- FI
A holistic approach to ensure product security
Christer Stenhäll (Ericsson PSIRT, FI)
Christer Stenhäll is working as a Security Consultant in the Ericsson Product Security Incident Response Team (PSIRT). Ericsson PSIRT is the global security point-of-contact for all products in Ericsson's portfolio.
Christer is responsible for the development of the risk assessment process and the vulnerability management process for product security.
In a company as big as Ericsson with a multitude of products, solutions and services spanning from legacy telecom systems to complex modern IoT solutions, how can one assure that all products will achieve the necessary Security and Privacy requirements for create, deploy and maintain secure products?
This presentation will tell about how we at Ericsson tackles the challenge of having a holistic security and privacy approach that works for all products, this talk will be about the Security Reliability Model (SRM) which is the model/framework Ericsson developed to achieve the Security and Privacy ambition in all our products, services and security as a business.
The Security Reliability Model (SRM) is a holistic approach to secure that product security & privacy is considered and implemented in every step duration the life cycle of the product, from planning to development and to deployment & maintenance.
I will uncover how the SRM enables Ericsson products, solutions and services to set their product security and privacy ambition level, to ensures the implementation of appropriate security and privacy and to follows up and measures actual product security and privacy status that enables secure product deployment in customer networks.
The SRM are built on requirements that set the base for the security and privacy functions as well as other important supporting processes that ties in to the SRM like Vulnerability Managements, Risk Assessment and Vulnerability analysis at also will be presented to give the best possible view of what exactly SRM is.
- LU
A little tour in the world of password stealers
Paul Jung (Excellium Services, LU)
Paul Jung is since a long time a security enthusiast. He works in the security field in Luxembourg since more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experiences that enable him to perform multiple roles from offensive security audit to security incident handling. From 2008 to 2014, prior to join Excellium Services, Paul was Senior Security Architect in the Managed Network Security department of the European Commission. In this previous position, Paul was responsible for leading technical aspects of security projects. He also wrote a few articles in MISC magazine (French) about DDos, Botnets and incident response.
Since 2014, Paul works at Excellium Services as senior security consultant. He leads Excellium Services CSIRT (CERT-XLM). Within this position, Paul lead the response team involved in incident handling and intrusion responses. He provides security awareness and recommendations to Excellium Services customers.
Paul is often speaker at local event and was multiple times speaker at Hack.lu and Botconf security conferences.
His mother tongue is French, and he speaks English.
PassWord Stealer (PWS) are around since more than a decade now. They are legions. Some like Pony, aka FareIT are well known. Nobody takes really time to explain what is around, what it is capable of and how this little industry works.
However, they are still a common threat actively used according to our incidents logs. A PWS is not a RAT we made this distinction. The aim of a PWS is to be launched, steal a lot of credentials and optionally keylog and/or drop another payload.
Sadly nobody cares about them anymore when they fire an antivirus inside a company. To illustrate this, my presentation will go thought a couple of PWS that I meet, and I will an overview of the history and capabilities of the threat, give tricks and tools/script needed to identify and even decipher them. A couple of these decoding/identification tools are freely available to the community and not written by me, this task may be achieved by a lot of security people without even any skills in reverse engineering.
Finally I will try to summarize these threats by giving to the participants a clear view of what is available in the field and how to detect some backends.
Agent-Based Modeling and Simulation in Cybersecurity
Cisco: Petr Cernohorsky
As the number and variety of malware types increases, the industry is seeking ways to automate the detection and response. With the abundance of data and recent developments in machine learning and artificial intelligence, we are seeing applications of those methods in every corner of the enterprise including cybersecurity. However, even though data is readily available, not always it is available in a labeled format ready for training up the algorithms. I would like to introduce the concept of computational simulations and debate possible applications in the domain of cybersecurity and as an extension to today's capabilities in machine learning.
- AU US
An Internet of Governments: How Policymakers Became Interested in “Cyber”
Klee Aiken
Maarten Van HorenbeeckKlee Aiken (APNIC, AU), Maarten Van Horenbeeck (Zendesk, US)
Maarten Van Horenbeeck is Vice President of security engineering at Fastly, a content delivery network that speeds up web properties around the world. He is also a board member of the Forum of Incident Response and Security Teams (FIRST), the largest association of security teams, counting 300 members in over 70 countries. Previously, Maarten managed the Threat Intelligence team at Amazon and worked on the Security teams at Google and Microsoft. Maarten holds a master’s degree in information security from Edith Cowan University and a master’s degree in international relations from the Freie Universitat Berlin. When not working, he enjoys backpacking, sailing, and collecting first-edition travel literature.
Klée Aiken is the External Relations Manager with APNIC, the Regional Internet Registry for the Asia-Pacific. In this role he works to promote APNIC’s vision of a global, open, stable, and secure Internet across the region’s 56 economies as well as internationally.
Prior to joining the team he was an analyst with the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI) where he researched domestic and regional cyber policy developments. He has also spent several years working in DC, serving a stint with the International Technology and Trade Associates. Klée holds a Master's degree in International Relations from the Universiteit van Amsterdam in the Netherlands.
Gradually, the internet has become a bigger part of how we socialize, do business, and lead our daily lives. Though they typically do not own much of the infrastructure, governments have taken ever-increasing note, often aspirational, and sometimes with suspicion.
In the meanwhile, the amount of control governments have on the internet has slowly eroded - due to the move of offline services, such as mail, online. This talk will show how major security incidents have shown how some things states have taken granted - such as control over borders - have eroded.
In this talk, we’ll cover how governments internationally debate and work on topics of cybersecurity, agree on what the challenges are, and get inspiration on solutions. The talk will show how these concerns often originate from domestic concerns, but then enter several processes in which governments meet, debate, agree, and disagree on their solutions. As a specific example, it will use cryptography restrictions and how they evolved from law making, through more illicit work such as the promotion of faulty standards, or the introduction of lawful intercept backdoors.
You’ll learn about initiatives such as the ITU, the UNGGE, the Global Conference on Cyberspace, the UN Institute for Disarmament Research and the Internet Governance Forum, Wassanaar, and how these forums and treaties affect our lives as incident responders. You'll also learn about how FIRST is helping educate these communities on our role as incident responders.
APCERT Activities and Updates
Tom O’Brien (CERT Australia / APCERT)
Adli Wahid (APNIC)
Noumea TC
Noumea, NC
September 10, 2018 16:45-17:00
Hosted by APNIC
- SG
Attacker Antics: Illustrations of Ingenuity
Bartosz Inglot (FireEye, SG), Vincent Wong (FireEye, SG)
Bart Inglot is a Principal Consultant that specialises in incident response and digital forensics in Mandiant's Security Consulting Services team helping clients restore confidence in an event of a breach. He holds a degree in Computer Forensics, is a keen developer, enjoys inspecting network traffic and specialises in Windows forensics with fascination in volatile memory. Having worked on incident response engagements around the world, Bart routinely develops new tools and ideas to solve on-the-job problems and to ensure Mandiant remains an industry leader. Some of these developments led to Bart's contributions to the Volatility project. After spending 8 years in England, Bart recently relocated to South-East Asia as he believes it's still the most fascinating, culturally diverse, and opportunistic region in the world. The relative immaturity in Cyber Security in most countries, but also the "hunger to learn" that most businesses and government organizations display, offer a significant growth opportunity. Bart has an extensive speaking experience with the most recent talks at Draconcon 2017 (Hong Kong), OPCDE 2017 (Dubai, UAE), RSA APJ 2017 (Singapore) and Ruxcon 2017 (Canberra, Australia).
Vincent Wong is a Principal Consultant in Mandiant’s Singapore office. Mr Wong's current role requires him to perform targeted attack investigations, which involves incident response, compromise assessment and forensics to identify attacker groups, attacker capabilities, infrastructure and intentions. Mr Wong has extensive digital forensics experience within a law enforcement agency and has provided expert witness testimony. Mr Wong has over 15 years of experience in both private and public sector environments, and he entered the security field 8 years ago as an Digital Forensic Examiner with the Australian Government. In that role, he provided Digital Forensic expertise, research and capability building in a range of criminal cases such as internet crimes (hacking and the spread of child exploitation material), fraud, money laundering, murder and illegal drug importation. The broad range of crime types has seen him provide digital forensic analysis under a national accredited lab reporting on computers, servers, mobile phones and other electronic storage devices. Mr Wong has also presented his experiences at Security Conferences in Singapore and was invited to speak at internal FireEye events.
The arms race between the vendors creating security defenses and the hackers trying to defeat them continues. While responding to security breaches around the world, we have uncovered some creative and ingenious tactics, techniques and procedures (TTPs). We carefully selected several of the more recent and fascinating attacker TTPs and we are excited to share them with you. Come to the talk to hear about attackers breaching air-gapped networks, abusing anti-virus server, hijacking victim’s emails, camouflaging malware and preventing it from sandbox execution, and using obscure persistence mechanisms, to name a few.
- US
Big Expensive Problems in Cheap Little Things
Thomas Millar (US-CERT, US) (US)
Mr. Millar has been a member of US-CERT for 10 years, serving as its Chief of Communications for most of that time. In that role, he has worked to strengthen US-CERT information sharing capabilities, increased the level of public, private and international partner engagement, and supported initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar has a Master of Science in Engineering Management from the George Washington University.
Embedded systems and IoT vulnerabilities are manifesting themselves as a significant threat to our everyday lives. Not only do we see the classes of "obvious" vulnerabilities reappearing that were mostly eradicated from traditional enterprise software during the last decade, but those vulnerabilities are being exploited in ways that traditional PC and server systems couldn't be, causing lasting harm and threats to physical safety. Fixing these issues one-by-one in each affected product is not a scalable solution; we need a strategic approach that can be practically achieved world-wide.
This presentation will explore the classes of systemic weaknesses seen in IoT, the potentially catastrophic impacts of those flaws, some of the reasons for why they are so difficult to address, and finally, pros and cons of some approaches to potentially solving or mitigating the risks. Technical detail will be limited to explanations of selected weaknesses and attack patterns and the content is intended for all audience types.
- US
Catching Up with Osquery Workshop
Douglas Wilson (Uptycs, US)
Douglas (Doug) Wilson is the Director of Security at Uptycs, a Boston-area startup building SaaS solutions on top of osquery.
Before Uptycs, Doug was a Senior Manager at FireEye, where he led the FireEye Labs Threat Indicators Team. He was also a Manager and Principal Consultant at Mandiant. He has spent a large amount of his career advocating for open tools, organizations, and standards, being the spokesperson for OpenIOC, as well as founding and running OWASP DC, and being one of two principal organizers of the first three AppSec DC conferences.
Doug is based out of Washington DC in the US. He has over 18 years of experience in a variety of Information Security and Technology positions, including Incident Response and Multi-tiered Application Architecture. Doug has presented at FIRST in 2013, 2014, and 2015. He has also spoken on various Infosec topics at other events including SOURCE Boston, GFIRST, DoD Cybercrime, NIST IT-SAC, Suits and Spooks, and Shmoocon.
osquery ( https://osquery.io ) is a powerful cross-platform, open-source endpoint agent that was released by Facebook in 2014. It has been growing rapidly in the past year, becoming one of the top security projects on github, with major internet companies above and beyond Facebook adopting it as their endpoint tool of choice in place of commercial endpoint offerings.
This presentation, offered by a practitioner who has been working closely with osquery since mid-2016, will provide information for security practitioners who:
- Have EDR or IR endpoint needs, but don't always have the budget or other resources to purchase and deploy expensive black-box security products
- Want the ability to freely customize the questions they are asking of their endpoints over time
- Want the ability to collect and analyze data passively like they would with a SIEM, yet have active investigation capabilities for the endpoint without having to deploy a separate tool.
This presentation will contain topics such as the basic design concepts of osquery, fundamentals of launching and running osquery interactively and as a daemon, configuring osquery, simple and complex queries against osquery, what osquery event tables are and how to use them, how osquery can be used to investigate a host, and a brief discussion of how to use osquery at scale. It would also include a summary of the osquery project status, including important features added to osquery in the past year, current pain points and roadmap items for osquery, and how attendees can join the osquery community and/or contribute to the ongoing osquery effort.
In outline form, the presentation would consist of at least the following:
- The basic concept of osquery
-- Abstracting to SQL
-- Read Only Agent
-- Tries to respect privacy
- Fundamentals of launching and running osquery
-- running osquery interactively
-- running osquery as a daemon
-- configuring osquery options
- Simple & complex queries against interactive osquery
- "Events" in osquery
-- what is an _event table versus a normal osquery table
-- what events are available on what OS
-- Why this is not consistent across all OS
- how osquery can be used to investigate a host
-- compliance audit examples
-- file integrity monitoring / file hash retrieval
-- tying tables together
- The challenges of osquery at scale
-- possible solutions
- osquery project year in review
-- A summary of important features added to the project in the past year
-- A summary of current pain points and/or roadmap items that need work
-- How attendees can join the community and/or contribute to the ongoing osquery effort
Andreas Harner, Head of CERT@VDE, VDE e.V.
The cybersecurity platform CERT@VDE is introduced as a coping strategy for the increasing threat situation for SMEs of the automation industry. Technical trends like “Industry 4.0” and the increasing digitalization and internetting of different domains are the main drivers for complete new challenges around cybersecurity the SMEs are involved in.
Therefore the presentation will show the current process of handling vulnerabilities in the industrial automation sector and how the new, neutral and trustworthy CERT@VDE will support the process of coordination and exchange of information in the future.
CERT@VDE is introduced as a non-profit organization that takes care for knowledge transfer across company borders
Coordinated Vulnerability Disclosure - Today's Challenge
Laurie Tyzenhaus, CERT/CC
Coordinated Vulnerability Disclosure (CVD) is an ongoing challenge. We are discussing CVD in vendor forums and in-house to identify the problems and sensitivities associated with changes to the process. Our experience indicates that once more than 5 vendors are involved, our current CVD process struggles with tracking the data and communications associated with these reports. We see these types of reports about 4 times a year and expect it to increase. There are no COTS solutions that can manage the multi-vendor problem.
Specific questions include: Can vendors work in a collaborative environment (like GitHub)? Is encryption helping or hindering discussions? How can we continue to encourage coordinated disclosure by reporters?
We expect other CERTs already have, or soon will have to solve this problem. We hope to encourage a "coordinating" solution!
PSIRT TC 2018
Atlanta, US
February 28, 2018 13:45-14:45
Hosted by Honeywell
- US
Coordinating Vulnerability Disclosure with Multiple Vendors
Laurie Tyzenhaus (SEI CERT, US)
Five years with SEI-CERT supporting government sponsors with threat analysis and coordinated vulnerability disclosure. Twenty-two years with the Department of Energy: 12 years as a Intelligence/Counterintelligence Cyber Analyst (SME for technical threats & countermeasures at numerous national laboratories and sites), and 10 years building the Argonne National Laboratory Cyber Security program (incident handling, program development and management).
Coordinated Vulnerability Disclosure (CVD) is an ongoing challenge. We are discussing CVD in vendor forums and in-house to identify the problems and sensitivities associated with changes to the process. Our experience indicates that once more than 5 vendors are involved, our current CVD process struggles with tracking the data and communications associated with these reports. We see these types of reports about 4 times a year and expect it to increase. There are no COTS solutions that can manage the multi-vendor problem.
Specific questions include: Can vendors work in a collaborative environment (like GitHub)? Is encryption helping or hindering discussions? How can we continue to encourage coordinated disclosure by reporters?
We expect other CERTs already have, or soon will have to solve this problem. We hope to encourage a “coordinating” solution!
- US
Crawl, Walk, Run: Living the PSIRT Framework
Mark StanislavMark Stanislav (Cisco (Duo Security), US)
Mark Stanislav is the Director of Application Security for Duo Security. Mark has spoken internationally at over 100 events, including RSA, DEF CON, SOURCE Boston, Codegate, SecTor, and THOTCON. Mark’s security research and initiatives have been featured by news outlets such as the Wall Street Journal, the Associated Press, CNET, Good Morning America, and Forbes. He is also the author of the book 'Two-Factor Authentication.' Mark holds a BS in networking and IT administration and an MS in technology studies focused on information assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an adjunct lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.
With its June, 2017 draft release, the PSIRT Framework from FIRST established a new era in product security formalization. A quick search of FIRST member organizations show a 5:1 disparity of CSIRT-to-PSIRT members represented, providing a data point to what many industry experts already know -- formal product security programs are much more rare than their corporate counterparts.
This presentation will detail the journey, hurdles, and outcomes of using the PSIRT Framework to take a hard look at formalizing an existing application security team's efforts into a more holistic program. Topics will include executing a program gap analysis, deciding on how to re-mediate identified gaps, organizing a PSIRT across functional teams, processes we utilize, execution of a product security advisory process, and other parts of our organization's implementation of the framework to guide our program maturity.
Curious how to take your team's best-effort product security and level it up? Attend this talk and you'll gain real-world value from the experiences our team took to do just that.
- HR
Creating NIS Compliant Country in a Non-regulated Environment, Case Study Croatia
Jurica Cular (ISSB, HR)
Jurica Čular graduated at Faculty of electronics and computer science, Zagreb, Croatia as Master of Computer Science. Got an MBA in finance and marketing at Kelley School of Business, Indiana University. Holds several information security certificates CISA, CISSP, ISO 27001 LA.Worked as an information security consultant for financial institutions and for Deloitte. Currently working as an expert advisor in Information Systems Security Bureau.
The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The main goal is to ensure harmonization in level of cyber security between member states. Process seems reasonable and most member states agreed on usefulness of such legislation. The fact that NIS is a directive and not a regulation implies that member states should create a legislation in line with NIS. This is where the fun starts. EU member states are very different one from another and creating a harmonization is pretty hard task. How some old and well organized member states are dealing with this task is significantly different than the situation in a rather new member states. This talk will bring insight in a process of transposition of NIS Directive into Croatian legislation. What approach did we take, who were the key players in this process? What are the biases that exist with each key player and what roles were designated to CSIRTs? How did we cope with issues in a society and economy with very low cyber security awareness?
These are the questions I will bring answers during the talk. For EU CERTs this would be interesting to hear and compare experiences. For non-EU CERTs this is a good way to hear about good and bad aspects of NIS Directive.
Cyber Security Challenges: The need to Bridge the Gaps
Jeff Garae (Cyber Security Advisor)
Noumea TC
Noumea, NC
September 10, 2018 11:30-12:30
Hosted by APNIC
- FI
Cyber Weather - Situational Awareness Product For Our Non-technical Constituents
Tomi Kinnari (NCSC-FI (National Cyber Security Centre) / Finnish Communications Regulatory Authority, FI)
Tomi Kinnari has been working as Situational Awareness Coordinator in Finnish National Cyber Security Centre for four years. In this role he has been coordinating incidents in CERT and collaborating with both technical and non-technical constituents. In addition he is responsible for handling collaboration with two ISAC's.
Problem:
How to present cyber situational awareness in an understandable way to our non-technical and semi-technical constituents, such as management, CTO’s, risk officers, citizens etc.?
Solution:
We developed a new situational awareness product that we call cyber weather. It covers topics such as DDoS, malware, vulnerabilities, APT, IoT and network failures. It is written in a language that also semi-technical and non-technical audiences can follow.
How we did this:
The information is gathered and distilled monthly by six groups, each immersed in one of the focus areas of the cyber weather. These groups gather information from several internal and external sources, such as incidents from ticketing system, ISACs, other government agencies and news. The new developments from each focus area are discussed and written down on a monthly basis.
Results:
We have collected and made cyber weather for over a year, and the results have been encouraging. Our constituents have considered it a very good and easy to follow summary of the key events. Some use it to follow key trends and events in cyberspace while others have been using it as a source in their risk assessments. Furthermore, it has also enabled NCSC-FI to better follow trends, because creation of cyber weather is forcing us to summarize key events monthly.
Cyber weather has also made preparing presentations to speaker gigs much easier, which helps a great deal because NCSC-FI is speaking in over 100 events per year. It has also made the quality of the presentations more homogenous among NCSC-FI employees, because everyone is using the same base for the presentations.
Data driven DNS project to improve cybersecurity
Jinhyun CHO (KISA)
Data driven DNS project to improve cybersecurity
Noumea TC
Noumea, NC
September 10, 2018 11:00-11:30
Hosted by APNIC
- DE
Detect & Respond to IoT Botnets as an ISP
Christoph Giese (Telekom Security, DE)
Studies: BSc IT dual@telekom --> MSc digital forensics (finish line)
Work: System Engineer 2y --> CERT/CDC for 3y
GCFA/GCNA; open source development
The Internet of Things (IoT) is an increasing number of (smart) devices of various types, often enough directly connected to the Internet without proper security mechanisms enabled.
The types of devices range from simple IP-based Cameras to complex home routers with
computing powers reaching that of personal computers. The fast development in terms of powerful hardware and the fact that those IoT devices are connected to the Internet 24/7 turns them into highly valuable targets for cyber crime.
In 2016 the first larger IoT device-based botnets emerged, with Mirai being one of the most prominent examples, which infected more than 120.000 devices [1]. Mirai was also responsible for knocking almost 1 million customers of Deutsche Telekom AG the Internet, and is infamous for performing the largest and most disruptive denial of service (DoS) attacks in history [2].
Due to the leakage of Mirais source code to the public, new variants emerged, such as Reaper or the recent Satori botnet. In order to cope with future variants of Mirai and to avoid further impact on routers of Deutsche Telekom, we have adapted common security mechanisms to minimize detection and response times of IoT device-based botnets. In this talk, we will present our detection, analysis, and response strategy to deal with infected IoT devices from an ISP point of view.
A high-level overview of our approach will be discussed in more detail during our presentation.
To boost the early detection of suspicious activity on IoT related network ports, Deutsche Telekom extended its large number of honeypots, deployed across the Internet, with IoT-specific application simulations. Additionally, temporarily unused IP address ranges are used as a so-called black hole [3], to monitor general activity in form of backscatter and malicious traffic on the Internet. Together with basic machine learning algorithms, we use the input of these sensors as a trigger to start further in-depth investigation. Based on traffc fingerprinting, open-source intelligence information, and payload data from the honeypots, we are able to
initiate a response chain, to minimize potential impact of an emerging IoT botnet.
For the response chain, we use well-known open-source tools, such as IntelMQ for message/event processing and MISP (Malware Information Sharing Platform) to distribute relevant indicators across the enterprise to quickly identify infected systems within our responsibility and initiate appropriate mitigation actions.
During our talk we will use the recent Satori IoT botnet as a showcase for our approach and to explain what kind of challenges still exist.
[1] https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
[2] https://www.bitdefender.com/box/blog/iot-news/mirai-writes-new-chapter-history-ddos-attacks/
[3] Bailey M., Cooke E., Jahanian F., Nazario J. and Watson D., 2005. The Internet Motion Sensor - A Distributed Blackhole Monitoring System. In Proceedings of Network and Distributed System Security Symposium (NDSS 05), pp. 167-179.
Detection, Eradication & Forensic: Cyber Threats Intelligence Model for CNII Organizations
Nurul Husna Mohd Nor Hazalin (CyberSecurity Malaysia)
- US
Determining the Fit and Impact of CTI Indicators on your Monitoring Pipeline (TIQ-Test 2.0)
Alex Pinto (Niddel (a Verizon Company), US)
Alex Pinto is a Distinguished Engineer of the Security Solutions Group at Verizon Enterprise Services. He is responsible for data science, analytics and machine learning capabilities of the Verizon Autonomous Threat Hunting product. He joined Verizon through the acquisition of Niddel, where Alex was Co-Founder and Chief Data Scientist.
Alex has over 20 years of experience in build security solutions and products and the last 5 of those years have been solely dedicated to the application of machine learning in cybersecurity detection and threat hunting activities. He also holds multiple cybersecurity certifications, such as CISSP-ISSAP, CISA, CISM, and was previously PMP and PCI-QSA certified.
He is an accomplished international speaker and thought leader, has presented various times at conferences such as Black Hat, DEFCON, RSA Conference and FIRST. His usual research subjects are machine learning applied to security, threat intelligence evaluation and metrics, and threat hunting automation.
Before founding Niddel, Alex was a founder of CIPHER Security, a global full-solution provider of Brazilian origin. He was born in Rio de Janeiro, but for a twist of fate can't play any soccer.
Implementing an appropriate data processing pipeline to make good use of your indicators of compromise is a problem that has been successfully addressed over the last few years. However, even with all the push of automation and orchestration, a fundamental question remains: WHAT data should I be ingesting in my detection pipelines? There is no lack of data feeds available, shared or not, paid or not. But how to keep my CTI IR team from spinning their wheels on a pile of CTI mud?
This talk will discuss statistical analysis you can do with the CTI indicators you collect and your own network telemetry to define:
- COVERAGE: Is your current mix of CTI feeds providing a varied view on the current threats that you should actually be concerned with?
- FIT: How appropriate does the CTI data apply to your own traffic. CTI vendors always talk about vertical specific threats, but is that measurable and verifiable?
- IMPACT: How much was your true positive detections assisted by matches and link analysis derived from those CTI feeds?
Those concepts will be introduced and explained with minimal math background needed, and pseudo-code will be provided to assist organizations to perform those experiments on their own environment. We hope those tools will help attendees to better evaluate the quality of the CTI feeds they ingest from their open sources, paid providers and sharing communities.
- JP
Discovering Evasive Code in Malicious Websites with High- and Low-interaction Honeyclients
Yuta Takata (NTT-CERT, JP)
Dr. Yuta Takata is a researcher at NTT R&D and has been a member of NTT-CERT in Japan since 2013. He focuses on developing honeyclients that effectively analyze websites and exhaustively extract malicious behaviors, e.g., browser exploitations and malware infections. Recently, he has been researching methods of detecting malicious websites using machine learning techniques.
Threats of malicious websites are continuously evolving. These websites are exponentially increasing to achieve attacker's various objectives, e.g., malware distributions, data breaches, defacements, and bitcoin mining.
NTT-CERT has been monitoring and detecting such malicious websites by operating both high-interaction honeyclients and low-interaction honeyclients. A high-interaction honeyclient, which is a decoy real browser, can precisely detect browser exploitations and malware downloads. A low-interaction honeyclient, which is a browser emulator, can emulate client profiles, trace complicated redirections, and hook code executions in detail. We usually detect malicious websites and confirm the evidence of maliciousness on the basis of both analysis results.
However, attackers also develop more sophisticated techniques to evade our honeyclient analysis. They craft JavaScript code that controls whether to redirect clients to malicious URLs by abusing the differences among client environments. This evasive code is pervasively distributed through exploit kits. Therefore, a countermeasure is urgently needed.
My presentation explores evasion techniques by analyzing the redirection differences between high-interaction honeyclients (Internet Explorer) and low-interaction honeyclients (HtmlUnit). Since these honeyclients use different client implementations, I can identify evasive code by leveraging the differences. I investigated 8,500 JavaScript samples executed in 20,000 malicious websites observed in experimental environments of NTT. I discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will be necessary for incident responders to understand and analyze modern malicious websites, and contribute to improving the analysis capabilities of conventional honeyclients.
Contributions:
- I introduce the operation of monitoring websites using honeyclients at NTT.
- I share evasive code examples that abuse the differences among JavaScript implementations.
- I show the effectiveness of evasive code as content signatures for detecting malicious websites.
DNS Abuse Handling
Champika Wijayatunga (ICANN)
Noumea TC
Noumea, NC
September 10, 2018 14:45-15:30
Hosted by APNIC
DNS Firewall with Response Policy Zone (RPZ)
Suman Kumar Saha (bdCERT)
DNS RPZ intro and examples
Switch: Mathias Seitz
"DNS RPZ intro and examples" This talk is a follow up from the previous talks at the FIRST-TC 2016 and 2017 in Amsterdam. Users which are not familiar with DNS RPZ yet will receive an introduction to this technology. Attendees from the previous talks will hear about new examples from SWITCH-CERT's daily work, in which the DNS Firewall was an important and very useful tool to protect
end users from threats.
Domain Abuse Activity Reporting - Measuring the reputation of DNS industry
John Crain (ICANN)
- GB
Don't Ignore GDPR; It Matters Now!
Thomas FischerThomas Fischer (Independent, GB)
Thomas has over 30 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties not just for external threats but also compliance instigated.
Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.
GDPR is in effect since May 25, 2018, any organization handling EU residents’ personal data should be complying with stricter privacy regulations or be ready to pay up to four percent of their global annual revenue in fines or €10,000,000. This is a substantial penalty for non-compliant companies, and does not focus just on companies based in Europe – it’s for ALL companies globally who do business in the EU.
There is a lot of talk in about compliance with GDPR but in fact it may need some fundamental and deep organizational changes to be prepared and ensure EU citizen personal data. But what does this mean to our incident response process? Let's explore what is covered by GDPR and how it may impact your organisation, answering questions such as do I need to have a DPO; I don't do business directly in the EU when does GDPR affect me; what data is affected? What key processes need changing and importantly how should my incident response procedures work in order to meet GDPR accountability.
A key first step in protecting that data and being able to respond is to first understand what is personal data as defined under GDPR which not only includes basics but also things like an IP address, IMEI and biometrics. Once we understand the nature of personal data, we can look at what the impact on what needs to be implemented or addressed versus the various Articles in GDPR, look at what they mean to some of our key Infosec best practices (such as SDLC, backup, …) to the discuss the impact and improvement on the incident response process and interactions with the DPO and DPA.
End Point Protection
Raja Azrina Raja Othman (Independent Information Security Advisor)
The ultimate aim in a cyber attack is to gain entry to endpoint systems, be it servers, terminals, or enduser computers. Once successful, further reconnaissance can be conducted to identify more specific target host and information. The session will cover on how the endpoint protection has evolved from blacklisting to whitelisting approach in defending against common attacks and the challenges in implementation.
Noumea TC
Noumea, NC
September 10, 2018 14:00-14:45
Hosted by APNIC
Enhancing open source vulnerability scanners: from a single box to hardened multinode scan clusters
Peter Kleinert, Binconf CDC
Do you think open source vulnerability scanners are OK for basic usage but hardly suited for a secure WAN with dozens of VLANs?
In our presentation we describe the architecture of a self-containing multi-node master-slaves appliance designed to scan for vulnerabilities in a highly secure air-gapped network consisting of many subnets located in several geographical locations.
We integrated various open source solutions in these appliances since not just the scanning was required; collection and analysis of its internal logs, monitoring of HW/OS/service metrics, secure offline updating and reporting to operators was required.
- BE
Free BugBounty as a CERT
Emilien Le Jamtel (CERT-EU, BE)
Emilien Le Jamtel is a security analyst working for CERT-EU.
As a CERT, handling a bug bounty program for your constituents may be challenging.
In CERT-EU, during our vulnerability management process, we created a specific page on our website to thanks a researcher pointing out vulnerabilities on our constituents websites.
Once the program started, a lot of unexpected issues were encountered and we had to modify our processes and tools to be able to face those challenges.
In this presentation we will provide details on challenges and how we handled them to make our life easier and provide a better service for our constituents.
GDPR processes at RIPE NCC
Mirjam Kuehne
This talk will focus on how the RIPE NCC approached the GDPR and how it turned into a detailed data classification and compliance project: what data we store, for how long, who owns what data set, who can access it, etc. We did a legal analysis of how the GDPR affects the RIPE Database, and any other RIPE NCC services.
- IN
Sumanth NaropanthSumanth Naropanth (Deep Armor, IN), Sunil Kumar (Deep Armor, IN)
Sunil Kumar is a Security Analyst at Deep Armor. He has vast experience in pentesting web applications, mobile applications and IoT products. In addition to penetration testing, he has advanced knowledge of AWS and development skills in node.js and python. Prior to Deep Armor, Sunil worked as a security engineer for Olacabs and Aricent technologies.
Sumanth Naropanth is a technical expert in security research, vulnerability assessments, security architecture & design, and incident response. He has held several security leadership positions, has developed detailed frameworks for Security Development Lifecycle (SDL) for large corporations, and has managed global teams that executed those SDL activities. Sumanth is the founder and CEO of Deep Armor. He previously worked for Sun Microsystems, Palm/HP and Intel. He and his team have published their research at well-known security conferences, including Black Hat Asia, Black Hat Europe, Troopers, Nuit du Hack, Shakacon and so on. Sumanth has a Masters degree in Computer Science (Security) from Columbia University.
This interactive course teaches engineers about security for IoT and wearable platforms. The course is tailored to educate students on a holistic hands-on approach to securing wearable/IoT ecosystems and designing security development lifecycle (SDL) for such classes of devices. We primarily focus on hardware security paradigms and securing communication protocols used in such devices and accompanying Android/iOS applications.
We will show maker products built using micro-controllers and SoCs that are commonly used in IoT form factor devices. The audience will be see how the most commonly used communication protocols in these products are complicated to secure. Via a series of demos and live packet sniffing and injection, we will teach mechanisms to snoop on these channels, bypass basic security protections and inject rogue packets. We also teach how to secure the hardware, firmware & software components used in these devices.
Wearables operate in very close proximity to users, and hence have access to a wealth of user personal information. We consider privacy to be an important aspect of SDL for wearables. Our training includes a session on privacy for wearable platforms.
Prerequisites:
Familiarity with embedded systems and interfacing with them using USB and serial ports; Basic familiarity with Bluetooth, BLE and ZigBee; Working with, and debugging Android applications; Basics of cryptography and information security
- CH
IPv6 Security
Frank Herberg (SWITCH-CERT, CH)
After completing his studies in engineering, Frank Herberg worked on IT infrastructure and security projects for a number of technology consulting firms. In 2012, he joined SWITCH-CERT, where one of his specialisms is IPv6 security. In the past years he conducted divers IPv6 security trainings and hands-on workshops for the security community.
The Training will give an overview of the security aspects of the 'new'
Internet Protocol IPv6. Participants will learn the differences to IPv4
- related to security. The training also covers a deep dive into
selected protocol details and their accompanied attacks including
demonstrations. The participants will get recommendations on the
mitigation of IPv6-related attacks and how to strategically approach
IPv6 Security in an organization. Last but not least an overview of
useful IPv6 Security Resources and Tools will be provided.
Yasunari Momoi (IIJ)
- US
Learning from chaos, cloud and scale: Netflix SIRT
Alex Maestretti (Netflix, US), Swathi Joshi (Netflix, US)
Alex Maestretti leads the Security Intelligence and Response Team at Netflix, with previous gigs at Apple and the US Government. Our SIRT reflects Netflix’s culture and technology stack. We are a small team that scales through stunning colleagues and engineering. Our technology stack allows us to be agile in responding to security incidents, and recover quickly, which in turn allows smart risk taking. Overall our goal is to understand threats to Netflix through intelligence gathering, and buy down risk across a broad range of threats through Incident Response.
Swathi currently works at Netflix as Senior Technical Program Manager, on the Security Incident Response team where she is responsible for crisis management and maturing the incident response function.
Prior to that, she worked at Mandiant as an Engagement Manager, advising and being the front line defense on security issues to 20+ clients. Prior to being a security consultant, she was Associate Director of Information Security at CEB/Gartner where she led the identity and access management team, client engagement and other technical security projects.
Swathi has her MS in Information Security from George Mason University and her BS in Computer Science from Nitte, India. She currently sits on the board of Sahasra Deepika Foundation for Education.
The Netflix Security Intelligence and Response Team (SIRT) has grown out of the unique Netflix culture and technology stacks and taken a non-traditional approach. We seek to make SIRT central to our learning security organization while buying down risk across a broad range of known and unknown threats. To achieve this we are leveraging concepts from chaos engineering to introduce continuous testing for security controls and detections spawned out of the post incident review process. Post-detection we are investing in modern forensic and response tools that can scale in the public cloud and leverage immutable deployments in production. On the corporate side we are developing best practices for IR in a fully SaaS environment, and rethinking our approach to network and endpoint security monitoring with identity as the new perimeter. This allows us to grow our response capabilities through engineering and new approaches as opposed to large multi-tiered SOCs with linear staffing requirements. We believe this approach can enable even modestly resourced security teams to have significant impact through their IR programs, and would like to share some of our thoughts for discussion.
Lessons Learned from 24 Years of Coordinated Vulnerability Disclosure (CVD)
Allen Householder, CERT/CC
The CERT/CC has been coordinating vulnerability disclosures since our inception in 1988. In the past year we have been analyzing our own case tracking data going back to 1993, with a focus on the distribution of case workloads over time. In this talk I'll share our findings from that analysis, showing how over time the workload is dominated by a relatively small number of cases -- and why as a result CVD participants
shouldn't rely exclusively on traditional measures such as case counts or averages when assessing the impact of their CVD efforts. The talk will also relate these findings to the CVD advice we included in the CERT Guide to Coordinated Vulnerability Disclosure.
PSIRT TC 2018
Atlanta, US
February 28, 2018 15:00-16:00
Hosted by Honeywell
Leverage OSINT to Trace APT Group
Bowen Pan (360 Enterprise Security Group)
Bowen is Senior Threat Analyst at 360 Enterprise Security Group. He has been a security professional over 5 years. His researches focus on APT investigation and threat intelligence. He is the first finder of PoisonCake which is a famous Trojan. He is author of "Underground Economy of DarkMobileBank".
APT attack is a major security concern for private organizations and states, since it could gain access to sensitive data and cause other unpredictable consequence. For security analyst, APT attacks are not easy to be detected and traced due to limited threat intelligence.
This presentation will introduce our practical methods of tracing APT groups by leveraging Open Source Threat Intelligence (OSINT), as well as summary of common APT attack vectors and trends in 2018 1H.
Presentation Outline
-
An introduction of useful OSINT for APT research
OSINT is always a good friend for security analyst. Some OSINT sources could benefit APT research like collecting IOC, tracing actors, and so on. We will share our 'secret recipe' from OSINT practice.
-
Practical threat hunting skills of tracing APT groups.
First, We will go through several theories of threat intelligence and threat hunting which are guidelines for analyst. Then we will share our several hunting or tracing skills which are based on our hands-on experience.
-
Landscape summary of APT attacks in 2018 1H
We conducted a study for 6-month (2018 1H) APT attack data which is from 360 Threat Intelligence Center. Our study aims to illustrate evolution of Tactics, Techniques, Procedures (TTP) of active APT groups, attacked targets, and so on.
- IT
Malvertising: an Italian Tale
Andrea Minigozzi (Leonardo Spa, IT), Antonio Rossi (Leonardo Spa, IT)
Antonio Rossi is a former investigator of Italian Economical and Financial Police Special Units (Guardia di Finanza - GAT), with twenty years experience in digital crime investigation and fraud management.
He is actually employed in Leonardo Company as Head of LDO-CERT.
Andrea Minigozzi is a certified CISSP, GCFA and OPST Security Professional with seventeen years experience, encompassing SOC/SIEM, malware analysis, investigating security incidents, computer and network forensics, ISO 27001/NIST/COBIT audits and hardening of various devices. Andrea is project owner for FG-Scanner project.
Clusit (Italian Cyber Security Professionals Networks) and ISC2 Italy Chapter member.
When a small advertisement becomes a big risk: follow our Incident Responders deep investigating a rare malware infection via hot advertisement. During the speech you will be guided to the entire process, from Early Warning to Remediation, including HR approach to the user.
We will cover new aspects about Malvertising as Social Profiling capabilities used to targeting the attack and how attackers mask their identity behind the advertisement network.
At the end of the presentation, a section about preventive measures implemented will be explained as result of "Lesson Learned Phase".
- LV
Malware Reweaponization - A Case Study
Karlis Podins (CERT.LV, LV)
Karlis is a PhD student with University of Latvia and threat analyst with CERT.LV. Karlis has 10 years of work experience in cyber security in military and government positions, currently with national CSIRT of Latvia
The topic of this research is binary editing of captured malware samples to turn them into deployable cyber attack tools, we call this process reweaponization or malware reuse. Cyber attack reflection or cyber attack ricochet is also used in related literature.
The authors demonstrate a working proof-of-concept of reweaponization by replacing payload in an up-to-date, real world APT malware sample (discovered year 2017, contains 3 0days), while leaving the exploitation part intact. Furthermore, two separate paths for malware reweaponization are shown:
- replacing whole payload
- replacing C&C domains
The sample analysed consists of several layers, that need to be thoroughly analysed and repackaged for successful binary editing:
- MS office document
- embedded postscript image
- packed postscript
- shellcode
- packed shellcode
- dropper executable
- payload executable
- C&C domains
Authors will describe the analysis process step-by-step, the binary modification and reverse process to get hold of modified working sample.
Malware reweaponization is not novel, it has recently been mentioned in public discussions, and there is evidence of this technique being used for several years by intelligence agencies. The purpose of our proof-of-concept is to demonstrate the ease with which reweaponization can be achieved.
The value of this work is in understanding the cyber threat landscape as it changes. We expect that malware reuse will gain popularity creating additional workload for CSIRT teams and will furthermore complicate the attribution of cyber attacks.
Traditionally, attribution in cyberspace is based on the Tactics-Techniques-Procedures triad, with tools being the category most relied upon. Expanded use of malware reweaponization would render tool-based attribution fairly ineffective, providing a near-perfect false flag cyber operation.
Note: The strict scientific guidelines require to reveal enough information to make our experiments repeatable. Unfortunately this also means any competent reader could make their own cyber weapon, a clearly undesireable consequence. Thus we do not provide malware sample and detailed instructions (exact byte offsets etc). In authors opinion this decision in no way affects our contribution, as the main goal of technical section is to demonstrate that malware reweaponization is relatively easy.
Beverly Finch, Lenovo
Handling large amounts of information across numerous vulnerabilities and communicating with everyone who needs the information can be tricky! In this talk, I will take the audience through how Lenovo has matured over the course of 3 years from tracking a few vulnerabilities in spreadsheets to Jira ticketing and then most recently to Jira + database integration.
This presentation is needed at FIRST based on many conversations I've had with industry peers and the PSIRT community. Many PSIRTs have multiple brands with many products which have hundreds of components. Each component has hundreds (or thousands) of 3rd party source code/open source code with vulnerabilities reported every day. Exactly how does a PSIRT document, assign and track all this complexity?
After 3 years, Lenovo has solved this problem and would like to share with other PSIRTs/CERTs who encounter similar tracking nightmares.
I plan to document, in presentation format, lessons learned, what information to track, SLA integration/ metrics and what information we used to load the integrated database.
PSIRT TC 2018
Atlanta, US
February 27, 2018 11:30-12:00
Hosted by Honeywell
Tania Ward, Dell EMC
Handling large amounts of information across numerous vulnerabilities and communicating with everyone who needs the information can be tricky! In this talk, I will take the audience through how Lenovo has matured over the course of 3 years from tracking a few vulnerabilities in spreadsheets to Jira ticketing and then most recently to Jira + database integration.
This presentation is needed at FIRST based on many conversations I've had with industry peers and the PSIRT community. Many PSIRTs have multiple brands with many products which have hundreds of components. Each component has hundreds (or thousands) of 3rd party source code/open source code with vulnerabilities reported every day. Exactly how does a PSIRT document, assign and track all this complexity?
After 3 years, Lenovo has solved this problem and would like to share with other PSIRTs/CERTs who encounter similar tracking nightmares.
I plan to document, in presentation format, lessons learned, what information to track, SLA integration/ metrics and what information we used to load the integrated database.
PSIRT TC 2018
Atlanta, US
February 28, 2018 10:00-10:30
Hosted by Honeywell
MISP/TheHive
Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)
Course Level: Beginner
Intended Audience: Security/SOC analysts, CSIRT/CERT team members
Pre-requisites: See attached document.
Abstract:
The goal of the tutorial is to familiarize participants with Incident Response and Cyber Threat Intelligence using TheHive, a Security Incident Response Platform, Cortex, a powerful observable analysis engine and MISP, a popular threat sharing platform. All software is free and open source.
Topics:
- TheHive, Cortex & MISP Overview,
- Installing & configuring the product stack
- Bringing it all together
- An IR case study
- Dealing with notifications
- How CTI feeds IR
- How IR feeds CTI
- The CTI-IR cycle: case study
- FI
Motivating to Successful Collaboration with Results
Lasse Laukka (Ericsson PSIRT, FI)
Lasse Laukka works as a senior specialist in NCSC-FI at Ficora. Lasse is responsible for developing the situational awareness and collaboration at NCSC-FI. Previously Lasse has worked at a PSIRT (Ericsson) and participated in the ISAC activities which gives Lasse a wide view to collaboration from many angles.
At NCSC-FI we are used to work with relatively low budget, not so many people but still justifying our place in the country by delivering accurate, real-time and useful information to our constituents. One and very important part of this is active dialog with both private and public sector. Collaboration and effective way of working is the key to success.
The presentation gives an overview of our 15 year journey so far: where we started, what we did in order to establish active collaboration networks for Finnish industry and government, what we have achieved (providing sensor network data for our constituents, confidential sharing of information, quick response times during the incident, uniting security professionals) and how we are planning to improve the maturity of collaboration in the future.
One of the key factors that makes collaboration possible is trust and added value. We do this by distributing information based on our network scanning during major incidents (i.e. ROBOT-vulnerability, wannacry, heartbleed), sensor network detections(HAVARO) and anonymized data sharing(daily and weekly reporting). This motivates the network to also share information.
The presentation gives ideas on how you can bring added value to your constituents and collaboration networks. The focus groups are the organizations that are maintaining are running active collaboration but also those who actively participate in such activities.
- US
“Moving to The Left”: Getting Ahead of Vulnerabilities by Focusing on Weaknesses
Jim Duncan (Jim Duncan, US)
I have been involved in cybersecurity incident response since before the Morris Worm. I have been attending FIRST since 1991 and I became the first full-time hire onto the Cisco PSIRT in 1999. In 2008 I joined the Juniper SIRT when it was re-bootstrapped, and in 2012 I moved over to the newly-formed Juniper Secure Development Lifecycle team. I have a BA in Religion from Auburn University and a BS in Computer Science from Old Dominion University. I have a wide range of outside interests including soccer refereeing, firearms range safety, parliamentary process and piano and string instrument technology.
If I have learned anything from nearly thirty years of CSIRT experience, it is that the number and complexity of vulnerabilities continue to grow as fast as (or faster than) our plans to deal with them. We continue to develop and improve tools for vulnerability management, classification, analysis, communication and so on, but these are all merely coping strategies. There will always be water in the basement, no matter how fast we run the pump (nor how many pumps we put into service).
Just as health professionals move beyond epidemics and infected individuals to improvement of environments and lifestyles that lead to less disease and improved quality of life, so do we need to shift our focus away from vulnerabilities and onto the conditions that allow them to exist. All vulnerabilities depend on the existence of one or more weaknesses, usually in coding or design. The inverse is not true; not all weaknesses result in vulnerabilities. However, because of the former relationship, if we remove or reduce weaknesses, we get vulnerability elimination for free as a side effect.
In this one-hour presentation, I will explain this concept and walk the attendees through the structure of the Common Weakness Enumeration. I will give concrete examples of improvements that come with weakness identification and analysis. Shortly after changing jobs from the Juniper SIRT to the Juniper Secure Development Lifecycle program nearly five years ago, I instigated modifications to Juniper’s problem reporting system, GNATS, so that weaknesses could be identified as as part of PR management and CWE labels could be assigned to individual flaws. The grouping of individual weaknesses into larger groups enables trending and analysis. It has become a fundamental part of our penetration testing reports and the results allow us to target certain failures in coding and design. In particular, managers and directors are empowered by the results to implement changes in training requirements and shift focus on bug resolution, for two examples.
Separately, without regard to specific products, by studying large numbers of CWE labels attached to a variety of problem reports from across our entire development organization, I have produced a “Top Ten Weaknesses Report” for all but 2017. By comparing to industry trends, we can quickly identify where we are consistent with our vendor peers and take advantage of already-available resources for improvement. We can also see where we diverge from our peers and take action on our own to implement improvements.
Next, I will help attendees with tips and tricks for mapping specific findings to a range of CWE labels, help identify which may be the “best” label with regard to grouping and trending analysis, and also show the interplay between CWE, CVE and CAPEC labels. Lastly, I will offer some prognostications on the future of the CWE project and weakness study and processing in general. For any PSIRT with a nascent SDL function, this is a matter of survival. By “moving to the left” – getting ahead of software development coding and into the earlier design phases – a focus on weakness pays real dividends in reducing the overall incidence of vulnerabilities.
And that, as we well know, keeps costs down by “vulnerability containment”, keeping flaws from escaping into customers’ networks.
- JP
Multi-dimensional Malware Similarity will let you Catch Up with Malware Developers
Koji Yamada
Ryusuke MasuokaKoji Yamada (Fujitsu System Integration Laboratories, JP), Kunihiko Yoshimura (Fujitsu System Integration Laboratories Limited, JP), Ryusuke Masuoka (Fujitsu System Integration Laboratories, JP), Toshitaka Satomi (Fujitsu System Integration Laboratories, JP)
Kunihiko Yoshimura
Kunihiko Yoshimura is a cybersecurity researcher with Fujitsu System Integration Laboratories (FSI) in Toranomon, Tokyo. He joined Ahnlab Inc. in Apr 2010 to work on A-SOC managed security service as security analyst, and he analyzed many alerts and many incidents though MSS operation about 4 years. He joined Verizon Inc. in May 2014 to work on Japanese SOC MSS as startup member of security analyst. He joined FSI in Apr 2015 to conduct cybersecurity research.
Koji Yamada
Koji Yamada is a cybersecurity researcher at Fujitsu System Integration Laboratories in Toranomon, Tokyo.
He was engaged in FJC-CERT activities over 2 years and his interests are cyber threat intelligence, machine learning, and deception technologies.
Toshitaka Satomi
Toshitaka Satomi is a cybersecurity researcher with Fujitsu System Integration Laboratories (FSI) in Toranomon, Tokyo. After graduating Tokyo Institute of Technology with his bachelor's degree in 1997, he joined Fujitsu Personal Computer Systems to work on F-BASIC compiler, financial systems for an insurance company, and other systems. He got involved in a cybersecurity research project and helped build many cybersecurity prototypes and systems. He joined FSI in April 2017 to conduct cybersecurity research.
Ryusuke Masuoka
Dr. Ryusuke Masuoka is a research principal at Fujitsu System Integration Laboratories Limited in Toranomon, Tokyo, Japan, working on Cyber Security. Since joining Fujitsu Laboratories Ltd. in 1988, he conducted research into neural networks, simulated annealing, and agent systems. After moving to Fujitsu Laboratories of America, Inc. in March of 2001, he engaged in researches on pervasive/ubiquitous computing, Semantic Web, and bioinformatics, from which Task Computing resulted. Then he extended his research into Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things and Cyber Security. He also led numerous standard activities and collaborations with universities, national and private research institutes and startups. From the beginning of 2012, he started working on Anti Cyber Attack Solutions at Fujitsu Laboratories Limited. He joined the Center for International Public Policy Studies in July 2012 and studied Cyber Security Policy for two year. He is with Fujitsu System Integration Laboratories Limited since July 2014.
The speaker will talk about the importance of multi-dimensional similarity between malware pieces and how it can change your malware analysis workflow and the game between you and malware developers. We have named the system to calculate multi-dimensional similarity “Sample Similarity Scoring System” and we will refer it as S4 in what follows.
We will also describe a couple of successful S4 applications to real pieces of malware Some of the problems malware analysts encounter are:
- More and more malware pieces are developed and deployed and it has become very difficult to keep up with the pace of increasing malware pieces
- Some malware has anti-sandbox capabilities to evade its detection by sandboxes
- Some software provides a "malicious score" for malware, but the score does not help how to proceed with malware analysis.
When an analyst encounters a new piece of malware, she first needs to determine the type of malware so that she can come up with an appropriate analysis procedure. Is it one of RATs, ransomware, a simple downloader, or totally a new kind? This is the first step of analysis and time-consuming, but it is critical and needs to be done right as it will affect the later analysis stages. If she can determine which past malware is similar to the new malware, she can leverage the knowledge and her past analysis workflow to tackle the new one. Some analysts utilize similarity tools like sdhash or ssdeep to determine the similarity of the new piece of malware to the malware pieces that they have analyzed before and/or famous malware families. However, this approach has one drawback, that is, malware developers have learned to evade their malware’s being detected of malware’s similarity to their past work. This is where “multi-dimensional” similarity comes to rescue. S4 employs more than 10 similarity tools/algorithms to calculate similarity scores between the new piece of malware and those malware pieces already in the S4 system. (Similarity tools and algorithms include fuzzy hashes, entry point, binary entropy, and our original algorisms based on Called APIs, Called DLLs, and their sequences.) However, it would be difficult for human analysts to interpret all the individual scores, so the S4 system summarizes those scores into (currently) three dimensions, namely, surface analysis, dynamic analysis, and geometric analysis similarity scores. Even if malware developers have managed to manipulate a couple of similarity scores, it would be extremely difficult for them to defeat all the tools and algorithms.
Other S4 merits include:
- An S4 instance can share past malware analysis results by files (currently in our proprietary file format, but STIX 2.x format planned for future) with another S4 instance to calculate the similarity scores of the new malware against past malware pieces from the original S4 instances (as well as those from itself).
- Even if a new piece of malware has anti-sandbox capabilities, S4 may be able to determine it similarity to the past malware pieces through its evasive behavior. Actually S4 has successfully determined one piece of malware to be in the WannaCry family through this evasive behavior similarity even though all the other similarity methods failed.
Nepal Cyber Security Landscape
Saroj Lamichhane (Rigo Technologies Ltd)
- CR
New Types of Attacks: The Evolution of Ransomware as a Service
Susan Ballestero Rosales (BsidesSJO, CR)
Currently Senior Analyst for an Irish Company, passionate about Information Security specially everything with incident response, with 10 years of experience in Information Technology with multinational companies. Master’s degree in Information Technology Project Management. #PuraVida
The last year I had the opportunity to present at FIRST about ransomware, however I have been doing research about the ransomware as a service, the different threat actors and their techniques tactics and procedures , this research involved the evolution for ransomware , how everything began with a free ransomware solution for educational purposes and how it became a new industry, currently in evolution, we will evaluate how the threat actors made platform so much easily to use that even people with zero knowledge will be able to use it, the different industries that those ransomware have been affecting and what can we expect in the future in areas such as Internet of things, wearable devices and smart cities.
I had the opportunity on my previous job to work on a technical paper, obtaining the TTP's for different RaaS, which I would love to share with the community and how they have been changing.
This research will benefit: Incident response teams (SOC, Red team, threat
intelligence among others)
Some of the data I would love to share is about my favourites
ransomware in this area,specially because they have developed platforms that have better support than some programs we have to pay a license for it.
- PL
Not Just Indicators: Data Processing with n6
Paweł Pawliński (CERT Polska / NASK, PL)
Paweł Pawliński is a principal specialist at CERT.PL. His past job experience include data analysis, threat tracking and automation. He is responsible for the design and implementation of the n6 platform for sharing security-related data and designed systems for large-scale monitoring of attacks on the internet.
Paweł is an author of publications and trainings, with the focus the collection, analysis and exchange of information by CSIRTs.
This technical workshop will introduce an open-source system for automated collection, processing and exchange of security information. If you deal with non-trivial amount of abuse reports, indicators, logs or any other data feeds and looking for new tools, this session might be of interest to you.
Back in 2011, our team was facing a common problem: a lot of potentially valuable data available but too limited resources to make use of it. We approached that problem by trying to reorganize our data handling processes, integrate and normalize multiple information sources, and automate whatever we could. In a short time we were able to deliver actionable data feeds to our constituents and scale up collection capabilities significantly. That was the beginning of n6 a.k.a. our in-house automation platform.
What started as a couple hundred lines of Perl and shell scripts, has later developed into a modular stream-processing framework with a scalable database and tooling that is supporting an important part of our operational activities. In 2018 we are finally ready to make a proper release of the software on an open-source license.
During the workshop we will present the design of n6 and its main components: collection modules, data enrichment, APIs, frontend. We will explain similarities, differences and existing integration mechanisms for other popular tools, especially IntelMQ and MISP. We will also show the practical examples of how n6 is used by CERT.PL for communicating with the constituency but also for obtaining insights into threats on a country level.
The introduction of the system will be followed by a practical hands-on part. You will learn how to configure, run and extend n6 to fit your data processing pipeline.
We will finish off with a discussion on the future development plans, with the focus on getting feedback on features that can be useful to other CSIRTs.
This workshop follows the open-source release of the software and is the first opportunity to present it to the wider community. Source code:
https://github.com/CERT-Polska/n6
What to bring: Laptops with recent VirtualBox are recommended for the hands-on part. VM images will be distributed during the workshop.
- CZ
Patchwork : From One Malicious Document to Complete TTPs of a Medium Skilled Threat Actor
Jaromir Horejsi, Jaromir Horejsi (Trend Micro, CZ)
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, Virus Bulletin, FIRST, AVAR, Botconf and CARO.
Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigation for years, sometimes in IT infrastructures involving thousands of hosts in big French companies. When not on the trail of online attackers, Daniel still spends time in front of a keyboard — on a piano.
Patchwork seems to be a capable threat group likely based in Southern Asia. The modus operandi we monitored shows a threat actor without access to zero-day vulnerabilities, but one that focuses on carefully targeting victims and creating convincing lures. Patchwork installs known or custom RAT malware by using weaponized documents with the target's topics of interest. Furthermore, carefully designed phishing websites provide them with credentials for gathering sensitive data from high-value targets, including ranking military officials and individuals in the aerospace, mass media and online retail companies.
This topic covers how we discovered a large part of the group's infrastructure as well as multiple lure documents and RAT malware they used—all from one malicious document and the use of threat intelligence and reverse engineering methods.
During the investigation, we discovered how the threat actor manages to infect his targets, what tools he uses and how they have evolved. The discussion also details how they deliver spear phishing emails, which RAT tools they use, how they perform phishing and credential harvesting, and which tools they use to monitor and exfiltrate sensitive data.
The discussion will cover several chapters:
• The start of the investigation
• Examples of weaponized delivery documents and their analysis
• Backdoors, remote access tools, and how they evolved over time
• File stealers and hard disk monitoring tools and their evolution
• Analysis and overview of infrastructure
• Phishing kits and credential harvesting
• Targets and victims
• Countermeasures and defense strategies against future attacks
• Summary of the tricks involved in all these findings
During the presentation, we will share additional details about this threat actor, including the threats, tactics, and procedures (TTP) and various indicators of compromise (IOC). We will also discuss how DFIR practitioners can use these techniques to gather IOCs, facilitating the prevention of future attacks from a similar threat actor.
Practical Tabletop Drills for PSIRTs (Part 2)
Ken van Wyk, KRvW and Derrick Scholl, Juniper
You’ve built your PSIRT and planned for every conceivable situation, right? How do you know they’ll succeed when pushed to the breaking point? In a prior PSIRT FIRST TC in Raleigh, Ken van Wyk presented a practical session on how to design and deliver tabletop drills to test your incident response capabilities. In this hands-on lab session, together with Juniper’s Derrick Scholl, we’ll take that training further and run a fictional tabletop drill that has been tailored to a highly realistic PSIRT-specific nightmare scenario. The session will begin with a quick re-hash of tabletop essentials from Ken’s session in Raleigh. We will then will enroll several audience volunteers to play key PSIRT roles during the drill. The team will include key stakeholders in the fictional PSIRT’s general counsel, human resources, media communications, and executive decision team. With that audience PSIRT in place, we will then run through a realistic scenario. The remaining audience will then critique the PSIRT’s performance. Attendees will gain practical guidance on how to deliver a meaningful tabletop drill that tests their PSIRT’s capabilities under fire.
PSIRT TC 2018
Atlanta, US
February 27, 2018 15:15-16:15
Hosted by Honeywell
- US
Preparing the Village - Lessons Learned in Cross-Industry Vulnerability Disclosure
Phillip Misner (Industry Consortium for the Advancement of Security on the Internet (ICASI), US)
Phillip Misner is a Principal Security Group Manager with the Microsoft Security Response Center and the President of the Board of Directors for ICASI. In his role at Microsoft he manages the Ecosystem Strategy team. That team drives security researcher engagement, Microsoft's bug bounty programs, industry and government collaboration, and public engagement for MSRC. Previously he led the crisis management team for over ten years driving Microsoft's response to the biggest incidents. As a senior leader on the team he works broadly across Microsoft and the industry to better protect and educate customers on topics in security and privacy.
Phillip has worked in the Microsoft Security Response Center for over eleven years and a total of seventeen years in the technology industry. Prior to joining MSRC in 2006, he spent six years in product development in the Internet Explorer, Windows, and Developer Divisions.
On Monday, October 16, 2017, the world awoke to news of a protocol vulnerability in WPA/WPA2. Branded as the "KRACK Attack", this vulnerability impacted virtually every device with a wireless router. As soon as the vulnerability was announced, many vendors announced fixes. This was the result of a large scale coordinated disclosure effort organized by the Industry Consortium for Advancement of Security on the Internet (ICASI). Through collaboration among members, partners, and the researchers, this coordinated disclosure minimized the impact of this vulnerability.
During this session, the President of ICASI will provide insight into how this coordination took place and explore what this experience means moving forward. This will be an open and honest conversation about what happened and will touch on topics such as what worked well, what did not, who was notified and how those notifications took place, and what lessons learned this experience has for FIRST’s work in Multi-Party Vulnerability Disclosure.
The call action for participants will focus on tips on when to coordinate, practical skills for multi-party coordination, better coordination, and how to enable quick understandings for defender audiences.
- US
Professionalizing the Field of Cybersecurity Incident Response
Tom Millar (US-CERT, US)
Mr. Millar has been a member of US-CERT for 10 years, serving as its Chief of Communications for most of that time. In that role, he has worked to strengthen US-CERT’s information sharing capabilities, increased the level of public, private and international partner engagement, and supported initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.
For 30 years, CSIRT work and cybersecurity have been practiced by a diverse community of technically inclined, curious problem solvers, and we have made great strides in the practice over that time. However, if we are going to tackle the tough problems that lie ahead, including the need to massively expand the number of qualified cybersecurity workers and the need to have our voices heard in policy and legislative discussions, we need to professionalize: “to make an activity into a job that requires special education, training, or skill.”
It’s time for our community to adopt standards of education, training and conduct to ensure we can be trusted to do the right thing and that we can scale up our talent pool without dilution or pollution. This leads to a large number of difficult questions, such as: What are the technical and ethical standards for a CSIRT member (or any cybersecurity professional)? What should they be? How should we govern ourselves, and what kinds of “barriers to entry” should we establish?
This talk will discuss some of the positive and negative impacts that might come from professionalization, some steps we need to take as a community, and why our field needs to go ahead and do it sooner rather than later.
PSIRT Framework Update
Peter Allor, Honeywell
PSIRT TC 2018
Atlanta, US
February 27, 2018 09:15-10:15
Hosted by Honeywell
Qubes OS
Xavier Bahuon (Action Cyber)
Noumea TC
Noumea, NC
September 10, 2018 10:00-10:30
Hosted by APNIC
Xavier_Bahuon_QubesOS.pdf
MD5: b4ae871233bf31d8302015a09d09452d
Format: application/pdf
Last Update: June 7th, 2024
Size: 606.11 Kb
- JP
Mariko Fujimoto (The University of Tokyo, JP), Takuho Mitsunaga (The University of Tokyo, JP), Wataru Matsuda (The University of Tokyo, JP)
Wataru Matsuda joined NTT WEST, Ltd. in 2006.
In 2015, he joined Watch and Warning Group of JPCERT/CC, where he was engaged in information gathering and early warning activities.
Now as Project Researcher of Secure Information Society Research Group, the University of Tokyo, he is engaged in research on cyber security especially log analysis for detecting targeted attacks.
Mariko Fujimoto joined NEC Solution Innovators, Ltd. in 2004 and worked for development of software and systems for internal control.
In 2015, she joined Watch and Warning Group of JPCERT/CC, where she was engaged in information gathering and early warning activities.
Now as Project Researcher of Secure Information Society Research Group, the University of Tokyo, she is engaged in research on cyber security especially log analysis for detecting targeted attacks.
Dr. Takuho MITSUNAGA Project Associate Professor, Graduate School of Interfaculty Initiative in Information Studies, The University of Tokyo. He is also Research Fellow at Information-technology Promotion Agency in Japan.
After completing his degree at Graduate School of Informatics, Kyoto University, Mr. Mitsunaga worked at the front line of incident handling and penetration test at a security vendor.
In FY 2010, he led an R&D project of the Ministry of Trade, Economy and Industry (METI) for encryption data sharing system for cloud with
an efficient key managing function. He has been a member of Watch and Warning Group of JPCERT/CC since April 2011, where he is engaged in cyber
attack analysis including APT cases. He has also contributed in some cyber security related books as coauthor or editorial supervisor including “
Information Security White Paper 2013”.
Many organizations have experienced damages of targeted attacks. In detection of targeted attacks inside network, indicators such as C&C server domain and IP address can be useful. For this reason, information sharing scheme has been developed globally during the past years. One of the examples is a standardized format for automated indicator sharing, STIX, introduced by MITRE.
However, STIX had not been widely implemented in Japan until recently. According to a survey conducted in NCA (Nippon CSIRT Association) in 2015, only 3% of members have used STIX for threat information exchange at that time.
To cultivate a better understanding of STIX in Japan, the University of Tokyo has provided trainings for CII companies and academia. As a result, STIX has gradually become popular in Japan.
As STIX-formatted indicator exchange increases, however, there are new challenges. In detection of cyber attacks, users are required to compare increasing number of shared indicators against a large amount of logs stored in their network, which consumes quite a lot of resources. Indicators serves two purposes: 1) detecting communication that occurred from their own network to suspicious hosts in the past, and 2) blocklisting malicious hosts so that potential damage is prevented. In order to satisfy both of the function, the University of Tokyo developed a tool analyzing logs effectively by integrating logs into Elasticsearch.
Our tool compares proxy logs with STIX format indicators upon the following triggering actions:
-When logs are imported (in real-time)
- Compare logs with preset blacklist stored in Elastic Stack, and raise an alert if any matches
-When indicators are imported (on-demand)
- Compare indicators with past logs, and raise an alert if any matches
- Add indicators to blacklist
We will present how our tool is effective in detecting attacks and reducing incident response time.
- JP
Red Team vs Blue Team Tabletop Exercise and Random Scenario Creation Using Cards
Chiyuki Matsuda (DeNA Co., Ltd., JP), Mitsuru Haba (Canon Inc., JP), Satoshi Yamaguchi (NTT, JP), Takashi Kikuta (transcosmos Inc., JP), Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP), Yusuke Kon (Trend Micro Inc., JP)
Yoshihiro Masuda is chief investigator of Incident Handling Exercising Method Developing Working Group of Nippon CSIRT Association. Mitsuru Haba is co-chief of the working group. Yusuke Kon, Takashi Kikuta, Chiyuki Matsuda, and Satoshi Yamaguchi are members of the working group.
Incident handling exercise is an effective method for improving capability of CISRT. We developed a tabletop exercise method and toolkit, which has following features,
- Red team vs blue team interaction
- Random scenario creation using cards
We examined user acceptability of the method through several trials in largest CSIRT community in Japan, and applied to a group training in TRANSITS workshop held in Japan.
In our presentation, we will introduce the exercising method and make short demonstration. Also we will share the toolkit.
Reference Incident Taxonomy for CSIRTs
Rossella Mattioli and Yonas Leguesse, ENISA
ENISA has set up a Task force with the goal of driving the CSIRT community towards agreeing on a common reference taxonomy for incidents. In this presentation we will provide an overview of the task force and its goals, as well as its current status and proposed way forward.
- JP
Removing the Pain From the Repetitive Processing of Vulnerability Reports Using a Vulnerability Ontology
Masanobu Katagi (JPCERT/CC, JP), Takayuki Uchiyama (JPCERT/CC, JP), Masaki Kubo (NICT, JP)
Masanobu Katagi
Masanobu is a member of Vulnerability Coordination Group at JPCERT/CC.
Since July 2017, he has been engaged in coordination of vulnerability reports with PSIRTs, and the analysis of incoming vulnerability reports.
Prior to joining JPCERT/CC, he was involved in research on cryptographic algorithms and their implementations and was also engaged in standardization efforts of cryptographic algorithms
Takayuki Uchiyama
Taki is member of both the Vulnerability Coordination and Global Coordination Groups at JPCERT/CC. Main tasks involve the coordination of vulnerability reports with PSIRTs, being involved with various discussions groups related to the identification / analysis / coordination / disclosure of vulnerabilities. In addition to this work, he also collaborates with various CSIRTs across the globe, with a focus on the Asia-Pacific, where he is involved in capacity building and trainings.
Masaki Kubo
Masaki Kubo is an executive technical researcher of NICTER analysis team at NICT, National Institute of Information and Communications Technology where he leads the NICT’s darknet analysis as well as the internal threat analysis operations. He previously worked 13 years for JPCERT/CC where he managed vulnerability handling operation and secure coding initiative.
JPCERT/CC has been coordinating and disclosing software vulnerabilities since 2004 when the vulnerability handling framework was established in Japan. Over the past few years, the number of vulnerabilities that have been reported to this framework has increased sharply. Until 2014, the maximum number of reports received for a single year never exceeded 300. Since then, this number has increased significantly, with a peak number of over 1,000 in 2016. With a team of less than 10 people, traditionally manual processes such as analysis of reports and the writing of advisories have not scaled well. On the surface, while these processes seem to be independent, these processes utilize the same information to perform tasks that are essential to coordinating software vulnerabilities.
For these processes to scale, automating wherever possible is essential. In order to automate these processes, JPCERT/CC thought "Is there a way where we can use a common language to communicate vulnerability information?" Vulnerability reports are typically written by people, and various terms / words can be used to describe the same issue. Reading through these various reports to identify the vulnerability and its effects as well as verifying whether there is sufficient information provided in the report for the vendor to remediate the vulnerability takes time. In our attempt to solve this problem we came across NIST IR 8138 "Vulnerability Description Ontology".
We have attempted to take this ontology and see if it can be utilized to automate some of our coordination processes. In this presentation, we will discuss briefly about the ontology itself and some of its components, how it has helped in scaling our analysis process as well as how it has assisted in automating our advisory writing process. We also will consider some ways in which this information can be shared with other organizations to help assist coordination activities.
Sailing the Seas of Open Source - a year in the life of OSS security
Chris Robinson, Red Hat
Avast ye scurvy dogs! Set sail to ADVENTURE with a recap of the year's Open Source security as shared by Red Hat Product Security. Don't walk the plank of jumping into OSS without understanding what ye'er in for!
PSIRT TC 2018
Atlanta, US
February 28, 2018 10:45-11:45
Hosted by Honeywell
- TH
Scaling Up Security to the Whole Country
Martijn van der Heide (ThaiCERT, TH)
Martijn van der Heide has been working in the security field for more than 20 years.
Currently he works as a consultant at ThaiCERT, the National CERT of Thailand, to help set up security further in the country. His role includes incident response and threat intelligence for the operational CERT team, as well as training and consulting.
Before that, he worked at Royal Dutch Telecom, KPN, the incumbent telecom provider of The Netherlands, where he set up KPN-CERT which he chaired for 12 years until he met and married a Thai woman at the FIRST Conference 2013 and was invited to move to Thailand.
Until 2 years ago, there was only 1 CERT team for the entire country of Thailand. This relatively small National CERT team has done amazing work, but cannot possibly do everything needed to protect the government, critical infrastructure and all 76 million citizens.
After a thorough assessment of the country's security posture, a bold plan was drafted how to scale up security throughout the country. This was established into law at the end of 2016.
The first and foremost challenge is the lack of people, tools and procedures to establish teams at all organizations.
We started by implementing a central government protection solution to combat a large percentage of incidents such as website defacements and infections.
Then we began to establish sector-based CERT teams for all critical infrastructure, allowing a better pace in implementing security in the individual organizations while having some form of incident management and coordination in place already. New services have been added to the ThaiCERT portfolio to accommodate this - for example our own annual security conference and a threat intelligence service with daily news feeds.
The next step was improving awareness at a young age, for which we teamed up with other organizations to produce workshops and training in schools, first in Bangkok only, now spreading out to other cities.
For the next year, we have ambitious targets on capacity building to steeply increase the security work force in the country. For this, we work with universities and organizations such as CMU and ISC2 to create professional training programs that can scale to 1000 professionals per year.
This presentation will also cover how the ThaiCERT organization deals with being stretched to breaking point and the cultural and language challenges I experienced myself as one of material authors, trainer and responsibility for threat intelligence.
- IN
Securing your in-ear fitness coach: Challenges in hardening next generation wearables
Sumanth NaropanthSumanth Naropanth (Deep Armor, IN), Sunil Kumar (Deep Armor, IN)
Sunil Kumar is a Security Analyst at Deep Armor. He has vast experience in pentesting web applications, mobile applications and IoT products. In addition to penetration testing, he has advanced knowledge of AWS and development skills in node.js and python. Prior to Deep Armor, Sunil worked as a security engineer for Olacabs and Aricent technologies.
Sumanth Naropanth is a technical expert in security research, vulnerability assessments, security architecture & design, and incident response. He has held several security leadership positions, has developed detailed frameworks for Security Development Lifecycle (SDL) for large corporations, and has managed global teams that executed those SDL activities. Sumanth is the founder and CEO of Deep Armor. He previously worked for Sun Microsystems, Palm/HP and Intel. He and his team have published their research at well-known security conferences, including Black Hat Asia, Black Hat Europe, Troopers, Nuit du Hack, Shakacon and so on. Sumanth has a Masters degree in Computer Science (Security) from Columbia University.
Wearable platforms today enable rich, next-generation experiences such as secure payments, specialized sports tracking and precise location monitoring. Data collection is only the first step for these products. The real "user experience" is often the result of a complex mesh of interactions between wearables, smartphones, cloud-hosted array of web applications and analytics software. Designing and validating security for such ecosystems, the kind of which never existed until a few years ago, demands brand-new lines of thinking and security best practices. Wearables live and operate on the human body, collecting a wealth of personal data. This gives rise to new challenges in storing such data securely and conforming to privacy regulations, especially in a world where consumer privacy laws are so diverse.
We take the example of an actual market product which is a head-worn real time, voice activated coaching system that creates and manages training programs for track running or cycling. The "coach" is an NLP-powered voice assistant on the eyewear. User can converse with it hands-free, and get advanced feedback on their performance.
In our presentation, we talk about the security and privacy research that went into designing and developing this in-ear fitness coach, including a custom Security Development Lifecycle (SDL) that accounted for the three "branches" of the program: wearable, phone and the cloud. We present examples of vulnerabilities and privacy problems associated with such new classes of products. While the applications and use cases for wearables are limited only by the designers' imagination, the best practices we have pioneered will be useful and can easily be reapplied by vendors creating new wearables and IoT products. The goal of our presentation is to educate attendees about shedding the old notions of privacy and Security Development Lifecycle when preparing for the products of the future, as well as to discuss interesting security vulnerabilities in such technologies
- FI
Security and Privacy Incident Response at Ericsson
Thomas Grenman (Ericsson, FI)
Thomas Grenman is working as a Security Manager in the Ericsson Product Security Incident Response Team (PSIRT). Ericsson PSIRT is the global security point-of-contact for all products in Ericsson's portfolio. Thomas is responsible for internal and external vulnerability coordination as well as leading and analyzing customer reported incidents.
I will set the stage of this presentation by giving a brief introduction on how privacy as well as product incident response is anchored into Ericsson's security reliability model. I describe the internal privacy assessment as well as those mandatory deliverables that are an integral part of the product development process. I also give an overview of the triage process adhered to by Ericsson's Product Security Incident Response Team. With the stage set, I go into detail on how privacy related incidents are handled, managed, and coordinated within Ericsson. I describe the challenges that arise from having critical infrastructure products deployed and operated under almost all conceivable laws and regulations in nearly all available time zones. While some of the products are managed by Ericsson as a service, some product are hosted and run by external parties under a wide variety of service level agreements. I conclude by presenting ways of working and practices that we have found valuable during real-life incidents. I also discus lessons learned and how those lessons have been used to make our processes even more effective.
- US
Security Response Survival Skills
Ben Ridgway (Microsoft, US)
Ben Ridgway has worked on many unusual projects through his security career. He started with a position at NASA fuzzing and looking for vulnerabilities in spacecraft control systems. Following that, he took job with the MITRE Corporation as part of a team which consulted for the US Government. This work involved everything from pen testing high assurance systems to building Cyber Security Operations Centers. He was hired by Microsoft in 2011 to be one of the original security engineers on Microsoft’s Azure cloud. Today he is a technical lead within the Microsoft Security Response Center’s Cloud IR team. This team is responsible for managing critical security incidents within Microsoft’s cloud and online services.
Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak "Hello?" barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong...
Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds.
Drawing from years of real-word experience, hundreds of incidents worked by Microsoft Security Response Center’s Cloud and Enterprise Incident Response team, and the many lessons learned from some of the greats in IR around the company this talk will delve into:
• Classification of incidents into those requiring high touch and high interaction,
• The human characteristics that contribute to successful outcomes amidst crisis,
• Common pitfalls that can strain and derail investigations, and
• Essential skills and mindset needed to make a career as a security first responder.
Come join us as we share observations on the common traits of successful defenders -- with insights aim at career and occasional defenders alike.
It is now 3:05AM. Everything has gone horribly wrong. They are waiting on you to tell them what to do. This is your time to sink or swim. Good luck.
- NO
Semi-Automated Cyber Threat Intelligence (ACT)
Dr. Martin EianDr. Martin Eian (mnemonic, NO)
Dr. Martin Eian works as a Senior Security Analyst in mnemonic's Threat Intelligence group, and he is the Project Manager for the research projects "Semi-Automated Cyber Threat Intelligence (ACT)" and "Threat Ontologies for CyberSecurity Analytics (TOCSA)". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from NTNU, and he has previously worked as an Adjunct Associate Professor at the Department of Telematics, NTNU.
**Please bring your own computer to participate in the workshop.
In 2016, mnemonic launched the research project "Semi-Automated Cyber Threat Intelligence (ACT)". The project partners are the University of Oslo (UiO), the Norwegian University of Science and Technology (NTNU), the Norwegian National Security Authority (NSM), the Nordic Financial CERT (NFCERT) and KraftCERT.
The ACT project develops an Open Source platform for threat intelligence. The project researches new methods for data enrichment and data analysis to identify threat agents, their motives, resources and attack methodologies. In addition, the project will develop new methods, work processes and mechanisms for creating and distributing threat intelligence and countermeasures, to stop ongoing and prevent future attacks.
Our primary motives for launching the ACT project were to provide a holistic workspace for analysts, automate repetitive tasks, facilitate advanced automated analysis, improve our knowledge of threat agents, facilitate efficient and accurate manual analysis, automate sharing of threat information and countermeasures, and automate the processing of unstructured data.
Threat intelligence analysts use numerous different systems for their daily tasks. They copy and paste data from system to system, then manually try to collate the results. The ACT platform aims to automate such processes, to provide a holistic view of the collated information, and to retain the information for future use.
The ACT project will facilitate sophisticated enrichment of data and the application of artificial intelligence techniques for automated analysis of data and information. These two research areas are the main responsibility of the universities participating in the project.
Automated threat information sharing and countermeasures can significantly improve detection and prevention capabilities. The ACT project has reviewed existing standards and protocols for information sharing and countermeasures. The project also closely monitors standards that are under development.
Finally, masses of data relevant to threat intelligence are available in unstructured formats. Examples include threat reports, academic papers, news articles, blogs, e-mail lists, and wiki pages. The ACT project has implemented and tested prototypes based on natural language processing (NLP) techniques for the extraction of structured data from unstructured sources.
Since the project started we have developed the core platform with API and graphical user interface. We have also developed new NLP techniques and applied these to extract structured data from relevant sources. The project partners and other interested organizations are currently testing the platform. The platform has also been used in live incident response cases, and has proven itself as a useful addition to our arsenal.
Our aim is to make the ACT platform a useful tool for the following roles:
- Incident Responders
- Penetration Testers
- Risk Analysts
- Signature Developers
- SOC Analysts
- Threat Hunters
- Threat Intelligence Analysts
- Threat Researchers
We have created a GitHub repository [1] for the project, where we have published platform documentation and code under the ISC Open Source license.
We have also presented the project in several relevant conferences, including a presentation of preliminary results at the FIRST Conference 2017 [2], a project presentation at the FIRST Technical Colloquium Oslo 2017 [3], and a keynote at NIKT 2017 [4].
The FIRST 2018 presentation will cover a much more mature version of the platform, including a live demo of advanced analysis techniques. We will have a virtual image (.ova) of the platform ready for distribution to conference participants.
Standards Updates
Art Manion, CERT/CC
Refresh the current work on FIRST SIGs - Vuln Disclosure, CVSS, VRDX; OASIS Standards for CSAF and STIX; ISO Disclosure and Handling; IETF; CVE; NIST CSF; GFCE (we are narrowing how to cover all these and allow a discussion).
PSIRT TC 2018
Atlanta, US
February 27, 2018 16:15-17:15
Hosted by Honeywell
- JP
Wataru Takahashi (JPCERT/CC, JP) (JP)
Wataru was previously engaged in security system integration and service development at an IT vendor where he learned expertise in securing servers and access controls against servers. He joined JPCERT/CC in October 2016 and ever since he has been committed to malware analysis and forensics, especially dealing with ever-evolving malware and attack techniques with his persevering attitude.
OS events in the logs such as running applications, created registry entries and network communication. Most commonly, many analysts convert Sysmon logs into text format and search for specific events, however, it is difficult to conduct investigation on multiple devices simultaneously.
For more efficient investigation, JPCERT/CC has developed and released a system "Sysmon Search" which consolidates logs, enabling faster and more accurate log analysis. This system visualizes Sysmon logs to describe relations between processes and networks. Furthermore, with the log search and monitor functions, it will help identifying infected devices according to malware hash value and C&C server host name so that incidents can be detected in an early stage. This presentation will describe the details of this tool.
- US
Threat Hunting Techniques at Scale
Dhia Mahjoub
Thomas MathewDhia Mahjoub (Cisco Umbrella (OpenDNS), US), Thomas Mathew (Cisco Umbrella (OpenDNS), US)
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D Strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied on Wireless Sensor Networks' problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, NCSC One Conference, O'Reilly Security, and FIRST/OASIS Borderless Cyber and Technical Symposium.
Thomas Mathew is Senior Security Researcher at Cisco Umbrella (OpenDNS) where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz, the US Naval Postgraduate School, and as a Product and Test Engineer at handsfree streaming video camera company Looxcie, Inc. He presented at Black Hat, Defcon, BruCon, FloCon, Kaspersky SAS, and O'Reilly Security.
Threat hunting is an important process in every security operation, whether it is meant to produce intelligence for internal or external use it consists in proactively searching through large scale network data to detect and pinpoint threats that evade automated and signature-based security systems.
In today’s talk, we discuss the different steps of efficient threat hunting at scale: we describe how to initially use a set of short term high signal seeds from manual analysis to uncover additional threats (domains, IPs, binaries, etc). Then, we introduce a set of techniques that facilitate the automated generation of long term signals associated with the detection of malicious campaigns (botnets, malspam, ransomware).
The generation of these signals involves analyzing vast quantities of hourly global DNS query traffic to identify patterns that exhibit non-random anomalous behaviour. These signals have proven to have long term predictive power because they model the network effects of a campaign as it spreads globally. Specifically, network signals are more difficult for a malicious operator to obfuscate and thus these signals can be used for an extended period of time. Generating these signals depends on having large amounts of DNS data to statistically ensure that the anomalies detected can be considered non-random. We show how the anomalies arising in DNS query patterns, SSL hosting infrastructures, and client lookups can all be used to generate a set of initial domains or IPs that can be further researched.
By correlating similar hosting patterns between such domains we can identify malicious campaigns. When it came to generating a seed list from SSL data we used a graph-based approach that identified anomalous subgraphs within the global SSL hosting infrastructure which lead us to uncover patterns of criminal hosting space that leverages SSL.
Subsequently, we show the importance of investigating overarching patterns and TTPs behind malicious campaigns in order to go beyond short-lived IOCs and develop an understanding of the operational setup of criminal actors. This can provide us a proactive and longer-lasting advantage over the adversary.
Our talk will not only go over the statistical methods used to identify these anomalies but also describe the details of the backend infrastructure required to allow for the quick detection of these threats.
Threat Hunting, The New Way
Wei-Chea Ang, In-Ming Loh (MWR InforSecurity)
Wei Chea ANG is a Senior Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He has nine years of experience in information security and has worked in security operations, threat hunting for two global fortune 200 organizations.
In Ming LOH is a Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He currently holds OSCE and OSCP accreditation and was previously a software developer. His major interests are attack detection and prevention.
Traditional methods of attack detection have failed us. Threat Hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior with the assumption that networks are already compromised.
We’ll cover our approach for real world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of the real world attack scenarios we have personally encountered, we’ll show you how essential and effective it is to implement threat hunting scenarios into your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.
- US
TLP to IEP Evolution: What, Why & How
Tom Millar (US-CERT, US)
Mr. Millar has been a member of US-CERT for 10 years, serving as its Chief of Communications for most of that time. In that role, he has worked to strengthen US-CERT’s information sharing capabilities, increased the level of public, private and international partner engagement, and supported initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.
FIRST has issued two important standards for helping CSIRTs and their constituents share and re-share sensitive information more efficiently: the Traffic Light Protocol (TLP) and the Information Exchange Policy (IEP) framework. This presentation will give a quick overview of both, followed by an in-depth exploration of the use cases and more advanced options that IEP offers, in addition to the traditional TLP designations.
IEP’s four policy types – Handling, Action, Sharing and Licensing – address many of the needs of larger, mature sharing communities, but can also work for sharing networks that are just starting out, so that they will be able to easily accommodate other sharing models as they grow. TLP can be used to support the “sharing” policy type in IEP’s model, so they are fully compatible.
Raising awareness of FIRST’s own standards work is a valuable way to contribute to the CSIRT community around the world, and attendees of this presentation will come away with everything they need to know to implement IEP (and TLP) in their own environments, as well as to educate fellow information sharing peers and partners.
Unknown Threat Detection - The Key Ability of APT Defense
Tian Tian (ZTE)
Tian graduated from TU Dortmund in Germany majoring in Electronic Information Engineering, and worked at Infineon Technologies AG in Germany as a wireless sensor network R&D engineer before joining ZTE Corporation in 2009. She is a senior system architect and product expert with more than 10 years of experience in tel-communication and security area, and has worked on 3GPP SA3 and IETF standards for several years. She has been involved in pre-research in various fields, such as IMS security, M2M security, WLAN, SDN/NFV, and owns more than 10 granted patents in Europe and the US. She is now the APT project manager at ZTE and has more than 3 years of experience in anti-APT solution and product development, which includes advanced threat cloud analysis platform, Email/Web advanced treat prevention system and cyber behavior analysis system.
When talking about advanced cyber attack, the APT, I couldn’t help thinking of one man, Kevin Mitnick, who is the world's most famous hacker. His book The Art of Deception is a classic of social engineering. He wrote in his book, I cannot remember the exact words, to the effect that people is the weakest link in the whole security defense system. As long as people exist, there must be vulnerabilities. As long as you have assets and value, you may become the target of APT attack. Nowadays organizations and companies increasingly expect that it’s not if they will be compromised, but rather when will they be compromised.What I'm going to share today is a technical perspective of where and hot to detect the unknown threats , and our practice in ZTE Corporation.
- US
What was in that Data?
Gant Redmon (IBM Resilient, US)
Gant has worked at security software companies for the past nineteen years, most recently at IBM’s Security Division. He ran internal GDPR compliance for IBM Security and currently manages the legal logic in the IBM Resilient Incident Response Platform. Prior to IBM, Gant was the general counsel at several security startups that went on to be acquired. In 1997, he was appointed membership on the President Clinton’s Export Council Subcommittee on Encryption (PECSENC). Gant received his JD from Wake Forest University and his BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts.
In May of next year, the EU’s General Data Protection Regulation (GDPR) will go into effect. GDPR has been the biggest privacy topic of discussion of the past year, with organizations across the globe doing business in the EU working to become compliant with these new obligations throughout this past year. However, many are not fully compliant yet, and some have yet to begin any GDPR preparation at all.
In this session, Gant Redmon, IBM Resilient’s privacy expert, will give an overview of the impact GDPR will have on organizations that are not compliant. Specifically, he will dive into what incident responders will need to know about the regulation and the impact on their day-to-day jobs. With GDPR in effect, senior leaders within organizations will suddenly be relying on incident responders for much more given the enormous potential penalties. Questions from senior executives like, “what was in that data?” will be asked frequently. Gant’s session will focus on what incident responders can expect to be able to provide their organization with under GDPR, and how they can work with the legal and C-Suite teams to stay ahead of any GDPR-related penalties.
Attendees will get actionable takeaways on how to best prepare for and respond to any incidents that could trigger GDPR action. Gant will also dive into how incident responders can get ahead of these burning questions, so that they are prepared when the higher-ups ask, “what was in that data?”
- US
Why is CTI Automation harder than it needs to be.. and what can security teams do about it.
Allan ThomsonAllan Thomson (LookingGlass Cyber Solutions, US)
Allan Thomson is LookingGlass Chief Technology Officer (CTO) responsible for technology product vision, strategy & architecture across Threat Intelligence Management, Threat Mitigation & Response product lines.
Allan is currently serving as the Co-Chair of the Interoperability Subcommittee for the Cyber Threat Intelligence Technical Committee at OASIS as well as lead contributor on OpenC2 automation standards. He was recently recognized by OASIS as Distinguished Contributor for his work on standards at OASIS.
Previously, he was Principal Engineer and Architect for Threat Defense products at Cisco Systems with active involvement in standards for security (IETF/IEEE) and distributed systems.
Threat Intelligence is well known as an important part of CERT and Incident Responders toolkit.
However, sharing of intelligence across heterogeneous tools and environments that different organizations and groups (e.g. security operations vs threat research vs incident responders) use is a real challenge to the successful use and impact threat intelligence can have. When you expand those problems within a single organization to across different companies, CERTs and countries then the complexity and variability increases significantly.
If you then try to drive automation using threat intelligence, such as a firewall or web gateway, in an automated manner then the problems of inconsistent data sets, inconsistent semantics and unexpected behaviors results in significant headaches for security practitioners downstream from the providers of the data.
This presentation will cover some real-world problems of Threat Intelligence sharing in heterogeneous environments and provide some insights on how some of the new standards STIXv2/TAXIIv2 and OpenC2 are solving those problems for many of the use cases across a single organization and multiple organizations alike.
As part of the recommendations and insights, we will present on what OASIS Cyber Threat Intelligence Interoperability program has defined, what were some of the key CERT & Incident Responder use cases that the program supports and some thoughts for future adoption of the program to future use cases of Threat Intelligence and Automation. We will also include some lessons learned from recent Interoperability plugfest. Finally, we will wrap up with key Interoperability standards aspects that CERTs and other users of Threat Intelligence should consider leveraging in their environments before making decision on threat intelligence data and tool providers.
