Eireann Leverett (Concinnity Risks, GB), John Matherly (Shodan HQ, US)
John Matherly is an Internet cartographer, entrepreneur, and all around good guy.
Eireann Leverett is a professionally strange person, entrepreneur, and moustache model. He's probably a nice guy.
They both like toolsmithing for incident responders.
Doing anything at internet scale is hard.
It's also particularly hard to cooperate internationally without measures of success or failure.
Two of the internet's gentleman scholars want to bring you a variety of metrics they find useful. Metrics that mean things to bitshifters, internauts, and incident responders. Quantifications that help them explain things to policy makers, but also make sense to technicians. Measurements they use to communicate risk to the world, and the visualisations that capture internet cartography.
This session will provide a variety of novel metrics devised during experiments by two of the world's gentleman scholars. They will demonstrate a variety of tools and toolsmithing techniques relevant to the respected audience of the international FIRST community.
MD5: 233efaba6205b40e3a3668b752a837fe
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.38 Mb
Deana Shick (CERT/CC, US), Kyle O'Meara (CERT/CC, US)
Deana is a Member of the Technical Staff at the Software Engineering Institute's CERT Coordination Center (CERT/CC). Deana works on the Threat Intelligence team at the CERT/CC where she researches and analyzes current and emerging threats to national security. Prior to working at CERT/CC, Deana was an International Trade Specialist focusing on EAR and ITAR regulatory processes. She received her B.A. from Duquesne University in International Relations with a Security Studies concentration. In 2014, she completed her M.S. in Information Security Policy and Management from Carnegie Mellon University.
Kyle O'Meara is a Senior Member of the Technical Staff at the Software Engineering Institute's CERT Coordination Center (CERT/CC). Kyle works on the Threat Intelligence team at the CERT/CC where he researches and analyzes current and emerging threats to national security with a focus on exploits and malware. Most recently Kyle was with FireEye, where he was the lead senior threat analyst for the active cyber defensive program called SHARKSEER. Prior to FireEye, he was with the National Security Agency (NSA) for roughly five (5) years. At NSA he held a few different positions: cyber-cryptanalyst, a six (6) month deployment to Iraq as a media exploitation analyst, and communication signal analyst. Kyle received his MS from Carnegie Mellon University in Information Security Policy and Management. Kyle also presented at DEF CON 21 in 2012 on a forensic deep dive into self-destructing message applications.
MD5: 2f5580518a42e9b68253fa7b6ae29311
Format: application/pdf
Last Update: June 7th, 2024
Size: 730.8 Kb
Timothy Helming (DomainTools, US)
Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of investigative and proactive defense offerings. At WatchGuard, he helped define and launch some of the best-selling SMB security appliances in the market. At Symform, he led definition and messaging efforts for that company’s unique peer-to-peer cloud storage solution. Tim has spoken at security conferences such as BSides Las Vegas, FireEye/MIRcon, and AusCERT, as well as media events and technology partner conferences worldwide.
This session illustrates new ways to investigate, and get ahead of, threat actors, using OSINT (Open Source Threat Intelligence) such as domain registration data, IP address data, MX records, geolocation, and more. Using examples from high-profile cybercrime/espionage cases, Tim Helming of DomainTools will demonstrate how threat actors can be identified or accurately profiled, and how their webs of connected holdings can be mapped for defensive (or offensive) purposes. The techniques shown are used effectively by leading-edge private sector, government, and law enforcement experts to fight cybercrime globally. Effective adversary analysis pays off in all phases of a continuous security model, from monitoring to detection to response to prevention.
From this session, attendees will be able to:
MD5: 6d3b8a076d04ec1d14629866b9bd54b4
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.97 Mb
Chris Romeo
MD5: b492a71b4871b2a31c7a57d7784e4299
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.43 Mb
Sho Aoki (JPCERT/CC, JP)
Mr. Sho Aoki, Information Security Analyst, Watch & Warning Group, Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
Sho Aoki joined JPCERT/CC in April 2015, and specializes in gathering cyber threat information and verifying vulnerabilities; he also takes part in incident handling and response. He provides comprehensive analyses of the collected cyber threat information and incident investigations, and engages in sharing early warning information with external organizations including the government, critical infrastructure sectors and enterprise CSIRTs, as well as publishing security alerts for both domestic and overseas audiences.
This presentation will introduce the approach and outcome of “AOKI” – a DNS sinkhole by JPCERT/CC. Through AOKI, we have observed trends of targeted attacks in the Asia Pacific region and various related threat information. We will also present our information sharing efforts and the outcome in this regard.
JPCERT/CC launched AOKI in June 2015 with the aim of conducting threat analysis of incidents reported to JPCERT/CC, as well as identifying the extent of damage caused by malware, etc. Using AOKI, we also analyze Command and Control Servers (hereafter “C2 Servers”) that the malware communicates with for advanced targeted attacks.
Through AOKI, we observed incidents not only in Japan, but also cross-border among countries and regions. For example, we analyzed a certain C2 Server and found that it links to an attack targeting governmental organizations in some of the specific economies in the Asia Pacific.
JPCERT/CC is exploring ways to effectively share such threat information and related IOCs (Indicators of Compromise) obtained through AOKI, and has already started sharing information with some of the economies. We would like to introduce our approach to FIRST and expand the information sharing coverage beyond the Asia Pacific region, with the hope that it will contribute to security around the world.
MD5: 392999d8254bd3bebdd06603b22ae372
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.31 Mb
David Jones (Cisco, US), Imran Islam (Cisco, DE)
David Jones is a Senior Security Architect for Cisco’s Information Security team. In this role he is responsible for the creation and implementation of security policies to mitigate risk by preventing security breaches. His primary focus is on mitigating targeted attacks on computing infrastructure. David holds a patent for a network access product innovation.
In his spare time he is the head chef at Burned Roof BBQ'd Hot sauce company.
Imran Islam is the Investigations Manager for Cisco’s CSIRT team. Imran’s responsibilities include program management, process enhancements, acquisitions management and technology reviews.
Imran is also a Bangladeshi footballer who holds the record for being the oldest player. He always has a passion for football and supports Liverpool.
Emerging Threat: Well-funded adversaries target developers at software companies in order to embed back doors and other malware into their products, while leveraging that company's trusted software distribution infrastructure to deploy those pathogens to its customers. Customers will then install these backdoors along with actual bug fixes while believing all is well.
As a recurring theme, the Windows operating system is still the most common beachhead that is established for this attack to succeed.
In this talk we will discuss this emerging threat and move on to new advanced detection capabilities to stop those adversaries from infecting those software companies, as well as your organization, in the first place. These new detection capabilities are focused on enhancing technologies already part of the Windows operating system.
As a bonus, each attendee will leave with a copy of the instructions for deploying these advanced Windows detection capabilities.
MD5: 7650970c7ca6a594e388031215a3d4d5
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.8 Mb
Dave Lewis (Akamai Technologies, CA)
Dave has almost two decades of industry experience. He has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave also serves on the (ISC)2 Board of Directors. Dave also writes a column for CSO Online and Forbes.
Attackers are always trying their best to breach your network to steal the secret sauce hidden inside. This session will delve into the attacker's tool set and focus on the types of attacks that are being leveraged against companies today. I will examine tools, case studies and my own war stories.
MD5: e18622f0d73480fd1797d054227ef5e7
Format: application/pdf
Last Update: June 7th, 2024
Size: 22.35 Mb
John Bambenek (Fidelis Cybersecurity, US)
John Bambenek is a Sr. Threat Analyst at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.
According to VirusTotal, they receive over 500,000 samples of potential malware per day. At times this has peaked at over 1,000,000. The sheer deluge of unique malware samples makes it difficult for incident responders to keep up in order to protect their networks. Even more difficult is the task for investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations.
Barncat was designed to help deal with this problem. This system analyzes incoming streams of malware to identify known RATs and other known malware, and then strips out their configurations to produce near-time intelligence on known command-and-control hostnames and IP addresses.
The aspiration is to create automated surveillance tools that can monitor criminal infrastructure, making it easy for incident handlers to identify problems on their network, for security analysts to protect their networks, and for law enforcement to have reliable near-time information for their operations.
This talk will discuss how the tool generates information and what the possibilities hold for this kind of analysis.
Access to the database via MISP is given free of charge to CERTs, law enforcement and trusted industry partners.
MD5: 4e956c14800cd90fb59cf1b66f1fda58
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.13 Mb
Bill Jaeger
MD5: 9176cfacc1b061abc4b42b869a09065d
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.67 Mb
Chris Butera (US-CERT, US)
Mr. Christopher Butera serves as an Incident Response Engagement Lead for US-CERT. In this role, he has led response efforts to many large-scale data breaches in both the private sector and federal government, several of which you may have read about in the news. His focus is on discovering and analyzing new forensic artifacts and finding new security controls to prevent APT intrusions and create or enhance opportunities for early detection and containment.
Mr. Butera is a graduate of the University of Notre Dame and has a Master of Science Degree in Computer Science from the University of Chicago. He holds CISSP, GSEC, and GCED certifications.
Responding to over a dozen major incidents every year, US-CERT has observed significant similarities in breaches and intrusions across a range of different institutions. US-CERT also provides a comprehensive set of services as part of our incident response activities, leading to an enhanced understanding of how breaches occur, what can be done to minimize the impact, and what works (and what doesn't) in crisis communications. Several of our incident response engagements have taken over two months to close out, providing a wealth of experience to share with the CSIRT community as we deal with ever more frequent and severe intrusions into our constituent and customer networks.
This presentation will discuss incident response trends from US-CERT's perspective as well as best practices prior to, during, and after response to major incidents. Common missteps, lessons learned and our top five preventative measures for organizations to take will also be described in detail, with a focus on recent experiences dealing with Bulk PII compromises.
MD5: d6f38adca40f17cff33a0e3de19c3fe2
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.14 Mb
Richard Struse (US Department of Homeland Security, US)
Mr. Struse serves as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he is responsible for technology vision, strategy and implementation in support of the NCCIC’s mission. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. In 2015 Mr. Struse was named by Federal Computer Week as one of the “Federal 100” in recognition of his leadership role in the development of cyber threat intelligence technology standards.
As CSIRTs, ISACs/ISAOs, commercial vendors and others plug into existing and emerging automated Cyber Threat Intelligence ecosystems, the next logical question is “what should we do with all this data?” This talk will explore successful existing applications of CTI and where the CSIRT/IR community is heading based on these interconnected networks. The emphasis will be on approaches that deliver fundamental improvements in defensive cybersecurity operations, at scale. We’ll also ask some thorny questions about how automated CTI ecosystems might disrupt long-standing processes and even beliefs within the security operations community. Finally, promising new uses of CTI will be highlighted and the audience will gain insights into emerging focus areas including:
• Prevention at the scale of millions of endpoints simultaneously
• Rapid correction of false positives through automated feedback loops
• Advanced analysis and meaningful data-driven visuals
MD5: 74544c0542e1261149f7996a0623f02a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.89 Mb
Kenneth van Wyk (KRvW Associates, LLC, US)
Ken is an internationally recognized information security expert and author of three popular books, including Enterprise Security: A Confluence of Disciplines (Pearson, 2014), Secure Coding: Principles and Practices (O’Reilly, 2003), and Incident Response (O’Reilly, 2001). He is also a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.
Ken has previously held executive and senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-wide incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.
Ken was also on the Board of Directors for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He holds a mechanical engineering degree and is a distinguished alumnus of Lehigh University, and is a frequent speaker at technical conferences, including S3, CSI, ISF, FIRST, and others.
Most CSIRTs today know the value of planning, training, and drilling. Indeed, most have elaborate standard operating procedures describing how they will respond to various types of incidents, as recommended by NIST's SP 800-61.
While that's all well and good, oftentimes those plans focus too much on the technical aspects of incident response, or they fail to adequately address the business or to involve the various interdisciplinary key stakeholders in an organization.
In this practical session, Ken van Wyk will describe how to design and run an interdisciplinary tabletop drill in modern medium- to large-sized organizations. The session will cover who to involve in the tabletop drill, what their roles and responsibilities should be, and how to effectively engage with them during the drill. Additionally, it will give practical guidance on how to construct realistic scenarios that draw various business departments into resolving the simulated incidents. These often include corporate communications, legal counsel, human resources, and other organizations that aren't typically direct components of an incident response team, yet are nonetheless key stakeholders during many real world incidents.
Getting the right executive decision makers together for a tabletop drill is challenging enough, and chances are you'll only have their attention for a brief period of time. Designing the right tabletop drill for them to understand not just the basics of your CSIRT's processes but also why their own roles are so vital during real world incidents is crucial to the drill's success.
Van Wyk has built such drills and involved executive teams in dozens of multi-billion dollar corporations. This session will present the practical aspects of making those drills work effectively in your organization.
MD5: eacd48811c25e13706d37324d514c6fa
Format: application/pdf
Last Update: June 7th, 2024
Size: 8.12 Mb
Kyle Wilhoit (Trend Micro, US)
Kyle is a Sr. Threat Researcher at Trend Micro. Prior to joining Trend Micro, he worked at FireEye as a Threat Intelligence expert, hunting state sponsored entities worldwide. He was also the lead incident handler and malware reverse engineer at a large energy company, focusing on ICS/SCADA security and targeted persistent threats. He has also worked at a Tier 1 ISP playing with malware, as a threat analyst and incident response specialist. Kyle has extensive knowledge and experience in the offensive security realm as well.
What would POS Terminal cybercriminals do if they didn’t know you were watching? Find out in this demonstration in which researcher Kyle Wilhoit will use a combination of physical and virtual honeypots to track POS attackers from the initial infection to the exfiltration and resale of data. This session will provide you with the insights you need to better protect your organization that may be using POS terminals.
MD5: bcce4286cfa3095a5e147ddfff8a885d
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.89 Mb
Mr Lee, Suwon (KRCERT/CC)
This session will present KrCERT and how we respond to cyber incidents.
aucklandtc-20160221-lee_suwon-case_study_on_cyber_incidents_in_south_korea.pdf
MD5: 916aa3f6a8e1dd67e5b113baac5e9726
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.51 Mb
Hiroki Iwai (Deloitte Touche Tohmatsu LLC, JP), Kenzo Masamoto (Macnica Networks Corp., JP), Takahiro Kakumaru (NEC Corporation, JP)
Takahiro Kakumaru (NEC Corporation), CISSP
Takahiro Kakumaru is an assistant manager in the Cybersecurity Strategy Division at NEC Corporation. His research interests lie in the areas of cyber threat intelligence, network security monitoring, honeypots, interference with deception, and cyber threat sharing. He holds a master's degree in Engineering from Hokkaido University. He holds CISSP certification.
Hiroki Iwai (Deloitte Japan)
Hiroki Iwai is a Digital Forensic Analyst with Deloitte Japan and a researcher with Deloitte Tohmatsu Advanced Research Laboratory of Cyber. He analyzes cyber security incidents and advises clients in Japan on security measures. Forensics instructor specializing in forensics training for law enforcement. Director of Japan Cyber Crime Control Center.
Kenzo Masamoto (Macnica Networks Corp.)
Kenzo Masamoto is a Security Researcher, Digital Forensic Analyst and Security Solution Architect at Macnica Networks Corp. He has been responsible for security consulting, monitoring of security products (IDS/IPS, WAF, Sandbox, Monitoring Products) and security event analysis for over a decade.
Emdivi, a RAT (Remote Access Tool) type of malware, shook Japan in 2015, and it continues to be observed. In this presentation, we introduce our findings on the attacker's tools that appear to have been used and the commands that appear to have been executed, as well as TTPs (Tools, Techniques, and Procedures), pivoting techniques, and clustering analysis of samples. Finally, we try to infer what the attackers are looking for.
MD5: 1d897dd997a8ff42edeba50c29ab4e17
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.51 Mb
Eyal Paz (Check Point, IL)
Eyal Paz is a technology leader and security innovation researcher at Check Point. During the past five years, Eyal has been doing application and malware research, developing new methods to track risks and anomalies on corporate enterprise networks. Eyal holds a B.Sc. in Software Engineering and is currently working on his master's degree in Computer Science.
In recent years threat intelligence awareness has grown rapidly, not only within the Fortune 500 but with medium-sized companies as well. There are dozens of threat intelligence IoC feeds from excellent cyber-security companies, start-ups, and from great open and closed communities as well.
But recent research published on this issue shows that even all feeds combined are still barely scratching the surface of the malicious threat actors out there. On the other hand, the opposite problem for some organizations is that they are overloaded with security events; this problem exists even if we assume that the IoC feeds are of high quality and have a low false-positive rate.
In this talk we'll discuss how to choose your battles and how to fight the right wars in your own enterprise network: how to prioritize incident handling and focus on the most important incidents. This is accomplished by running statistical analysis on your network and creating your own customized threat intelligence feed, and by consolidating all of your available threat intelligence resources, open-source intelligence (OSINT) and your own internal security events. In this way you maximize your protection against future potential attacks.
We'll demonstrate that this task is relatively simple to perform, but that the return on doing so is extremely high. The security gain is even greater when the home-made feed is shared mutually across the relevant community. The demonstrations will use recent and actual campaigns.
MD5: ce8c8c9c28e3751a3fbe75049aa88d33
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.21 Mb
Michael Hausding (SWITCH, CH), Dr. Serge Droz (SWITCH, CH)
Dr Serge Droz is a senior expert at SWITCH-CERT and has more than 15 years of experience in CERT work. In his former life Serge did research on black holes.
Michael Hausding specialises in all aspects of Domain security. He is responsible for the Safer Internet campaign which addresses all forms of domain abuse. In his past Michael worked as a security expert for various ISPs.
Traditionally, fighting the effects of cyber crime was left to CERTs. But criminals misuse an entire value chain for their malicious purposes. End users, ISPs, web hosters, registrars and domain holders, just to name a few, are among the victims. In Switzerland we follow a holistic approach to break the cyber crime value chain in multiple places, by collaborating with all stakeholders, national and international, and calling on them to do their share.
Phishing campaigns, drive-by attacks, spam-runs to install malware are more and more local and target only users in Switzerland. Information about cybercrime targeting Swiss Internet users is collected by the various players and shared on a national level to clean up and mitigate risks to Internet users in Switzerland. Drive-by, C&Cs and Phishing sites are cleaned up asap, infected users are notified by their ISPs and data to directly mitigate risks via RPZ or Filters are distributed to the ISPs to help them protect their customers.
Despite these efforts, end-users will click on malicious attachments and surf on infected websites. To support these victims the Swiss Internet Security Alliance (SISA), a collaboration of Swiss ISPs and banks, was founded. SISA offers a free check that finds and remedies infections, as well as raising awareness. All participants, banks and ISPs, send their infected customers to the same place: SISA. This makes sure that they all hear the same message.
We show the critical success factors that allowed us to make Switzerland one of the safest places on the Internet.
MD5: 1cef808ef1475540efde35764f82c9cb
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.81 Mb
Brandon Dixon (PassiveTotal, US), Steve Ginty (PassiveTotal, US)
Brandon Dixon is the lead developer and co-founder of PassiveTotal. His primary research involves data analysis, tool development and devising strategies to counter threats earlier in the decision cycle. Throughout the years, Brandon has developed several public tools, most notably PassiveTotal, PDF X-Ray and HyperTotal. His research and development on various security topics has gained accolades from many major security vendors and industry peers.
Steve Ginty, co-founder of PassiveTotal, has more than nine years of experience in the IT Security Industry. Steve has spent the past five years researching targeted intrusions against Fortune 500 organizations. His experience includes leading a team of multi-disciplined researchers implementing proactive methodologies to track threat actor infrastructure and malware associated with attack activity. Steve’s primary areas of research include threat infrastructure analysis and threat data visualization.
Organizations are bombarded with threat intelligence in the forms of feeds, long form reports and shallow guidance, yet none of these impart the wisdom of the analyst who helped derive the content. Using years of analyst experience, Steve and Brandon from PassiveTotal have created a platform that not only aids in the discovery of new potential threat infrastructure, but also distills their years of subject matter expertise into analyst guideposts that even a junior analyst could follow in order to action data provided from 3rd-party providers.
In September 2015, PassiveTotal was acquired by RiskIQ and with that brought years of Internet-scanning data that RiskIQ had collected by crawling the web. In this talk, we want to move beyond the popular sources of infrastructure connection like WHOIS and passive DNS and instead, focus on the non-traditional points of correlation derived from the data found within the RiskIQ repositories. Our demonstration will not only show that these non-traditional sources find data WHOIS and passive DNS miss, it will also identify subtle mistakes in an attacker's operational security.
Attendees should expect to walk away with knowledge of new datasets, some of which could be collected on their own, and how they could aid them in discovering additional pieces of infrastructure. Additionally, a demonstration will be done highlighting how an analyst could operationalize the data in order to make discoveries by using the PassiveTotal platform or command line tools using the free API. Threats have become more advanced, yet our ways of making connections have largely stayed the same. By giving the analyst more tools and ways of surfacing malicious content, we hopefully succeed in making it harder for attackers to be successful.
MD5: f906fd7df2c563e326a97c399e002eb5
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.35 Mb
Aswami Ariffin (CyberSecurity Malaysia, MY), Azlan Nor (CyberSecurity Malaysia, MY), Nurul Mohd (CyberSecurity Malaysia, MY), Zahri Yunos (CyberSecurity Malaysia, MY)
NURUL HUSNA BT MOHD NOR HAZALIN is a Senior Analyst in CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, Malaysia. Nurul holds a Bachelor's Degree in Information Technology majoring in Information System Engineering from the Multimedia University (MMU), Melaka, Malaysia. She is a certified Information Security Auditor by ISACA, certified ISO27001 Lead Auditor by British Standard Institution (BSI), certified Associate Business Continuity Professional by the Disaster Recovery Institute International (DRI) USA, certified Security Analyst by EC-COUNCIL, certified ITIL by EXIN, and certified CompTIA Security+ by CompTIA USA.
DR. ZAHRI YUNOS is the Chief Operating Officer of CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, Malaysia. Zahri holds a PhD in Information Security from the Universiti Teknikal Malaysia Melaka (UTeM), Melaka, Malaysia. Zahri also holds a Master’s degree in Electrical Engineering from the Universiti Teknologi Malaysia, Malaysia and a Bachelor’s degree in Computer Science from the Fairleigh Dickinson University, New Jersey, USA. He is a certified Associate Business Continuity Professional by the Disaster Recovery Institute International, USA. Zahri has been awarded Senior Information Security Professional Honoree in July 2010 by the (ISC)2, USA. He has contributed various publications and presented papers on topics related to cyber security, cyber terrorism and business continuity management.
Dr Aswami Ariffin is a digital forensics scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation with various law enforcement agencies/regulatory bodies and provided expert testimonies in court. Aswami was awarded ISLA - Information Security Leadership Award in 2009 by (ISC)2 USA including commendation letter from the Attorney General's Chambers Malaysia and the Royal Malaysia Police in 2010. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX, 2013. He also involves as a committee member for the digital forensics program of the prestigious International Conference on Availability, Reliability and Security (ARES). Currently, Dr Aswami is Vice President of CyberSecurity Responsive Services at CyberSecurity Malaysia.
MOHD AZLAN MOHD NOR is the Head of Secure Technology Services Department in CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, Malaysia. He holds HND in Electronic Engineering from Frederiksberg Teknike Skole, Copenhagen, Denmark. He is at present overseeing Information Security Services operations in CyberSecurity Malaysia. Azlan has working experiences in Information Technology field over 10 years. His areas of expertise are system security, penetration test, web security and ISMS execution. Azlan is a Certified Ethical Hacker (CEH) and Certified Security Analyst (ECSA).
Cyberspace, including the Internet, has become an indispensable part of modern life. While development in the field of ICT allows for enormous gains in efficiency and productivity, it has created opportunities for those with devious ambitions to cause havoc and harm. The potential for catastrophic cyber attacks that can cripple the operations of a nation's critical infrastructures is worrying. Critical National Information Infrastructure (CNII) is deemed critical to the nation because disruption of its systems and communication networks could significantly affect the nation's economic, political, strategic and socio-economic activities. The capability to run a functional enterprise CSIRT is seen as closely connected to the idea of critical infrastructure protection. This paper proposes that CNII organizations establish a Computer Security Incident Response Team (CSIRT), which provides systematic guidance for managing the organization's information security risks to an acceptable level.
MD5: 2c86e47fc29723b5f49461e0c3a8bbe5
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.9 Mb
Manisha Parmar (NCI Agency)
parmar-multinational-environment.pdf
MD5: b26222d47f76634f737a7e29087532bc
Format: application/pdf
Last Update: June 7th, 2024
Size: 721.24 Kb
Ko Ikai (NISC, JP)
Ko IKAI joined the National Police Agency (NPA) in April 1995. At the early stage of his career, he was involved in planning cybercrime countermeasures. After one year of cybersecurity study at George Washington University in the USA, he was posted in 2002 as Deputy Chief of the Cyber Force Center, NPA's technical unit for watch & warning and CII. From 2006 to 2008, he worked on the G8 Roma/Lyon Group and the G8 Justice and Home Affairs Ministerial Meeting in NPA's International Division. In 2010, he started his first posting at the National Information Security Center (NISC), where he was in charge of strategic policy making. For three years from 2012, he served as a Deputy Director for human resources management of about 4,000 technical officials in NPA. In March 2015, he was posted to NISC again, and he is now working as the Counsellor for the Tokyo 2020 Olympic/Paralympic cybersecurity project.
Cybersecurity of global big events such as the Olympic/Paralympic Games is a great challenge for the incident response teams concerned. Securing such events requires building coordination among many and varied stakeholders, anticipating extremely large and sophisticated attacks, analysing a variety of international and social background issues, and adapting solutions to never-ending technological innovation. The author's presentation will describe these challenges and how the government of Japan is trying to address them in preparing cybersecurity readiness for the Tokyo 2020 Olympic/Paralympic Games.
MD5: 9d6ebeed25c65d9b807aa14d45ddf410
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.11 Mb
David Lenoe (Adobe, US), Tom Cignarella (Adobe, US)
Tom Cignarella is the Director of Incident Response at Adobe. He was formerly the director of Product Operations for Adobe's CloudOps group and technical operations for Adobe EchoSign (now part of Adobe Document Cloud). Tom leads Adobe’s response to technical security incidents spanning all aspects of IT operations and our hosted service offerings. Tom partners with the operational incident response teams across the company to set the strategy and build out the framework for day-to-day operations for how teams monitor environments, investigate incidents, and communicate with internal stakeholders and customers. His team also drives the feedback loop of findings and lessons learned from incidents into the security roadmaps that teams use to track & prioritize their proactive investments.
David Lenoe is Director, Secure Software Engineering at Adobe. In his role, Lenoe manages the Product Security Incident Response Team (PSIRT) dedicated to responding to and communicating about security issues, as well as the Adobe Secure Software Engineering Team (ASSET) responsible for ensuring Adobe's products are designed, engineered and validated using security best practices. Lenoe is also responsible for Adobe’s vulnerability information sharing via the Microsoft Active Protections Program (MAPP). Lenoe represents Adobe on SAFECode's Board of Directors and acts as SAFECode’s Treasurer. Lenoe joined Adobe as part of the Macromedia acquisition in 2004. At Macromedia, Lenoe held several management and engineering positions in the areas of product security, product management and quality assurance. Lenoe earned a BA in Japanese language and literature from Connecticut College.
Incident Response at Adobe started off 10 years ago when the Product Security team was first formed – mostly coordinated disclosure (called ‘responsible disclosure’ back then) of vulnerabilities from security researchers and partners. After a couple of years, coordinated disclosure practices became more challenging – when exploits in the wild against Adobe runtime products began to proliferate. As the product and threat landscape evolved further, with hosted services entering into the mix, we began to see that vulnerability response and traditional network incident response were overlapping, and a new approach was required. We’ll talk about our journey, lessons we've learned along the way, and where we see incident response at Adobe going in the future.
MD5: 6bfb1e12ba327509bc54386f6b7dc215
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.42 Mb
Shingo Abe (JPCERT/CC, JP)
After seven years of research and development on IT security at Toshiba Solution Corporation, including algorithm implementation, Mobile Device Management (MDM) development for Android tablets and the development of a cryptographic key management system, Mr. Shingo ABE joined JPCERT/CC in October 2014. He handles response to cyber incidents affecting industrial control systems, information collection and analysis, and communication and coordination in the ICS Security Response Group.
Detecting "lateral movement" – the spreading of an infection after the initial compromise of an internal network – in APT attacks is extremely challenging. This presentation will focus on Active Directory event logs, introduce our unique visualization of the related activities based on those event logs, and show how to detect attacks effectively. We will also present case studies and findings from JPCERT/CC's incident analysis. Lastly, through collaborative trial studies with Industrial Control System (ICS) asset owners, we found that this methodology is also effective for the principal Windows hosts in an ICS, even in environments where Active Directory is not used. The presentation will also discuss the results of these studies.
In 2015, Japan faced numerous advanced attacks. Under these circumstances, JPCERT/CC gained the cooperation of some of the victim organizations and investigated the malware and related logs. Through our analysis, we found several cases of lateral movement in which the attacker had taken over a user account with Domain Controller administrative privileges in an Active Directory environment. In this presentation, we will cover event log settings and key items that are highly useful in detecting such attacks, and more.
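As an added illustration of the kind of event-log analysis the abstract refers to, the following Python snippet (written for this page, not JPCERT/CC's tool) flags an account that performs network logons (event 4624, logon type 3) to several distinct hosts within a short window and is granted administrative-equivalent privileges there (event 4672). The event field names follow the Windows Security log as produced by a typical evtx-to-JSON converter; the event records themselves are constructed sample data, and the 30-minute window and three-host threshold are assumed tuning values.

```python
"""Flag lateral-movement-like logon patterns in Windows Security events.

Added example for this page, not JPCERT/CC's tooling. Assumes events are
already parsed into dicts whose keys mirror the Windows Security log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. 4624 = successful logon,
# 4672 = special privileges assigned to new logon, LogonType 3 = network.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2016-03-01T09:00:05", "Computer": "WS01",
     "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"},
    # A service account hops across four hosts, including the DC, from one
    # workstation address, and gets admin privileges on each.
    {"EventID": 4624, "TimeCreated": "2016-03-01T10:12:00", "Computer": "WS01",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.15"},
    {"EventID": 4672, "TimeCreated": "2016-03-01T10:12:00", "Computer": "WS01",
     "TargetUserName": "svc_backup"},
    {"EventID": 4624, "TimeCreated": "2016-03-01T10:14:30", "Computer": "WS02",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.15"},
    {"EventID": 4672, "TimeCreated": "2016-03-01T10:14:30", "Computer": "WS02",
     "TargetUserName": "svc_backup"},
    {"EventID": 4624, "TimeCreated": "2016-03-01T10:19:10", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.15"},
    {"EventID": 4672, "TimeCreated": "2016-03-01T10:19:10", "Computer": "FS01",
     "TargetUserName": "svc_backup"},
    {"EventID": 4624, "TimeCreated": "2016-03-01T10:25:45", "Computer": "DC01",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.15"},
    {"EventID": 4672, "TimeCreated": "2016-03-01T10:25:45", "Computer": "DC01",
     "TargetUserName": "svc_backup"},
    # Machine accounts talk to the DC all day; they are filtered as noise.
    {"EventID": 4624, "TimeCreated": "2016-03-01T10:30:00", "Computer": "DC01",
     "TargetUserName": "WS02$", "LogonType": 3, "IpAddress": "10.0.0.22"},
    # A user mapping a share on one other host hours later: below threshold.
    {"EventID": 4624, "TimeCreated": "2016-03-01T15:00:00", "Computer": "FS01",
     "TargetUserName": "jdoe", "LogonType": 3, "IpAddress": "10.0.0.15"},
]

NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_noise(account):
    """Machine accounts (trailing $) and built-in identities fan out legitimately."""
    return account.endswith("$") or account.upper() in NOISE_ACCOUNTS


def detect_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Return one finding per account that reached >= min_hosts distinct hosts
    via network logons inside any `window`, noting where it got 4672."""
    privileged = set()            # (account, host) pairs with special privileges
    logons = defaultdict(list)    # account -> [(time, host, source_ip)]
    for ev in events:
        acct = ev["TargetUserName"]
        if is_noise(acct):
            continue
        t = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4672:
            privileged.add((acct, ev["Computer"]))
        elif ev["EventID"] == 4624 and ev.get("LogonType") == 3:
            logons[acct].append((t, ev["Computer"], ev.get("IpAddress", "-")))

    findings = []
    for acct, entries in logons.items():
        entries.sort()
        best = None
        for i, (t0, _, _) in enumerate(entries):
            hosts, sources = set(), set()
            end = t0
            for t, host, src in entries[i:]:     # slide a window starting at t0
                if t - t0 > window:
                    break
                hosts.add(host)
                sources.add(src)
                end = t
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "account": acct,
                    "hosts": sorted(hosts),
                    "sources": sorted(sources),
                    "first": t0.isoformat(),
                    "last": end.isoformat(),
                    "privileged_on": sorted(h for h in hosts if (acct, h) in privileged),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_EVENTS):
        print(f)
```

On the sample data only svc_backup is reported: four hosts including the domain controller in under fifteen minutes, all from the same workstation address, with special privileges on each. That a service account is used from a user's workstation is itself worth a look. The thresholds must be tuned against a baseline of normal administrative activity, and the 4672 correlation only works if the "Audit Special Logon" subcategory is enabled on the member hosts, not just on the domain controllers.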
MD5: 8c8c6bebdde6e09c1d9c94b0bd5b04fd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.37 Mb
Staffan Truve (Recorded Future, SE)
Staffan Truvé is the co-founder and CTO of Recorded Future. He has co-founded over fifteen software companies, including visualization pioneer Spotfire (acquired by Tibco) and Appgate (now Cryptzone) for network security. Staffan holds a PhD in computer science from Chalmers University of Technology. He has been a visiting Fulbright Scholar at MIT. His research interests include threat intelligence, machine learning, natural language processing and information visualization. He is a member of the Royal Swedish Academy of Engineering Sciences.
Risk scoring of IP addresses and other technical indicators is crucial to running an efficient IT / network security operation. Currently, traditional threat lists are compiled from information provided by honeypots, analyses of log files, and similar sources. This research shows a new approach that uses contextual information derived through text analysis (Natural Language Processing) of documents sourced from the open web, forums, paste sites, and onion sites. The methodology is illustrated by an analysis of 12 months of historic data from open web sources, forums, and paste sites, showing how a set of IP addresses can be identified as potentially malicious based on their aggregated context across a large number of documents. The analysed documents include, for example, information on planned attacks (including lists of target IP addresses that should be scanned for vulnerabilities, and the results of such scans) and discussions about how to configure malware with different C&C servers. In conclusion, this new approach yields a higher proportion of malicious outbound IP addresses than traditional threat lists. As a result of this analysis, operational defenders gain another valuable source of complementary threat information.
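The core of the approach is aggregating, per IP address, the threat-related vocabulary that co-occurs with it across many documents. The following Python snippet is an added example of that idea, not Recorded Future's system: it extracts IPv4 addresses from a handful of constructed document snippets, discards private and link-local space, and sums assumed keyword weights found in a text window around each mention, keeping track of how many distinct source types mentioned it. The keyword list, the weights and the window size are all illustrative assumptions.

```python
"""Context-based IP risk scoring over text documents.

Added example for this page (not Recorded Future's code). Term weights,
window size and the document snippets are constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address space that is never a useful indicator on its own. The RFC 5737
# documentation ranges are deliberately left in because the samples use them.
IGNORED = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# Assumed context terms: regex -> (label, weight). Several spellings can map
# to the same label so they are not double-counted within one mention.
TERMS = {
    r"\bc2\b": ("c2", 3), r"\bc&c\b": ("c2", 3),
    r"\bcommand and control\b": ("c2", 3),
    r"\bbotnet\b": ("botnet", 3), r"\bmalware\b": ("malware", 2),
    r"\bphishing\b": ("phishing", 2), r"\bddos\b": ("ddos", 2),
    r"\bexploit\w*": ("exploit", 2), r"\bscan\w*": ("scan", 1),
    r"\btarget\w*": ("target", 1),
}
COMPILED = [(re.compile(p, re.I), label, w) for p, (label, w) in TERMS.items()]

# Constructed snippets standing in for paste-site, forum and web documents.
DOCS = [
    {"source": "paste", "text": "scan results: 203.0.113.5 ssh open, 203.0.113.9 rdp open. target list for tonight"},
    {"source": "forum", "text": "set the c2 to 203.0.113.5:8080 in the builder, the malware phones home there"},
    {"source": "forum", "text": "my lan is 192.168.1.1 and the gateway 10.0.0.1, help with the builder config"},
    {"source": "web",   "text": "the phishing kit was hosted at 198.51.100.23 for two days"},
    {"source": "web",   "text": "ddos hit us from 203.0.113.9 and 256.1.1.1 lol"},
]


def candidate_ips(text):
    """Yield (ip, start, end) for syntactically valid, non-ignored IPv4 mentions."""
    for m in IPV4.finditer(text):
        try:
            ip = ip_address(m.group())
        except ValueError:          # e.g. 256.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in IGNORED):
            continue
        yield str(ip), m.start(), m.end()


def score_ips(docs, window=100):
    """Aggregate weighted context terms per IP across all documents."""
    scores = defaultdict(lambda: {"score": 0, "mentions": 0, "sources": set(), "terms": set()})
    for doc in docs:
        text = doc["text"]
        for ip, start, end in candidate_ips(text):
            ctx = text[max(0, start - window): end + window]
            found = {label: w for rx, label, w in COMPILED if rx.search(ctx)}
            entry = scores[ip]
            entry["mentions"] += 1
            entry["sources"].add(doc["source"])
            entry["score"] += sum(found.values())
            entry["terms"] |= found.keys()
    return scores


def rank(docs, window=100):
    """Return IPs ordered by descending context score, ties broken by address."""
    rows = [{"ip": ip, "score": e["score"], "mentions": e["mentions"],
             "sources": sorted(e["sources"]), "terms": sorted(e["terms"])}
            for ip, e in score_ips(docs, window).items()]
    return sorted(rows, key=lambda r: (-r["score"], r["ip"]))


if __name__ == "__main__":
    for row in rank(DOCS):
        print(row)
```

On the constructed documents 203.0.113.5 ranks first (scan-target context on a paste site plus a C2 discussion on a forum, two distinct source types), the private addresses in the help request are dropped, and the malformed 256.1.1.1 is rejected even though it matches the regex. A real pipeline would also discount boilerplate mentions (the IP inside a quoted log line, a vendor's own address) and weight sources by past precision, which this snippet does not attempt.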
MD5: 2a6a4dc095431aca2c22a05d8f526dd1
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 19.66 Mb
James Sheppard (Cisco Systems, US)
James Sheppard joined Cisco Systems in 2011 as an Information Security Analyst for the Computer Security Incident Response Team (CSIRT) and later became the Analyst Team Lead. His primary objectives were rearchitecting analyst procedures, streamlining detection techniques, and improving CSIRT's coverage of the rapidly evolving threat landscape. James is now the Lead Threat Intel Analyst and is primarily focused on operationalizing threat intelligence and designing monitoring strategies to protect Cisco from the newest, most relevant threats.
As an analyst with the Cisco Computer Security Incident Response Team (CSIRT), I have observed and responded to numerous compromises resulting from exposure to hacked websites. These attacks, growing in popularity, are difficult to detect: reputation-based scoring doesn't work, zero-day malware is frequently used, and there are no visible signs of compromise. Regardless of the difficulty, we cannot sit around and wait for hacked machines before discovering the root cause. My job as a practitioner is to create detection capabilities that increase our coverage of the threat landscape, and I would like to discuss how incident response teams can proactively generate their own threat intelligence related to targeted web compromises.
The main focus of this discussion will be a custom web crawler that detects malicious modifications to websites including iframe redirects, spam injection, and website defacement. Cisco CSIRT is actively taking steps to open source this tool and targets a release date of June 12, 2016. Upon release, incident response practitioners can use this tool in two ways:
Website monitoring tool – Add your organization’s domains to the crawler’s list of sites to be regularly monitored. An alert will be generated if anything suspicious is found.
External monitoring solution – Proactively generate your own threat intelligence by scanning potentially compromised websites.
The web crawler employs a variety of detection techniques: it inspects the Document Object Model of each page, calculates the position and size of iframes, analyzes anchor tags using threat intelligence, and calculates differences in screenshots and ssdeep hashes. These capabilities allow detection of iframe redirects, VBScript injection, spam injection on blog posts, raw Pastebin injection, email disclosure, and website defacement. Case studies of actual compromises and alerts will be presented at the conference.
The web crawler was built using three open-source technologies: Scrapy, PhantomJS, and Django. Scrapy is a web scraping and crawling framework written in Python, which serves as the basic foundation of the web crawler. PhantomJS is a headless web driver; in other words, a browser without a graphical user interface (GUI). PhantomJS allows the crawler to load dynamic page content and “browse” websites just like a human would. Django is a Python web framework and was used to build out a web interface so practitioners can easily add/remove domains to crawl and view alerts.
Finally, the web crawler can be integrated with log aggregation technologies such as Splunk and Elasticsearch, allowing industry practitioners to search logs for alert data.
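To make the detection techniques concrete, here is an added Python example (not the Cisco CSIRT crawler, and not its code) that applies two of them to a fetched page: it walks the parsed DOM for iframes that are hidden by size or by CSS positioning, and compares the set of external domains the page links to or loads scripts from against a stored baseline copy of the same page. A difflib similarity ratio stands in for the ssdeep comparison the abstract describes; the baseline and compromised pages, the own-domain list and the 0.9 similarity threshold are constructed assumptions.

```python
"""Detect hidden iframes and newly injected external links on a monitored page.

Added example for this page, not the Cisco CSIRT crawler. Uses only the
standard library; the similarity ratio stands in for ssdeep.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that hides an element or pushes it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)


def _px(value):
    """Parse a width/height attribute such as "1" or "1px"; None for "100%" or missing."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return int(m.group(1)) if m else None


class PageInspector(HTMLParser):
    """Collects hidden iframes and the external hosts a page links to or loads from."""

    def __init__(self, own_domains):
        super().__init__()
        self.own = {d.lower() for d in own_domains}
        self.hidden_iframes = []
        self.external_domains = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.hidden_iframes.append(a.get("src", ""))
        if tag == "a":
            url = a.get("href")
        elif tag in ("script", "iframe"):
            url = a.get("src")
        else:
            url = None
        if url:
            host = (urlparse(url).hostname or "").lower()
            if host and host not in self.own:
                self.external_domains.add(host)


def inspect_page(html, own_domains):
    p = PageInspector(own_domains)
    p.feed(html)
    p.close()
    return p


def analyze(baseline_html, current_html, own_domains, min_similarity=0.9):
    """Compare a freshly crawled page with its stored baseline and decide whether to alert."""
    base = inspect_page(baseline_html, own_domains)
    cur = inspect_page(current_html, own_domains)
    similarity = SequenceMatcher(None, baseline_html, current_html).ratio()
    new_domains = sorted(cur.external_domains - base.external_domains)
    return {
        "similarity": round(similarity, 3),
        "hidden_iframes": cur.hidden_iframes,
        "new_external_domains": new_domains,
        "alert": bool(cur.hidden_iframes or new_domains or similarity < min_similarity),
    }


# Constructed sample pages (assumed own domains; 203.0.113.5 and .invalid are reserved).
OWN_DOMAINS = ["example.com", "www.example.com"]

BASELINE = """<html><body>
<h1>Example Corp News</h1>
<a href="/about">About</a>
<a href="https://www.example.com/news">News</a>
<a href="https://twitter.com/example">Twitter</a>
<script src="/static/app.js"></script>
</body></html>"""

COMPROMISED = BASELINE.replace(
    "</body>",
    '<iframe src="http://203.0.113.5/load.php" width="1" height="1" '
    'style="position:absolute;left:-9999px"></iframe>\n'
    '<div><a href="http://pharma.invalid/buy">cheap meds</a></div>\n</body>')


if __name__ == "__main__":
    print(analyze(BASELINE, COMPROMISED, OWN_DOMAINS))
```

Keeping a per-page baseline is what makes the anchor check useful: a link to twitter.com is normal for this site and never alerts, while a link to a domain the page has never referenced before does. The similarity threshold is a coarse defacement detector; for legitimately dynamic pages it should be computed on the template with volatile regions (dates, comment counts, ad slots) stripped first, or it will alert on every crawl.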
MD5: d8490285e883944b2de3309e52c2a19f
Format: application/pdf
Last Update: June 7th, 2024
Size: 13.64 Mb
Dr. Paul Vixie is the CEO of Farsight Security, Inc. In 2014, he was inducted into the Internet Hall of Fame for his work related to DNS. Previously, he served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Dr. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8. He earned his Ph.D. from Keio University for work related to DNS and DNSSEC.
Today most incident response teams rely on vendor threat feeds to gain additional intelligence about the attacks against their network. Yet vendor threat intelligence alone is limited -- if the IOCs, signatures, or other feeds don't match what investigators have found in their network the investigation itself can come to an abrupt end. In this presentation, “DIY Threat Intelligence With Real-Time Data,” Dr. Paul Vixie, an Internet pioneer inducted into the 2014 Internet Hall of Fame for his work related to DNS, will demonstrate how digital investigators can go beyond threat indicators to create their own threat intelligence using real-time data from the Global DNS. For example, using real-time DNS observations, a domain name might lead you to a list of IP addresses and perhaps a list of name servers. Following those IP addresses and name servers will often lead to more domain names of interest, etc. When you're done investigating, you'll have an excellent picture of "what's connected to what" and have created threat intelligence specific to your own incident leading to faster response and mitigation.
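The pivoting the abstract describes (domain to IP addresses and name servers, then back to other domains sharing them) is a graph walk over DNS observations. The following Python snippet is an added example of that walk, not Farsight's code: it runs over a small constructed set of passive-DNS-style records, expands the seed by A and NS records in both directions up to a fixed depth, and refuses to pivot through an IP or name server shared by more than an assumed number of names, which is the usual guard against dragging shared hosting or a large DNS provider's customers into the picture.

```python
"""Pivot from a seed domain through shared IPs and name servers.

Added example for this page (not Farsight Security's tooling). The records
are constructed to look like passive-DNS observations; max_shared is an
assumed cut-off for 'too popular to pivot on'.
"""
from collections import defaultdict, deque

# Constructed observations: (rrname, rrtype, rdata). Not real data.
RECORDS = [
    ("evil.example", "A", "198.51.100.7"),
    ("evil.example", "NS", "ns1.badhost.example"),
    ("evil.example", "NS", "ns2.badhost.example"),
    ("drop.example", "A", "198.51.100.7"),
    ("drop.example", "NS", "ns1.badhost.example"),
    ("cnc.example", "A", "198.51.100.9"),
    ("cnc.example", "NS", "ns1.badhost.example"),
    ("cnc.example", "NS", "ns1.bigdns.example"),
    # ns1.bigdns.example serves many unrelated names; pivoting on it is noise.
    ("shop.example", "NS", "ns1.bigdns.example"),
    ("blog.example", "NS", "ns1.bigdns.example"),
    ("news.example", "NS", "ns1.bigdns.example"),
    ("mail.example", "NS", "ns1.bigdns.example"),
    ("shop.example", "A", "203.0.113.20"),
]

PIVOT_TYPES = ("A", "AAAA", "NS")


def pivot(records, seed, max_depth=2, max_shared=4):
    """Breadth-first expansion from `seed`.

    Returns (depth, via, edges): depth maps each reached name to its distance
    from the seed, via records the (name, rrtype, rdata) link that pulled each
    new name in, and edges lists every (name, rrtype, rdata) seen while walking.
    """
    fwd = defaultdict(set)    # name -> {(rrtype, rdata)}
    rev = defaultdict(set)    # (rrtype, rdata) -> {names pointing at it}
    for name, rtype, rdata in records:
        if rtype in PIVOT_TYPES:
            fwd[name].add((rtype, rdata))
            rev[(rtype, rdata)].add(name)

    depth, via, edges = {seed: 0}, {}, set()
    queue = deque([seed])
    while queue:
        name = queue.popleft()
        if depth[name] >= max_depth:
            continue
        for key in sorted(fwd[name]):
            edges.add((name,) + key)
            siblings = rev[key]
            if len(siblings) > max_shared:
                continue            # shared infrastructure: record it, do not expand
            for other in sorted(siblings):
                if other not in depth:
                    depth[other] = depth[name] + 1
                    via[other] = (name,) + key
                    queue.append(other)
    return depth, via, sorted(edges)


if __name__ == "__main__":
    depth, via, edges = pivot(RECORDS, "evil.example")
    for name in sorted(depth, key=depth.get):
        print(depth[name], name, via.get(name, "seed"))
```

From evil.example the walk reaches drop.example (same A record) and cnc.example (same name server) but stops at ns1.bigdns.example, so shop.example and the other customers of that provider stay out of the incident's graph; raising max_shared pulls them in, which is the kind of false pivot the cut-off exists to prevent. With real passive DNS you would also bound the walk by observation time, since an IP that hosted the attacker's domain two years ago says little about who is on it now.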
MD5: 284d23d929470166c97e6c888470e5a3
Format: application/pdf
Last Update: June 7th, 2024
Size: 820.76 Kb
Edward Lewis (ICANN)
ICANN, as the IANA functions operator, is tasked to manage the top-most cryptographic key in the public DNSSEC hierarchy. After 5 years of operation with the original KSK, there is a call to change the key in a non-emergency posture. While preparing for this first-ever change of a static configuration element used by an unknown number of independent and anonymous organizations some details needing to be openly discussed have emerged. In this talk, background on the KSK operations will be followed by a description of such details, with the goal of eliciting feedback from those who will be impacted by the change of the KSK.
aucklandtc-20160221-edward_lewis-dns_root_zone_dnssec_operations.pdf
MD5: 77673775c12e60c0028541ed43e9559b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.32 Mb
Eireann Leverett (Concinnity Risks, GB), Marie Moe (SINTEF, NO)
Marie Moe is passionate about incident handling and information sharing. She cares about public safety and about securing systems that may impact human lives, which is why she has joined the grassroots organisation "I Am The Cavalry". Marie is a research scientist at SINTEF ICT and has a Ph.D. in information security. She has experience as a team leader at NorCERT, the Norwegian national CERT. Marie also teaches a class on incident management and contingency planning at the Norwegian University of Science and Technology.
Eireann Leverett has studied psychology, philosophy, artificial intelligence, software engineering, and computer security at various times in his life. He holds a BEng from Edinburgh University and an MPhil from the University of Cambridge in Advanced Computer Science. His research focuses upon technological disasters and the economic impacts of computer security failures or accidents. He has experience of compromising the security of organisations, and assisting them to improve their security postures through a variety of short and long term methods. He is interested in computer security at scale, security economics, systems security, incident response, critical infrastructure protection, safety, firmware signing, exploit markets, vulnerability management, quality assurance, indicators of compromise, modelling, networks, risk, visualisations, and zero knowledge proofs.
The demand for insurance against cyber attacks is rapidly increasing and insurance companies are entering the field as actors in the incident response food chain. Businesses that want to use cyber insurance as a risk management strategy need to understand the risk they are facing, and how cyber insurance can reduce this risk. This implies a need to understand and evaluate cyber insurance policies. Insurance companies, on the other hand, need to be able to differentiate between potential clients based on the risk they are facing, so as to reduce the risk of adverse selection. They also need to understand the needs of the various market segments, in order to offer cyber insurance products that are relevant.
For both the supply and the demand side it is important to understand and document costs related to cyber-incidents, in order to agree on a compensation in case there is an incident. Insurance companies are currently partnering with security consultants, managed security service providers and incident response teams to evaluate the cyber security posture of potential customers, and to provide rapid incident response services aimed at minimising damage and cost of cyber incidents. However, this is yet an immature area and more research is needed to establish a cost-benefit framework for cyber insurance and better understand the underlying factors that influence the costs associated with cyber attacks.
SINTEF has performed a study identifying knowledge gaps in using cyber insurance as a risk management strategy [1], and has interviewed several insurance companies that offer cyber insurance to the Norwegian market. This spring we will continue this qualitative research with further in-depth interviews with insurance companies, insurance company contractors and customers.
Some of the key issues that will be discussed in this talk are:
[1] I. A. Tøndel, P. H. Meland, A. Omerovic, E. A. Gjære and B. Solhaug: Using Cyber-Insurance as a Risk Management Strategy: Knowledge Gaps and Recommendations for Further Research. Technical Report
MD5: 7eb082a40e7fc43a3b93e1d4417991df
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.8 Mb
Frank Li (University of California Berkeley, US)
Presented by: Frank Li, a graduate student in computer security at the University of California Berkeley.
Coauthors: Zakir Durumeric, a graduate student in computer security at the University of Michigan.
Michael Bailey, a professor in the Department of Electrical and Computer Engineering at the University of Illinois Urbana-Champaign.
Vern Paxson, a professor in the Department of Electrical Engineering and Computer Science at the University of California Berkeley.
In March 2014, researchers found a catastrophic vulnerability in OpenSSL, the cryptographic library used to secure connections in popular server products. While OpenSSL has had several notable security issues during its 16-year history, this flaw---the Heartbleed vulnerability---was one of the most impactful, allowing attackers to read sensitive memory from vulnerable servers. As researchers, we analyzed the impact of the vulnerability and tracked the server operator community's responses. While this work gave a detailed view into global patching behavior, perhaps the most interesting lesson from our study of Heartbleed is the surprising impact that direct notification of network operators can have on patching. Even with worldwide publicity and automatic update mechanisms, Heartbleed patching plateaued two weeks after disclosure with 2.4% of HTTPS hosts remaining vulnerable. We emailed network operators about the unpatched systems in their address spaces, in two groups a week apart. Surprisingly, we observed that during the period when only the first group had been contacted, the rate of patching was 47% higher for those notified.
Although Internet-wide measurement techniques have enabled the mass detection of both vulnerable and compromised systems, many researchers (including us) had assumed that performing mass security notifications for any global incident would be either too difficult or ineffective. Our findings challenge this view. As a result, we now believe more work is needed to understand what factors influence the effectiveness of mass notifications and to determine how best to perform them.
In this talk, we will briefly summarize our experiences with mass notifications and solicit the community's feedback on our ongoing efforts to answer several core research questions. For example, how do response rates vary for a range of types of security events with varying characteristics and user demographics? What is the best means of reaching the people responsible for managing these systems, and what role do organizations like CERTs play? Finally, how do we construct a notification message for maximum effectiveness? By answering these important questions, we hope to make automatic, measurement-driven mass notifications an important tool in the defensive security arsenal.
MD5: 88d77bd82b545591a726e0165f856ad3
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.62 Mb
Fábio Olivé, Christopher "CRob" Robinson
olive-crob-slides_20160218.pdf
MD5: 85da51604af012224e9dbb4ce5642fa8
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.36 Mb
Feng Xue (ThreatBook, CN), Hong Jia (ThreatBook, US)
Hong Jia is the head of response and research at ThreatBook Labs, a startup company based in China providing threat intelligence services, and is also its co-founder. Hong leads ThreatBook's efforts in threat incident response, threat intelligence research, and the data mining and correlation studies applied to threat intelligence research. Prior to joining and setting up ThreatBook Labs, Hong was the principal lab manager of response and research at the Microsoft Malware Protection Center (MMPC), with labs in Redmond (WA), Vancouver (BC) and Beijing. She led the MMPC labs' efforts to protect billions of computers from malware through fast incident response, deep malware family threat research and machine-learning-driven automation for malware clustering and classification. She also served as liaison between MMPC and Chinese security companies, and helped deploy a number of MMPC security programs in China through her strong industry relationships with security organizations and vendors. Hong gained valuable experience working at Microsoft and collaborating with the security industry during her 15 years of service there.
Feng Xue is the founder and CEO of ThreatBook, China's first threat intelligence company. Feng was the CISO for Amazon China, where he led the overall security strategy; before that he was the Director of Internet Security at Microsoft. Feng is also a frequent speaker at international security conferences including Black Hat, BlueHat and XCon.
Researchers at security firms often face two scenarios. In the first, after a security incident has happened and the in-house data is traced back, they find that some of the relevant data has been sitting there for nearly half a year, some for almost a year, without raising any noticeable alert. In the second, facing huge volumes of data every day (hundreds of thousands of suspicious programs, tens of thousands of indicator of compromise (IOC) records), researchers must spend a lot of time investigating and identifying the severe, actionable and relevant data using a variety of tools. The data dilemma for researchers always seems to be either too much data or too little. Researchers need a unified platform that raises alerts on potentially high-risk threats from the mass of data in time, so that they can immediately investigate, monitor and further strengthen data collection from targeted sensors and sources, shortening the investigation cycle needed to track down a threat and find the needle in the haystack.
In this talk, I want to share with you a threat intelligence analysis platform by going through deep dives of two China-focused threats, and show how it helps to gather scalable threat data, provides an interactive unified analysis platform to our researchers, helps researchers reduce the threat analysis cycle and the time needed to assess a threat's infrastructure capability, and produces actionable IOCs based on the threat's tactics, techniques and procedures (TTPs).
MD5: 7dbf2f750e51d1809346f7900d6f3fb7
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.32 Mb
Andrew Kompanek (CERT/CC), Pawel Pawlinski (CERT Polska / NASK)
Pawel Pawlinski is a specialist in the Security Projects Team at CERT Polska. His main interests in the domain of network security include intrusion detection systems, anomaly detection algorithms, client honeypots and visualization. Currently he is involved in the design of the Honey Spider Network 2.0 project and a platform for sharing security-related data. He holds an MSc degree in Computer Science from the Faculty of Electronics and Information Technology at Warsaw University of Technology.
kompanek-pawlinski-evaluating-threat-ntelligence-feeds.pdf
MD5: cbafcb2bf20796621bc50611183945c3
Format: application/pdf
Last Update: June 7th, 2024
Size: 429.68 Kb
Alexandre Dulaunoy (CIRCL, LU)
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to find out how the thing works. While pursuing his logical path towards information security and free software, he worked as a senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For six years he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is the lead developer of various open source tools including cve-search and a member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.
MD5: 649bb9671519a8826acee3b5afda83f9
Format: application/pdf
Last Update: June 7th, 2024
Size: 485.59 Kb
Yonathan Klijnsma (Fox-IT, NL)
Yonathan Klijnsma is a senior threat intelligence analyst working for Fox-IT, part of NCC Group. Yonathan specializes in the analysis and tracking of attack campaigns, working out attacker profiles and investigating the tools and techniques used by attackers. Yonathan's area of focus and expertise lies in espionage-related cases.
Geopolitical relationships between countries are complex and sometimes full of contradictions. Governments that seem to be friendly and cooperative in public, often pursue parallel agendas that are less than obvious. This talk describes systematic espionage aimed at the government and critical infrastructure sector of Myanmar. It specifically focuses on how campaign milestones align with important geopolitical and economic events and outlines the campaign development and the malware being used since 2012, of which nothing is publicly known.
MD5: 45c21b5629ed0f35b60bdad133649126
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.44 Mb
J.R. Reagan (Deloitte, US)
Dr. Reagan is Global Chief Information Security Officer (CISO) of Deloitte Touche Tohmatsu Limited (DTTL) with revenue of $34B, over 210,000 employees and operating in more than 150 countries. As the senior-most information protection officer, he leads the next-generation design of the global security organization. He is a frequent presenter on Cybersecurity, Innovation & Analytics across the globe and has appeared in the Wall Street Journal, Financial Times, CNN and Washington Post.
Dr. Reagan is Professional Faculty at Johns Hopkins (Carey Business School), Cornell (Johnson Graduate School of Management), Columbia University and has guest lectured at Harvard (Kennedy School of Government), Northwestern University (Kellogg School of Management) and University of Notre Dame (Mendoza College of Business). He also serves on the editorial board of The Public Sector Innovation Journal, the Electronic Journal of e-Government and is a Fellow at the Aspen Institute.
The uncertainty surrounding cyber incident response presents an opportunity for CIOs to educate the executive team on cyber resilience—the coordinated set of enterprise wide activities designed to help organizations respond to and recover from a variety of cyber incidents, while reducing the cost, impact to business operations, and brand damage.
This session will provide a case study of bringing Incident Response together across multiple lines of business in multiple countries with a shared responsibility—not one that falls on the CISO’s shoulders alone. This includes coordinated response efforts across legal, communications, HR, and other functions in a case study of building cyber resilience.
MD5: 5a8a8738560c80f982d1217b0d2faf67
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 2.51 Mb
Joep Gommers (EclecticIQ), Marko Dragoljevic (EclecticIQ)
dragoljevic-gommers-from-cyber-security.pdf
MD5: 690e8d83f2bdac1945ac6794c01896fe
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.81 Mb
Hiroshi Soeda (JPCERT)
soeda-hiryu-the-ioc-management.pdf
MD5: 6a75aef4a7596b6e1647904fbea11d8d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1020.74 Kb
Moataz Salah (CyberTalents, EG)
Moataz Salah has been working in cyber security for the last 11 years. Moataz is the founder of Bluekaizen, a company working in cyber security education. Moataz received his bachelor's degree in Communication Engineering from Alexandria University. For the last 6 years, Moataz has been focusing on the human aspect, the weakest link in the cyber security chain. In 2010 Moataz founded the most valuable conference in the Middle East (Cairo Security Camp). In 2011, the conference held the first capture the flag competition in the region for security professionals. In 2011, Moataz also started issuing the first and only printed magazine devoted to information security in the Middle East. In the last couple of years, Moataz has focused on helping fresh graduates and recruiters get connected through different means, including competitions, bootcamps and the CyberTalents portal.
Despite the advanced technologies we have reached in securing cyberspace, from next-generation firewalls, UTMs and anti-malware to others, humans remain the main asset in an information security system. Finding a cyber security professional you can trust to secure your infrastructure has become a very hard job. Today there is a severe shortage in the cybersecurity workforce: according to the Cisco Annual Report in 2014, the world suffers a shortage of one million cybersecurity job openings. The shortage of cybersecurity talent might explain why salaries of cybersecurity professionals are expected to rise in the coming five years. Governments, security agencies and large enterprises are all desperately searching for cybersecurity talents that can cope with the latest cyber security risks and threats. Different governments are working on solutions to increase the cybersecurity workforce, whether by funding professional training, Master's programmes or other measures. Moreover, cyber security is not an entry-level position: students or graduates must have some knowledge or experience in programming or networking, for example, to start working in network security or application security. Today, with the expansion of the attack surface, students and graduates must also have basic knowledge of control systems to work in Industrial Control System, SCADA or IoT security.
However, An important point is missing that cybersecurity is not only a book to read, a certificate to gain or training to attend.Most of Black hat hackers didn’t take any sans / EC Council training or certificate , They might not even joined one of the top ranked universities. you might find a young kid with an age of 13 years old who hacked to a CIA Director mail or a 15 years old who attacked the British broadband and telephone provider TalkTalk website and many others, the examples are endless.So, what is the equation? what is the formula for discovering Cyber Talents
In this session, we will proof that cybersecurity is a talent. Second, We will share our experience in discovering Cyber talents in different universities. Third, We will present the formula that will help different countries, governments, universities and of course companies to build the workforce they need, the equation that balance the white hat hackers and black hat hackers in our cyber world. Also, The Session will include a demonstration for tools we developed to assess and measure cyber talents
MD5: 3419ade60d4492f000f7eb2958c55c13
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.41 Mb
Antti Kiuru (NCSC-FI / Ficora, FI)
Antti Kiuru is the head of Coordination Centre in the National Cyber Security Centre of Finland. He has been with CERT-FI, later NCSC-FI since 2008 and has done his fair share of incident response before moving on to manage the team in the beginning of 2013. Antti has been involved in many areas of the CERT's internals, including system administration, abuse handling, service development and now management among other things.
Finland is often said to have the cleanest networks in the world. That is not only because of an active CERT, but because of the right tooling, the right timing and cooperation. The presentation will focus on how we have developed our tools, sometimes on demand and sometimes over a longer phase.
The right tools and quick adaptation of available methods have in many cases been the success factor in both mapping threats and responding to large-scale incidents. Tools have everything to do with how automation enables the team to focus on more important and non-trivial cyber security issues.
However, tools are not the only thing you will need. The team, and the flow of information inside it, is the key to success. I will open up how NCSC-FI's team works on a daily basis and share some experiences of what you need to take into account when your team triples in size.
MD5: 66c2522a698ab869a93d481f206c15bb
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.71 Mb
Javier Berciano (INCIBE-CERT, ES)
Regional Symposium for Arab and African Regions
Sharm elSheikh, EG
November 2, 2016 13:30-14:30
Hosted by EG-CERT, AfricaCERT and ITU-ARCC
information_sharing_private_sector-javier_berciano.zip
MD5: 5a74a3a4d3082d35733d9fdf771ced53
Format: application/zip
Last Update: June 7th, 2024
Size: 2.98 Mb
Balaji Balakrishnan (World Bank, US)
Balaji Balakrishnan has more than 16 years’ experience in IT and Information security domain specializing in security operations management and incident response. He has worked in major financial services organizations and has managed 24/7 SOCs/incident response teams.
Insider threats are complex and require planning to create multi-year mitigation strategies. Each organization should tailor its approach to meet its unique needs. The goal of this paper is to provide relevant best practices, policies, frameworks and tools available for implementing a comprehensive insider threat mitigation program. Security practitioners can use this paper as a reference and customize their mitigation plans according to their organizations' goals.

The first section provides reference frameworks for implementing an insider threat mitigation program with the Intelligence and National Security Alliance (INSA) Insider Threat roadmap, Carnegie Mellon University's Computer Emergency Response Team (CERT) insider threat best practices, CERT insider threat program components, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and other relevant guidance. This section provides an implementation case study of an insider threat mitigation program for a hypothetical organization.

The second section of this paper presents example use cases for implementing operational insider threat detection indicators using a risk scoring methodology and Splunk. A single event might not be considered anomalous, whereas a combination of events assigned a high risk score by the methodology might be considered anomalous and require further review. The risk scoring method assigns a risk score to each user/identity for each anomalous event. These risk scores are aggregated daily to identify username/identity pairs associated with a high risk score; further investigation can then determine whether any insider threat activity was involved. This section explains how to implement a statistical model using standard deviation to find anomalous insider threat events. The goal is to provide implementation examples of different use cases using a risk scoring methodology to implement insider threat monitoring.
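The per-event risk scoring, daily aggregation and standard-deviation anomaly test described in the abstract, as an added example. This is not the paper's code or its Splunk searches; the event types, risk weights, escalation threshold and telemetry are constructed assumptions chosen to show why one anomalous indicator stays below the review threshold while a combination on the same day crosses it.

```python
"""Daily risk scoring of insider-threat indicators (added example, not the paper's code)."""
import statistics
from collections import defaultdict

# Constructed sample telemetry, not real data: (day, user, event_type, count)
SAMPLE_EVENTS = [
    ("2016-06-01", "alice", "failed_login", 2),
    ("2016-06-02", "alice", "failed_login", 1),
    ("2016-06-03", "alice", "failed_login", 2),
    ("2016-06-03", "alice", "after_hours_login", 1),
    ("2016-06-04", "alice", "failed_login", 1),
    ("2016-06-05", "alice", "failed_login", 2),
    ("2016-06-01", "bob", "usb_write", 1),
    ("2016-06-03", "bob", "usb_write", 1),
    ("2016-06-05", "bob", "usb_write", 12),
    ("2016-06-05", "bob", "bulk_download", 8),
]

# Assumed risk weights per anomalous indicator; tune these to your own environment.
RISK_WEIGHTS = {"failed_login": 5, "after_hours_login": 10, "usb_write": 20, "bulk_download": 30}
ESCALATION_THRESHOLD = 40   # daily score at which an identity is queued for analyst review
MIN_HISTORY = 3             # days of baseline needed before a value is judged at all


def daily_series(events):
    """Per (user, event_type): a count for every day in the window, zero-filled."""
    days = sorted({e[0] for e in events})
    series = defaultdict(lambda: dict.fromkeys(days, 0))
    for day, user, etype, count in events:
        series[(user, etype)][day] += count
    return dict(series)


def is_anomalous(value, baseline, k=2.0):
    """Leave-one-out test: the value is anomalous if it exceeds mean + k*stdev of the
    other days. With a flat baseline (stdev == 0) any rise above the mean counts, so
    the first-ever occurrence of a rare indicator is flagged; that is deliberate."""
    if len(baseline) < MIN_HISTORY:
        return False
    return value > statistics.mean(baseline) + k * statistics.pstdev(baseline)


def find_anomalies(events, k=2.0):
    """All (day, user, event_type, count) tuples that fail the baseline test."""
    anomalies = []
    for (user, etype), by_day in daily_series(events).items():
        for day, count in by_day.items():
            baseline = [c for d, c in by_day.items() if d != day]
            if is_anomalous(count, baseline, k):
                anomalies.append((day, user, etype, count))
    return sorted(anomalies)


def score_identities(events, k=2.0):
    """Daily risk score per (user, day): the sum of weights of that day's anomalous indicators."""
    scores = defaultdict(int)
    for day, user, etype, _ in find_anomalies(events, k):
        scores[(user, day)] += RISK_WEIGHTS.get(etype, 0)
    return dict(scores)


def escalations(events, k=2.0, threshold=ESCALATION_THRESHOLD):
    """(user, day) pairs whose aggregated score reaches the review threshold."""
    return sorted(key for key, s in score_identities(events, k).items() if s >= threshold)


if __name__ == "__main__":
    for (user, day), score in sorted(score_identities(SAMPLE_EVENTS).items()):
        print(f"{day} {user:<6} score={score}")
    print("escalate:", escalations(SAMPLE_EVENTS))
```

On the sample data, alice's single after-hours login on 2016-06-03 is anomalous against her all-zero baseline but scores only 10, while bob's USB burst and bulk download on 2016-06-05 together score 50 and cross the threshold. The leave-one-out baseline stops an outlier from inflating its own standard deviation, which a naive whole-window mean and stdev would do.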
MD5: b93f18f0153f337685f7e80048026946
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.33 Mb
Monnappa K A (Cisco Systems, IN)
Monnappa K A is based out of Bangalore, India. He works with Cisco's incident response team as an information security investigator focusing on threat intelligence, investigation of advanced cyber attacks, and research on cyber espionage and APT attacks. He is a core member of the security research community "SecurityXploded." His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. As an active speaker at security conferences like Black Hat Europe, FIRST/4SICS, Nullcon, C0c0n, and SecurityXploded meetings, he has presented on various topics including memory forensics, malware analysis and rootkit analysis, and has also conducted training at FIRST TC Amsterdam and the FIRST/4SICS SCADA cyber security summit. He has also authored various articles in Hakin9, eForensics, and HackInsight magazines.
Linux is growing in popularity, and with servers and embedded applications running Linux it has become a target for malware. When an organization is infected with Linux malware, responding to such incidents becomes important. To determine the capabilities of Linux malware and its associated indicators, and to establish better security controls, there is a need today for automated analysis of Linux malware. This presentation focuses on the analysis of real-world Linux malware samples using the Limon sandbox. Limon is a sandbox developed to automatically collect, analyze and report on the runtime indicators of Linux malware. The presentation covers the details of inspecting Linux malware before execution, during execution and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using Limon. It covers how to determine the malware's process activity, interaction with the file system and network activity, and other advanced techniques used by Linux malware to bypass live forensics and system administration tools. The presentation also touches on the implementation details of the Limon sandbox and will present video demos showing the analysis of real-world Linux malware samples.
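The "during execution" part of the abstract (process activity, file system interaction, network activity) comes down to turning a system-call trace into indicators. The following added example, which is not Limon's code, parses a constructed `strace -f` excerpt into those indicator classes and tags the behaviours a responder would want surfaced. The trace lines, paths, the 198.51.100.0/24 address and the persistence-path list are assumptions for illustration.

```python
"""Derive runtime indicators from an strace -f capture of a Linux sample (added example)."""
import re
from collections import defaultdict

# Constructed strace -f excerpt, not the output of a real sample (198.51.100.0/24 is a
# documentation range). Failed calls carry an errno after the return value.
SAMPLE_TRACE = r"""
1234  execve("/tmp/.x/sample", ["./sample"], [/* 12 vars */]) = 0
1234  openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/etc/rc.local", O_WRONLY|O_CREAT|O_APPEND, 0666) = 3
1234  write(3, "/tmp/.x/sample &\n", 17) = 17
1234  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
1234  connect(4, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("198.51.100.23")}, 16) = 0
1234  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a2c9d0a10) = 1240
1240  execve("/bin/sh", ["sh", "-c", "rm -f /var/log/wtmp"], [/* 12 vars */]) = 0
1240  unlink("/var/log/wtmp") = 0
""".strip()

# pid  name(args) = ret [ERRNO ...]; the greedy args group stops at the last ") ="
SYSCALL_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*"
    r"(?P<ret>0x[0-9a-fA-F]+|-?\d+)(?:\s+(?P<err>E[A-Z]+))?"
)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
FLAGS_RE = re.compile(r"\b(O_[A-Z_|]+)")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
# Assumed list of files/directories whose modification suggests persistence.
PERSISTENCE_PATHS = ("/etc/rc.local", "/etc/crontab", "/etc/cron.d/", "/etc/init.d/", "/etc/ld.so.preload")


def parse_trace(text):
    """Group successful system calls into process, file and network indicators."""
    ind = {"processes": [], "children": defaultdict(list),
           "files_written": [], "files_deleted": [], "network": []}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if not m or m["err"]:          # unparsable line, or a call that failed (no effect on the host)
            continue
        pid, name, args = m["pid"], m["name"], m["args"]
        ret = int(m["ret"], 0)
        strings = QUOTED_RE.findall(args)
        if name == "execve" and strings:
            ind["processes"].append((pid, strings[0], strings[1:]))   # (pid, image, argv)
        elif name in ("open", "openat", "creat") and strings:
            flags = FLAGS_RE.search(args)
            for_write = name == "creat" or (flags and WRITE_FLAGS & set(flags[1].split("|")))
            if for_write:
                ind["files_written"].append(strings[0])
        elif name in ("unlink", "unlinkat") and strings:
            ind["files_deleted"].append(strings[0])
        elif name == "connect":
            ip = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r"htons\((\d+)\)", args)
            if ip and port:
                ind["network"].append(f"{ip[1]}:{port[1]}")
        elif name in ("clone", "fork", "vfork") and ret > 0:
            ind["children"][pid].append(str(ret))            # parent pid -> child pids
    ind["children"] = dict(ind["children"])
    return ind


def tag_behaviour(ind):
    """Coarse behaviour tags an analyst can pivot on; sorted for stable reporting."""
    tags = set()
    if any(p.startswith(PERSISTENCE_PATHS) for p in ind["files_written"]):
        tags.add("persistence")
    if any(p.startswith("/var/log/") for p in ind["files_deleted"]):
        tags.add("log_tampering")
    if ind["network"]:
        tags.add("outbound_connection")
    if any(argv[:2] == ["sh", "-c"] for _, _, argv in ind["processes"]):
        tags.add("shell_spawn")
    return sorted(tags)


if __name__ == "__main__":
    indicators = parse_trace(SAMPLE_TRACE)
    for key, value in indicators.items():
        print(f"{key}: {value}")
    print("tags:", tag_behaviour(indicators))
```

Failed calls are skipped on purpose: the probe of /etc/ld.so.preload above returned ENOENT, so recording it as a file interaction would overstate what the sample did; it is still worth keeping the raw trace, since probing that path at all is a hint about the sample's intent.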
MD5: 2e5fd9449a38fed70897af7ae418ed45
Format: application/pdf
Last Update: June 7th, 2024
Size: 20.12 Mb
Yonathan Klijnsma (Fox-IT, NL)
I'm a senior threat intelligence analyst working for a company called Fox-IT, part of NCC Group. Both my work and hobby focus around threat intelligence in the form of malware and campaign analysis. In my spare time I also spend time on security-related subjects, most of which I present on at conferences or publish about on my personal blog.
MD5: 907176466a04494368085970cb8e0596
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.75 Mb
Masaki Kubo (JPCERT), Takayuki Uchiyama (JPCERT)
kubo-uchiyama-slides_20160219.pdf
MD5: 9bc45f88a0fe3aa6fe893f957cff4317
Format: application/pdf
Last Update: June 7th, 2024
Size: 835.84 Kb
Anthony Kasza (Palo Alto Networks, US)
Anthony Kasza is a Senior Threat Researcher for Palo Alto Networks. At Palo Alto Networks, Anthony is responsible for discovering new and tracking known threats to ensure context around customer detections. Prior to Palo Alto Networks, Anthony was responsible for creating scalable classification systems, producing and operationalizing threat intelligence, and researching malware communication protocols. Anthony earned his Master of Science degree from DePaul University in Computer, Information, and Network Security. Anthony often speaks at industry conferences and actively participates in the open source community.
Java's "write once, run anywhere" capability makes it a popular platform for attackers. This talk will perform a deep examination of the capabilities and indicators of popular Java malware families, and will reveal uncommon analysis techniques to immediately help you with investigations. Analysis of Java malware families' behaviors and infrastructure will be delivered to aid the creation of threat intelligence and provide an understanding of the current threat landscape.
MD5: 99f7a47fb7296fd0610dd655ad2ed0bc
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.7 Mb
Professor Jong In Lim (Korea University, KR)
Professor of Graduate School of Information Security, Korea University
Doctor's degree and Master's degree in Cryptology at Korea University
Bachelor's degree in Mathematics at Korea University
2015/01 – 2015/12: the Special Adviser in Security to the President
2013/06: the Chairman of Digital Investigation Advisory Committee at Supreme Prosecutors’ Office
2012/06: the Head of Cyber Defense R&D Center, Graduate School of Information Security, Korea University
2010/01 – 2010/12: the 15th Chairman of Korea Institute of Information Security & Cryptology
2000 – 2015/12: the Dean of Graduate School of Information Security, Korea University
The Adviser of Cyber security in National Intelligence Service
The Professor of Cyber Defense of Graduate School on Information Security, Korea University
Note: This session will be in Korean with simul-interpretation service.
MD5: 29576153504564a8f43762dc15ab50c9
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.98 Mb
Doug Dooley (Venrock, US)
Doug Dooley focuses on investments in security and infrastructure from Venrock’s Palo Alto office. Before joining Venrock, Doug spent almost two decades as an entrepreneur and technology executive at some of the most innovative and market dominant technology infrastructure companies ranging from large corporations like Cisco and Intel to security and virtualization startups like Neoteris, NetScreen, and RingCube. Doug was the vice president of product management for Coraid, an Ethernet block storage startup. Before working on storage, Doug was an executive leading Cisco’s desktop virtualization product team responsible for the definition, development, and delivery of a complete VDI solution consisting of data center, networking, collaboration, and end-user device elements.
Before Cisco, he was vice president of marketing and product management at the virtual desktop startup RingCube, acquired by Citrix and now part of XenDesktop. Prior to RingCube/Citrix, he was one of the early employees of Neoteris, which pioneered the SSL VPN market. Doug became a director of technical and product marketing overseeing Juniper Networks' entire security portfolio, joining through the $4 billion double acquisition of Neoteris and NetScreen. Earlier in his career, Doug held various management, engineering, sales, and marketing roles at Inktomi, Intel, and Nortel Networks.
Doug received his B.S. (cum laude) in computer engineering from Virginia Tech.
Sophisticated attackers in the digital world have become extremely innovative in the past decade. As a result of their investments for innovation, many top criminal and state-sponsored cyberattack groups have achieved their financial or strategic goals at the expense of businesses, governments, and private citizens. In addition to global cooperation among FIRST responders, we need to continue to foster disruptive innovation for security. What are some of the characteristics of disruptive innovation? What are some of the exciting new areas we can expect to see in the next 3-5 years in security? What role can each of us play to foster innovation that disrupts our adversaries?
MD5: 5a8d53b0aea13c6827f8766aa2e85e19
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.81 Mb
Christopher Clark (Palo Alto Networks, US)
Christopher is the Managing Director of Palo Alto Networks' Global Security Response Team. Operationally, he is responsible globally for the identification of emerging threats and vulnerabilities while responding with platform-wide (Firewall, IPS, WildFire, Traps, and AutoFocus) countermeasures and newly developed technical solutions. Chris also drives threat research efforts at PANW which materialize in the AutoFocus applied threat intelligence platform and through Unit 42 research publications.
In addition to his role at Palo Alto Networks, Chris is the Co-Founder and CTO of NinjaJobs, a boutique cyber security staffing and training company built for and by professionals to improve the quality of cyber security talent and help usher in the next generation of practitioners and leaders.
Prior to joining Palo Alto Networks and founding NinjaJobs, Chris served as the Director of Cyber Security Intelligence and Chief of Staff at Verisign iDefense. Chris has extensive experience in both offensive and defensive cyber warfare in roles ranging from pure security research and content creation, to commercial and open source tool architecture and deployment. He has held technical leadership positions with industry leaders such as BAE Systems, General Dynamics, and ManTech International in which he was directly responsible for mission critical cyber operations. Chris is extremely active in the security community through open source development, public and private speaking engagements, and information sharing organizations.
Coming soon.
MD5: b096c5750c5595cd1af8ba6812d25ddb
Format: application/pdf
Last Update: June 7th, 2024
Size: 8.89 Mb
Clay Lin (World Bank Group, US)
In 2008, Clay Lin joined the World Bank Group which provides developing countries with grants, leveraged loans, guarantees, and policy advice to improve economic and social conditions worldwide. As the World Bank Group (WBG) Chief Information Security Officer, Mr. Lin is responsible for the information security services and capabilities that ensure the protection of the WBG information assets in a manner that supports the WBG's mission to free the world of poverty.
Since joining the World Bank Group, Mr. Lin built the Office of Information Security from the ground up and obtained ISO 27001 certification in 3 years. He also developed a Next Generation Cyber Security Strategy aimed at protecting critical information, adopting a risk management approach, and transforming information security to become a business enabler supporting Cloud- and Mobility-based IT initiatives. Mr. Lin implemented several technology solutions and operational excellence improvements such as the establishment of an Information Security Operations Center which provides 24 by 7 information security monitoring and incident response across the World Bank Group.
Given his success in building and leading critical functions and his excellence in operations, he was recently given additional responsibility to develop and execute a new strategy for the IT sourcing and vendor management function, which has an annual spend of $160 million.
Mr. Lin holds a Master’s degree in Computer Science from University of Southern California.
Coming soon.
MD5: 2a95a7a4c3c31d59882bfc009028e7e8
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.2 Mb
Kilnam Chon (Kaist, KR)
Professor Emeritus, KAIST
Education
B.S. in Electrical Engineering, Osaka University, 1965
M.S. in Computer Science, UCLA, 1967
Ph.D. in Computer Science, UCLA, 1974
Employment
Member of Technical Staff, JPL/Caltech, 1976~1980
Principal Investigator, ETRI (KIET), 1979~1982
Professor, KAIST, 1982~Present
Professor, Keio University, 2008~2012
Award
Internet Hall of Fame, Internet Society, 2012
Jon Postel Internet Award, Internet Society, 2011
World Technology Award - Communication Technology, 2003
Presidential Award - Information Technology, 1998 (Korea)
Scientist of the Year, 1997 (Korea)
Presidential Award - Mountain Climbing, 1980 (Korea)
Membership
Fellow of Institute of Electrical Engineers, 2000
Fellow of World Technology Forum, 2003
External Activities
Founding Chair, Asia Pacific School on Internet Governance, 2015
Founding Chair, Korea Computer Development History Project, 2015~
Founding Editorial Chair, Asia Internet History Project, 2011~
Web Index Science Council Member, Web Foundation, 2011~2014
Founding Coordination Committee Chair, Africa Asia Forum on Network Research & Engineering, 2008~2012
Founding Steering Group Chair, Asia Future Internet Forum, 2008-2011
Advisory Board Member, Communications of ACM, 1996-2009
Presidential Advisory Board, Asia Institute of Technology, 2003-2006
Governor, International Council of Computer Communication, 1995-2005
Founding Chair, Asia Pacific Advanced Network, 1997-2004
Editorial Board Member, British Computer Society, 1994-2002
Co-Chair, Coordinating Committee on Intercontinental Research Networking, 1993-2001
Founding Chair, Asia Pacific Top Level Domain Consortium, 1999-2001
Founding Chair, AP* Retreat, 1996
Program Chair, INET, 1995
Founding Chair, Asia Pacific Networking Group, 1991-1995
Founding Chair, Joint Workshop on Computer Communications, 1986
Program Chair, Pacific Computer Communications Symposium, 1985
The Internet is around fifty years old. There are over three billion Internet users today, and we expect the number of Internet users to double in the next two decades to six or seven billion. We call the current Internet users the "First Billion", and the new Internet users in the coming decade "The Other Billion." We review the history of the Internet and the computer, and address the issues we will face in the coming decades.
MD5: 99654698d4bf5395f46d0b9a76b18d3a
Format: application/pdf
Last Update: June 7th, 2024
Size: 115.23 Kb
Michael Jacobs (Software Engineering Institute, US)
Michael has worked in the IT security industry for 16 years in both the private and civilian government sectors. As a network traffic analyst and former US-CERT Section Chief, Michael's interests focused on DNS and network flow traffic analysis. Currently employed as a Member of the Technical Staff at the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute, Michael's work involves the application of data mining and cyber threat analysis to define structured analytic process development.
In this talk we will discuss a practical approach to maintaining an inventory of 3rd party sinkhole operations, and applying that knowledge to intrusion analysis. DNS analysis and sinkhole operations have become an essential part of the anti-abuse ecosystem, figuring prominently in network compromise, malware research and in botnet takedowns. But for various reasons, not all organizations have the capacity to maintain their own sinkholes or directly take advantage of the data collected from third party operations.
We will discuss the need for the identification and tracking of third-party sinkhole operations. We will then address how third-party sinkhole data can be indirectly leveraged for situational awareness and threat intelligence, local perimeter defense and intrusion analysis, as well as in support of malware research and analysis efforts. We will describe a practical methodology for identifying and tracking sinkhole operations, and then share a few success stories of identifying previously unknown compromises on a real network. Finally, we will argue the need for a larger collaboration effort in tracking third-party sinkhole operations, and in doing so we will describe how that effort could benefit the larger community.
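The indirect use of a sinkhole inventory the abstract describes, as an added example rather than the speaker's tooling: once you know which address ranges and nameservers belong to a third-party sinkhole and which malware families it captures, any internal host whose DNS answers or delegations point there is a compromise lead without ever seeing the operator's data. The inventory entries, operator names, families, networks (RFC 5737 documentation ranges), nameserver names and resolver records are all constructed placeholders.

```python
"""Match local DNS telemetry against an inventory of third-party sinkholes (added example)."""
import ipaddress

# Constructed, hypothetical inventory: operators, families, ranges and nameservers are placeholders.
SINKHOLE_INVENTORY = [
    {"operator": "sinkhole-operator-A", "families": ["family-x"],
     "networks": ["192.0.2.0/24"], "nameservers": ["ns1.sinkhole-a.example"]},
    {"operator": "sinkhole-operator-B", "families": ["family-y", "family-z"],
     "networks": ["198.51.100.64/26"], "nameservers": ["sink.operator-b.example"]},
]

# Constructed resolver log records: (timestamp, client, qtype, qname, rdata)
SAMPLE_RECORDS = [
    ("2016-06-13T08:01:02", "10.1.4.22", "A", "update.badc2domain.example", "192.0.2.45"),
    ("2016-06-13T08:01:05", "10.1.4.22", "A", "www.vendor.example", "203.0.113.10"),
    ("2016-06-13T08:02:11", "10.1.9.7", "NS", "oldbotnet.example", "sink.operator-b.example."),
    ("2016-06-13T08:03:40", "10.1.9.7", "A", "oldbotnet.example", "198.51.100.70"),
    ("2016-06-13T08:05:00", "10.1.4.22", "A", "update.badc2domain.example", "192.0.2.45"),
]


def compile_inventory(inventory):
    """Parse CIDRs once and normalise nameserver names so matching is cheap per record."""
    return [{
        "operator": e["operator"], "families": e["families"],
        "networks": [ipaddress.ip_network(n) for n in e["networks"]],
        "nameservers": {ns.lower().rstrip(".") for ns in e["nameservers"]},
    } for e in inventory]


def match_rdata(qtype, rdata, compiled):
    """Return the inventory entry that an answer or delegation points to, or None."""
    if qtype in ("A", "AAAA"):
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            return None
        return next((e for e in compiled if any(ip in n for n in e["networks"])), None)
    if qtype in ("NS", "CNAME"):
        name = rdata.lower().rstrip(".")
        return next((e for e in compiled if name in e["nameservers"]), None)
    return None


def find_sinkholed_hosts(records, inventory):
    """Aggregate evidence per (client, qname). A host resolving a domain into a sinkhole,
    or seeing that domain delegated to a sinkhole nameserver, is very likely infected
    with one of the families that sinkhole captures."""
    compiled = compile_inventory(inventory)
    hits = {}
    for ts, client, qtype, qname, rdata in records:
        entry = match_rdata(qtype, rdata, compiled)
        if entry is None:
            continue
        h = hits.setdefault((client, qname.lower()), {
            "operator": entry["operator"], "families": entry["families"],
            "evidence": 0, "first_seen": ts, "last_seen": ts})
        h["evidence"] += 1
        h["first_seen"] = min(h["first_seen"], ts)
        h["last_seen"] = max(h["last_seen"], ts)
    return hits


def perimeter_blocklist(inventory):
    """CIDRs to alert on at the perimeter: traffic towards a sinkhole is itself a compromise signal."""
    return sorted({n for e in inventory for n in e["networks"]})


if __name__ == "__main__":
    for (client, qname), h in sorted(find_sinkholed_hosts(SAMPLE_RECORDS, SINKHOLE_INVENTORY).items()):
        print(f"{client} -> {qname}: {h['operator']} families={h['families']} "
              f"evidence={h['evidence']} {h['first_seen']}..{h['last_seen']}")
    print("perimeter watchlist:", perimeter_blocklist(SINKHOLE_INVENTORY))
```

Matching on nameserver delegation as well as on resolved addresses matters because a sinkhole operator may rotate the address range while the delegation stays put; keeping the inventory dated (the abstract's "tracking") is what stops stale ranges from producing false leads after an operator hands them back.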
MD5: a1bb7ef1684f782b38624f916299298a
Format: application/pdf
Last Update: June 7th, 2024
Size: 804.83 Kb
Aaron Stephens (icebrg, inc., US), Will Peteroy (icebrg, inc., US)
Aaron studied Computer Engineering and Computer Science at the University of Washington. Initially set on hardware and software development, his interests shifted towards security after joining student organizations and participating in Capture the Flag (CTF) and Collegiate Cyber Defense Competition (CCDC) events. Hired as an intern at ICEBRG (icebrg.io) over a year ago, he is now a full-time associate threat researcher focusing on Apple static analysis, dynamic analysis environments and large-scale external data source processing and analytics.
William Peteroy, co-founder of Icebrg Inc., has led diverse technical and strategic efforts in network and product security for government agencies and Fortune 50 enterprises. William specializes in security architecture, adversary emulation, network analysis, attack methodologies, incident response, threat intelligence and product security. He has spoken at numerous conferences including RECON, DerbyCon, KiwiCon, BSides PDX, BSides Vancouver and BSides Seattle. Icebrg was formed in large part because of William's passion for "solving the whole problem, not just part of it", and he sees it as his responsibility to leverage a unique set of skills and experience to help others understand risk and bring the next generation of network security to market. William holds a Master of Science in Engineering and Computer Science from The Johns Hopkins University and was an instructor at the U.S. National Cryptologic School.
Apple devices are becoming increasingly common in personal and enterprise computing environments. It's time to bring modern, scalable techniques to the analysis of Apple malware. Early tools for analysis are either very costly, closed-source, or difficult to extend, and none of the available tools focus on extracting key data from binaries to enable collaboration and big-data analysis.
After a brief overview of the Mach-O (Apple binary) file format, we'll take a look at Mach-O Libre, a python-based Mach-O binary metadata parser we've been building and will be sharing publicly for the first time. Where many tools have different approaches to enabling individual analysts, Mach-O Libre extracts and calculates key metadata and outputs it into an extensible, big-data and sharing-friendly format. With our shiny new analysis tool in hand, we'll explore its current features on some real malware samples and discuss how it can automate the process of identifying and dissecting Apple malware at scale. We'll finish with lessons learned and obstacles we had along the way, planned future development, and our vision for Mach-O Libre going forward to enable further attribution and collaboration features.
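To make the "brief overview of the Mach-O file format" concrete, here is an added example of the kind of metadata extraction the abstract describes: a small parser that walks the `mach_header` and load-command table of a thin Mach-O and emits a sharing-friendly dictionary. It is not Mach-O Libre's code. The sample binary it parses is a constructed header-and-load-commands skeleton with no code; the constants are the public Mach-O values, and the fat/universal wrapper is deliberately out of scope.

```python
"""Minimal Mach-O metadata extractor (added example; not the Mach-O Libre code)."""
import hashlib
import json
import struct

MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE
CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
LC_SEGMENT, LC_SEGMENT_64, LC_LOAD_DYLIB, LC_ID_DYLIB, LC_UUID = 0x1, 0x19, 0xC, 0xD, 0x1B
LC_MAIN = 0x80000028
LC_NAMES = {LC_SEGMENT: "LC_SEGMENT", LC_SEGMENT_64: "LC_SEGMENT_64", LC_LOAD_DYLIB: "LC_LOAD_DYLIB",
            LC_ID_DYLIB: "LC_ID_DYLIB", LC_UUID: "LC_UUID", LC_MAIN: "LC_MAIN"}


def _cstr(buf):
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_macho(data):
    """Walk the header and load commands of a thin Mach-O; raise ValueError on malformed input."""
    if len(data) < 4:
        raise ValueError("too short to hold a magic number")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"   # file is big-endian; reading it little-endian gave the byte-swapped magic
    else:
        raise ValueError("not a thin Mach-O (fat/universal files need an outer parser)")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_fmt = endian + ("8I" if is64 else "7I")      # 64-bit header carries a trailing reserved field
    hdr_size = struct.calcsize(hdr_fmt)
    if len(data) < hdr_size:
        raise ValueError("truncated mach_header")
    _, cputype, _cpusub, filetype, ncmds, sizeofcmds, flags = struct.unpack(hdr_fmt, data[:hdr_size])[:7]
    meta = {"sha256": hashlib.sha256(data).hexdigest(), "bits": 64 if is64 else 32,
            "endian": "big" if endian == ">" else "little",
            "arch": CPU_TYPES.get(cputype, hex(cputype)), "filetype": FILE_TYPES.get(filetype, hex(filetype)),
            "flags": hex(flags), "ncmds": ncmds, "load_commands": [], "segments": [], "dylibs": [],
            "entry_offset": None, "uuid": None, "warnings": []}
    off = hdr_size
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load command table runs past end of file")
        cmd, cmdsize = struct.unpack(endian + "2I", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > len(data):          # hostile sizes are common in malformed samples
            raise ValueError(f"malformed load command at offset {off}")
        body = data[off:off + cmdsize]
        meta["load_commands"].append(LC_NAMES.get(cmd, hex(cmd)))
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            meta["segments"].append(_cstr(body[8:24]))          # segname[16] follows cmd/cmdsize
        elif cmd in (LC_LOAD_DYLIB, LC_ID_DYLIB):
            name_off = struct.unpack(endian + "I", body[8:12])[0]   # dylib.name is an offset into the command
            if name_off >= cmdsize:
                meta["warnings"].append(f"dylib name offset out of range at {off}")
            else:
                meta["dylibs"].append(_cstr(body[name_off:]))
        elif cmd == LC_MAIN:
            meta["entry_offset"] = struct.unpack(endian + "Q", body[8:16])[0]   # entryoff (file offset)
        elif cmd == LC_UUID:
            meta["uuid"] = body[8:24].hex()
        off += cmdsize
    if off - hdr_size != sizeofcmds:
        meta["warnings"].append("sizeofcmds does not match the load commands walked")
    return meta


def build_sample():
    """Constructed x86_64 MH_EXECUTE skeleton: header plus load commands, no code or sections."""
    def segment(name):
        return struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, name, 0, 0x100000000, 0, 0, 0, 0, 0, 0)
    dylib_name = b"/usr/lib/libSystem.B.dylib\0".ljust(32, b"\0")
    dylib = struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(dylib_name), 24, 2, 0x4D90000, 0x10000) + dylib_name
    main_cmd = struct.pack("<2I2Q", LC_MAIN, 24, 0x1000, 0)
    uuid_cmd = struct.pack("<2I", LC_UUID, 24) + bytes(range(16))
    cmds = segment(b"__PAGEZERO") + segment(b"__TEXT") + dylib + main_cmd + uuid_cmd
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0x00200085, 0)
    return header + cmds


if __name__ == "__main__":
    print(json.dumps(parse_macho(build_sample()), indent=2))
```

Bounds-checking every `cmdsize` before slicing is the part that matters when the input is a malware sample rather than a compiler's output: a load command that claims to extend past the file, or a dylib name offset that points outside its command, is exactly the kind of corruption that crashes careless tooling and would otherwise go unreported.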
MD5: e3380fc77138cd1e5ea50003e08d7cf5
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.67 Mb
Trey Darley (Soltra)
darley-moving-beyond-threatbutt.txt
MD5: d41d8cd98f00b204e9800998ecf8427e
Format: text/plain
Last Update: June 7th, 2024
Size: 0 B
Mohamed Shawkey (EG-CERT, EG), Samir G. Sayed (EG-CERT, EG), Dr. Sherif Hashem (FIRST, EG), Waleed Zakarya (EG-CERT, EG)
All authors are in the Egyptian Computer Emergency Readiness Team (EG-CERT).
Dr. Sherif Hashem:
Dr. Sherif Hashem is the Vice President for Cybersecurity at the National Telecom Regulatory Authority (NTRA), Egypt. He is also a Professor at the Faculty of Engineering, Cairo University, Egypt (currently seconded to the NTRA). Dr. Hashem’s responsibility includes supporting cybersecurity efforts at the national level, and setting up the framework for further developing the Egyptian Computer Emergency Readiness Team (EG-CERT) at the NTRA, and supervising its operation. Successful cybersecurity initiatives and activities at the NTRA have contributed to the advanced cybersecurity rank that Egypt has achieved: Egypt was ranked 27th among 193 countries as reported by the International Telecommunications Union (ITU)/ABI Global Cybersecurity Index. (http://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf) Dr. Hashem received a B.Sc. in Communication & Electronic Engineering and a M.Sc. in Engineering Mathematics from Cairo University-Egypt, and a Ph.D. in Industrial Engineering from Purdue University-USA. Dr. Hashem authored and co-authored more than fifty five articles and book chapters in the areas of information technology, e-commerce, computational intelligence, and operations research, with applications in engineering, energy, environment, and computer sciences (with over 1300 international citations: https://scholar.google.com/citations?hl=en&user=KKIju5kAAAAJ/ ).
Portable Document Format (PDF) has become a widely accepted format since its invention by Adobe Systems in 1993, because PDF documents are independent of operating system, hardware and software. Although these features simplify the handling of documents, they have also made PDF one of the most attractive vehicles for exploitation by malware writers. As a result, the number of PDF attacks has increased tremendously in past years. Once systems have been exploited, they may be used in a class of targeted attacks called Advanced Persistent Threats (APTs), whose goal is espionage on government agencies, financial sectors and individuals. They might also be used in non-targeted attacks such as worms and botnets. Attackers exploit vulnerabilities in PDF files to inject other malicious content such as JavaScript, portable executable (PE) files, HTML, images or other malicious PDF files inside PDF documents.
To gain the advantages of PDF documents with minimum drawbacks, several research efforts have been introduced to detect and/or prevent malicious PDF documents. Existing tools such as intrusion detection systems (IDSs) and antivirus packages rely on heuristic and signature-based techniques. However, these techniques are inefficient because they need regular updates with new malicious PDF files, which appear every day. In addition, only a limited number of researchers are concerned with creating signatures for new malicious PDF files. Accordingly, there is an urgent need for alternative techniques to detect malicious PDFs.
In this research a new technique is presented to overcome the drawbacks of these techniques. The proposed algorithm combines an optimization technique, the Improved Binary Gravitational Search Algorithm (IBGSA), as a feature selection algorithm with a set of classifiers such as Random Forest and Decision Tree to detect malicious PDF files. A large data set of malicious and benign PDF files was gathered. To have a balanced training set, the number of malicious and benign PDF files in the training data set is the same. A total of 22,000 malicious and benign PDF files, with no duplicates in the data set, were obtained from EG-CERT. The data set is partitioned into three subsets: training, evaluation and testing. The training and evaluation sets are used to obtain the most effective attributes. The testing set is used to measure the performance of the proposed system on unseen PDF files. The selection of the training set is based on 10-fold cross-validation. Experimental results show that the proposed algorithm can achieve a 99.8% detection rate, 99.8% accuracy and less than 0.2% false positive rate, and better performance than antivirus packages. In addition, the proposed algorithm is flexible enough to be integrated with antivirus packages or used as a stand-alone tool, and can be used with any type of PDF file. For future work, the proposed system can be improved to achieve a better false positive rate by combining it with dynamic analysis algorithms. In addition, the proposed algorithm will be tested against classifier evasion techniques and mimicry attacks, in which malicious PDF files mimic the structure of benign PDF files.
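The pipeline the abstract describes has three separable parts: extracting structural attributes from a PDF, selecting the attributes that discriminate, and measuring detection rate, accuracy and false positive rate on held-out files. The following added example shows all three on a constructed corpus. It is not the authors' code: the feature set is an assumed keyword-count scheme, feature selection uses information gain in place of IBGSA, the "classifier" is the simple presence rule those selected features induce, and the training and test files are harmless byte strings that only imitate the structure of benign and malicious documents.

```python
"""Structural features, information-gain feature selection and detection metrics for
PDF classification (added example; the paper's IBGSA + Random Forest pipeline is not reproduced)."""
import math
import re

# Assumed feature set: PDF name objects and structural tokens worth counting.
FEATURES = ["obj", "stream", "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
            "/EmbeddedFile", "/ObjStm", "/AcroForm", "/URI", "/RichMedia"]


def extract_features(data):
    """Count keywords plus hex-escaped names, which obfuscated files use (e.g. /J#53) to
    hide /JS from naive matching."""
    feats = {}
    for kw in FEATURES:
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z])"
        if not kw.startswith("/"):                   # bare tokens: do not count "endobj" as "obj"
            pattern = rb"(?<![A-Za-z])" + pattern
        feats[kw] = len(re.findall(pattern, data))
    feats["hex_names"] = len(re.findall(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", data))
    feats["size"] = len(data)
    return feats


def entropy(labels):
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    return 0.0 if p in (0, 1) else -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def information_gain(rows, labels, feature):
    """Gain from splitting the corpus on presence (count > 0) of one feature."""
    present = [l for f, l in zip(rows, labels) if f[feature] > 0]
    absent = [l for f, l in zip(rows, labels) if f[feature] == 0]
    n = len(labels)
    return entropy(labels) - (len(present) / n * entropy(present) + len(absent) / n * entropy(absent))


def select_features(rows, labels, k):
    """Top-k features by information gain as (name, malicious_when_present, gain) rules."""
    ranked = sorted(((information_gain(rows, labels, f), f) for f in rows[0]), key=lambda t: (-t[0], t[1]))
    rules = []
    for gain, f in ranked[:k]:
        present = [l for row, l in zip(rows, labels) if row[f] > 0]
        rules.append((f, bool(present) and sum(present) * 2 > len(present), round(gain, 3)))
    return rules


def predict(feats, rules):
    return int(any(feats[f] > 0 for f, malicious, _ in rules if malicious))


def evaluate(predictions, labels):
    tp = sum(1 for p, l in zip(predictions, labels) if p == 1 and l == 1)
    fp = sum(1 for p, l in zip(predictions, labels) if p == 1 and l == 0)
    tn = sum(1 for p, l in zip(predictions, labels) if p == 0 and l == 0)
    fn = sum(1 for p, l in zip(predictions, labels) if p == 0 and l == 1)
    div = lambda a, b: a / b if b else 0.0
    return {"detection_rate": div(tp, tp + fn), "accuracy": div(tp + tn, len(labels)),
            "false_positive_rate": div(fp, fp + tn)}


def _pdf(body):
    return b"%PDF-1.5\n" + body + b"\ntrailer<</Root 1 0 R>>\n%%EOF\n"


CATALOG = b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
PAGE = (b"3 0 obj<</Type/Page/Parent 2 0 R/Contents 4 0 R>>endobj\n"
        b"4 0 obj<</Length 18>>stream\nBT /F1 12 Tf ET\nendstream\nendobj\n")

# Constructed corpus (label 1 = malicious): harmless strings imitating each class's structure.
TRAIN = [
    (_pdf(CATALOG + PAGE), 0),
    (_pdf(CATALOG.replace(b"/Type/Catalog", b"/Type/Catalog/AcroForm<</Fields[]>>") + PAGE
          + b"5 0 obj<</Type/Annot/Subtype/Link/A<</S/URI/URI(https://vendor.example)>>>>endobj"), 0),
    (_pdf(CATALOG + PAGE + b"5 0 obj<</Type/ObjStm/N 1/First 6/Length 10>>stream\n6 0 <<>>\nendstream\nendobj"), 0),
    (_pdf(CATALOG.replace(b"/Type/Catalog", b"/Type/Catalog/OpenAction 5 0 R") + PAGE
          + b"5 0 obj<</S/JavaScript/JS(app.alert('hi'))>>endobj"), 1),
    (_pdf(CATALOG + PAGE.replace(b"/Type/Page", b"/Type/Page/AA<</O 5 0 R>>")
          + b"5 0 obj<</S/JavaScript/J#53(app.alert('hi'))>>endobj"), 1),
    (_pdf(CATALOG.replace(b"/Type/Catalog", b"/Type/Catalog/OpenAction<</S/Launch/F(calc.exe)>>") + PAGE), 1),
]
TEST = [
    (_pdf(CATALOG + PAGE + b"5 0 obj<</Type/Annot/Subtype/Link/A<</S/URI/URI(https://example.org/doc)>>>>endobj"), 0),
    (_pdf(CATALOG.replace(b"/Type/Catalog", b"/Type/Catalog/AcroForm<</Fields[6 0 R]>>") + PAGE
          + b"6 0 obj<</FT/Tx/T(name)>>endobj"), 0),
    (_pdf(CATALOG.replace(b"/Type/Catalog", b"/Type/Catalog/OpenAction 7 0 R") + PAGE
          + b"7 0 obj<</S/JavaScript/JS(this.print())>>endobj"), 1),
    (_pdf(CATALOG + PAGE.replace(b"/Type/Page", b"/Type/Page/AA<</O 8 0 R>>") + b"8 0 obj<</S/Launch/F(cal" b"c.exe)>>endobj"), 1),
]


def run(train=TRAIN, test=TEST, k=3):
    """Select features on the training split, then score the unseen test split."""
    rows = [extract_features(d) for d, _ in train]
    rules = select_features(rows, [l for _, l in train], k)
    predictions = [predict(extract_features(d), rules) for d, _ in test]
    return rules, evaluate(predictions, [l for _, l in test])


if __name__ == "__main__":
    rules, metrics = run()
    print("selected:", rules)
    print("metrics:", metrics)
```

Two things the toy corpus shows that the abstract's numbers alone do not. First, the hex-escaped /J#53 in one training file defeats the /JS count, and that file is only caught because /JavaScript and the hex-name counter still fire; this is the cheapest form of the mimicry and evasion attacks the authors list as future work. Second, with k=2 the /AA trigger would not be selected and the last test file would be missed, so the choice of how many attributes to keep (what IBGSA searches for in the paper) directly trades detection rate against false positives on unseen files.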
MD5: 01a3d31cb1a7e784643e8b52575aa25b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1000.52 Kb
MD5: 368d42b5e19f500989fbacb32d5888e4
Format: application/pdf
Last Update: June 7th, 2024
Size: 941.91 Kb
Cory Mazzola (US-CERT, US)
mazzola-operationalizing-threat-intelligence.pdf
MD5: 4bb668fc3910e9c2ce0f07e260665b93
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.72 Mb
Clem Craven (BT, GB), Ian Wilson (BT, GB), Matthew Scott (BT, GB)
Matthew Scott, GCIH, GCED – A subject matter expert in cyber security operations, with extensive skills in detecting and responding to cyber security incidents and events. Employed within BT CERT as an Investigation Specialist, and also responsible for developing SOCs within BT, both internal and external commercial, to ensure effective detection and handling of incidents. He has performed these roles within both government and FTSE 100 companies.
Clem Craven, CISSP, BSI 27001 LA – A highly experienced and reliable subject matter expert and manager with over 25 years' experience in both the military and civilian Protective Security, Cyber Security and Information Assurance specialist arena. Employed within BT CERT as the Training Manager for the delivery of fundamental and specialist technical instruction to BT and MOD personnel on the cyber security solutions, processes and associated tools provided by BT in Cyber Operations and associated Global Security Operation Centre investigations. He is also responsible for the upskilling of technical teams and Security Operations Analysts in investigations and the analytical mindset.
Ian Wilson, GCGI, WCNA – A versatile, creative senior intrusion analyst with 25+ years of Information Security experience and in-depth knowledge of security intrusion/incident event management, intrusion detection and analysis, Information Assurance and establishing and running SOCs. Currently employed within BT CERT as an Investigation Specialist conducting investigation and remediation of cyber security incidents. Previous roles have included both physical and cyber security for Military/Government and for MSSPs providing services to a range of customers including Financial (PCI DSS) and Petroleum.
Forensic readiness is a crucial aspect of incident response. Failure to apply forensic practices throughout the entire lifecycle of an incident can prevent a threat actor (external or internal) from being held accountable. Forensic readiness can also improve the quality of decision making and of threat intelligence, and lead to efficiencies in investigating an incident. Whilst many incident responders are aware of the principles of forensic readiness, some organisations struggle to implement those principles effectively. We will demonstrate a variety of novel techniques which we have found to improve the forensic readiness of our incident response capability. Whilst each technique does require some resource to establish, they tend to have minimal resource impact during an incident. We will also present some case studies where these techniques have been utilised, to demonstrate their effectiveness.
MD5: 641faa1bc01939a68706b59f829822c6
Format: application/pdf
Last Update: June 7th, 2024
Size: 35.5 Mb
Prof. Nabil Sahli (TunCERT, TN)
Regional Symposium for Arab and African Regions
Sharm elSheikh, EG
November 3, 2016 14:00-15:00
Hosted by EG-CERT, AfricaCERT and ITU-ARCC
open_source_csirt1.0-professor_nabil_sahli.zip
MD5: 06d6270ad88ab7d6109bd46f54b74164
Format: application/zip
Last Update: June 7th, 2024
Size: 4.32 Mb
Kenneth R. van Wyk (KRvW Associates, LLC, US)
Kenneth R. van Wyk is an internationally recognized information security expert and author of the recent O'Reilly and Associates books, Incident Response and Secure Coding, as well as a monthly columnist for on-line security portal, eSecurityPlanet (http://www.eSecurityPlanet.com) and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute. Ken is a CERT® Certified Computer Security Incident Handler and provides consulting and training services through his company, KRvW Associates, LLC, (http://www.KRvW.com).
Ken has nearly 20 years as an IT Security practitioner in the Academic, Military, and Commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications International Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.
Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At the Software Engineering Institute of Carnegie Mellon University, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University and is a frequent speaker at technical conferences, and has presented papers and speeches for CSI, ISF, USENIX, FIRST, and others.
MD5: 52d39b87d21454becb9d55f0c02f5358
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.48 Mb
Rod Henderson, Diane Mickelson
mickelson-henderson-slides_20160219.pdf
MD5: c98646d413bf05db9c5c16979a287494
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.11 Mb
Freddy Dezeure (CERT-EU)
Freddy Dezeure founded CERT-EU in 2011 and was its Head until May 2017. Since then, he has been advising private enterprises and governments on cybersecurity and cyber-risk management, including by providing cyber training to Boards. He is also active as an Advisor to cybersecurity startups worldwide. He is a highly respected keynote speaker and thought leader and is very active in the cybersecurity community. He set up the EU MITRE ATT&CK Community and chairs a CISO Metrics Working Group.
dezeure-real-world-information.pdf
MD5: bf40a6bed0af92de688e0eee3bc455ce
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.46 Mb
Henry Yu (TWNCERT)
This presentation will share recent cyber-attack case studies in Taiwan, what TWNCERT has learned from these cases, and suggestions for dealing with similar cases in the future. The outline of the presentation is listed below:
aucklandtc-20160221-henry_yu-recent_cyber_attack_cases_in_taiwan.pdf
MD5: 43402b4219dc826da46ae9bcb3c2ae5a
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.98 Mb
Paul Hood (OxCERT, GB)
MD5: 7405cef8cce745d79e0cc61d0e5f9827
Format: application/pdf
Last Update: June 7th, 2024
Size: 17.55 Mb
Alex Sieira (Niddel, BR)
Alex Sieira, CTO, Niddel
Alex Sieira is the CTO of Niddel and a principal at MLSec Project for the last year. He has over 12 years dedicated to information security consulting, managed security services and R&D teams. He is an MBA, CISSP, CISA, besides some other product-specific acronyms. Alex has experience with a great range of security technology and standards, and has gained many gray hairs establishing SOC and SIEM services for large enterprises. He is currently focused on building the information security product his past self would have killed for.
For the last 18 months, MLSec Project and Niddel collected threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. In this talk, we have gathered aggregated usage information from intelligence sharing communities in order to determine whether the added interest and "push" towards sharing is really being followed by the companies, and whether its adoption is putting us on the right track to close these gaps. We propose a new set of metrics in the same vein as TIQ-test to help you understand what a "healthy" threat intelligence sharing community looks like, and how to improve the ones you may be a part of today! We will be conducting this analysis with usage data from some high-profile threat intelligence platforms and sharing communities.
MD5: de5d5c436c3163a736b0b8a10bc2fd50
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.76 Mb
Levi Gundert (Recorded Future, US)
In his current role as Vice President of Information Security Strategy at Recorded Future, Levi Gundert leads the continuous development of strategic research and intelligence to decrease operational risk for customers. Previously, Gundert was the VP of Cyber Threat Intelligence at Fidelity Investments, where he helped build a capability to identify and respond to relevant threats. Prior to that, Gundert was the Technical Leader for Cisco's Threat, Research, Analysis and Communications (TRAC) team. Gundert also served as a Special Agent with the U.S. Secret Service Los Angeles Electronic Crimes Task Force, where he initiated proactive cybercriminal investigations that resulted in worldwide arrests and prosecutions. Gundert is a prolific blogger and sought-after author/speaker, writing articles for Dark Reading, InformationWeek, and SC Magazine.
Phishing is effective, but predictable. A drive-by (watering hole) campaign paired with a zero-day exploit also accomplishes the objective, but identifying and compromising the correct website(s) for specific victim redirection is tricky and time consuming. Contrast those attack vectors with web shells. Identifying a target’s vulnerable web server and implanting a web shell is relatively straightforward and perhaps unexpected. Most organizations maintain a web presence full of application layer software which presents a wide attack surface. Enter the web shell - a tool of convenience that is increasingly being parlayed into an effective and persistent adversary communication mechanism. Web shells are preferred by specific threat actor groups for their small size and ability to maintain unauthorized access. Using numerous web shell samples and natural language processed (NLP) data from the Web, this presentation focuses on malicious web shell attack trends, the current web shell taxonomy, and specific guidance for operational defenders on detecting web shell attacks.
MD5: 53ca8d19c287e15ca15a9fd0e809d938
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.68 Mb
Nadim Barsoum
Regional Symposium for Arab and African Regions
Sharm el-Sheikh, EG
November 3, 2016 11:30-12:00
Hosted by EG-CERT, AfricaCERT and ITU-ARCC
ssa_first_sympsoium_1.0-nadim_barsoum.zip
MD5: 19d4c249eb190ca535bc7e832fb86fe5
Format: application/zip
Last Update: June 7th, 2024
Size: 1.31 Mb
Zuzana Duracinska (CZ.NIC, team CSIRT.CZ, CZ)
I joined the CZ.NIC-CSIRT and CSIRT.CZ teams in July 2013. Among my main duties are operation of the web scanning service, preparation and realization of cyber exercises, preparation of general articles on cyber security and representation of the team. Other activities include development of national and international collaboration with members of the security community. Our team is engaged in a number of projects that help to build trust and information exchange in the cyber security community, not just in the Czech Republic.
Home routers are the entry point to the home network but still do not get appropriate attention. With often outdated software and wrong settings they are very vulnerable devices, which immediately affects all the devices connected to them. In just the last year a number of vulnerable home routers were detected, which immediately put hundreds of households at risk. Since the router was usually provided by the ISP, it was rather difficult to determine who should be held responsible for patches, and rather confusing for end users. That left end users caught between the ISP and the router vendor, with long windows until a patch was delivered. CZ.NIC decided to launch a research project on a home router with a built-in firewall and weekly updates. 2000 fully open-source routers (SW and HW) were distributed to Czech households, and the households became an integral part of the research. Greylists created from the anomalies observed by the routers, along with recent lists of IPs hosting botnets, phishing and other malicious activities, are sent to the routers regularly, and it is monitored whether any home devices connect to them. This research project has already helped a number of users to detect malicious files in their network without their prior knowledge. The main reason for delivering the presentation lies in the crucial need for the security community to focus on SOHO routers. With the rise of IoT, SOHO routers will play a crucial role in securing the home network. More information about our Turris research project is available here: https://www.turris.cz/en/. Greylists as a data source are available here: https://www.turris.cz/en/greylist
MD5: a595fc7e5cf850e66684d9c8b4c0acf7
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.02 Mb
John Wunder (MITRE)
Munich 2016 TC for Threat Intelligence
Munich, DE
February 23, 2016 10:15-12:30, February 23, 2016 13:45-15:15, February 23, 2016 15:45-17:00
Hosted by Siemens
wunder-stix-taxii-Overview.pdf
MD5: 1bc65bd8afad36d2d09d29dd10aaef0a
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.48 Mb
wunder-modeling-and-mapping.pdf
MD5: 2d336778bb2c599fc3d3ad3d3f19325f
Format: application/pdf
Last Update: June 7th, 2024
Size: 578.92 Kb
MD5: 0bcbedd0f56317f8071c4959b57151f7
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.48 Mb
wunder-stix-for-developers.pdf
MD5: 39b99cf71eae12c629759a814b735911
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.71 Mb
MD5: 934cb5a3d22891cb93e999e446c95405
Format: application/pdf
Last Update: June 7th, 2024
Size: 188.19 Kb
MD5: 66bd73340ef2320d21f31f7d3cacd154
Format: application/pdf
Last Update: June 7th, 2024
Size: 645.48 Kb
Fabio Nigi (IT)
Fabio Nigi, security investigator @ Cisco SIRT, grew up in Italy, in love with FOSS software and Internet privacy.
MD5: 2f2351168c05167dd48689f385fb48e7
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.54 Mb
Matthias Seitz (SWITCH CERT, CH)
Matthias Seitz studied computer science at the University of Applied Sciences of Eastern Switzerland. In 2013, he joined SWITCH as a security engineer where he is currently leading a project that introduces DNS RPZ into the Swiss NREN.
MD5: aa73715aec2cb01be34f82aae30aea4b
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.16 Mb
Lorenz Inglin (Swisscom (Schweiz) AG, CH), Stephan Rickauer (Swisscom (Schweiz) AG, CH)
Lorenz Inglin built and has been managing various CSIRTs in multinational companies over the last decade. He has more than 15 years of experience in IT security and incident response. Currently, Lorenz is leading the Swisscom CSIRT.
Stephan Rickauer works as Incident Manager and Senior Security Analyst at Swisscom. He leads Swisscom's Red Team and has a 20 year background in Unix Engineering, Ethical Hacking and Security Testing. In his private life, Stephan enjoys Shito-Ryu Karate (which helps in surviving The Matrix).
Knock Knock … wake up, Neo.
Have you ever considered taking the Blue Pill? Being fully compliant, ignoring threats of real life, enjoying warm & fuzzy cyber banalities and just sitting back hoping for trust? Would that not just fix all of our IR problems?
Swisscom has been there. We felt good, until our new boss forced us to try the Red Pill … and we realised how deep the rabbit-hole goes.
The Swisscom CSIRT was redesigned from scratch in 2014, to move from a compliance-driven to a threat-driven approach. This has led to new ways of thinking, questioning established methods and introducing innovative ideas.
During this presentation we'll cover organisational as well as technical aspects. This includes pDNS, Red Teaming, Bug Bounty, ChatOps, Threat Intelligence and others. We will share our various experiences, illustrate possible pitfalls and reveal the vulnerabilities of Agent Smith.
MD5: 6532f86f377ad22182b7cef7d76a4c5c
Format: application/pdf
Last Update: June 7th, 2024
Size: 30.57 Mb
Jason Jones (Arbor Networks ASERT, US)
Jason Jones is a Senior Security Researcher for Arbor Networks' ASERT team. His primary role involves reverse engineering malware, development of internal malware processing infrastructure, and other development tasks. Jason has spoken at various industry conferences including BlackHat USA, BotConf, REcon, Ruxcon and AusCERT.
Bringing run-time information into IDA is not a new concept, but has been a need for some time. Taking run-time behavior and coupling that with other IDA-based tools can give new insight into how a malware behaves and give a malware analyst more insight into where the "interesting" pieces of the malware may lie. This presentation will cover TACO, a recent IDA plugin that aims to incorporate metadata logged during Cuckoo Sandbox tasks in order to speed up the malware analyst's job of discovering key behaviors used by the malware.
MD5: 5cb09870ad806af8a3a046ee60d16daa
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.03 Mb
Daniel Chechik (Trustwave, IL), Rami Kogan (Trustwave, IL)
Daniel Chechik:
Daniel Chechik is a Senior Security Researcher at Trustwave's SpiderLabs (Singtel). Among other things, he specializes in malware analysis, reverse engineering, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product. Prior to that, Daniel served in a technological unit in the IDF as a security specialist. During the service, Daniel specialized in Check Point Firewall equipment, AntiVirus products and other IT security products. Daniel, among other things, has spoken at the BlackHat, RSA, DefCon, OWASP, Ruxcon, holds CEH and CCSE certificates and has a patent for 'Detecting Malware Communication on an Infected Computing Device'.
Rami Kogan:
Rami Kogan is a Security Researcher at Trustwave’s Spiderlabs (Singtel). Rami’s average day is full of obfuscated web pages, exploit kits and coffee. Among other things, Rami has spoken at First (Bangkok 2013) - “Web Malware Outsmarting Security Products” and at the Ruxcon 2014 conference - “Bitcoin-Transaction-Malleability-Theory-In-Practice”. Rami’s motto in life is: “Stay away from Flash”.
Abstract:
Google, Yahoo, YouTube & Forbes are some of the big names that recently fell victim to Malvertising. Actually, in the past year, Malvertising became so common and effective that it has been functioning as the main source of traffic to Exploit Kits. In this presentation we will present our Malvertising research and follow the steps of cybercriminals in the world of the online advertising industry. We will show the unbearable lightness of setting up a malicious ad campaign and the endless possibilities that ad networks provide to cybercriminals to achieve the best ROI all the way to vulnerable victims.
Outline:
Recent forecasts predict that in 2016, for the first time, advertisers in the U.S. will have spent more money on online advertising than they have on television advertisements. This is good news for online ad networks and online advertisers, but with great power comes great responsibility: as online advertising increases, so does online malicious advertising or, in short, Malvertising.
The first part of the presentation will quickly cover the recent incidents of high-volume web sites, which unknowingly served malware through hosted ads. Then we will introduce the audience to the basics of online advertising and all of its aspects: advertisers, publishers and ad-networks.
The second part of the presentation will explain what Malvertising is and why it is the attack vector preferred by cyber-criminals in terms of cost and coverage. We will list the different types of Malvertising and the techniques used by cyber-criminals to achieve the best ROI.
The third part will present our research of setting up a pseudo-malicious ad campaign with its amazing results and the different mitigations of ad networks to avoid Malvertising, as well as techniques used to bypass them.
Takeaways:
The attendees will be exposed to the cybercriminal's perspective of the benefits that the online advertising industry offers to spread malware effectively. We will discuss the various possible methods to reduce the attack surface used by cybercriminals.
MD5: 5279dc1b6d1e7018c42a0edfcd8deac3
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.49 Mb
Dr Hinne Hettema (University of Auckland)
A University network is a unique entity with difficult security parameters that need to balance academic freedom, intellectual property protection and normal business operations. As in any environment, breaches occur as a result of unique organisational failure modes, which are often better understood by attackers than by defenders. To complicate matters, security operations are a somewhat special branch of IT which is sometimes poorly understood by the rest of the IT environment and the wider organisation.
To even the scale, understanding your attacker and their objectives is key to a robust cyber security practice. In this talk, I will focus on designing and structuring security operations that take an understanding of the goals and objectives of an attacker as their starting point. True to the nature of an academic environment, such operations need to be light touch, robust and cost-effective. I will discuss some of the regular incidents in our environment and how we have designed controls. In particular, at the University we have developed a number of ‘predictive controls’ that have proven successful in detecting and deterring compromises of University data. I also discuss the sort of security skills and security operations that are required to implement and maximise the usefulness of predictive controls.
aucklandtc-20160221-hinne_hettema-hidden_fortress.pdf
MD5: 6f58445f949677b5aa11a5e23982e92f
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.44 Mb
Yurii Khvyl (CSIS Security Group A/S, DK)
Yurii Khvyl is Senior Malware Analyst at CSIS Security Group A/S, Denmark. He has more than 10 years' experience in reverse analysis and investigation of banking malware threats. Member of the HoneyNet Project, DeepEndResearch, DCC. Yurii has presented talks at many different security conferences.
For professional e-crime researchers, it should be little surprise that we oftentimes observe overlaps in various criminal operations and criminal actions carried out by individuals.
When digging deeper into analysis of both malware and infrastructure of the criminal operations, we can sometimes even document and attribute different operations to individuals. The goal of this presentation is to draw a link between Neverquest, Shifu and Gotkit, i.e. malware families that have already caused significant losses to online banking, primarily in Europe. In fact, the potential for even higher short term losses is easily predictable, as will be shown in our presentation.
Our investigation will furthermore uncover and illustrate the criminal infrastructure, the modus operandi and cooperation with other criminal gangs and freelancers. This is the soul of e-crime research.
MD5: 5983b9ffc1ce25dae89292b970e7b3db
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.15 Mb
Toni Gidwani (ThreatConnect, US)
Toni Gidwani is the Director of Research Operations at ThreatConnect. In this capacity, she leads ThreatConnect’s threat intelligence research team, an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. Toni previously built and led analytic teams at the Defense Intelligence Agency and joined ThreatConnect from the Office of the Secretary of Defense.
What is the relationship between threat intelligence, incident response and risk management? Many treat them as separate disciplines with separate teams and separate deliverables, but is that the way it should be? We make the case that intelligence and response aren’t just tracking bad guys and putting out fires. Rather, these tactical functions play a critical role in informing strategic decisions to assess and manage risk to the organization's information assets. I'll discuss exactly what that role is and provide intel and IR analysts with practical recommendations on how to interface with and influence risk managers and decision makers in their organizations.
MD5: 4699c07e83f590b06405e5dd1b09f30f
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.05 Mb
Grobauer (Siemens)
grobauer-data-model-musings.pdf
MD5: fd6f5d72ce332a922ff7aa94ddb885c3
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.5 Mb
Ray Irving (FS-ISAC)
irving-threat-intelligence-sharing.pdf
MD5: 36727df54f42a3106b9dc59a5f00c1a1
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.02 Mb
Gavin Reid (HUMAN Security, US)
MD5: 8f0f5d904120e196e931fee1857b12a3
Format: application/pdf
Last Update: June 7th, 2024
Size: 90.84 Mb
Andrew Kompanek (CERT/CC, US), Pawel Pawlinski (CERT Polska / NASK, PL), Piotr Kijewski (CERT Polska / NASK, PL)
Andrew Kompanek is the Deputy Director of the Threat Directorate at the CERT Coordination Center. Prior to joining CERT, he worked at several startups, and as part of a research group in the School of Computer Science at Carnegie Mellon University. Drew holds a BS in Mathematics and Computer Science from Carnegie Mellon University.
Pawel Pawlinski is a senior specialist in the Security Projects Team at CERT.PL, within Research and Academic Computer Network, Poland (NASK). In this role, he leads the information exchange program; in particular he is responsible for the design and deployment of the n6 platform for sharing security-related data. He is also the main author of the recent ENISA good practice guide for CERTs on processing and sharing of information ("Actionable Information for Security Incident Response"). Pawel's main interests in the domain of network security include intrusion detection systems, anomaly detection algorithms, honeypots and data visualization. His past experience includes work on automated tools for large-scale analysis of both client- and server-side attacks: Honeyspider Network, ARAKIS.
Piotr Kijewski is the Head of CERT Polska, which is a part of NASK. Previously, for many years he was in charge of multiple projects and security research in the CERT Polska team. His interests include threat detection, malware analysis, botnets and honeypots. Piotr has engaged in many different innovative network security projects, both at the national and international level (including EU FP7, NATO and ENISA projects). Piotr also orchestrated and coordinated the takedown of multiple botnets. He is the author of a couple of dozen publications and articles on network security, as well as a frequent speaker and panelist at conferences both in Poland and abroad (including FIRST, NATO Cyber Defense Workshop, Honeynet Project Workshop, Microsoft Digital Crimes Consortium, Microsoft Security Research Alliance Summit, APWG eCrime etc.). In 2011, Piotr set up the Polish Chapter of the Honeynet Project. He holds an MSc degree in Telecommunications from the Warsaw University of Technology.
In this talk we will discuss our efforts to develop a methodology to assess the quality and potential operational value of a threat intelligence data feed being considered for adoption. During the past several years, we've witnessed security operations and commercial vendors move away from traditional detect and respond models toward an intelligence-oriented approach to network defense that emphasizes information sharing and the synthesis of many data sources in order to paint a multi-faceted, higher-level picture of threats. However, evaluating the usefulness of this approach (and the feeds themselves) has remained an open problem.
We will propose a series of practical metrics to assess data quality, the rationale behind their use, and then apply them to a number of data feeds, including those available in the public domain. Next, we will cover case studies where we look at the potential overlaps across different types of threat intelligence feeds, including bulk reputation data, selective IoCs for specific threats, and vulnerability information. This will be an initial step to evaluate the usefulness of threat intelligence feeds in characterizing the threat landscape. A reference implementation of tools will be released enabling evaluation of data feeds.
This work is being done in coordination with the efforts of a working group initiated at the 2015 Annual Technical Meeting for CSIRTs with National Responsibility (http://www.cert.org/natcsirt/).
MD5: 1300b2452961954e94fa68b502dc84e0
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.79 Mb
Foy Shiver (APWG)
aucklandtc-20160221-foy_shiver-update_on_global_efforts_to_fight_cyber_crime.pdf
MD5: 8431a5192f32c70611a26cc7302d7033
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.17 Mb
Brian Hein (Hewlett Packard Enterprise, US), Tomas Sander (Hewlett Packard Labs, US)
Tomas Sander
Dr. Tomas Sander is a senior researcher at Hewlett Packard Enterprise Labs in Princeton, New Jersey. He is a member of the Security and Manageability Lab at HPE which conducts research in security, privacy and cloud technologies. Before joining HP, he worked for STAR Lab, the research lab of InterTrust Technologies in Santa Clara, California, on a broad range of topics relevant to advanced digital rights management (DRM). Tomas Sander received a doctoral degree in Mathematics from the University of Dortmund, Germany in 1996. From September 1996 to September 1999 he was a postdoctoral researcher at the International Computer Science Institute (ICSI) in Berkeley, California. His research interests include computer security, privacy and cryptography. In the last few years he has been researching and developing technology to implement good privacy practices in large organizations. Based on this research, a privacy decision support tool is now deployed globally across HP that assists employees in making proper decisions for handling PII.
Tomas is the lead scientist for the creation of HPE’s Threat Central solution, a platform developed for automated and manual threat information sharing.
In 2014 Tomas was the founder and PC Chair for the ACM Workshop on Information Sharing and Collaborative Security (WISCS 2014), the first scientific workshop focused on the topic. He was also the PC Co-Chair for WISCS 2015.
Brian Hein
Brian Hein is a Senior Security Analyst at HPE Security Research group. Brian has worked at HP(E) since 2004, initially joining as part of the TippingPoint acquisition (an IPS vendor). Brian’s past experience includes helping build Fortinet (a Firewall and AV vendor) in Central Europe. He also has experience in pre-sales, building relationships with North America, Central EMEA and Eastern Europe and supporting high profile Middle Eastern customers. Brian’s current responsibilities at HPE include being the subject matter expert for Threat Intelligence Sharing as well as being the liaison between customers and various Threat Intelligence teams within HPE. Brian has contributed to more than 11 Network and Security books and has been awarded numerous patents in the Information Sharing and Threat Intelligence domain.
Besides the significant progress in automating sharing of Cyber Threat Intelligence, e.g. using Threat Information Sharing Platforms (TISPs), much actionable or contextual Threat Intelligence still requires human analysts for its creation, validation or consumption.
Existing work has mostly focused on data formats, what data to share and on data quality. There is no good understanding yet of the value proposition for end-users of a TISP. However, without high quality user contributions, TISPs won’t live up to their promise of collaborative defense against sophisticated attacks, e.g. because lower level observables alone do not carry enough context. In response we recently initiated the systematic study of the human elements of participating in a TISP. We approached this problem from one of the primary HCI and UX methods: personas. Using observational study and open-form interviews we constructed representative profiles of different classes of end-users, known as Personas. We have constructed personas for Level 1 analysts, Incident Responders and CTI analysts. We also recently added personas for CSIRT managers and CISOs.
Building on this prior work, which focused on identifying user needs, this talk will present novel solutions that address the requirements identified using personas. For example, our work shows that the personas differ significantly in the type of information they contribute to and consume from a TISP. We show how to optimize TISP features and the data they provide for these different user groups to maximize their respective contributions and the value they receive. One technique is to turn “raw intelligence” into relevant and useful intelligence based on user type. We also designed UIs that make TISP use simple for novice users but offer advanced capabilities to power sharers.
Another insight from our personas research is that in order to maximize sharing, TISPs should not only address users’ corporate (i.e. their organization’s) motivations but also their personal motivations. For example, younger analysts are keenly interested in advancing their career, enhancing their skill level and building a professional network. To serve these needs we designed a system of badges users can earn based on their TISP activities. Badges attest to an analyst’s skill level (e.g. ‘Malware Expert’), personal achievements (“Top TISP Contributor”), social validation (“Trusted User”) etc. Users can add badges to their TISP profile and use them as credentials for promotions and interviews. We are currently running a trial in a large SOC and will present the results in the talk. Our solution also addresses the privacy and confidentiality concerns that arise.
A remaining question for future research is how to establish a badging system in a cross-organizational and cross-TISP context and to develop mutually recognized criteria.
MD5: 0a1e7fb4507b4d6c8d3a8f60f691587b
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.04 Mb
Tomas Sander (Hewlett Packard Enterprise)
sander-user-aspects-of-threat-information.pdf
MD5: a7e58d44d01f3d180ab97fbcefb24d29
Format: application/pdf
Last Update: June 7th, 2024
Size: 812 Kb
Mounir Mostafa Kamal (QCERT)
Regional Symposium for Arab and African Regions
Sharm el-Sheikh, EG
November 2, 2016 13:30-14:30
Hosted by EG-CERT, AfricaCERT and ITU-ARCC
threat_modeling-mounir_kamal.zip
MD5: 483f3a7bbd1ab64a084d8eeeeb08b0f6
Format: application/zip
Last Update: June 7th, 2024
Size: 26.38 Kb
Thomas Kastner MSc (nimbusec GmbH, AT)
After graduating from his master's in Secure Information Systems, Thomas jumped right into practical application of his academic research. He joined the nimbusec team in Austria and has devoted his time to detecting and analyzing online malware ever since. His weapons of choice are machine learning algorithms, Java and Go.
Based on the FIRST 2015 presentation “A Study on the Categorization of Webshell” (Lee, Lee, Jeong, & Park, 2015) we show an automated process to classify webshells and our evaluation results based on real world data obtained from a commercial application over a period of 26 months. Lee et al. defined a webshell as a “backdoor program which is used for web hacking” and proposed a schematic to classify webshells based on multiple indicators like language, function, fingerprint etc. We have focused specifically on the aspect of function-based classification and developed a system for automatic classification. The most common method for malware classification is still signatures. Yet due to polymorphism, obfuscation and simple transformation of webshells, detection and classification rates are low. We aim at multi-class classification through the combination of two machine-learning stages. In stage one we classify sample data into a malicious and a benign category using SVMs. Stage two further improves classification with 8 function categories based on an adapted k-NN algorithm. In 2015 we successfully employed this concept across multiple enterprise web server environments. The resulting data shows that our webshell-focused machine learning produces false positive rates below 0.1%.
During this talk we will present:
our approach to machine learning webshell classification
an evaluation of this approach based on real world data
measures to lower false positive rates
MD5: 641872f28bb5848a84f0c97f01b41262
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.77 Mb
Jeremy Sparks (United States Cyber Command, US)
Captain Jeremy Sparks is a Weapons and Tactics officer at US CYBER COMMAND. Prior to taking his current post, Capt Sparks oversaw cyber warfare tactics development for the USAF cyberspace force. During his 16-year career he has served as a Crew Commander at the USAF CERT, USAF CERT incident responder, USAF CERT Chief of Digital Forensics, and Cyber Threat and Network Defense instructor and curriculum developer for the USAF undergraduate cyber training schoolhouse. Capt Sparks is a distinguished graduate of Undergraduate Network Warfare Training and the USAF Weapons School, and a three-time presenter at the U.S. Department of Defense Cyber Crime Conference.
During FIRST 2015, Capt Sparks gave a presentation on how cyber warfare operators are trained to lead crisis response teams and consistently improve IR practices through a process called debriefing. Debriefing consists of reconstructing and evaluating an event to determine how to replicate success and avoid repeat mistakes. The debrief process encompasses a review of events, identification of problems, determination of root causes and development of lessons learned. Debriefing is not a strategy for protecting a network. It is a method that should be used to evaluate how well you are performing a function, job or mission, and it provides the tools for constant improvement. The most common feedback item from 2015 was that the attendees would like a hands-on demonstration of the techniques. Based on that feedback, Capt Sparks is offering a 3-hour hands-on session in 2016. The session will be a deep dive into leadership training with practical scenarios and real-world vignettes.
MD5: 790947e66d62240c6926e9817cda6bed
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.79 Mb
Krassimir Tzvetanov (A10 Networks, Inc, US)
Mr. Tzvetanov currently works as a Principal Security Engineer for A10 Networks, and focuses on security and DDoS products. He also runs the PSIRT and DSIRT teams of A10. In the past Mr. Tzvetanov has worked on security and traffic management problems at Cisco and Yahoo!.
This session goes over the main types of attacks being used at present, why they are effective, what part of the system they affect and how to mitigate them successfully with a reasonable amount of resources.
In addition, it covers some of the tools used by the underground and allows the participants to use them and observe live traffic from them.
MD5: 2cb706e1712ccfdb291f66edfd2cfdf8
Format: application/zip
Last Update: June 7th, 2024
Size: 2.41 Mb
Tim Slaybaugh (CyberBrink, US)
Tim Slaybaugh is a Senior Intrusion Analyst for Northrop Grumman Corporation in support of the Department of Homeland Security's US-CERT program. Tim conducts in-depth forensic and malware analysis, and extensive research into identifying intrusion activity as well as providing investigative reports and threat briefs to various government agencies and private industries. Previously, Tim worked with the Investigative Analysis Unit of the FBI conducting complex investigations on an array of digital platforms. Tim also provided advanced forensic and specialized malware analysis training for law enforcement agents. Tim has presented at the Federal Law Enforcement Training Center (FLETC) and often speaks at national and international conferences on current topics in computer forensic analysis. He currently holds multiple certifications with the SANS Institute and the Department of Defense Cyber Investigations Training Academy (DCITA).
Its sole purpose is to take your money. Vawtrak, aka Neverquest, is considered to be one of the most dangerous pieces of financial stealing malware detected.
Among its sophisticated capabilities is the ability to bypass authentication by injecting itself into user-initiated sessions to banking, finance, payroll services, and insurance sites. In addition, Vawtrak can surreptitiously modify data in encrypted web traffic, turn off antivirus applications and even intercept warning notices about fraudulent activity from online banking sites. Vawtrak's nefarious methods of stealing personal data have established it as a premier provider of Crimeware-as-a-Service in the underground banking fraud market.
For the incident responder, the deceptive techniques deployed by the malware make it critical to acquire memory and network data during an investigation, when possible. As you are guided through the Vawtrak network, various forensic methodologies will be presented to detect indicators of compromise within memory samples and images that are associated with the banking trojan. Mitigation techniques targeting the attack vectors of the trojan will also be discussed.
MD5: e267b56f6c97a9fe02f607b2a812069b
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 3.55 Mb
Choolwe Nalubamba
Regional Symposium for Arab and African Regions
Sharm elSheikh, EG
November 2, 2016 14:30-15:00
Hosted by EG-CERT, AfricaCERT and ITU-ARCC
cirt_update_zambia-choolwe_nalubamba.zip
MD5: 14d9056c79dac94cbf8d211fa2353797
Format: application/zip
Last Update: June 7th, 2024
Size: 5.66 Mb