3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience
Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI)
Stefan Ritter, National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI
Since 2007, Stefan Ritter has been head of CERT-Bund and the national IT-situation centre at the German Federal Office for Information Security (BSI) in Bonn. In the years before, he gathered exercise experience as a senior expert for critical information infrastructure protection and as an officer in the German armed forces. Since 2009, his team has provided dedicated cyber exercise support. Together they have supported the preparation of, and played in, most of the large national and European cyber exercises.
Background
Cyber exercises are an important part of national and international cyber crisis management within several communities. In this talk we present our 3J4E concept, which addresses the following three challenges of (international) cyber exercises:
- Encouraging international / inter-community information sharing within cyber exercises while keeping in mind the expectations of players (JIGSAW)
- Optimising the utilisation of limited exercise time (JUMPSTART)
- Addressing the top crisis management level within an international exercise (JUNCTURE)
Methodology
The 3J4E concept is modular, which means that the three parts can be used independently. It consists of the three modules presented below.
JIGSAW
One often-seen showstopper for information sharing in international operational cyber exercises is the fact that all participating teams get the same set of information from the scenario. As all players hold the same information, there is no need or desire for information sharing. Another problem regarding information sharing is the different levels of involvement and expectations among the playing teams. Players with low involvement often don't share information actively, so that the whole exercise suffers due to the lack of participation of single playing teams.
Our JIGSAW module tries to solve these two challenges of information sharing by separating the scenario into several so-called JIGSAW pieces and providing them to the players according to their level of participation and expectation. Besides the scenario elements, the players also need to be clustered according to their level of involvement.
The idea behind JIGSAW is that each player holds just a little piece of information, and only by sharing with others does the whole situational picture become visible. Sharing should take place according to the level of involvement and expectation.
To split the scenario into pieces and cluster the players according to their expectations, we present a concept that we call the Multilevel Clustered Exercise Framework.
JUMPSTART
A well-known problem of cyber exercises is the limited time frame for the exercise play. This problem increases further if strategic top-level decision makers participate.
A crisis timeline follows the five phases Pre-Crisis, Detection, Reporting / Alerting, Response and Wrap-Up, while the exercise timeline consists of three phases: Pre-Ex, Ex-Play and Post-Ex. In a classic exercise setup the two timelines are often aligned so that the Ex-Play phase covers the Detection and the Reporting / Alerting phases of the crisis timeline. The Response phase is often only touched on slightly, or not played at all, due to the limited playing time.
For a JUMPSTART into the exercise it is necessary to align both timelines so that the beginning of the Ex-Play (StartEx) coincides with the end of the Reporting / Alerting phase. This means that the players start directly within the Response phase and can initiate the crisis management procedures right away.
To reach this aim, the JUMPSTART concept shows ways to create exercise material that covers the first three phases of crisis management before StartEx. This requires more detailed preparation among planners and players, but leads to strong involvement of the stakeholders in the exercise right at StartEx.
To illustrate the benefits of the JUMPSTART concept we use the well-known OODA loop (Observe, Orient, Decide, Act) and activity diagrams showing national and international crisis management play.
JUNCTURE
The aim of the JUNCTURE module is to design scenario elements which reach the strategic top level of crisis management within an operational exercise. Besides the strategic top-level decision makers, this also includes staff dealing with strategic decision preparation.
To reach this aim, we developed two ways of creating scenario elements that reach the intended strategic management level: "By Aggregation" and "By Singularity". While the "By Aggregation" approach deals with a large number of incidents that together lead to a crisis, the "By Singularity" approach focuses on one single high-impact incident which triggers top-level management decisions.
To design scenarios which fit one of these two approaches, we recommend a technique which we call Consequence-Backtracking. In this method, the consequences of top management decisions in real crisis situations (cyber and non-cyber) are analysed to understand which level of impact is necessary to trigger decisions on the particular management level. Based on this backtracking, cyber scenario events are then developed which imply the same consequences as the examined real crisis.
Impact
The overall quality of cyber exercises in both governmental and business contexts is improved. Satisfaction of top management players will be improved.
Significance for the audience
The audience is able to understand the three concepts and see the advantages for future cyber exercises. Thanks to the given implementation examples, the audience is able to generate ideas for their own implementations.
A Cognitive Study to Discover How Expert Incident Responders Think
Mr. Sam J. PERL (CMU SEI CERT/CC)
Sam Perl
Samuel J. Perl is a member of the CSIRT development team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2011 and has worked in a variety of areas including insider threat, vulnerability assessment, security incident data analysis, and incident management team development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds an M.S. in Information Security Management from Carnegie Mellon University and a B.S. in Information Systems from Carnegie Mellon University.
Richard O. Young, Ph.D
Richard O. Young is Teaching Professor of Management Communication at the Tepper School of Business, Carnegie Mellon University, Pittsburgh, PA. He received a Ph.D. in Rhetoric from Carnegie Mellon in 1989 with a dissertation on the cognitive processes of management consultants and their clients. A regular presenter at national conferences on business communication, he is also the author of How Audiences Decide: A Cognitive Approach to Business Communication (2011).
Incident response expertise is a rare and valued resource. Expert incident responders are expensive to hire, difficult to find, and competition for their services is fierce. Governments, the private sector, and non-profits all need experienced incident responders with the proper skills and training in order to respond effectively to increasingly sophisticated cyber attacks.
We performed a cognitive study on expert incident responders after being inspired by existing research studies on experts in non-security domains. Our goal was to extract the conceptual frameworks or schemata that expert incident responders use to make their decisions and to represent their schemata in a form that could be understood and used by non-experts.
Our presentation will include background information on the four expert incident responders who participated in our study, the real-world proprietary stimulus materials our experts used to decide the best responses to the incidents we gave them, our methodology, and our data analysis. Next, our presentation will describe the results of our study--the schemata our expert incident handlers used to make their decisions, and what our results reveal about the incident response field when compared to the findings of researchers studying expertise in other domains such as business and military decision making.
Last, we will discuss the implications of our results in light of the current societal and business trajectory toward greater technology dependence and the ever-growing demand for incident response expertise.
A Day in the Life of a Cyber Intelligence Professional
Ms. Katherine GAGNON (World Bank Group)
Katherine Gagnon has been working in IT for over 21 years, with 18 of them focused directly on information security after she graduated from Johns Hopkins University with a bachelor's degree in Computer Science. She has worked as a consultant performing pen testing, architecture design and review, infrastructure deployment, and more. In addition to 3 years as the program manager for information security at Discovery Communications, Kate spent substantial time in the public sector, having worked for years at USAID and the US Department of State before entering the realm of international organizations, where she currently serves as an Information Security Officer with the World Bank Group. There she has been managing the Cyber Threat Intelligence program for over 2 years and previously managed the endpoint security engineering function for 4 years.
Building a cyber threat intelligence program can be a daunting task given the firehose of information which could be consumed. Many organizations don't know where to even start, but the truth is it probably has already started...
- Are you monitoring the news for open source information (OSINT) and considering how a similar attack might affect your own organization?
- Do you seek out indicators of compromise (IOCs) for said incidents and apply controls or alerting to firewalls, proxies, endpoints, IDSs, etc.?
- Do you collaborate with colleagues outside your organization and share information about the tactics, techniques and procedures (TTPs) hackers may be using?
- Is your organization a member of FIRST or an institutional ISAC, or does it have a relationship with an outside security services vendor?
Those are all beginning elements to a cyber intelligence program, but the question then becomes how to mature and manage information flow past OSINT. This presentation will discuss "a day in the life" of cyber threat intelligence work, including:
- relationship building,
- bi-directional IOC sharing,
- making IOCs actionable within operational systems,
- managing the onslaught of information,
- brand protection & takedowns,
- awareness for users, engineering & management,
- pitfalls to avoid,
- and taking steps towards automation.
It will also discuss staffing considerations in a small or growing intelligence team.
A Funny Thing Happened on the Way to OASIS: From Specifications to Standards
Tom MILLAR (US-CERT)
Mr. Thomas R. Millar serves as the United States Computer Emergency Readiness Team’s (US-CERT) Chief of Communications, a role which finds him at the intersection of outreach, awareness, standards development, and technical interoperability initiatives. In this role, Mr. Millar is focused on modernizing US-CERT's approaches to information sharing, knowledge exchange and coordination. Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009.
Mr. Millar has previously worked as a team lead for intrusion detection and analysis at the FBI’s Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.
Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.
This presentation will explain the process of transitioning the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) from technical specifications sponsored by the US Department of Homeland Security into formal international standards, explaining decisions made along the way and discussing lessons learned during the development, refinement, and transition process.
As pivotal ingredients in the future of automated, structured information exchange between CSIRTs, STIX and TAXII need to "land" in the right standards body with the right amount of support from public and private sector partners to help shepherd them through the process of becoming international, voluntary standards while preserving their functionality and compatibility. Nothing good comes easy, and the path to transition was full of difficult decisions.
In this session, participants will learn key considerations for engaging with international standards bodies; different roles and governance models for the various standards organizations that CSIRTs may interact with; and how to ensure international standardization of our common practices and tools has a positive and lasting impact on the CSIRT community and the constituencies we serve.
A Study on the Categorization of Webshell
Mr. Jinwan PARK (KrCERT/CC)
Jae-Chun Lee is a Senior Research Associate of KrCERT/CC, a part of KISA, the Korea Internet & Security Agency. Previously, for many years he was in charge of internet incident response in KrCERT/CC. He has a master's degree in Computer Science from Sogang University.
Dong-Geun Lee is a Director of KrCERT/CC, a part of KISA, the Korea Internet & Security Agency. Previously, for many years he was in charge of internet incident response in KrCERT/CC. He has a master's degree in Computer Science from Kyungpook National University, Korea, and is now the Internet Incidents Analysis Team Manager.
Hyun-Cheol Jeong is a Vice President of KrCERT/CC, a part of KISA, the Korea Internet & Security Agency. Previously, for many years he was in charge of internet incident response in KrCERT/CC. He has a Ph.D. in Information Security from Korea University and is now the director of the Internet Incidents Analysis Division in KISA.
Jinwan Park is a Director of KrCERT/CC, a part of KISA, the Korea Internet & Security Agency. Previously, for many years he was in charge of internet incident response in KrCERT/CC. He has a master's degree in information engineering from Korea Aerospace University and is now the Cyber Frauds Response Team Manager.
* Jinwan Park is a proxy speaker of this presentation.
A webshell is a backdoor program that is most commonly used for web hacking. We can easily determine the features and methods of hacker groups if we know the unique features of their webshells. For example, the DMC webshell used in the Dark Seoul case is used by specific hacker groups, and in other hacking cases the systems on which the DMC webshell was installed were attacked with similar methods from the same IPs. In some cases attackers apply analysis-disturbance techniques, such as obfuscation applied in stages. So knowing the history of a webshell should be very helpful for analysing it.
KrCERT/CC has about 400 cases of webshell analysis from intrusions in Korea in 2014 and has researched how to classify these cases.
The agenda for this presentation is as follows:
- Introduction of webshells and their features
- System of webshell categorization and the correlation of intruders
- How to classify webshells:
  - By function
  - By the length of webshell source code
  - By the method of source code encoding
  - By detection evasion
  - By analysis disturbance
  - By file name
  - By concealment method
  - By the fingerprint and transformation of webshell
  - By the language
- Conclusion
Mr. Cosmin CIOBANU
Agile Security
Mr. Tilmann HAAK (XING)
Security in agile software development, especially Scrum and Kanban, and agile methods for security teams, based on the past two years' experience.
Laura FLETCHER (George Mason University), Kristin M. REPCHICK (George Mason University), Julie STEINKE (George Mason University)
Julie Steinke is a Postdoctoral Research Fellow in the Industrial/Organizational Psychology Program at George Mason University. Her research interests include teams, competition and conflict, performance under stress and adversity, and resilience. Steinke received a PhD in industrial and organizational psychology from Wright State University.
Kristin M. Repchick is a doctoral candidate in the Industrial/Organizational Psychology Program at George Mason University. Her research interests include team processes, CSIRT effectiveness, and multiteam systems. Repchick received an MA in industrial and organizational psychology from George Mason University.
Laura Fletcher is a graduate student in the Industrial/Organizational Psychology Program at George Mason University. Her research interests include teams, multiteam systems, networks, and creativity.
This presentation describes barriers to information sharing and pathways to improving the effectiveness of cybersecurity collaboration. The presentation is based on research conducted by George Mason University, Dartmouth College and Hewlett-Packard under a three-year research grant from the U.S. Department of Homeland Security, the Netherlands and Sweden. Barriers to cybersecurity information sharing were identified through interviews and focus groups in dozens of public and private organizations in Europe and the United States, and through surveys of cybersecurity professionals conducted in 2014 and 2015. Building on the findings of other researchers, we present an overview of information sharing barriers within CSIRTs, C-CERTs, and M-SIRTs; between these teams and their larger organizations, and between the organization and the outside world. We also describe ways to break down barriers and promote information sharing.
Behind the Scenes this Week at FIRST - Potsdam I
BetterCrypto.org Workshop and Hands-on Training
Mr. David DURVAUX (BetterCrypto.org), Mr. Aaron ZAUNER (Azet), Mr. L. Aaron KAPLAN (CERT.at)
David Durvaux was one of the few people who joined Aaron & Aaron in their project of writing BetterCrypto. His background is now mostly focused on incident response. He is a big fan of *nix systems and open-source tools. He was involved in the AbuseHelper project when he was working at CERT.be.
Aaron Zauner
Self-employed engineer for large-scale infrastructure, HPC and information security. Did front- and back-end development in the past, spent a lot of time in data centers and auditing code, networks and systems. http://azet.org
The BetterCrypto Project started out in the fall of 2013 as a collaborative community effort by systems engineers, security engineers, developers and cryptographers to build up a sound set of recommendations for strong cryptography and privacy enhancing technologies catered towards the operations community in the face of overarching wiretapping and data-mining by nation-state actors. The project has since evolved with a lot of positive feedback from the open source and operations community in general with input from various browser vendors, linux distribution security teams and researchers.
This workshop will give a concise guide on how to properly deploy networked services in a secure fashion that is applicable today. We will also give an update on the project as well as new development on the front of cryptography, attacks and TLS protocol standardization.
In addition, the workshop will touch on the basics of cryptography. However, this part can only give a gentle intro and a historical view on cryptography.
The core idea behind the project is to use the skills of its authors to build an open-source guide for system administrators who need to securely configure their systems. The document is split into two parts:
- the first one proposes state-of-the-art configurations for as many different systems as possible;
- the second part explains why certain settings are chosen, through a theoretical approach.
The configuration part tries to offer configurations that can be copy/pasted to give a valid usage of cryptography. As clear-text protocols should be avoided, we tried to cover as many different systems and usages as possible. For instance, we cover the following technologies and implementations:
- web server: Apache, Lighttpd...
- mail server: Postfix...
- remote session: SSH
- mail encryption: PGP/GPG
- secure chat:
- ...
The theoretical part will cover the algorithms, key sizes, main concepts and properties that need to be used. It addresses the major discussions such as:
- algorithms to be used;
- key size;
- asymmetric and symmetric cryptography;
- perfect forward secrecy;
- ...
Made with the open-source spirit in mind (the whole document is written in LaTeX and published as open source on git), our work is open for comments. Any new contribution is welcome.
Our goal is also to continue completing the guide with other tools from other vendors. We also dream of a configuration tool that could help people automatically generate the configuration they need for their systems...
Our workshop at FIRST would cover:
- a description of the project and the need for such a work;
- a short introduction to cryptography and the main concepts;
- some description of what the proposed configuration looks like and the results on some online validation tools;
- a step-by-step demonstration of the usage of GPG on the command line to show what's really under the hood;
- a call for collaboration and help: we are open, and the more we are, the better our work will be!
As an attachment, we propose a draft presentation using previous works. This is to demonstrate the type of content we would like to propose.
Bring Your Own Internet Of Things (BYO-IoT)
Mr. Jake KOUNS (Risk Based Security), Mr. Carsten EIRAM (Risk Based Security)
Jake Kouns is the CISO for Risk Based Security and oversees the operations of the Open Sourced Vulnerability Database (OSVDB.org). Mr. Kouns has presented at many well-known security conferences including RSA, Black Hat, DEF CON, CISO Executive Summit, CanSecWest, SOURCE, FIRST and SyScan. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.
Jake has briefed the DHS and Pentagon on Cyber Liability Insurance issues and is frequently interviewed as an expert in the security industry by Information Week, eWeek, Processor.com, Federal Computer Week, Government Computer News and SC Magazine. He has appeared on CNN as well as the Brian Lehrer Show and was featured on the cover of SC Magazine.
Carsten Eiram is the Chief Research Officer of Risk Based Security and is managing the company’s research efforts and Vulnerability Intelligence (VI) solution, VulnDB. Prior to RBS, he managed Secunia's Research team and VI solution for 10 years.
Carsten is considered a leading expert in the VI field due to his long experience managing vulnerability databases (VDBs), in-depth knowledge of vulnerabilities, root causes, and trends, as well as hands-on experience. He has spent a good part of his career analyzing vulnerability root causes in software and determining code quality, to promote the concept of "Code Maturity" as a metric for evaluating the secure coding efforts of vendors.
As a vulnerability researcher with a reverse engineering background, Carsten has almost 200 vulnerability discoveries credited to his name. Most are critical issues in high-profile products from major software vendors including: Microsoft, Adobe, Symantec, IBM, Apple, Novell, SAP, Rockwell, Schneider Electric, Blue Coat, and Trend Micro.
Carsten has been interviewed for numerous news articles about software security and has presented at conferences such as FIRST Conference, RSA Conference, DEF CON, RVAsec, as well as keynoting Defcamp 2013. He is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor for the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and member of the CVE Editorial Board and FIRST VRDX-SIG.
Just as incident response teams thought they were finally getting a handle on Bring Your Own Device (BYOD), whether they know it or not they now face the new challenge of dealing with IoT (the Internet of Things). It is no longer just laptops and smart phones being connected to the corporate network. It now includes everything from surveillance cameras to smart light bulbs, smoke detectors, and sprinklers with wireless connectivity, not forgetting the coffee machine. On the surface this may seem like a low risk, but we have already seen numerous data breaches due to third-party vendors. Target, for example, admitted the initial break-in was due to their HVAC vendor.
We’ve seen researchers focusing on discovering vulnerabilities in SCADA / ICS, smart phones, routers and access points, and within the past couple of years, we’ve seen them focus on surveillance cameras. Now they’re branching out and focusing more on IoT in general. At this point, most of the IoT hacks that we’re seeing are currently lame when it comes down to it. They require physical access or are minor issues. However, the potential real world impact is scary, impressive, and very important to pay attention to, as we’ve seen with other consumer devices.
Is your organization ready to deal with new exploits for IoT devices on your network? Do you have solid policies in place for dealing with how these devices are securely connected to the network, properly protected, and how any compromises involving them should be handled?
This talk will cover a sample of vulnerabilities that currently have been published in various IoT devices and discuss the challenges and concerns organizations need to understand. It will fully discuss the capabilities of IoT vendors to even deal with vulnerability reports and ultimately help ensure that once IoT really enters your enterprise, you’re ready and equipped to deal with it.
Building blocks of a cyber resilience program
Monika JOSI (Consultant and former Microsoft Chief Security Advisor for EMEA)
Building CERT Team and Responding Incidents in the Large Energy Company.
Mr. Miroslaw MAJ (Cybersecurity Foundation)
MIROSLAW MAJ has almost 20 years of experience in the IT and IT security sector. For almost 10 years he led CERT Polska, the first Polish incident handling team, which plays the role of the national-level team. In 2010 he founded the Cybersecurity Foundation and became its first director. In September 2010 he became the CIIP expert at the Polish Government Center for Security. In 2011 he also became a co-founder of the first Polish independent CERT, ComCERT.PL. He is also a member of the Trusted Introducer team, responsible for the accreditation and certification process within this trusted platform.
He is the author of papers on security statistics and other subjects from the security area. He is involved in international cooperation between CSIRT teams as a member of the Trusted Introducer team, as well as in formal European projects related to security issues (standards, statistics, information sharing, fighting illegal content, building security awareness and establishing new CSIRT teams). He is the co-author of many ENISA publications, including CERT exercises and papers on improving CERT coordination. Miroslaw Maj organized four editions of national-level cyber exercises in Poland (Cyber-EXE™ Polska) and in Georgia (Cyber-EXE™ Georgia) for the energy, banking and telecommunication sectors. He has presented his work at many international conferences, including a number of presentations at the FIRST conferences.
The number of significant and dangerous incidents related to energy sector companies is growing. Last year's cases related to the activities of groups like Dragonfly or Sandworm and attacks like BlackEnergy are the best proof that this sector has become a very common target of cyberattacks. The political and military tension in Eastern Europe is fostering this trend.
This situation has forced energy sector companies to work more actively on their cybersecurity systems, including building the capabilities of an efficient incident response process.
During the presentation, the issues related to the process of building a CERT team in an energy sector company will be presented.
Such a process is specific due to the special requirements related to the existence of a CERT in a large energy company. This kind of company is usually organisationally widely distributed. This distribution also affects the technical infrastructure, which creates special challenges for infrastructure protection. Another challenge is the fact that the responsibility for maintaining the technical infrastructure is shared by many entities, including outsourced parties. All these specifics make the process of building the CERT team very challenging, and during it both technical and personal-relationship aspects are very important.
The presentation of the CERT creation process will be enriched by the presentation of experiences from the process of responding to incidents. The most interesting incidents will be presented in relation to the established and implemented CERT processes, so attendees will be able to learn how the specific structure of the CERT is prepared and able to respond to them effectively.
The presentation will be based on a real case study of CERT creation in an energy sector company, as the author is involved in such a process. Real and anonymised computer incidents will also be used in the speech.
The attendees will learn:
- how to prepare and conduct the process of building a CERT in a large company
- what the most common incidents in an energy sector company are
- what the influence of the CERT operational model on the effectiveness of the incident management process is
- how to use experiences from the energy company in their own organisation: what is universal, what is specific
Mr. Christian SEIFERT (Microsoft)
Christian Seifert bio to come.
One of the goals of the Microsoft sponsored Coordinated Malware Eradication program is to use lessons learned from current and past malware eradication campaigns to inform new campaigns. To improve the efficiency of antimalware campaigns, our tactic is to distill the collective experience of past campaigns into playbooks that contain templates and guidelines that the entire community working to eradicate malware can directly incorporate into future campaigns.
This presentation will show the playbooks we’ve created, how participants have used them, and ideas for new playbooks we’d love to build with the help of the community to more effectively fight malware together.
Examples of playbooks are:
• Creating an eradication plan—what deterrence and eradication techniques make sense for this operation?
• Abuse reporting to vetted and to previously unknown entities— what do you say when you don’t know if you can trust the recipient?
• Conducting a postmortem—why is it one of the most critical steps, what questions should you ask?
Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP
Mr. Andras IKLODY (CIRCL)
Andras Iklody is a software developer working for CIRCL and has been the main developer of the Malware Information Sharing Platform since the beginning of 2013.
He is a firm believer that there are no problems that cannot be tackled by building the right tool.
The aim of the presentation is to introduce the audience to the Malware Information Sharing Platform (MISP) and give a glimpse into how it can help them turn their analysis into instant protection for both them and their partners.
In a world where cyber threat information sharing via e-mail, a lack of interoperability between defensive and analysis tools and replication of effort during analysis among partners is still a reality for many, MISP offers an easy to use, powerful, free, actively maintained, open-source solution.
The scope of the presentation includes a general high-level overview of the issues that MISP tries to tackle as well as a more in-depth presentation of its capabilities and features, divided into four main topics (sharing and collaboration, populating MISP with data, exploiting the data for analysis and building automated defenses). The final portion will talk about integrating MISP into the audience's workflow by using the built-in interfaces, building custom import/export modules or tools that utilise MISP.
As for the technical level of the presentation, it is assumed that the audience is generally familiar with the issues that MISP tries to offer a solution for, but the plan is not to go too deep into the technical solutions (intermediate level).
Case Study: Creating Situational Awareness in a Modern World.
Mr. Michael MEIJERINK (NCSC-NL)
Michael Meijerink is a senior security specialist at the Dutch National Cyber Security Centre (NCSC.NL). Since 2012 he has been involved at the NCSC in creating a technical and social network in which specific indicators and incident-related information can be shared in a trusted environment within the government as well as with the critical infrastructure partners.
When Edward Snowden leaked classified information from the NSA in June 2013, all government initiatives on monitoring and data correlation became suspect. NCSC had just started the pilot preparations at a government data centre aimed at automatically sharing indicators and incident-related information, giving a boost to the operational situational awareness of its CSOC. Many challenges had to be overcome. As of December 2014, government organizations as well as critical infrastructure partners have started the new sharing collaboration successfully. In his presentation Michael will discuss the prerequisites, technical but mostly non-technical, needed to create this Dutch habitat in which organizations can share information safely on a voluntary basis. Michael will also share the outcome of the evaluation held in June 2015.
Ce1sus: A Contribution to an Improved Cyber Threat Intelligence Handling
Mr. Jean-Paul WEBER (GovCERT.lu)
Jean-Paul Weber, IT Security Analyst at the governmental CERT in Luxembourg since 2013, is a specialist in the area of handling and analyzing IT security incidents. Currently one of his main interests is the follow-up of threat intelligence. He is also responsible for development and maintenance of tools for the facilitation of internal processing.
The daily business of Computer Incident Response Teams (CIRTs) is preventing incidents and handling breaches. Sharing information is crucial for time efficiency and for the prevention of unnecessary double work. Automated handling and processing of cyber threat intelligence is imperative. Currently there are a number of emerging tools, but to date none of them, in our opinion, sufficiently satisfies the needs of computer specialists working in the domain of incident response. The main needs include the following: ease of use, adequate handling of data structures, interfaceability and automated data enrichment.
In this presentation the benefits of using structured data and automated systems will be outlined. Advantages and problems of relevant standards and available tools will be briefly discussed. In consequence, our ongoing work on ce1sus, an open source platform that fulfills all the identified needs while circumventing known problems, will be presented. ce1sus uses a widespread standard (STIX) and allows for interoperability with existing tools.
Ce1sus is available as free open-source software at:
https://github.com/GOVCERT-LU/ce1sus
Collecting, Analyzing and Responding to Enterprise Scale DNS Events
Mr. Bill HORNE (Hewlett-Packard)
Bill Horne is the Director of Security Research in the Security and Manageability Lab of HP Labs. He previously served as a Research Manager in the Security and Cloud Lab of HP Laboratories in Princeton, NJ, from August 2002. He directs research on systems and network security, cryptography, privacy and risk management, and is responsible for transferring security technology developed in HP Labs to customers and business units. He is the author of over sixty publications in the area of security and machine learning, holds twenty-two patents and has thirty-four patents pending. He is a Principal Investigator for a DHS Science and Technology funded project, Improving CSIRT Skills, Dynamics, and Effectiveness. He is currently an associate editor for IEEE Security and Privacy Magazine. Prior to joining HP, he held industrial research positions at InterTrust Technologies and NEC Research Institute. He has an MSEE and PhD in Electrical Engineering from the University of New Mexico, and a BS in Electrical Engineering from the University of Delaware.
In this talk I will describe our efforts to collect, analyze and visualize DNS as part of our HP ArcSight SIEM infrastructure. DNS is important for security for many reasons. If the DNS infrastructure can be brought down, many networking tasks would be impossible to complete. If the integrity of the mapping between domain names and IP addresses is compromised, attackers can redirect users undetectably to IP addresses of their choosing. And malware of many types must in one way or another use the DNS infrastructure as part of their operations. For example, botnets often use fast flux techniques and domain name generation algorithms to rendezvous with command and control servers.
Collecting DNS is a significant challenge. In HP, our core internal DNS clusters process approximately 16 billion DNS packets every day. Ideally, we would like to turn each and every one of those packets into an event for our SIEM. However, HP is currently the largest commercial deployment of ArcSight and we would have to grow our SIEM by a factor of six to collect this data. Moreover, traditional logging has a substantial performance impact on the DNS infrastructure, and therefore from an operational perspective enabling logging is also impractical. Finally, DNS servers generally do not log the information necessary to detect many security problems.
To deal with these problems we collect and filter this traffic using hardware network packet sniffers, which have no impact on the performance of the DNS servers and allow us to collect all of the information we need for security purposes. We model known good traffic and discard it, keeping only anomalous data.
We developed a custom analytics engine, which analyzes this data looking for evidence of botnet infections, blacklist hits, cloud platform abuse, beaconing, data exfiltration, and cache poisoning attempts. The results of these analyses are turned into a set of alerts which are sent to our Security Operations Center (SOC). We’ve also developed a usable dashboard and visualizations to help analysts explore the data.
The system has been up and running in HP since June 2014. The SOC processes on average about 20 of our alerts per day, with very low false positive rates. We’ve worked closely with the SOC to make sure the tool is fully integrated into the workflows that the SOC analysts use and meets the needs of the analysts.
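The filter-then-analyze approach described above, as an added illustration that is not HP's code: a model of known-good traffic (here a simple allowlist of name suffixes, standing in for the real model) discards the bulk of queries, and three small detectors (blacklist hit, DGA-like names, beaconing at a fixed interval) run over what remains. The query records, blacklist, allowlist and thresholds are all constructed for the example.

```python
"""
Added example (not HP's code): filter DNS queries against a known-good model,
then run blacklist, DGA-heuristic and beaconing detectors over the remainder.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample records (not real HP data): (timestamp_s, client_ip, qname)
SAMPLE_QUERIES = [
    (0, "10.0.0.5", "www.example.com"),
    (1, "10.0.0.5", "mail.example.com"),
    (2, "10.0.0.7", "intranet.corp.example"),
    (3, "10.0.0.7", "www.example.com"),
    (5, "10.0.0.11", "evil.example.org"),            # constructed blacklist entry
    (7, "10.0.0.11", "cdn-updates.example.net"),     # unusual but benign-looking
    (300, "10.0.0.11", "cdn-updates.example.net"),
    # one client asking for the same random-looking name every 60 s
    (0, "10.0.0.9", "x7k2q9vb3m1pz4.bad-example.net"),
    (60, "10.0.0.9", "x7k2q9vb3m1pz4.bad-example.net"),
    (120, "10.0.0.9", "x7k2q9vb3m1pz4.bad-example.net"),
    (180, "10.0.0.9", "x7k2q9vb3m1pz4.bad-example.net"),
    (240, "10.0.0.9", "x7k2q9vb3m1pz4.bad-example.net"),
]

# Stand-in for the "model of known good traffic": an allowlist of suffixes (constructed).
KNOWN_GOOD_SUFFIXES = ("example.com", "corp.example")
BLACKLIST = {"evil.example.org"}  # constructed

def is_known_good(qname):
    """True if the name is exactly an allowlisted zone or a subdomain of one."""
    return any(qname == s or qname.endswith("." + s) for s in KNOWN_GOOD_SUFFIXES)

def filter_known_good(records):
    """Discard everything the known-good model explains; keep the rest."""
    return [r for r in records if not is_known_good(r[2])]

def shannon_entropy(text):
    """Bits of entropy per character of a label."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_dga(qname, min_len=12, min_entropy=3.0):
    """Crude DGA heuristic: a long, high-entropy leftmost label."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def blacklist_hits(records):
    return sorted({(ip, q) for _, ip, q in records if q in BLACKLIST})

def dga_candidates(records):
    return sorted({(ip, q) for _, ip, q in records if looks_dga(q)})

def find_beacons(records, min_count=4, max_jitter=2.0):
    """Flag (client, name) pairs queried at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, ip, q in records:
        by_pair[(ip, q)].append(ts)
    beacons = []
    for (ip, q), stamps in sorted(by_pair.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            beacons.append((ip, q, statistics.mean(gaps)))
    return beacons

def analyze(records):
    """Filter first, then run the detectors; returns the alerts an analyst would see."""
    kept = filter_known_good(records)
    return {
        "blacklist": blacklist_hits(kept),
        "dga": dga_candidates(kept),
        "beacons": find_beacons(kept),
    }

if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_QUERIES).items():
        print(kind, alerts)
```

On the constructed input, four of the twelve queries are explained by the allowlist and dropped; the remaining eight yield one blacklist hit, one DGA candidate and one beacon (the same client and name, at a 60 s period). The point worth noting for a real deployment is that `is_known_good` anchors on a label boundary, so `example.com.evil.net` is not treated as known good.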
Crisis Communication for Incident Response
Mr. Scott ROBERTS (GitHub)
Scott J Roberts works for GitHub and makes up his title every time he’s asked, so we’ll say he’s the Director of Bad Guy Catching. He has worked for 900lbs security gorillas, government security giants & boutiques, and financial services security firms and done his best to track down bad guys at all these places. He’s released and contributed to multiple tools for threat intelligence and malware analysis. Scott has spoken at Facebook, OpenDNS, Shmoocon, and many other security industry and academic events.
One part of intrusion response that rarely gets attention in DFIR circles, though huge attention outside them, is the victim company's customer-facing communication to its own customers. This is almost always the only real information the public gets about your intrusion, and communicating what happened effectively is crucial to minimizing damage, both to customers and to your organization's reputation.
Using lessons drawn from professional public relations specialists, combined with practical experience in operations and security incident response, we'll review the five keys to good crisis communications. We'll walk through multiple examples of good and bad crisis communications and develop an understanding of what information people need to know, when, and why they should get it from you and not from the media. We'll also discuss building a comprehensive incident communications plan.
CSIRT Info Sharing Workshop
Shari LAWRENCE PFLEEGER (I3P-Dartmouth-GMU-NL-SE (various CSIRTS)), Julie A. STEINKE, Lois E. TETRICK, Reeshad S. DALAL, Stephen J. ZACCARO, Amber HARGROVE, Daniel SHORE, Kristin M. REPCHICK, Laura FL
Shari Lawrence Pfleeger, Dartmouth College, is the Principal Investigator for a three-year project (October 2012 to September 2015) investigating how to make incident response teams more effective. The project team members draw from George Mason University’s Psychology Department; George Mason University’s Center for Infrastructure Protection; and Hewlett-Packard Laboratories’ Cyber Security Research Team.
Project Details: By analyzing documentation, observing actual CSIRT activity, convening focus groups, and using pre- and post-incident interviews, our team from Dartmouth College, George Mason University and Hewlett-Packard is recommending ways to improve the skills, dynamics and effectiveness of CSIRTs. Through the end of 2014, the team has interacted with 45 CSIRTs, conducted 28 focus groups, and interviewed 117 team members and several dozen team leaders; this data collection continues in 2015. Funded by agencies in the U.S., Sweden and the Netherlands, the project findings reflect CSIRT members in over a dozen countries and in academic, corporate, national and international organizations. This basic research is determining and validating principles for creating, running and sustaining an effective CSIRT. The output includes descriptions of needed knowledge, skills and abilities for key CSIRT roles, viewed from individual, team and multi-team system perspectives, plus recommendations for improving CSIRT performance. Evidence-based decision aids are being developed and used commercially, and technology transfer of results is being accomplished not only in publications (e.g. a special issue of IEEE Security & Privacy magazine, a handbook, and academic publications) but also by participating in existing CSIRT training sessions and by presenting findings to CSIRT members and managers in a final project workshop co-located with FIRST 2015.
Proposal Details: Our team proposes a series of linked workshops and presentations at FIRST 2015 in Berlin:
• Sunday, June 14: An all-day workshop at the Intercontinental Hotel in Berlin. At this experiential, interactive project workshop, our team will work with attendees (CSIRT team members and leaders) in two ways: After we present several key project findings, the attendees will take part in activities that help them identify which findings are directly relevant to their particular CSIRT structures, goals and talents, and then learn and apply techniques to address the most important areas for improvement. For more information about this free workshop, please contact Julie Steinke, at jsteinke@gmu.edu
• Monday, June 15: Project-related presentations at FIRST by our project team members. Presentations to FIRST will be made by Julie Steinke and her colleagues (George Mason University) on information sharing to improve CSIRT effectiveness, and William Horne (Hewlett-Packard) on applying our findings commercially.
• Tuesday, June 16: 90-minute workshop at FIRST on feedback and next steps toward CSIRT effectiveness. This workshop will present an overview not only of the project and its findings but also of techniques useful in immediate CSIRT improvements. In an interactive discussion, our team members will elicit examples from attendees of our findings’ utility and of other areas ripe for investigation and improvement that we have not yet addressed in our research.
Audience: Members/leaders of CSIRTs, members/leaders of other teams that interact with CSIRTs.
Expected Outcomes: Attendees will leave with descriptions of what works well in an incident response team; descriptions of what can be improved; descriptions of lessons learned from incident response teams; suggested pathways from improvement opportunity to actual improvement, based on lessons learned and on research findings; possible descriptions of areas/questions needing significant attention from researchers.
CVSS v3 Hands-on Training
Mr. Seth HANFORD (TIAA-CREF)
Seth Hanford is the manager of the Detection & Response Team for TIAA-CREF, a Fortune 100 financial services firm. Past roles have found Seth managing a threat research and outreach team, working as an incident responder handling product security vulnerabilities, and as a team lead and analyst for a commercial vulnerability database.
He is the Chair of the CVSS v3 Special Interest Group at FIRST, and was involved in the v2 SIG since 2005. He has been rating security vulnerabilities from commercial vendors or open source projects with a variety of scoring systems since 2003.
With the release of Common Vulnerability Scoring System version 3 (CVSSv3), security teams need to understand how the classification and rating of vulnerabilities has changed. Version 2 has become a de facto standard over the last decade, and v2 scores are commonly used to quickly communicate severity.
However, research presented at FIRST 26 showed that ~70% of published vulnerabilities could be described by applying only 10 combinations of metrics. This lack of variety left many characteristics of vulnerabilities poorly described or omitted by v2 classification, which in turn led to clusters of scores that flattened out the standard's usefulness for rating and responding to vulnerabilities.
Version 3 corrects this condition without a net increase in metrics, by updating descriptive language, reducing subjective choice, and providing tools for an analyst to describe environmental mitigations (such as EMET, sandboxing, etc.) which reduce impacts or hamper exploitability in their organizations.
This course is designed to give analysts hands-on training in applying the new CVSS v3 metrics, following the new decisions and descriptions for rating with v3, and exploring the new capabilities of Environmental Mitigations and Vulnerability Chaining. Attendees will work interactively with the facilitator to practice and apply the approach, rate "tough" vulnerabilities, and gain confidence in the new techniques necessary to help their organizations adopt the next standard for vulnerability scoring. It assumes passing familiarity with CVSS v3, such as reading the metrics section of the standard, and looking at the supplemental materials like the example vulnerabilities and scoring calculator; it will not be an in-depth review of those materials, but rather an application of them. Experience with CVSS v2 will be helpful, but is not necessary.
It is intended for a technical audience, particularly for an analyst producing, supporting, or consuming vulnerability characteristics and ratings. Materials are designed for an analyst that is comfortable discussing vulnerability characteristics and foundational information security topics like authorization, privilege escalation, and the like. It may delve into discussion of common or emerging exploitation techniques (at a high level) but should be accessible to anyone comfortable with reading vendor or community produced vulnerability reports.
Cyber-EXE Georgia Project
Mr. Miroslaw MAJ
Cyber exercises organised by my organisation together with CERT.GOV.GE - the Georgian governmental CERT.
Cyber Security Challenges in the Financial Sector: Internal and External Threats
Ms. Rosa Xochitl SARABIA BAUTISTA (Mnemo-CERT)
Rosa Sarabia
Team Lead, Mnemo-CERT
Rosa Sarabia is responsible for the definition, implementation and operation of Mnemo-CERT, standardizing the SOC-CERT processes by taking as reference security best practices such as ISO, ITIL, COBIT and NIST. She worked at the Mexican National CSIRT (CERT-MX), where she participated in developing the National Cyber Security Strategy. She also worked at UNAM-CERT, where she was in charge of obtaining ISO 27001 certification for the incident response process, a very successful effort that remains in place to this day.
She has been involved in the cyber security field for over 7 years; she holds a Bachelor's degree in Computer Engineering from UNAM and a Master's in Computer Engineering from the same university. She has a reverse engineering background (Certified Reverse Engineering Analyst) and experience as an information security auditor.
In recent years the attacks targeting financial institutions have evolved and are becoming more sophisticated. In fact, recent studies show that cyber-attacks have caused billions of dollars in losses, among personal data, company records or files, and other sensitive information, which has caused a fall in consumer confidence and irreparable damage to the brand, as happened in the Target, Home Depot and J. P. Morgan security breaches.
Mnemo-CERT was created in response to the growing number and complexity of cyber-attacks. It is a financial Computer Emergency Response Team which works together and closely with banks to respond in a timely manner to any kind of information security incident, and also to strengthen their security mechanisms in order to minimize damage from attacks and intrusions.
In this presentation, Mnemo-CERT will speak about two case studies of very real threats to financial institutions:
A. Financial fraud (internal threat). Staff represent a potential threat by virtue of their knowledge of and access to the organization’s own systems and their ability to bypass security measures through legitimate means. In this case, the results obtained through digital forensics analysis and cyber intelligence allowed us to identify who committed this cyber fraud, when, and by what modus operandi.
B. Malware targeting ATMs (external threat). Ploutus malware detected on ATMs in Mexico was designed to steal cash without requiring any access to the credit or debit cards used by customers. This malware was analyzed in Mnemo Labs using reverse engineering techniques, and the results obtained will be explained. A few months later, the Mnemo-CERT team received another Ploutus malware sample and, despite its double obfuscation, similar results were found.
- EU
Raoul “Nobody” CHIESA (APWG, EU) (EU)
raoul-chiesa.pdf
MD5: 4ff57ee8b1dcc3f33ccf61c574149d40
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.14 Mb
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators
Mr. Alexandre PINTO (Niddel), Mr. Alexandre SIEIRA (Niddel)
Alex Pinto is the Chief Data Scientist of Niddel and the mind behind MLSec Project. He dedicates his waking hours to the development of machine learning algorithms and data science techniques to support the information security monitoring practice. He has presented results of his research at conferences such as Black Hat USA, DEFCON, BSides Las Vegas, BayThreat and ISC2 Security Congress. He has over 14 years dedicated to Information Security, 2 of those focusing on Data Science. If you are into certifications, Alex currently holds a CISSP-ISSAP, CISA, CISM and PMP. He was also a PCI-QSA for almost 7 years, and thankfully is almost fully recovered from that.
Alex Sieira is the CTO of Niddel and a principal at MLSec Project for the last year. He has over 12 years dedicated to information security consulting, managed security services and R&D teams. He is an MBA, CISSP, CISA, besides some other product-specific acronyms. Alex has experience with a great range of security technology and standards, and has gained many a gray hair establishing SOC and SIEM services for large enterprises. He is currently focused on building the information security product his past self would have killed for.
This session will consist of a technological exploration of commercial and open-source threat intelligence feeds that are commonly offered as a way to improve the capabilities of incident response teams. While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.
We will present a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide, in addition to some tidbits such as indicator age and uniqueness across feeds. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. The tool itself (tiq-test) can be used by attendees to perform the same type of tests on their own data.
We will also provide an additional open-source tool (combine) for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with a good mix of current publicly available network feeds and easily extensible for private or commercial feeds.
Defining and Measuring Capability Maturity for Security Monitoring Practices
Mr. Eric SZATMARY (Dell SecureWorks)
Eric Szatmary is a Senior Security Consultant for the Incident Response and Digital Forensics practice at Dell SecureWorks. Eric Szatmary has over 17 years of information technology and security experience ranging from large enterprises to regulated small/mid-size companies spanning multiple verticals in a variety of operational and consulting roles. Szatmary holds the following certifications: CISSP, CISM, GCIH, GPEN, GCFA, GCFE, Scrum Alliance Certified ScrumMaster, and GE Six Sigma Green Belt. Szatmary also maintains affiliations with the following organizations: FBI InfraGard, FIRST, IEEE Computer Society, ISACA, ISSA, OWASP, USSS Electronic Crimes Task Force, and the Wisconsin Association of Computer Crime Investigators.
All too often, CSIRTs and SOCs are realizing in the middle of high impact cybersecurity incidents that more could have been done to proactively monitor, detect, and respond to threat actor activity.
While logging and monitoring "all the things" may be attainable for some organizations, many organizations must develop and execute a meaningful logging and monitoring strategy that balances coverage, efficacy, and cost. This presentation will cover the following elements to help organizations assess security monitoring capability maturity in a structured manner that enables continuous improvement and benchmarking with industry peer groups for detecting and responding to cybersecurity incidents relevant to their risk profile:
• How to crosswalk security monitoring practices specified in key guidance such as NIST SP 800-53, PCI DSS 3.0, and the Council on CyberSecurity's Critical Security Controls to ensure a minimum security monitoring capability is in place.
• How to use CERT-RMM and the recent derivatives created with DHS (CRR) and DOE (C2M2) to assess security monitoring capability maturity.
• How to develop security monitoring use cases to support cybersecurity incident investigations and continuous monitoring.
• Recommendations for key monitoring sources CSIRTs and SOCs should ensure are collected, retained, and are searchable.
• How to maximize pre-existing monitoring sources and augment with open source/low-cost monitoring sources.
• Recommendations for logging configuration settings and retention.
• Recommendations for utilizing threat intelligence to enrich cybersecurity incident investigations and continuous monitoring.
Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale
Dr. Bronwyn WOODS (CERT Program, SEI, CMU), THOMAS MILLAR (US-CERT), Mr. Sam J. PERL (CERT CC)
Bronwyn Woods is a research statistician in the CERT division of the Software Engineering Institute. She earned her PhD in Statistics and Neural Computation from Carnegie Mellon University, where she developed analysis methodology for neuroimaging data. Her current work involves the application and adaptation of statistical and machine learning techniques to a wide array of data-driven problems in cybersecurity.
Samuel J. Perl is a member of the CSIRT development team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2011 and has worked in a variety of areas including insider threat, vulnerability assessment, security incident data analysis, and incident management team development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds an M.S. in Information Security Management from Carnegie Mellon University and a B.S. in Information Systems from Carnegie Mellon University.
Mr. Thomas R. Millar serves as the United States Computer Emergency Readiness Team’s (US-CERT) Chief of Communications, a role which finds him at the intersection of outreach, awareness, standards development, and technical interoperability initiatives. In this role, Mr. Millar is focused on modernizing US-CERT's approaches to information sharing, knowledge exchange and coordination. Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009.
Mr. Millar has previously worked as a team lead for intrusion detection and analysis at the FBI’s Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.
Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.
US-CERT receives a large volume of incident reports, but the reports often vary in quality and completeness. We explored multiple years' worth of reports looking for patterns and found that this data is rich with useful information. Rather than trying to enforce a structure on the data based on response team activity against a given incident, we took an entirely data-driven approach to structuring the information. This resulting structure can be used to complement the expertise of incident responders and answer tough questions from decision makers.
Our method treats incident reports as observations of a large set of unknown real-world activities including malware campaigns, incident response procedures, or simply the daily operations of a reporting entity. We use co-occurrence patterns of indicators in tickets to estimate the strength of associations between indicators and infer potential 'real-world activity groups' that correspond to actual events. These patterns are useful building blocks to answer questions about incident status, investigation progress, threat families, trends and incident predictability. The benefits to CSIRTs include increasing shared situational awareness, better tailoring of incident response services for constituents, increased detection of emerging threats, better visualization of threat activity and better understanding of threat activity against specific constituent types.
This presentation will summarize our methods and discuss ongoing work in visualizing and expanding indicator communities to allow feedback from analysts, integration of additional data sources, improved statistical learning algorithms and richer feature extraction from ticket data. All CSIRT members and managers are encouraged to attend and discuss data-driven information extraction techniques from large bodies of diverse and unstructured incident reports.
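The co-occurrence idea in the abstract above, as an added illustration that is not US-CERT's or SEI's code: indicators that keep turning up in the same tickets are linked, link strength is taken here as Jaccard similarity of the ticket sets (an assumed choice; the talk does not state its measure), and connected components of the strong-link graph become candidate activity groups. The tickets and indicator values are constructed; the IP addresses are documentation ranges.

```python
"""
Added example (not US-CERT's or SEI's method): indicator co-occurrence across
constructed incident tickets, Jaccard association strength, and connected
components of strongly associated indicators as candidate activity groups.
"""
from collections import defaultdict
from itertools import combinations

# Constructed tickets (not real reports): ticket id -> set of indicators seen in it
TICKETS = {
    "T1": {"198.51.100.7", "malware-a.example", "hash-aaaa"},
    "T2": {"198.51.100.7", "malware-a.example"},
    "T3": {"malware-a.example", "hash-aaaa", "198.51.100.7"},
    "T4": {"203.0.113.9", "phish-b.example"},
    "T5": {"203.0.113.9", "phish-b.example", "hash-bbbb"},
    "T6": {"hash-bbbb", "203.0.113.9"},
    "T7": {"198.51.100.7", "203.0.113.9"},   # one noisy ticket bridging both clusters
    "T8": {"lonely.example"},                # an indicator reported only once
}

def indicator_support(tickets):
    """Number of tickets each indicator appears in."""
    support = defaultdict(int)
    for inds in tickets.values():
        for i in inds:
            support[i] += 1
    return dict(support)

def cooccurrence(tickets):
    """Count tickets in which each unordered indicator pair appears together."""
    pairs = defaultdict(int)
    for inds in tickets.values():
        for a, b in combinations(sorted(inds), 2):
            pairs[(a, b)] += 1
    return dict(pairs)

def association_strength(tickets):
    """Jaccard similarity: tickets with both / tickets with either (assumed measure)."""
    support = indicator_support(tickets)
    return {(a, b): n / (support[a] + support[b] - n)
            for (a, b), n in cooccurrence(tickets).items()}

def activity_groups(tickets, min_strength=0.5):
    """Connected components of the graph whose edges are associations >= min_strength."""
    parent = {i: i for inds in tickets.values() for i in inds}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), strength in association_strength(tickets).items():
        if strength >= min_strength:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for i in parent:
        groups[find(i)].add(i)
    # largest groups first; ties broken by the sorted member list
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for pair, s in sorted(association_strength(TICKETS).items()):
        print(f"{pair}: {s:.2f}")
    print(activity_groups(TICKETS))
```

With the threshold at 0.5 the single bridging ticket T7 (strength 1/7 between the two IPs) is not enough to merge the two clusters, so the output is two three-indicator groups plus the lone indicator; lowering the threshold to 0.1 merges them into one group, which is the kind of sensitivity an analyst feedback loop would need to tune.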
DSMS: Automating Decision Support and Monitoring Workflow for Incident Response
Mr. Chris HORSLEY (CSIRT Foundry), Mr. SC LEUNG (HKCERT)
Chris Horsley
Chris has 15 years experience in the technology industry, much of it working with CSIRTs as a security analyst, software developer, and system administrator. He has been a member of AusCERT and JPCERT/CC, and currently runs a consultancy, CSIRT Foundry. He specialises in building CSIRT tools, examining CSIRT practices, and running training for national and organisational CSIRTs. He is especially passionate about open source tools, automation, data analysis, data visualisation, and collaboration tools for software development.
SC Leung
Mr. SC Leung is currently the Senior Consultant of HKCERT. He has over 20 years of working experience serving the banking, Internet solution provider, telecommunication and consultancy industries.
HKCERT is taking proactive measures to clean up compromised computers in Hong Kong and alert the public to vulnerabilities. SC is focused on cyber threat intelligence for raising security situational awareness, closer collaboration with ISPs to process large volumes of incident reports, and streamlining CERT operations through building systems.
Wally Wong
Wally is currently a security analyst at HKCERT. He has specialized in software development and QA for more than 10 years. He is now responsible for incident response, application development for automation, and open source intelligence.
A major challenge of incident response today is the overwhelming load of incident reports, along with the complexities of consistently collecting incident data, analysing it thoroughly, and monitoring the status of a large number of reported incidents.
We will present an initiative to automate incident response workflow with the Decision Support and Monitoring System (DSMS) jointly developed by HKCERT and CSIRT Foundry.
The DSMS is designed with the prime objective to automate the most labour-intensive and unmanaged parts of incident response. By storing analysis results in a central repository that is accessible via a management interface, incident analysts may focus on higher value tasks. DSMS can also provide some capabilities that were not available before.
Major Benefits of DSMS:
- Provide a centralised registry of monitored targets
- Provide a centralised repository to collect and consolidate monitoring results
- Perform actions according to analysis results from a remote Monitoring Subsystem, based on action criteria listed in incident profile
- Automate a team’s analysis workflow for different types of incident
- Choose best-of-breed analysis tools, so that each analyst has access to the same tools
- Perform 24-hour scheduled, ongoing checks, and store any changes in status found
- Operate in a geographically distributed manner
- Provide a collaborative environment for analysts
- Provide a standard way to customise workflow and use new tools as circumstances evolve
- Provide an API for other systems to consume the functions of DSMS, generate management reports on the usage of input systems and external analysis systems, and provide statistics of malicious objects or malware.
DSMS is built with existing powerful open source tools, and embraces the power of existing security monitoring services (e.g. malware analysis systems and Internet resources lookup APIs). Its architecture is composed of a Core, Broker and several Agents.
- DSMS Core: schedules monitoring jobs for dispatch, processes incoming analysis results, provides web interface, web API, and datastores services;
- DSMS Broker: provides a message queue that serves as the communication channel between the Core and the Agents, and facilitates file transfers;
- DSMS Agent: responsible for running analysis tasks, interfacing with external services, such as whois and other external vendor analysis services.
The speakers will share the design of DSMS and the problems faced, for example the integration of modules and the anti-fingerprinting measures used by malicious content hosts. HKCERT will share its experience in integrating DSMS with its cyber threat intelligence system (IFAS) and incident report management system (IRMS).
Effective Team Leadership and Process Improvement For Network Security Operators
Mr. Jeremy SPARKS (United States Air Force)
Captain Jeremy Sparks is the Weapons and Tactics Branch Chief at 24th Air Force, Joint Base San Antonio, Texas. Prior to taking his current post, Capt Sparks served as the Wing Weapons Chief at the 67 Cyberspace Wing where he oversaw tactics development for the USAF cyberspace force. During his 14 year career he has served as a Crew Commander at the USAF CERT, USAF CERT incident responder, USAF CERT Chief of Digital Forensics, and Cyber Threat and Network Defense instructor and curriculum developer for the USAF undergraduate cyber training schoolhouse. Capt Sparks is a distinguished graduate of Undergraduate Network Warfare Training, USAF Weapons School and a three-time presenter at the U.S. Department of Defense Cyber Crime Conference.
Background: Effective team leadership often comes with experience but there are ways to expedite the experience cycle. One such method is the debrief process used by militaries, primarily aviators, all over the world.
Summary: Debriefing is simply reconstructing and evaluating an event to determine how to replicate success and avoid repeat mistakes. A successful debrief depends on the ability to critically analyze events and the willingness to admit mistakes. The debrief process should encompass a review of events, identification of problems, determination of root causes and development of lessons learned. Critical self-analysis in the debrief process applies at the individual level as well as the organizational level. Debriefing is not a strategy for protecting a network. It is a method that should be used to evaluate how well you are performing a function, job or mission and provides the tools for constant improvement.
Impact: The USAF aviation and special operations communities have been using the debrief process for decades with tremendous success. Over the past several years, the USAF has applied those same principles to cyber warfare. By institutionalizing the debrief into daily operations, the USAF has observed significant gains in mission effectiveness.
Significance: The debrief process is the US DoD standard on how to perform a function, job or mission more effectively every time the function, job or mission is performed. The principles are straightforward and easily applied to non-military environments.
Technical level of the presentation: Low
Recommended target audience: Primarily team leaders and organizational leaders
Enabling Innovation in Cyber Security
Mr. Michael GORDON (Lockheed Martin)
We take it as a given that cyber threats continually evolve and grow in sophistication, but to defend against them too many organizations rely on static technologies, rigid organizations, and analysts with narrow skill sets. For defenders, every day brings entirely new problems, and it takes innovation to defeat sophisticated, dynamic threats. Teams must innovate to solve the right problems: they need the right visibility to know what the problems are, and real data to train solutions against. Organizations need a smaller pool of higher-skilled, well-rounded analysts, and should be built around collaboration and fostering creativity. Analysts and developers need to innovate side by side, in concert; the line between analyst and developer must blur. That innovation must then be applied across the enterprise to make a difference: innovation in a lab is great, but innovation as an enterprise solution actually stops the threats. Furthermore, innovation across a community of like-minded organizations makes a worldwide difference.
ENISA Threat Landscape: Current and Emerging Threat Assessment
Dr. Louis MARINOS (ENISA)
Dr. Louis Marinos is a senior expert at ENISA in the area of risk and threat management, with extensive experience in the management and operation of security and in the coordination of European expert groups.
Currently, he is responsible for projects in the area of the Emerging Threat Landscape. He is the author of, and the main person responsible for, the ENISA Threat Landscape. His expertise covers:
• Threat Analysis, Risk analysis, Risk Management and Business Continuity Planning, including SMEs, Member States and Critical Information Infrastructure Protection.
• Assessment and management of Emerging and Future Risks, Threats and trends hereof.
• Integration of Risk Management with operational and governance processes.
• Strategic consulting in the area of security for major firms in the financial, telecommunication and commercial sectors.
• Security management with regard to critical business areas, such as financial institutions, B2B and telecommunications.
For the third time, ENISA has performed a comprehensive threat assessment based on publicly available information.
The assessment consists of:
- Information collection
- Information collation
- Threat analysis
- Creation of context and
- Dissemination
The ENISA threat landscape contains information about:
- Current threats
- Threat Agents
- Attack vectors and
- Emerging threats
Besides the contents of the ENISA threat landscape, experiences with the process of threat intelligence collection will be discussed.
Evaluating the Effectiveness of Fuzzy Hashing Techniques in Identifying Provenance of APT Binaries
Ms. Bhavna SOMAN (Intel Corporation)
Bhavna Soman is a Cyber Analyst and Software Developer for Intel Corporation's APT response team. She works at the intersection of Threat Intelligence, Software and Data Analytics. Bhavna has a Masters degree in Information Security from Georgia Tech. Before joining Intel, she was a Threat Analyst at Damballa.
Knowledge and identification of malware binaries is a crucial part of detection and incident response. There was a time when an MD5 was sufficient to identify a binary: the reverse engineering analysis conducted once remained useful whenever the same MD5 hash was seen again. This has changed rapidly in recent years. Polymorphic samples of the same specimen change the file hash (MD5, SHA-x, etc.) with little effort by the attacker. Cyber criminals and advanced adversaries also reuse their codebase to create newer versions of their malware, but the changed file hash denies defenders any opportunity to connect new samples to, and leverage, previous analyses of similar ones. This gives attackers an asymmetric advantage.
In recent years, there has been research into "similarity metrics": methods that can identify whether, or to what degree, two malware binaries are similar to each other. Imphash, ssdeep and sdhash are examples of such techniques. In this talk, Bhavna Soman, Cyber Analyst at Intel Information Security, will review which of these techniques is most suitable for evaluating code similarity in APT-related samples. The presentation takes a data analytics approach. We will look at binary samples from APT events from January to March 2015 and create clusters of similar binaries based on each of the three similarity metrics under consideration. We will then evaluate the accuracy of the clusters and examine the implications for the effectiveness of each technique in identifying the provenance of an APT-related binary. This can help incident responders connect otherwise disparate infections in their environment to a single threat group and apply past analyses of the abilities and motivations of that adversary to conduct a more effective response.
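As an added illustration of the first of the three metrics named above (this is example code written for this page, not code from the talk or from Intel), the block below computes an import hash over a PE import table and clusters samples by it. The imphash convention it implements is an assumption that mirrors the one used by the pefile library (library name lowercased with a .dll/.ocx/.sys extension stripped, function name lowercased, entries joined as "lib.func" with commas in import-table order, then MD5); pefile additionally maps ordinals of a few well-known libraries back to names, which is omitted here. The sample import tables and file bodies are constructed, not real binaries.

```python
"""Cluster malware samples by import hash (imphash) instead of by file hash.

Added example, not code from the talk. The imphash convention is an assumption
modelled on pefile's (see lead-in); ordinal-to-name resolution is omitted.
Samples are constructed.
"""
import hashlib
from collections import defaultdict

LIB_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """The comma-joined 'lib.func' string that gets hashed.

    imports: list of (library, function_name_or_ordinal) in import-table order.
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in LIB_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def file_md5(body):
    return hashlib.md5(body).hexdigest()


def cluster(samples, key):
    """Group sample names by key(sample); returns {hash: [names...]}."""
    groups = defaultdict(list)
    for name, sample in samples.items():
        groups[key(sample)].append(name)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed samples. A and B share an import table but differ in bytes
# (a rebuilt or polymorphic variant); C is unrelated code with another API set.
COMMON_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", 2),                 # ordinal import
    ("ADVAPI32.dll", "RegSetValueExW"),
]
SAMPLES = {
    "sample_A.exe": {"imports": COMMON_IMPORTS, "body": b"MZ" + b"\x90" * 64 + b"A"},
    "sample_B.exe": {"imports": COMMON_IMPORTS, "body": b"MZ" + b"\x90" * 64 + b"B"},
    "sample_C.exe": {"imports": [("KERNEL32.dll", "VirtualAlloc"),
                                 ("USER32.dll", "MessageBoxW")],
                     "body": b"MZ" + b"\xcc" * 64 + b"C"},
}


def clusters_by_md5():
    """Every sample lands in its own cluster: file hashes differ."""
    return cluster(SAMPLES, lambda s: file_md5(s["body"]))


def clusters_by_imphash():
    """A and B fall together: same import table, different bytes."""
    return cluster(SAMPLES, lambda s: imphash(s["imports"]))


if __name__ == "__main__":
    print("MD5 clusters:    ", sorted(clusters_by_md5().values()))
    print("imphash clusters:", sorted(clusters_by_imphash().values()))
```

The caveat a responder should keep in mind: imphash also groups unrelated binaries that happen to share a compiler or packer import stub, so an imphash cluster is a lead to be confirmed, not proof of common provenance; content-similarity hashes such as ssdeep and sdhash look at the bytes themselves and trade that weakness for others, which is what the talk's comparison is about.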
Fact Tables - A Case Study in Reducing Reactive Intrusion Time-to-Know by 95%
Mr. Jeff BOERIO (Intel Corp.)
Jeff Boerio has a Bachelor of Science Degree in Computer Science from Purdue University and has been with Intel since graduating in 1993. The early part of his career at Intel was spent as embedded UNIX/Linux IT support for microprocessor design teams. Among his many achievements was establishing common open source and commercial software practices across Intel’s global design environment. Since 2004, Jeff has been part of the company’s information security organization where he helped develop the company’s cyber incident response processes. He is currently part of the advanced threat detection team, developing a variety of heuristic anomaly detection and new takes on traditional event correlation to identify suspicious activities in the enterprise. Jeff represents Intel’s interests with industry organizations including FIRST, IT-ISAC and ICASI, and has had leadership roles in special interest groups in those organizations. Away from work, Jeff lives with his wife and son on a small farm in the heart of Oregon’s wine region, juggling work and home life with extracurricular activities that include photography, motor sports, wine, martial arts, soccer, bicycling and rock n’ roll music.
If Operation Aurora in 2009-2010 was not a wake-up call to enterprises that foreign entities could and did infiltrate organisations running best-in-class network defenses and monitoring solutions, then the recent string of intrusions and data breaches at big box stores such as Target and The Home Depot and at major financial institutions including JP Morgan Chase certainly should be. Once intelligence crosses the desk of enterprise incident responders, the problem, assuming you are collecting the data to begin with, is that there is simply too much data to sift through to determine whether you have a problem or not. This talk describes the ways in which we have addressed that problem.
Over the past few years, we have built up our own data warehouse, analytics and security business intelligence (SBI) capabilities. We started by looking at the "big six" event sources that we believed offered the biggest return on our investment and were able to answer questions about what happened and when: SMTP headers, web proxies, Active Directory, DHCP, VPN, and DNS. We invested in technologies that allow us to ingest large volumes of data, keep it for a relatively long period of time, and query those archives with great speed.
In this talk, we will review the painful history of trying to pull logs before our SBI capabilities were put into place, how data warehouse solutions provided improvement, and how we turned some lunchtime conversations into enterprise-class search capabilities that have reduced our time to know about industry-reported incidents by more than 95%. We will conclude with how we are further automating the capabilities and, in an unconstrained world, where they could be taken.
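To make the fact-table idea behind the talk concrete, here is an added example written for this page (it is not code from Intel's SBI system). It joins three of the "big six" sources named above (DHCP, DNS and web proxy) in SQLite: each raw event is resolved to a host at load time, via the DHCP lease active at that moment, and stored as one row per (time, host, indicator, source). An industry-reported indicator then becomes a single indexed lookup instead of a hunt across several logs. The schema, the log lines and the indicator domain are constructed.

```python
"""Fact table over DHCP, DNS and web-proxy events, queried by indicator.

Added example, not Intel's code. Schema and log lines are constructed.
"""
import sqlite3
from urllib.parse import urlsplit

# Constructed DHCP leases: one IP handed to two different laptops in one day,
# with a gap between the leases.
DHCP = [
    ("2015-06-15T08:00:00", "2015-06-15T12:00:00", "10.1.2.50", "aa:bb:cc:00:00:01", "lt-alice"),
    ("2015-06-15T12:30:00", "2015-06-15T18:00:00", "10.1.2.50", "aa:bb:cc:00:00:02", "lt-bob"),
]
# Constructed DNS query log: (timestamp, client IP, queried name).
DNS = [
    ("2015-06-15T09:15:00", "10.1.2.50", "update.evil-example.test"),
    ("2015-06-15T12:15:00", "10.1.2.50", "update.evil-example.test"),  # no active lease
    ("2015-06-15T13:05:00", "10.1.2.50", "cdn.benign-example.test"),
    ("2015-06-15T13:10:00", "10.1.2.50", "update.evil-example.test"),
]
# Constructed proxy log: (timestamp, client IP, URL, HTTP status).
PROXY = [
    ("2015-06-15T09:15:02", "10.1.2.50", "http://update.evil-example.test/a.bin", 200),
    ("2015-06-15T13:10:01", "10.1.2.50", "http://update.evil-example.test/a.bin", 403),
]

SCHEMA = """
CREATE TABLE dhcp(lease_start TEXT, lease_end TEXT, ip TEXT, mac TEXT, host TEXT);
CREATE TABLE dns(ts TEXT, client_ip TEXT, qname TEXT);
CREATE TABLE proxy(ts TEXT, client_ip TEXT, host_hdr TEXT, url TEXT, status INTEGER);
-- The fact table: one row per event, already resolved to a host.
CREATE TABLE fact(ts TEXT, host TEXT, mac TEXT, ip TEXT, indicator TEXT, source TEXT);
CREATE INDEX fact_indicator ON fact(indicator);
"""

# LEFT JOIN keeps events with no matching lease (host NULL) instead of silently
# dropping them: a gap in DHCP coverage must stay visible to the analyst.
# ISO-8601 timestamps compare correctly as text, so BETWEEN works on them.
LOAD_FACTS = """
INSERT INTO fact
  SELECT d.ts, h.host, h.mac, d.client_ip, d.qname, 'dns'
  FROM dns d LEFT JOIN dhcp h
    ON h.ip = d.client_ip AND d.ts BETWEEN h.lease_start AND h.lease_end;
INSERT INTO fact
  SELECT p.ts, h.host, h.mac, p.client_ip, p.host_hdr, 'proxy'
  FROM proxy p LEFT JOIN dhcp h
    ON h.ip = p.client_ip AND p.ts BETWEEN h.lease_start AND h.lease_end;
"""


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO dhcp VALUES (?,?,?,?,?)", DHCP)
    db.executemany("INSERT INTO dns VALUES (?,?,?)", DNS)
    db.executemany(
        "INSERT INTO proxy VALUES (?,?,?,?,?)",
        [(ts, ip, urlsplit(url).hostname, url, st) for ts, ip, url, st in PROXY],
    )
    db.executescript(LOAD_FACTS)
    return db


def events_for_indicator(db, indicator):
    """Every event touching the indicator, oldest first: (ts, host|None, ip, source)."""
    return db.execute(
        "SELECT ts, host, ip, source FROM fact WHERE indicator = ? ORDER BY ts",
        (indicator,),
    ).fetchall()


def hosts_for_indicator(db, indicator):
    """Distinct hosts that touched the indicator; None marks unresolved events."""
    return sorted({row[1] for row in events_for_indicator(db, indicator)}, key=str)


def report(indicator):
    """Build the warehouse from the constructed logs and answer one question."""
    return events_for_indicator(build_db(), indicator)


if __name__ == "__main__":
    for row in report("update.evil-example.test"):
        print(row)
```

The query answers "which host, not just which IP, touched this indicator and when" in one lookup, and the NULL-host row shows why the join must be a LEFT JOIN: the 12:15 query falls between two leases, and dropping it would hide exactly the kind of coverage gap that delays time-to-know.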
Ms. Merike KAEO (Doubleshot Security)
Merike Kaeo is the founder and Chief Network Security Architect at Doubleshot Security, which provides strategic and operational guidance to secure startup, small enterprise and Fortune 100 companies. In past roles she has held CISO and CTO positions, leading corporate security strategy and defining and implementing security incident response processes. She led the first security initiative for Cisco Systems in the mid 1990s and authored the first Cisco book on security, translated into more than eight languages and leveraged for prominent security accreditation programs such as CISSP. Merike is a contributor to many international standards bodies including the IETF, the EU NIS Platform and NIST security standards. She has been on ICANN's Security and Stability Advisory Council (SSAC) since 2010 and the FCC's Communications Security, Reliability and Interoperability Council (CSRIC) since 2012. Merike earned an MSEE from George Washington University and a bachelor's degree in Electrical Engineering from Rutgers University.
Government initiatives from the European Union and the US have been working on standardizing frameworks for cyber security resiliency and information sharing initiatives. The Internet and Jurisdiction project has been working on a global multi-stakeholder framework for multinational due process for combatting cyber crime. The IETF has been standardizing protocols and mechanisms to utilize security related posture and threat information to automate protecting endpoints. This talk will provide an updated and consolidated view of the standards the international government, law enforcement, technical and operational communities are creating to more effectively combat cyber related crime and automate mitigation processes.
Hands-on Network Forensics
Mr. Erik HJELMVIK (FM CERT)
Erik Hjelmvik is an incident handler at the Swedish Armed Forces CERT (FM CERT). Erik is also well known in the network forensics community for having created NetworkMiner, which is an open source network forensics analysis tool. NetworkMiner is downloaded more than 300 times per day from SourceForge and is also included on popular live-CDs such as Security Onion and REMnux.
Network Forensics and Network Security Monitoring (NSM) are becoming increasingly important practices for incident responders in order to detect compromises as well as to trace the steps taken by intruders. In this interactive hands-on tutorial, participants will learn how to perform network forensic analysis in an incident response scenario. They’ll be provided with a virtual machine and a set of PCAP files containing network traffic captured at the network perimeter of a made-up corporation. The PCAP data set was captured specifically for the FIRST 2015 Conference from a real Internet connected network.
Who should come?
- Attendees who want to improve their skills at finding evil stuff in full content packet captures
Who should NOT come?
- Attendees who are afraid of using the Linux command line
Prerequisites:
- Laptop with 64 bit operating system
- 30 GB free disk space
- VirtualBox (64 bit) installed (VMWare will not be supported in the workshop)
The VirtualBox VM will be distributed on USB flash drives during the workshop. However, in order to get a quick start, we recommend attendees to download the zipped virtual machine from the link below in time before the workshop.
Hands-on Pen Testing iOS Apps
Mr. Kenneth VAN WYK (KRvW Associates, LLC)
Kenneth R. van Wyk is an internationally recognized information security expert and author of three popular books on incident response and software security. He is also a monthly columnist for Computer World and a member of FIRST's Board of Directors.
Ken has 25 years of experience as a security practitioner in the US Government, commercial, and academic sectors. He has held senior technologist positions with the US Department of Defense, Carnegie Mellon University, Para-Protect, and SAIC. He is currently the president and principal consultant of his consulting/training practice, KRvW Associates, LLC, located in Alexandria, Virginia.
This session will provide a quick but deep dive into penetration testing iOS applications. Using a jailbroken device, security testers are able to actively probe an app's run-time environment to discover and exploit potential architectural weaknesses in iOS apps. In this session, we'll explore how these testing techniques can be used after an incident occurs, in order to determine possible points of system compromise during the incident. The same techniques can be used to perform dynamic analysis of iOS incident artifacts.
If you would like to prepare for the session, please download the ZIP file for your convenience. (The tools are iExplorer and pre-compiled “class-dump-z”.) You can download the tools from http://krvw.com/iTools.zip
The download is optional of course, but you may find them useful for the hands-on portions of my class.
Hey! You! Get Off of My Cloud! Attacks Against Cloud Server Honeypots
Martin LEE (Alertlogic), Neil RANKIN (Alertlogic)
The widespread adoption of cloud infrastructure exposes organisations to new threats and presents new opportunities for attackers. Deploying honeypots in the cloud allows the collection and analysis of attack data showing how attackers seek to compromise servers in this environment. Understanding and reacting to the different strategies used by attackers allows security teams to optimise defenses against threats in real time.
In this presentation we will discuss how honeypots can be deployed in the cloud, and present detailed analysis of attacks against Alert Logic’s cloud honeypot system.
Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies), Dr. Marie MOE (SINTEF ICT)
Dr. Marie Moe is a research scientist at SINTEF ICT, and has a Ph. D. in information security. Marie is passionate about incident handling and information sharing. She has experience as a team leader at NSM NorCERT, the Norwegian national CERT. Marie Moe is also an associate professor at the Center for Cyber and Information Security (CCIS) in Norway, where she teaches a class on incident management and contingency planning.
Eireann Leverett is a Senior Risk Researcher at the Cambridge Centre for Risk Studies. He works in the areas of peril modelling, cyber-catastrophe, cyber-insurance, technological disasters, network science, and macro-economics. He is also an accomplished hacker, with a focus on systemic risks to industrial systems.
Asset owners who have vulnerable systems, or who are victims of compromise, are often unaware of the situation. This talk will focus on how to go about informing industrial system owners of the situation: how can we reach out to many at the same time, how can we inform vendors of vulnerabilities, and how can we inform asset owners that their networks and devices are exposed?
Between the two speakers, thousands have been informed in this manner. They will discuss the methods, the bedside manner, and the outcomes, covering notifications to CERTs about industrial systems on the internet (a couple of thousand), vendor vulnerability notifications (20), and Havex notifications in Norway's oil, gas and energy sectors (550).
During the summer of 2014 the Norwegian oil, gas and energy sector was subject to a large coordinated cyber attack in which selected recipients were targeted in a spear-phishing campaign carrying Havex. Due to the severity and extent of the campaign, NSM NorCERT decided to initiate a large warning distribution, reaching out to a total of 550 Norwegian companies.
Since NorCERT did not have a complete contact list of all the potential victims in these sectors this broad distribution was achieved by the CERT working together with the respective sectoral authorities.
NSM NorCERT issued an alert to the Petroleum Safety Authority Norway (PTIL), the Norwegian Water Resources and Energy Directorate (NVE), FinansCERT (the industry CSIRT for the financial sector in Norway) and directly to companies in the oil and energy sectors that were already cooperating with NorCERT. The respective authorities then forwarded this information to all affected parties. Letters were sent to targeted companies that were not covered by NVE's and PTIL's authority.
The alert contained a list of indicators of compromise and a recommendation to search their systems. This resulted in a significant number of new findings. NSM NorCERT worked directly with the companies that had findings, assisting them with artifact analysis and incident handling coordination.
The outreach campaign also attracted media attention, which created some noise and prompted questions at higher levels in the targeted organizations. To build awareness and answer some of these questions, a larger conference meeting was arranged for the alert recipients in the fall of 2014.
Implementation of Machine Learning Methods for Improving Detection Accuracy on Intrusion Detection System (IDS)
Mr. Bisyron MASDUKI (Id-SIRTII), Mr. Muhammad SALAHUDDIEN (Id-SIRTII)
Bisyron Wahyudi is the Vice Chairman of ID-SIRTII/CC (Indonesia Security Incident Response Team on Internet Infrastructure) for Data Center and Application. He is a computer scientist with over twenty years of professional experience in software/application development and a broad-ranging solution architect with exposure to enterprise solution development, solution architecture design, and solution delivery. He pursued postgraduate studies in software engineering at the Institute of Technology Bandung, Indonesia, and Université Thomson, France. He has also been working for more than ten years in the field of network and information security, and is actively involved in several information and network security working groups, workshops, and trainings in the areas of cyber security collaboration, capacity building, critical information infrastructure protection, information security standards and compliance, incident handling, and CERT/CSIRT establishment and management.
Muhammad Salahuddien is Vice Chairman of Operation and Network Security of Id-SIRTII/CC, the national CSIRT of Indonesia. He is responsible for maintaining the daily operation of the internet security monitoring center, for incident management (reporting and handling), and for improving core internet services and critical infrastructure security and protection at the national level, in coordination and collaboration with other initiatives. He has more than twenty years of experience in ISP operations, internet infrastructure design, network and service security assurance, and disaster recovery. He holds a Master's degree in Information Security from Swiss German University and is now a PhD candidate at the University of Indonesia.
Abstract: Many computer-based devices are now connected to the Internet. These devices are widely used to manage critical infrastructure such as energy, aviation, mining, banking and transportation. The data and information transmitted over the Internet infrastructure have a very high strategic and economic value, and as that value increases, so do the threats and attacks against them. Statistical data show a significant increase in threats to cyber security. Governments are aware of these threats and respond with cyber security systems that can perform early detection of threats and attacks on the Internet.
The success of a nation's cyber security system depends on the extent to which it can produce its own cyber defense systems independently. Independence means the ability to process and analyze data and to act to prevent threats or attacks originating from within and outside the country. One system that can be developed independently is an Intrusion Detection System (IDS), which is very useful for early detection of cyber threats and attacks.
The value of an IDS is determined by its ability to detect cyber attacks with few false detections. This work studies how to implement a combination of machine-learning methods in an IDS to reduce false detections and improve the accuracy of attack detection. It is expected to produce a prototype IDS equipped with a combination of machine-learning methods to improve accuracy in detecting various attacks. The machine-learning component is expected to identify the specific characteristics of attacks occurring in the country's or region's Internet network. The novelty of the methods and implementation techniques used, together with the national strategic value, are the unique value and advantages of this work.
Incident Response and its role in protecting critical infrastructure
Margrete RAAUM (FIRST Chair)
Energy is one of the most critical and vulnerable parts of what we consider our critical infrastructure. It is the target of advanced attacks, for both political and economic reasons, by highly skilled and patient attackers. The attack rate is rising at an alarming rate, and the change in skill sets within organizations does not always keep pace. To complicate matters further, these critical services are run on legacy systems that were never designed to withstand cyber attacks. Preparing for attacks, and having sound procedures for incident response, are key elements in avoiding devastating results.
We will discuss the elements that have to be in place, discuss the unique challenges in industrial control system environments and look at some ways of moving forward together with the global ICS community.
President of FIRST (Forum of Incident Response and Security Teams)
Team leader of the Norwegian Energy Sector CERT (KraftCERT)
Margrete Raaum has experience from the academic sector, the ISP community, the national CERT (NorCERT) and the energy sector (the transmission/grid operator). She has many years of experience in building and strengthening incident response capabilities in these sectors, and she is currently leading the newly started Norwegian Energy Sector CERT, working on strengthening the readiness and resilience of energy sector companies and other process control industries in critical infrastructure. She has been active in communities such as FIRST (Forum of Incident Response and Security Teams) and TF-CSIRT for almost 10 years, and she is the current president of FIRST.
Her background is from computer science and electronics, network architecture and security, and she has worked on a range of security related issues.
Incident Response Programming with R
Mr. Eric ZIELINSKI (Nationwide)
Eric Zielinski is a Lead Forensic Examiner and Incident Responder for a Fortune 100 company. With over 15 years of security leadership experience he has performed attack and penetration, forensics, incident response, and security monitoring. His experience ranges from working for an ISP to security consulting, to managed security services, and financial institutions. He has been engaged in various infosec community initiatives such as the development of the Exfiltration Framework as well as a speaker at various conferences such as FIRST, CEIC, and many others. He is a certified EnCE and member of HTCIA.
This presentation dives into the open source programming language R. R has primarily been used for statistical computing and graphics in the past. We attempt to bring a new programming language to the incident response community by teaching responders the basics of R and how it can be leveraged during live incident response. The session will focus on reading and writing data, graphing incident data, data manipulation, and data modeling. We will walk through several log analysis scenarios, using R to quickly identify the data we are interested in analyzing. This session aims to provide an introduction to R as well as touch on a few advanced topics.
INTECO-CERT Team Update
Javier BERCIANO (INTECO-CERT)
Recent changes at INTECO and INTECO-CERT, including new constituencies and specialized services for the different constituencies.
IPv6 Security Hands-on
Mr. Frank HERBERG (SWITCH-CERT)
After completing his studies in engineering, Frank Herberg worked on IT infrastructure and security projects for a number of technology consulting firms. In 2012, he joined SWITCH-CERT, where one of his specialisms is IPv6 security. In the past years he has conducted various IPv6 security trainings and hands-on workshops for the security community.
This workshop will cover
- Why IPv6 is an extensive security topic
- Overview of the differences to IPv4 - relating to security
- Deep dive into selected protocol details and their associated attacks (incl. demonstrations)
- What are the latent security risks for organizations today
- Recommended IPv6 Security Resources and Tools
Presentation Time: 14:00 - 17:30
Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites
Mr. Hiroshi KOBAYASHI (JPCERT/CC), Takayuki UCHIYAMA (JPCERT)
Takayuki Uchiyama
Taki works at JPCERT/CC as an Information Security Analyst. He is part of the Information Coordination Group within JPCERT/CC, and his main tasks include vendor/CSIRT coordination on security reports, mainly dealing with vulnerabilities, as well as maintaining communications with the various communities across the globe.
Previous work includes being a compliance consultant, where main tasks involved working with Japanese clients to obtain FIPS 140-2 validations and drafting security documents, in addition to administration of employee benefit plans such as 401(k) and defined benefit plans.
Hiroshi Kobayashi
Hiroshi Kobayashi is a member of the Incident Response Team at JPCERT/CC. Since 2011, he has been handling domestic computer security incidents at the forefront. In addition to his role as an incident handler, he engages in incident analysis and related system development and operation. One of his significant contributions was the design and development of the "Open DNS Resolver Check Site" (http://www.openresolver.jp/en/), an easy-to-use online tool released in 2013.
Before joining JPCERT/CC, he engaged in incident handling and network operation in a Japanese company.
While Targeted Attacks are one of the main concerns in cyber security in recent years, many CSIRTs are still struggling with malicious websites such as defaced websites and phishing sites.
This presentation intends to cover some noteworthy features seen in HTML/Javascript used in actual website defacement cases including SQL injection and watering hole attacks.
It will also introduce a new tool “ChkDeface”, created and implemented at JPCERT/CC, and share its secure and efficient monitoring method utilizing malicious site characteristics, such as signatures.
JPCERT/CC is planning to share the source code of this tool to some CSIRTs within the community, with the hope that the signatures and the tool can be practically utilized to trigger deeper discussion among the many security experts about more precise detection methods.
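As an added example of the kind of check a deface monitor performs (this is example code written for this page; it is not ChkDeface, and its signatures are illustrative assumptions rather than the ones JPCERT/CC will present), the block below combines two checks: a content baseline (has the monitored page changed at all?) and signature matching on the raw HTML/JavaScript (does the change look like an injected hidden iframe, an obfuscated loader, or a defacement banner?). The page is inspected as text only and never rendered, so the monitor itself never executes a script served by a compromised site. The HTML pages are constructed.

```python
"""Defacement / injection check for a monitored web page.

Added example, not JPCERT/CC's ChkDeface. Signatures are illustrative
assumptions; pages are constructed. The HTML is treated as text only.
"""
import hashlib
import re

SIGNATURES = {
    # iframe sized to zero or hidden by style: classic drive-by injection
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:(?:width|height)\s*=\s*[\"']?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    # eval() over unescape()/atob()/fromCharCode(): common obfuscated loader
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(", re.I),
    # long base64 blob handed to atob(): encoded script stage
    "base64_blob": re.compile(
        r"atob\s*\(\s*[\"'][A-Za-z0-9+/]{60,}={0,2}[\"']", re.I),
    # textual defacement banner
    "deface_banner": re.compile(r"\b(?:hacked|owned|defaced)\s+by\b", re.I),
}

_WS = re.compile(r"\s+")


def content_fingerprint(html):
    """SHA-256 over whitespace-normalised HTML; stored as the page baseline."""
    return hashlib.sha256(_WS.sub(" ", html).strip().encode("utf-8")).hexdigest()


def match_signatures(html):
    """Names of the signatures that fire on the page, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(html))


def check_page(html, baseline_fp):
    """One monitoring round: compare against the baseline, then scan."""
    fp = content_fingerprint(html)
    hits = match_signatures(html)
    if hits:
        verdict = "malicious"
    elif fp != baseline_fp:
        verdict = "changed"   # legitimate update or unknown injection: needs a look
    else:
        verdict = "unchanged"
    return {"verdict": verdict, "changed": fp != baseline_fp,
            "signatures": hits, "fingerprint": fp}


# Constructed pages.
CLEAN = """<html><head><title>Example Corp</title></head>
<body><h1>Welcome</h1><p>Opening hours: 9-17.</p>
<script src="/static/app.js"></script></body></html>"""

INJECTED = CLEAN.replace(
    "</body>",
    '<iframe src="http://bad.example.test/x.php" width="0" height="0" '
    'style="display:none"></iframe></body>')

DEFACED = "<html><body><h1>Hacked by TeamX</h1></body></html>"

EDITED = CLEAN.replace("9-17", "9-18")   # benign content change


def demo():
    """Verdict per constructed page against the CLEAN baseline."""
    baseline = content_fingerprint(CLEAN)
    return {name: check_page(page, baseline)["verdict"]
            for name, page in [("clean", CLEAN), ("injected", INJECTED),
                               ("defaced", DEFACED), ("edited", EDITED)]}


if __name__ == "__main__":
    print(demo())
```

The "changed" verdict without a signature hit is the case that makes signature sharing between CSIRTs valuable: a benign edit and a novel injection look the same to the baseline check, and only a good signature set (or an analyst) separates them.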
Keynote Presentation: Collaborative Security - Reflections about Security and the Open Internet - Potsdam I
Olaf KOLKMAN (Internet Society)
As Chief Internet Technology Officer, Olaf has responsibility for leading Internet Society’s Strategic Technical activities, particularly as they pertain to issues and opportunities for enhancing the Internet’s evolution.
Olaf has been actively involved with Internet technologies since his astronomy studies in the early nineties. The Internet became his professional focus in 1996, when he joined the RIPE NCC to develop the first version of what has become a worldwide test network. In 2007 he became the managing director of NLnet Labs. Under his responsibility NLnet Labs produced open-source products, performed research on technical issues with global impact, contributed actively to the regional and global collaborative standards and governance bodies (e.g. ICANN, RIPE, IETF), and 'pushed the needle' on the development and deployment of DNSSEC.
Kolkman describes himself as an Internet generalist and evangineer, somebody with deep knowledge on some of the Internet's technical aspects who particularly enjoys bridging the technology-society-policy gaps.
Notable Accomplishments
Olaf Kolkman has had numerous responsibilities in the Internet Engineering Task Force (IETF), the premier standards organization for the Internet. He chaired the IETF DNS Extension Working Group (dnsext) and the Web Extensible Internet Registration Data Service (weirds) working groups. He was IAB member from 2006 to 2012 and its chair between March 2007 and March 2011. He was member of the IETF Administrative Oversight Committee (IAOC) and the IETF Trust, and was Acting RFC Series Editor in 2011.
He is the IETF/ISOC representative on the European Multi-Stakeholder Platform on ICT Standardization and a Trusted Community Representative in the context of the DNS Root-Signing ceremony.
Olaf Kolkman is based in the Netherlands, where he lives with his family. He tweets as @kolkman.
Machine Learning for Cyber Security Intelligence
Mr. Edwin TUMP (NCSC-NL)
Edwin Tump received his bachelor's degree in Computer Science at the Polytechnic of The Hague. His main focus during his study was the development of software and technical infrastructures. During the first years of his career, he touched on various subjects of information science working as a systems developer, Windows NT systems administrator, Oracle DBA, X.25 network administrator and security specialist.
Since 2005, Edwin has been working for NCSC-NL (formerly GOVCERT.NL), first as a security specialist and currently as a security analyst. He is, among other things, involved in analyzing current threats, developing and testing tools and writing reports like factsheets, the NCSC Monthly Monitor and the annual Dutch National Cyber Security Assessment.
When not working, Edwin enjoys visiting matches of Rotterdam soccer club Feyenoord and travelling.
The Dutch National Cyber Security Centre (NCSC-NL) continually monitors both public and private sources for digital threats, vulnerabilities and ICT security developments. These sources provide a large amount of news items that are analyzed for both operational threats and tactical/strategic developments and trends.
For the operational process, NCSC-NL has a clustering solution in place to combine common news items, but this solution is less suitable for a longer term analysis of these developments by the analysts of NCSC-NL. Determining the main stories, topics and developments over a time period of e.g. a week, a month or a year is still carried out manually and is therefore time-intensive and error-prone.
NCSC-NL started a project with the Dutch National Forensic Institute (NFI) to explore ways to analyze the available information more effectively and more efficiently, especially over longer periods of time. In this project, the expertise of the NFI in big data analytics and text mining was combined with the available data, requirements and analysis expertise of the specialists at NCSC-NL. At the start of the project, the process that analysts follow and the data available were explored and ways in which an automated system could support in this process were identified. Then, two of the possible solutions (automatic relevance determination and automatic dossier suggestions) were studied in depth and, based on an agile scrum approach, proof-of-concepts were developed.
These project results will now be used to develop a production-ready solution, that is likely to be integrated with the tooling used by NCSC-NL. As other organizations within the community are facing identical operational challenges and are using similar tools to gather information, the project results will not only be useful for NCSC-NL but are also significant for the community as a whole.
Malware in Your Pipes: The State of SCADA Malware
Mr. Kyle WILHOIT (Trend Micro)
Kyle Wilhoit is a Threat Researcher at Trend Micro on the Future Threat Research Team. Kyle focuses on original threats and malware. Kyle also actively tracks crimeware and targeted malware based espionage worldwide. Kyle has spoken at many worldwide conferences such as FIRST, HiTB, and Blackhat US/EU and he has been featured on New York Times, LA Times, Fox Business, ABC and many additional outlets. Prior to joining Trend Micro, Kyle worked at Fireeye as a Threat Intelligence Analyst focusing on state-sponsored attacks and criminal activity. He was also the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and targeted persistent threats. Kyle is also involved with several open source projects and actively enjoys reverse engineering things that shouldn’t be.
Malware within SCADA environments is becoming more prevalent, and the trend is increasingly worrisome. SCADA-related malware and its motives are typically complex, and we will cover the motives behind several SCADA-related attacks. We will cover the current state of SCADA-related malware and its effects on systems and environments. In addition, we will infect a live ICS lab and monitor what the malware is doing and why. This talk will cover never-released details about SCADA attacks and the malware behind those attacks.
Maximizing Value of your Threat Intelligence for Security Incident Response
Mr. Jonathan TOMEK (Lookingglass Cyber Solutions)
Allan Thomson (Lookingglass CTO)
Jonathan Tomek (Lookingglass)
Background:
Today’s threat intelligence typically varies significantly from source to source. These differences sometimes manifest themselves in easily quantifiable ways, such as structure and format, but also in much more complex and subtle ways such as context, ontology, overlap, reputation of the provider, reliability of the data contained in all or part of the feed, and distribution mechanisms. Threat analysts and security operations staff are faced with a plethora of feed choices offering differing value to their particular organization or threat landscape. They are also faced with making critical and rapid risk decisions based on sometimes incomplete and untrusted threat intelligence. Is there a better way to utilize this intelligence to improve incident response efforts?
Abstract:
This presentation will highlight the outcomes of an analysis of threat intelligence feeds and their use in security operational environments. We will present the limitations and challenges that exist, but will also describe the effective aspects each intelligence feed offers, and discuss the myriad challenges associated with working with threat intelligence feeds in a security operational environment.
In addition, we will then explore how security operations/threat analysts can use threat intelligence feeds more effectively in order to move towards a more automated approach to the intel -> incident response lifecycle. Lastly we will explore what analysts should expect in threat intelligence feeds and their use inside a security incident environment.
Audience:
The intended audience of this presentation is threat analysts, security operations personnel and incident-response decision makers responsible for the use of threat intelligence in their security toolkit.
Monoculture - Is it working?
Mr. Damir ‘Gaus’ RAJNOVIC (Panasonic)
The monoculture concept in the context of computer security is introduced in the article “CyberInsecurity: The Cost of Monopoly,” by Dan Geer, et al. In it the authors argue that if an organization depends solely on a single vendor, any security problem affecting that product will affect the entire organization. The corollary is that diversification will improve the security of an organization. A simplistic interpretation of the monoculture argument is to buy products that perform the same function from different vendors.
This talk will examine whether the solution to the monoculture argument is universally valid. The assumptions underpinning the monoculture argument are examined and the fallacies found in these assumptions are presented. It will be shown that commercially developed products, presumably independently developed, have common points of failure.
Panel: Building an effective National CERT team
Besnik LIMAJ (Moderator)
Moderator: Besnik Limaj
1. Natalia Spinu, Head Cyber Security Center, Moldova
2. Ms. Sharifah Roziah Mohd Kassim, CERT, Malaysia
natalia-spinu.pdf
Panel: Challenges of Cybercrime
Paul RAINES (Moderator, UNDP)
Moderator: Besnik Limaj
1. Visar Pacolli, Cybercrime unit, Kosovo
2. Artur Degteariov, Cybercrime unit, Moldova
artur-degteariov.pdf
visar-pacolli.pdf
Passive Detection and Reconnaissance Techniques to Find, Track and Attribute Vulnerable "Devices"
Mr. Alexandre DULAUNOY (CIRCL - Computer Incident Response Center Luxembourg), Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies)
Alexandre Dulaunoy (@adulau)
Alexandre encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix specialized in information security management, and the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL, the national Luxembourgian Computer Security Incident Response Team (CSIRT) in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. Alexandre enjoys working on projects where there is a blend of free information, innovation and a direct social improvement. When not gardening binary streams, he likes facing the reality of ecosystems while gardening or doing photography.
Eireann Leverett (@blackswanburst)
Éireann Leverett studied Artificial Intelligence and Software Engineering at Edinburgh University and went on to get his Masters in Advanced Computer Science at Cambridge. He studied under Frank Stajano and Jon Crowcroft in Cambridge's computer security group. In between he worked for GE Energy for 5 years and has just finished a six month engagement with ABB in their corporate research Dept. He worked for IOActive in their world class Industrial Systems Security team. Eireann is a Risk Researcher at the Centre for Risk Studies (Cambridge), where his research focuses upon technological disasters and the economic impacts of computer security failures or accidents.
The Internet is still composed of a significant number of devices (e.g. industrial control devices, network equipment or smart devices) with obvious vulnerabilities. The role of an incident response team, especially at a national level, is to know the current level of threat against such vulnerable equipment and the associated risks to the exposed equipment. Incident response teams may face legal issues when pro-actively scanning such equipment for vulnerabilities. This research overcomes these limits by focusing on existing data collected by other organisations to passively discover the vulnerable systems (and the owners of the systems, which can be a challenge for an incident response team). The passive data collection includes significant datasets like X.509 certificates, Passive DNS records and public Internet-wide scans.
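As an added illustration of the passive approach (example code written for this page, not the authors' tooling), the following Python takes constructed records in the shape of an Internet-wide TLS scan export, parses the X.509 subject and issuer DNs, matches the subject CN against constructed device fingerprints, raises confidence when the certificate is self-signed (the factory certificate was never replaced), and attributes each hit to an owner through a constructed passive DNS table. The record keys (`ip`, `port`, `subject`, `issuer`), the device names and CN patterns, the passive DNS lines and the "last two labels" owner heuristic are all assumptions; a real deployment would use a public suffix list and the datasets the abstract names.

```python
import json
import re

# Constructed scan export (hypothetical format: one JSON object per line with the keys
# `ip`, `port`, `subject` and `issuer`; not a real dataset).
SCAN_RECORDS = """\
{"ip": "203.0.113.10", "port": 443, "subject": "CN=ACME-PLC-Gateway,O=ACME Default", "issuer": "CN=ACME-PLC-Gateway,O=ACME Default"}
{"ip": "203.0.113.11", "port": 443, "subject": "CN=www.shop.example,O=Shop Ltd", "issuer": "CN=Example Public CA,O=Example Trust"}
{"ip": "198.51.100.7", "port": 8443, "subject": "CN=WIDGETRON-CAM-0A1B2C,O=Widgetron", "issuer": "CN=WIDGETRON-CAM-0A1B2C,O=Widgetron"}
{"ip": "198.51.100.9", "port": 443, "subject": "CN=ACME-PLC-Gateway,O=ACME Default", "issuer": "CN=Example Public CA,O=Example Trust"}
"""

# Constructed passive DNS observations: "<ip> <name that was seen resolving to it>".
PASSIVE_DNS = """\
203.0.113.10 plc-gw.plant.utility-example.net
203.0.113.11 www.shop.example
198.51.100.9 plc2.site.retail-example.com
"""

# Constructed fingerprints (invented product names): device label -> regex over the subject CN.
DEVICE_FINGERPRINTS = {
    "ACME PLC gateway (factory default certificate)": re.compile(r"^ACME-PLC-Gateway$"),
    "Widgetron IP camera (factory default certificate)": re.compile(r"^WIDGETRON-CAM-[0-9A-F]{6}$"),
}


def parse_dn(dn):
    """Split a comma-separated DN string into a dict (values here contain no commas)."""
    return dict(part.split("=", 1) for part in dn.split(","))


def fingerprint(record):
    """Return (device, confidence) if the subject CN matches a known device, else None."""
    cn = parse_dn(record["subject"]).get("CN", "")
    for device, pattern in DEVICE_FINGERPRINTS.items():
        if pattern.match(cn):
            # Self-signed with the product CN: the default certificate is still in place.
            confidence = "high" if record["subject"] == record["issuer"] else "medium"
            return device, confidence
    return None


def load_passive_dns(text):
    names = {}
    for line in text.strip().splitlines():
        ip, name = line.split()
        names.setdefault(ip, []).append(name)
    return names


def find_exposed_devices(scan_text, pdns_text):
    """Fingerprint every scan record and attach the names passive DNS knows for its IP."""
    pdns = load_passive_dns(pdns_text)
    findings = []
    for line in scan_text.strip().splitlines():
        record = json.loads(line)
        hit = fingerprint(record)
        if hit is None:
            continue
        device, confidence = hit
        findings.append({
            "ip": record["ip"], "port": record["port"], "device": device,
            "confidence": confidence, "names": pdns.get(record["ip"], []),
        })
    return findings


def owner_of(names):
    """Naive owner heuristic (assumption): registered domain = last two labels of the first name."""
    if not names:
        return "unknown"
    return ".".join(names[0].split(".")[-2:])


def group_by_owner(findings):
    """Group affected IPs by the organisation that a notification would go to."""
    grouped = {}
    for f in findings:
        grouped.setdefault(owner_of(f["names"]), []).append(f["ip"])
    return grouped


if __name__ == "__main__":
    found = find_exposed_devices(SCAN_RECORDS, PASSIVE_DNS)
    for f in found:
        print(f"{f['ip']}:{f['port']} {f['device']} [{f['confidence']}] names={f['names']}")
    print(group_by_owner(found))
```

The "unknown" bucket is the practical output of this step: it is the set of exposed devices for which passive DNS gave no owner and where the team must fall back to WHOIS or the hosting provider to deliver a notification.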
Prepare Your Cybersecurity Team for Swift Containment Post Incident
Mr. Michael HARRINGTON (Fidelis Cybersecurity Solutions)
Michael Harrington is a cybersecurity architect for General Dynamics Fidelis Cybersecurity Solutions. He is a certified PCI-QSA and has held his CISSP for over 13 years. He has more than 20 years of experience in design and implementation of multi-platform information technology projects and more than 15 years of experience in the information security arena, including projects in both the public and private sectors. Mike began his security efforts while working in the U.S. Federal Government. He has also provided information security services to the Department of Defense. His expertise includes efforts on behalf of small local businesses as well as global enterprises. Mike currently coordinates incident response teams, managing both the people and the systems necessary to provide high-level expertise for clients’ cyber security protection and data exfiltration. Mike was instrumental in identifying and containing a data breach for an international data processor prior to the event becoming catastrophic. Mike has seen firsthand where many enterprises fail to prepare for the inevitability of some type of breach. His experience has taught him several key factors that will mitigate damage and provide for long-term corporate viability. Join him as he discusses key preparedness steps to help before, during and after a crisis strikes.
Appropriate Incident Response is critical to your entity’s longevity and wellbeing, and yet practically preparing for it is often undervalued. This discussion will cover critical factors that, when the groundwork is laid in advance, will facilitate swift, organized, and clean incident response.
Key factors will make or break your response and containment:
• A small team of fully authorized key players
• Up-to-date maps of your servers, connections, software, and analysis capability
• A communication plan for red alerts and private information sharing
• Update, Meet, DRILL
While the keys I specify here may sound simple and easy, most organizations take for granted that they can put their fingers on such information quickly (often times they cannot, particularly during incident containment), create an incident response network team on the fly (anxiety can hinder effectiveness), and automatically know what they need to look at and how to do so.
Key factors will be elaborated during the discussion:
• Who should be on the team and how to appropriately authorize them.
• Examples of data needed to be up-to-date and properly maintained to determine where to close loops upon incident.
• What needs to be included in the communication plan, including specifics such as phone contacts, emails – have your incident response email / contact group already created – and maintain a private info sharing channel for this security.
• Details for how to stay updated and drill for incident response.
Protecting Privacy through Incident Response
Mr. Andrew CORMACK (Jisc)
Andrew Cormack was head of JANET CERT from 1999 to 2003, and has remained a personal member of both FIRST and TF-CSIRT since then. His current role as Janet's Chief Regulatory Adviser covers the security, policy and regulatory issues of providing networks and networked services to the UK’s universities, colleges and schools. He has a particular interest in how digital technologies can be used to enhance privacy. He is an experienced presenter at national and international conferences and training courses, both on-line and in person. He has degrees in Mathematics and Law, and is studying for a Masters in Computer and Communications Law.
Incident response is sometimes regarded as harmful to privacy, since it frequently involves processing e-mail addresses, IP addresses and other information that may be privacy sensitive. However, European privacy law, among the strictest in the world, actually promotes incident response. This talk will highlight the privacy benefits of incident response, suggest practical guidelines that IR teams can use to ensure their activities are and remain privacy-protecting, and show how this approach should satisfy the requirements of European law.
Quality Over Quantity—Cutting Through Cyberthreat Intelligence Noise
Mr. Rod RASMUSSEN (IID)
Rod Rasmussen co-founded IID and is the company’s lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system by criminals. Rasmussen serves in leadership roles in various industry groups including the Anti-Phishing Working Group (APWG), ICANN’s Security and Stability Advisory Committee (SSAC), the FCC's Communications Security, Reliability and Interoperability Council (FCC CSRIC), the Online Trust Alliance (OTA), and is IID's FIRST representative.
With organizations under constant threat of losing sensitive data and experiencing network disruptions during cyberattacks, it’s no secret that they are turning to threat intelligence for a real-time cross-industry look at attacks that are happening now and could be hitting them next.
With literally thousands of threat intelligence feeds to pull from, the key isn’t quantity but quality. Is the data you’re feeding into your security appliances important or just noise, and can the data be formatted to meet your security infrastructure’s requirements?
In this session, learn how to achieve truly interoperable cyberthreat intelligence. Get a special inside look at the challenges and opportunities of implementing and leveraging actionable data. What are the common barriers to full interoperability? How can organizations leverage intelligence no matter what security appliances they currently use? What are the challenges to receiving real-time, machine-to-machine information?
IID’s Rod Rasmussen will discuss how to consolidate the dozens of different formats primarily required for various security appliances and prioritize certain threat indicators from others.
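The normalisation and prioritisation problem raised in both the Lookingglass abstract above ("Maximizing Value of your Threat Intelligence for Security Incident Response") and this one can be shown in code. The Python below is an added example, not IID's or Lookingglass's implementation: three constructed feeds in three formats (CSV with a percentage confidence, JSON lines with a 0-1 score, a bare domain list with no confidence at all) are parsed into one observation type, canonicalised so that `EVIL.example.` and `evil.example` collapse into a single indicator, and merged with a noisy-OR combination of provider-weighted confidence, so corroboration across feeds raises the score while a lone low-reputation source stays below the blocking threshold. The feed contents, provider weights, field names, the 0.5 default confidence and the 0.5 blocking threshold are assumptions.

```python
import csv
import io
import ipaddress
import json
from dataclasses import dataclass

# Constructed provider reputations (assumption): how much one unit of a feed's own
# confidence is worth. This is where "reputation of the provider" enters the score.
PROVIDER_WEIGHT = {"feed-a": 0.9, "feed-b": 0.6, "feed-c": 0.3}

# Three constructed feeds, deliberately in three different shapes.
FEED_A_CSV = """\
indicator,type,confidence,first_seen
EVIL.example.,domain,80,2015-05-01
203.0.113.45,ip,95,2015-05-02
"""
FEED_B_JSONL = """\
{"ioc": "evil.example", "kind": "fqdn", "score": 0.5, "seen": "2015-05-03"}
{"ioc": "http://evil.example/path", "kind": "url", "score": 0.7, "seen": "2015-05-03"}
{"ioc": "198.51.100.3", "kind": "ipv4", "score": 0.2, "seen": "2015-05-04"}
"""
FEED_C_TXT = """\
# bare domain list, no confidence, no dates
evil.example
other.example
"""


@dataclass
class Observation:
    itype: str         # normalised type: domain | ip | url
    value: str         # raw value exactly as the feed gave it
    source: str
    confidence: float  # 0..1, rescaled from the feed's own scale
    first_seen: str    # ISO date or None


def parse_feed_a(text):
    return [Observation(r["type"], r["indicator"], "feed-a", int(r["confidence"]) / 100.0, r["first_seen"])
            for r in csv.DictReader(io.StringIO(text))]


KIND_MAP = {"fqdn": "domain", "ipv4": "ip", "url": "url"}   # feed-b's vocabulary -> ours


def parse_feed_b(text):
    out = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        out.append(Observation(KIND_MAP[rec["kind"]], rec["ioc"], "feed-b", float(rec["score"]), rec["seen"]))
    return out


def parse_feed_c(text, default_confidence=0.5):
    # A list with no confidence gets a fixed mid value (assumption); the low provider
    # weight keeps such a feed from pushing an indicator over the threshold on its own.
    return [Observation("domain", line.strip(), "feed-c", default_confidence, None)
            for line in text.splitlines() if line.strip() and not line.startswith("#")]


def canonical(itype, value):
    """Canonical form so the same indicator from different feeds collapses into one record."""
    value = value.strip()
    if itype == "domain":
        return value.lower().rstrip(".")
    if itype == "ip":
        return str(ipaddress.ip_address(value))   # also normalises IPv6 spellings
    return value


def merge(observations):
    """Merge per (type, canonical value); combine evidence with noisy-OR."""
    merged = {}
    for o in observations:
        key = (o.itype, canonical(o.itype, o.value))
        m = merged.setdefault(key, {"type": key[0], "value": key[1], "sources": [],
                                    "evidence": [], "first_seen": None})
        if o.source not in m["sources"]:
            m["sources"].append(o.source)
        m["evidence"].append(PROVIDER_WEIGHT[o.source] * o.confidence)
        if o.first_seen and (m["first_seen"] is None or o.first_seen < m["first_seen"]):
            m["first_seen"] = o.first_seen
    for m in merged.values():
        disbelief = 1.0
        for e in m["evidence"]:
            disbelief *= 1.0 - e      # treat sources as independent: P(benign) shrinks with each
        m["score"] = round(1.0 - disbelief, 4)
    return sorted(merged.values(), key=lambda m: m["score"], reverse=True)


def actionable(merged, min_score=0.5):
    """What goes to the blocking appliance; everything else stays as enrichment context."""
    return [m for m in merged if m["score"] >= min_score]


if __name__ == "__main__":
    all_obs = parse_feed_a(FEED_A_CSV) + parse_feed_b(FEED_B_JSONL) + parse_feed_c(FEED_C_TXT)
    for m in merge(all_obs):
        print(f"{m['score']:.2f} {m['type']:6} {m['value']:26} sources={m['sources']} first_seen={m['first_seen']}")
```

Keeping `sources` and `first_seen` on the merged record is what lets an analyst answer "why is this blocked?" later; a block list that carries only the indicator value throws that context away.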
Radically Open Security: Smashing the Stack for Fun and Non-profit
Dr. Melanie RIEBACK (Radically Open Security)
Radically Open Security is the world's first not-for-profit computer security consultancy company. We're a collective of hackers who aim to disrupt the computer security market with our ideals - we give 90% of our profits to charity (the NLnet Foundation), work with volunteers, release all our tools/templates into the open-source, invite customers to actively participate in pentest teams, and generally optimize for openness, transparency, and community service.
This talk will discuss our unconventional business model and highlight some of our currently running research projects (S-box, OSAS).
Red + Blue = Purple (Taking security testing to the next level)
Stan HEGT (KPMG)
We need to close the gap between security testing and real-world attacks. Your typical penetration tester will portscan the network, fire up his vulnerability scanner and then do some manual verification of exploitability of the identified weaknesses. While this is fine for obtaining a broad overview of vulnerabilities in your preventive controls, it is by no means a test of your resilience against actual attacks. Penetration tests lack real-world attack aspects like malware, social engineering and creating persistence and hence are no realistic test case for your detective and responsive capabilities.
In this talk, we will discuss our experience and best practices in red/blue teaming exercises that help you to realistically test resilience against real-world attacks. We will provide insight into our bag of dirty red team techniques, but will also disclose some of the coolest tricks that blue teams have pulled on us. Lastly, we will advocate a new trend in security testing called purple teaming: joining forces of the offensive red team and defensive blue team to get most value out of security testing.
RTIR
Mr. James MCLOUGHLIN, Mr. Lee HARRIGAN
Sector Based Cyber Security Drills - Lessons Learnt
Mr. Malagoda Pathiranage DILEEPA LATHSARA (TechCERT)
Author
Mr. M.P. Dileepa Lathsara
Dileepa Lathsara is the Chief Operating Officer of TechCERT (www.techcert.lk), which is the first computer emergency response team set up in Sri Lanka. Lathsara has been working in the information security industry for more than 11 years. He has wide experience in information security management, vulnerability assessment and penetration testing, design, and implementation of comprehensive information security solutions, digital forensic investigations, PKI implementations and online digital trust management.
Lathsara is a founding member of LankaCertify (www.ca.lk) which is the technology and consultancy services provider for online trust establishment and verification for e-Sri Lanka.
He also works as a visiting lecturer for many Sri Lankan universities and conducts lectures on information security and networks, information security management and forensic computing concepts.
Qualifications:
MSc. (Computer Science, University of Moratuwa, specialised in Computer Systems Security)
BSc. Engineering (Hons), University of Moratuwa
CEng, MIE(SL)
CISSP, C|EH, Certified ISMS Auditor (ISO 27001), CPISI (PCI DSS v3.0)
Co - Author
Dr. Shantha Fernando
Shantha Fernando is a Senior Lecturer at the Department of Computer Science and Engineering, University of Moratuwa. He is the Co-founder of the first Computer Emergency Response Team setup in Sri Lanka,TechCERT, which is a Division of LK Domain Registry. He headed the technical team since 2005, and now serves as the Chief Consultant. He served as the Director, Engineering Research Unit (ERU) of the University of Moratuwa during 2011-2013. He also served as a Council Member of the Computer Society of Sri Lanka (CSSL) during 2011-2013. Currently, he serves as a Senior Lecturer at the Department of Computer Science and Engineering.
He obtained BSc Engineering Honours from the University of Moratuwa in 1993. He obtained his Master of Philosophy from the same university in 2000. His PhD was obtained from the Delft University of Technology, The Netherlands in 2010. He became the first Chartered Engineer in Sri Lanka in the field of IT in the Institution of Engineers Sri Lanka (IESL). He also served in the Council of the Computer Society of Sri Lanka (CSSL). His expertise are in Computer and Information Security, Information Systems, and e-Learning. He has provided advisory services for many government and commercial organizations in the areas of his expertise since 1994.
Qualifications:
PhD
MPhil
BSc. Engineering (Hons), University of Moratuwa
IET(UK)
MIE(SL), CEng
Co - Author
Mr. Kushan Sharma
Mr. Kushan Sharma works as the Engineering Manager - IT Security Services of TechCERT. He holds a BSc Engineering (Hons) degree in Computer Science & Engineering from the University of Moratuwa. He also completed a master’s degree in Computer Science, specialized in Computer Security, from the University of Moratuwa. Further, he is currently reading for his master’s degree in Business Administration. He is an Associate Member of Institution of Engineering Sri Lanka – AMIE (SL) and is a certified ISMS Auditor as well.
For the past five years Mr. Kushan Sharma has been engaged in providing managed security services for TechCERT customer base and in R&D work to develop value added services. He is responsible for performing tasks including network vulnerability assessments, security auditing for compliance verification and forensics investigations. Furthermore, he is experienced in conducting information security workshops and incident response.
Qualifications:
MSc. (Computer Science, University of Moratuwa, specialised in Computer Systems Security)
BSc. Engineering (Hons), University of Moratuwa
AMIE(SL), C|EH, Certified ISMS Auditor (ISO 27001)
Even though there is explosive growth of Internet and information technology usage in Sri Lanka, many Sri Lankan organizations are ill-prepared to overcome potentially catastrophic cyber-attacks that may affect their infrastructure detrimentally and subsequently result in a loss of reputation. Simultaneously, many Sri Lankan organizations are in the process of moving to complex IT systems and technologies to provide better, more effective services to their customers. With the increasing sophistication of these systems, there has been a corresponding growth in the number and severity of associated threats. Unfortunately, many organizations start reacting to security incidents only after the fact. In the past five years, cyber-attacks and threats on corporate information systems have dominated news headlines worldwide. Therefore, it is essential for Sri Lankan organizations to be prepared to carry out successful cyber counterattacks, in the best interest of their customers and the IT industry as a whole.
Considering the above facts, TechCERT, in collaboration with the Department of Computer Science and Engineering of the University of Moratuwa, conducts annual cyber security drills for Sri Lankan organizations. “TechCERT Cyber Security Drill” has been an annual event for Sri Lankan organizations since 2011. It was initially introduced to the banking sector and then to the financial and insurance sectors respectively. Since 2013, TechCERT has been able to expand this exercise to a wide range of sectors by including telecommunication service providers and Internet service providers with the assistance of the Telecommunications Regulatory Commission of Sri Lanka (TRCSL). At present, TechCERT is conducting three (03) cyber security drills annually for different sectors. They are:
- Banking and finance sector
- Telecommunication service providers and Internet service providers
- Insurance and other leading professional institutions
The cyber drill will simulate a potential cyber-attack and evaluate the competence of the information security team of the relevant organization in successfully defending against the attack within a minimum time period. The attack scenarios for the drill will be based on the latest cyber-attacks in the relevant industry.
A cyber security drill of this nature is highly beneficial for an organization to determine its readiness to mitigate possible cyber-attacks. The main objective of the cyber drill exercise is to provide the opportunity for participating organizations to:
Train their IT staff to successfully overcome a cyber-attack
Test the communication contact points
Check the contingencies of their IT processes and procedures
Test their technical competency in dealing with cyber attacks
Coordinate with relevant stakeholders to mitigate the attack
This presentation will discuss how TechCERT conducts annual cyber security drills, the resources used, the progression of the drills and lessons learnt.
Security Operations: Moving to a Narrative-Driven Model
Mr. Joshua GOLDFARB (FireEye)
Josh (Twitter: @ananalytical) is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO - Americas at FireEye. Until its acquisition by FireEye, Josh served as Chief Security Officer for nPulse Technologies. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT), where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to DarkReading, SecurityWeek, SC Magazine UK, and The Business Journals.
The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.
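An added example (written for this page, not FireEye's or the speaker's implementation) of what moving from alerts to narratives can look like in code: constructed alert lines are grouped per host, cut into episodes when the gap between consecutive alerts exceeds a window, mapped onto attack stages, and each episode is scored by how many distinct stages it spans. That count, rather than any single alert, drives the decision on whether incident response is required. The alert format, the stage mapping, the 24-hour window and the decision thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert stream (hypothetical format: "<ISO time> <host> <alert name>").
ALERTS = """\
2015-06-16T09:01:10 ws-017 email_attachment_macro
2015-06-16T09:01:42 ws-017 powershell_encoded_command
2015-06-16T09:02:05 ws-017 outbound_beacon_rare_domain
2015-06-16T09:30:00 ws-042 outbound_beacon_rare_domain
2015-06-16T14:00:00 ws-017 credential_dump_tool
2015-06-17T08:00:00 ws-099 email_attachment_macro
2015-06-19T08:00:00 ws-099 powershell_encoded_command
"""

# Constructed mapping from alert name to the attack stage it evidences.
STAGE_OF = {
    "email_attachment_macro": "delivery",
    "powershell_encoded_command": "execution",
    "outbound_beacon_rare_domain": "c2",
    "credential_dump_tool": "credential_access",
}


def parse_alerts(text):
    """Return (time, host, alert) tuples sorted by time."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, name = line.split()
        alerts.append((datetime.fromisoformat(ts), host, name))
    return sorted(alerts)


def decide(stage_count):
    """Constructed policy: the more distinct stages one host shows, the stronger the case for IR."""
    if stage_count >= 3:
        return "ir_required"
    if stage_count == 2:
        return "investigate"
    return "monitor"


def build_narratives(alerts, window=timedelta(hours=24)):
    """Group alerts per host into episodes; a gap longer than `window` starts a new episode."""
    per_host = defaultdict(list)
    for ts, host, name in alerts:
        per_host[host].append((ts, name))

    narratives = {}
    for host, events in per_host.items():
        episodes = []
        for ts, name in events:                      # already time-ordered
            if episodes and ts - episodes[-1]["timeline"][-1][0] <= window:
                ep = episodes[-1]                    # continues the current story
            else:
                ep = {"host": host, "timeline": [], "stages": []}
                episodes.append(ep)
            stage = STAGE_OF.get(name, "unknown")
            ep["timeline"].append((ts, stage, name))
            if stage not in ep["stages"]:
                ep["stages"].append(stage)           # keeps first-seen order of stages
        for ep in episodes:
            ep["start"] = ep["timeline"][0][0]
            ep["end"] = ep["timeline"][-1][0]
            ep["decision"] = decide(len(ep["stages"]))
        narratives[host] = episodes
    return narratives


def summarize(narratives):
    """One line per episode: the story an analyst reads instead of the raw alerts."""
    lines = []
    for host, episodes in sorted(narratives.items()):
        for ep in episodes:
            minutes = (ep["end"] - ep["start"]).total_seconds() / 60
            lines.append(f"{host}: {' -> '.join(ep['stages'])} over {minutes:.0f} min => {ep['decision']}")
    return lines


if __name__ == "__main__":
    for line in summarize(build_narratives(parse_alerts(ALERTS))):
        print(line)
```

Note how the same `outbound_beacon_rare_domain` alert is judged differently on ws-017 and ws-042: identical in isolation, it sits inside a delivery-to-credential-access chain on one host and stands alone on the other, which is exactly the context a per-alert queue cannot show.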
Dr. Masato TERADA (Hitachi Incident Response Team), Yoichi SHINODA (JAIST), Mitsuhiro HATADA (NTT Communications Corporation)
Masato TERADA is the Technology and Coordination Designer for the Hitachi Incident Response Team (HIRT). He is also affiliated with the Information-technology Promotion Agency, Japan (IPA), JPCERT/CC, and Chuo University.
Yoichi SHINODA is a professor at the Japan Advanced Institute of Science and Technology (JAIST). He is also the Steering Committee Chair of the anti-Malware engineering WorkShop (MWS).
Mitsuhiro HATADA is an information security researcher at the NTT Communications Corporation.
Introduction
Seven years ago, in 2008, the anti-Malware engineering WorkShop (MWS) started in Japan. The main objective of MWS is to accelerate and expand anti-malware research and countermeasure activities. To this end, MWS aims to attract new researchers and engineers from the academic, private (enterprise) and public domains, and to stimulate new research addressing the latest cyber threats. To achieve this objective, MWS established a community-based sharing scheme for anti-malware research and countermeasure datasets and organized research workshops where researchers can freely discuss their results. This paper describes the MWS community, the MWS datasets, the MWS workshop and the lessons learned from our experiences over the past seven years.
MWS activities
MWS has a community-based sharing scheme for anti-malware research and countermeasure datasets. The scheme has three parts that serve our objective.
- MWS Dataset: The datasets sharing for anti-malware research and countermeasure; Research sections in academic, enterprise and public domains prepare and analyze data sets.
- MWS: The research interests sharing; MWS organized research workshops MWS2008 - MWS2014 which were held in conjunction with CSS2008 - CSS2014 (Computer Security Symposium) of the SIG-CSEC, IPSJ.
- MWS community: The environment to work hard together; The academic researchers and the enterprise researchers/engineers work hard together for anti-malware research and countermeasure.
MWS Community
Currently the MWS community includes organizations from the public, academic and enterprise domains in Japan. From the public domain, JPCERT/CC, IPA, AIST and NICT have joined the community, and many academic and enterprise organizations have joined as well. The community grows larger each year.
MWS Data sets
The MWS Datasets cover three categories, i.e., probing, infection, and malware activities.
MWS Workshop
The workshop's task is to improve the anti-malware research environment, in particular the detection, monitoring and analysis of malware, and to build a collaborative community between academic researchers and enterprise engineers working on malware countermeasures.
MWS includes a workshop and a competition, and is held in conjunction with CSS (Computer Security Symposium) of the SIG-CSEC, IPSJ. The launch of MWS has significantly contributed to the increase in the number of anti-malware research papers. Interestingly, not only the number of papers presented at the MWS sessions but also the number of papers presented at other sessions has increased.
Conclusion
In late October, ThaiCERT, a member of ETDA (Electronic Transactions Development Agency), and JPCERT/CC organized the event "Malware Analysis Competition 2014 (MAC 2014)" in Bangkok, Thailand. We gave a talk about MWS in Japan, and the format of MWS, especially the MWS Cup, was used as a reference by MAC 2014. These events are very useful for technology transfer and raising awareness, as well as for information sharing among the academic, enterprise and public domains for anti-malware research and countermeasures.
We believe that our experiences can assist other research communities that have a similar vision and comparable objectives. So we are hoping to continue the effort and also to extend it to more relationships for anti-malware research and countermeasure.
Sinfonier: Storm Builder for Security Intelligence
Mr. Fran GOMEZ (Telefonica), Mr. Leonardo AMOR (Telefonica)
Fran Gomez:
Fran J. Gómez was born in Madrid. He works as a Security Engineer and his professional career has always been associated with IT security, even before he completed his university studies. In 2005, Fran joined the Telefonica I+D Ethical Hacking Team to take part in security research on ISP core network technologies, which has given him deep knowledge of some of the protocols and technologies that will build the future Internet. His current research is focused on security systems, Internet protocols and cyberintelligence at the Security Area of Telefonica Digital España. Fran has also spoken at events such as RootedCON, RedIRIS Security Forum, CCN-CERT STIC, TEDxTelefónica and Spark Summit. @ffranz
http://about.me/ffranz
Leonardo Amor:
Current Head of Security & CSO of Telefonica Global Solutions (the backbone of the Telefonica Group) and representative member of the Telefonica CSIRT team.
He has been involved in security for the last 15 years, mostly in the Telefonica Group, working in different areas from operations to the development of new security services, always in areas focused on enterprise customers. Since 2010 he has worked in global units, which has given him the best opportunity to learn how to work with international teams and to appreciate the cultural aspects of being global while respecting local culture and customs.
CISA, CISM, and speaker at conferences such as APWG, MAAWG, ENISE, RootedCON and RedIRIS Security Forum.
@LeoAmorV
https://www.leonardoamor.com/
In today's world we consume an ever-increasing variety of volatile data streams for processing and analysis.
Integrating and using new or modified streams of data is a time-consuming and complex process that requires a different tool at each stage of data capture, processing, analysis and storage. A solution is needed that simplifies and automates the integration of open source data into applications and lets developers share integration algorithms across the community.
After looking at how to improve our own investigations and tools, and finding that many good security analysts do not have enough technical skills to build such pipelines themselves, we decided to simplify the task and started our own project. We want to help security analysts focus on their investigations and make their work easier by giving them a good platform. From the beginning we wanted the project to involve the community, and we would like to take this opportunity to offer it to other CERT teams and share with them our experience of how we conduct investigations.
We will introduce the tool, explain how it works and show how easily a complex investigation can be conducted with it.
Sinfonier provides an open environment to graphically build high-level Apache Storm topologies and execute and share them for a definable period of time.
Sinfonier shifts the focus compared with current solutions for processing information in real time. It combines an easy-to-use, modular and adaptable interface with an advanced technical back end, so that you can tune it to your own information security needs.
Sinfonier lets you collect information from multiple sources and process and enrich it continuously and dynamically. It is up to you, the users, to supply the algorithms in the form of topologies and get the most out of this information.
Sinfonier gives you the capacity to create new knowledge from any information you have or can obtain. It is not a black-box solution implementing a few algorithms, but an open platform to be used and shared, multiplying capabilities and possibilities.
Because Sinfonier is a high-level design with facilities that make it easy to use, it aims to bring together security analysts, developers and researchers: its target audience is both people who need to create new capabilities and people who want to use existing ones.
http://sinfonier-project.net
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
Mr. Gavin REID (Lancope)
Gavin Reid is Vice President of Threat Intelligence at Lancope. With over 25 years of experience in threat intelligence, Reid was a driving force behind the development of big data analytics and threat identification.
While serving at Cisco Systems as director of threat research for Security Intelligence Operations, he led a team that developed new data analytics technologies to detect and remediate advanced cybersecurity threats.
Reid also created and led Cisco’s Computer Security Incident Response Team (CSIRT), a global organization of information security professionals responsible for monitoring, investigating and responding to cybersecurity incidents.
In addition to his time at Cisco, Reid also served as the vice president of threat intelligence at Fidelity Investments and oversaw IT security at NASA’s Johnson Space Center.
Threat intelligence was once the domain of nation-states. With increasing attacks on corporations, more and more of it is being built in-house. We will cover one organization's approach to building out this function: what worked well and what didn't work at all, to serve as a reference example for others.
SSHCure: Flow-based Compromise Detection using NetFlow/IPFIX
Rick HOFSTEDE (University of Twente, The Netherlands)
Dictionary attacks against SSH daemons are a common type of brute-force attack, in which attackers perform authentication attempts on a remote machine. By now, we are used to observing a steady number of SSH dictionary attacks in our networks every day; however, these attacks should not be underestimated. Once compromised, machines can cause serious damage by joining botnets, distributing illegal content, or participating in DDoS attacks. The threat of SSH attacks was stressed again by the Ponemon 2014 SSH Security Vulnerability Report, which states that 51% of the surveyed companies have been compromised via SSH in the last 24 months. Numbers provided by several renowned organizations, such as OpenBL and DShield, show that even more attacks should be expected in the future.
The vast numbers of SSH brute-force attacks emphasize the need for a scalable solution that tells security teams exactly which systems have been compromised and should therefore be taken care of. This is where our open-source IDS SSHCure comes into play. SSHCure is a flow-based Intrusion Detection System (IDS) and the first network-based IDS that is able to detect whether an attack has resulted in a compromise. By analyzing the aggregated network data received from edge routers, it analyzes the SSH behavior of all hosts in a network. Successful deployments—in networks ranging from Web hosting companies and campus networks up to nation-wide backbone networks—have shown that SSHCure is capable of analyzing SSH traffic in real-time and can therefore be deployed in any network with flow export enabled. The latest version of SSHCure features a completely overhauled compromise detection algorithm, together with a brand-new GUI that aids security teams in their day-to-day work.
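To make the flow-based idea concrete, here is an added example (not SSHCure's own code or detection algorithm) that classifies SSH traffic from exporter-style flow records into the three phases a brute-force attack passes through: scanning, dictionary attack, and compromise. The flow fields mimic a minimal NetFlow/IPFIX record, the sample records are constructed, and every threshold (packets per probe, packets per login attempt, the factor by which a post-login session exceeds a failed attempt) is an assumption chosen for the illustration; a real deployment would calibrate them against the exporter's sampling rate and active-timeout settings.

```python
"""Phase classification of SSH flows from exported flow records.

Added illustration of the flow-based approach; not SSHCure's code or
algorithm. All thresholds below are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int
    octets: int
    start: float  # seconds relative to capture start (constructed)


SCAN_MAX_PACKETS = 2     # SYN or SYN+RST probe, no session established
SCAN_MIN_TARGETS = 10    # distinct hosts probed before we call it a scan
BF_MIN_PACKETS = 8       # assumed packet range of one failed login attempt
BF_MAX_PACKETS = 14
BF_MIN_FLOWS = 5         # attempts against one host before "brute-force"
COMPROMISE_FACTOR = 3    # a flow this many times the median attempt size
                         # after attempts began suggests a session that stuck


def classify_ssh_flows(flows):
    """Return {attacker: {target: phase}} with phase in
    {"scan", "brute-force", "compromise"}; unremarkable traffic is omitted."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 22:
            by_src[f.src].append(f)

    report = {}
    for src, src_flows in by_src.items():
        verdict = {}

        # Scan phase: many targets, each touched only by tiny flows.
        probed = {f.dst for f in src_flows if f.packets <= SCAN_MAX_PACKETS}
        if len(probed) >= SCAN_MIN_TARGETS:
            verdict.update({dst: "scan" for dst in probed})

        # Brute-force phase: repeated, uniformly sized flows to one target.
        by_dst = defaultdict(list)
        for f in src_flows:
            by_dst[f.dst].append(f)
        for dst, dst_flows in by_dst.items():
            attempts = sorted((f for f in dst_flows
                               if BF_MIN_PACKETS <= f.packets <= BF_MAX_PACKETS),
                              key=lambda f: f.start)
            if len(attempts) < BF_MIN_FLOWS:
                continue
            verdict[dst] = "brute-force"

            # Compromise phase: one flow breaks the flat pattern of failed
            # attempts by carrying far more packets than the median attempt.
            median = sorted(f.packets for f in attempts)[len(attempts) // 2]
            if any(f.start >= attempts[0].start
                   and f.packets >= COMPROMISE_FACTOR * median
                   for f in dst_flows):
                verdict[dst] = "compromise"

        if verdict:
            report[src] = verdict
    return report


def sample_flows():
    """Constructed flow records: one attacker and one legitimate admin."""
    attacker, admin = "203.0.113.5", "198.51.100.7"
    flows = []
    # 12 single-packet probes across a /24 (scan phase)
    for i in range(12):
        flows.append(Flow(attacker, f"192.0.2.{20 + i}", 22, 1, 60, float(i)))
    # 6 failed logins against each of two hosts (brute-force phase)
    for n, pkts in enumerate((10, 10, 11, 11, 12, 12)):
        flows.append(Flow(attacker, "192.0.2.10", 22, pkts, pkts * 120, 100.0 + n))
        flows.append(Flow(attacker, "192.0.2.11", 22, pkts, pkts * 120, 100.0 + n))
    # then one long session to 192.0.2.10 only (compromise phase)
    flows.append(Flow(attacker, "192.0.2.10", 22, 60, 9000, 110.0))
    # a single long admin session: no preceding attempts, so not flagged
    flows.append(Flow(admin, "192.0.2.10", 22, 300, 48000, 50.0))
    return flows


if __name__ == "__main__":
    for src, targets in classify_ssh_flows(sample_flows()).items():
        for dst, phase in sorted(targets.items()):
            print(f"{src} -> {dst}: {phase}")
```

The useful output for a security team is the last line of the attacker's verdicts: 192.0.2.11 only needs its logs checked, while 192.0.2.10 saw a flow that no longer looks like a failed login and should be treated as compromised until proven otherwise.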
Technology, Trust, and Connecting the Dots
Mr. George JOHNSON (NC4), Mr. Wayne BOLINE (DIB ISAC (DSIE)), Denise ANDERSON (FS-ISAC)
Wayne Boline:
Wayne joined Raytheon Missile Systems in Tucson, AZ in 2003 as the Network Manager responsible for classified/unclassified networks and voice systems for the 10,000+ member business. Before joining Raytheon, he served nearly 23 years in the US Air Force acting in both enlisted and officer roles responsible for areas in Electronic Warfare, Telecommunications, Computer Crime Investigations, and Communications-Computer Systems. In 2006 he transferred to the Raytheon Corporate IT Security organization in Texas with responsibility for Cybersecurity Incident Response, Information Sharing, and Collaboration.
He has been Chairman of the Board of the Defense Security Information Exchange (DSIE) since Dec 2011 and recently led the organization to incorporate as the DIB-ISAO, a 501c6 non-profit representing the Defense Industrial Base as the DIB ISAC.
Wayne holds a BS in Information Systems Management from the University of Maryland and an MS in Network Security from Capital College. He also holds the Certified Information Systems Security Professional (CISSP) and Information Systems Security Management Professional (ISSMP) certifications.
George Johnson CISSP:
Since the early 90's, while working at the Defense Advanced Research Projects Agency (DARPA) George has been involved in Internet Security and building Communities of Interest, Extranets, Portals, and other tools that focus on providing a secure platform for secure information sharing. He spent two years at Carnegie Mellon as Technical Director, Extranet for Security Professionals working at the Software Engineering Institute further maturing the processes and methodologies necessary to promote security as a principal requirement to information systems. From there he went on to found The ESP Group, which was arguably the first security differentiated collaboration company on the market. Currently George serves as CSO of NC4 where he is responsible for working with the business units to integrate security into the corporate processes - from requirements, SDLC, testing, to production and retirement of systems.
Denise Anderson:
Denise is Vice President, Government and Cross Sector Programs, at the Financial Services Information Sharing and Analysis Center (FS-ISAC), and currently serves as Chair of the National Council of ISACs. She participates in a number of industry groups such as the Cross-Sector Cyber Security Working Group (CSCSWG), serves as a private sector liaison to the DHS National Infrastructure Coordinating Center (NICC) and is a financial sector representative to the DHS National Cybersecurity and Communications Integration Center (NCCIC), where she also represents the financial sector as a member of the Cyber Unified Coordination Group (UCG), a public/private advisory group that comes together to provide guidance during a significant cyber event.
Denise is certified as an EMT (B), Firefighter I/II and Instructor I/II in the state of Virginia, and is an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia. In addition, she has served on the Board and as Officer and President of an international credit association, has been recognized and awarded for her professional and volunteer achievements and has spoken at events in both the US and Internationally.
Denise holds a BA in English, magna cum laude, from Loyola Marymount University, an MBA in International Business from American University and recently graduated from the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.
Bringing an update on the innovations of the last year, this presentation is about real-world human-to-human and machine-to-machine information sharing. It will help you avoid pitfalls while increasing your circle(s) of trust and your speed of defense. We will discuss real implementations of information sharing (FS-ISAC, US-CERT, DSIE and others) and some of the standards (STIX/TAXII) and automation (Soltra Edge and CRITS) involved. Technologies are advancing and we are learning more about what it takes to put these technologies and processes into practice. Historically, information sharing in the cyber defense world has been a tremendously manual and isolated process. While formal and informal networks of incident responders have sprung up to give defenders some leverage in mitigating attacks, three major factors have complicated our jobs:
- Economic forces have favored the attack side, while
- several factors (principally our inability to scale "trust") have hindered sharing on the defense side.
- Moving data faster hasn’t helped humans identify the most important data to act upon – and now more data is moving even faster – how do we help humans find the most important information for their particular organization at the right time?
Exploits built to target a specific sector/industry can be broadly employed to provide a significant return on investment due to slow and uncoordinated responses across that sector/industry. Yet, we’re starting to turn the odds in the defense’s favor. The financial sector has recognized that it is imperative to change the economics of the attack/defense model in order to change the balance of power. Financial institutions, through the Financial Services Information Sharing and Analysis Center (FS-ISAC), have been developing and maturing the process of information sharing among its constituents to increase the speed at which defense spreads across the entire financial sector. Several key factors have contributed to the success so far, including:
- Ability for users to post anonymously
- Analysts add value to each posting and users find the information valuable
- Creation of a clear guideline for information dissemination
- Maturing a trust model
- Providing an infrastructure to allow analysts across companies and sectors to collaborate
- Automation to move machine readable Mitigations/Courses of Actions to move at the speed of trust
To date, human to human interaction has imposed limits on the speed and volume of data shared because people were performing tasks that could be more effectively performed by machines. At the same time many companies could not find or afford the talent to identify malicious activity and so relied on computers to do the job best suited to humans.
To maximize the value of the Human in the Loop, the finance sector has made the commitment to move to the automated sharing of threat information by using standardized protocols (STIX and TAXII) and mark-up automation in order to change the economics of cyber-attacks more in favor of the defenders. This presentation will describe critical success factors that are generating initial trust necessary to drive collaboration and the work being done in automating information exchange so that analysts can concentrate on value-added analysis rather than spending their time on manual processes.
The Daily Show Agenda
Mr. Chris HALL (Wapack Labs)
Chris Hall is the Technical Director and Co-founder at Wapack Labs. Since 2000, Chris has worked in the intelligence community in varied positions to include SIGINT analysis, security engineering, malware reverse engineering, and cyber threat intelligence. In 2012, Chris left the government to help start the Red Sky Alliance and then co-founded Wapack Labs a year later.
In recent years, the global supply chain has become the new "playground for hackers". With supply chain inherently having numerous links (from suppliers to manufacturers to distributors), the number of potentially exploitable relationships makes it an attractive target. This presentation describes the deconstruction of one such campaign dubbed 'Daily Show' that is believed to be targeting the global supply chain for multiple industries. The presentation also offers insight into potential attacker motives and implications of supply chain intelligence falling into the wrong hands.
The Needle in the Haystack
Mr. Jasper BONGERTZ (Airbus Defence and Space CyberSecurity GmbH)
Jasper Bongertz is a Senior Technical Consultant and started working freelance in 1992 while he began studying computer science at the Technical University of Aachen. In 2013, he joined Airbus Defence and Space CyberSecurity, focusing on IT security, Incident Response and Network Forensics. He is also the author of a large training portfolio with a special focus on Wireshark, now owned by Fast Lane GmbH. Jasper is certified Sniffer Certified Professional (SCP), VMware Certified Professional (VCP3/4/5) and was a VMware Certified Instructor (VCI) until January 2014.
In incident response situations, time is short. One of the biggest problems is that it is difficult to determine what happened to which system and, if possible, when it happened. The challenge is almost always to identify compromised systems without wasting too much time examining those that turn out to be unaffected.
Network forensics can help to pinpoint infected nodes, so that system forensics tasks can be focussed on those systems. The problem with network forensics is that it requires a certain amount of preparation (the more the better), and skill/experience to identify malicious patterns. This talk will focus on where network forensics can help with incident response, where the challenges are, and what tools to leverage.
Theory and Practice of Cyber Threat-Intelligence Management Using STIX and CybOX
Dr. Bernd GROBAUER (Siemens)
Dr. Bernd Grobauer is Principal Key Expert at Siemens Corporate Technology's Technology Field "IT Security". He leads the Siemens Computer Emergency Response Team's (CERT's) research activities, covering topics such as incident detection and handling, threat intelligence, malware defense, IT forensics, etc. Dr. Grobauer holds a PhD in computer science from Aarhus University, Denmark. From 2009 to 2011, he served on the membership advisory committee of the International Information Integrity Institute (I4).
Thomas Schreck is the Team Representative of Siemens CERT. His fields of interest are intrusion detection and incident analysis. Further, he is a PhD student at the Friedrich-Alexander University Erlangen-Nuremberg.
Dr. Jan Goebel is the Team leader for Incident Technologies and IT Security Analyst at Siemens CERT. His research interests revolve around IT security, digital forensics, malware analysis (reverse engineering), and network attack detection using honeypots. Dr. Goebel holds a PhD in computer science from RWTH Aachen University.
Stefan Berger is an IT Security Analyst at the Siemens Computer Emergency Response Team (CERT). His area of work mainly covers global IT security incident handling and analysis as well as the development and maintenance of tools, methods, and procedures in this field.
Based on Siemens CERT's experiences with developing and operating the open source MANTIS Cyber-Threat Intelligence Framework, this talk will provide an overview of central issues in cyber-threat intelligence management using STIX and CybOX:
- Finding correlations
With more and more data sources based on STIX and CybOX becoming available, finding correlations in the supplied data becomes essential. We will present work in progress on finding correlations.
- Information tagging
Because the same basic observation (e.g. an IP address) may give rise to many distinct CybOX observables, information tagging at the object level is insufficient for many use cases. We will present MANTIS's approach to information tagging: by tagging atomic facts rather than objects, a single tagging action applies to all relevant objects.
- Managing actionable threat intelligence
In theory, it should be easy to manage and extract actionable threat intelligence from STIX/CybOX data for use in detection and prevention systems. In practice, this proves surprisingly hard. We will present our approach to this problem.
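The fact-level tagging point above is easiest to see with data. The following is an added example, not MANTIS's code or its data model: the observables are hand-written, simplified CybOX-like dictionaries (an assumption for the illustration), and the rule that a fact is keyed by its leaf element name plus value, so that an Address_Value nested inside a socket address matches the same Address_Value at the top level of an Address object, is likewise an assumption. It shows that one tag placed on the atomic fact reaches every object that contains the IP, while an object-level tag reaches only the object it was put on.

```python
"""Tagging atomic facts instead of whole observables.

Added illustration of fact-level tagging; not MANTIS's code or data
model. Observables are simplified CybOX-like dicts (assumed shape).
"""
from collections import defaultdict


def atomic_facts(obj, prefix=""):
    """Flatten a nested observable into (path, value) leaf facts."""
    facts = []
    for key, value in obj.items():
        if key == "id":
            continue
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(value, dict):
            facts.extend(atomic_facts(value, path))
        elif isinstance(value, list):
            for item in value:
                if isinstance(item, dict):
                    facts.extend(atomic_facts(item, path))
                else:
                    facts.append((path, item))
        else:
            facts.append((path, value))
    return facts


def fact_key(path, value):
    # Assumption: the leaf element name identifies the fact type, regardless
    # of where in the object tree it appears (Address_Value is Address_Value).
    return (path.rsplit("/", 1)[-1], value)


class FactStore:
    """Objects are indexed by the atomic facts they contain; tags attach to facts."""

    def __init__(self):
        self.objects = {}
        self.fact_index = defaultdict(set)   # (term, value) -> {object id}
        self.fact_tags = defaultdict(set)    # (term, value) -> {tag}
        self.object_tags = defaultdict(set)  # object id -> {tag}, for contrast

    def add(self, obj):
        self.objects[obj["id"]] = obj
        for path, value in atomic_facts(obj):
            self.fact_index[fact_key(path, value)].add(obj["id"])

    def tag_fact(self, term, value, tag):
        self.fact_tags[(term, value)].add(tag)

    def tag_object(self, obj_id, tag):
        self.object_tags[obj_id].add(tag)

    def objects_with_tag(self, tag):
        """Every object carrying the tag directly or through one of its facts."""
        ids = {oid for oid, tags in self.object_tags.items() if tag in tags}
        for fact, tags in self.fact_tags.items():
            if tag in tags:
                ids |= self.fact_index.get(fact, set())
        return sorted(ids)

    def tags_for_object(self, obj_id):
        tags = set(self.object_tags.get(obj_id, set()))
        for path, value in atomic_facts(self.objects[obj_id]):
            tags |= self.fact_tags.get(fact_key(path, value), set())
        return sorted(tags)


def sample_store():
    """Constructed observables that all mention the same IP in different shapes."""
    store = FactStore()
    store.add({"id": "obs-1", "AddressObject": {"Address_Value": "198.51.100.23",
                                                "category": "ipv4-addr"}})
    store.add({"id": "obs-2", "NetworkConnectionObject": {
        "Layer4_Protocol": "TCP",
        "Destination_Socket_Address": {"IP_Address": {"Address_Value": "198.51.100.23"},
                                       "Port": {"Port_Value": 443}}}})
    store.add({"id": "obs-3", "DNSRecordObject": {"Domain_Name": "update.example.net",
                                                  "IP_Address": {"Address_Value": "198.51.100.23"}}})
    store.add({"id": "obs-4", "AddressObject": {"Address_Value": "203.0.113.9",
                                                "category": "ipv4-addr"}})
    return store


if __name__ == "__main__":
    s = sample_store()
    s.tag_fact("Address_Value", "198.51.100.23", "sinkholed")  # one action on the fact
    s.tag_object("obs-4", "reviewed")                           # one action on one object
    print(s.objects_with_tag("sinkholed"))  # all three objects containing the IP
    print(s.tags_for_object("obs-2"))       # inherits the tag via its nested address
```

The contrast to keep in mind is the alternative the abstract calls insufficient: with object-level tags, marking the IP as sinkholed would require finding and tagging obs-1, obs-2 and obs-3 separately, and any observable imported later that embeds the same address would miss the tag entirely.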
Mr. Timothy GRANCE (NIST), THOMAS MILLAR (US-CERT), Mr. Pawel PAWLINSKI (CERT Polska / NASK), Mr. Luc DANDURAND (ITU), Sarah BROWN (Fox-IT)
Tim Grance is a senior computer scientist at the National Institute of Standards and Technology. He has held a variety of positions at NIST including Group Manager, Systems and Network Security, and Program Manager for Cyber and Network Security. He led a broad portfolio of projects including high-profile projects such as the NIST Hash Competition, Cloud Computing, Protocol Security (DNS, BGP, IPv6), Combinatorial Testing, and the National Vulnerability Database. He is presently a senior researcher advising on projects in cloud computing, mobile devices, the Internet of Things, and big data. He has written extensively on cloud computing, incident handling, privacy, and identity management. He is a two-time recipient of the US Department of Commerce's highest award, a Gold Medal from the Secretary of Commerce.
Mr Luc Dandurand has recently joined the International Telecommunication Union as Head of the ICT Application and Cybersecurity Division in the Telecommunication Development Bureau (BDT). Previously, from January 2009, he worked at the NATO Communications and Information Agency on cybersecurity capability development for NATO and NATO Nations. Prior to joining NATO, he worked at the Communication Security Establishment of Canada, leading a team that prototyped novel solutions in Cyber Defence. He started his career as a Signals Officer in the Canadian Forces, first as an analyst in the Directorate of Scientific and Technical Intelligence. Following post-graduate studies, he led the CF's Network Vulnerability Analysis Team and co-founded the CF Joint Red Team, a team responsible for assessing the security of CF networks by conducting controlled cyber-attacks.
Mr. Thomas R. Millar serves as the United States Computer Emergency Readiness Team's (US-CERT) Chief of Communications, a role which finds him at the intersection of outreach, awareness, standards development, and technical interoperability initiatives. In this role, Mr. Millar is focused on modernizing US-CERT's approaches to information sharing, knowledge exchange and coordination. Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009. He previously worked as a team lead for intrusion detection and analysis at the FBI's Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.
Pawel Pawlinski is a senior specialist in the Security Projects Team at CERT.PL, within Research and Academic Computer Network, Poland (NASK).
In this role, he leads the information exchange program, in particular he is responsible for the design and deployment of the n6 platform for sharing security-related data. He is also the main author of the recent ENISA good practice guide for CERTs on processing and sharing of information ("Actionable Information for Security Incident Response").
Pawel's main interests in the domain of network security include intrusion detection systems, anomaly detection algorithms, honeypots and data visualization. His past experience includes work on automated tools for large-scale analysis of both client- and server-side attacks: Honeyspider Network and ARAKIS.
Sarah Brown works as a member of the Fox-IT InTELL team, providing threat intelligence to banks and retailers to keep them in control of hacking, malware, phishing and hybrid attacks. At Fox-IT, she works to evolve the cutting-edge intelligence portal through which InTELL customers are informed in real time of cyber threats targeting them. One of her key focus areas is cyber threat information sharing, cyber security sharing systems, and standards and automation. From 2004 to 2013 she held cyber security positions with MITRE supporting the US Government, NATO, and other international partners. She was posted to the NATO Communications and Information Agency (NCIA) in The Hague, NL from 2008 to 2013, with a focus on cyber exercises, interoperability, and situational awareness. She has been a speaker at the 2014 ACM Workshop on Information Sharing and Collaborative Security (WISCS) in Scottsdale, AZ, the 2014 Information Security Solutions Europe conference in Brussels, Belgium, and the 2012 International Conference on Cyber Conflict (CyCon) in Tallinn, Estonia.
Collaboration and sharing have become driving forces from startups to web-scale global companies. In security, however, and particularly in enterprise-level incident handling, information sharing is still in its infancy. This panel presentation and discussion will briefly outline efforts in the public and private sectors, such as NIST's Draft Special Publication 800-150, Guide to Cyber Threat Information Sharing, European efforts to improve threat data exchange among CERTs, and other private sector initiatives. Specifically, the panel will discuss the following topics and questions: 1) an overview of sharing architectures and trust issues; 2) what the present sharing capabilities, technical mechanisms (e.g. identity, access control) and barriers to sharing and using threat information are; 3) advice on how to create, maintain and enhance sharing relationships; 4) specific technical and policy recommendations for the astute use of shared threat information; and 5) specific incident scenarios (nation-state malware attacks on an industry sector, a distributed denial of service attack against an industry sector, etc.) and how sharing could work in each of them.
Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study
Mrs. Sharifah Roziah MOHD KASSIM (MyCERT, CyberSecurity Malaysia)
Sharifah Roziah currently works as a Specialist for the Malaysia Computer Emergency Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. Besides being a Specialist, she is also Manager of the Security Operation Centre (SOC) in MyCERT, ensuring that computer security incidents reported to MyCERT are responded to in a timely and efficient manner. Prior to that, she worked as a Senior Analyst at MyCERT. Roziah has been involved in the computer security field for 15 years, mainly in computer security incident response. Her areas of focus and interest are computer security incident response, incident data analysis and network security. Roziah has been a key person in responding to and resolving many computer security incidents reported to MyCERT from the Malaysian constituency. She has also given many talks, presentations and trainings, both locally and internationally, in the field of computer security, particularly computer security incident response. Apart from that, Roziah has produced various security advisories on the latest vulnerabilities and threats, security guidelines, articles and proceedings papers related to computer security.
Cyber attacks today are becoming more sophisticated and transnational, challenging CERTs' incident response capability. CERTs need a strong foundation, readiness, sophisticated tools and up-to-date Standard Operating Procedures (SOPs) to respond to the ever-growing number of incidents in cyberspace. Cyber exercises at the national or multilateral level have become essential and an integral part of incident response, and can be used to assess the readiness of a team. They lay a strong foundation in incident response procedures for responding to and mitigating cyber threats. A multilateral cyber exercise brings together teams from different countries to build common goals and work together to understand, respond to and mitigate threats in cyberspace.
Much has been said about the multilateral cyber exercises conducted every year at various locations and regions around the world. The question, however, is whether they are really effective in overcoming the challenges of responding to cross-border incidents, and how teams from different countries can come together to respond to and mitigate such incidents.
MyCERT has long been engaged in multilateral cyber exercises, playing the roles of Coordinator, Player and Excon in three different multilateral cyber exercises conducted annually: the Asia Pacific CERT Cyber Exercise, the South East Asian Cyber Exercise and the Organization of Islamic Country CERT Cyber Exercise. What is distinctive about our team is that we engage in all three every year and play an active role in each of them.
In this presentation, we would like to share our case study and experiences from these three multilateral cyber exercises, covering:
1) How multilateral cyber exercises have contributed to responding to and mitigating cross-border incidents efficiently.
2) Our own in-house developed tools and applications that assisted in developing scenarios, crafting injects, analyzing artifacts and building a dashboard for status updates during the exercise.
3) How we customized some existing applications and tools for exercise purposes.
4) How communication over multiple platforms worked effectively among Coordinators, Players and Excons during a multilateral cyber exercise.
5) Overall observations, the team's expectations and lessons learnt from the exercises that can be used for future improvement.
6) That a multilateral cyber exercise need not be costly: how in-house developed tools keep the exercise cost-effective and economical.
In conclusion, the findings of this presentation can serve as a benchmark or starting point for CERTs or other organizations wanting to engage in multilateral cyber exercises. The presentation also concludes that multilateral cyber exercises need to be part of any incident response procedure, as a foundation for responding to and mitigating cross-border incidents efficiently.
Validating and Improving Threat Intelligence Indicators
Mr. Douglas WILSON (FireEye)
Douglas Wilson is a Senior Manager at FireEye Labs. He is in charge of the Threat Indicators Team, which he previously led at Mandiant before its acquisition by FireEye. Doug's team primarily works on developing and refining techniques for improving threat indicator quality and coverage, as well as on innovative threat intelligence automation efforts. During his time at FireEye and Mandiant, he has experienced first hand many ways of trying to improve threat indicators, and hopes to share his experiences at FIRST 2015.
Doug is based out of Washington DC in the United States. He has over 15 years of experience in a variety of Information Security and Technology positions, including Incident Response and Multi-tiered Application Architecture among others. He spoke at FIRST Bangkok in 2013, and FIRST Boston in 2014.
Doug has spoken on various Infosec topics at events including FIRST, GFIRST, DoD Cybercrime, NIST IT-SAC, Suits and Spooks, Shmoocon, and many other local events in the Washington DC Metropolitan area.
Threat intelligence has been a hot item for the past year or two: everyone sells it and has it drive their products and solutions. But how do you tell if it is really making a difference? Several recent presentations at industry conferences have dealt with measuring vendor offerings, but how do you measure your own internal content and processes? How do you know whether the threat intelligence and indicators you are creating and consuming are worth your investment of resources? And how do you make them better if they are not?
This presentation will discuss several ways to implement measurement of indicator efficacy and feedback loops in your organization, so that you can measure and improve your operationalized threat intelligence. You want to make sure that what your organization is using is the most potent, current and viable intelligence among the many sources that may be available, and also to identify when certain types or sources of intelligence no longer have value.
This presentation will cover best practices derived from real world environments at a high level that can easily be applied in common operational situations, as well as a variety of lessons learned. It will not be limited to specific technologies and/or products, and only classes of products or Open Source technologies (versus specific vendors or products) will be mentioned to avoid any conflicts of interest. It will cover simple tests and workflows that can be applied to a variety of indicator types without being specifically tied to one particular type of intelligence or threat detection.
Attendees will learn about processes that they can put in place to gather metrics from their SOCs/CIRTs and/or other operational environments, and then how best to apply those metrics to an indicator generation and maintenance workflow. Mature organizations likely have some of these practices in place, but emerging or new organizations will hopefully find that this information saves them time and makes their use of threat intelligence more efficient and effective. The presentation will not be deeply technical in nature, but will be useful to technical teams trying to better operationalize threat intelligence and/or aggregate collections of threat indicators.
Ideal attendees will be teams and management focused on implementing or adopting threat intelligence into an operational form for enterprises small and large.
VRDX-SIG: Global Vulnerability Identification
Mr. Art MANION (CMU SEI CERT/CC), Mr. Takayuki UCHIYAMA (JPCERT/CC), Dr. Masato TERADA (Hitachi Incident Response Team)
Art MANION is a senior member of the Vulnerability Analysis team in the CERT Coordination Center (CERT/CC) at the Software Engineering Institute (SEI).
Taki UCHIYAMA is an information security analyst at the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).
Masato TERADA is the Technology and Coordination Designer for the Hitachi Incident Response Team (HIRT). He is also affiliated with the Information-technology Promotion Agency (IPA), JPCERT/CC, and Chuo University.
Like most ontological exercises, defining what exactly constitutes a software vulnerability turns out to be at least somewhat subjective. Vulnerability databases use different definitions, scopes, identification systems, and data formats. There are some well-known, comprehensive(-ish) databases like Common Vulnerabilities and Exposures (CVE) and the Open Sourced Vulnerability Database (OSVDB), and more narrowly-scoped databases like Japan Vulnerability Notes (JVN) and vendor security advisories. Differences in scope and how vulnerabilities are defined and identified lead to difficulty counting, tracking, and responding.
The FIRST Vulnerability Reporting and Data eXchange Special Interest Group (VRDX-SIG) was chartered to study existing practices and develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.
What are the key similarities and differences across databases?
Should there be a global vulnerability identification system, and what would it look like?
This talk will present results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.
When Business Process and Incident Response Collide: The Fine-Tuning of the IR Program
Ms. Reneaue RAILTON (Duke Medicine)
Reneaué Railton, CISSP
Senior Information Security Analyst, Duke Medicine Cyber Defense and Response Team
Reneaué Railton is an Information Security Analyst at Duke Medicine with over 28 years in the Computer Industry, 19 years focused on Cyber Security. As an Information Security Analyst, she provides support for a variety of operational and consultative functions as part of the Duke Medicine Information Security Office and Cyber Defense, including analyzing findings from security monitoring systems to identify and respond to potential security incidents and data breaches.
Prior to Duke Medicine, Reneaué spent 16 years in various Cyber Security and Incident Response related positions at Cisco in RTP, NC. Formerly an Incident Manager in Cisco's Product Security and Incident Response Team (PSIRT), she provided incident management and coordination with external incident response teams and information sharing organizations worldwide.
In a previous role, as an Incident Response Program Manager for Cisco's Critical Infrastructure Assurance Group, Reneaué identified and established programs that support Cyber Security Incident Response with an emphasis on supporting internal Cisco teams. She worked closely with the U.S. Department of Homeland Security Sector Specific Information Sharing and Analysis Centers (ISACs), namely the Communications ISAC and IT ISAC, to provide situational awareness and enhance public-private partnership and communications.
As a Cisco representative, she participated in cyber security exercises designed to simulate attacks or disasters that affect telecommunications systems as well as contributing to the development and improvement of supporting policies and procedures for incident response. Reneaué routinely engaged in activities of the Forum of Incident Response and Security Teams (FIRST), IT and Communications ISACs, National Infrastructure Advisory Council (NIAC), The Internet Consortium for the Advancement of Security on the Internet (ICASI), and National Security Telecommunications Advisory Committee (NSTAC) working groups that are interconnected to incident response.
Reneaué is a CISSP and a Level II Certified Network Expert. She is also ITILv3 certified.
There is a delicate balancing act in maintaining an effective incident response team in the maelstrom of cyber attacks amid limited resources and tools. An IR team must overcome obstacles ranging from limited network visibility and systems access to a lack of training and proper tools. The cost of an incident is increasingly difficult to determine. Is it the impact to customers or corporate brand? The loss of revenue or regulatory fines? How does an organization measure the risks and costs of a cyber event as it relates to the experience of the incident handler, from event discovery to containment? How can we leverage this information to build a business case to fill the gaps in our incident response capabilities?
This talk focuses on common impediments to effective incident response and on tools to improve IR processes. The presenter will use real incidents and case studies to illustrate common gaps in IR procedures & event handling. We will discuss how to fine-tune the IR program to detect compromises earlier and how to lower the costs incurred when an organization suffers an intrusion.
Working Towards the Tokyo 2020 Olympics - Situation in 2015
Ms. Mariko MIYA (CDI-CIRT (Cyber Defense Institute, Inc.) - Japan)
Mariko is the Chief Security Analyst of Cyber Defense Institute, Inc. located in Tokyo, Japan. She has expertise and knowledge of foreign and domestic cyber policies and of handling cyber threats regarding national security. In particular, her cyber intelligence reports, written using her high-level multi-language and research capabilities, have received high recognition from government agencies. She has also been giving practical support to government agencies in charge of foreign affairs and overseas information gathering and analysis.
She graduated from International Christian University of Tokyo with a BA in English Linguistics after 12 years of education in Los Angeles, California from elementary school through high school. Throughout her education, she studied German, Korean, and French, enabling her to approach cyber issues from a multi-linguistic and multi-national point of view.
This presentation will be about the current situation in Japan in regard to preparation for the Tokyo 2020 Olympics, and lessons learned from our research into past major events, including the Olympics and other major events in different countries, which we conducted under contract to the Japanese government and other major Japanese companies.
In comparing the 2012 London Olympics and the 2020 Tokyo Olympics, the following are some major differences that we have identified in our research:
Communication (network) interception
- London 2012 – Intelligence agencies and law enforcement implement interception under anti-terrorism laws (intelligence agencies and law enforcement have response capabilities against potential threats)
- Tokyo 2020 – Law enforcement implements interception under court order (the response capabilities of law enforcement depend on the detection, judgment and response capabilities of the targeted organizations)
Mobile devices and Wi-Fi traffic
- London 2012 – Since this was the transition phase of the dramatic increase in smartphone and tablet use, the amount (and increase) of Wi-Fi traffic was within expectations.
- Tokyo 2020 – In addition to smartphones and tablet devices, there is expected to be a rapid increase in the usage of cloud applications and wearable devices, and it is extremely difficult to estimate the amount of traffic.
Terrorist organizations and cyberspace
- London 2012 – Illegal activities using cyberspace were still somewhat limited.
- Tokyo 2020 – There is expected to be a rapid increase in illegal activities using cyberspace (an easily accessible environment is continually being built at an accelerating pace)
Impact of cyber attacks on businesses
- London 2012 – Legacy systems were intermixed, so business impact was limited.
- Tokyo 2020 – There will be fewer legacy systems, and it is likely that there will be dependency on extremely efficient or highly productive systems, so business impact will be extremely high.
In the presentation, I will further explain some possible cyber attack scenarios according to the factors above. Also, Japan has several unique issues it would have to deal with; for example, earthquakes and nuclear power plants, which relate to dealing with physical security along with cyber security when considering unified security at the time of the Olympics.
Currently, as of 2015, more information sharing frameworks are being established, like the Japanese Financial ISAC or the Cyber Defense Council of MOD and J3 (Japan Cybercrime Control Center, the Japanese version of NCFTA), and large scale cyber exercises are taking place in preparation for nation-wide massive events such as the Tokyo Olympics. The most up-to-date information will be given in June 2015. I would also like to discuss and explore possibilities of other countries working together with us toward making such a massive event secure and successful.