26th Annual FIRST Conference | Boston, MA

Conference Program

Overview

June 21st (Saturday)

09:00 – 17:00

FIRST Education & Training Committee Meeting

June 22nd (Sunday)

10:00 – 16:30

TRANSITS Train-the-Trainer (T3)

Don STIKVOORT (Avalon Executive Coaching)

14:00 – 18:00

Registration - Pre-reception

15:00 – 16:00

2014 Session Chair Meeting

17:00 – 18:00

FIRST Ambassador Program Training

18:30 – 21:00

Newbie Welcome Reception

18:30 – 19:00

Registration - During Reception

19:00 – 21:00

Ice Breaker

June 23rd (Monday)

Tracks: Sparks | Graff | West-Brown

07:00 – 08:15

Breakfast

08:15 – 08:30

Opening Remarks

08:30 – 09:30

Keynote Presentation: Dr. Andrew Ozment

Dr. Andrew OZMENT

09:30 – 10:00

Coffee Break

10:00 – 11:00

Use of Passive DNS Databases in Incident Response and Forensics

Dr. Paul VIXIE (Farsight Security, Inc)

Enterprise Security Monitoring: Comprehensive Intel-Driven Detection

David BIANCO (Mandiant Corporation)

Twenty-Five Years of Computer Security and Incident Response: FIRST's First Quarter-Century

Mark ZAJICEK (CERT Coordination Center)

11:00 – 12:00

Avoiding Information Overload: Automated Data Processing with n6

Pawel PAWLINSKI (CERT Polska / NASK)

The Dutch Responsible Disclosure Policy

Tarik EL YASSEM (NCSC.NL)

Common Vulnerability Scoring System v3

Seth HANFORD (Cisco Systems, Inc.)

12:00 – 13:00

Lunch

13:00 – 13:30

STIX and TAXII: The Who, When, What, Where, Why and How

Richard STRUSE (DHS)

Open DNS Resolver Check Site

Takayuki UCHIYAMA (JPCERT Coordination Center), Hiroshi KOBAYASHI (JPCERT Coordination Center)

Protecting the Computer from Ring 0 – A New Concept in Improving Incident Response

Kouichi MIYASHITA (F.TRON Inc.), Mariko MIYA (CDI-CIRT (Cyber Defense Institute, Inc.) - Japan)

13:30 – 14:30

Implementers' Workshop : Automated Information Sharing with TAXII and STIX

Richard STRUSE (DHS), Thomas MILLAR (US-CERT)

Bitcoin for the Incident Responder

Ben APRIL (Trend Micro)

Intelligence Driven Security

Adam MEYERS (CrowdStrike, Inc)

14:30 – 15:00

Coffee Break

15:00 – 16:00

Implementers' Workshop (cont.)

Exfiltration Framework (ExF)

Eric ZIELINSKI (Nationwide), Mick DOUGLAS (Nationwide)

Developing Cybersecurity risk indicators - Metrics (panel)

Yurie ITO (JPCERT/CC)

16:00 – 17:00

Lightning Talks

Understanding Cyber Security Incident Response Teams as Multiteam Systems

Steve ZACCARO (George Mason University)

FIRST Business Plan, Execution & Financial Update

June 24th (Tuesday)

Tracks: Sparks | Graff | West-Brown

07:00 – 08:15

Breakfast

08:15 – 08:30

Opening Remarks

08:30 – 09:30

Keynote Presentation: Eugene Spafford

09:30 – 10:00

Coffee Break

10:00 – 11:00

Pass-the-Hash: Gaining Root Access to Your Network

Tim SLAYBAUGH (Member)

Securing National Segment of the Internet from Cyber-Threats. CERT-UA's Practical Approach

Nikolay KOVAL (CERT-UA)

Rethinking Indicators of Compromise in an Age of Advanced Analytics

Steve MANCINI (Intel)

11:00 – 12:00

The Art of Sinkholing

Tomasz BUKOWSKI (CERT Polska/NASK)

Cyber-EXE Polska 2013. Cyber Exercises for Banking Sector - the CERT Role.

Miroslaw MAJ (Cybersecurity Foundation)

The MANTIS Framework: Cyber Threat Intelligence Management for CERTs

Dr. Bernd GROBAUER (Siemens), Thomas SCHRECK (Siemens), Dr. Jan GOEBEL (Siemens), Johann WALLINGER (Siemens), Stefan BERGER (Siemens)

12:00 – 13:00

Lunch

13:00 – 13:30

Implementers' Workshop : Automated Information Sharing with TAXII and STIX Part II

Credential Honeytoken for Tracking Web-based Attack Cycle

Dr. Mitsuaki AKIYAMA (NTT-CERT)

Our Turbine Got Hacked! - Performing Forensic Investigations of Industrial Control Systems

Dr. Heiko PATZLAFF (Siemens)

13:30 – 14:30

On the Outside of Tinba Looking In ...

Peter KRUSE (CSIS Security Group A/S)

First Step Guide for Building Cyber Threat Intelligence Team

Hitoshi ENDOH (NTT-CERT)

14:30 – 15:00

Coffee Break

15:00 – 16:00

Implementers' Workshop (cont.)

Enabling Cross-Organizational Threat Sharing through Dynamic, Flexible Transform

Chris STRASBURG (Ames Laboratory, US DOE), Andrew HOYING (National Renewable Energy Laboratory), Daniel HARKNESS (Argonne National Laboratory), Scott PINKERTON (Argonne National Laboratory)

Two-tiered, Multi-team Assessment of CSIRTs

Robin RUEFLE (CERT Program, SEI, CMU)

16:00 – 17:00

Lightning Talks

Managing Your Managed Security Service Provider: Improve Your Security Posture

Stephen SELJAN (General Dynamics Fidelis Cyber Security Solutions)

Preparing for the Inevitable Zeroday or What Makes Networks Defendable?

Konrads SMELKOVS (KPMG LLP)

18:00 – 20:00

Vendor Showcase

June 25th (Wednesday)

Tracks: Sparks | Graff | West-Brown

07:00 – 08:15

Breakfast

08:15 – 08:30

Opening Remarks

08:30 – 09:30

Keynote Presentation: TBA

09:30 – 10:00

Coffee Break

10:00 – 11:00

Open Source Software Environment Security Issues

Yoshiki SUGIURA (NTT-CERT), Keisuke KAMATA (Freelance)

Using Anthropology to Study Security Incident Response

Siva Raj RAJAGOPALAN (HONEYWELL), Xinming OU (Kansas State University)

Sochi, After Action

Michael HIGGINS (NBC Universal)

11:00 – 12:00

Network Security Analytics Today

Aubrey MERCHANT-DEST (Blue Coat Systems, Inc.)

Identifying the 'Root' Causes of Propagation in Submitted Incident Reports

Thomas MILLAR (US-CERT)

Processing Intelligence Feeds with Open Source Software

Chris HORSLEY (CSIRT Foundry), L. Aaron KAPLAN (CERT.at)

12:00 – 13:00

Lunch

13:00 – 13:30

YARA: Advanced Topics

Andreas SCHUSTER (Deutsche Telekom AG)

Security Operations, Engineering, and Intelligence Integration Through the Power of Graph(DB)!

Christopher CLARK (Verisign)

Human Intelligence Sharing for Collaborative Defense -- Op Sec Trust

Dr. Paul VIXIE (Farsight Security, Inc)

13:30 – 14:30

Investigator of Interest – Our Philosophy of Adaptive Incident Response to Turn the Tables During an Investigation

Pascal ARENDS (Fox-IT)

MMPC's Coordinated Malware Eradication

Holly STEWART (Microsoft)

14:30 – 15:00

Break

15:00 – 16:00

YARA: Advanced Topics (cont.)

From Participant to Planner - Surviving Cyber Exercise Armageddon

Robert PITCHER (Canadian Government)

Rogue Pharma in .CO: The 33DRUGS.CO Case

Gonzalo ROMERO (.CO Internet)

16:00 – 16:30


Emerging Trading System Attacks (And Why You Might Not Detect Them)

Konstantinos KARAGIANNIS (BT)

“Auditing All the Things”: The Future of Smarter Monitoring, Detection and Response

Mark THOMAS (Threat Stack)

19:00 – 19:30

Reception

19:30 – 22:30

Banquet

June 26th (Thursday)

Tracks: Sparks | Graff | West-Brown

07:00 – 08:15

Breakfast

08:15 – 08:30

Opening Remarks

08:30 – 09:30

Keynote Presentation: Malcolm Harkins

09:30 – 10:00

Coffee Break

10:00 – 11:00

Cyber Threats Targeting High Level Individuals: Is Your Organization Prepared?

Andrea HENSON-ARMSTRONG (The Justice Management Institute)

Transparency and Information Sharing in Digital Forensics

Johan BERGGREN (Google)

Don’t Panic! Case studies of Incident Response from the Field

Kristy WESTPHAL (Element Payment Services)

11:00 – 12:00

Malware\Host Analysis for Level 1 Analysts

Garrett SCHUBERT (EMC Corporation)

Looking Back at Three Years of Targeted Attacks: Lessons Learned on the Attackers’ Behaviors and Victims’ Profiles

Dr. Olivier THONNARD (Symantec)

At the Speed of Data: Automating Threat Information to Improve Incident Response

Denise ANDERSON (Financial Services Information Sharing and Analysis Center (FS-ISAC))

12:00 – 13:00

Lunch

13:00 – 13:30

Playing Hide and Seek with Rootkits in OS X Memory

Cem GURKOK (Verizon Terremark)

Merovingio: Mislead the Malware

Juan Carlos MONTES (INTECO-CERT)

A Forensic Analysis of APT Lateral Movement in Windows Environment

Junghoon OH (AhnLab)

13:30 – 14:30

Cyber Security for Board of Directors and Senior Management

Peter O'DELL (Swan Island Networks)

A Survey of Vulnerability Markets

Art MANION (CERT Coordination Center)

14:30 – 15:00

Coffee Break

15:00 – 16:00

Playing Hide and Seek with Rootkits in OS X Memory (cont.)

Attacks Using Malicious Hangul Word Processor (HWP) Documents

JaeByung YOON (KrCERT/CC)

pBot botnets: An Overview

Fernando KARL (Defenda), Felipe BOEIRA (Samsung)

16:30 – 18:00

AGM

18:30 – 20:30

Closing Vendor Reception

June 27th (Friday)

Tracks: Sparks | Graff | West-Brown

07:00 – 08:15

Breakfast

08:15 – 08:30

Opening Remarks

08:30 – 09:30

Keynote Presentation: Bruce Schneier

09:30 – 10:00

Coffee Break

10:00 – 11:00

Back to the Roots - Incident Case Study

Mikko KARIKYTÖ (Ericsson)

Everyday Cryptography

John KRISTOFF (Team Cymru)

Incident Response Coordination on a Global Scale: Your Assistance is Requested...

Kauto HUOPIO (NCSC-FI)

11:00 – 12:00

Evidence Based Risk Management and Incident Response

Jake KOUNS (Risk Based Security), Carsten EIRAM (Risk Based Security)

Operational CyberThreat Intelligence: 3 Years of IOC Processing at EMC.

Christopher HARRINGTON (EMC Corporation), Kathleen MORIARTY (EMC Corporation)

We're All the Same in Different Ways: Revisiting the CSIRT Concept for 2015

Thomas MILLAR (US-CERT)

12:00 – 13:00

Closing

  • A Forensic Analysis of APT Lateral Movement in Windows Environment

    Junghoon OH (AhnLab)

    Junghoon Oh has been a Digital Forensic Analyst with A-FIRST of AhnLab since January 2012. He analyzes computer security incidents using digital forensic skills. Previously, he worked at the Digital Forensic Research Center of Korea University as a researcher. He also presented a paper at DFRWS 2011 and won the DC3 Cyber Crime Challenges 2011 as the civilian winner. His research interests are DFIR, Android forensics and web browser forensics.
    In an APT campaign, "lateral movement" is the behavior of compromising other systems in the target organization's internal network after the initial compromise. Unfortunately, it is difficult to distinguish this behavior from normal activity because it uses the normal protocols of a Windows environment. Therefore, if an investigator finds traces of lateral movement, he can trace back to the initially compromised system and, from a DFIR point of view, understand the attack technique used in the initial compromise. As a result of this tracing, the root cause of the attack can be removed. In this session, Junghoon Oh will introduce existing lateral movement techniques and explain the digital forensic methodology for tracking their traces. In addition, a real case to which the methodology was applied will be introduced.
    June 26th, 2014 13:00 – 13:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • A Survey of Vulnerability Markets

    Art MANION (CERT Coordination Center)

    Art Manion analyzes, coordinates, and discloses vulnerabilities at CERT (i.e., the CERT Coordination Center, part of the Software Engineering Institute, or SEI). Art does a number of other related things like standards development and vulnerability information management.
    The past several years have seen growth in markets for information about software vulnerabilities. Vendors offer bug bounties, brokers arrange transactions between buyers and sellers, and offensive-minded firms discover and sell vulnerabilities (usually in the form of exploits) to subscribers. Technical information and weaponized exploits aren't traded by themselves -- exclusivity and secrecy are what give information value in these markets. What are the key similarities and differences between markets? What does market growth mean for public policy around vulnerability disclosure? What data is even available to attempt to answer these questions? Come hear the results of our survey and discuss the implications of evolving vulnerability markets.
    June 26th, 2014 13:30 – 14:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • At the Speed of Data: Automating Threat Information to Improve Incident Response

    Denise ANDERSON (Financial Services Information Sharing and Analysis Center (FS-ISAC))

    Denise Anderson has over 25 years of management level experience in the private sector in Finance, Operations, Sales and Marketing, Public Relations/Publications, Administration and Information Technology. Denise is Vice President FS-ISAC, Government and Cross Sector Programs at the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit association comprised of financial institution members that is dedicated to protecting the financial services sector from physical and cyber attacks and incidents through dissemination of trusted and timely information.

    Denise currently serves as Chair of the National Council of ISACs and participates in a number of industry groups such as the Cross-Sector Cyber Security Working Group (CSCSWG). She was instrumental in implementing a CI/KR industry initiative to establish a private sector liaison seat at the National Infrastructure Coordinating Center (NICC) to enhance information sharing between the private sector CI/KR community and the federal government, and serves as one of the liaisons. She is a financial sector representative to the National Cybersecurity and Communications Integration Center (NCCIC) — a 24-hour, DHS-led coordinated watch and warning center that improves national efforts to address threats and incidents affecting the nation's critical information technology and cyber infrastructure. She is also a member of the Cyber Unified Coordination Group (UCG) under the National Cyber Incident Response Plan (NCIRP) - a public/private advisory group that comes together to provide guidance during a significant cyber event – where she also represents the financial services sector.

    Denise is certified as an EMT (B), Firefighter I/II and Instructor I/II in the state of Virginia, and is an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia. She is also certified under the National Incident Management System (NIMS). In addition, she has served on the Board and as Officer and President of an international credit association, has been recognized and awarded for her professional and volunteer achievements and has spoken at events in both the US and Internationally.

    Denise holds a BA in English, magna cum laude, from Loyola Marymount University and an MBA in International Business from American University. She recently graduated from the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.
    Information sharing in the Cyber Defense world has historically been a tremendously manual and isolated process. While formal and informal networks of incident responders have sprung up to provide defenders some leverage in mitigating attacks, economic forces have driven the attack side faster than defenses can keep up. Exploits built to target a specific sector/industry can be broadly employed to provide a significant return on investment due to slow and uncoordinated responses across that sector/industry. The financial sector has recognized that it is imperative to change the economics of the attack/defense model in order to change the balance of power. Financial institutions through the Financial Services Information Sharing and Analysis Center (FS-ISAC) have been developing and maturing the process of information sharing among its constituents to increase the speed at which defense spreads across the entire financial sector. Several key factors have contributed to the success so far, including:
    • Ability for users to post anonymously
    • Analysts add value to each posting and users find the information valuable
    • Creation of a clear guideline for information dissemination
    • Maturing a trust model
    • Providing an infrastructure to allow information sharing to occur
    Notwithstanding success to date, human to human interaction imposes limits on the speed and volume of data shared. The finance sector has made the commitment to move to the automated sharing of threat information by using standardized protocols (STIX and TAXII) and mark-up automation in order to change the economics of cyber attacks more in favor of the defenders. This presentation will describe critical success factors in generating initial trust necessary to drive collaboration and next steps in automating information exchange so that analysts can focus on “asking the questions” instead of being slowed down by manual processes.
    June 26th, 2014 11:00 – 12:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Attacks Using Malicious Hangul Word Processor (HWP) Documents

    JaeByung YOON (KrCERT/CC)

    Jaebyung Yoon has been a researcher with KrCERT/CC since 2009. He analyzes and coordinates vulnerabilities and manages the Vulnerability Reward Program. He has recently focused on vulnerabilities in the Hangul word processor, which is used extensively in South Korea, especially by the government.
    Recently, APT attacks in Korea have used document files (Hangul Word Processor) as an infection vector. The main features of these attacks are the use of HWP vulnerabilities, document content built around topical issues, and spear phishing.
    HWP is as dominant a word processor in Korea as MS Word is elsewhere, and the HWP document format is the de facto standard, especially in the Korean government.
    We have seen many HWP vulnerabilities and exploits through the Vulnerability Reward Program and in APT attacks.
    There are many reasons HWP is attractive to an attacker:
    - All government officers use HWP
    - Attack detection devices do not filter HWP files
    - Many users do not apply software updates
    Vulnerabilities, exploits and the response will be discussed.
    June 26th, 2014 15:00 – 16:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Avoiding Information Overload: Automated Data Processing with n6

    Pawel PAWLINSKI (CERT Polska / NASK)

    Pawel Pawlinski is a specialist in the Security Projects Team at CERT Polska; his main interests in the domain of network security include intrusion detection systems, anomaly detection algorithms, honeypots and data visualization. He is responsible for the design of the n6 platform for sharing security-related data and of a hybrid system for detecting client-side attacks, Honeyspider Network 2.
    Automated data feeds, internal detection systems and external knowledge repositories are invaluable sources of information for any team responsible for incident response, or IT security in general. Nevertheless, faced with a huge amount of heterogeneous data, how can we make the best use of it? Effective information sharing, an often-discussed and undoubtedly important topic, is just one aspect of this problem. Other challenges include appropriate summarization of information to create situational awareness, and supporting both operational work and long-term analyses by establishing a comprehensive data repository.

    We will present our approach to these issues from a national CERT perspective and our experience in development of the n6 (Network Security Incident eXchange) platform. n6 aims to integrate feeds coming from both internal systems and external parties, systematize data processing and facilitate sharing of information with other entities. We will discuss design principles of the platform, its evolution over the years and recent use cases.
    June 23rd, 2014 11:00 – 12:00

    Terrace Room (Lower Level - Basement)

  • Back to the Roots - Incident Case Study

    Mikko KARIKYTÖ (Ericsson)

    Mikko Karikytö leads the Ericsson Product Security Incident Response Team (PSIRT). Ericsson PSIRT is responsible for vulnerability management and security incident response for Ericsson products.
    In the era of cyber security and cyber war, 50 billion connections, the Internet of Things and clouds, one would expect that incident response and resolution have travelled far from their roots. As nice as it would be to work with new technologies, new threats and new types of incidents, the truth out there is much more brutal. Instead of swiping around like Tom Cruise in Minority Report, we are back to basics when it comes to incident coordination, findings and the root causes of incidents.

    In this presentation we will go through a case study of an incident which shows that we still need to work on the very basics of security. No matter where the surrounding market is heading, it boils down to a lack of hardening of the nodes, a lack of security policies and procedures, unclear O&M processes and, ultimately, nobody taking responsibility for security.

    Cost of an incident: huge
    Cost of putting in place security controls afterwards: too much
    Frustration level of a security professional: enormous
    Did Snowden help to build security awareness: no – not really

    We will tell you why.
    June 27th, 2014 10:00 – 11:00

    Terrace Room (Lower Lobby - Basement)

  • Bitcoin for the Incident Responder

    Ben APRIL (Trend Micro)

    Ben is a Sr. Threat Researcher and the Americas regional manager of Trend Micro's Forward-looking Threat Research Team. He tends to focus on research areas related to Internet infrastructure such as Routing, DNS and IP reputation. If not doing that, he is likely building a prototype of some analysis tool or sourcing system that will somehow "accidentally" find its way into production.
    The use of Bitcoin is on the rise. How will you handle the next incident if it involves Bitcoin? Is it really anonymous? How can you see transaction history? How does the mining process really work? What tools are available to the incident responder to trace Bitcoin activity? Are the Cryptographic elements really secure? This talk is designed to provide the attendee a solid foundation in Bitcoin and other Bitcoin based currency systems as well as the tools and techniques needed to track Bitcoin activity.
    June 23rd, 2014 13:30 – 14:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Common Vulnerability Scoring System v3

    Seth HANFORD (Cisco Systems, Inc.)

    As Manager of the Cisco Threat Research Analysis and Communications (TRAC), Seth Hanford helps to guide some of the most experienced and knowledgeable threat researchers and analysts at Cisco – and in the industry. Their collaborative research and analysis work is intended not only to continually enhance the quality and efficacy of Cisco’s security products, but also, provide actionable intelligence that helps all Internet users defend against both known and emerging network threats. Hanford was an Incident Manager for the Cisco Product Security Incident Response Team (PSIRT) and a Security Analyst for Cisco IntelliShield, a threat and vulnerability alerting service, before becoming manager of the Cisco TRAC team. In the past decade, Hanford has analyzed and scored thousands of vulnerabilities across all manner of software products, using each of the released versions of CVSS.

    He has served as Chair of the Common Vulnerability Scoring System (CVSS) Special Interest Group at FIRST since 2011. Prior to serving as Chair, Hanford was a contributing member of the CVSS v2 SIG.
    The Common Vulnerability Scoring System assists incident responders through standard characteristic classification and severity scoring for software vulnerabilities. With the June 2014 release of CVSS version 3, FIRST has committed once again to improving the standard and assisting incident responders and CVSS score consumers to classify and prioritize the software vulnerabilities found in their environments.

    This paper will address the needs of the security community, changes in the vulnerability landscape, shortcomings of CVSS v2, and the solutions designed into the most recent release of CVSS. Attendees will learn about the new metrics in CVSS v3, how to use them to score vulnerabilities, and how the approach to vulnerability scoring and assessment has changed since CVSS v2. We will cover assessing User Interaction, Privileges Required, vulnerability Scope, as well as assessing the impact of Mitigations in a particular environment, and show how to score some example vulnerabilities. In addition, we will announce the release of the finalized CVSS v3 specification.
    June 23rd, 2014 11:00 – 12:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Credential Honeytoken for Tracking Web-based Attack Cycle

    Dr. Mitsuaki AKIYAMA (NTT-CERT)

    Mitsuaki Akiyama has been a researcher with NTT Secure Platform Laboratories and a member of NTT-CERT in Japan since 2007. He analyzes vulnerabilities and exploits related to browser-based malware infection, and develops various types of honeypot system. The client honeypot he developed has been used by NTT-CERT and also in several national projects in Japan (i.e., PRACTICE, ACTIVE).
    Background
    – The web-based attacks called Beladen, Gumblar, and Nineball are large-scale incidents of mass compromises of websites. These types of compromises are the leading cause of malware infection of general public users on the Web. In fact, adversaries use complex attack techniques such as malware infection, credential leakage, and tactics to compromise websites. A compromised website then carries out drive-by download attacks and leads to secondary malware infections. We have focused our research on this web-based attack cycle.

    Our proposal
    – To consistently observe the web-based attack cycle, we developed a novel observation system based on a honeytoken that actively leaks credentials and lures adversaries to a decoy that behaves like a compromised web content management system. Our assumption is that honeytoken-based observation can be used for in-depth tracking of a series of attack cycles by a specific adversary and can discover malicious entities.

    Experimental result
    – In a one-year experiment, our proposed system was successfully compromised by various adversary groups without being recognized, which allowed us to closely monitor the adversaries' activities.
    – The malicious entities obtained amount to about 10,000 IP addresses and 900 FQDNs. There is little overlap between them and six well-known public blacklists, which means that our system can effectively observe unknown malicious entities.

    Contributions for CSIRT organizations
    – The malicious entities we obtained can be applied to proactive defenses such as blacklisting and filtering. Moreover, we revealed the detailed activities of adversary groups and the ecosystems of the recent complex attack cycle. We believe that this knowledge of malicious activities and ecosystems can accelerate CSIRT activity.
    June 24th, 2014 13:00 – 13:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Cyber Security for Board of Directors and Senior Management

    Peter O'DELL (Swan Island Networks)

    Pete O’Dell is a business and technology consultant who lives in Alexandria, Virginia. He has been involved with information technology and business strategy/operations for over 25 years, working for large companies like Autodesk, Digital Equipment Corporation, Microsoft, Micro Warehouse and been involved in multiple startup efforts including Swan Island Networks, Upgrade Corporation of America and Online Interactive. At Swan Island Networks, he had extensive interaction with the US Government in the areas of homeland security, information sharing, real time situational awareness and law enforcement. He consults for a wide range of companies, and is on the global advisory board for BuckitDreams, an exciting new enterprise launching in 2014. He is also part of www.nextlevel.com, a growing Northwest executive and board services firm.

    One of Pete’s key skills is the communications and interface between technical and non-technical executives and board members. He’s presented at National Association of Corporate Directors meetings about cyber security. He firmly believes that technologists must make a far better effort to translate the complexity and acronyms of information technology into understandable and actionable strategies that their executive peers and board members can understand.

    Pete is an avid fly fisherman, an occasional marathoner, and a poor golfer. He volunteers with www.fishingcommunity.org to support our Wounded Heroes with fishing events and classes.

    Also by the Author:

    Silver Bullets: How Interoperable Data will revolutionize Information Sharing and Transparency, Authorhouse, 2010 for print editions, self publish for Kindle version

    Essays on Corporate Governance, Andrew Sherman, Guest Essay: Information Systems and the Chief Information Officer (CIO), Advantage, 2012

    The Computer Networking Book, Ventana Press, 1989
    Cyber Security is extremely complex and evolving at a rapid pace. The board of directors and senior management are responsible for oversight and risk management in this very important area. Critical to this process are both prevention and incident response. Both areas are driven by the people responsible inside your organization, and the outside resources they utilize to prepare and respond.
    June 26th, 2014 13:30 – 14:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Cyber Threats Targeting High Level Individuals: Is Your Organization Prepared?

    Andrea HENSON-ARMSTRONG (The Justice Management Institute)

    Andrea Henson-Armstrong is the Director of Justice Technology at The Justice Management Institute in Arlington, Virginia. Dedicated to serving the public, her twenty years of experience spans federal agencies and organizations that include the United States Computer Emergency Readiness Team at the Department of Homeland Security; the Federal Judicial Center; the United States Senate Judiciary Committee; the National Lawyers’ Committee for Civil Rights Under Law; and, the State of California, Department of Justice. Armstrong is a thought leader, who passionately believes that providing high quality IT solutions to courts leads to equality in justice.

    A technologist and educator, Armstrong is a gifted communicator who can translate the most difficult technical concepts into easy to understand narratives, clearing the way for executive decision making. From designing a plan to implementation, she is able to finish a project. She is a national speaker and instructor, presenting at over 300 government venues nationwide. Armstrong is a trusted advisor on topics that include privacy, social media and emerging technology. Her current accomplishments include management of the US-CERT public website and social media, and publishing a comment in the Syracuse Law Review on how new web technologies impact the privacy and security of judges.

    Currently, Armstrong is a professorial lecturer at George Washington University, in the Master of Science in Information Systems and Technology Management program. At GWU, she teaches courses in emerging technologies and project management. She also serves as an adjunct instructor for the School of Criminal Justice, Master's Degree, Judicial Administration Specialization and Certificate program at Michigan State University.

    Armstrong received her Master of Science in Information Systems Technology from George Washington University and a Chief Information Officer Certification from the federal government. She has a Juris Doctor degree from the University of the District of Columbia, David A. Clarke School of Law and a Bachelor of Arts in Ethnic Studies from the University of California, Riverside.
    How does a high level official in your organization report, remove and mitigate a situation in confidence? This presentation will provide communication tools and solutions that can be employed when individuals and their families are targeted by threat actors on the internet because of their rank or role. No CEO or high level official wants to admit that they don't know what to do when they or members of their family become a target of a cyber threat actor. Does your organization have a plan to deal with these types of incidents?

    Cybersecurity practitioners worldwide are addressing the need for better information sharing relating to enterprise cyber incident response and internet safety, but many times they do not talk about the personal incidents that target high profile individuals. It's time to begin seriously addressing the human side of cyber threats and how it can affect officials in government and industry.

    Every organization's cybersecurity strategy should include a personal internet security strategy for leadership to prevent coercion and other consequences. This presentation will cover the issues of internet safety and security affecting officials (and/or their families and staff) with case studies focusing on how cyber threats can affect high level officials, how organizations need to provide trusted avenues of disclosure, and illustrating communication and reporting best practices for cyber professionals to help protect their decision-makers and executives.
    June 26th, 2014 10:00 – 11:00

    Terrace Room (Lower Lobby - Basement)

  • Cyber-EXE Polska 2013. Cyber Exercises for Banking Sector - the CERT Role.

    Miroslaw MAJ (Cybersecurity Foundation)

    Miroslaw Maj has more than 15 years of experience in IT and the IT security sector. For almost 10 years he led the CERT Polska team – the first Polish incident handling team, which plays the role of the national-level team. In 2010 he founded the Cybersecurity Foundation and became its first director. Since September 2010 he has been the expert on CIIP of the Polish Government Center for Security. In 2011 he also became a co-founder of the first Polish independent CERT – ComCERT.PL.
    He is the author of papers on security statistics and other subjects from the security area. He is involved in international cooperation between CSIRT teams as a member of the Trusted Introducer team as well as in formal European projects related to security issues (standards, statistics, information sharing, fighting illegal content, building security awareness and establishing new CSIRT teams). He is the co-author of many ENISA publications including CERT exercises and papers on improving CERT coordination. Miroslaw Maj organized two editions of the national-level cyber exercises in Poland – Cyber-EXE Polska – for the critical infrastructure and banking sectors. He has presented his work at many international conferences, including a number of presentations at FIRST conferences.
    Recent years have shown that cyber exercises are probably one of the most effective ways to improve incident handling capabilities within all kinds of organisations involved in this process, including CERT teams. Thus the popularity of such initiatives is growing, and cyber exercises are now organised in more and more countries.
    Cyber-EXE Polska 2013 (the 2nd edition of national-level cyber exercises in Poland) was organised in Poland in October 2013 by the Cybersecurity Foundation in partnership with the Polish Government Centre for Security and Deloitte Poland. The main players in the exercises were Polish banks and their incident handling teams. They tested their capabilities against two main threats to banks - DDoS and APT attacks. Scenarios contained a number of injects which simulated advanced cyber attacks against the most sensitive bank services, like online banking services, and attacks against confidential banking resources, like customers' personal and financial data.
    One of the exercise's objectives was to check the level of interaction and coordination between affected banks and external organisations - e.g. other banks, law enforcement agencies and CERTs. During the simulated crisis situations banks contacted CERTs many times and requested their specific services, which became an important part of the mitigation strategy.
    During the presentation the authors will present the results of those exercises in terms of the CERTs' role. Step by step they will present the cyber exercise scenarios of DDoS and APT attacks and explain the role of CERT teams in the attack mitigation actions at each step. This will be mostly about CERT reaction services. Additionally, based on the exercises' conclusions, the authors will present a set of recommendations for CERT teams which cooperate or plan to cooperate with banks. The result of those two approaches will be a complete set of CERT services dedicated to the banking sector.
    June 24th, 2014 11:00 – 12:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Developing Cybersecurity risk indicators - Metrics (panel)

    Yurie ITO (JPCERT/CC)

    Moderator: Yurie Ito (JPCERT/CC)
    Panelists:
    Dr Aaron Martin (OECD)
    Dr Jose Nazario (Invincea)
    Dr Greg Rattray (Delta Risk)
    Dan Geer (inviting), Peter Cassidy (Inviting)
    One of the things we are missing in pursuing global cybersecurity goals is strong sources of data, cross-comparable and robust enough to develop statistics to measure risk levels nationally and globally.
    Such metrics and risk measurements are essential for policy makers to evaluate potential cybersecurity approaches. Measurement of global statistics and trends will also be useful for operations to prioritize challenges and manage limited resources. But more significantly, the metrics can serve as the common language between policy and technical operations.

    Panelists will be discussing the existing metrics and new initiatives to look at this challenge and initiated efforts to create such metrics and measurement approaches.
    June 23rd, 2014 15:00 – 16:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Don’t Panic! Case studies of Incident Response from the Field

    Kristy WESTPHAL (Element Payment Services)

    Kristy Westphal, a versatile security professional of 20 years with specific experience in the area of information security, is currently employed as Information Security Officer with Element Payment Services. Prior to that, she was Director, Security Operations for T-Systems North America. Skilled in troubleshooting and process analysis, she has specific expertise in security areas including forensics, security awareness, operating system and network security, intrusion detection, incident handling, vulnerability analysis and policy development. Kristy is a CISSP, CRISC, GWAPT and CISA. Kristy also teaches forensics for the University of Advancing Technology.
    One of the best ways to learn about incident handling is to practice, practice, practice. Learning from past successes and mistakes will help to hone future responses while under fire. This session will take experiences from incident handling at various types of organizations (financial, health care and government), walk through the initial scenario, and then look at what was done. After that, we will discuss what could have been done differently to improve the response. Each scenario will be information security/technically focused.
    June 26th, 2014 10:00 – 11:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Emerging Trading System Attacks (And Why You Might Not Detect Them)

    Konstantinos KARAGIANNIS (BT)

    Konstantinos Karagiannis is the Global Ethical Hacking Director for BT Advise Assure. He has extensive experience performing application and network assessments and penetration tests, and specializes in financial applications. He has spoken at dozens of technical conferences around the world. Konstantinos began as a Physics major before finding his way to the world of hacking, and enjoys probing how everything works, from programs to particles.
    Trading systems may just be the dirty little secret of both InfoSec and the financial industry. Set up to ensure low latency first, these systems contain numerous design flaws that attackers could exploit in coming months. We're already seeing some of these exploits, and there are only more on the horizon. Worst of all, the types of assaults these systems are most prone to may not be easily detectable by typical forensic means.

    The past few years have shown that attackers are often hired to disrupt competitors--cybercriminals are truly going where the money is. Join Konstantinos for a look at covert local and network-based attacks that could cost companies millions of dollars in milliseconds.
    June 25th, 2014 16:00 – 16:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Enabling Cross-Organizational Threat Sharing through Dynamic, Flexible Transform

    Chris STRASBURG (Ames Laboratory, US DOE), Andrew HOYING (National Renewable Energy Laboratory), Daniel HARKNESS (Argonne National Laboratory), Scott PINKERTON (Argonne National Laboratory)

    Dan Harkness:
    Dan Harkness is a Cyber Security Analyst and Software Developer at Argonne National Laboratory. His work centers around cyber threat sharing, including analysis, representation, and distribution of cyber threat information amongst peer organizations. Dan is a CISSP and holds a Masters in Computer Engineering and Information Assurance from Iowa State University, where his research was in computer forensics. He is passionate about the area of applied research, helping to ensure that operational cyber security continues to grow and draw interest from the next generation.

    Andrew Hoying:
    Andrew Hoying is the senior Cyber Security Analyst and Cyber Security Architect at the National Renewable Energy Laboratory. His work focuses on developing software that integrates existing cyber security technologies with threat intelligence and real time event correlation for enhanced incident detection and response. He frequently contributes patches back to open source software, and also works closely with several closed source vendors to enhance their solutions. He has been active in the cyber security field for over 15 years, and is dedicated to the open sharing of cyber security information so incident responders can get ahead of the constantly growing threat landscape.

    Scott Pinkerton:
    Scott Pinkerton has been active in the Information Technology space for the last thirty years – working on networking, telephony, and cyber security issues. He is currently working on the development of cyber security systems serving the DOE and critical infrastructure. Recent accomplishments include:
    - Developing and promoting a federated approach to cyber security (received the 2009 DOE Technology Innovation Award)
    - Implementing a comprehensive risk-based approach to cyber security at ANL, which strives to balance science and security
    - Active in the Internet2 Joint Techs and Energy Sciences Coordinating Committee (ESCC) – addressing network related issues across the DOE National Laboratories and R&E space

    Prior to joining ANL, Scott was a Staff Engineer at Martin Marietta Denver Astronautics where he worked extensively with ring-laser gyro based inertial navigation systems for Expendable Launch Vehicles like the Titan IV, and Upper Stages like the Transfer Orbit Stage (TOS) that flew the Mars Observer mission.

    Scott holds a BS Mathematics & BS Computer Science from Bowling Green State University, and a MS Computer Science from University of Colorado.

    Chris Strasburg:
    Chris is a Ph.D. candidate in computer science at Iowa State University as well as a full time researcher in cyber security and computational science at Ames National Laboratory, a Department of Energy open science lab. His research interests lie in the areas of machine learning, formal knowledge representation, and computer security automation. Prior to his move into research, Chris worked as a cyber security analyst and program manager for six years at Ames, implementing security controls, defining policy, and setting program objectives. His publications include works in masquerader detection, automated intrusion response selection, software fault prediction, and intrusion detection assessment. Chris is currently leading projects implementing aspects of cyber threat representation languages for the Cyber Fed Model, developing an automated organizational relationship model for network flow data, and formalizing intrusion detection and response descriptions in the Web Ontology Language (OWL).
    The objective of the Cyber Fed Model (CFM) project is to facilitate the sharing of actionable and relevant cyber threat data between organizations in near real time. One obstacle to scalable data sharing is making the process of sharing (uploading) as streamlined as possible, while ensuring that data is delivered to recipients in a format they can easily integrate into existing cyber processes.

    This is not a new challenge; many SIEM vendors and open source tools have addressed the problem of ingesting and producing data in multiple formats. These approaches tend to fall into two broad categories:

    • Use pre/post processing of data to extract fields and allow users to define new fields on the fly (e.g. Splunk)
    • Develop an extensive library of event parsers that preprocess all events and extract known fields from them (e.g. ArcSight)

    Generally, however, these solutions are specific to the vendor or tool in question. Complicating the scenario is the existence of multiple competing standards for data sharing formats. Even when a local tool is capable of producing data in a number of formats, sharing that data with other organizations still requires a transformation for the recipient to parse and act on it.

    To address this problem, the CFM project is working to develop a flexible transform capability which will both apply defined parsers to known well-defined formats, as well as allow data submitters to provide a description of their data format. Three levels of translation are used to provide on-the-fly transformation to an intermediate representation: syntactic, schematic, and semantic. Uploaders (and downloaders) provide descriptions of the provided (desired) format, and the data will be parsed (produced) in that form.
    Developing this capability requires addressing a number of questions, for example:

    • How do we normalize the semantics between the data produced by various sources for sharing? For example, similar fields with different meanings, when different tools interpret the same data.
    • How do we maintain relationship data between submitted indicators during transformation?
    • How do we remain flexible enough to represent new proposed formats without requiring code changes or manual parser generation?
    • How do we handle cases where the output format cannot represent all the information provided by the original sender?
    • Which aspects of this transformation should be handled centrally (e.g. within the service) as opposed to at the client?

    In this talk, we will present our design in detail, and discuss how our approach addresses the questions above.
    June 24th, 2014 15:00 – 16:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)
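    The three-level transform described in the abstract above, as an added example that is not CFM project code: a submitter's format description (syntax, field mapping, semantic rules) drives parsing into a canonical intermediate representation, the relationship between two indicators survives normalization, and a download into a format that cannot carry a field reports the loss instead of hiding it. The canonical field names, rule names and both sample feeds are constructed for the example.

```python
"""Three-level transform (syntactic, schematic, semantic) into an intermediate
representation, illustrating the CFM design sketched above.  Added example, not
CFM project code: format descriptions, field names and feeds are constructed."""
import csv
import io
import json
from ipaddress import ip_address

# Submitters use different words for the same indicator kind (constructed vocabulary).
KIND_SYNONYMS = {"ipv4": "ip", "ipv6": "ip", "ip-dst": "ip", "ip-src": "ip",
                 "hostname": "domain", "fqdn": "domain"}

def _ip_or_domain(value):
    """Canonical text for an IP (so '2001:db8:0:0:0:0:0:1' == '2001:db8::1') or a domain."""
    try:
        return str(ip_address(value.strip()))
    except ValueError:
        return value.strip().lower().rstrip(".")

NORMALIZERS = {                                  # semantic rules, by name
    "percent": lambda v: float(v) / 100.0,       # 0-100 -> 0.0-1.0
    "score0to10": lambda v: float(v) / 10.0,     # 0-10  -> 0.0-1.0
    "kind_vocab": lambda v: KIND_SYNONYMS.get(v.strip().lower(), v.strip().lower()),
    "ip_or_domain": _ip_or_domain,
}
DENORMALIZERS = {"percent": lambda v: v * 100.0, "score0to10": lambda v: v * 10.0}

# Submitter-provided format descriptions (constructed): tokenizer, field mapping, rules.
FEED_A = {
    "syntax": "csv",
    "schema": {"ioc": "indicator", "type": "kind", "seen": "first_seen",
               "conf": "confidence", "parent": "related"},
    "semantics": {"indicator": "ip_or_domain", "related": "ip_or_domain",
                  "kind": "kind_vocab", "confidence": "percent"},
}
FEED_B = {
    "syntax": "json",
    "schema": {"value": "indicator", "category": "kind", "ts": "first_seen",
               "score": "confidence"},           # no field for relationships
    "semantics": {"indicator": "ip_or_domain", "kind": "kind_vocab",
                  "confidence": "score0to10"},
}

def syntactic(raw, syntax):
    """Level 1: tokenize the upload into rows keyed by the submitter's field names."""
    if syntax == "csv":
        return list(csv.DictReader(io.StringIO(raw)))
    if syntax == "json":
        return json.loads(raw)
    raise ValueError("unsupported syntax: %r" % syntax)

def schematic(row, schema):
    """Level 2: rename fields to canonical names; report fields with no mapping."""
    mapped = {schema[k]: v for k, v in row.items() if k in schema and v not in (None, "")}
    unmapped = {k for k in row if k not in schema}
    return mapped, unmapped

def semantic(record, semantics):
    """Level 3: make values from different sources mean the same thing."""
    out = dict(record)
    for field, rule in semantics.items():
        if field in out:
            out[field] = NORMALIZERS[rule](out[field])
    return out

def ingest(raw, desc):
    """Upload path: raw text plus description -> canonical records and unmapped fields."""
    records, unmapped = [], set()
    for row in syntactic(raw, desc["syntax"]):
        rec, missing = schematic(row, desc["schema"])
        unmapped |= missing
        records.append(semantic(rec, desc["semantics"]))
    return records, unmapped

def emit(records, desc):
    """Download path: canonical records -> rows in the requested format.
    Fields the target format cannot carry are reported, never silently dropped."""
    reverse = {canon: theirs for theirs, canon in desc["schema"].items()}
    rows, lost = [], set()
    for rec in records:
        row = {}
        for canon, value in rec.items():
            if canon not in reverse:
                lost.add(canon)
                continue
            rule = desc["semantics"].get(canon)
            row[reverse[canon]] = DENORMALIZERS.get(rule, lambda v: v)(value)
        rows.append(row)
    return rows, lost

# Constructed sample feeds; the second record of A is related to the first.
SAMPLE_A = ("ioc,type,seen,conf,parent\n"
            "198.51.100.7,IPv4,2014-06-23,80,\n"
            "malware.example.,hostname,2014-06-23,60,198.51.100.7\n")
SAMPLE_B = json.dumps([{"value": "2001:db8:0:0:0:0:0:1", "category": "ip-dst",
                        "ts": "2014-06-24T10:00:00Z", "score": "9",
                        "analyst": "team-x"}])
```

    Calling `ingest(SAMPLE_B, FEED_B)` flags `analyst` as a field with no canonical slot, and `emit` of feed A's records into feed B's format flags `related` as information the recipient format cannot represent.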

  • Enterprise Security Monitoring: Comprehensive Intel-Driven Detection

    David BIANCO (Mandiant Corporation)

    Before coming to work as the Hunt Team Manager and DFIR subject matter expert at Mandiant, David spent five years helping to build an intel-driven detection & response program for a Fortune 5 company. He set detection strategies for a network of over 500 NSM sensors in over 160 countries and led response efforts for some of the company’s most critical incidents, mainly involving targeted attacks. His blog is Enterprise Detection & Response (detect-respond.blogspot.com).
    This is a great time to be in the detection field! More and more organizations are waking up to the fact that an effective detection program is a “must-have” to protect themselves against sophisticated threats. This creates a market for high-quality threat intelligence, and many groups are stepping up to meet this demand. With very little effort, your organization can connect to any number of quality data feeds, both commercial and free. However, this can lead to its own problems: almost no one is using threat intel effectively! Now that you’re drowning in a sea of intel, how do you make sense of it all and ensure that you are making maximum use of this information to provide the best possible detection strategies for your organization?

    When you fully leverage your knowledge of an adversary to rapidly detect and respond to their attacks, you deny them access to their tradecraft. You become a harder target and they feel the burn! David developed the ESM method and its fundamental model, the "Pyramid of Pain", while creating and running the worldwide detection program at a Fortune 5 company. Learn how to apply ESM in your org to bring the fight to the attackers!
    June 23rd, 2014 10:00 – 11:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Everyday Cryptography

    John KRISTOFF (Team Cymru)

    John Kristoff is a researcher with Team Cymru, an Internet security research organization dedicated to making the Internet more secure.
    This session aims to help enhance trust, privacy and connectedness of FIRST participants by inviting them to learn about and better utilize everyday cryptographic protocols and tools in the applications they regularly interact with. We will briefly introduce PGP for encrypted email, SSL/TLS certificate issues, key signing and certificate notarization issues, software old and new, and new infrastructure technologies such as DNSSEC, BGPSEC and DANE that aim to improve the trustworthiness of everyday Internet communications without end user intervention. As a special incentive, a special gift will be provided for each session attendee who exchanges PGP signatures with the presenter.
    June 27th, 2014 10:00 – 11:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Evidence Based Risk Management and Incident Response

    Jake KOUNS (Risk Based Security), Carsten EIRAM (Risk Based Security)

    Jake Kouns, CISO - Risk Based Security

    Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, that oversees the operations of the Open Source Vulnerability Database (OSVDB.org) and DataLossDB.org. Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, CanSecWest, SOURCE, FIRST and SyScan. He is the co-author of the book Security in an IPv6 Environment, Francis and Taylor, 2009, Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

    Carsten Eiram, Chief Research Officer - Risk Based Security

    Carsten Eiram is the Chief Research Officer of Risk Based Security and previously worked for Secunia for 10 years, managing the Research team. Carsten has a reverse engineering background and extensive experience in the field of Vulnerability Intelligence, jokingly referring to himself as a vulnerability connoisseur. He has deep insights into vulnerabilities, root causes, and trends, and is also an avid vulnerability researcher, having discovered critical vulnerabilities in high-profile products from major vendors including: Microsoft, Adobe, Symantec, IBM, Apple, Novell, SAP, and Trend Micro. Carsten is also a regular contributor to the “Threat of the Month” column in SC Magazine, a credited contributor for the “CWE/SANS Top 25 Most Dangerous Software Errors” list since its launch, and member of the CVE Editorial Board and FIRST VRDX-SIG. He has previously presented at conferences such as FIRST, RSA, DEF CON, Defcamp, and RVAsec.
    Everywhere you turn there seems to be bad news about the state of security at organizations these days. With approximately 10,000 vulnerabilities disclosed each year and many of them very basic in nature, it is clear that vendors have not implemented the security improvement we desire in our software. As the code providing our basic infrastructure (e.g. water, electricity), cars, medical devices comes under increasing scrutiny and attack, dramatic reports flood the news about how vulnerable these critical systems are and the mass chaos that could ensue, if they were compromised or destroyed.

    Unfortunately, no matter how many new shiny information security appliances are purchased, data breaches continue to happen at alarming rates. It doesn't matter what industry or the size of an organization, as no company seems to be immune. The number of data breaches in 2012 hit record highs with over 3,100 known breaches. In all, there have been over 10,000 known data breaches tracked by the DataLossDB.org project, and with over 2.4 billion records exposed, the costs to organizations simply cannot be ignored.

    This presentation will review the following topics using evidence from the OSVDB.org and DataLossDB.org projects:

    - Review general statistics about data breaches including prevalent breach types
    - Dissect vulnerability statistics and information
    - Review the state of SCADA software and vulnerabilities published
    - Provide detailed breach and vulnerability information and advice to help your organization prioritize risk management and response planning efforts
    June 27th, 2014 11:00 – 12:00

    Terrace Room (Lower Lobby - Basement)

  • Exfiltration Framework (ExF)

    Eric ZIELINSKI (Nationwide), Mick DOUGLAS (Nationwide)

    Eric Zielinski is a Lead Forensic Examiner and Incident Responder for a Fortune 100 company. With over 15 years of security leadership experience he has performed attack and penetration, forensics, incident response, and security monitoring. His experience ranges from working for an ISP to security consulting, to managed security services, and financial institutions.
    He has been engaged in various infosec community initiatives such as the development of the Exfiltration Framework and is a frequent speaker at forensic conferences such as the CEIC. He is a certified EnCE and member of HTCIA.

    Mick Douglas is a community level instructor for the SANS institute and has taught SANS 504 "Hacker Techniques, Exploits and Incident Handling" and SANS 507 "Auditing Networks, Perimeters & Systems". He is a senior contributor to the PaulDotCom weekly security podcast. While Mick enjoys and actively participates in penetration testing, his true passion is defense -- tweaking existing networks, systems, and applications to keep the bad guys out. In addition to his technical work, Mick jumps at every chance to participate in a social engineering engagement.
    Data exfiltration is a common theme in most attack scenarios. The challenge in this space is sufficiently thwarting data exfiltration methods. This talk discusses a new approach to exfiltration of data. We have developed an Exfiltration Framework which provides insight on how to proactively detect exfiltration methods and how to respond to them. The Exfiltration Framework is the core building blocks to understand what data is leaving the network and how it can be slowed down or prevented. The Exfiltration Framework is designed to delay and/or prevent economic loss and strengthen security posture. Components of this framework allow for quick implementations of security techniques that can be applied to various environments within your network to better protect your data. We have defined new methods of security defense tactics that will help prevent against unauthorized exfiltration of data. The Data Exfiltration Framework can be used to identify gaps in your network and secure data leaving the network.
    June 23rd, 2014 15:00 – 16:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • First Step Guide for Building Cyber Threat Intelligence Team

    Hitoshi ENDOH (NTT-CERT)

    Hitoshi ENDOH:
    Research Engineer, Security Management & Operation Project, NTT Secure Platform Laboratories.
    Hitoshi joined the cyber space laboratories at the R&D section of Nippon Telegraph and Telephone Corporation (NTT), Japan in 1997. He built Information System Security Guidelines and a security vision with medium and long term action plans for a group company. Since 2012, he has been working on CSIRT activities at NTT-CERT. He is working on information sharing with other CSIRT teams and cyber threat analysis.

    Natsuko INUI:
    CDI-CIRT / Cyber Defense Institute, Inc., Information Analysis Department / Chief Analyst
    Localization project manager for enterprise software and vulnerability notes and security papers. Joined Cyber Defense Institute (CDI-CIRT) in November 2009 involved mostly in government research projects, cyber exercises, and incident response. Steering Committee member of the Nippon CSIRT Association.
    Hitoshi Endoh (NTT-CERT, Analyst)
    Natsuko Inui (CDI-CIRT, Analyst)

    As cyber threats and attacks have evolved into sophisticated and goal oriented attack scenarios, protection with conventional incident response methods has become increasingly difficult. The importance of Cyber Threat Intelligence is widely known by CSIRTs because, although the detection phase is the first of the three basic incident response steps (detection, triage, response), recent attacks often go unnoticed for long periods of time, in some cases for years. On the other hand, there is a lack of know-how on building a Cyber Threat Intelligence Team.

    Through incident response services, Cyber Defense Institute (CDI-CIRT) has gained knowledge on the importance of situational awareness, and the processes that follow in building a Cyber Threat Intelligence team. The purpose of this presentation is to first introduce a "best practice" flow and tips for building a Cyber Threat Intelligence Team, and to share the know-how of building such a team and the lessons learned from the case of NTT-CERT, which has built a newly organized team since January 2013. This presentation will also introduce concrete methods acquired through our cyber intelligence activities.

    Some cybersecurity companies have their own Cyber Threat Intelligence Teams now and there are a lot of presentations about the great importance and helpful knowledge for leading Cyber Threat Intelligence Teams which are already above a certain level.

    However, this know-how and knowledge is not really useful for someone who plans to build a Cyber Threat Intelligence Team from scratch, because it is too difficult to learn. This presentation will introduce a First Step Guide for building a Cyber Threat Intelligence Team based on an actual example, the building of NTT-CERT's intelligence team. We will also provide the lessons learned on how to keep the team performing well, and will compare the two teams, NTT-CERT and CDI-CIRT, as two different existing examples.

    Topics are below:
    # The three phases of building a cyber threat intelligence team
    Recognition (situational awareness)
    Assessment (building a strategy)
    Taking Action (team building, automation of specific functions, operation)
    # Definition of Security Intelligence of NTT-CERT (Mission, constituency, Outputs)
    # How to earn skills of cyber threat intelligence
    # Process of analysis and reporting
    # Daily work (Collecting information)
    # Sharing information with other CSIRTs
    # Requirements for networks and tools
    # Requirements for facilities
    # Lessons learned
    - Team building, operation and maintenance
    - Report creating (Phase: Collecting information, Hypothesis testing, Analysis)
    # A comparison of 2 different intelligence teams
    CDI-CIRT (security specialists and white hackers)
    NTT-CERT (largest telecommunications company in Japan)
    # Future plans
    June 24th, 2014 13:30 – 14:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • From Participant to Planner - Surviving Cyber Exercise Armageddon

    Robert PITCHER (Canadian Government)

    I am currently a member of the Partnership and Engagement section of the National Cyber Security Branch. Prior to this position I was a senior cyber strategist with the Canadian Cyber Incident Response Centre; the national CERT of Canada. I have 14 years of industry experience that is divided between the private and public sectors, with the past 7 years spent specializing at the national security level. Within my various positions, I have served and continue to serve as the senior point of contact within our sector for cyber based exercises within Canada; and it is this knowledge base that I intend to draw on to deliver these findings.
    Cyber based exercises are quickly becoming the de facto way to test systems and networks in preparation for the next cyber based emergency. The concept of large scale cyber based emergencies has become a daily threat to those in the CERT profession, and to those whom we protect. In order to ensure that we are prepared to handle the worst case scenario, industry and governments have taken to planning and participating in numerous cyber based exercises to support their ability to respond. However, bigger is not always better, and more is not always best. Having participated in and planned many cyber based exercises over the past 7 years, I will provide an experienced overview that will highlight the key areas and considerations that are essential to the development and deployment of well-rounded scenarios. Participants will leave the presentation with knowledge of what it takes to run an effective cyber exercise from both a domestic and an international viewpoint.
    June 25th, 2014 15:00 – 16:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Human Intelligence Sharing for Collaborative Defense -- Op Sec Trust

    Dr. Paul VIXIE (Farsight Security, Inc)

    Paul Vixie founded a handful of Internet related companies and projects including MAPS, the first anti-spam company; PAIX, the first neutral commercial Internet exchange; and ISC, the home of BIND and F-root. He is the inventor of several Internet DNS and security related technologies including RPZ (DNS firewall), DNS RRL (response rate limiting), NCAP (passive network telemetry toolset), TSIG (DNS transaction signatures), and other works that time has forgotten. Dr. Vixie earned his PhD from Keio University on DNS related work. He is a founding member of ICANN SSAC and RSSAC, and he served on the ARIN board from 2005-2013.
    Human intelligence sharing requires a high level of trust, noting that real and effective trust is earned individually not assigned by an employer. Of the dozens of mailing lists and other forums where human intelligence is shared today, one stands out -- Op Sec Trust -- for its demonstrated effectiveness, efficiency, and scale. Dr. Vixie was an early member of Op Sec Trust, before he hijacked the project by writing some code to support the unique philosophy and objectives of what would otherwise have been "just another security related mailing list." In this presentation, Vixie will explain what went right, what went wrong, where Op Sec Trust is today, and where he expects it to go next.
    June 25th, 2014 13:00 – 13:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Identifying the 'Root' Causes of Propagation in Submitted Incident Reports

    Thomas MILLAR (US-CERT)

    Our joint team consisted of members from US-CERT, Microsoft, and Carnegie Mellon SEI CERT, bringing real data, a consistent taxonomy, and domain experience together. The lead presenter will be Sam Perl, a researcher from Carnegie Mellon SEI CERT. Sam is a member of the CSIRT development team and has over 10 years of experience working with large client organizations to manage various operational IT security risk issues.
    Incident response is most obviously about incidents, but looking deeply at root causes has helped improve safety in many fields. We wanted to see if current incident reports could yield interesting root cause information. Such information would obviously be less complete than (say) a finished National Transportation Safety Board report, but could we extract it at all?

    Incident reports are notoriously of inconsistent quality, hard to aggregate, and complex to analyze for useful conclusions. Further complicating the problem, IR teams are often given incident reports from others over whom the IR team has no authority to dictate reporting requirements.

    We set out to determine whether we could use incident reports submitted by others to assess the success rates of various malware propagation vectors.

    Our approach applied a consistent taxonomy for malware propagation to a sample of incident reports. We will discuss key areas where the taxonomy worked and where we encountered problems.

    We found that for our selected sample, using some important assumptions, we were able to identify a reasonably accurate propagation vector (root cause) for over 70% of the reports with compromises. We will also discuss results showing that some of the same threat vectors were particularly problematic to many different reporters.

    We will talk about how conditions in the data were favorable or unfavorable to our efforts and what implications this may have on our ability to apply this method to other incident reports.
    June 25th, 2014 11:00 – 12:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Implementers' Workshop : Automated Information Sharing with TAXII and STIX

    Richard STRUSE (DHS), Thomas MILLAR (US-CERT)

    Mr. Struse serves as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he is responsible for technology vision, strategy and implementation in support of the NCCIC’s mission.

    Mr. Struse is also the creator of the STIX and TAXII automated information sharing initiatives at DHS. Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extremely high reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories where his work focused on tools to automate software development and the UNIX operating system.
    Since early 2012, the US Department of Homeland Security has been working in close collaboration with US-CERT team members and partners from critical infrastructure organizations to standardize automated information sharing between diverse trust communities, platforms and services. This workshop will begin by presenting a brief overview of the origins and objectives of the Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX) standardization initiatives followed by a deep dive into the technical details of each specification along with an introduction to the utilities, samples and libraries that are already available. Participants are actively encouraged to raise questions, propose requirements, and become active contributors to these community-driven efforts.

    Truly interoperable, automated information sharing is a key capability for our shared success as cybersecurity responders and defenders. While each organization's circumstances will drive different implementations with unique features and restrictions, a common message exchange and representation language will allow every CSIRT and SOC to realize new opportunities for more advanced analysis, faster response, and most importantly, more chances to deploy preventative measures before new attacks affect your constituency. This workshop is an opportunity to learn more about how to begin integrating STIX and TAXII into your team's environment and for current adopters to interact in person with the chief architect and engineering team supporting the effort.
    June 23rd, 2014 13:30 – 14:30

    Terrace Room (Lower Level - Basement)

  • Incident Response Coordination on a Global Scale: Your Assistance is Requested...

    Kauto HUOPIO (NCSC-FI)

    Mr. Kauto Huopio is a Chief Specialist at the National Cyber Security Centre Finland (NCSC-FI). Since 1 January 2014, CERT-FI has been a part of the National Cyber Security Centre Finland (NCSC-FI), located within Finnish Communications Regulatory Authority (FICORA). Kauto has more than a decade's worth of experience in cyber security.
    During the autumn of 2013, CERT-FI got a call from the police. Finnish and American law enforcement officials had been investigating a group of hackers with links to Finland. The investigators had gotten hold of large amounts of stolen user credentials and material indicating thousands of backdoored servers all over the world. The police requested that CERT-FI take care of contacting the victims. Why not, we thought. This is what we do every day.

    It turned out there was lots of material. An awful lot of it. CERT-FI duty officers have already been handling the material for months and have notified thousands of sysadmins in the process. It looks as though there are still some months' worth of work ahead even if the police don't uncover any new material. This was clearly more than we had prepared for. Probably more than most CSIRTs in the world would have prepared themselves for.

    Originally, the case seemed like a no-brainer. A systems administrator of a US-based web site reported an intrusion to CERT-FI, as there were signs indicating a Finnish actor behind the case. CERT-FI checked the facts, passed the material forward, pulled some strings in Finland and pretty much put the case to rest. In the meantime, the incident report led to a criminal investigation, the investigation led to a potential suspect, the suspect got arrested, the police led a successful interrogation and hit the jackpot upon seizing the perpetrators' computers. A couple of weeks later, the case returned to CERT-FI's desk, this time bigger than any case we had ever handled.

    The presentation will focus on incident response coordination on a global scale. We will discuss the following stages of this particular incident:

    1) Initial discovery: most incidents still go unnoticed; this time, one vigilant sysadmin got lucky

    2) "Pass the Torch, part I": the vigilant sysadmin reported what was believed at the time to be an isolated case to CERT-FI

    3) Domestic LE process: good old-fashioned police investigation

    4) International LE process: the hacker group begins to unfold

    5) "Pass the Torch, part II": CERT-FI contacted national CSIRTs all over the world (still ongoing)

    6) "Pass the Torch, part III": The reports were being passed to the sysadmins (still ongoing)

    7) Follow up: (we haven't even gotten to that yet)

    An incident of this magnitude requires active local and national level CSIRT cooperation. Unless the actual victims are notified their systems will never be cleaned.

    In our presentation we will discuss our understanding of the roles of the various parties. We will outline the challenges we faced while reaching the countries that still lack an established national CSIRT (kudos to the FIRST community for helping us out!). What would we do differently next time? What would our advice be to other CSIRTs? When do we consider this particular case closed? We will also present our experiences with handling media relations. In the domestic setting, we utilised the mainstream media to get the word across. After the story picked up, we almost got run over by the media.
    June 27th, 2014 10:00 – 11:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Intelligence Driven Security

    Adam MEYERS (CrowdStrike, Inc)

    Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam’s responsibility to oversee all of CrowdStrike’s intelligence gathering and analytic activities. Adam’s Global Team supports both the Product and Services divisions at CrowdStrike and Adam manages these endeavors and expectations. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the NPO Division of SRA International. He served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects.
    Cyber adversaries are targeting your enterprise every day. Defending/repelling these attacks is becoming less and less feasible; the adversaries are numerous and belligerent. This talk will explore what can be learned from the adversary's tactics, techniques, and procedures to leverage intelligence about the adversary and their techniques to strengthen your defensive posture. This talk will further explore a system for categorization in order to monitor and track advanced adversaries engaging in sustained attempts to access the enterprise. The key elements for collecting intelligence in today's complex environment and the legal challenges surrounding these measures will be discussed. Finally we will explore how to leverage this intelligence to further your proactive security program in terms of user awareness, security testing, training, and defensive strategy.
    June 23rd, 2014 13:30 – 14:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Investigator of Interest – Our Philosophy of Adaptive Incident Response to Turn the Tables During an Investigation

    Pascal ARENDS (Fox-IT)

    Pascal works for Fox-IT in the Netherlands. He is a core member of the FoxCERT team and specializes in host investigations.
    “You are being watched, the attacker has a secret system —a spying program— that spies on you every hour of every day. I know, because we have seen it (multiple times).”

    Imagine that you are investigating a breach but the attacker keeps ahead of your investigation. You see malicious traffic on the IDS but once you investigate the machine of interest there are no more traces of the attacker, and the malicious traffic has stopped.

    In this presentation we will provide insight into our philosophy of adaptive incident response. Adaptive incident response requires more than simply running a technical investigation. Crucial, for example, is rapid attacker profiling and how you can use it to adjust your investigation strategy. What type of attacker is this, what do they want and what are their capabilities? The results influence your strategy: live investigation versus offline investigation, network agents versus tools already in place, active versus passive monitoring and offline bulk analysis. In addition, we’ll discuss practical countermeasures that our investigators use to step up our investigation and keep ahead of attackers. We’ll discuss investigation platforms, communications and systems.

    Ultimately, adaptive incident response is about turning the tables: once an attacker is inside, they become the defender.
    June 25th, 2014 13:30 – 14:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Looking Back at Three Years of Targeted Attacks: Lessons Learned on the Attackers’ Behaviors and Victims’ Profiles

    Dr. Olivier THONNARD (Symantec)

    Dr Olivier Thonnard is a Principal Research Engineer at Symantec Research Labs (SRL), Symantec’s global research organization, which is focused on technology innovation as well as thought leadership in many aspects of computer and network security. His R&D activities are focused on data analytics and Internet threat analysis, in particular data mining, machine learning and Big Data analytics for cyber intelligence.
    Targeted attacks consist of sophisticated, low-copy-number malware developed by attackers having the resources and motivation to research targets in depth. In this talk, we analyze the main trends and characteristics of this escalating threat based on a large corpus of targeted email attacks identified by Symantec in the last three years (2011-2013). Using in-house developed forensics and attack investigation techniques, we analyze a series of notable targeted attack campaigns, like Elderwood, CommentCrew, and some others. We will highlight similarities but also some significant differences in the modus operandi and level of sophistication of the attackers involved in these different malware campaigns. Finally, we look at the victims' side by analyzing the profiles of the organizations and individuals who seem to be more specifically targeted by these spear-phishing attacks.
    June 26th, 2014 11:00 – 12:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Malware\Host Analysis for Level 1 Analysts

    Garrett SCHUBERT (EMC Corporation)

    Garrett Schubert specializes in Information Security and Cyber Threat Defense with a focus on Intelligence-driven response. With a decade of experience in Information Technology\Security he works to identify anomalous behavior, triage the activity and mitigate all known threats. Mr. Schubert currently leads the Critical Incident Response Team for EMC Corporation and is also its lead Incident Handler. His experience handling hundreds of cyber incidents, from Fortune 500 companies to large academic institutions, gives him a thorough understanding of the current threat landscape and the latest detection\mitigation strategies. Mr. Schubert holds a degree in Computer Engineering Technology from Wentworth Institute of Technology and a graduate certificate in Applied Intelligence from Mercyhurst University.
    When defending against bleeding-edge cyber threats, it is critically important to identify the threat at the earliest stage possible. When an Incident Response team must wait for complete hard-drive analysis to be done to understand the impact of an incident, the exposure time to the organization can be enormous. What would your exposure surface look like if your level 1 (first responder) analyst, who received the first alert, could identify the source of the suspicious network activity, review the system, and identify the process initiating the connection, all in under an hour? In incident response your security team needs to work like a hospital ER\EMT: the team must triage, diagnose and contain a “threat” before any major surgery or operating-room activity can take place.
    In this presentation we will review the People, Process, and Technology that the EMC CIRC utilizes to respond to host-based cyber threats from time of detection until host analysis.
    June 26th, 2014 11:00 – 12:00

    Terrace Room (Lower Lobby - Basement)

  • Managing Your Managed Security Service Provider: Improve Your Security Posture

    Stephen SELJAN (General Dynamics Fidelis Cyber Security Solutions)

    Stephen is a Senior Advanced Engineer for General Dynamics Advanced Information Systems (GDAIS) Cyber Division. He has over 15 years of experience in Information Security with a focus on threat detection and traffic analysis. He spent most of his career working for two of the largest MSSPs (Managed Security Service Providers) in the world, developing the skills required to identify threats and perform deep packet analysis. He has been trained to manage and operate almost every IDS/IPS/HIPS solution on the market to date. He detected and reported one of the largest data breaches in history, and while working on this breach he received multiple awards and commendations for his hard work and dedication to the project.

    • 15 years as an Analyst/Senior Analyst in large scale Security Operation Centers
    • Conducted and directed large-scale intrusion investigations in 2012 through 2013; leveraged network and host-based forensics and live monitoring to detect intruder activity
    • Trained SOC analysts to detect legitimate threats against organizations such as SQL injections, malware outbreaks, exploit attempts and other threats
    • Developed and monitored the SOC incident response policy and procedures at a Fortune 500 financial institution
    • Led and managed intrusion analysis operations at Global Payments
    • Developed and implemented incident detection and response
    • Implemented, maintained and adapted rapid malware analysis protocols and reduced analysis time from weeks to days and hours
    • Led and trained all SOC personnel in SOC operations and procedures
    • Recommended and implemented multiple security tools then tested the tools for stability and effectiveness
    • Identified thousands of targeted 0-Day Malware executables and submitted them for signature creation with the AV/IDS vendor
    • Created and documented all processes for SOC operations
    • Generated reports and completed all tasks for PCI compliance during project Fortress
    • Created a series of one page how-to documents covering processing of flat logs, recognition of different types of intrusions and incident specific intrusion analysis strategy
    • Spearheaded malware collection effort leveraging historical data in an effort to increase relevant system detection through the use of target specific datasets
    Do you have an MSSP or an SSP? In this session, I will discuss what a Managed Security Service Provider means to you and your organization and how to strike the right balance in the relationship to make sure you are seeing the best view of your network’s threats. Much of the success of the partnership rests on your definition of an MSSP. For example, do you believe that an MSSP should manage your security, tell you which alerts are important to you, and make sure all of your devices are reporting properly? If you believe that your MSSP should manage your company’s security autonomously, you are leaving your organization open to risk. An MSSP should be managed, directed, led and monitored by you.
    Critical questions to ask:
    • Does your MSSP know where critical infrastructure is?
    • Does your MSSP know what traffic is important to you?
    • Does your MSSP know what you are vulnerable to?
    • Who accepts financial responsibility if you get breached?
    • Whose reputation is damaged when a breach is reported?

    For almost 15 years I have worked with MSSPs. I have seen clients that managed the relationship with the MSSP and had a good security posture. These clients were rare, probably one in a thousand. More often, I've experienced clients who depend on the MSSP to manage itself. This is a critical error by the client, and we will discuss some of what needs to be done by you, the client, in order to properly manage the MSSP, thereby decreasing your risk and improving your security posture.
    Your MSSP can only be as good as the management you provide the “SSP”. As the data holder you alone are held responsible and suffer if your data gets breached. It is up to the client to hire security professionals that understand data security, know how to identify threats, know proper incident response, and know how to manage your MSSP. Your MSSP contractually acts as “Tier 1” only, meaning they receive alerts from your systems and only escalate what they think should be viewed by your internal “Tier 2” analysts. In this session we will get into the details on how you can get a better view of your threats and effectively manage your risks.
    June 24th, 2014 16:00 – 17:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Merovingio: Mislead the Malware

    Juan Carlos MONTES (INTECO-CERT)

    Juan C. Montes works as technical manager of malware and forensics services at INTECO-CERT. He has been working in the IT industry for more than 10 years, mainly as a security auditor and forensic/malware analyst, always in the security field.
    He is GREM (GIAC Reverse Engineering Malware), GCFA (GIAC Certified Forensics Analyst), ISMS Auditor and Specialist ISMS Implementer by AENOR.

    He has spoken at multiple national and international security forums, like TF-CSIRT, ENISE, NavajaNegra, among others. He has also participated as teacher in the Master Degree in Information Security at the University of León (Spain), and in the first edition of the EUROPOL "Fighting Cybercrime Training Course".
    The main problem our teams face when analyzing malware incidents is the limitation imposed by virtual machines: each sample has to be analyzed in a separate virtual machine.
    Our main objective with Merovingio, although not the only one, has been to mitigate this limitation.
    Merovingio is an automatic analysis system that allows the parallel execution of more than 25 samples per GB of RAM in a single virtual machine. No sample affects the system or the execution of any other sample, so the only limit is the number of samples the virtual machine can hold at the same time.
    Each sample runs in an isolated environment at the execution level, and its behavior is confined to a directory structure it cannot leave; to improve the system further we can use real machines to avoid virtual machine detection.
    Moreover, since all of a sample's actions are monitored using the PEBHooking technique presented in Phrack #65, we control every API the sample uses: we can capture the parameters of each API call, and we can modify the behavior of any API we consider interesting.
    Along these lines we have run the system with more than 50 controlled APIs, allowing us to control the sample when it performs actions such as process creation, file operations, execution of other samples, Windows registry access, socket communication, and reading from or writing to other processes.
    We have also added a system to capture and read everything written, which allows us to reconstruct the execution of a sample that is being modified from a remote process, as happens with some samples that use Armadillo as a packer. All this information is base64-encoded and stored in our database.
    In addition, we can simulate a sample's behavior without the sample itself noticing. If the sample tries to create a file, we can hand it a handle and report that the file was created correctly, while in fact the handle has only been registered in our database and the file does not exist on disk.
    When the sample then tries to write something to that file using the same process, we tell it the write succeeded and record all this information in our database, but the hard disk has not been modified.
    This technique is even more useful when facing communication with C&C panels. When a sample tries to connect to a C&C panel, even if the panel is inactive, we can simulate the communication, or route it directly to another IP, without the sample realizing it.
    Our objective for Merovingio is to increase the sample-analysis capacity of our incident response team, and also to investigate and detect samples with novel behaviors.
    The last part of our system is a behavior analyzer that lets us say whether a sample is malicious or not as a function of its interaction with the operating system. Logically, if notepad writes into the explorer process and then creates a remote thread in that process, that is not good behavior. This is our aim.
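    As an added illustration of that last step, and not code from Merovingio itself, the block below runs two behavior rules over a constructed API-call trace of the kind a hooking sandbox records. The trace layout (caller pid, image, API name, argument dict), the sample rows and the rule thresholds are assumptions made for the example; the first rule is exactly the notepad-writes-into-explorer case, the second catches a file the sample wrote to disk and then executed.

```python
from collections import defaultdict

# Constructed API-call trace (not a real sandbox log): (caller pid, caller
# image, API name, arguments). Pid 100 is the sample, pid 200 stands in for
# explorer.exe, pid 300 is an unrelated benign process.
SAMPLE_TRACE = [
    (100, "notepad.exe", "OpenProcess", {"target_pid": 200}),
    (100, "notepad.exe", "WriteProcessMemory", {"target_pid": 200, "size": 4096}),
    (100, "notepad.exe", "CreateRemoteThread", {"target_pid": 200}),
    (100, "notepad.exe", "CreateFileW",
     {"path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe", "access": "write"}),
    (100, "notepad.exe", "WriteFile",
     {"path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe", "size": 20480}),
    (100, "notepad.exe", "CreateProcessW",
     {"path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe"}),
    (300, "calc.exe", "RegQueryValueExW",
     {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}),
]


def find_injection(trace):
    """WriteProcessMemory into a target followed by CreateRemoteThread in the
    same target by the same caller: classic remote code injection."""
    written = defaultdict(set)   # caller pid -> target pids it wrote into
    hits = []
    for pid, image, api, args in trace:
        target = args.get("target_pid")
        if api == "WriteProcessMemory":
            written[pid].add(target)
        elif api == "CreateRemoteThread" and target in written[pid]:
            hits.append((pid, image, target))
    return hits


def find_drop_and_execute(trace):
    """A file the caller wrote to disk and later started as a process."""
    dropped = defaultdict(set)   # caller pid -> lower-cased paths it wrote
    hits = []
    for pid, image, api, args in trace:
        path = args.get("path")
        if api == "WriteFile":
            dropped[pid].add(path.lower())
        elif api == "CreateProcessW" and path.lower() in dropped[pid]:
            hits.append((pid, image, path))
    return hits


def verdict(trace):
    """Return (malicious?, findings-per-rule) for a whole trace."""
    findings = {
        "remote_code_injection": find_injection(trace),
        "drop_and_execute": find_drop_and_execute(trace),
    }
    return any(findings.values()), findings


if __name__ == "__main__":
    malicious, findings = verdict(SAMPLE_TRACE)
    print("malicious:", malicious)
    for rule, hits in findings.items():
        for hit in hits:
            print(f"  {rule}: {hit}")
```

    Both rules key on the caller pid, so a benign process doing one half of a sequence (a debugger writing memory, an installer writing a file) does not trip them; only the combination, by the same actor, does.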
    June 26th, 2014 13:00 – 13:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • MMPC's Coordinated Malware Eradication

    Holly STEWART (Microsoft)

    Dennis Batchelder has worked across all disciplines in the security industry for over 20 years as an architect, engineering leader, and entrepreneur. At Microsoft, Dennis is responsible for managing the antimalware initiatives. This includes Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, Microsoft’s antimalware engine, the antimalware research team, and the antimalware industry partnerships.
    The antimalware industry has spent the past two decades detecting, blocking, and removing malware for their customers. And while they can claim business success, the industry’s disjointed efforts put little real pressure on the malware syndicates: it’s all too easy to sidestep individual defenses, spew more malware into the system, and continue to enjoy a high return on malware investment.

    Defending customers is important, but it doesn’t remove malware’s value proposition. If we want the syndicates gone, we have to hit them where it hurts: their wallet. We need to coordinate not just with each other, but cross-industry to do this.

    Dennis will present examples of successful coordinated efforts the Microsoft Malware Protection Center (MMPC) has led against the malware syndicates. He’ll describe MMPC’s initiative on how not only security vendors, but also CERTs, Internet service providers, and ecommerce companies are working together to execute coordinated eradication campaigns that increase customer protection, reduce risk management and fraud costs, and, most importantly, remove the value proposition that sustains the large scale malware syndicates.
    June 25th, 2014 13:30 – 14:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Network Security Analytics Today

    Aubrey MERCHANT-DEST (Blue Coat Systems, Inc.)

    Aubrey has 27 years of experience in Network & Systems/Sales Engineering in both Carrier (fixed and mobile) and Enterprise environments. Prior to joining Solera Networks in 2011 he held SE positions at Qosmos, Ellacoya Networks, CloudShield and iPolicy Networks with a focus on security, traffic engineering/management and network analytics. He has an in-depth and hands-on understanding of networking from layer 2 through 7. While at Solera Networks he supported both commercial and Government business and played a key role in winning large key customers in the financial and Government sectors. With a total of 9 years in Deep Packet Inspection (DPI), his key focus is on how DPI helps solve key issues related to network visibility/context and security analytics. Aubrey is currently Security Director for the Americas.
    This presentation/discussion will focus on the use of ‘rich flow-data’ to expose potentially malicious activity on your network which may not be caught with current perimeter defense platforms. The objective is to get the audience thinking about what questions they can ask of the ‘network’ to gain intelligence and mitigate gaps in current defenses.

    The 2013 Verizon breach report found that 84% of attacks happen within hours, yet 62% take months to discover. These are targeted attacks that skate past traditional perimeter security defenses because they are novel. By exposing the full visibility and context of network flows, these advanced attacks can be detected and mitigated faster. Richer session flow attributes and metadata as a source for analytics can help expose malicious activity that would otherwise go undetected.

    NetFlow has been available from routers and switches for well over a decade and is generally used by network operations personnel to detect protocol anomalies and denial of service attacks. Security operations personnel can benefit from NetFlow as well by correlating alarms and alerts to flow records. The information available from NetFlow is, however, limited when compared with the protocol parsers implemented in modern network forensic tools (NFTs). By passively tapping key network segments (gateways, server farms, partners) you can gain full visibility and context into traffic flows, allowing correlation of flow attributes from layer 2 to layer 7 (Ethernet, VLAN, application, filenames, sessions, packets, etc.) and providing attribution of hosts, users and applications. This is accomplished using protocol parsing and indexing of attribute containers. Using host attributes (IP addresses, users, country) you can perform frequency analysis to discover traffic patterns of interest. Adding attributes such as filenames, session and/or byte counts can expose additional activity which may initially seem unrelated.
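    As an added example of the frequency analysis described above, and not code from Blue Coat or Solera Networks, the block below indexes constructed flow records by destination, picks out the destinations that only one internal host talks to, and then enriches those with session count, outbound bytes and transferred filenames so that an odd-but-harmless destination can be told apart from one worth an investigation. The record layout (src, dst, country, app, filename, bytes_out), the rows and the thresholds are assumptions standing in for what a protocol-parsing forensic tool would index.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic. 10.0.1.0/24 is the inside;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used as "outside".
FLOWS = [
    ("10.0.1.5", "93.184.216.34", "US", "http", "index.html", 1200),
    ("10.0.1.6", "93.184.216.34", "US", "http", "index.html", 1300),
    ("10.0.1.7", "93.184.216.34", "US", "http", "logo.png", 900),
    ("10.0.1.5", "198.51.100.77", "XX", "http", "update.exe", 350000),
    ("10.0.1.5", "198.51.100.77", "XX", "http", "", 520),
    ("10.0.1.5", "198.51.100.77", "XX", "http", "", 510),
    ("10.0.1.8", "203.0.113.9", "DE", "smtp", "", 4000),
]


def destination_frequency(flows):
    """Number of distinct internal hosts that talked to each destination."""
    hosts = defaultdict(set)
    for src, dst, *_ in flows:
        hosts[dst].add(src)
    return {dst: len(srcs) for dst, srcs in hosts.items()}


def rare_destinations(flows, max_hosts=1):
    """Destinations seen from at most `max_hosts` internal hosts: the long
    tail where a single compromised host talking to its C2 shows up."""
    return sorted(dst for dst, n in destination_frequency(flows).items()
                  if n <= max_hosts)


def enrich(flows, dst):
    """Collect the other layer-7 attributes for one destination, so a rare
    destination is judged by what crossed the wire and not by rarity alone."""
    info = {"sessions": 0, "bytes_out": 0, "files": set(), "countries": set()}
    for _src, d, country, _app, fname, nbytes in flows:
        if d != dst:
            continue
        info["sessions"] += 1
        info["bytes_out"] += nbytes
        info["countries"].add(country)
        if fname:
            info["files"].add(fname)
    info["files"] = sorted(info["files"])
    info["countries"] = sorted(info["countries"])
    return info


def suspicious(flows, max_hosts=1, min_sessions=3,
               exe_suffixes=(".exe", ".dll", ".scr")):
    """Rare destinations that also show repeated sessions from the one host
    or an executable transfer. Returns (dst, [reasons]) pairs."""
    findings = []
    for dst in rare_destinations(flows, max_hosts):
        info = enrich(flows, dst)
        reasons = []
        if info["sessions"] >= min_sessions:
            reasons.append("repeated sessions from a single host")
        if any(f.lower().endswith(exe_suffixes) for f in info["files"]):
            reasons.append("executable transferred")
        if reasons:
            findings.append((dst, reasons))
    return findings


if __name__ == "__main__":
    for dst, reasons in suspicious(FLOWS):
        print(dst, enrich(FLOWS, dst), "; ".join(reasons))
```

    In the constructed data the SMTP destination is just as rare as the HTTP one, but only the latter combines rarity with an executable download and repeated small sessions from the same host, which is the pattern the added attributes make visible.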
    June 25th, 2014 11:00 – 12:00

    Terrace Room (Lower Lobby - Basement)

  • Newbie Welcome Reception

    First-time attendees, members and non-members, are invited to this special networking pre-reception with the FIRST Steering Committee and Membership Committee.
    June 22nd, 2014 18:30 – 19:00

    (TBA)

  • On the Outside of Tinba Looking In ...

    Peter KRUSE (CSIS Security Group A/S)

    Peter Kruse co-founded the Danish IT-security company CSIS in 2003 and is currently leading the eCrime department which provides services mainly aimed at the financial sector.

    His ability to combine a keen appreciation of business needs with a profound technical understanding of malware has made CSIS a valued partner of clients in both Scandinavia and the rest of Europe. Today, Peter is by far the most quoted IT-security expert in Denmark and considered among the most recognized in Europe. He has a long history of active participation in several closed and vetted top IT-security communities and has numerous international connections in the antivirus and banking industries, law enforcement and higher education institutions.
    The hunt for Tinba (aka Tinybanker) continues as we dig even deeper into this criminal outfit, which is clearly making preparations to offer Tinba (or rather Insiderz) as Crime as a Service.

    Tinba is primarily targeting Turkey, the United Arab Emirates and Germany, but as a crimekit it is easily a threat to any homebanking service. Besides the specifically attacked homebanking systems, Tinba also systematically harvests data from infected hosts, which can lead to damaging leaks of valuable company and customer data.
    June 24th, 2014 13:30 – 14:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Open DNS Resolver Check Site

    Takayuki UCHIYAMA (JPCERT Coordination Center), Hiroshi KOBAYASHI (JPCERT Coordination Center)

    Takayuki Uchiyama
    Taki works at JPCERT/CC as an Information Security Analyst. He is part of the Information Coordination Group within JPCERT/CC, and his main tasks include vendor / CSIRT coordination on security reports, mainly dealing with vulnerabilities, as well as maintaining communications with the various communities across the globe.
    Previous work includes being a compliance consultant, where main tasks involved working with Japanese clients to obtain FIPS 140-2 validations and drafting security documents, in addition to administration of employee benefit plans such as 401(k) and defined benefit plans.

    Hiroshi Kobayashi
    Hiroshi Kobayashi is a member of the Incident Response Team, Early Warning Group of JPCERT/CC. Since 2011, he has been handling domestic computer security incidents at the forefront. In addition to his role as an incident handler, he engages in incident analysis and its system development/operation. One of his significant contributions was the design and development of the “Open DNS Resolver Check Site” (http://www.openresolver.jp/en/), an easy-to-use online tool released in 2013.
    Before joining JPCERT/CC, he engaged in incident handling and network operation in a Japanese company.
    JPCERT/CC released the “Open DNS Resolver Check Site” on 31st of October, 2013. This web-based tool allows visitors to check if the DNS server configured on their PC and/or network device connecting to the site is running as an open DNS resolver or not.

    The trigger for the release of this site was a presentation delivered at APRICOT 2013 in March. During this presentation, it was reported that the number of open DNS resolvers deployed in Japan was the largest in the Asia Pacific region. These open DNS resolvers could be exploited to conduct significant DDoS attacks. After conducting an investigation, it was discovered that most of the open DNS resolvers in Japan either had dynamic IP addresses provided by an ISP (e.g. home networking devices such as routers) or were hosting servers such as VPS (Virtual Private Servers). We then developed the check site and also started coordinating with the relevant parties in order to eliminate these insecure resolvers.

    My presentation will share our experiences with this project, including the mechanism of the check site, the various findings obtained since its release, and our extensive global collaboration to tackle the issue.
    June 23rd, 2014 13:00 – 13:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)
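
    The abstract above does not describe how the check site decides that a resolver is open, so the following is an added example rather than the JPCERT/CC site's code: a direct probe that sends a recursive query to a candidate resolver and classifies the reply from its RA (recursion available) flag, RCODE and answer count. The query name, transaction id, the "fake_response" helper and the constructed replies it builds are all assumptions made so the classification can be exercised offline; "check_resolver" is the only function that touches the network.

```python
import socket
import struct

QUERY_NAME = "example.com"  # assumed: any name the probed server is not authoritative for


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query with RD (recursion desired) set."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [label.encode() for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN


def parse_response(data, txid):
    """Return the header fields the check needs, or None when the
    transaction id does not match (a stray or spoofed datagram)."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return None
    return {
        "qr": bool(flags & 0x8000),   # set on responses
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": flags & 0x000F,      # 0 NOERROR, 5 REFUSED, ...
        "answers": an,
    }


def classify(resp):
    """An open resolver answers a recursive query for a zone it is not
    authoritative for: RA set, NOERROR and at least one answer record."""
    if resp is None or not resp["qr"]:
        return "no-response"
    if resp["ra"] and resp["rcode"] == 0 and resp["answers"] > 0:
        return "open-resolver"
    if not resp["ra"] or resp["rcode"] == 5:
        return "closed"
    return "unknown"


def check_resolver(ip, name=QUERY_NAME, timeout=3.0, txid=0x1234):
    """Live probe over UDP/53. Only run it against hosts you are allowed to test."""
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(parse_response(data, txid))


def fake_response(query, ra, rcode, with_answer):
    """Constructed reply for offline use: echoes the question section,
    sets the flags and optionally appends one A record (192.0.2.1)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if with_answer else 0, 0, 0)
    question = query[12:]
    answer = b""
    if with_answer:
        # name = compression pointer to offset 12, type A, class IN, TTL 60, rdlength 4
        answer = struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 192, 0, 2, 1)
    return header + question + answer
```

    The transaction-id check matters in practice: an unsolicited datagram from a third party must not be mistaken for the probed server's answer. A server that replies with RA clear, or with REFUSED, is doing the right thing for outside clients; a server that happily recurses for anyone is the amplifier the talk is about.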

  • Open Source Software Environment Security IssuesReturn to TOC

    Yoshiki SUGIURA (NTT-CERT), Keisuke KAMATA (Freelance)

    Yoshiki Sugiura
    Yoshiki Sugiura has over 10 years' software development experience at a software company (1985-1998).

    He has a varied background as a security professional. He was a member of the national computer security team JPCERT/CC from 1998 to 2002. He currently works for NTT-CERT and IL-CSIRT. NTT-CERT is the CSIRT for NTT Group, one of the biggest Japanese telecommunications companies. IL-CSIRT is the CSIRT for NTT DATA Intellilink Corporation. He has 15 years' experience in IT security and CSIRTs.

    He is a steering committee member of Nippon CSIRT Association(NCA). NCA is a community for CSIRTs in Japan.

    He is a big fan of GNU/Linux systems and wrote several magazine articles about GNU/Linux some years ago.

    Keisuke Kamata
    Keisuke Kamata, Senior Consultant, Col-Legno Co.,Ltd. Japan.

    Keisuke has 3 years of IT engineering background and 8 and a half years at JPCERT/CC, with experience in Incident Handling, Network Monitoring, Vulnerability Handling, Watch and Warning and International Coordination. After he left JPCERT/CC, he worked for The Bank of Tokyo-Mitsubishi UFJ for 3 years as an IT specialist, establishing various activities of MUFG-CERT and its cyber security strategy. Since April 2014, he has worked as a senior consultant at Col-Legno in Japan.
    A lot of IT security issues happen day by day: cyber attacks, site compromises, software vulnerabilities including zero-days, SQL injection and so on.

    Security issues are becoming more important in operating IT-related systems, including public websites, internal networks and web applications.

    Open source software (or Free software) is definitely a good option even for enterprise environments, but it is also important to recognize its various security aspects. There are many challenges with OSS (or Free software), for instance secure development and patch management on the part of developers, users and system integrators.

    This presentation will cover some security trends and the security challenges that need to be considered from both the "development" and "user" aspects of using open source software.

    With Free Software, you can control the software yourself, including patch management. This means you can control its security as well.

    It also explains the importance of security operations, including CSIRT and PSIRT.

    Topics are below:
    # Security issues in Open source software development
    # Security issues in using Open source software
    # Managing Free software yourself, and its security
    # The need for security operations including CSIRT and PSIRT
    June 25th, 2014 10:00 – 11:00

    Terrace Room (Lower Lobby - Basement)

  • Operational CyberThreat Intelligence: 3 Years of IOC Processing at EMC.Return to TOC

    Christopher HARRINGTON (EMC Corporation), Kathleen MORIARTY (EMC Corporation)

    Christopher:
    Christopher Harrington, a former Naval Intelligence analyst, brings over 18 years of Information System and Security experience including secure network architecture design, malware analysis and reverse engineering, security incident handling / response and detection / mitigation of Advanced Persistent Threats (APT) / nation state sponsored CyberActivity (CNE). He currently holds the position of Consulting Security Engineer with EMC's Global Critical Incident Response Center and has held senior Information Systems & Security positions with MIT Lincoln Laboratory, NitroSecurity (as CTO), the National Security Agency, and NMI InfoSecurity Solutions. Chris is an active member of the Information Systems Security Association (ISSA), where he is one of the founders of the New Hampshire chapter and a past Vice President and Secretary, and of the FBI’s InfraGard program. As a recognized expert in the security field, Chris has spoken on security topics for RSA Conference, SANS, SecureWorld, NERCOMP / Educause and EGRC.

    *****************
    Kathleen:
    Kathleen Moriarty is the Global Lead Security Architect for EMC Corporation's Office of the CTO working on technology strategy and industry standards in information security. Kathleen has been the primary author of multiple published standards and actively contributes/leads security standards activity in both the IETF and ITU-T with a focus on incident response and security automation. As the co-chair for the IETF's Managed Incident Lightweight Exchange (MILE) working group, she is actively working with the community to improve the secure and effective exchange of threat intelligence working on data formats, secure transport, and access controls. Previously, as the practice manager for security consulting at EMC, she was responsible for oversight of key projects, and development of security programs, in addition to serving as the acting CISO of a global investment banking firm. Kathleen has also been the head of IT Security at MIT Lincoln Laboratory and the Director of Information Security at FactSet Research Systems, responsible for the information security program and team. Kathleen holds a Masters of Science degree in Computer Science from Rensselaer Polytechnic Institute and a Bachelor of Science in Mathematics and Computer Science from Siena College.
    As cyber attackers' skills mature and their targets become more diverse, it becomes increasingly important for security organizations to leverage Cyber Threat Intelligence. By collecting and processing Indicators of Compromise from external and internal sources, security organizations gain a greater understanding of, and visibility into, cyber attackers' tools and methodologies. This Cyber Threat Intelligence can vastly improve an organization's ability to defend against, detect and respond to intrusions more quickly. Unfortunately, most organizations have yet to realize the benefits of Cyber Threat Intelligence. There are multiple reasons why adoption has been slow, including the lack of a single data standard, limited security vendor integration, organizations not having the proper skill set, and a lack of perceived value or ROI. Using the EMC Critical Incident Response Center as an example, we will discuss our experiences and lessons learned from actively running a formal Cyber Threat Intelligence program for the past 3+ years.

    The lack of skill sets is an important factor to consider in how we can improve the overall defensive posture of organizations large and small. When you consider that many organizations are part of the supply chain of large organizations, a compelling motivating factor surfaces to address threats more broadly. Many FIRST attendees are from large organizations or country-level security teams that have the resources to protect and defend their networks. If we change the models for information sharing to 'get to the root' of threats, we can address them more broadly and efficiently, protecting not only large organizations but small and medium-sized organizations as well. Within these models, limiting the information shared to what is necessary will help to prevent information leakage to attackers, as will the improved security control mechanisms evolving through IETF standards efforts. We will discuss transport options and security controls for indicators and threat intelligence.
    June 27th, 2014 11:00 – 12:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Our Turbine Got Hacked! - Performing Forensic Investigations of Industrial Control SystemsReturn to TOC

    Dr. Heiko PATZLAFF (Siemens)

    Heiko Patzlaff is a security expert at Siemens, where he is responsible for security-related forensic activities.

    Before joining Siemens he worked in the Anti-Virus industry. He also holds a doctorate degree in theoretical physics.

    Besides his forensic responsibilities he is involved in security related research activities and Siemens internal consulting.
    While the forensic analysis of security breaches in office networks is a well documented and developed field, the investigation of security incidents in industrial control systems and other industrial products currently encounters various obstacles.

    There is a lack of documentation, of tools and of basic procedures for working in these environments.

    This talk addresses the various challenges posed by industrial systems and presents a framework and toolset for the forensic investigator when the call comes: "Help, my turbine got hacked!"
    June 24th, 2014 13:00 – 13:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Pass-the-Hash: Gaining Root Access to Your NetworkReturn to TOC

    Tim SLAYBAUGH (Member)

    Tim Slaybaugh is a Senior Digital Media Analyst for the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) specializing in network intrusion detection, malware and forensic analysis. Over the past ten years, Tim has conducted in-depth forensic analysis and extensive research into identifying intrusion activity as well as providing investigative reports and threat briefs to various government agencies and private industries.
    Tim has presented at the Federal Law Enforcement Training Center (FLETC) and often speaks at national and international conferences on current topics in computer forensic analysis.
    He currently holds multiple certifications with the SANS Institute and the Department of Defense Cyber Investigations Training Academy (DCITA).
    The first objective of an intruder, once they have access to your system, is to elevate privileges. With root privileges the attacker can potentially have free rein over your network. The use of Pass-the-Hash toolkits has been one of the most common techniques employed for gaining unrestricted privileges without a password. These tools have been used to harvest password hashes and Kerberos security tickets to bypass authentication on a system or network.
    Was Pass-The-Hash used against your system?
    This presentation analyzes various artifacts within a forensic image where evidence of privilege escalation can be found as well as ways to identify the type of tools used. In addition, various techniques will be suggested to mitigate Pass-The-Hash exploits.
    June 24th, 2014 10:00 – 11:00

    Terrace Room (Lower Lobby - Basement)
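
    The abstract says the talk examines artifacts in a forensic image, without naming them. One artifact an analyst carries out of such an image is the Security event log, and the block below is an added example (not the speaker's material) of a widely used Pass-the-Hash heuristic run over it: on the target host, a 4624 network logon (type 3) authenticated with NTLM and Key Length 0; on the attacker's host, a 4624 NewCredentials logon (type 9) through the "seclogo" logon process, which injecting a hash into a fresh logon session leaves behind. The events are constructed for this example, reduced to the fields the rules read, and are assumed to have already been extracted from the .evtx files; the account and host names are made up.

```python
# Constructed Windows Security log records (event 4624, successful logon),
# reduced to the fields the heuristic needs. Not from any real investigation.
SAMPLE_EVENTS = [
    # Kerberos network logon: ordinary domain activity, must not be flagged.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 128, "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.5",
     "TimeCreated": "2014-06-24T09:58:00Z"},
    # NTLM network logon with Key Length 0 for a service account: target-side trace.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.5",
     "TimeCreated": "2014-06-24T10:01:00Z"},
    # Anonymous NTLM logon (null session): common noise, excluded.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.0.0.9",
     "TimeCreated": "2014-06-24T10:01:30Z"},
    # NewCredentials logon through seclogo on the source host: source-side trace.
    {"EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "KeyLength": 0, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "-",
     "TimeCreated": "2014-06-24T09:59:40Z"},
    # Interactive console logon: not relevant to the heuristic.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "KeyLength": 0, "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "127.0.0.1",
     "TimeCreated": "2014-06-24T08:30:00Z"},
]


def is_ntlm_network_logon(ev):
    """Target-side trace: network logon authenticated with NTLM and Key Length 0
    for a real account. Legitimate NTLM logons (non-domain hosts, connections
    by IP address) produce the same record, so this is a lead, not proof."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM"
            and ev["LogonProcessName"] == "NtLmSsp"
            and ev["KeyLength"] == 0
            and ev["TargetUserName"].upper() != "ANONYMOUS LOGON")


def is_explicit_credentials_logon(ev):
    """Source-side trace: a NewCredentials (type 9) logon via the seclogo logon
    process. 'runas /netonly' leaves the same record, so check which process
    and which interactive user created it before drawing conclusions."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 9
            and ev["LogonProcessName"].lower() == "seclogo"
            and ev["AuthenticationPackageName"] == "Negotiate")


def find_suspects(events):
    """Return (reason, event) pairs in chronological order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_explicit_credentials_logon(ev):
            hits.append(("explicit-credentials-logon", ev))
        elif is_ntlm_network_logon(ev):
            hits.append(("ntlm-network-logon", ev))
    return hits


def accounts_with_both_traces(events):
    """Accounts that show both the source-side and the target-side trace,
    the strongest signal this heuristic alone can give."""
    by_account = {}
    for reason, ev in find_suspects(events):
        by_account.setdefault(ev["TargetUserName"], set()).add(reason)
    return sorted(acct for acct, reasons in by_account.items() if len(reasons) == 2)
```

    Treat each hit as a pivot point, not a verdict: confirm it against the source host's process creation records and the target's 4672 (special privileges assigned) and share-access events, and weigh how common NTLM network logons are in that environment before calling it Pass-the-Hash.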

  • pBot botnets: An OverviewReturn to TOC

    Fernando KARL (Defenda), Felipe BOEIRA (Samsung)

    Felipe Boeira
    Felipe is a Security Researcher who has worked on a variety of subjects in the field. He was involved in cybersecurity incident response, handling cyber frauds ranging from corporate phishing attacks to DNS compromise for pharming campaigns. In addition, he has worked as a penetration tester and holds a CEH certification. He is currently focused on mobile security research involving mobile malware analysis, mobile privacy and mobile security assessments.
    Botnets (robot networks) are networks of computers under the control of a master computer, called the botmaster. Botnets have become one of the largest sources of illegal activity on the internet, being used for activities such as mass sending of unsolicited e-mail (spam), e-mail address harvesting, malicious content hosting (phishing and malware), execution of distributed denial of service attacks, and others. This research consists of establishing honeypots to detect attacks, malware source code analysis in a controlled environment and botnet activity monitoring. Over 6 months we tracked more than 300 botnets formed by pBot using IRC channels. We found the use of automatic and manual exploitation, spam generators, botnet trading activity and worldwide spread botnets being used by criminal groups located in specific countries. As a final result, we present several new insights from the information captured during this period, such as: the preferred weekday for each command, attackers' country of origin, common exploits used by these botnets, the worldwide distribution of botnets and how targets are selected.
    June 26th, 2014 15:00 – 16:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Playing Hide and Seek with Rootkits in OS X MemoryReturn to TOC

    Cem GURKOK (Verizon Terremark)

    Cem Gurkok, CISSP, CISA is the Threat Intelligence R&D Manager at Verizon Terremark. He specializes in cloud computing security, system security architecture, incident response, digital forensics, malware analysis, litigation consulting, research and development of security software. He has worked with various Fortune 500 companies throughout the world. Cem has recently presented at the Open Source Memory Forensics Workshop (OMFW), Hack in the Box Conference (HITB), HackerHalted, EuroForensics Conference, has published a paper about automated evidence extraction and malware behavior analysis at the International Security and Cryptology Conference, and has written articles about cloud computing security and incident response for ComputerWorld Online.
    The OS X kernel has become a popular target for malicious players. Currently there are tools that provide detection for obvious OS X rootkit techniques, such as executable substitution or direct function modification (e.g. the Rubilyn rootkit). Advanced rootkits use capabilities that are difficult to detect, such as function inlining, DTrace hooks, call reference modification, shadow syscall and TrustedBSD policy tables. In this presentation, I will explore how to attack various kernel objects with these advanced techniques and how to detect these modifications in memory using the Volatility Framework. The presentation will include demonstrations of system manipulation on a live system and subsequent detection using the new Volatility Framework plugin.
    June 26th, 2014 13:00 – 14:30

    Terrace Room (Lower Lobby - Basement)

  • Preparing for the Inevitable Zeroday or What Makes Networks Defendable?Return to TOC

    Konrads SMELKOVS (KPMG LLP)

    I am an experienced, fast-thinking and fast-performing IT consultant with 12 years of experience. I have skills across most of the IT spectrum, ranging from development to security, governance and cyber response. Currently, I am mostly focused on information security and cyber response. My key strengths are strong IT skills coupled with creativity and business drive. I am currently part of the KPMG LLP (UK) Cyber team; my main interest area is computer network defence.

    Talks at various client events and conferences, including BlackHat Arsenal 2012, a FIRST 2012 lightning talk, membership of the FIRST 2012 CTF winning team Midas, and CRESTCon 2012.
    The rationale behind having an incident response team is that preventive controls fail. At some point after the controls have been breached, the incident response team begins its mission: to identify the type and extent of the breach and take mitigating steps to eventually deny the intruder all unauthorized access. However, technology, methods and overall organisational and IT procedures can make the IR process and response either confident or borderline impossible. The question, therefore, is: what makes networks defendable? This is the question this talk explores.

    A defendable network is defined as a network where the defenders' ability to contain breaches before negative business impact occurs approaches 100%. That is, attackers always fail at acting on their ultimate objectives. The three main identified qualities of a defendable network are:

    1) It is able to survive an assault even when attackers have exploits for your fully patched devices (zero-days).
    2) It is able to recover from a breach of the root of trust, e.g. Windows Active Directory, compromise of root PKI keys, etc. This includes people in the highest trust positions going rogue.
    3) It can continue to function when a significant portion of the network is off-limits: unreachable, damaged, untrusted.

    To add rigour and applicability to the discussion, we perform our threat modelling using attack trees and look for practical solutions.
    June 24th, 2014 16:00 – 17:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)
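
    The abstract says the threat modelling is done with attack trees but, being an abstract, shows none. The block below is an added example (not the speaker's model) of the evaluation an attack tree supports: OR nodes take the cheapest child, AND nodes sum their children, and a leaf that a control is assumed to stop costs infinity. The tree, the step names, the relative costs and the control sets are all hypothetical; the point is the pattern of asking what the cheapest remaining path is after each control, and whether the attacker is then forced to spend a zero-day, which is the first of the three qualities listed above.

```python
import math

INF = math.inf


class Node:
    """Attack-tree node: kind is 'OR' (any child suffices), 'AND' (all
    children are needed) or 'LEAF' (one attacker step with a relative cost)."""

    def __init__(self, name, kind="LEAF", children=(), cost=0):
        self.name = name
        self.kind = kind
        self.children = list(children)
        self.cost = cost


def evaluate(node, blocked=frozenset()):
    """Cheapest (cost, steps) for the attacker to achieve `node`.
    Leaves named in `blocked` are assumed stopped by a control and cost INF."""
    if node.kind == "LEAF":
        return (INF, []) if node.name in blocked else (node.cost, [node.name])
    results = [evaluate(child, blocked) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        total = sum(r[0] for r in results)
        steps = [s for r in results for s in r[1]] if total < INF else []
        return (total, steps)
    raise ValueError(f"unknown node kind {node.kind!r}")


# Hypothetical tree for one business-impacting goal. Costs are relative
# attacker effort chosen for illustration; the "zero-day" steps are the dear ones.
GOAL = Node("exfiltrate customer database", "OR", [
    Node("via phished workstation", "AND", [
        Node("phish a user", cost=1),
        Node("workstation zero-day", cost=20),
        Node("reuse shared local admin password", cost=2),
        Node("dump database", cost=1),
    ]),
    Node("via domain takeover", "AND", [
        Node("compromise domain admin", cost=15),
        Node("dump database", cost=1),
    ]),
    Node("via internet-facing app", "AND", [
        Node("web app zero-day", cost=30),
        Node("pivot to database host", cost=5),
    ]),
])

# Hypothetical control sets, each named by the measure that blocks the leaves.
CONTROLS = [
    ("no controls", set()),
    ("tiered admin model", {"compromise domain admin"}),
    ("tiered admin + unique local admin passwords",
     {"compromise domain admin", "reuse shared local admin password"}),
]


def needs_zero_day(steps):
    """True when the remaining cheapest path cannot be walked without a zero-day."""
    return any("zero-day" in step for step in steps)


def residual_paths(goal, control_sets):
    """For each control set, the cheapest path that survives it."""
    return {label: evaluate(goal, frozenset(blocked)) for label, blocked in control_sets}
```

    Read the output as a defender's budget: with no controls the cheapest path costs 16 and needs no zero-day; a tiered admin model pushes the attacker onto the phishing path (24, zero-day required); unique local admin passwords leave only the 35-point web-application path. A tree whose every remaining path needs a zero-day is where the "survive a zero-day" question starts, because it tells you which detection or containment step must catch the attacker after that exploit.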

  • Processing Intelligence Feeds with Open Source SoftwareReturn to TOC

    Chris HORSLEY (CSIRT Foundry), L. Aaron KAPLAN (CERT.at)

    Chris Horsley

    Chris has over six years of experience working in national CSIRTs, as well as five years' experience as a software developer and sysadmin before that. He joined AusCERT in 2003, where he developed a strong interest in automation and visualisation, particularly for processing phishing sites and log files. The small but very active AusCERT analyst team did everything: tackling online financial fraud, building tools, talking on the phone to victims of compromise, interacting with the international security community, and providing security training courses.

    After almost three years at AusCERT, he moved to Japan to work for JPCERT/CC, the Japanese national CSIRT. This led to tasks as varied as phishing site monitoring system development, dashboard development, international training, malware analysis, and sensor network visualisations. After four years and a great amount of cultural broadening in Japan, he moved back to Australia to start CSIRT Foundry.

    The common thread that emerged again and again was a desire to develop tools to improve processes. Rather than trying to adapt his job to suit software development, he thought it better to make software development his job.

    Chris has presented at various international security conferences, and has given CSIRT training courses for several governments around the world. He also holds a CISSP (if you like that type of thing).

    L. Aaron Kaplan

    Aaron Kaplan studied mathematics and computer science in Vienna, Austria. He has been a Unix user and programmer since 4.3BSD-Lite / FreeBSD 1.0, and has worked for major telecoms, IBM, ESA, banks and heavy industry, mostly doing Unix consulting/programming, since 1997. Since 2008, he has worked for the Austrian domain registry (".AT"), where he is part of the CERT.at team.
    For incident response teams, gathering and processing event data from open source intelligence feeds is crucial for getting external, expert perspectives on their constituents' networks. Teams need a system which:

    * Automatically gathers open source or private feeds provided by others;
    * Adjusts the data in the feeds to have standard field names and data formats;
    * Filters out unwanted data (e.g. only keep country / ASN specific data);
    * Stores the data in a searchable, scalable way;
    * Allows searches and trend analysis over long periods of time;
    * Has an attractive web interface, allowing an analyst to make on-demand reports and visualisations;
    * Has an API to allow easy data export into other tools such as RTIR;
    * Is freely open for modification and use by IR teams with limited budgets.

    In this presentation, we explain that the software to achieve these goals already exists - we just need a little glue to put them together.

    We will present various open source tools (Abusehelper, ContactDB, Logstash, Elasticsearch, Kibana, and IFAS) with demonstrations of their capabilities. Attendees will take away knowledge of how to start using each of these pieces of software, as well as an easy method for integrating them all together (IFAS).

    Finally, participants will be shown an "install wizard" way of quickly setting up the IFAS open source feed processing system we outline. This talk will especially help newer CSIRTs looking to build or extend their capability.

    Overview
    --------

    * Problem
      * Teams need widespread awareness of incident activity
        * Must be fully automated and reliable
        * Many feeds available, all in different formats
          * Trying to get everyone to standardise as of today is a hard problem - many long-standing feeds have formats that cannot be easily changed
        * Feed gathering must be fully automated, flexible, and resilient on failure
      * Once we have all this data, how do we use it?
        * Large volumes of data
        * Must be quickly searchable
        * Must be able to report / visualise
        * Must be capable of extending with future logs and new formats
      * Solutions exist, but...
        * Splunk: an excellent product, but expensive
          * Out of budget for small / developing teams
          * Requires teams to write extraction rules for many feed types
          * Does not foster uninhibited collaborative development - divides the Splunk "haves" and "have-nots"
    * Solution
      * Build something we can all use
        * Open source all the way
        * Can share and collaborate using the same building blocks
      * Introducing IFAS: Information Feed Analysis System
        * Take best-in-class open source tools, and integrate them together to tackle the problems above
        * Gets a CSIRT from no event feed processing to gathering, storage, processing and reporting quickly, an essential step in becoming a mature CSIRT
        * Use them pre-integrated and configured with IFAS, or mix and match tools as you like
        * Transparent and well documented API for data exchange
      * Data harmonisation: gather feeds and ensure all are harmonised
        * Collect and analyse feeds
        * Enrich data - Geo IP resolution, Whois lookups
        * Harmonise field names and formats
        * Deduplicate events
        * Write out as logs
        * IFAS uses: Abusehelper
      * Log parsing
        * Need a Splunk-like log tailing and transform functionality
        * Then, need to put processed log event data into a datastore
        * IFAS uses: Logstash
      * Log storage
        * Don't know what future event types we might encounter, want a flexible schema
        * Must be able to search quickly
        * Must be able to store at scale
        * IFAS uses: Elasticsearch
      * Event reporting
        * Find the best reliable contact to report the incidents to automatically:
          * ContactDB
      * Log analysis
        * Need an analyst interface to enable:
          * Operational searches
            * Splunk-like ad-hoc searches for strings, IP addresses in event history
            * IFAS uses: Kibana
          * Analytical searches
            * Reporting on how incidents are trending, e.g. worst performing ISPs for phishing sites last year
            * IFAS uses: IFAS Reporter (Django web application)
      * Need a way to set up and integrate all these tools for a team with few resources
        * Some of these tools have complex setup, and need to be customised heavily before use
        * IFAS automated install: installs Abusehelper, Logstash, Kibana and IFAS Reporter as a single-box solution
        * The IFAS bundle sets all of the above up with sane defaults, ready to collect feeds
        * May be customised per site

    * Takeaways
      * Tools already exist to achieve open source feed gathering, parsing, normalisation, storage, and analysis
      * Use any of these excellent tools separately to achieve a particular goal, or IFAS for a turnkey solution integrating all of them for you
    June 25th, 2014 11:00 – 12:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)
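
    The "Data harmonisation" items in the outline above (collect, harmonise field names and formats, deduplicate, enrich, filter to the constituency, write out as logs) are the stage the talk hands to Abusehelper. The block below is an added example of that stage written from scratch, not IFAS or Abusehelper code: two constructed feeds in different formats are mapped onto one schema, duplicates that arrive from both feeds are collapsed, a country code is attached from a stand-in prefix table, and only the constituency's events are emitted as JSON log lines. The feed contents, the dotted field names, the classification vocabulary and the prefix table are all assumptions; the addresses are from the RFC 5737 documentation ranges.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed feed A: CSV with its own column names, local timestamps (taken as UTC).
FEED_A_CSV = """ip,seen,category
198.51.100.7,2014-06-23 10:15:00,malware
203.0.113.9,2014-06-23 11:02:00,phishing
198.51.100.7,2014-06-23 10:15:00,malware
"""

# Constructed feed B: JSON lines, epoch timestamps, a different vocabulary.
FEED_B_JSONL = """{"src_ip": "203.0.113.9", "ts": 1403521320, "kind": "phish"}
{"src_ip": "192.0.2.44", "ts": 1403525000, "kind": "c2"}
"""

# Each feed's labels mapped onto one classification scheme (assumed labels).
CLASSIFICATION = {"malware": "malware", "phishing": "phishing",
                  "phish": "phishing", "c2": "c2server"}

# Stand-in for a GeoIP database: prefix -> country code (constructed).
GEO_PREFIXES = {"198.51.100.": "AT", "192.0.2.": "AT", "203.0.113.": "DE"}


def iso_utc(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalise_feed_a(text):
    """CSV rows -> harmonised events."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(row["seen"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"feed.name": "feed-a", "source.ip": row["ip"],
                       "time.source": iso_utc(seen),
                       "classification.type": CLASSIFICATION[row["category"]]})
    return events


def normalise_feed_b(text):
    """JSON lines with epoch timestamps -> the same harmonised schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        seen = datetime.fromtimestamp(int(rec["ts"]), tz=timezone.utc)
        events.append({"feed.name": "feed-b", "source.ip": rec["src_ip"],
                       "time.source": iso_utc(seen),
                       "classification.type": CLASSIFICATION[rec["kind"]]})
    return events


def enrich(event):
    """Attach a country code (a real pipeline would query GeoIP / whois here)."""
    cc = next((c for p, c in GEO_PREFIXES.items() if event["source.ip"].startswith(p)), None)
    return {**event, "source.geolocation.cc": cc}


def dedup(events):
    """Collapse reports of the same ip / type / time, whichever feed they came from;
    the first feed to report an event keeps it."""
    seen, unique = set(), []
    for ev in events:
        key = (ev["source.ip"], ev["classification.type"], ev["time.source"])
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def process(country):
    """Gather, harmonise, deduplicate, enrich, then keep one constituency's events."""
    events = normalise_feed_a(FEED_A_CSV) + normalise_feed_b(FEED_B_JSONL)
    events = [enrich(ev) for ev in dedup(events)]
    return [ev for ev in events if ev["source.geolocation.cc"] == country]


def to_log_lines(events):
    """One JSON object per line, the form a log shipper such as Logstash can tail."""
    return [json.dumps(ev, sort_keys=True) for ev in events]
```

    Deduplicating before filtering is deliberate: the same sighting often arrives from several feeds, and counting it once keeps the later trend reports (worst ISPs, busiest weekdays) honest. Unknown vocabulary raises a KeyError on purpose, so a feed that changes its labels stops the pipeline loudly instead of silently misclassifying events.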

  • Protecting the Computer from Ring 0 – A New Concept in Improving Incident ResponseReturn to TOC

    Kouichi MIYASHITA (F.TRON Inc.), Mariko MIYA (CDI-CIRT (Cyber Defense Institute, Inc.) - Japan)

    Mariko joined Cyber Defense Institute, Inc. (Tokyo) in August 2011. She has expertise and knowledge of foreign and domestic cyber policies and of handling cyber threats involving national security. Her cyber intelligence reports, written using her multi-language and research capabilities, have received recognition from government agencies. She has provided practical support and advice to government agencies in charge of foreign affairs and overseas information gathering and analysis.
    Mariko graduated from International Christian University of Tokyo with a BA in English Linguistics after receiving 12 years of education in Los Angeles, California. She is able to approach cyber issues from a multi-linguistic and multi-national point of view.

    Presentations
    - Washington D.C. (2012)
    - Nashville, TN (2013)
    - Speaker at FIRST Conference 2013 in Bangkok (June 2013)
    - 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises in Athens,Greece (Sep 2013)

    Kouichi Miyashita's main work involves various system management and consulting; he has engaged in human resource management, system architecture and operations for finance etc., and in the field of information security.
    He joined F.TRON in 2011 and, after working in sales and business planning, was appointed President in 2014.
    We are introducing a new concept of technology developed from a completely different point of view, with a focus on computer mechanisms. This presentation discusses this new concept and how it can benefit incident response in the future.

    In general, the CPU assigns a privilege level to each program so that application programs cannot affect the programs that are necessary for the continued operation of the computer.

    The relationship between Rings (privilege levels) and software (including malware) is as follows:
    The operation level of the CPU consists of 4 levels, with Ring 0 at the top with the most privileges and Ring 3 the lowest. Ring 1 and Ring 2 are not normally used; in practice only two levels, Ring 0 and Ring 3, are used.

    Ring 3 – Applications and some parts of the OS software (API). Least privileged (least trusted, with the highest ring number).
    Ring 0 – CPU and Kernel. Most privileged (most trusted); can operate all hardware including CPU, HDD, memory etc.

    Malware (= software) also has 2 privilege levels in the ring model (malware executed at Ring 3, and malware executed at Ring 0).

    Malware aims to obtain the privileges of Ring 0, which enables it to freely manipulate all hardware (CPU, HDD, memory etc.) and to tamper with anti-virus software (which operates at Ring 0) that has the same privilege, in order to operate safely and reliably on the computer.

    [About ‘Full’ and ‘Zig’]
    Currently, there are 3 product concepts: ‘Full’, ‘Zig’ and ‘Full VT-x’.
    ‘Full’ keeps the most privileged Ring 0 for itself by launching before the OS. This creates a 3-level structure, Ring 0 (FULL), Ring 2 (CPU) and Ring 3 (APP), using Ring Protection, and controls all software (including malware) so that it cannot be raised to Ring 0.

    How does this technology work?
    ‘Full’ launches first by rewriting the MBR (Master Boot Record). The OS then launches under FULL's control. Once launched, it maintains a protective environment and handles the places where a ring-level raise occurs.

    ‘Zig’ launches as a driver on the OS. It runs as a part of the OS (a Kernel Driver) in the 2-level structure of Ring 0 (OS) and Ring 3 (APP), and controls software (including malware) operating in Ring 3 so that it cannot move up to Ring 0.
    -- ‘Zig’ has some of the functions of FULL, with increased OS dependency and versatility.

    For malware operating in Ring 3, FULL and ZIG monitor the APIs operating in Kernel mode (over 4000) and process information in real time, then stop unspecified processes (including malware) under certain processing conditions such as launch program path, write path, privileges given by the OS (tokens), etc.
    -- The CPU instructions used by the API to move from Ring 3 to Ring 0 (“syscall / sysenter”) are proxied using FULL/ZIG logic, which captures every intended use of the Kernel from Ring 3.

    Malware at the BIOS and MBR level can be identified with FULL by looking at the boot log (when there is an abnormality, FULL does not launch successfully).

    [About ‘Full VT ver.’]
    By using a hardware-assisted mechanism, typified by Intel VT-x, we were able to expand compatibility (supported platforms) by removing the OS dependency while still providing functions similar to FULL.
    In addition, by building the environment with CPU support, it enables complete virtualization, which is expected to improve performance, with more flexible and in-depth protection and hardware support.

    [Commercializing]
    1. Usage as a Monitoring Tool
    Extracts logs of hardware exploitation by Ring 0 viruses and of malfunctions caused by Ring 3 viruses involving APIs (Kernel mode), and also detects BIOS and MBR abnormalities.

    2. Usage as a Tool for Protection
    Protects the computer from malfunctions caused by Ring 0 viruses, Ring 3 viruses involving APIs (Kernel mode), and BIOS-level viruses.

    Examples of use:
    - Protection from targeted attacks etc. that involve making the user download malware from the internet or open email attachments
    - Protection from attacks that try to take the PC's administrator privileges by exploiting vulnerabilities in MS Office products etc.
    - Protection from information leakage or attacks that send information externally by exploiting vulnerabilities in Adobe products etc.

    [Advantages]
    - There is no need to analyze or create patterns of attacks
    - There is no need to create a special engine for detection
    - Can operate fully on-premise

    [Disadvantages]
    - There is a possibility that normal processes not directly recognized by the user (e.g. automatic updates) do not work
    - When a user uses the PC in a way the administrator did not anticipate, the unexpected parts will not work

    [Outlook for the future]
    We are currently conducting research and development on implementing a “function to monitor program operation by capturing the processing of APIs”, which would make it possible to monitor file I/O, communication data, communication destinations etc. Unlike conventional API hooks, this is a mechanism that covers all APIs, so it would be possible to monitor and forbid behaviour in applications that was difficult to see with the software that has existed so far.
    Beyond computer protection, we are also looking at its possible use as a malware analysis tool; then, using this as a base technology, implementation of a new protection platform covering the entire system and network would be possible in the coming future.

    So, by going “back to the ‘root’ of computer structure”…
    how can this support us in incident response?

    [Advantages to Incident Response]
    - The basics of incident response are [Detect -> Triage -> Respond], but it is necessary to analyze the techniques and mechanisms of the attack in advance in order to make this work.
    - This technology does not require understanding the mechanisms of the attack, so the response flow would become [Protect/Detect -> Awareness -> Readjustment]. While the technology denies malware operation, responders would need to improve the parts that interfere with its operation.
    June 23rd, 2014 13:00 – 13:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Rethinking Indicators of Compromise in an Age of Advanced Analytics

    Steve MANCINI (Intel)

    Steve Mancini has been with Intel since 1997, when he graduated from the Purdue University computer science program. After 4 years serving as a system administrator and application developer he moved into security as an information security specialist and eventually as a security strategist for Intel’s chip design environment (Engineering Computing). Moving into Intel’s Information Risk & Security team, Steve has been responsible for incident response, system hardening, security design and threat modeling. In his current role he is the program lead for the Emerging Threat Analysis program and a threat intelligence analyst delivering intelligence to both product and enterprise customers, and is lead in developing Intel’s APT response program. In his spare time he likes to design Flying Cars for Anton Chuvakin.
    Over the last 2 years "security intelligence" has become the hot new sexy marketing term. Look to most of your security solution providers and you will find "analytics" or "big data" swimming in their Marchitecture. But among all the schmooze there is opportunity that comes at a cost. Moving past static indicators of compromise to security analytics is going to take a change in thinking about what to look at, where to look, and what to share. My goal is to share our experiences in building out some initial security analytics capabilities for the large enterprise scale.
    June 24th, 2014 10:00 – 11:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Rogue Pharma in .CO: The 33DRUGS.CO Case

    Gonzalo ROMERO (.CO Internet)

    Gonzalo Romero is the Chief Security Officer for .CO Internet S.A.S., the Registry Operator for the .CO top-level domain extension. Since 2010, when the .CO domain launched globally, Gonzalo has been responsible for defining .CO’s information security strategy globally, and overseeing the implementation of all information security initiatives, policies, practices and procedures.

    Gonzalo actively participates in national (Colombian) and regional (LATAM) communities related to information security and technology infrastructure and security matters. Among other things, he establishes and maintains relationships with high-quality security enterprises, CERTs, CSIRTs, SOCs, law enforcement agencies and government authorities.

    Prior to joining .CO Internet S.A.S., Gonzalo focused on advising and deploying engineering projects with public entities and private companies in matters involving information technology infrastructure and security. He was a part of the engineering team who requested the .CO ccTLD delegation from InterNIC in the early days of the Internet, and provided Colombia’s connectivity and access to the BITNET academic network and the Internet as well.

    Gonzalo is a frequent guest speaker on issues involving Internet technology and security, including knowledge transfer and user awareness topics. He has a B.A. in Computer Science Engineering from the University of Los Andes in Colombia, where he also has postgraduate studies in Telecommunications.
    “Rogue Pharma” (RP) sites in our .CO ccTLD and how we handle them.

    The presentation will include (a) “Rogue sites”: description and overview, (b) criminal organizations behind RP online content (33DRUGS), (c) the take-down process of a RP domain name (33DRUGS.CO) in our ccTLD (based on our "Terms and Conditions" and cooperative action with our Registrar channel), and (d) our lessons learned and challenges for avoiding RP domain name registrations within our ccTLD.
    June 25th, 2014 15:00 – 16:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Securing National Segment of the Internet from Cyber-Threats. CERT-UA's Practical Approach

    Nikolay KOVAL (CERT-UA)

    Nikolay Koval is a deputy and acting representative of CERT-UA. He has been working at CERT-UA for almost five years. His main responsibilities are information security audits, penetration tests and computer incident handling. The key goals are the following: to educate the GOV sector in the sphere of information security, coordinate law enforcement bodies and provide safety in Ukrainian cyberspace. Nikolay and other team members are currently working on automating the process of live threat monitoring and netflow analysis. In the near future it is planned to deploy a network of honeypots.
    The presentation describes the measures and technical solutions which were developed and deployed by CERT-UA in order to protect government information resources and national IT infrastructure from all existing cyber threats. We’ve tried to accumulate and properly process all the information we get through CERT/CSIRT cooperation and information sharing. Another part of the presentation will touch on the topic of private/public cooperation and CERT-LE cooperation as well. Part of the report contains schematic displays and a short video demonstration of the systems used in our work. The material, to the greatest extent, consists of practical elements and will be interesting for all acting and developing CERTs.
    June 24th, 2014 10:00 – 11:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Security Operations, Engineering, and Intelligence Integration Through the Power of Graph(DB)!

    Christopher CLARK (Verisign)

    Chris is the Senior Countermeasures Engineer at Verisign. His focus is the development and implementation of an intelligence-driven defense architecture to protect both corporate interests and production assets (Root DNS, Registry, and DDOS mitigation services).
    Chris has built several open and closed source security tools deployed in mission critical security stacks at a number of multinational organizations.
    Chris has previously worked as a leading member of the BAE Systems and General Dynamics Focused Operations Threat Intelligence teams. He also has experience on the other side of the security coin, developing offensive networking and security solutions.
    The ability to properly categorize and visualize attacks, security tool efficacy, and targeting trends has previously been cumbersome at best and impossible at worst.
    Through proper schema design, a graph database can be used to represent all assets and entities involved in business operations and security, both internal and external to your organization. This data can then be used to accurately track and attribute attacks, measure tool and team efficacy/ROI, and isolate high risk targets and gaps present in your security posture down to a granular level impossible by other means.
    The graph database model also allows incredibly complex queries to be returned in milliseconds, including unknown-distance questions such as "Which Exploits have actors from China used against our Development team in the last twelve months?" or "Which IDS rules are in place to defend from malware used by XXXX group?" or "Display all C2 domains beaconed to over port 80 by malware delivered by Watering Hole attack".
    By treating things as the entities they are in real life, and forming contextual relationships between them, we can begin to make sense of the piles of data and gain insight into our weaknesses.
    June 25th, 2014 13:00 – 13:30

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Sochi, After Action

    Michael HIGGINS (NBC Universal)

    Mike Higgins is a veteran security executive with more than 20 years of experience working in the Government and in private industry. As the founder of the DOD Computer Emergency Response Team (DOD-CERT), Mike was one of the earliest advocates in the leadership role of the Federal Government through the identification of the five critical infrastructures. Mike is also a former Chairman of FIRST who 20 years ago brought this Annual Symposium to Boston.

    Today Mike serves as the Chief Information Security Officer (CISO) for NBCUniversal leading the company’s risk and security programs. Previously Mike held executive Information Security positions at The New York Times and LexisNexis. For more than a decade Mike was an executive security consultant to Fortune 500 companies including Time Warner, Citigroup, Sun Microsystems, Merrill Lynch, JPMorganChase, and British Petroleum.

    Mike holds dual certifications as a Certified Information Security Manager (CISM) and a Certified Protection Professional (CPP) and is the recipient of the Defense Intelligence Agency’s Director’s Medal and Federal Computer Week’s Federal 100 Award. Mike is a visiting professor at the Northeastern University where he teaches the Capstone Course for their Master of Science in Information Assurance, an NSA/DHS Designated Center of Academic Excellence in Information Assurance Education; a visiting lecturer for over 10 years at the McIntire School of Commerce at the University of Virginia and a former adjunct professor in the Information Assurance Program at The George Washington University.

    Mike received his Bachelor’s degree from Northeastern University and his Masters’ from the Viterbi School of Engineering at the University of Southern California.
    PS, Mike is also a former Chairman of FIRST Steering Committee who 20 years ago brought this Annual Symposium to Boston and began FIRST’s internationalization starting the processes that resulted in the first NON-US Symposium in Karlsruhe, Germany the following year.
    Each Olympics brings a new challenge, from the physical security events following 9/11 to the introduction of video streaming and the smartphone/tablets for consuming the hundreds of broadcast hours during the normal Games cycle. Sochi 2014 is recognized as the first games where a serious cyber threat was addressed. Hacktivists, cyber criminals and state sponsored surveillance combined to make Sochi an interesting challenge. Lessons learned, what went well, and what we will do differently next time will be discussed.
    June 25th, 2014 10:00 – 11:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • STIX and TAXII: The Who, When, What, Where, Why and How

    Richard STRUSE (DHS)

    Mr. Struse serves as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he is responsible for technology vision, strategy and implementation in support of the NCCIC’s mission.

    Mr. Struse is also the creator of the STIX and TAXII automated information sharing initiatives at DHS. Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extreme high reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories where his work focused on tools to automate software development and the UNIX operating system.
    In January 2012, the US Department of Homeland Security began to pursue an unprecedented effort to standardize and automate cybersecurity information sharing in an open and community-focused way that aimed not only to advance the state of practice for critical national infrastructure, but public and private sector networks everywhere. Now, in 2014, STIX and TAXII are being actively adopted by government agencies, major software vendors and critical infrastructure organizations.

    This presentation will explain the origin and objectives of these efforts, describe some of the critical choices that were made, and make clear the incredible importance of open and responsive community engagement every step of the way.
    June 23rd, 2014 13:00 – 13:30

    Terrace Room (Lower Level - Basement)

  • The Art of Sinkholing

    Tomasz BUKOWSKI (CERT Polska/NASK)

    Tomasz Bukowski is a graduate of the Faculty of Physics, Warsaw University of Technology. He has worked at CERT Polska/NASK as an IT Security Specialist since August 2009.
    Tomasz is a member of the Security Incident Response Team at CERT Polska and is responsible for analysis of malware and testing of new vulnerabilities. He is interested in the security of network applications and protocols, and the functionality and evolution of malware.
    He is a hobby Linux administrator and programmer.
    In 2013 CERT Polska started to sinkhole .pl domains used for malicious activity. It was obvious that it is very important to identify infected systems (those referring to sinkholed domains) and share this data with the world. To acquire such information it was necessary to simulate the CnC, keeping in mind that various malware types use different communication channels and encryption.

    CERT Polska developed software that tries to fulfill everything that could be required of a decent sinkhole server. It allows one to implement (almost) any exotic CnC communication protocol with minimal effort. The software should be publicly released in early 2014.

    In my presentation I will describe technical details of sinkholing process - based on CERT Polska case:
    - configuration and tweaking of server (OS level)
    - sinkholing from DNS perspective
    - short description of common CnC types
    - common pitfalls
    - usage of the CERT Polska software in a few use cases
    June 24th, 2014 11:00 – 12:00

    Terrace Room (Lower Lobby - Basement)

  • The Dutch Responsible Disclosure Policy

    Tarik EL YASSEM (NCSC.NL)

    Tarik El Yassem is a senior security specialist at the Dutch National Cyber Security Centre (NCSC.NL), previously known as GOVCERT.NL. In this role, Tarik co-developed the Dutch Responsible Disclosure guidelines. After the publication of the guidelines, he coordinated the implementation at the NCSC and worked with a large group of various partners to help them implement their own responsible disclosure policy. Tarik El Yassem holds a Master of Science degree in System and Network Engineering from the University of Amsterdam. As of this June, he will transition to a position at the Rabobank Global Security Operations Centre as a senior security intelligence analyst.
    The Dutch hacker community has been asking the government for some kind of whistle-blower protection arrangement. The minister of security and justice promised to come up with guidelines for hackers. The Dutch National Cyber Security Center (NCSC-NL) has worked together with hackers, policymakers, lawmakers, security professionals and other stakeholders to create a guideline for responsible disclosure. Early results are very promising: organizations are made aware of security issues, they get solved and people who report them are taken seriously and get rewarded for their efforts. The Netherlands is the first country that widely implements responsible disclosure and we hope to spread our vision and share lessons learned!
    June 23rd, 2014 11:00 – 12:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • The MANTIS Framework: Cyber Threat Intelligence Management for CERTs

    Dr. Bernd GROBAUER (Siemens), Thomas SCHRECK (Siemens), Dr. Jan GOEBEL (Siemens), Johann WALLINGER (Siemens), Stefan BERGER (Siemens)

    Dr. Bernd Grobauer is Principal Key Expert at Siemens Corporate Technology's Technology Field "IT Security". He leads the Siemens Computer Emergency Response Team’s (CERT’s) research activities, covering topics such as incident detection and handling, threat intelligence, malware defense, IT forensics, etc. Dr. Grobauer holds a PhD in computer science from Aarhus University, Denmark. From 2009 to 2011, he served on the membership advisory committee of the International Information Integrity Institute (I4).

    Thomas Schreck is the Team Representative of Siemens CERT. His fields of interest are intrusion detection and incident analysis. Further, he is a PhD student at the Friedrich-Alexander University Erlangen-Nuremberg.

    Johann Wallinger is an IT Security Analyst at Siemens Corporate Technology's Technology Field "IT Security". He is responsible for global IT security incident investigations and works with the Siemens Computer Emergency Response Team (CERT) in coordinating threat intelligence exchange activities with external partners in the US.

    Dr. Jan Goebel is the Team leader for Incident Technologies and IT Security Analyst at Siemens CERT. His research interests revolve around IT security, digital forensics, malware analysis (reverse engineering), and network attack detection using honeypots. Dr. Goebel holds a PhD in computer science from RWTH Aachen University.

    Stefan Berger is an IT Security Analyst at the Siemens Computer Emergency Response Team (CERT). His area of work mainly covers global IT security incident handling and analysis as well as the development and maintenance of tools, methods, and procedures in this field.
    Proper Cyber-Threat Intelligence Management is increasingly important for effective incident handling. There are a number of emerging standards such as the STIX/CybOX family and the standards developed by the MILE working group ... but no adequate open tools for managing information conveyed in these standards are available.

    This presentation will describe ongoing work at Siemens CERT regarding "Mantis -- Model-oriented Analysis of Threat Information Sources", an open-source framework for supporting CERT organizations in handling threat intelligence based. The presentation will first give a brief introduction to the relevant standards and describe a CERT's requirements for tool support as well as the challenges in realizing this tool support. It will then describe the approach taken by Siemens CERT and report on first experiences with productive use of MANTIS as a foundation for cyber-threat intelligence management.

    The Open Source MANTIS Framework is available via

    https://github.com/siemens/django-mantis
    June 24th, 2014 11:00 – 12:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • TRANSITS Train-the-Trainer (T3)

    Don STIKVOORT (Avalon Executive Coaching)

    The Train-the-Trainer (T3) meeting consists of 2 parts:

    - Generic concise trainer training: learning strategies, teaching styles, tips and tricks. This will benefit all your trainings and presentations!

    - Specific TRANSITS discussion: what is TRANSITS, what content is there, who is it aimed at, how do we teach TRANSITS. Plus recent developments.

    Attending this T3 meeting, together with following or co-teaching an actual TRANSITS training, will prepare you to become a TRANSITS trainer - and if you already are one, will improve your skills.

    The training is given by Don Stikvoort, member of the FIRST community since 1992, founder/auditor of 20+ CSIRTs, Head Tutor of TRANSITS - but also a certified trainer in communication, NLP and presentations.

    Who is welcome at the T3? Existing TRANSITS trainers of course. But also every experienced CSIRT member with teaching talent who would like to become a TRANSITS trainer! We do expect you to be a FIRST member, and we reserve the right to make a selection. We will let you know within 1 week after applying to join the T3.
    June 22nd, 2014 10:00 – 16:30

    (TBA)

  • Transparency and Information Sharing in Digital Forensics

    Johan BERGGREN (Google)

    Johan is a security engineer at Google, working with incident response.
    Ever found that your tools or contracted help are interfering with your incident response workflow? That you find yourself discussing and explaining terminology to other responders during an incident? That your tools are just not transparent enough about what data they present you?

    Information exchange during an incident should be about the incident, not about politics, semantics or limitation of tooling.

    In this presentation we take a look at how you can utilize open source forensic software to overcome some of these obstacles. We discuss several tools that make up a powerful toolbox that provides you with the necessary transparency about the artifacts you are examining. To allow you to focus on the incident-related knowledge, questions and answers, and not the nitty-gritty details of the tools, we show you ways to add rich annotations as an overlay on top of the raw data.
    June 26th, 2014 10:00 – 11:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Twenty-Five Years of Computer Security and Incident Response: FIRST's First Quarter-Century

    Mark ZAJICEK (CERT Coordination Center)

    Mark Zajicek is a Member of the Technical Staff in the Cyber Security Solutions directorate of the CERT Division, located within the Software Engineering Institute at Carnegie Mellon University. Zajicek’s current work is focused on helping other organizations to build their own computer security incident response team (CSIRT) or incident management capability.
    As a member of the CERT CSIRT Development and Training team, Zajicek is responsible for providing guidance to new and existing CSIRTs, worldwide. He has co-developed a variety of documents and training materials, and is an instructor for a suite of several courses that provide training for CSIRT managers and technical staff.
    Previously, Zajicek was the Daily Operations team leader for the CERT Coordination Center (CERT/CC), after having joined the CERT/CC’s incident handling staff in 1992. Prior to joining the CERT/CC, he also helped support the CERT/CC during its initial start-up in 1988.
    In 1989, a Computer Security Incident Handling Workshop was held in Pittsburgh, Pennsylvania (USA), with invited experts from various organizations. That historic event was the first of what would become a yearly conference, attended annually by hundreds of computer security and incident response team members from around the world; and it laid the roots for what would become the globally-recognized Forum of Incident Response and Security Teams (FIRST). Twenty-five years later, FIRST continues to enable incident response teams to more effectively respond to security incidents. In this presentation [or panel session], we will present an overview of the first meeting that was held, highlights of the first twenty-five years of the annual FIRST Conferences, sprinkled with informal anecdotes, reminiscences, and changes observed over our past quarter-century.
    June 23rd, 2014 10:00 – 11:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Two-tiered, Multi-team Assessment of CSIRTs

    Robin RUEFLE (CERT Program, SEI, CMU)

    Robin Ruefle
    Team Lead, CSIRT Development and Training Team
    CERT Division, Software Engineering Institute, Carnegie Mellon University
    Robin Ruefle is a senior member of the technical staff of the CERT Program at the Software Engineering Institute at Carnegie Mellon University. She is the team lead for the CERT® CSIRT Development and Training (CDT) team. Her focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CDT, Ruefle develops and delivers sessions in the suite of courses offered to CSIRT managers and incident handling staff; she also teaches the CERT Insider Threat Workshop. Ruefle has co-authored a variety of CSIRT publications, including Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, The Role of Computer Security Incident Response Teams in the Software Development Life Cycle, as well as numerous other articles and best practice guides. Current work includes developing an incident management body of knowledge (BOK) and a framework for developing and implementing an organizational Insider Threat Program for government, industry, and educational entities.
    Audrey Dorofee
    Senior Member of the Technical Staff
    Software Engineering Institute
    Carnegie Mellon University
    Audrey Dorofee is a senior member of the technical staff in the Software Solutions Division at the Software Engineering Institute, Carnegie Mellon. She has worked in the risk management, cybersecurity, and process improvement fields for more than 22 years. Her work at the SEI has included development, training, and transition of advanced risk management methods, tools, and techniques. Her most recent work focuses on identifying security requirements early in the product life cycle and documenting best practices in security incident management. Prior to the SEI, she worked for the MITRE Corporation and the National Aeronautics and Space Administration (NASA). She has co-authored two books, Managing Information Security Risks: The OCTAVE℠ Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996).
    In 2013, CERT developed and piloted a two-tiered assessment of an organization’s group of incident management teams using recently updated versions of two types of assessment instruments. At the higher level, we used the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC) to do a quick, self-directed assessment of all the local organizational CSIRTs across the enterprise. The results were collected and analyzed by CERT. This quick questionnaire used 16 high-level drivers to explore key aspects of the teams’ abilities to detect, analyze and respond to incidents. Two of the teams were also selected for in-depth assessments using the Incident Management Capabilities (IMC), a set of 73 detailed capabilities that provide an in-depth look at a team’s ability to detect and respond to incidents as well as protect, prepare, and sustain an incident management function. The MRD-IMC provided insight into patterns, common strengths and weaknesses, and the general status of all of the teams. The in-depth IMC assessment showed in detail where improvements needed to be made to two of the teams and what weaknesses were also in common with the rest of the teams. This presentation will provide an overview of these two evaluation instruments and discuss how they can be used in conjunction to first identify strengths and gaps at a high level and then perform a more detailed assessment to identify improvement areas to address the gaps.
    June 24th, 2014 15:00 – 16:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • Understanding Cyber Security Incident Response Teams as Multiteam Systems

    Steve ZACCARO (George Mason University)

    Dr. Stephen J. Zaccaro is a professor of psychology at George Mason University, Fairfax, Virginia. He is also an experienced leadership development consultant. He has written over 120 journal articles, book chapters, and technical reports on group dynamics, team performance, leadership, and work attitudes. He has authored a book titled, The Nature of Executive Leadership: A Conceptual and Empirical Analysis of Success (2001) and has co-edited four other books on the topics of multiteam systems, organizational leadership, leader development, and occupational stress. He serves on the editorial board of The Leadership Quarterly, and he is an associate editor for Journal of Business and Psychology and Military Psychology. He is a Fellow of the Association for Psychological Science, and of the American Psychological Association, Divisions 14 (Society for Industrial and Organizational Psychology) and 19 (Military Psychology).
    Facilitators: Stephen Zaccaro, Lois Tetrick, and Reeshad Dalal, Psychology Department of George Mason University, on behalf of a project team investigating how to make cyber security incident response teams more effective. The team members represent George Mason University’s Psychology Department; George Mason University’s Center for Infrastructure Protection; and Hewlett-Packard Laboratories’ Cyber Security Research Team.

    Title: Understanding Cyber Security Incident Response Teams as Multiteam Systems

    Audience: Members of incident response teams, members of other teams that interact with incident response teams, managers of incident response teams.

    Duration: 55 minutes

    Expected Outcomes: Greater understanding of incident response teams as part of a larger system of interdependent teams called Multiteam Systems (MTSs). Research-based suggestions for incident response team members and team managers about ways to work more effectively within this type of system.

    One of the first principles of any incident response team (cyber security or otherwise) is that it is part of a system of interconnected teams, called a multiteam system (MTS). MTSs are organizational systems characterized by two or more teams that are closely networked because they address at least one goal that is too large for a single team to accomplish [1]. A group of emergency response teams is a classic example of an MTS. To see why, consider what happens when 9-1-1 is called after a car accident. In response, several teams are called into action. The call center team dispatches police, ambulance, and fire emergency teams to the scene of the accident. The teams then work together to assess the requirements of the accident: the ambulance team will load any victims into the ambulance, the police team will direct traffic away from the accident and conduct an investigation to determine the cause, and the fire team will assist in removing victims from cars and make sure that the accident does not result in a car fire. As this example illustrates, the four types of teams have very different goals but must work closely together to accomplish the superordinate goal of a smooth accident response and rapid yet safe removal of any victims from the accident scene.

    Cyber security incident response teams can also be thought of as MTSs. Here, an individual team member will recognize a potential incident and decide whether to solicit help from his or her own team members. Then, the team will collectively decide whether the incident can be remediated with current resources or whether it needs to be escalated to a different team or to a broader collection of teams. In some situations, escalation may involve teams with very different expertise, including law enforcement and forensic analysis teams, etc. These teams must work together both to determine the source of the incident and to decide whether additional actions should be taken.
    There are several critical distinctions between incident response teams and emergency response teams. In particular, whereas emergency responders focus only on addressing the results of an accident, incident response teams must also work closely together to learn lessons from their response and use them to prevent future incidents. Thus, incident response teams are MTSs with multiple specialties and multiple goals.

    Understanding how MTSs engage several teams to work effectively together can help us understand how an MTS perspective can lead to more effective incident response teams. For example, research has shown that breakdowns in sharing information between teams can have negative effects on the performance of the entire system of teams. This dysfunction occurs because team members tend to identify more closely with their own team, rather than with the MTS as a whole, leading to challenges in sharing information between groups and subsequent decreases in performance [2]. As members of an incident response team learn to think about their teams as part of MTSs, both incident responders and their managers welcome other teams’ participation and anticipate interaction with other members of their MTS. Managers can then begin to hire and train team members who are able to consider the information sharing needs not only of their own team but also between teams in the system. Individual team members can learn to think of themselves as part of an MTS, not just as an individual working independently. Our goal for this long session is to begin to encourage incident responders to frame their own jobs within these broader systems and to act to address the needs of the larger system, rather than just of the individual tasks.

    References
    [1] Mathieu, J. E., Marks, M. A., & Zaccaro, S. J. (2001). Multi-team systems. In N. Anderson, D. Ones, H. K. Sinangil, & C. Viswesvaran (Eds.), International handbook of work and organizational psychology (pp. 289–313). London: Sage.
    [2] Connaughton, S. L., Williams, E. A., & Shuffler, M. L. (2012). Social identity issues in multiteam systems: Considerations for future research. In S. J. Zaccaro, M. A. Marks, & L. A. DeChurch (Eds.), Multiteam systems: An organizational form for dynamic and complex environments. New York: Taylor & Francis.
    June 23rd, 2014 16:00 – 17:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Use of Passive DNS Databases in Incident Response and Forensics

    Dr. Paul VIXIE (Farsight Security, Inc)

    Paul Vixie founded a handful of Internet related companies and projects including MAPS, the first anti-spam company; PAIX, the first neutral commercial Internet exchange; and ISC, the home of BIND and F-root. He is the inventor of several Internet DNS and security related technologies including RPZ (DNS firewall), DNS RRL (response rate limiting), NCAP (passive network telemetry toolset), TSIG (DNS transaction signatures), and other works that time has forgotten. Dr. Vixie earned his PhD from Keio University on DNS related work. He is a founding member of ICANN SSAC and RSSAC, and he served on the ARIN board from 2005-2013.
    Several projects and companies now collect massive quantities of DNS traffic and use them to build searchable databases. Incident responders and forensic analysts can use these databases to aid in attribution and prediction. A little knowledge of DNS itself is required, in order to know what to look for and what you're looking at. In this presentation, Dr. Vixie will briefly outline the workings of Passive DNS in theory, and then work several example incidents to show what a responder or analyst can do with Passive DNS in practice.
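    A small passive DNS index, added here as an illustration and not part of Dr. Vixie's talk or of Farsight's software: it ingests constructed sensor observations (name, type, answer, time) and exposes the pivots a responder uses, forward lookup with first/last-seen, reverse lookup from an IP to every name that ever pointed at it, and a co-hosting pivot built from the two. All names, addresses and timestamps are invented for the example.

```python
"""
Toy passive DNS index: forward (name -> observed answers, with first/last
seen), reverse (answer -> every name that ever carried it) and a
co-hosting pivot built from the two.  Added illustration, not from the
talk; the observations below are constructed, not real traffic.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

# Constructed sensor observations: (UTC timestamp, rrname, rrtype, rdata).
# A passive DNS sensor records answers seen above a recursive resolver;
# it never records which client asked.
OBSERVATIONS = [
    ("2014-04-20T00:00:00Z", "www.example.org.",          "A",  "203.0.113.9"),
    ("2014-05-01T08:00:00Z", "update.example-cdn.com.",   "A",  "198.51.100.7"),
    ("2014-05-03T09:15:00Z", "update.example-cdn.com.",   "A",  "198.51.100.7"),
    ("2014-05-10T22:30:00Z", "login-verify.example.net.", "A",  "198.51.100.7"),
    ("2014-05-11T01:02:00Z", "login-verify.example.net.", "A",  "198.51.100.7"),
    ("2014-05-12T12:00:00Z", "login-verify.example.net.", "A",  "203.0.113.9"),
    ("2014-05-12T12:00:00Z", "login-verify.example.net.", "NS", "ns1.example.org."),
]

Entry = namedtuple("Entry", "rrname rrtype rdata first last count")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class PassiveDNS:
    def __init__(self):
        self._recs = {}                    # (rrname, rrtype, rdata) -> [first, last, count]
        self._by_name = defaultdict(set)   # rrname -> keys
        self._by_rdata = defaultdict(set)  # rdata  -> keys

    def ingest(self, ts, rrname, rrtype, rdata):
        """Merge one observation into the aggregate (first/last seen, hit count)."""
        key = (rrname.lower(), rrtype.upper(), rdata.lower())
        t = _parse_ts(ts)
        rec = self._recs.setdefault(key, [t, t, 0])
        rec[0], rec[1], rec[2] = min(rec[0], t), max(rec[1], t), rec[2] + 1
        self._by_name[key[0]].add(key)
        self._by_rdata[key[2]].add(key)

    def _entry(self, key):
        first, last, count = self._recs[key]
        return Entry(*key, first, last, count)

    def forward(self, rrname):
        """Everything this name was ever seen to resolve to, oldest first."""
        return sorted((self._entry(k) for k in self._by_name[rrname.lower()]),
                      key=lambda e: (e.first, e.rrtype, e.rdata))

    def reverse(self, rdata):
        """Every name ever seen pointing at this IP / nameserver / target."""
        return sorted((self._entry(k) for k in self._by_rdata[rdata.lower()]),
                      key=lambda e: (e.first, e.rrname))

    def first_seen(self, rrname):
        """Age of a name from the sensors' point of view (None if never observed)."""
        entries = self.forward(rrname)
        return min(e.first for e in entries) if entries else None

    def co_hosted(self, rrname, rrtype="A"):
        """Pivot name -> its IPs -> other names on those IPs (an attribution lead)."""
        others = set()
        for e in self.forward(rrname):
            if e.rrtype != rrtype:
                continue
            for o in self.reverse(e.rdata):
                if o.rrtype == rrtype and o.rrname != rrname.lower():
                    others.add(o.rrname)
        return sorted(others)


def build_index(observations=OBSERVATIONS):
    db = PassiveDNS()
    for obs in observations:
        db.ingest(*obs)
    return db


if __name__ == "__main__":
    db = build_index()
    suspect = "login-verify.example.net."
    print("first seen:", db.first_seen(suspect))
    for e in db.forward(suspect):
        print("  %-3s %-20s %s .. %s (%d)" % (e.rrtype, e.rdata, e.first.date(), e.last.date(), e.count))
    print("co-hosted with:", db.co_hosted(suspect))
```

    Two caveats carry over to real databases: first-seen is relative to the sensors' coverage (a name may be much older than its first appearance in any one database), and the index stores answers, not queriers, so it supports attribution of infrastructure rather than identification of the clients that asked.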
    June 23rd, 2014 10:00 – 11:00

    Terrace Room (Lower Lobby - Basement)

  • Using Anthropology to Study Security Incident Response

    Siva Raj RAJAGOPALAN (HONEYWELL), Xinming OU (Kansas State University)

    S. Raj Rajagopalan is a Senior Principal Research Scientist at Honeywell Research, where he is tasked with creating sensible technological enhancements to Honeywell's vast portfolio of control systems to help defend against attacks exemplified by Stuxnet and Flame. He is working closely with the various business units in Honeywell Automation and Control Systems to study and address the problems of market addressability, lifecycle deployment, and cost-effectiveness of cybersecurity solutions. He is also working with the Security Operations Center organization in Honeywell Global Security, where he is embedded with a view to studying and analyzing SOC processes as well as to bring Labs research in-house to improve incident investigation and digital forensics techniques. Prior to joining Honeywell, Dr. Rajagopalan worked with the HP Labs Security Research Group based in Princeton, NJ, where he collaborated with Mr. Daniel Moor, a senior member of HP's Managed Security Service Provider Business Unit, to provide appropriate technology such as better visualization and threat ranking. He has helped transition solutions as needed for HP Enterprise Security Product Units such as TippingPoint and ArcSight. Before joining HP Labs, Dr. Rajagopalan started his career at Bellcore (later Telcordia), where he worked on building firewall management tools with DARPA sponsorship that earned him several awards. In recent years he has focused on inter-disciplinary research. He was on two DHS S&T awards, one on applying tools from Industrial Psychology to study team dynamics in CSIRTs (with George Mason University) and another on applying social insect models from Biology to distributed intrusion detection (with Rutgers University).
    The most critical assets in guarding the nation from cyber terrorists are our cyber defenders -- the security analysts, security center operators, incident investigators, etc. who are at the front line of our national defense, working ceaselessly in commercial, academic and government security operations centers (SOCs) to detect, repel, and prevent cyber intrusions into the sprawling cyber infrastructure. As in any war, these assets need an adequate arsenal and must be trained and re-trained to keep up with the enemy. Both have been extremely challenging. It is now well accepted that training cyber analysts is a long and hard process, and something that keeps us from expanding our defensive operations to match the enormity of the task. Government agencies, commercial SOCs, private consulting companies and universities are all suffering from a severe shortage of trained personnel in this area, and yet there is no clear large-scale program in place to train security analysts. Our current approach to training is an individual, one-on-one mode that does not scale. Indeed, as we discovered in many SOCs, no systematic training is taking place at all, and this is even culturally accepted as a fact of life for working in those organizations. Adding to this is the lack of effective tools, both commercially and from the research community, to help analysts do their job more efficiently. Without an adequate arsenal and training, one cannot expect to win any war.

    We took the novel approach of trying to study the problem in its native environment, i.e. rather than study the problem of training as an abstract concept in a lab, we aim to observe and study the difficult art of the analyst's job in the security operations center itself. Furthermore, in order to study the rather human problem of learning and teaching cyber analysis, we are applying tools and techniques from the humanities, in particular socio-cultural anthropology. Anthropologists use the term "tacit knowledge" to capture the idea that a lot of the knowledge that people use in their jobs is inside their heads and not written down or documented anywhere. This is especially true in SOCs; indeed, many times the analysts who possess the knowledge do not even know how to express it. Add to that the natural censure against sharing sensitive information and the cultural belief that one has to learn one's way through the rough, and we have a "tribal" knowledge regime wherein critical knowledge is only transferred from human to human through long apprenticeships and inter-personal/trust relationships.

    Working with a professional anthropologist, our strategy is to have student interns embedded in various security operations centers with the goal of "learning by participation." Our embeds participate in the SOC just like regular employee trainees and keep detailed field notes on what they observe in their day-to-day interactions. These analysts process large amounts of data under time-stress conditions when handling cyber threats. The job requires intelligence and high levels of skill but has many mundane/repetitive aspects as well. Adequate tool support is largely lacking, and many of the skills and procedures involved are un-codified and undocumented, resulting in a large body of tacit knowledge. We place computer science and anthropology researchers and graduate students trained in both fields into SOCs, working side by side with the analysts. This "participant observation" approach, developed in socio-cultural anthropology, provides a method and means to access the tacit knowledge of the analysts and to convert it into more explicit knowledge, leading to the development of algorithms that can help automate the tasks. More importantly, the ethnographic fieldwork provides an opportunity to observe real security operation centers' work processes and identify factors that influence the effectiveness and efficiency with which cybersecurity incidents are handled. This may help explain why some cybersecurity problems are hard to address in practice, what roles humans and organizational structures play, and where procedures might be inefficient or completely fail for non-technical reasons. The research is carried out through a collaborative effort involving researchers from Kansas State University and two companies, Honeywell and RedJack, LLC. Results from the research will not only create practical tools that leverage tacit knowledge in security analytics and automate/aid tasks in incident response and forensic analysis, but also inform the training of cybersecurity professionals by making explicit the tacit knowledge of effective security analytics acquired during participant observation.

    Our belief is that, rather than using the traditional approach of trying to build tools to address the problems that appear on the surface, we want to study the deeper relationship between the requirements of the job, the incentives and disincentives in the work environment, and the unique attributes of cyber security operations. Thus far we have conducted the fieldwork at Kansas State University's Office of Information Security and Compliance for about a year, where multiple PhD students work side by side with the security analysts in their daily duties. We have identified significant gaps in the tool support that no existing commercial or open-source solutions address, and we have been building tools to help the analysts' job and using the tool building as a means to open up the discussion on the technical details of their job that constitute the tacit knowledge. This has been a highly beneficial experience for both the researchers and the analysts. The tools that resulted from the discussion have tremendously improved the analysts' work performance (by their evaluation) and reduced the amount of labor they would have to put in to perform the repetitive, low-level, mundane tasks. This has also allowed the analysts to focus more of their effort on investigating sophisticated attacks, which in turn fosters more discussion with the research team and thence to more tacit-to-explicit knowledge conversion. This will be extremely helpful in informing what types of training are most effective for new analysts, so that they can more quickly acquire the deep analytical skills and not be overwhelmed by the low-level repetitive processes that can be automated.

    We are now extending and expanding this effort to studying more SOCs, including the commercial SOC at Honeywell. We would like to find more partners to work with us, so that our study can be more representative and valid. In particular, we will need help to access more SOCs to conduct the fieldwork. What we will need from our collaborators is to dedicate some human resources to doing this fieldwork. For academic collaborators, this could mean sending some students to SOC(s) and having regular meetings with the whole research team to exchange the findings produced from the fieldwork. For industry collaborators, this could mean having an analyst work with the student fieldworkers (apprentices) to train them in doing the job. The collaborating organizations will benefit from a third-party perspective on operational effectiveness, intra-team interactions, and other organizational attributes in the context of cyber security operations. They may also benefit from any tools that the fieldworkers build or help build specifically for the organization. At the end of the project, we expect to write a training manual with do's and don'ts for organizations employing cyber security operations personnel that are common to such organizations across businesses, academia, and governmental agencies. Collaborating organizations can also benefit by contributing to the framing and prioritization of issues to be addressed in such a manual, as well as from early access to what is learned.

    Any study such as this can only improve with more participation. We hope to invite the FIRST community of SOC analysts and managers alike to participate in our study and make the derived outcomes truly global.

    This work is supported by the National Science Foundation under Grant No. 1314925. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
    June 25th, 2014 10:00 – 11:00

    Arlington/Berkeley/Clarendon (Mezzanine Level - 2nd Floor)

  • Vendor Showcase

    Network with your fellow attendees and our vendors. Please be sure to have your pocket agendas open to the raffle stamp page! Beverages and light snacks will be served.
    June 24th, 2014 18:00 – 20:00

    Plaza Ballroom

  • We're All the Same in Different Ways: Revisiting the CSIRT Concept for 2015

    Thomas MILLAR (US-CERT)

    Tom Millar serves as US-CERT's Communications Chief, a role which finds him at the intersection of outreach and awareness, international coordination, and constituent and partner services. In this role, Mr. Millar is focused on continuously improving US-CERT's approach to secure and effective information sharing.

    Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009.

    Mr. Millar has previously worked as a team lead for intrusion detection and analysis at the FBI’s Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.

    Mr. Millar has a Master of Science in Engineering Management from the George Washington University.
    The idea of the formal CSIRT has been in existence for over 25 years. As FIRST's history shows, this concept has evolved a great deal since 1989. This presentation will provide a look back into the history of the CSIRT to explore where our common practices come from, how they have changed and how they have not. Several efforts have been made (e.g. RFC 2350) to describe the various capabilities and functions of different CSIRTs, but they are not broadly adopted for inter-team cooperation.

    Getting a better grasp on our respective teams' modern responsibilities, capabilities, restrictions and needs is an incredibly important part of making the members of FIRST, our partners, and our constituencies safer and stronger. It's time to discuss, discover and leverage the unique capabilities of our partner teams, not just the TLDs, IP ranges or institutions we are associated with, but the services we can provide one another and the tools and talents we can share.

    By striving for a better understanding of what today's teams truly have in common with one another, and of the critical ways in which we differ, we can all better support one another to achieve our shared objectives.
    June 27th, 2014 11:00 – 12:00

    Imperial Ballroom (Mezzanine Level - 2nd Floor)

  • YARA: Advanced Topics

    Andreas SCHUSTER (Deutsche Telekom AG)

    Andreas Schuster has been a Senior Computer Forensic Examiner with the security department of Deutsche Telekom AG since December 2003. Previously he led a commercial computer incident response team and worked in the internet business for about seven years.

    Andreas has authored and contributed to several forensic analysis tools. He regularly reverses undocumented data formats like file systems and in-memory information.

    Andreas has given trainings to law enforcement and private-sector organizations and presented at FIRST, SANS and other InfoSec conferences. He serves on the program committees of conferences and journals in the field of digital forensics.
    YARA, according to its authors, is "the pattern matching swiss knife for malware researchers (and everyone else)". This hands-on tutorial will cover advanced topics students have asked for during the classes taught at FIRST events during the last years.

    * Transitioning from v1.x to v2.x
    - What is new?
    - Necessary adjustments to existing rules
    - Writing fast and efficient rules

    * Classifying binaries
    - Develop and gradually refine rules to categorize a pile of unknown binaries

    * Parsing an executable file format
    - Structure of a Windows Portable Executable (PE) file
    - Limit searches to certain parts of a PE file

    * Matching on assembler and high-level language constructs
    - Learn about the format of Intel x86 machine instructions
    - Make your rules robust against compiler optimizations and simple obfuscation
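    The two mechanisms behind the PE and robustness topics above, shown in Python rather than as a YARA rule, as an added illustration that is not part of the class material: `parse_sections` walks the section table to find where `.text` lives in the file, `compile_hex_pattern` turns a YARA-style hex string with `??` wildcards and `[n-m]` jumps into a byte regex, and `find_in_section` runs that pattern over one section's raw bytes only. The image produced by `build_sample_pe` is constructed for the example (two sections, a stub optional header) and is not a runnable executable.

```python
"""
Section-limited, wildcard-tolerant byte matching over a PE file: the
mechanism underneath "search only .text" and "tolerate the bytes a
compiler or a simple obfuscator changes".  Added illustration in
Python, not YARA code and not from the class; the image is constructed.
"""
import re
import struct


def parse_sections(data):
    """Section name -> (PointerToRawData, SizeOfRawData, VirtualAddress)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                 # first IMAGE_SECTION_HEADER
    sections = {}
    for i in range(num_sections):
        name, _vsize, va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = (raw_off, raw_size, va)
    return sections


def compile_hex_pattern(pattern):
    """'B8 ?? ?? ?? ?? [0-4] E8 ?? ?? ?? ?? C3' -> compiled bytes regex.
    ?? is one wildcard byte; [n] or [n-m] is a jump of n (up to m) bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_anywhere(data, pattern):
    """File offsets of hits over the whole file (what a plain string match does)."""
    return [m.start() for m in compile_hex_pattern(pattern).finditer(data)]


def find_in_section(data, section_name, pattern):
    """File offsets of hits restricted to one section's raw data."""
    raw_off, raw_size, _ = parse_sections(data)[section_name]
    rx = compile_hex_pattern(pattern)
    return [raw_off + m.start() for m in rx.finditer(data[raw_off:raw_off + raw_size])]


def build_sample_pe():
    """Constructed, minimal PE32-shaped image (not a runnable executable):
    DOS stub, COFF header, 8-byte stub optional header, two sections."""
    variant_a = bytes.fromhex("B801000000E810000000C3")          # mov eax,1 ; call rel32 ; ret
    variant_b = bytes.fromhex("B8020000009090E820000000C3")      # same logic, two NOPs inserted
    text = (b"\x90" * 4 + variant_a + b"\x90" * 8 + variant_b).ljust(64, b"\xCC")
    data = (b"\x00" * 8 + variant_a).ljust(64, b"\x00")          # the same bytes outside code
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 8, 0x0102)  # i386, 2 sections, opt hdr 8 bytes
    opt = struct.pack("<H", 0x10B).ljust(8, b"\0")               # PE32 magic only
    sec = "<8sIIIIIIHHI"
    sec_text = struct.pack(sec, b".text", 64, 0x1000, 64, 0x200, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack(sec, b".data", 64, 0x2000, 64, 0x240, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_text + sec_data).ljust(0x200, b"\0")
    return headers + text + data


if __name__ == "__main__":
    pe = build_sample_pe()
    loose = "B8 ?? ?? ?? ?? [0-4] E8 ?? ?? ?? ?? C3"   # tolerates the immediate and inserted NOPs
    print("sections:", parse_sections(pe))
    print("whole file:", [hex(o) for o in find_anywhere(pe, loose)])
    print(".text only:", [hex(o) for o in find_in_section(pe, ".text", loose)])
```

    The loose pattern matches both the original `mov eax, imm32; call; ret` sequence and the variant with NOPs inserted, while the exact byte string catches only the first; restricting the scan to `.text` drops the hit on the same bytes sitting in `.data`, which is the kind of false positive a whole-file string match produces.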

    Students need to provide a laptop with the latest version of VMware for the operating system of their choice installed (either free VMware Player, VMware Workstation, or VMware Fusion will work; covering MS Windows, Linux, and Mac OS X). There should be 10 GB of free disk space and about 1 GB of RAM available for applications.

    Courseware consists of a Linux virtual machine with a copy of the slide deck, all the required tools and malware samples installed. Of course students may bring their own tools. The image will be available for download at http://r.forens.is/bos1st/ from June 16, 2014. Please install the virtual machine before coming to class!

    Students should have some experience analyzing malware and navigating a Unix shell. As this class covers advanced topics, basic knowledge of YARA is required too (e.g. from one of the introductory classes taught at various FIRST events before).
    June 25th, 2014 13:00 – 14:30

    Terrace Room (Lower Lobby - Basement)

  • “Auditing All the Things”: The Future of Smarter Monitoring, Detection and Response

    Mark THOMAS (Threat Stack)

    Mark Thomas is a consummate C hacker with more than 15 years of experience in writing software for high performance networking and security applications. He is currently the Principal Software Engineer at Threat Stack.

    He holds several patents in network security and is a dedicated open source contributor. He is currently a maintainer for the popular libevent library and author of the high-performance http library, libevhttp.
    Mark Thomas of Threat Stack will explain how to leverage your audit data as a powerful tool for intrusion detection and incident response purposes. In particular, when deploying in hosted cloud environments where your organization doesn't own the network infrastructure (e.g. Amazon AWS), there needs to be a level of monitoring and auditing on the host which can complement -- or even exceed -- the visibility you get from traditional network intrusion detection tools.

    In addition, the Linux operating system has some powerful auditing capabilities, and defenders who aren't taking advantage of them are seriously missing out. Thomas will discuss the current audit APIs that exist today in the Linux kernel and what exists in terms of its collection capabilities.

    Thomas will also explore the many open source tools currently available to interface with audit data, and the advantages and limitations they have in terms of performance, collection and querying.
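    An added example, not from the talk or from Threat Stack's tooling, of the host-side collection the abstract refers to: grouping raw auditd records (the SYSCALL, EXECVE, CWD and PATH records of one call share a `msg=audit(time:serial)` id) into one event per syscall, decoding the hex-encoded execve arguments auditd emits for strings with spaces the way `ausearch -i` does, and running two hunt rules over the result. The log lines are constructed in audit.log format for the example; the rule names, the directory list and the x86_64 syscall number are choices made for the illustration.

```python
"""
Raw auditd records -> per-syscall events -> two hunting rules.  Added
illustration, not from the talk; the log below is constructed in
audit.log format, not captured from a host.
"""
import re

# Constructed sample: a login session runs a binary from /tmp and then gets a
# root shell, followed by a daemon exec with no login session (auid unset).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1403704800.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3110 pid=3121 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1403704800.101:2001): argc=2 a0="ls" a1="-la"
type=CWD msg=audit(1403704800.101:2001):  cwd="/home/alice"
type=PATH msg=audit(1403704800.101:2001): item=0 name="/bin/ls" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1403704860.555:2002): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3121 pid=3140 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="x" exe="/tmp/.x/x" key="exec"
type=EXECVE msg=audit(1403704860.555:2002): argc=1 a0="/tmp/.x/x"
type=CWD msg=audit(1403704860.555:2002):  cwd="/tmp/.x"
type=SYSCALL msg=audit(1403704900.007:2003): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3140 pid=3155 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="sh" exe="/bin/dash" key="exec"
type=EXECVE msg=audit(1403704900.007:2003): argc=3 a0="sh" a1="-c" a2=6964203E202F746D702F6F7574
type=SYSCALL msg=audit(1403704950.300:2004): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
type=EXECVE msg=audit(1403704950.300:2004): argc=1 a0="/usr/sbin/cron"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNSET_AUID = "4294967295"         # (unsigned)-1: no login session, e.g. daemons
EXECVE_NR_X86_64 = "59"           # syscall numbers are per-arch; arch=c000003e is x86_64
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # choice for the example


def decode_arg(raw):
    """EXECVE aN fields: quoted when printable, otherwise hex-encoded by auditd."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_line(line):
    """One raw record -> (type, timestamp, serial, fields)."""
    m = MSG_RE.search(line)
    if not m or not line.startswith("type="):
        return None
    rectype = line.split(None, 1)[0][len("type="):]
    ts, serial = float(m.group(1)), int(m.group(2))
    fields = {}
    for k, v in KV_RE.findall(line[m.end():]):
        if rectype == "EXECVE" and re.fullmatch(r"a\d+", k):
            v = decode_arg(v)
        elif v.startswith('"') and v.endswith('"'):
            v = v[1:-1]
        fields[k] = v
    return rectype, ts, serial, fields


def assemble_events(log_text):
    """Group SYSCALL/EXECVE/CWD/PATH records into one event per audit serial."""
    events = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rectype, ts, serial, fields = parsed
        ev = events.setdefault(serial, {"ts": ts, "serial": serial, "syscall": None,
                                        "argv": [], "cwd": None, "paths": []})
        if rectype == "SYSCALL":
            ev["syscall"] = fields
        elif rectype == "EXECVE":
            ev["argv"] = [fields.get("a%d" % i, "") for i in range(int(fields.get("argc", 0)))]
        elif rectype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rectype == "PATH":
            ev["paths"].append(fields)
    return [events[s] for s in sorted(events)]


def detect(events):
    """Two hunt rules over successful execve events; returns (serial, rule, detail)."""
    findings = []
    for ev in events:
        sc = ev["syscall"]
        if not sc or sc.get("syscall") != EXECVE_NR_X86_64 or sc.get("success") != "yes":
            continue
        exe, auid, uid = sc.get("exe", ""), sc.get("auid"), sc.get("uid")
        if exe.startswith(SUSPICIOUS_EXEC_DIRS):
            findings.append((ev["serial"], "exec_from_tmp", exe))
        # root exec tied to a real login session: sudo/su produce this legitimately,
        # so it is a triage lead (check argv and the session), not a verdict
        if uid == "0" and auid not in ("0", UNSET_AUID):
            findings.append((ev["serial"], "root_exec_in_user_session",
                             "auid=%s argv=%s" % (auid, " ".join(ev["argv"]))))
    return findings


if __name__ == "__main__":
    for serial, rule, detail in detect(assemble_events(SAMPLE_LOG)):
        print(serial, rule, detail)
```

    The auid (login uid) is what makes the second rule possible: pam_loginuid sets it at login and it survives su and sudo, so a uid=0 execve carrying auid=1000 ties root activity back to that user's session, whereas a daemon's auid is unset (4294967295). Because sudo produces the same pattern legitimately, the finding is a lead to triage against argv and the session history rather than an alert on its own.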
    June 25th, 2014 16:00 – 16:30

    Imperial Ballroom (Mezzanine Level - 2nd Floor)