35 recommendations for improvement covered in the report. Finally, for selected specific issues we will go into more detail, in particular exploring a next generation set of tools enabling the automated processing of bulk incidents.
Note that results of the project go beyond national/government CERTs and are applicable to all types of security incident response teams.
Report is available at http://www.enisa.europa.eu/act/cert/support/proactive-detection
MD5: 1cae965081e2dd899fca900da4a22e31
Format: application/pdf
Last Update: June 7th, 2024
Size: 1002.62 Kb
Christian Van Heurck, David Durvaux (European Commission, BE)
National and other active CSIRTs are facing huge amounts of incoming data from automated sources (e.g. Shadowserver, Team Cymru services, Clean MX, own honeypot and sensor data, etc.) as well as manual reporting. Processing all this valuable information in a timely manner poses a serious challenge (day after day) and can lead to frustration because valuable data, resources and time are being wasted, and to cross-reporting complications and multiple reports for the same incident that amplify the whole problem. CSIRTs are trying to combat organized crime but sometimes they feel like "unorganized superheroes".
Partially automating the process of treating automated sources with projects like AbuseHelper, Megatron or homebrew scripting can bring some relief but unfortunately this won’t solve the cross-reporting and other issues.
A second issue is how to create a global view of the data. National CSIRTs have an “island-view” on what’s happening inside their country (or a partial one) but are barely aware of what is happening in the neighboring countries.
By interconnecting automation systems one can create a global overview. Each island can share with peers legally and politically allowed information in order to benefit from more worldwide intelligence to solve major incidents. There are some natural geopolitical archipelagoes like the US, the EU, the Benelux, etc.
The goal of this presentation is to talk about the challenges and solutions on how to tackle the problems described above. Both legal and technical challenges will be included and we hope it will inspire the community to further collaborate in order to get rid of the CSIRTs island-view while still respecting its constituency, its autonomy and local legislation. This would help the Superheroes to get organized, enabling them to pose a much stronger opposition to organized Internet crime and abuse.
MD5: 4f80b7fd76963a194b4a58ccef31470f
Format: application/pdf
Last Update: June 7th, 2024
Size: 17.07 Mb
Coordinator: Takayuki Uchiyama (JPCERT/CC), JP and Steve Christey (MITRE), US
MD5: bd5063d4b6413a95f03e0ddff1669fdd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1022.71 Kb
Megat Muazzam Abdul Mutalib (MyCERT, MY)
MD5: d119eef85b749e1ee6b25f75e546c593
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.44 Mb
Maurice Cashman (McAfee, DE)
The goal of civil protection is to ensure a safe society. The systems that deliver and manage critical services, such as the smart grid, are part of the vital supply chain that supports a safe society. However, these systems are increasingly interconnected and exposed to cyber attack. With this new reality, building trust in critical infrastructure is a top priority for both the United States and European governments. Fortunately, organizations like ENISA and NIST understand that building resilient infrastructure requires cyber security and, in cooperation with other international organizations, are delivering awareness and practical standards. We can't stop all attackers, but we can manage the attack space and, through early detection, an understanding of attacker methods and proactive responses, we can significantly marginalize operational impacts. To ensure this outcome, we must build a strong foundation for trust within critical infrastructure. This presentation addresses the steps to establishing that trust in relation to cyber security: connecting stakeholders, building resilience, and fostering transparency. It will also discuss some of the challenges facing European and US governments in their efforts to deploy secure systems. Building trust in critical services is a long-term effort requiring the coordinated efforts of multiple stakeholders. Our civil protection planning must be comprehensive and include cyber security in the risk management process. The result of these efforts is a safe and resilient society.
MD5: 2c5357c8424bbe2574f954902c125de4
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.61 Mb
Carlos Martinez-Cagnazzo (CSIRT-Antel, UY)
BGP prefix hijacking is a well-known weak spot in the Internet's global routing system. An attacker who is able to successfully hijack a route prefix could, for example, redirect large amounts of traffic to his own systems, where he could perform packet sniffing or manipulation. A hijacked prefix could also allow a phisher to present authentic-looking URLs to his/her victims by redirecting traffic from the correct web server to his own compromised ones.
The ability to tweak the Internet's routing system to his/her own advantage could present an attacker with novel and very interesting tools to bypass current security mechanisms and entrenched user best practices.
The main goal of the Resource Certification Public Key Infrastructure is to improve the general security and stability of the global routing system. The RPKI allows legitimate resource holders to create digital certificates and other cryptographic proofs of routing policy that can be verified up to a trust anchor. Validating routers can use these proofs to assign validity properties to BGP UPDATEs, thus allowing router operators to apply policy decisions to routes according to the validity of said proofs.
This presentation starts with a description of the general guidelines for Internet number resources management followed by a high level description of the current system of Internet Registries and the global routing system and the security problems it currently presents.
Some security aspects of the routing system that require improvement will also be described. The Resource Public Key Infrastructure will then be described at a high level, showing how it mitigates the risks associated with these aspects by allowing rightful owners to assert their usage rights over Internet resources.
Some well-known and well-publicized cases of route and traffic hijacking will be presented, since they provide one of the main drivers behind RPKI.
Finally, the current state of the project from both the IETF's and the RIRs' point of view will be described, together with the currently planned project roadmap and some statistics gathered by the RIRs after a year and a half of production operation.
Since the RPKI is currently scheduled for a Jan 1 2011 production release by LACNIC and the other RIRs, with the sole exception of ARIN, the presentation will also include results and experiences from the first 6 months of operation.
Some references:
[RFC2050] Internet Registry IP Allocation Guidelines: http://tools.ietf.org/html/rfc2050
[SIDR] Secure Inter-Domain Routing Working Group: http://datatracker.ietf.org/wg/sidr/charter/
[RFC3779] X.509 Extensions for IP Addresses and AS Identifiers: http://www.ietf.org/rfc/rfc3779.txt
[DRAFTROA] A Profile for Route Origin Authorizations (ROAs): http://tools.ietf.org/html/draft-ietf-sidr-roa-format-07
[RADB] The Routing Assets Database: http://www.radb.net
MD5: 5c75ba5cf7d42cb9d18fde1ce0512ed8
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.23 Mb
Atanaí Sousa Ticianelli (Brazilian Academic and Research Network, BR)
The Brazilian Academic and Research Network (RNP) is a universe of more than 800 institutions, 3.5 million users and countless connected systems. The diversity of this network represents a challenge to information security and specifically to incident handling. This presentation will cover the results of incident handling activity over the last few years at the Brazilian Academic and Research Network, explaining how this process works on a national backbone, the main challenges, and the numbers and indicators related to it.
MD5: 9c5cc0000e31dad40f10014e1c26741e
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.46 Mb
Patrick Cain (Anti-Phishing Working Group, US)
Although initially an Internet phenomenon, perpetrators of many types of crime and their victims are now routinely in different jurisdictions, which inhibits investigation follow-up and prosecution. This is sub-optimal: if the good guys want to respond to the speed and offensive capacity of the cybercrime gangs, the global coordination of crime intelligence is a hard problem. This presentation will identify and discuss a number of current projects trying to improve the flow of eCrime and traditional crime reporting between victims, private-sector investigators and law enforcement organizations in different or multiple jurisdictions. Some of the treaty-organization-led efforts have identified important issues and suggested potential solutions, while other efforts have run table-top or pilot exercises to test out various scenarios. Additional lessons learned and issues uncovered in these projects, along with future plans, will be discussed to inform the audience about these efforts so they may decide to participate or, at least, not be surprised when asked to participate by their local governments.
MD5: 94564d32e8cfdab5dcbf871550b134b1
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 3.08 Mb
Wes Young (REN-ISAC)
The REN-ISAC is a federation of diverse research and education institutions concerned with operational computer and network security. What slowly started out with some people, some hacked-up mailing lists, a wiki and some magic Perl glue to share intelligence quickly snowballed into a vast sea of data that no one could keep track of or use in their day-to-day operations.
Over the last few years we've invested most of our development time and effort into building tools that lower the barrier to entry for our community to share data intelligently. These tools have not only been developed with our own CSIRT constituencies in mind, but also based on feedback from the international CSIRT community.
This talk will focus on how our community went from a set of extremely raw tools to an automated end-to-end process of sharing data within a large heterogeneous community. First we'll detail how institutions currently share data directly into each other's IR process with little or no human interaction. We'll also discuss how we've enhanced various international standards that enable our constituency to further share data with law enforcement agencies as well as our trusted mitigation partners. Additionally, this talk will review the most common data-sharing hurdles when partnering with external organizations, and why most global data-sharing ventures have failed to scale in this space. This will include things like data parsers, information sharing agreements and data formats. And finally, we'll talk about how we plan to evolve this application into the big-data environment (hundreds of billions of things per day) over the next three years.
Attendees should walk away with a real life set of tools and lessons learned, both technical and strategic, that they can use to scale internal intelligence operations past their own borders.
MD5: 30ba901f5725cc3bdceb6709cf027b7a
Format: application/pdf
Last Update: June 7th, 2024
Size: 501.48 Kb
Tsukasa Oi (Fourteenforty Research Institute, Inc., JP)
Most modern operating systems for smartphones are designed to protect the whole system through enforced security, compared to classic mobile operating systems like Windows Mobile. However, such designs are repeatedly broken by "third-party" OEMs because of inappropriate modifications and/or missing security design. In this talk, I will talk about some such cases regarding the Android and Windows Phone 7 operating systems, in which such modifications are permitted.
MD5: 1bdc7de930118154742f05f63498751b
Format: application/pdf
Last Update: June 7th, 2024
Size: 271.53 Kb
Masato Terada (IPA, JP)
Masato Terada received an M.E. in Information and Image Sciences from the University of Chiba, Japan, in 1986. From 1986 to 1995, he was a researcher at the Network Systems Research Dept., Systems Development Lab., Hitachi. Since 1996, he has been Senior Researcher at the Security Systems Research Dept., Systems Development Lab., Hitachi. From 2002, he studied at the Graduate School of Science and Technology, Keio University, and received a Ph.D. in 2005. Since 2004, he has been with the Hitachi Incident Response Team. He is also a visiting researcher at the Security Center, Information-Technology Promotion Agency, Japan (ipa.go.jp), as well as JVN associate staff at JPCERT/CC (jpcert.or.jp).
MD5: 20fd0031725fbe18be5f978043224565
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.76 Mb
Lance Spitzner (SANS Securing The Human Program, The SANS Institute)
Mr. Lance Spitzner is the Training Director of the SANS Securing The Human program. He is an internationally recognized leader in the field of cyber threat research and security training and awareness. He has helped develop and implement numerous multi-cultural security awareness programs around the world for organizations as small as 50 employees and as large as 100,000. He invented and developed the concept of honeynets, is the author of several books, and has published over thirty security whitepapers. Mr. Spitzner started his security career with Sun Microsystems as a senior security architect, helping secure Sun's customers around the world. He is the founder of the Honeynet Project, an international, non-profit security research organization that captures, analyzes, and shares information on cyber threats at no cost to the public.
Mr. Spitzner has spoken to and worked with numerous organizations, including the NSA, FIRST, the Pentagon, the FBI Academy, the President's Telecommunications Advisory Committee, MS-ISAC, the Navy War College, the British CESG, the Department of Justice, and the Monetary Authority of Singapore. He has consulted around the world, working and presenting in over 20 countries on six different continents. His work has been documented in the media through outlets such as CNN, BBC, NPR, and The Wall Street Journal. He serves on the Distinguished Review Board for the Air Force Institute of Technology, Technical Review Board for CCIED, and the Information Assurance Curriculum Advisory Board at DePaul University. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois-Chicago.
MD5: 4bdc1d62882e246ccfc96e8e112e59af
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.69 Mb
Harold Booth (NIST, US), Masashi Ohmori (IPA, JP)
MD5: dd4a8ddb68f336f99f4d19f30dda9602
Format: application/pdf
Last Update: June 7th, 2024
Size: 311.52 Kb
MD5: d043df88eee8a04fadaf1f5937ea72a1
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.25 Mb
Aart Jochem (GOVCERT.NL)
In this presentation Aart Jochem will give behind-the-scenes insights into handling the DigiNotar incident, from hack to national crisis. What happened, how did this impact our operations and which lessons can be learned?
DigiNotar was an important certificate service provider for the Dutch governmental PKIOverheid. The report of a fraudulent certificate issued by DigiNotar came as a bombshell to GOVCERT.NL. The seriousness of the situation was clear immediately, though the real impact on Dutch society became apparent later that week. Aart will present the chain of events which led from the report from CERT Bund to the management takeover of DigiNotar by the government.
MD5: 25b50f7fac22b363dda155c4a509628a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.52 Mb
Peter Kuper (In-Q-Tel, US)
World markets gyrate seemingly almost daily, with 100-point swings barely worth a mention. Yet, as these high-level indicators try to hint at the overall direction of the economy, a number of other data points can show a more detailed picture of where we're headed. From an IT security perspective, much can be gleaned from this, including the impact on vendors, budgets and, of course, attackers. Peter Kuper's presentation distills the macro-economic data right down to how it impacts the IT security professional's role, and offers some perspectives on ways to engage successfully in the current environment.
MD5: 4de3347c7c7c877b560657d3e15a2835
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.89 Mb
Ken Van Wyk (KRvW Associates, LLC)
Ken is a CERT® Certified Computer Security Incident Handler, as well as an internationally recognized information security expert and author of the popular O'Reilly and Associates books, Incident Response and Secure Coding: Principles and Practices, as well as a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.
Ken has previously held senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-CERT incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.
Ken has previously served as the Chairman and as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He currently sits on their Steering Committee and Board of Directors. He holds a mechanical engineering degree from Lehigh University and is a frequent speaker at technical conferences, including S3, CSI, ISF, FIRST, and others.
MD5: 17e5aaf17fff2ad355fe40386da70461
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 3.83 Mb
Dave Waltermire (NIST), Masato Terada (IPA, JP)
Masato Terada received an M.E. in Information and Image Sciences from the University of Chiba, Japan, in 1986. From 1986 to 1995, he was a researcher at the Network Systems Research Dept., Systems Development Lab., Hitachi. Since 1996, he has been Senior Researcher at the Security Systems Research Dept., Systems Development Lab., Hitachi. From 2002, he studied at the Graduate School of Science and Technology, Keio University, and received a Ph.D. in 2005. Since 2004, he has been with the Hitachi Incident Response Team. He is also a visiting researcher at the Security Center, Information-Technology Promotion Agency, Japan (ipa.go.jp), as well as JVN associate staff at JPCERT/CC (jpcert.or.jp).
MD5: 5a82bc0e0019941fbc229a9fad0b2c15
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.02 Mb
MD5: 98817dee277983ff32bda00a4dd80cb1
Format: application/pdf
Last Update: June 7th, 2024
Size: 131.04 Kb
Hiroshi Koide (Kyushu Institute of Technology, IPA, JP)
We discuss a countermeasure against APTs (Advanced Persistent Threats). The proposed method enables efficient planning of defense strategies to counter APTs, and it also provides a powerful tool to trace APT attacks in network systems. A model of APT attack techniques and a model of a network system under APT are proposed. We design and develop a prototype simulator that traces the behavior of APT attacks on network systems consisting of several servers and pieces of network equipment. We describe the network model and the research related to the malware working model. We also demonstrate the prototype system tracing the behavior of APT attacks on a simple network system.
MD5: 529773bad5f509de158d6b5ca4690129
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.85 Mb
Kai-chi Chang (III, ICST, TW)
MD5: ff6c45716d737bd4dd16bd7ee27bbd43
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.5 Mb
Olivier Thonnard (Symantec)
Initially developed during the WOMBAT Project (EU-FP7), TRIAGE is a software tool that provides advanced analytical capabilities for automating cyber intelligence tasks on massive security data sets. One of the rationales for developing such a tool is to enable rapid triage analysis of security events with respect to any number of features, and therefore help analysts quickly attribute various waves of Internet attacks to the same phenomenon, e.g., an attack campaign likely run by the same individuals. The framework will soon be enriched with new features such as interactive visualizations developed in VIS-SENSE, a European research project that aims at developing visual analytics technologies suited for network security and attack attribution. Using real-world examples from the analysis of a large set of targeted attacks identified by Symantec in 2011, we will illustrate how TRIAGE analytics can shed some light on large-scale cybercrime campaigns and the modus operandi of their presumed authors.
MD5: 4683956b5cc894bfc7c8b2c6da247522
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 7.35 Mb
Takayuki Uchiyama (JPCERT/CC, JP)
Vulnerability Handling has been coordinated in Japan by JPCERT/CC since 2004. Vulnerabilities in products, even if developed in Japan, are most likely to affect users worldwide. Through this presentation I will talk about how the Vulnerability Handling framework in Japan works, how the process collaborates with other CSIRTs, and how the use of CVE has helped not only in identifying issues but also in ensuring smooth communications.
MD5: ab9cbb961ba3b84cdbffd0749efc681c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1 Mb
David Schwartzburg, Gavin Reid (HUMAN Security, US)
We all want a magic button that fixes our network security problems. Automated tools can improve a weak computer security posture by preventing new infections and disrupting command and control channels. In reality, though, the scope of these tools will always be limited to the most basic of attacks. A strong security posture requires not only automated equipment, but people to program the equipment and to act on its output. Cisco CSIRT has taken a pragmatic approach where automated equipment better serves the purpose of providing intelligence to highly trained IT staff, rather than attempting to replace the security staff altogether. This talk focuses on the philosophy that Cisco CSIRT uses to protect its own network.
MD5: da780ac6e2c282f6e7c85cb7864ed076
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 2.83 Mb
John Kristoff (DePaul University)
Where do people in the security community go to share insight and collaborate? How do you become a part of the private, so-called "trusted" communities? What can you do to maximize security community relationships? We try to answer these sorts of questions by surveying the security community, including its collaborative successes and failures.
MD5: 1544587cc82b58889cef87459d9bdb84
Format: application/pdf
Last Update: June 7th, 2024
Size: 226.96 Kb