27th Annual FIRST Conference

Conference Program

Overview

June 14th (Sunday)

Pre-Conference
09:00 – 17:00

FIRST Education Summit III (Invite Only) - Bellevue


FIRST Training - Check

09:00 – 16:30

Train the Trainers - Rook

17:00 – 18:00

Ambassador Program Training - Rook

18:30 – 19:00

Newbie Reception - Pavillon

19:00 – 21:00

Ice Breaker Reception - Pavillon

June 15th (Monday)

Workshops | Potsdam I | Potsdam III | Bellevue
08:45 – 09:30

Conference Opening - Potsdam I

09:30 – 10:00

Keynote Presentation - Potsdam I

10:00 – 10:30

Morning Networking Break - Conservatory / Potsdam Foyer

10:30 – 11:00

Introduction - Potsdam I

11:00 – 12:00

 

Adventures in Fighting Cybercrime

Mr. Piotr KIJEWSKI (CERT Polska/NASK)

TBA

TBA

12:00 – 13:00

Lunch - LA Café & Pavillon

13:00 – 14:00

BetterCrypto.org Workshop

Mr. David DURVAUX (BetterCrypto.org), Mr. Aaron ZAUNER (Azet), Mr. L. Aaron KAPLAN (CERT.at)

The Crack in KrakenBOT

Mr. Peter KRUSE (CSIS Security Group A/S)

I'm Sorry to Inform You...

Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies), Dr. Marie MOE (SINTEF ICT)

3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience

Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI)

14:00 – 14:30

BetterCrypto.org Workshop (cont.)

So You Want a Threat Intelligence* Function (*But Were Afraid to Ask)

Mr. Gavin REID (Fidelity), Mr. Levi GUNDERT, Mr. Ed HOLOHAN

Working Towards the Tokyo 2020 Olympics - Situation in 2015

Ms. Mariko MIYA (CDI-CIRT (Cyber Defense Institute, Inc.) - Japan)

Everyday Etiquette: Responding to Uncoordinated Disclosures

Ms. Laura RABA (US-CERT)

14:30 – 15:00

Afternoon Networking Break - Conservatory / Potsdam Foyer

15:00 – 16:00

BetterCrypto.org Workshop (cont.)

Threat Information Sharing; Perspectives, Strategies, and Threat Scenarios

Mr. Timothy GRANCE (NIST), THOMAS MILLAR (US-CERT), Mr. Pawel PAWLINSKI (CERT Polska / NASK), Mr. Luc DANDURAND (ITU)

Malware in Your Pipes: The State of SCADA Malware

Mr. Kyle WILHOIT (Trend Micro)

Collecting, Analyzing and Responding to Enterprise Scale DNS Events

Mr. Bill HORNE (Hewlett-Packard)

16:00 – 17:00

 

Financial Review

Barriers and Pathways to Improving the Effectiveness of Cybersecurity Information Sharing Among the Public and Private Sectors

Mr. John GUDGEL (George Mason University), Dr. Mark TROUTMAN (George Mason University)

Incident Response Programming with R

Mr. Eric ZIELINSKI (Nationwide)

17:00 – 17:30

 

Financial Review (cont.)

Lightning Talk

 

17:30 – 18:00

 

 

Lightning Talk (cont.)

 

June 16th (Tuesday)

Workshops | Potsdam I | Potsdam III | Bellevue
08:45 – 09:00

Opening Remarks - Potsdam I

09:00 – 09:45

Keynote Presentation - Potsdam I

09:45 – 10:15

Morning Networking Break - Conservatory / Potsdam Foyer

10:15 – 11:15

CSIRT Info Sharing Workshop

Shari LAWRENCE PFLEEGER (I3P-Dartmouth-GMU-NL-SE (various CSIRTS))

Fact Tables - A Case Study in Reducing Reactive Intrusion Time-to-Know by 95%

Mr. Jeff BOERIO (Intel Corp.)

RAT Tracking - Proactive Adversary Attribution via Scalable C2 Profiling

Mr. Levi GUNDERT (Fidelity Investments)

Quality Over Quantity—Cutting Through Cyberthreat Intelligence Noise

Mr. Rod RASMUSSEN (IID)

11:15 – 11:45

CSIRT Info Sharing Workshop (cont.)

Prepare Your Cybersecurity Team for Swift Containment Post Incident

Mr. Michael HARRINGTON (General Dynamics Fidelis Cybersecurity Solutions)

A Day in the Life of a Cyber Intelligence Professional

Ms. Katherine GAGNON (World Bank Group)

Seven Years in MWS: Experiences of the Community Based Data Sharing for Anti-Malware Research in Japan

Dr. Masato TERADA (Hitachi Incident Response Team), Yoichi SHINODA (JAIST), Mitsuhiro HATADA (NTT Communications Corporation)

11:45 – 12:45

Lunch - LA Café & Pavillon

12:45 – 13:15

Hands-on Network Forensics Workshop

Mr. Erik HJELMVIK (FM CERT)

Overview of South Korea Target Malwares

Mrs. Dongeun LEE (KRCERT/CC, KISA)

When Business Process and Incident Response Collide: The Fine-Tuning of the IR Program

Ms. Reneaue RAILTON (Former/Future member)

Ce1sus: A Contribution to an Improved Cyber Threat Intelligence Handling

Mr. Jean-Paul WEBER (GovCERT.lu)

13:15 – 14:15

Hands-on Network Forensics Workshop (cont.)

The Cybercrime Evolution in Brazil: An Inside View of Recent Threats and the Strategic Role of Threat Intelligence

Mr. Ricardo ULISSES (Tempest Security Intelligence), Mr. Aldo ALBUQUERQUE (Tempest Security Intelligence)

Security Operations: Moving to a Narrative-Driven Model

Mr. Joshua GOLDFARB (FireEye)

Case Study: Creating Situational Awareness in a Modern World.

Mr. Michael MEIJERINK (NCSC-NL)

14:15 – 14:45

Afternoon Networking Break - Conservatory / Potsdam Foyer

14:45 – 15:45

Hands-on Network Forensics Workshop (cont.)

Enabling Innovation in Cyber Security

Mr. Michael GORDON (Lockheed Martin)

Technology, Trust, and Connecting the Dots

Mr. George JOHNSON (NC4), Mr. Bill NELSON (FS-ISAC), Mr. Wayne BOLINE (Raytheon), Kris HERRIN (FS-ISAC)

Bring Your Own Internet Of Things (BYO-IoT)

Mr. Jake KOUNS (Risk Based Security), Mr. Carsten EIRAM (Risk Based Security)

15:45 – 16:45

Hands-on Network Forensics Workshop (cont.)

DSMS: Automating Decision Support and Monitoring Workflow for Incident Response

Mr. Chris HORSLEY (CSIRT Foundry), Mr. SC LEUNG (HKCERT)

Crisis Communication for Incident Response

Mr. Scott ROBERTS (GitHub)

Cyber Security Challenges in the Financial Sector: Internal and External Threats

Ms. Rosa Xochitl SARABIA BAUTISTA (Mnemo-CERT)

17:00 – 19:00

Vendor Show Case - Conservatory / Potsdam Foyer

June 17th (Wednesday)

Workshops | Potsdam I | Potsdam III | Bellevue
08:45 – 09:00

Opening Remarks - Potsdam I

09:00 – 10:00

Keynote Presentation - Potsdam I

10:00 – 10:30

Morning Networking Break - Conservatory / Potsdam Foyer

10:30 – 11:30

CVSS v3 Hands-on Training

Mr. Seth HANFORD (TIAA-CREF)

Passive Detection and Reconnaissance Techniques to Find, Track and Attribute Vulnerable "Devices"

Mr. Alexandre DULAUNOY (CIRCL - Computer Incident Response Center Luxembourg), Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies)

TBA

TBA

11:30 – 12:30

CVSS v3 Hands-on Training (cont.)

National Cyber Protection through Facilitation. Real Cases by CERT-UA

Mr. Nikolay KOVAL (CERT-UA)

TBA

TBA

12:30 – 13:30

Lunch - LA Café & Pavillon

13:30 – 14:30

Pen testing iOS apps Workshop

Mr. Kenneth VAN WYK (KRvW Associates, LLC)

The Future of Information Exchange Policy

Mr. Paul MCKITRICK (Microsoft), Ms. Merike KAEO (IID)

Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators

Mr. Alexandre PINTO (Niddel), Mr. Alexandre SIEIRA (Niddel)

Sinfonier: Storm Builder for Security Intelligence

Mr. Fran GOMEZ (Telefonica), Mr. Leonardo AMOR (Telefonica)

14:30 – 15:00

Afternoon Networking Break - Conservatory / Potsdam Foyer

15:00 – 16:00

Pen testing iOS apps Workshop (cont.)

Theory and Practice of Cyber Threat-Intelligence Management Using STIX and CybOX

Dr. Bernd GROBAUER (Siemens)

The Needle in the Haystack

Mr. Jasper BONGERTZ (Airbus Defence and Space CyberSecurity GmbH)

How We Saved the Death Star and Impressed Darth Vader

Mr. Matthew VALITES (Cisco CSIRT), Mr. Jeff BOLLINGER (Cisco CSIRT)

16:00 – 17:00

Pen testing iOS apps Workshop (cont.)

Validating and Improving Threat Intelligence Indicators

Mr. Douglas WILSON (FireEye)

Malware Analysis Case Study & Experimental Evaluation on the Applicability of Live Forensics for Industrial Control Systems

Mr. Yuji KUBO (CFC), Mr. Kensuke TAMURA (CFC)

Machine Learning for Cyber Security Intelligence

Mr. Edwin TUMP (NCSC-NL)

17:00 – 18:00

 

Lightning Talks

 

 

18:30 – 19:15

Reception at the Postbahnhof

19:15 – 22:00

Banquet at the Postbahnhof

June 18th (Thursday)

Workshops | Potsdam I | Potsdam III | Bellevue
09:00 – 09:15

Opening Remarks - Potsdam I

09:15 – 10:00

Keynote Presentation - Potsdam I

10:00 – 10:30

Morning Networking Break - Conservatory / Potsdam Foyer

10:30 – 11:00

 

Evaluating the Effectiveness of Fuzzy Hashing Techniques in Identifying Provenance of APT Binaries

Ms. Bhavna SOMAN (Intel Corporation)

Protecting Privacy through Incident Response

Mr. Andrew CORMACK (Jisc)

Building Community Playbooks for Malware Eradication

Mr. Christian SEIFERT (Microsoft)

11:00 – 11:30

 

Recent Trends of Android Malicious Apps: Detection And Incident Response in South Korea

Mr. Inseung YANG (KrCERT/CC), Ms. Jihwon SONG (KrCERT/CC)

Defining and Measuring Capability Maturity for Security Monitoring Practices

Mr. Eric SZATMARY (Dell SecureWorks)

Building Community Playbooks for Malware Eradication (cont.)

11:30 – 12:00

 

A Study on the Categorization of Webshell

Mr. Jae Chun LEE (KISA, KrCert/CC)

ENISA Threat Landscape: Current and Emerging Threat Assessment

Dr. Louis MARINOS (ENISA)

A Cognitive Study to Discover How Expert Incident Responders Think

Mr. Sam J. PERL (CMU SEI CERT/CC)

12:00 – 13:00

Lunch - LA Café & Pavillon

13:00 – 14:00

 

VRDX-SIG: Global Vulnerability Identification

Mr. Art MANION (CMU SEI CERT/CC), Mr. Takayuki UCHIYAMA (JPCERT/CC), Dr. Masato TERADA (Hitachi Incident Response Team)

Effective Team Leadership and Process Improvement For Network Security Operators

Mr. Jeremy SPARKS (United States Air Force)

Global Standards Unification - How EU NIS Platform, NIST and IETF Standards are Breaking Barriers for Information Sharing and Automated Action

Ms. Merike KAEO (IID)

14:00 – 15:00

IPv6 Security Workshop

Mr. Frank HERBERG (SWITCH-CERT)

Il Buono, il Brutto, il Cattivo: Tales from Industry

Mr. Rich BARGER (Cyber Squared Inc.), Mr. Andre LUDWIG (Novetta Solutions)

Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study

Mrs. Sharifah Roziah MOHD KASSIM (MyCERT, CyberSecurity Malaysia)

A Funny Thing Happened on the Way to OASIS: From Specifications to Standards

Mr. Richard STRUSE (US-CERT)

15:00 – 15:30

Afternoon Networking Break - Conservatory / Potsdam Foyer

15:30 – 17:30

IPv6 Security Workshop (cont.)

 

 

 

June 19th (Friday)

Workshops | Potsdam I | Potsdam III | Bellevue
08:45 – 09:00

Opening Remarks - Potsdam I

09:00 – 10:00

Internet Architecture Board (IAB) and Internet Society (ISOC) workshop on Coordinating Attack Response at Internet Scale (CARIS)

 

 

 

10:00 – 10:15

Morning Networking Break - Conservatory / Potsdam Foyer

10:15 – 11:15

IAB and ISOC Workshop (cont.)

Building CERT Team and Responding Incidents in the Large Energy Company.

Mr. Mirosław MAJ (Cybersecurity Foundation)

Implementation of Machine Learning Methods for Improving Detection Accuracy on Intrusion Detection System (IDS)

Mr. Bisyron MASDUKI (Id-SIRTII), Mr. Muhammad SALAHUDDIEN (Id-SIRTII)

Streamlined Incident Response from a Forensic Perspective

Matthew ROHRING (U.S. Department of Homeland Security / U.S. Computer Emergency Readiness Team)

11:15 – 11:45

IAB and ISOC Workshop (cont.)

Sector Based Cyber Security Drills - Lessons Learnt

Mr. Malagoda Pathiranage DILEEPA LATHSARA (Member)

Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites

Mr. Osamu SASAKI (JPCERT/CC), Mr. Hiroshi KOBAYASHI (JPCERT/CC)

Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale

Dr. Bronwyn WOODS (CERT Program, SEI, CMU)

12:00 – 13:00

Closing Remarks - Potsdam I

13:00 – 14:00

Lunch - LA Café & Pavillon

14:00 – 17:00

IAB and ISOC Workshop (cont.)

 

 

 

  • 3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience

    Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI)

    Background
    ----------

    Cyber-exercises are an important part of national and international cyber-crisis management within several communities. In this talk we present our 3J4E concept, which addresses the following three challenges of (international) cyber exercises:
    - encouraging international / inter-community information sharing within cyber-exercises, keeping in mind the expectations of players (JIGSAW);
    - optimizing utilisation of limited exercise time (JUMPSTART);
    - addressing the top crisis management level within an international exercise (JUNCTURE).

    Methodology
    -----------

    The 3J4E concept is modular, which means that the three parts can be used independently. It consists of the three modules presented below.

    JIGSAW

    One often-seen showstopper for information sharing in international operational cyber-exercises is the fact that all participating teams get the same set of information from the scenario. As all players hold the same information, there is no need or desire for information sharing. Another problem regarding information sharing is the different levels of involvement and expectations among the playing teams. Players with a low involvement often don't share information actively, so that the whole exercise suffers due to the lack of participation of single playing teams.
    Our JIGSAW module tries to solve these two challenges of information sharing by separating the scenario into several so-called JIGSAW pieces and providing them to the players according to their level of participation and expectation. Besides the scenario elements, the players also need to be clustered according to their level of involvement.
    The idea behind JIGSAW is that each player holds just a little piece of information, and only by sharing with others does the whole situational picture become visible. Sharing should take place according to the level of involvement and expectation.
    To split up the scenario into pieces and cluster the players according to their expectations, we present a concept that we call the Multilevel Clustered Exercise Framework.

    JUMPSTART

    A well-known problem of cyber exercises is the limited time frame for the exercise play. This problem increases further if strategic top-level decision makers participate.
    A crisis timeline follows the five phases Pre-Crisis, Detection, Reporting / Alerting, Response and Wrap-Up, while the exercise timeline consists of three phases, Pre-Ex, Ex-Play and Post-Ex. In a classic exercise setup the two timelines are often aligned such that the Ex-Play phase covers the Detection and the Reporting / Alerting phases of the crisis timeline. The Response phase is often only touched on slightly, or even not played at all, due to the limited playing time.
    For a JUMPSTART into the exercise it is necessary to align both timelines such that the beginning of the Ex-Play (StartEx) coincides with the end of the Reporting / Alerting phase. This means that the players start directly within the Response phase and can initiate the crisis management procedures right away.
    To reach this aim, the JUMPSTART concept shows ways to create exercise material that covers the first three phases of crisis management before StartEx. This requires more detailed preparation among planners and players, but leads to a strong involvement of the stakeholders in the exercise right at StartEx.
    To illustrate the benefits of the JUMPSTART concept we use the well-known OODA loop (Observe, Orient, Decide, Act) and activity diagrams showing national and international crisis management play.

    JUNCTURE

    The aim of the JUNCTURE module is to design scenario elements which reach the strategic top level of crisis management within an operational exercise. Besides the strategic top-level decision makers, this also includes staff dealing with strategic decision preparation.
    To reach this aim, we developed two ways of creating scenario elements that reach the intended strategic management level: "By Aggregation" and "By Singularity". While the "By Aggregation" approach deals with a large number of incidents that lead to a crisis, the "By Singularity" approach focuses on one single high-impact incident which triggers top-level management decisions.
    To design scenarios which fit one of these two approaches, we recommend a technique which we call Consequence-Backtracking. In this method the consequences of top management decisions in real crisis situations (cyber and non-cyber) are analysed to understand which level of impact is necessary to trigger decisions on the particular management level. Based on this backtracking, in the following step cyber scenario events are developed which imply the same consequences as the examined real crisis.

    Impact
    ------

    The overall quality of cyber exercises in both governmental and business contexts is improved. The satisfaction of top management players will be improved.

    Significance for the audience
    -----------------------------

    The audience is able to understand the three concepts and see the advantages for future cyber exercises. Due to the given implementation examples, the audience is able to generate ideas for their own implementations.
    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • A Cognitive Study to Discover How Expert Incident Responders Think

    Mr. Sam J. PERL (CMU SEI CERT/CC)

    Incident response expertise is a rare and valued resource. Expert incident responders are expensive to hire, difficult to find, and competition for their services is fierce. Governments, the private sector, and non-profits all need experienced incident responders with the proper skills and training in order to respond effectively to increasingly sophisticated cyber attacks.

    We performed a cognitive study on expert incident responders after being inspired by existing research studies on experts in non-security domains. Our goal was to extract the conceptual frameworks or schemata that expert incident responders use to make their decisions and to represent their schemata in a form that could be understood and used by non-experts.

    Our presentation will include background information on the four expert incident responders who participated in our study, the real-world proprietary stimulus materials our experts used to decide the best responses to the incidents we gave them, our methodology, and our data analysis. Next, our presentation will describe the results of our study--the schemata our expert incident handlers used to make their decisions, and what our results reveal about the incident response field when compared to the findings of researchers studying expertise in other domains such as business and military decision making.

    Last, we will discuss the implications of our results in light of the current societal and business trajectory toward greater technology dependence and the ever-growing demand for incident response expertise.
    June 18th, 2015 11:30 – 12:00

    (InterContinental Berlin, Germany)

  • A Day in the Life of a Cyber Intelligence Professional

    Ms. Katherine GAGNON (World Bank Group)

    Building a cyber threat intelligence program can be a daunting task given the firehose of information which could be consumed. Many organizations don't know where to even start, but the truth is it probably has already started...

    - Are you monitoring the news for open source information (OSINT) and considering how a similar attack might affect your own organization?
    - Do you seek out indicators of compromise (IOCs) for said incidents and apply controls or alerting to firewalls, proxies, endpoints, IDSs, etc.?
    - Do you collaborate with colleagues outside your organization and share information about techniques, tactics and procedures (TTPs) hackers may be using?
    - Is your organization a member of FIRST or an institutional ISAC, or does it have a relationship with an outside security services vendor?

    Those are all beginning elements to a cyber intelligence program, but the question then becomes how to mature and manage information flow past OSINT. This presentation will discuss "a day in the life" of cyber threat intelligence work, including:

    - relationship building,
    - bi-directional IOC sharing,
    - making IOCs actionable within operational systems,
    - managing the onslaught of information,
    - brand protection & takedowns,
    - awareness for users, engineering & management,
    - pitfalls to avoid,
    - taking steps towards automation.

    It will also discuss staffing considerations in a small or growing intelligence team.
    June 16th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • A Funny Thing Happened on the Way to OASIS: From Specifications to Standards

    Mr. Richard STRUSE (US-CERT)

    This presentation will explain the process of transitioning the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) from technical specifications sponsored by the US Department of Homeland Security into formal international standards, explaining decisions made along the way and discussing lessons learned during the development, refinement, and transition process.

    As pivotal ingredients in the future of automated, structured information exchange between CSIRTs, STIX and TAXII need to "land" in the right standards body with the right amount of support from public and private sector partners to help shepherd them through the process of becoming international, voluntary standards while preserving their functionality and compatibility. Nothing good comes easy, and the path to transition was full of difficult decisions.

    In this session, participants will learn key considerations for engaging with international standards bodies; different roles and governance models for the various standards organizations that CSIRTs may interact with; and how to ensure international standardization of our common practices and tools has a positive and lasting impact on the CSIRT community and the constituencies we serve.
    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • A Study on the Categorization of Webshell

    Mr. Jae Chun LEE (KISA, KrCert/CC)

    A webshell is a backdoor program which is most commonly used for web hacking.

    We can easily determine the features and methods of hacker groups if we know the unique features of the webshell.

    For example, the DMC webshell used in the Dark Seoul case is used by specific hacker groups.
    In other hacking cases, the systems on which the DMC webshell was installed saw similar attack methods from the same IPs.

    In some cases attackers apply analysis disturbance techniques, such as obfuscation methods applied in stages.
    So, knowing the history of a webshell should be very helpful when analyzing it.

    KrCert/CC has about 400 cases of webshell analysis from intrusions in Korea in 2014 and has researched how to classify the cases.

    The following is the agenda for this presentation.

    - Introduction of webshell and its feature
    - System of webshell categorization and the correlation of intruders
    - How to classify webshell
      1. By function
      2. By the length of webshell source code
      3. By the method of source code encoding
      4. By detection evasion
      5. By analysis disturbance
      6. By file name
      7. By concealment method
      8. By the fingerprint and transformation of webshell
      9. By the language
    - Conclusion
    June 18th, 2015 11:30 – 12:00

    (InterContinental Berlin, Germany)

  • Adventures in Fighting Cybercrime

    Mr. Piotr KIJEWSKI (CERT Polska/NASK)

    The talk will cover various cybercrime operations analysed by CERT Polska in the last 1-2 years. These primarily involved various forms of malware and botnets that used Polish network properties for C&C purposes or that were specifically targeting Polish users. Many of these include banking trojans (such as VMZeus/Gozi2/Kronos), specifically web-inject malware. We will show how these evolve and use more and more sophisticated social engineering techniques to fool users into losing their money. We will also cover other cases that did not involve malware, but that employ similar social engineering tricks, such as mass hackings of home routers for financial gain. We will explore some cases unique to the Polish scene, including the rise of Banatrix (a relatively simple malware that is surprisingly effective in stealing money by substituting bank account numbers when these are rendered by the browser) and its friends. We will present specific case studies on how our team counters these threats and on how effective these cybercrime campaigns really are.

    Relevance to audience:
    Talks that cover case studies on actual malware (and other cybercrime related cases), its true scale of infection and effectiveness, and how specific cases were dealt with (including sinkholing techniques), are unfortunately still rather rare in the CERT community. Sharing knowledge and experience learned will be beneficial both to the audience and the speaker ;). We will try to cover the most recent cases and some interesting older ones.

    Technical level:
    Medium - we will cover some technical details but concentrate more on trends and how threats evolve rather than going very deep into malware internals.

    Target audience:
    Security specialists and management with technical background.
    June 15th, 2015 11:00 – 12:00

    (InterContinental Berlin, Germany)

  • Barriers and Pathways to Improving the Effectiveness of Cybersecurity Information Sharing Among the Public and Private Sectors

    Mr. John GUDGEL (George Mason University), Dr. Mark TROUTMAN (George Mason University)

    This presentation describes the barriers to information sharing and pathways to improving the effectiveness of cybersecurity collaboration among the public and private sectors. The presentation is based on research conducted by George Mason University's Center for Infrastructure Protection (CIP) under a three-year research grant from the U.S. Department of Homeland Security. Barriers to cybersecurity information sharing were identified through interviews and focus groups with over twenty public and private organizations in both Europe and the United States, and through surveys of cybersecurity professionals conducted in 2014 and 2015. The empirical evidence is then compared to the findings of other researchers to produce a comprehensive overview of information sharing barriers within CSIRTs, C-CERTs, and M-SIRTs; between these teams and their larger organizations; and between the organization and the extra-organizational cybersecurity world. Pathways that some organizations are taking to break down barriers, and incentives that might be considered to promote information sharing, are also discussed.
    June 15th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • BetterCrypto.org Workshop

    Mr. David DURVAUX (BetterCrypto.org), Mr. Aaron ZAUNER (Azet), Mr. L. Aaron KAPLAN (CERT.at)

    The BetterCrypto Project started out in the fall of 2013 as a collaborative community effort by systems engineers, security engineers, developers and cryptographers to build up a sound set of recommendations for strong cryptography and privacy enhancing technologies catered towards the operations community in the face of overarching wiretapping and data-mining by nation-state actors. The project has since evolved with a lot of positive feedback from the open source and operations community in general, with input from various browser vendors, Linux distribution security teams and researchers.

    This workshop will give a concise guide on how to properly deploy networked services in a secure fashion that is applicable today. We will also give an update on the project as well as new developments on the front of cryptography, attacks and TLS protocol standardization.

    In addition, the workshop will touch on the basics of cryptography. However, this part can only give a gentle intro and a historical view on cryptography.

    The core idea behind the project is to use the skills of its authors to build an open-source guide for system administrators who need to securely configure their systems. The document is split into two parts:

    - the first one proposes state-of-the-art configurations for as many different systems as possible;
    - the second part explains the reasoning behind certain settings through a theoretical approach.

    The configuration part tries to offer configurations that can be copy/pasted to give a valid usage of cryptography. As clear-text protocols should be avoided, we tried to cover as many different systems and usages as possible. For instance, we cover the following technologies and implementations:

    1. web server: Apache, Lighttpd...
    2. mail server: Postfix...
    3. remote session: SSH
    4. mail encryption: PGP/GPG
    5. secure chat:
    6. ...

    The theoretical part will cover algorithms, key sizes, main concepts and properties that need to be used. It addresses the major discussions such as

    - algorithms to be used;
    - key size;
    - asymmetric and symmetric cryptography;
    - perfect forward privacy;
    - ...

    Made with the open-source spirit in mind (the whole document is written in LaTeX and published as open source on git), our work is open for comments. We are looking for new contributions, and any will be welcome.

    Our goal is also to continue completing the guide with other tools from other vendors. We also dream of a configuration tool that could help people automatically generate the configuration they need for their systems...

    Our workshop at FIRST would cover

    - a description of the project and the need for such a work;
    - a short introduction to cryptography and the main concepts;
    - some description of what the proposed configuration looks like and the results on some online validation tools;
    - a step-by-step demonstration of the usage of GPG on the command line to show what's really under the hood;
    - a call for collaboration and help: we are open, and the more we are, the better our work will be!

    As an attachment, we propose a draft presentation using previous works, to demonstrate the type of content we would like to propose.
    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Bring Your Own Internet Of Things (BYO-IoT)

    Mr. Jake KOUNS (Risk Based Security), Mr. Carsten EIRAM (Risk Based Security)

    Just as incident response teams thought they were finally getting a handle on Bring Your Own Device (BYOD), whether they know it or not they now face a new challenge of dealing with IoT (Internet of Things). It is no longer just laptops and smart phones being connected to the corporate network. It now includes everything from surveillance cameras to smart light bulbs, smoke detectors, and sprinklers with wireless connectivity - not forgetting the coffee machine. On the surface this may seem like a low risk, but we have already seen numerous data breaches due to third party vendors. Target, for example, admitted the initial break-in was due to their HVAC vendor.

    We’ve seen researchers focusing on discovering vulnerabilities in SCADA / ICS, smart phones, routers and access points, and within the past couple of years, we’ve seen them focus on surveillance cameras. Now they’re branching out and focusing more on IoT in general. At this point, most of the IoT hacks that we’re seeing are currently lame when it comes down to it. They require physical access or are minor issues. However, the potential real world impact is scary, impressive, and very important to pay attention to, as we’ve seen with other consumer devices.

    Is your organization ready to deal with new exploits for IoT devices on your network? Do you have solid policies in place for dealing with how these devices are securely connected to the network, properly protected, and how any compromises involving them should be handled?

    This talk will cover a sample of vulnerabilities that currently have been published in various IoT devices and discuss the challenges and concerns organizations need to understand. It will fully discuss the capabilities of IoT vendors to even deal with vulnerability reports and ultimately help ensure that once IoT really enters your enterprise, you’re ready and equipped to deal with it.
    June 16th, 2015 14:45 – 15:45

    (InterContinental Berlin, Germany)

  • Building CERT Team and Responding Incidents in the Large Energy Company.

    Mr. Mirosław MAJ (Cybersecurity Foundation)

    The number of significant and dangerous incidents affecting energy sector companies is growing. Last year's cases related to the activities of groups like Dragonfly or Sandworm and attacks like BlackEnergy are the best proof that this sector has become a very common target of cyberattacks. The political and military tension in Eastern Europe is fostering this trend.

    This situation has forced energy sector companies to work more actively on their cybersecurity systems, including building the capabilities of an efficient incident response process.

    During the presentation, **the process of building a CERT team in an energy sector company** will be presented.

    Such a process is specific due to the special requirements related to the existence of a CERT in a large energy company. This kind of company is usually **organisationally widely distributed**. This distribution also affects the technical infrastructure, which creates **special challenges** for infrastructure protection. Another challenge is the fact that the **responsibility for maintaining the technical infrastructure is shared by many entities, including outsourced parties**. All these specifics make the process of building the CERT team very challenging, and during it both technical and personal relationship aspects are very important.

    The presentation of the CERT creation process will be enriched by the presentation of **the experiences from the process of responding to incidents**. The most interesting incidents will be presented in relation to the established and implemented CERT processes, so attendees will be able to learn how the specific CERT structure is prepared for them and able to respond to them effectively.

    The presentation will be based on a real case study of CERT creation in an energy sector company, as the author is involved in such a process. Real, anonymised computer incidents will also be used in the speech.

    The attendees will learn:
    - how to prepare and conduct the process of building a CERT in a large company
    - what the most common incidents in an energy sector company are
    - what the influence of the CERT operational model is on the effectiveness of the incident management process
    - how to use experiences from an energy company in your own organisation: what is universal and what is specific
    June 19th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Building Community Playbooks for Malware Eradication

    Mr. Christian SEIFERT (Microsoft)

    One of the goals of the Microsoft sponsored Coordinated Malware Eradication program is to use lessons learned from current and past malware eradication campaigns to inform new campaigns. To improve the efficiency of antimalware campaigns, our tactic is to distill the collective experience of past campaigns into playbooks that contain templates and guidelines that the entire community working to eradicate malware can directly incorporate into future campaigns.

    This presentation will show the playbooks we’ve created, how participants have used them, and ideas for new playbooks we’d love to build with the help of the community to more effectively fight malware together.

    Examples of playbooks are:

    • Creating an eradication plan—what deterrence and eradication techniques make sense for this operation?

    • Abuse reporting to vetted and to previously unknown entities— what do you say when you don’t know if you can trust the recipient?

    • Conducting a postmortem—why is it one of the most critical steps, what questions should you ask?
    June 18th, 2015 10:30 – 11:00

    (InterContinental Berlin, Germany)

  • Case Study: Creating Situational Awareness in a Modern World.

    Mr. Michael MEIJERINK (NCSC-NL)

    When Edward Snowden leaked classified information from the NSA in June 2013, all government initiatives on monitoring and data correlation became suspicious. NCSC had just started the pilot preparations at a government data centre aimed at automatically sharing indicators and incident related information, giving a boost to the operational situational awareness of its CSOC. Many challenges had to be overcome. As of December 2014, government organizations as well as critical infrastructure partners have started the new sharing collaboration successfully. In his presentation Michael will discuss the prerequisites, technical but mostly non-technical, needed to create this Dutch habitat in which organizations can share information safely on a voluntary basis. Michael will also share the outcome of the evaluation held in June 2015.
    June 16th, 2015 13:15 – 14:15

    (InterContinental Berlin, Germany)

  • Ce1sus: A Contribution to an Improved Cyber Threat Intelligence Handling

    Mr. Jean-Paul WEBER (GovCERT.lu)

    The daily business of Computer Incident Response Teams (CIRT) is preventing incidents and handling breaches. Sharing information is crucial for time efficiency and for the prevention of unnecessary double work. Automated handling and processing of cyber threat intelligence is imperative. Currently there are a number of emerging tools, but to date none of them, in our opinion, sufficiently satisfies the needs of computer specialists working in the domain of incident response. The main needs include the following: ease of use, adequate handling of data structures, interfaceability and automated data enrichment.

    In this presentation the benefits of using structured data and automated systems will be outlined. Advantages and problems of relevant standards and available tools will be briefly discussed. In consequence, our ongoing work on ce1sus, an open source platform that fulfills all the identified needs while circumventing known problems, will be presented. ce1sus uses a widespread standard (STIX) and allows for interoperability with existing tools.

    Ce1sus is available as free open-source software at:

    https://github.com/GOVCERT-LU/ce1sus
    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • Collecting, Analyzing and Responding to Enterprise Scale DNS Events

    Mr. Bill HORNE (Hewlett-Packard)

    In this talk I will describe our efforts to collect, analyze and visualize DNS as part of our HP ArcSight SIEM infrastructure. DNS is important for security for many reasons. If the DNS infrastructure can be brought down, many networking tasks would be impossible to complete. If the integrity of the mapping between domain names and IP addresses is compromised, attackers can redirect users undetectably to IP addresses of their choosing. And malware of many types must in one way or another use the DNS infrastructure as part of their operations. For example, botnets often use fast flux techniques and domain name generation algorithms to rendezvous with command and control servers.

    Collecting DNS is a significant challenge. At HP, our core internal DNS clusters process approximately 16 billion DNS packets every day. Ideally, we would like to turn each and every one of those packets into an event for our SIEM. However, HP is currently the largest commercial deployment of ArcSight and we would have to grow our SIEM by a factor of six to collect this data. Moreover, traditional logging has a substantial performance impact on the DNS infrastructure, and therefore from an operational perspective enabling logging is also impractical. Finally, DNS servers generally do not log the information necessary to detect many security problems.

    To deal with these problems we collect and filter this traffic using hardware network packet sniffers, which have no impact on the performance of the DNS servers and allow us to collect all of the information we need for security purposes. We model known good traffic, and discard it, keeping only anomalous data.

    We developed a custom analytics engine, which analyzes this data looking for evidence of botnet infections, blacklist hits, cloud platform abuse, beaconing, data exfiltration, and cache poisoning attempts. The results of these analyses are turned into a set of alerts which are sent to our Security Operations Center (SOC). We’ve also developed a usable dashboard and visualizations to help analysts explore the data.

    The system has been up and running in HP since June 2014. The SOC processes on average about 20 of our alerts per day, with very low false positive rates. We’ve worked closely with the SOC to make sure the tool is fully integrated into the workflows that the SOC analysts use and meets the needs of the analysts.
    June 15th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Crisis Communication for Incident Response

    Mr. Scott ROBERTS (GitHub)

    One of the parts of intrusion response that rarely gets attention in DFIR circles, though huge attention outside them, is the victim company's customer-facing communication to its own customers. This is almost always the only real information the public gets about your intrusion, and communicating what happened effectively is crucial to minimizing damage, both to customers and to your organization's reputation.

    Using lessons pulled from professional public relations specialists, combined with practical experience in operations and security incident response, we'll review the five keys to good crisis communications. We'll walk through multiple examples of good and bad crisis communications and develop an understanding of what information people need to know, when they need it, and why they should get it from you and not the media. We'll also discuss building a comprehensive incident communications plan.
    June 16th, 2015 15:45 – 16:45

    (InterContinental Berlin, Germany)

  • CSIRT Info Sharing Workshop

    Shari LAWRENCE PFLEEGER (I3P-Dartmouth-GMU-NL-SE (various CSIRTS))

    **Project Details:** By analyzing documentation, observing actual CSIRT activity, convening focus groups, and using pre- and post-incident interviews, our team from Dartmouth College, George Mason University and Hewlett-Packard is recommending ways to improve the skills, dynamics and effectiveness of CSIRTs. Through the end of 2014, the team has interacted with 45 CSIRTs, conducted 28 focus groups, and interviewed 117 team members and several dozen team leaders; this data collection continues in 2015. Funded by agencies in the U.S., Sweden and the Netherlands, the project findings reflect CSIRT members in over a dozen countries and in academic, corporate, national and international organizations. This basic research is determining and validating principles for creating, running and sustaining an effective CSIRT. The output includes descriptions of needed knowledge, skills and abilities for key CSIRT roles, viewed from individual, team and multi-team system perspectives, plus recommendations for improving CSIRT performance. Evidence-based decision aids are being developed and used commercially, and technology transfer of results is being accomplished not only in publications (e.g. a special issue of IEEE Security & Privacy magazine, a handbook, and academic publications) but also by participating in existing CSIRT training sessions and by presenting findings to CSIRT members and managers in a final project workshop co-located with FIRST 2015.

    **Proposal Details:** Our team proposes a series of linked workshops and presentations at FIRST 2015 in Berlin:

    • Sunday, June 14: An all-day workshop at the Intercontinental Hotel in Berlin. At this experiential, interactive project workshop, our team will work with attendees (CSIRT team members and leaders) in two ways: After we present several key project findings, the attendees will take part in activities that help them identify which findings are directly relevant to their particular CSIRT structures, goals and talents, and then learn and apply techniques to address the most important areas for improvement.

    • Monday, June 15: Project-related presentations at FIRST by our project team members. Presentations have been proposed to FIRST by John Gudgel (George Mason University) on information sharing, William Horne (Hewlett-Packard) on applying our findings commercially, and Daniel Shore (George Mason University) on essential CSIRT team knowledge, skills and abilities that contribute to CSIRT effectiveness.

    • Tuesday, June 16: 90-minute workshop at FIRST on feedback and next steps toward CSIRT effectiveness. This workshop will present an overview not only of the project and its findings but also of techniques useful in immediate CSIRT improvements. In an interactive discussion, our team members will elicit examples from attendees of our findings’ utility and of other areas ripe for investigation and improvement that we have not yet addressed in our research.

    **Audience:** Members/leaders of CSIRTs, members/leaders of other teams that interact with CSIRTs.

    **Expected Outcomes:** Attendees will leave with descriptions of what works well in an incident response team; descriptions of what can be improved; descriptions of lessons learned from incident response teams; suggested pathways from improvement opportunity to actual improvement, based on lessons learned and on research findings; possible descriptions of areas/questions needing significant attention from researchers.
    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • CVSS v3 Hands-on Training

    Mr. Seth HANFORD (TIAA-CREF)

    With the release of Common Vulnerability Scoring System version 3 (CVSSv3), security teams need to understand how the classification and rating of vulnerabilities has changed. Version 2 has become a de facto standard over the last decade, and v2 scores are commonly used to quickly communicate severity.

    However, research presented at FIRST 26 showed that ~70% of published vulnerabilities could be described by applying only 10 combinations of metrics. This lack of variety left many characteristics of vulnerabilities poorly described or omitted by v2 classification, which in turn led to clusters of scores that flattened out the standard's usefulness for rating and responding to vulnerabilities.

    Version 3 corrects this condition without a net increase in metrics, by updating descriptive language, reducing subjective choice, and providing tools for an analyst to describe environmental mitigations (such as EMET, sandboxing, etc.) which reduce impacts or hamper exploitability in their organizations.

    This course is designed to give analysts hands-on training in applying the new CVSS v3 metrics, following the new decisions and descriptions for rating with v3, and exploring the new capabilities of Environmental Mitigations and Vulnerability Chaining. Attendees will work interactively with the facilitator to practice and apply the approach, rate "tough" vulnerabilities, and gain confidence in the new techniques necessary to help their organizations adopt the next standard for vulnerability scoring. It assumes passing familiarity with CVSS v3, such as reading the metrics section of the standard, and looking at the supplemental materials like the example vulnerabilities and scoring calculator; it will not be an in-depth review of those materials, but rather an application of them. Experience with CVSS v2 will be helpful, but is not necessary.

    It is intended for a technical audience, particularly for an analyst producing, supporting, or consuming vulnerability characteristics and ratings. Materials are designed for an analyst that is comfortable discussing vulnerability characteristics and foundational information security topics like authorization, privilege escalation, and the like. It may delve into discussion of common or emerging exploitation techniques (at a high level) but should be accessible to anyone comfortable with reading vendor or community produced vulnerability reports.
    June 17th, 2015 10:30 – 11:30

    (InterContinental Berlin, Germany)

  • Cyber Security Challenges in the Financial Sector: Internal and External Threats

    Ms. Rosa Xochitl SARABIA BAUTISTA (Mnemo-CERT)

    In recent years the attacks targeting financial institutions have evolved and are becoming more sophisticated. In fact, recent studies show that cyber-attacks have caused billions of dollars in losses, among personal data, company records or files, and any other sensitive information, which has caused a drop in consumer confidence and irreparable damage to the brand, as happened in the Target, Home Depot and J. P. Morgan security breaches.

    Due to the growing number and complexity of cyber-attacks, Mnemo-CERT was created: a financial Computer Emergency Response Team which works together and closely with banks to respond in a timely manner to any kind of information security incident and also to strengthen their security mechanisms in order to minimize damage from attacks and intrusions.

    In this presentation, Mnemo-CERT will speak about two case studies of very real threats to financial institutions:

    A. Financial fraud (internal threat). Staff represent a potential threat by virtue of their knowledge of and access to the organization’s own systems and their ability to bypass security measures through legitimate means. In this case, the results obtained through Digital Forensics Analysis and Cyber Intelligence allowed us to identify who was responsible, when it happened, and the modus operandi of this cyber fraud.

    B. Malware targeting ATMs (external threat). Ploutus malware detected on ATMs in Mexico was designed to steal cash without requiring any access to the credit or debit cards used by customers. This malware was analyzed in Mnemo Labs using reverse engineering techniques, and the results obtained will be explained. A few months later, the Mnemo-CERT team received another Ploutus malware sample and, despite its double obfuscation, similar results were found.
    June 16th, 2015 15:45 – 16:45

    (InterContinental Berlin, Germany)

  • Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators

    Mr. Alexandre PINTO (Niddel), Mr. Alexandre SIEIRA (Niddel)

    This session will consist of a technological exploration of commercial and open-source threat intelligence feeds that are commonly offered as a way to improve the capabilities of incident response teams. While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.

    We will present a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide, in addition to some tidbits such as indicator age and uniqueness across feeds. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. The tool itself (tiq-test) can be used by attendees to perform the same type of tests on their own data.

    We will also provide an additional open-source tool (combine) for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with a good mix of current publicly available network feeds and easily extensible for private or commercial feeds.
    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • Defining and Measuring Capability Maturity for Security Monitoring Practices

    Mr. Eric SZATMARY (Dell SecureWorks)

    All too often, CSIRTs and SOCs are realizing in the middle of high impact cybersecurity incidents that more could have been done to proactively monitor, detect, and respond to threat actor activity.

    While logging and monitoring "all the things" may be attainable for some organizations, many organizations must develop and execute a meaningful logging and monitoring strategy that balances coverage, efficacy, and cost. This presentation will cover the following elements to help organizations assess security monitoring capability maturity in a structured manner that enables continuous improvement and benchmarking with industry peer groups for detecting and responding to cybersecurity incidents relevant to their risk profile:

    • How to crosswalk security monitoring practices specified in key guidance such as NIST SP 800-53, PCI DSS 3.0, and the Council on CyberSecurity's Critical Security Controls to ensure a minimum security monitoring capability is in place.

    • How to use CERT-RMM and the recent derivatives created with DHS (CRR) and DOE (C2M2) to assess security monitoring capability maturity.

    • How to develop security monitoring use cases to support cybersecurity incident investigations and continuous monitoring.

    • Recommendations for key monitoring sources CSIRTs and SOCs should ensure are collected, retained, and are searchable.

    • How to maximize pre-existing monitoring sources and augment with open source/low-cost monitoring sources.

    • Recommendations for logging configuration settings and retention.

    • Recommendations for utilizing threat intelligence to enrich cybersecurity incident investigations and continuous monitoring.
    June 18th, 2015 11:00 – 11:30

    (InterContinental Berlin, Germany)

  • Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale

    Dr. Bronwyn WOODS (CERT Program, SEI, CMU)

    US-CERT receives a large volume of incident reports, but the reports often vary in quality and completeness. We explored multiple years' worth of reports looking for patterns and found that this data is rich with useful information. Rather than trying to enforce a structure on the data based on response team activity against a given incident, we took an entirely data-driven approach to structuring the information. This resulting structure can be used to complement the expertise of incident responders and answer tough questions from decision makers.

    Our method treats incident reports as observations of a large set of unknown real-world activities including malware campaigns, incident response procedures, or simply the daily operations of a reporting entity. We use co-occurrence patterns of indicators in tickets to estimate the strength of associations between indicators and infer potential 'real-world activity groups' that correspond to actual events. These patterns are useful building blocks to answer questions about incident status, investigation progress, threat families, trends and incident predictability. The benefits to CSIRTs include increasing shared situational awareness, better tailoring of incident response services for constituents, increased detection of emerging threats, better visualization of threat activity and better understanding of threat activity against specific constituent types.

    This presentation will summarize our methods and discuss ongoing work in visualizing and expanding indicator communities to allow feedback from analysts, integration of additional data sources, improved statistical learning algorithms and richer feature extraction from ticket data. All CSIRT members and managers are encouraged to attend and discuss data-driven information extraction techniques from large bodies of diverse and unstructured incident reports.
    June 19th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • DSMS: Automating Decision Support and Monitoring Workflow for Incident Response

    Mr. Chris HORSLEY (CSIRT Foundry), Mr. SC LEUNG (HKCERT)

    A major challenge of incident response today is the overwhelming load of incident reports, along with the complexities of consistently collecting incident data, analysing it thoroughly, and monitoring the status of a large number of reported incidents.

    We will present an initiative to automate incident response workflow with the Decision Support and Monitoring System (DSMS) jointly developed by HKCERT and CSIRT Foundry.

    The DSMS is designed with the prime objective to automate the most labour-intensive and unmanaged parts of incident response. By storing analysis results in a central repository that is accessible via a management interface, incident analysts may focus on higher value tasks. DSMS can also provide some capabilities that were not available before.

    Major Benefits of DSMS:

    - Provide a centralised registry of monitored targets
    - Provide a centralised repository to collect and consolidate monitoring results
    - Perform actions according to analysis results from a remote Monitoring Subsystem, based on action criteria listed in incident profile
    - Automate a team’s analysis workflow for different types of incident
    - Choose best-of-breed analysis tools, so that each analyst has access to the same tools
    - Perform 24-hour scheduled, ongoing checks, and store any changes in status found
    - Operate in a geographically distributed manner
    - Provide a collaborative environment for analysts
    - Provide a standard way to customise workflow and use new tools as circumstances evolve
    - Provide an API for other systems to consume the functions of DSMS, generate management reports on the usage of input systems and external analysis systems, and provide statistics of malicious objects or malware.

    DSMS is built with existing powerful open source tools, and embraces the power of existing security monitoring services (e.g. malware analysis systems and Internet resources lookup APIs). Its architecture is composed of a Core, Broker and several Agents.

    - DSMS Core: schedules monitoring jobs for dispatch, processes incoming analysis results, and provides the web interface, web API, and datastore services;
    - DSMS Broker: provides a message queue, providing a communication channel between the Core and the Agents, as well as facilitating file transfers;
    - DSMS Agent: responsible for running analysis tasks, interfacing with external services, such as whois and other external vendor analysis services.

    The speakers will share the design of DSMS and the problems faced, for example the integration of modules and anti-fingerprinting measures used by malicious content hosting. HKCERT will share its experience in integrating DSMS with its cyber threat intelligence system (IFAS) and incident report management system (IRMS).
    June 16th, 2015 15:45 – 16:45

    (InterContinental Berlin, Germany)

  • Effective Team Leadership and Process Improvement For Network Security Operators

    Mr. Jeremy SPARKS (United States Air Force)

    Background: Effective team leadership often comes with experience but there are ways to expedite the experience cycle. One such method is the debrief process used by militaries, primarily aviators, all over the world.

    Summary: Debriefing is simply reconstructing and evaluating an event to determine how to replicate success and avoid repeat mistakes. A successful debrief depends on the ability to critically analyze events and the willingness to admit mistakes. The debrief process should encompass a review of events, identification of problems, determination of root causes and development of lessons learned. Critical self-analysis in the debrief process applies at the individual level as well as the organizational level. Debriefing is not a strategy for protecting a network. It is a method that should be used to evaluate how well you are performing a function, job or mission and provides the tools for constant improvement.

    Impact: The USAF aviation and special operations communities have been using the debrief process for decades with tremendous success. Over the past several years, the USAF has applied those same principles to cyber warfare. By institutionalizing the debrief into daily operations, the USAF has observed significant gains in mission effectiveness.

    Significance: The debrief process is the US DoD standard on how to perform a function, job or mission more effectively every time the function, job or mission is performed. The principles are straightforward and easily applied to non-military environments.

    Technical level of the presentation: Low
    Recommended target audience: Primarily team leaders and organizational leaders
    June 18th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Enabling Innovation in Cyber Security

    Mr. Michael GORDON (Lockheed Martin)

    We take it as a given that cyber threats continually evolve and grow in sophistication, but to defend against this, too many organizations rely on static technologies, rigid organizations, and analysts with narrow skillsets. For defenders, every day brings entirely new problems. It takes innovation to defeat sophisticated, dynamic threats. Teams must innovate to solve the right problems. They need to have the right visibility to know what the problems are, and to have real data to train solutions against. Organizations need a smaller pool of higher skilled, well rounded analysts, and must build the organization around collaboration and fostering creativity. Analysts and developers need to innovate together, side by side, in concert; the role of analyst vs developer must blur. That innovation then needs to be applied across the enterprise to make a difference. Innovation in a lab is great, but innovation as an enterprise solution actually stops the threats. Furthermore, innovation across a community of like-minded organizations makes a worldwide difference.
    June 16th, 2015 14:45 – 15:45

    (InterContinental Berlin, Germany)

  • ENISA Threat Landscape: Current and Emerging Threat Assessment

    Dr. Louis MARINOS (ENISA)

    ENISA has performed for the third time a comprehensive threat assessment based on publicly available information.

    The assessment consists of:

    - Information collection
    - Information collation
    - Threat analysis
    - Creation of context and
    - Dissemination

    The ENISA threat landscape contains information about:

    - Current threats
    - Threat Agents
    - Attack vectors and
    - Emerging threats

    Besides the contents of the ENISA threat landscape, experiences about the process of threat intelligence collection will be discussed.
    June 18th, 2015 11:30 – 12:00

    (InterContinental Berlin, Germany)

  • Evaluating the Effectiveness of Fuzzy Hashing Techniques in Identifying Provenance of APT Binaries

    Ms. Bhavna SOMAN (Intel Corporation)

    Knowledge and identification of malware binaries is a crucial part of detection and incident response. There was a time when using MD5s was sufficient to ID binaries. The reverse engineering analysis conducted once would be useful any time that same MD5 was seen again. This has rapidly changed in recent years. Polymorphic samples of the same specimen change the file hash (MD5, SHAx etc) without much effort by the attacker. Also, cyber criminals and advanced adversaries reuse their codebase to create newer versions of their malware, but changes in the file hash remove any opportunity for defenders to connect and leverage previous analyses of similar samples.

    In recent years, there has been research into “similarity metrics” or fuzzy hashing techniques that can identify whether, or to what degree, two malware binaries are similar to each other. Imphash and ssdeep are examples of such techniques. This talk aims to evaluate which of these techniques is more suitable for evaluating similarities in code/coding methodology for APT related samples specifically.

    This presentation will take a data analytics approach. We will look at binary samples from APT events from the past two years and create clusters of similar binaries based on each of the two fuzzy-hashing techniques under consideration. We will then evaluate the accuracy of the clusters and examine their implications on the effectiveness of each technique in identifying provenance of an APT related binary.
    June 18th, 2015 10:30 – 11:00

    (InterContinental Berlin, Germany)
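    The following is an added example illustrating the mechanism the talk above evaluates; it is not code from the talk, from ssdeep or from pefile. It implements a deliberately simplified context-triggered piecewise hash (fixed block size, a simple rolling window hash and a one-symbol chunk digest are simplifications of what ssdeep does), shows that an MD5 changes completely when three bytes of a sample are patched while the piecewise signature still scores highly, and then clusters samples by that score, which is the step the abstract describes. The samples are constructed byte strings, not real binaries.

```python
"""Simplified context-triggered piecewise hashing (CTPH) in the spirit of ssdeep.

Added example, not from the talk or the ssdeep project. Real ssdeep picks the
block size adaptively and uses a different rolling hash; the fixed block size,
window length and alphabet here are simplifications for illustration.
"""
import hashlib
import random

WINDOW = 7  # bytes in the rolling window that decides chunk boundaries
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _window_hash(window: bytes) -> int:
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def _chunk_char(chunk: bytes) -> str:
    """FNV-1a over the chunk, folded to one base64-alphabet symbol."""
    h = 0x811C9DC5
    for b in chunk:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return ALPHABET[h & 0x3F]


def ctph(data: bytes, blocksize: int = 8) -> str:
    """Return 'blocksize:signature'. A chunk boundary is triggered whenever the
    hash of the last WINDOW bytes satisfies h % blocksize == blocksize - 1, so
    boundaries depend on local content rather than absolute offsets. A patched
    byte therefore disturbs only the chunks around it."""
    sig = []
    start = 0
    for i in range(WINDOW, len(data) + 1):
        if _window_hash(data[i - WINDOW:i]) % blocksize == blocksize - 1:
            sig.append(_chunk_char(data[start:i]))
            start = i
    if start < len(data):
        sig.append(_chunk_char(data[start:]))
    return f"{blocksize}:{''.join(sig)}"


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig1: str, sig2: str) -> int:
    """0..100 score; signatures with different block sizes are not comparable."""
    bs1, s1 = sig1.split(":", 1)
    bs2, s2 = sig2.split(":", 1)
    if bs1 != bs2:
        return 0
    longest = max(len(s1), len(s2)) or 1
    return max(0, 100 - (100 * _levenshtein(s1, s2)) // longest)


def cluster(samples: dict, threshold: int = 60) -> list:
    """Greedy single-linkage clustering over name -> signature: a sample joins
    the first cluster whose representative scores >= threshold, else starts one."""
    clusters = []
    for name, sig in samples.items():
        for c in clusters:
            if similarity(samples[c[0]], sig) >= threshold:
                c.append(name)
                break
        else:
            clusters.append([name])
    return clusters


# Constructed samples (not real binaries): B is A with three bytes patched,
# C is unrelated content of the same size.
_rng = random.Random(2015)
SAMPLE_A = bytes(_rng.randrange(256) for _ in range(2048))
_patched = bytearray(SAMPLE_A)
for _off in (100, 700, 1500):
    _patched[_off] ^= 0xFF
SAMPLE_B = bytes(_patched)
SAMPLE_C = bytes(_rng.randrange(256) for _ in range(2048))


def compare_all() -> dict:
    md5 = lambda d: hashlib.md5(d).hexdigest()
    sigs = {"A": ctph(SAMPLE_A), "B": ctph(SAMPLE_B), "C": ctph(SAMPLE_C)}
    return {
        "md5_a_eq_b": md5(SAMPLE_A) == md5(SAMPLE_B),   # False: one flipped bit is enough
        "ctph_a_b": similarity(sigs["A"], sigs["B"]),    # high: most chunks untouched
        "ctph_a_c": similarity(sigs["A"], sigs["C"]),    # low: unrelated content
        "clusters": cluster(sigs),
    }


if __name__ == "__main__":
    print(compare_all())
```

    The trigger condition is what makes this resistant to insertions: because boundaries are chosen by content, a shifted file re-synchronises after the next trigger, which a fixed-offset chunking would not. Real ssdeep adjusts the block size to the input length, so two signatures must be compared at a common block size; the similarity function above returns 0 rather than a misleading score when they differ.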

  • Everyday Etiquette: Responding to Uncoordinated Disclosures

    Ms. Laura RABA (US-CERT)

    When an incident occurs or a vulnerability is disclosed, the appropriate CSIRT(s) can deliver actionable information to counterparts and users firsthand. This exchange of information has become commonplace, based in part on reciprocal trust.

    As the CSIRT community has matured, so too has coverage of cyber issues in the media. Yet in an era when anyone can be a content publisher, "it's public" does not mean information has been depicted accurately or disclosed responsibly. As a result, the appropriate course of action for a CSIRT to take in response can be unclear.

    This presentation explores constraints that may prevent a CSIRT from sharing information, assumptions partners can consider when information seems to be withheld or mishandled, and a set of principles to guide communication in response to uncoordinated disclosure. Developed from lessons learned by US-CERT, the content will enable CSIRTs to approach similar engagement in a manner that minimizes uncertainty and stimulates trust. It is recommended for managers and policy makers responsible for CSIRT processes and workflow.
    June 15th, 2015 14:00 – 14:30

    (InterContinental Berlin, Germany)

  • Fact Tables - A Case Study in Reducing Reactive Intrusion Time-to-Know by 95%

    Mr. Jeff BOERIO (Intel Corp.)

    If Operation Aurora in 2009-2010 wasn't a wake-up call to enterprises that foreign entities could and did infiltrate some of the enterprises that were all running best-in-class network defenses and monitoring solutions, then certainly the recent string of intrusions and data breaches at big box stores like Target and The Home Depot and major financial institutions including JP Morgan Chase should be. The problem, once the intelligence crosses the desk of enterprise incident responders (assuming you're collecting the data to begin with), is that there is simply too much data to sift through to determine whether we have a problem or not. This talk aims to describe the ways in which we have addressed this problem.

    Over the past few years, we have built up our own data warehouse, analytics and security business intelligence (SBI) capabilities. We started by taking a look at our "big six" event sources that we believed offered the biggest return on our investment and were able to answer questions about what happened and when. Those event sources were SMTP headers, web proxies, Active Directory, DHCP, VPN, and DNS. We invested in technologies that would allow us to ingest large volumes of data, keep it for a relatively long period of time, and allow us to query those archives with great speed.

    In this talk, we will review the painful history of trying to pull logs before our SBI capabilities were put into place, how data warehouse solutions provided improvement, and how we turned some lunchtime conversations into enterprise-class search capabilities that have reduced our time to know about industry-reported incidents by more than 95%. We will conclude with how we are further automating the capabilities and, in an unconstrained world, where they could be taken.
    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)
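    As an added example of the kind of query the talk above is about (this is not the Intel tooling described, and the rows, hostnames and indicator domains are constructed), the block below builds two miniature fact tables in SQLite, DNS queries and DHCP leases, and answers the time-to-know question for an industry-reported indicator list with one join. The join is bounded by lease validity so that a reused address is not attributed to the wrong machine, and a LEFT JOIN keeps hits that have no lease rather than silently dropping them.

```python
"""Added example, not the tooling from the talk: a 'fact table' pivot in SQLite.
An industry report hands the team a list of domains; one join across the DNS
fact table and the DHCP lease table turns that into named hosts. All rows,
hostnames and indicator values below are constructed for the example."""
import sqlite3

SCHEMA = """
CREATE TABLE dns_log (ts INTEGER, client_ip TEXT, qname TEXT);
CREATE TABLE dhcp_lease (lease_start INTEGER, lease_end INTEGER,
                         ip TEXT, hostname TEXT, mac TEXT);
CREATE INDEX dns_qname ON dns_log(qname);
CREATE INDEX dhcp_ip ON dhcp_lease(ip, lease_start, lease_end);
"""

# Constructed facts; timestamps are epoch seconds.
DNS_ROWS = [
    (1434400000, "10.1.2.3", "update.example-cdn.test"),
    (1434400120, "10.1.2.3", "c2-a.bad.test"),
    (1434403600, "10.1.2.7", "c2-a.bad.test"),
    (1434407200, "10.1.2.3", "mail.corp.test"),
    (1434410800, "10.1.2.9", "beacon.bad.test"),
]
DHCP_ROWS = [
    # 10.1.2.3 changed hands at 1434400000: the old lease must not claim later lookups
    (1434396400, 1434400000, "10.1.2.3", "LAPTOP-OLD", "aa:bb:cc:00:00:01"),
    (1434400000, 1434486400, "10.1.2.3", "LAPTOP-ALICE", "aa:bb:cc:00:00:02"),
    (1434390000, 1434490000, "10.1.2.7", "WS-FINANCE-04", "aa:bb:cc:00:00:03"),
]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO dns_log VALUES (?,?,?)", DNS_ROWS)
    con.executemany("INSERT INTO dhcp_lease VALUES (?,?,?,?,?)", DHCP_ROWS)
    return con


def hosts_that_resolved(con: sqlite3.Connection, iocs) -> list:
    """Return (qname, ts, client_ip, hostname) for every lookup of an indicator.
    The DHCP join is time-bounded (lease live at the DNS timestamp); LEFT JOIN
    keeps lookups with no matching lease, returning hostname None for them."""
    placeholders = ",".join("?" * len(iocs))
    sql = f"""
    SELECT d.qname, d.ts, d.client_ip, l.hostname
    FROM dns_log d
    LEFT JOIN dhcp_lease l
      ON l.ip = d.client_ip AND d.ts >= l.lease_start AND d.ts < l.lease_end
    WHERE d.qname IN ({placeholders})
    ORDER BY d.ts
    """
    return con.execute(sql, list(iocs)).fetchall()


# Constructed "industry report" indicator list
REPORT_IOCS = ["c2-a.bad.test", "beacon.bad.test"]

if __name__ == "__main__":
    for row in hosts_that_resolved(build_db(), REPORT_IOCS):
        print(row)
```

    The same shape scales to the other "big six" sources: each becomes a fact table keyed by timestamp and client address, and the DHCP (or VPN) table is the dimension that turns addresses into identities. The index on `qname` is what keeps an indicator lookup fast once the table holds months of data.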

  • Global Standards Unification - How EU NIS Platform, NIST and IETF Standards are Breaking Barriers for Information Sharing and Automated Action

    Ms. Merike KAEO (IID)

    Government initiatives from the European Union and the US have been working on standardizing frameworks for cyber security resiliency and information sharing initiatives. The Internet and Jurisdiction project has been working on a global multi-stakeholder framework for multinational due process for combatting cyber crime. The IETF has been standardizing protocols and mechanisms to utilize security related posture and threat information to automate protecting endpoints. This talk will provide an updated and consolidated view of the standards the international government, law enforcement, technical and operational communities are creating to more effectively combat cyber related crime and automate mitigation processes.
    June 18th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Hands-on Network Forensics Workshop

    Mr. Erik HJELMVIK (FM CERT)

    Network Forensics and Network Security Monitoring (NSM) are becoming increasingly important practices for incident responders in order to detect compromises as well as to trace the steps taken by intruders. In this interactive hands-on tutorial participants will learn how to perform network forensic analysis in an incident response scenario. The audience will be provided with a virtual machine and a set of PCAP files containing network traffic captured at the network perimeter of a made-up corporation. The PCAP data set was captured specifically for the FIRST 2015 Conference from a real Internet-connected network.

    To actively participate in the hands-on tutorial students will need to bring a computer with VirtualBox installed. It is also possible to follow along using a physical machine with tools like Wireshark, tshark, argus, tcpflow and NetworkMiner installed.
    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • How We Saved the Death Star and Impressed Darth Vader

    Mr. Matthew VALITES (Cisco CSIRT), Mr. Jeff BOLLINGER (Cisco CSIRT)

    Consider this scenario: you are a leader of an incident response team. Threat intelligence sources indicate that a trusted insider has leaked confidential network diagrams, and a competitor or hacktivist may have discovered a vulnerability and is planning an attack. Your boss demands evidence of adequate preparations to ensure threat management systems are performing optimally. In defense of your operations, and possibly your job, now more than ever you must demonstrate your incident response team's value.

    Thankfully, you have already deployed security monitoring technology throughout the network, and have been measuring operations, tuning systems for false positives, and tweaking processes for improvement over time.

    In this presentation, we will:

    - Use a science fiction film as a metaphor for incident response
    - Show how to obtain usable metrics
    - Describe how to interpret the metrics
    - Discuss the back-end requirements for producing good metrics
    - Demonstrate how to use the metrics to prove efficacy and plan for future capabilities

    Incident response teams, managers, and security architects can use the lessons divulged in this session to improve their own incident response processes and systems. They should come away with knowledge of how to measure their own performance and prove their success.
    June 17th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • I'm Sorry to Inform You...

    Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies), Dr. Marie MOE (SINTEF ICT)

    Asset owners who have vulnerable systems, or who are victims of compromise, are often unaware of the situation. This talk will focus on how to go about informing industrial system owners of the situation: how can we reach out to many at the same time, how can we inform vendors of vulnerabilities, and how can we inform asset owners that their networks and devices are exposed?

    Between the two speakers thousands have been informed in this manner. They will discuss the methods, the bedside manner, and the outcomes. They will discuss industrial systems on the internet and CERTs (a couple thousand), vendor vulnerability notifications (20), Havex notifications in Norway's Oil and Gas and Energy sectors (550).

    During the summer of 2014 the Norwegian Oil and Gas and Energy sector was subject to a large coordinated cyber attack where selected recipients were targeted in a spear-phishing campaign that contained Havex. Due to the severity and extent of the campaign NSM NorCERT decided to initiate a large warning distribution, reaching out to a total of 550 Norwegian companies.

    Since NorCERT did not have a complete contact list of all the potential victims in these sectors this broad distribution was achieved by the CERT working together with the respective sectoral authorities.

    NSM NorCERT issued an alert to The Petroleum Safety Authority Norway (PTIL), The Norwegian Water Resources and Energy Directorate (NVE), FinansCERT (Industry CSIRT for the financial sector in Norway) and directly to companies that were already cooperating with NorCERT within the Oil and the Energy sector. The respective authorities then forwarded this information to all affected parties. Letters were sent to targeted companies that were not covered by NVE's and PTIL's authority.

    The alert contained a list of indicators of compromise and a recommendation to search their systems. This resulted in a significant number of new findings. NSM NorCERT worked directly with the companies that had findings, assisting them with artifact analysis and incident handling coordination.

    The outreach campaign also attracted media attention; this created some noise and questions asked at higher levels in the targeted organizations. To reach out, build awareness and answer some of these questions, a bigger conference meeting was arranged for the alert recipients in the fall of 2014.
    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Il Buono, il Brutto, il Cattivo: Tales from Industry

    Mr. Rich BARGER (Cyber Squared Inc.), Mr. Andre LUDWIG (Novetta Solutions)

    This session takes apart Operation SMN and the threat group Axiom, and examines in depth how over 10 private industry companies banded together to address a single threat group's entire tool set. We will cover some of the events that transpired during Operation SMN, including identifying and onboarding security vendors, handling sensitive evidence, creating novel analysis techniques, and fusing all that information into various reports for consumption by the public and industry. During this presentation we will also cover some of the strategic goals for the operation, how we went about executing against those goals, and some of the results and measurable impacts we have had. We will also review the strategic reasons why, and the tactics of how, these industry partners shared their knowledge with one another to achieve their common goal.

    Attendees in this session will learn:

    • History and background of related coordinated efforts.

    • Some of the basic lessons learned and how to apply them to your own operations.

    • Ways to group and characterize a common threat, and examples of how this team completed that task and leveraged that insight.

    • Working with Microsoft through their Coordinated Malware Eradication Program, and Novetta's taking advantage of Microsoft's Virus Information Alliance (VIA).

    • What things were important to look for and capture.

    • Looking forward: what we would have done differently, and what we want to see this evolve into.
    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • Implementation of Machine Learning Methods for Improving Detection Accuracy on Intrusion Detection System (IDS)

    Mr. Bisyron MASDUKI (Id-SIRTII), Mr. Muhammad SALAHUDDIEN (Id-SIRTII)

    Many computer-based devices are now connected to Internet technology. These devices are widely used to manage critical infrastructure such as energy, aviation, mining, banking and transportation. The data and information transmitted over the Internet infrastructure have a very high strategic and economic value. With the increasing value of the data and information, the threats and attacks on such data and information increase too. Statistical data shows a significant increase in threats to cyber security. The Government is aware of the threats to cyber security and responds with a cyber security system that can perform early detection of threats and attacks on the Internet.
    The success of a nation's cyber security system depends on the extent to which it is able to produce its own cyber defense system independently. Independence is manifested in the form of the ability to process, analyze and create an action to prevent threats or attacks originating from within and outside the country. One of the systems that can be developed independently is an Intrusion Detection System (IDS), which is very useful for early detection of cyber threats and attacks.
    The advantage of an IDS is determined by its ability to detect cyber attacks with few false detections. This work studies how to implement a combination of various machine-learning methods in the IDS to reduce false detections and improve the accuracy in detecting attacks. This work is expected to produce a prototype IDS, equipped with a combination of machine-learning methods to improve the accuracy in detecting various attacks. The addition of the machine-learning feature is expected to identify the specific characteristics of the attacks occurring in the country's/region's Internet network. The novel methods and implementation techniques used, and the national strategic value, are the unique value and advantages of this work.
    June 19th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Incident Response Programming with R

    Mr. Eric ZIELINSKI (Nationwide)

    This presentation dives into the open source programming language of R. R has primarily been used for statistical computing and graphics in the past. We attempt to bring a new programming language to the incident response community by teaching responders the basics of using R and how it can be leveraged during live incident response. The session will be focusing on reading/writing data, graphing incident data, data manipulation, and data modeling. We will be walking through several log analysis scenarios while using R to quickly identify the data we are interested in analyzing. This session aims to provide an introduction to the language of R as well as touch on a few advanced topics.
    June 15th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • Internet Architecture Board (IAB) and Internet Society (ISOC) workshop on Coordinating Attack Response at Internet Scale (CARIS)

    Workshop Information: https://www.iab.org/activities/workshops/caris/

    Numerous incident response efforts exist to mitigate the effects of attacks. Some are operator-driven and focused on specific attack types, while others are closed analysis and sharing groups spanning many attack types. Many of the operator-driven models work with members to mitigate the effects of such attacks for all users, but how to contribute information to these efforts is not always known or easy to discover. Sharing within closed community analysis centers is only practical for very large organizations, as a result of the resource requirements even to be able to use shared data. Without coordination, these efforts are not only duplicated, but leave out protections for small and medium sized organizations. These organizations may be part of the supply chain for larger organizations, a common pathway for successful attacks.

    This workshop aims to bring together operators, researchers, CSIRT team members, service providers, vendors, information sharing and analysis center members to discuss approaches to coordinate attack response at Internet scale.

    The day-long workshop will include a mix of invited and selected speakers with opportunities to collaborate throughout, taking full advantage of the tremendous value of having these diverse communities with common goals in one room.

    Submission Instructions:
    Attendance at the workshop is by invitation only. There is no fee to attend the workshop.

    For existing attack-mitigation working groups, the survey at
    https://internetsociety2.wufoo.com/forms/caris-workshop-organisation-template/ should be completed by those organizations whose mitigation efforts or use case analyses apply. The data gathered through this questionnaire, including how to participate or contribute to your attack mitigation working group, will be shared with all of the participants at the workshop to better enable collaboration with your effort.
    June 19th, 2015 09:00 – 10:00

    (InterContinental Berlin, Germany)

  • IPv6 Security Workshop

    Mr. Frank HERBERG (SWITCH-CERT)

    This workshop will cover

    - Why IPv6 is an extensive security topic
    - Overview of the differences to IPv4 - relating to security
    - Deep dive into selected protocol details and their accompanied attacks (incl. demonstrations)
    - What are the latent security risks for organizations today
    - Recommended IPv6 Security Resources and Tools


    (The workshop can be adjusted to everything between 2-3 hours.)
    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites

    Mr. Osamu SASAKI (JPCERT/CC), Mr. Hiroshi KOBAYASHI (JPCERT/CC)

    While Targeted Attacks are one of the main concerns in cyber security in recent years, many CSIRTs are still struggling with malicious websites such as defaced websites and phishing sites.

    This presentation intends to cover some noteworthy features seen in HTML/Javascript used in actual website defacement cases including SQL injection and watering hole attacks.
    It will also introduce a new tool “ChkDeface”, created and implemented at JPCERT/CC, and share its secure and efficient monitoring method utilizing malicious site characteristics, such as signatures.

    JPCERT/CC is planning to share the source code of this tool with some CSIRTs within the community, with the hope that the signatures and the tool can be practically utilized to trigger deeper discussion among the many security experts about more precise detection methods.
    June 19th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)
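    The following added example is not ChkDeface (whose source the abstract says is shared only within the community) and its signatures are constructed for illustration, not patterns taken from real incidents. It shows the shape of signature-based monitoring of fetched HTML: each signature is a named regular expression over the raw page text, the scanner never renders or executes anything it fetches, and a flagged page carries the list of matching signature names so that noisy signatures can be suppressed per site rather than switched off globally.

```python
"""Added example of signature-based defacement/injection monitoring over raw
HTML. Not JPCERT/CC's ChkDeface; signatures and sample pages are constructed."""
import re

# name -> pattern over the raw HTML/JS. The scanner only reads text, so a
# monitored site cannot exploit the monitor through its page content.
SIGNATURES = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]+(?:width|height)\s*=\s*[\"']?0[\"']?[^>]*>", re.I | re.S),
    "offscreen_iframe": re.compile(
        r"<iframe[^>]+style\s*=\s*[\"'][^\"']*(?:visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)",
        re.I | re.S),
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "long_escaped_blob": re.compile(r"(?:%[0-9a-f]{2}){40,}", re.I),
    "fromcharcode_chain": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
    "defacement_banner": re.compile(r"hacked\s+by|owned\s+by", re.I),
}


def scan(html: str) -> list:
    """Sorted names of the signatures that match; an empty list means clean."""
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(html))


def scan_site(pages: dict, ignore=()) -> dict:
    """pages: url -> html. Returns only flagged urls. Signature names in
    `ignore` are dropped for this site (a per-site tuning knob for signatures
    that are benign on a particular site, e.g. a security news page that
    legitimately contains the words 'hacked by')."""
    flagged = {}
    for url, html in pages.items():
        hits = [h for h in scan(html) if h not in ignore]
        if hits:
            flagged[url] = hits
    return flagged


# Constructed pages
CLEAN = "<html><body><h1>Welcome</h1><script src='/js/app.js'></script></body></html>"
INJECTED = ("<html><body><p>news</p>"
            "<iframe src='http://198.51.100.7/in.php' width=0 height=0></iframe>"
            "<script>eval(unescape('" + "%61" * 45 + "'))</script></body></html>")
DEFACED = "<html><body><h1>Hacked by example</h1></body></html>"
SAMPLE_SITE = {
    "http://site.test/": CLEAN,
    "http://site.test/news.html": INJECTED,
    "http://site.test/x.html": DEFACED,
}

if __name__ == "__main__":
    for url, hits in scan_site(SAMPLE_SITE).items():
        print(url, hits)
```

    Reporting all matching signature names rather than a single verdict is what makes the signatures tunable: a page that trips only `defacement_banner` on a news site is a different case from one that trips `hidden_iframe` and `eval_unescape` together.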

  • Machine Learning for Cyber Security Intelligence

    Mr. Edwin TUMP (NCSC-NL)

    The Dutch National Cyber Security Centre (NCSC-NL) continually monitors both public and private sources for digital threats, vulnerabilities and ICT security developments. These sources provide a large amount of news items that are analyzed for both operational threats and tactical/strategic developments and trends.

    For the operational process, NCSC-NL has a clustering solution in place to combine common news items, but this solution is less suitable for a longer term analysis of these developments by the analysts of NCSC-NL. Determining the main stories, topics and developments over a time period of e.g. a week, a month or a year is still carried out manually and is therefore time-intensive and error-prone.

    NCSC-NL started a project with the Dutch National Forensic Institute (NFI) to explore ways to analyze the available information more effectively and more efficiently, especially over longer periods of time. In this project, the expertise of the NFI in big data analytics and text mining was combined with the available data, requirements and analysis expertise of the specialists at NCSC-NL. At the start of the project, the process that analysts follow and the data available were explored and ways in which an automated system could support in this process were identified. Then, two of the possible solutions (automatic relevance determination and automatic dossier suggestions) were studied in depth and, based on an agile scrum approach, proof-of-concepts were developed.

    These project results will now be used to develop a production-ready solution, that is likely to be integrated with the tooling used by NCSC-NL. As other organizations within the community are facing identical operational challenges and are using similar tools to gather information, the project results will not only be useful for NCSC-NL but are also significant for the community as a whole.
    June 17th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • Malware Analysis Case Study & Experimental Evaluation on the Applicability of Live Forensics for Industrial Control Systems

    Mr. Yuji KUBO (CFC), Mr. Kensuke TAMURA (CFC)

    CFC (Cyber Force Center) is one of the special task forces in the High-Tech Crime Technology Division of the National Police Agency of Japan. CFC deals with technical matters for the prevention of cyber crimes and provides technical support to local police task forces. CFC has two main roles, namely counter cyber intelligence and counter cyber terrorism. From the standpoint of counter cyber intelligence, we'd like to talk about a malware analysis case study. From the standpoint of counter cyber terrorism, we'd like to talk about live forensics for ICS (Industrial Control Systems).

    ## 1. Malware Analysis Case Study ##
    CFC is engaged in malware analysis mainly in cases of cyber intelligence. In our presentation, we'd like to talk, from the technical perspective, about the techniques used in the malware that targeted a Japanese private company. It has a unique encoding scheme for communication between the attacker and the victim and some anti-analysis techniques. We'd like to explain these techniques as a result of our analysis.

    ## 2. Experimental Evaluation on the Applicability of Live Forensics for Industrial Control Systems ##
    Now, ICS is one of the main targets of cyber terrorism. CFC is responsible for the emergency measures to mitigate the damage caused by cyber terrorism. In order to accomplish this job, we are engaged in research on effective digital forensic tools for ICS which automatically execute a command for evidence preservation after an incident has occurred. This research focuses on measuring the latency introduced by the command in an experimental environment.
    June 17th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • Malware in Your Pipes: The State of SCADA Malware

    Mr. Kyle WILHOIT (Trend Micro)

    Malware within SCADA environments is becoming more prevalent. Unfortunately, this trend is increasing and becoming more worrisome. SCADA-related malware and its motives are typically complex, and we will cover the motives behind several SCADA-related attacks. We will cover the current state of SCADA-related malware and its effects on systems and environments. In addition, we will be infecting a live ICS lab and monitoring what the malware is doing and why. This talk will cover never-released details about SCADA attacks and the malware behind those attacks.
    June 15th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • National Cyber Protection through Facilitation. Real Cases by CERT-UA

    Mr. Nikolay KOVAL (CERT-UA)

    Ukraine has been witnessing tremendous economic, political and social problems during the last year or so. In all those bad circumstances the question of cybersecurity has become even more important than ever; bad guys try to take advantage of this situation all the time. At the same time a shortage of financial resources is observed, which negatively affects the process of improvement. That's why CERT-UA decided to accept the challenge and tried to fix the situation. The goal of main concern, TO PROVIDE A PROTECTED NATIONAL IT INFRASTRUCTURE, was achieved.
    The presentation will cover developed and deployed technical solutions that were appropriately applied in GOV and non-GOV networks. Also, it's planned to give a short overview of CYBERTRENDS 2014 in Ukraine and demonstrate real cases solved (some even brand-new ones for us).
    The talk touches the following topics: tools used for response and investigation, the information sharing process, cooperation with stakeholders, and threats.
    As an epilogue to the presentation we will try to estimate the effectiveness of the approaches used while protecting national cyberspace.
    June 17th, 2015 11:30 – 12:30

    (InterContinental Berlin, Germany)

  • Overview of South Korea Target Malwares

    Mrs. Dongeun LEE (KRCERT/CC, KISA)

    1. Characteristics of the spread of malware targeting South Korea.
    2. Similarity between the Sony Pictures malware and malware targeting South Korea.
    3. The need to analyze hackers as a malware analyst.
    4. How KrCERT analyzes malware based on the yara project.

    South Korea faces lots of malware because it is an attractive place from the hackers' point of view. South Koreans can transfer money in a few seconds because the Internet banking process is so fast. Hackers use this fast transfer system to earn money. They intercept security numbers, South Korean identity numbers, account numbers, etc. They pretend to be normal users using this information and transfer money to their own accounts. KrCERT/CC has analysed these hackers and found that the same hackers who had stolen game accounts and passwords to gain game money have started stealing information related to Internet banking.

    National cyber attacks are ongoing in South Korea as well. Hackers spread malware through ActiveX vulnerabilities, modified update modules of Webhard programs, email attachments, etc. Malware on infected PCs sends information about the organization, system, etc. to the hackers. Hackers manage zombie PCs and use those zombies for several campaigns. If there are PCs belonging to a target organization, hackers install more complicated malware and control the system. In the case of national cyber attacks, KrCERT recognized that hackers spend a long time studying the target organization in order to spread malware in the local network.

    One of the South Korean cyber attacks is very similar to the Sony Pictures attack. Through much experience with attacks on South Korean organizations, KrCERT/CC is developing yara patterns related to hacking organizations and filtering malware automatically.
    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • Passive Detection and Reconnaissance Techniques to Find, Track and Attribute Vulnerable "Devices"

    Mr. Alexandre DULAUNOY (CIRCL - Computer Incident Response Center Luxembourg), Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies)

    The Internet is still composed of a significant number of devices (e.g. industrial control devices, network equipment or smart devices) with obvious vulnerabilities. The role of an incident response team, especially at a national level, is to know the current threat level against such vulnerable equipment and the associated risks to the exposed equipment. Incident response teams might face legal issues when pro-actively scanning such equipment for vulnerabilities. This research overcomes these limits by focusing on existing data collected by other organisations and passively discovering the vulnerable systems (and the owners of the systems, which can be a challenge for an incident response team). The passive data collection includes significant datasets like X.509 certificates, Passive DNS records, and public Internet-wide scans.
    June 17th, 2015 10:30 – 11:30

    (InterContinental Berlin, Germany)
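    As an added example of the passive approach described above (not CIRCL's or the speakers' tooling), the block below joins two datasets of the kind the abstract names, certificate observations from an Internet-wide scan and passive DNS, to identify likely exposed devices and a contact domain for each without sending a packet to the device. The device families, default certificate subject patterns, addresses, hostnames and domains are all constructed; the registrable-domain helper is deliberately crude (last two labels, no public-suffix list) and is labelled as such.

```python
"""Added example: passive device discovery and owner attribution by joining
scan-derived certificate observations with passive DNS. Not code from the
talk; every record, product name and domain below is constructed."""
import re
from collections import defaultdict

# Constructed certificate observations: (ip, subject_cn, issuer_cn)
CERT_OBS = [
    ("203.0.113.40", "ExamplePLC-Gateway", "ExamplePLC-Gateway"),   # self-signed, product default CN
    ("203.0.113.41", "www.acme-water.test", "Example CA"),          # CA-issued, ordinary web server
    ("198.51.100.12", "ExamplePLC-Gateway", "ExamplePLC-Gateway"),
    ("198.51.100.13", "ExampleCam-Default", "ExampleCam-Default"),
]
# Constructed passive DNS records: (rrname, rrtype, rdata)
PDNS = [
    ("scada-gw.acme-water.test", "A", "203.0.113.40"),
    ("www.acme-water.test", "A", "203.0.113.41"),
    ("gw1.utility-b.test", "A", "198.51.100.12"),
    ("vpn.utility-b.test", "A", "198.51.100.12"),
]
# Hypothetical factory-default certificate subjects per device family (constructed)
DEVICE_CN_PATTERNS = {
    "ExamplePLC gateway": re.compile(r"^ExamplePLC-Gateway$"),
    "ExampleCam camera": re.compile(r"^ExampleCam-"),
}


def device_family(subject_cn: str, issuer_cn: str):
    """A device fingerprint needs both a self-signed cert (subject == issuer)
    and a subject matching a known default; CA-issued certs are skipped."""
    if subject_cn != issuer_cn:
        return None
    for family, pat in DEVICE_CN_PATTERNS.items():
        if pat.match(subject_cn):
            return family
    return None


def reverse_index(pdns) -> dict:
    """ip -> set of hostnames ever observed pointing at it."""
    idx = defaultdict(set)
    for rrname, rrtype, rdata in pdns:
        if rrtype == "A":
            idx[rdata].add(rrname)
    return idx


def registrable(hostname: str) -> str:
    """Crude owner-domain guess: last two labels. A real pipeline would use a
    public-suffix list, since 'example.co.uk' would break this."""
    return ".".join(hostname.split(".")[-2:])


def find_exposed(cert_obs, pdns) -> list:
    idx = reverse_index(pdns)
    found = []
    for ip, subject, issuer in cert_obs:
        family = device_family(subject, issuer)
        if family is None:
            continue
        names = sorted(idx.get(ip, ()))
        found.append({
            "ip": ip,
            "family": family,
            "hostnames": names,
            "owner_domains": sorted({registrable(n) for n in names}),
        })
    return found


if __name__ == "__main__":
    for hit in find_exposed(CERT_OBS, PDNS):
        print(hit)
```

    The third hit has no passive DNS coverage at all, which is the usual case for devices reached by bare address; that is where the abstract's owner-identification challenge starts, and the record is kept (with empty hostname and owner lists) rather than dropped so that the gap is visible.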

  • Pen testing iOS apps Workshop

    Mr. Kenneth VAN WYK (KRvW Associates, LLC)

    This session will provide a quick but deep dive into penetration testing iOS applications. Using a jailbroken device, security testers are able to actively probe an app's run-time environment to discover and exploit potential architectural weaknesses in iOS apps. In this session, we'll explore how these testing techniques can be used after an incident occurs, in order to determine possible points of system compromise that occurred during the incident. The same techniques can be used to perform dynamic analysis of iOS incident artifacts.
    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • Prepare Your Cybersecurity Team for Swift Containment Post Incident

    Mr. Michael HARRINGTON (General Dynamics Fidelis Cybersecurity Solutions)

    Appropriate Incident Response is critical to your entity’s longevity and wellbeing, and yet practically preparing for it is often undervalued. This discussion will cover critical factors that, when the groundwork is laid in advance, will facilitate swift, organized, and clean incident response.

    Key factors will make or break your response and containment:
    • A small team of fully authorized key players
    • Up-to-date maps of your servers, connections, software, and analysis capability
    • A communication plan for red alerts and private information sharing
    • Update, Meet, DRILL

    While the keys I specify here may sound simple and easy, most organizations take for granted that they can put their fingers on such information quickly (oftentimes they cannot, particularly during incident containment), create an incident response network team on the fly (anxiety can hinder effectiveness), and automatically know what they need to look at and how to do so.

    Key factors will be elaborated during the discussion:
    • Who should be on the team and how to appropriately authorize them.
    • Examples of data needed to be up-to-date and properly maintained to determine where to close loops upon incident.
    • What needs to be included in the communication plan, including specifics such as phone contacts, emails – have your incident response email / contact group already created – and maintain a private info sharing channel for this security.
    • Details for how to stay updated and drill for incident response.
    June 16th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • Protecting Privacy through Incident Response

    Mr. Andrew CORMACK (Jisc)

    Incident response is sometimes regarded as harmful to privacy, since it frequently involves processing e-mail addresses, IP addresses and other information that may be privacy sensitive. However European privacy law, among the strictest in the world, actually promotes incident response. This talk will highlight the privacy benefits of incident response, suggest practical guidelines that IR teams can use to ensure their activities are and remain privacy-protecting, and show how this approach should satisfy the requirements of European law.
    June 18th, 2015 10:30 – 11:00

    (InterContinental Berlin, Germany)

  • Quality Over Quantity—Cutting Through Cyberthreat Intelligence Noise

    Mr. Rod RASMUSSEN (IID)

    With organizations under constant threat of losing sensitive data and experiencing network disruptions during cyberattacks, it’s no secret that they are turning to threat intelligence for a real-time cross-industry look at attacks that are happening now and could be hitting them next.

    With literally thousands of threat intelligence feeds to pull from, the key isn’t quantity but quality. Is the data you’re feeding into your security appliances important or just noise, and can the data be formatted to meet your security infrastructure’s requirements?

    In this session, learn how to achieve truly interoperable cyberthreat intelligence. Get a special inside look at the challenges and opportunities of implementing and leveraging actionable data. What are the common barriers to full interoperability? How can organizations leverage intelligence no matter what security appliances they currently use? What are the challenges to receiving real-time, machine-to-machine information?

    IID’s Rod Rasmussen will discuss how to consolidate the dozens of different formats primarily required for various security appliances and prioritize certain threat indicators from others.
    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • RAT Tracking - Proactive Adversary Attribution via Scalable C2 Profiling

    Mr. Levi GUNDERT (Fidelity Investments)

    Today threat intelligence – for law enforcement and private industry - continues to rely on the bulk processing of malware samples for derivative indicators of compromise (IOCs) for inclusion in defensive technologies as well as leads for criminal investigations. This approach, while effective, relies on large amounts of computing and Internet resources to process the tens (to hundreds) of thousands of daily malware samples collected by security vendors. The problem is that even anti-virus companies encounter challenges processing the vast amount of daily samples. Additionally, the derivative insight that law enforcement and private industry rely on is largely reactive and only as good as the sources collecting the malware.

    The proposed solution to the aforementioned issue is complementary to bulk malware run-time analysis; it is scalable, it is resource efficient, and it often leads to quick and direct attribution. The solution is proactive and iterative large-scale Internet enumeration in order to identify specific HTTP C2 server signatures. In limited testing this approach revealed malware C2 locations that were unknown to Virus Total and Total Hash. Additionally, because this author focused on RAT (Remote Access Trojan) families, many of the C2 servers were located on residential ISP (Internet Service Provider) net blocks, potentially indicating the RAT adversary’s physical location.
    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Mr. Inseung YANG (KrCERT/CC), Ms. Jihwon SONG (KrCERT/CC)

    According to Cisco's annual report, 99 percent of all mobile malware intended to compromise a device is targeted at Android devices. In Korea, in particular, hackers distribute SMS phishing (Smishing) apps predominantly through spam messages. This activity has resulted in large numbers of Korean Android users being harmed financially. Further, the policies designed by the South Korean government against these threats have had some weaknesses because the malicious apps are bypassing them.

    This presentation will describe the policy methods for mobile banking in Korea and the attack methods used by hackers. Among the attack methods utilized are stealing of certification, pretending to be legitimate banking apps that require the security numbers issued to users when they opened their accounts, and Automatic Response Service (ARS) phishing attacks in conjunction with Call Forwarding. Other methods include requesting One Time Password (OTP) number and Internet of Things (IoT) hacking cases in which routers are attacked; in this case, both smartphone and PC users are targeted simultaneously. I will discuss the activities of KrCERT/CC in response to these malicious mobile apps.


    **1) Evolution of malicious malware dissemination methods**

    In South Korea, 90% of malicious apps are distributed by Smishing. In these scenarios, attackers use social engineering to convince people to divulge sensitive information, using topics that change in accordance with the times. For example, following the Sewol Ferry Disaster, attackers sent SMS messages that referenced it for about 15 days and distributed associated fraudulent banking apps. Malicious apps have even recently used the film “The Interview,” from Sony Corporation, as a lure.
    There are even malicious apps pretending to be from KrCERT/CC security, Google marketplace, mobile antivirus software companies, well-known delivery companies, domestic popular Internet portals, prosecutors, and police. They use various distribution means, such as the official app market, hacking of mobile web servers, sending emails to specific targets, and inducing APT to install the malicious app.


    **2) Types of malicious apps**

    There are many apps that not only want to uncover users’ financial details but also to spy on users. Such apps are used to tap cell phones and send users’ personal data to Command and Control (C2) servers on a regular basis. There are even cases of hackers trying to steal a popular Korean mobile messenger’s database and users being affected by mobile ransomware as a result of malicious apps. Thus, it is clear that malicious apps are evolving continuously.


    **3) How malicious apps transfer users' data to attackers**

    Traditionally, attackers obtained users’ data via HTTP or FTP connections. Nowadays, however, they can obtain the data simply by sending an email through SMTP or posting data on a bulletin board system.


    **4) Mitigation**

    - Technology based mitigation

    We have an SMS spam detection system that ascertains whether it has an APK’s abbreviated URL or not. The system analyzes the APK file and, if a malicious server address is found, it is blocked and a notification is sent to the infected mobile phone user. Monitoring is being carried out both in the Google Play Store and some black markets.

    - Policy

    Once an Android user agrees to install an app from an untrusted source, permission is never sought again. Because numerous malicious apps are distributed through unofficial app markets and web servers, we recommend that mobile phone manufacturers change their UIs to include a new option wherein Korean mobile phone users will have to explicitly decide whether to allow installation of apps from untrusted sources at all times.
    June 18th, 2015 11:00 – 11:30

    (InterContinental Berlin, Germany)

  • Sector Based Cyber Security Drills - Lessons Learnt

    Mr. Malagoda Pathiranage DILEEPA LATHSARA (Member)

    Even though there is an explosive growth of Internet and information technology usage in Sri Lanka, many Sri Lankan organizations are ill-prepared to overcome potentially catastrophic cyber-attacks that may affect their infrastructure detrimentally and subsequently result in a loss of reputation. Simultaneously, many Sri Lankan organizations are in the process of moving into complex IT systems and technologies to provide better, more effective services to their customers. With the increase of sophistication of these systems, there has been a corresponding growth in the number and severity of associated threats. Unfortunately, many organizations start reacting to security incidents after the fact. In the past five years, cyber-attacks and threats on corporate IS systems dominated news headlines worldwide. Therefore, it is essential for Sri Lankan organizations to be prepared to carry out successful cyber counterattacks, in the best interest of their customers and the IT industry as a whole.

    Considering the above facts, TechCERT, in collaboration with the Department of Computer Science and Engineering of the University of Moratuwa, conducts annual cyber security drills for Sri Lankan organizations. “TechCERT Cyber Security Drill” has been an annual event for Sri Lankan organizations since 2011. It was initially introduced to the banking sector and then to the financial and insurance sectors respectively. Since 2013, TechCERT has been able to expand this exercise to a wide range of sectors by including telecommunication service providers and Internet service providers with the assistance of the Telecommunications Regulatory Commission of Sri Lanka (TRCSL). At present, TechCERT is conducting three (03) cyber security drills annually for different sectors. They are:

    1. Banking and finance sector
    2. Telecommunication service providers and Internet service providers
    3. Insurance and other leading professional institutions

    The cyber drill will simulate a potential cyber-attack and evaluate the competence of the information security team of the relevant organization in successfully defending against the attack within a minimum time period. The attack scenarios for the drill will be based on the latest cyber-attacks in the relevant industry.

    A cyber security drill of this nature is highly beneficial for an organization to determine its readiness to mitigate possible cyber-attacks. The main objective of the cyber drill exercise is to provide the opportunity for participating organizations to:

    - Train their IT staff to successfully overcome a cyber-attack
    - Test the communication contact points
    - Check the contingencies of their IT processes and procedures
    - Test their technical competency in dealing with cyber attacks
    - Coordinate between relevant stakeholders to mitigate the attack

    This presentation will discuss how TechCERT conducts annual cyber security drills, the resources used, the progression of the drills and lessons learnt.
    June 19th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • Security Operations: Moving to a Narrative-Driven Model

    Mr. Joshua GOLDFARB (FireEye)

    The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.
    June 16th, 2015 13:15 – 14:15

    (InterContinental Berlin, Germany)

  • Seven Years in MWS: Experiences of the Community Based Data Sharing for Anti-Malware Research in Japan

    Dr. Masato TERADA (Hitachi Incident Response Team), Yoichi SHINODA (JAIST), Mitsuhiro HATADA (NTT Communications Corporation)

    **Introduction**

    7 years ago, in 2008, the anti-Malware engineering WorkShop (MWS) started in Japan. The main objective of MWS is to accelerate and expand the activities of anti-malware research and countermeasure. To this end, MWS aims to attract new researchers and engineers from the academic, private (enterprise) and public domains, and also to stimulate new research for addressing the latest cyber threats. To achieve this objective, MWS established the community based sharing scheme of the datasets for anti-malware research and countermeasure and organized research workshops where researchers can freely discuss their results. This paper describes the MWS community, MWS data sets, MWS workshop and the lessons learned from our experiences over the past seven years.

    **MWS activities**

    MWS has the community based sharing scheme of the datasets for anti-malware research and countermeasure. Also this scheme has three parts to achieve our objective.

    ![enter image description here][1]

    - MWS Dataset: The datasets sharing for anti-malware research and countermeasure; Research sections in academic, enterprise and public domains prepare and analyze data sets.
    - MWS: The research interests sharing; MWS organized research workshops MWS2008 - MWS2014 which were held in conjunction with CSS2008 - CSS2014 (Computer Security Symposium) of the SIG-CSEC, IPSJ.
    - MWS community: The environment to work hard together; The academic researchers and the enterprise researchers/engineers work hard together for anti-malware research and countermeasure.

    **MWS Community**

    Currently MWS Community has organizations of public domain, academic domain and enterprise domain in Japan. In organizations of public domain, JPCERT/CC, IPA, AIST and NICT joined MWS community. Also many organizations of academic/enterprise domain joined. Our community scale is larger each year.

    **MWS Data sets**

    The MWS Datasets cover three categories, i.e., probing, infection, and malware activities.

    ![enter image description here][2]

    **MWS Workshop**

    This workshop's task is to improve the anti-malware research environment, such as the detection, the monitoring and the analysis of malware. It also set out to build a collaboration community between the academic field researchers and the enterprise field engineers for malware countermeasures.
    MWS includes a workshop and a competition. It is also held in conjunction with CSS (Computer Security Symposium) of the SIG-CSEC, IPSJ. The launch of MWS has significantly contributed to the increase in the number of anti-malware research papers. Interestingly, not only the number of papers presented at the MWS sessions but also the number of papers presented at other sessions has increased.

    **Conclusion**

    In late October, ThaiCERT, a member of ETDA (Electronic Transactions Development Agency), and JPCERT/CC organized an event "Malware Analysis Competition 2014 (MAC 2014)" in Bangkok, Thailand. We gave a talk about MWS in Japan. The format of MWS, especially MWS cup was referred to by MAC 2014. These events are very useful for technical transfer and raising awareness as well as information sharing in the academic, enterprise and public domains for anti-malware research and countermeasure.
    We believe that our experiences can assist other research communities that have a similar vision and comparable objectives. So we are hoping to continue the effort and also to extend it to more relationships for anti-malware research and countermeasure.


    [1]: http://jvnrss.ise.chuo-u.ac.jp/~masato/mws/mws_activities.png
    [2]: http://jvnrss.ise.chuo-u.ac.jp/~masato/mws/mws_datasets.png
    June 16th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • Sinfonier: Storm Builder for Security Intelligence

    Mr. Fran GOMEZ (Telefonica), Mr. Leonardo AMOR (Telefonica)

    In today's world we are consuming an ever-increasing variety of volatile data streams for processing and analysis.

    Integrating and using new or modified streams of data is a time-consuming and complex process requiring a different tool at each stage of data capture, processing, analysis and storage. A solution is needed which simplifies and automates integration of open source data in applications and allows developers to share integration algorithms across the community.

    After looking ourselves at how to better improve our investigations and tools, and also finding out that many good security analysts do not have enough technical skills, we wanted to simplify it and started our own project. We want to help security analysts to focus on their investigations and make their work easier by giving them a good platform. From the beginning we wanted it to involve the community, and we would like to take the opportunity to offer it to other CERT teams and share with them our experience and how we do our investigations.

    We will give an introduction to our tool, explain it, and show how it works and how easily you can conduct a complex investigation.

    Sinfonier provides an open environment to graphically build high-level Apache Storm topologies and execute and share them for a definable period of time.

    Sinfonier is a change of focus with respect to current solutions in the area of processing information in real time. We combine an easy-to-use, modular and adaptable interface with an advanced technological solution to allow you to do the tune-up suitable for your needs in matters of information security.

    Sinfonier puts at your disposal the ability to collect information from multiple sources, process it and enrich it in a continuous and dynamic way. It will be up to you, the users, to provide the algorithms with content in the form of topologies and get the most out of this information.

    Sinfonier provides you with the capacity to create new knowledge from any of the information you have or can obtain. Sinfonier is not a black box solution implementing a few algorithms; it is an open platform to be used and shared, multiplying capacities and possibilities.

    Because Sinfonier is a high-level design and is easy to use, it aims to bring together Security Analysts, Developers and Researchers. So its target audience includes both people who need to create new capacities and people who use current capacities.

    http://sinfonier-project.net
    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • So You Want a Threat Intelligence* Function (*But Were Afraid to Ask)

    Mr. Gavin REID (Fidelity), Mr. Levi GUNDERT, Mr. Ed HOLOHAN

    Threat Intelligence was once the domain of nation-states. With the increasing attacks on corporations, more and more this is being built in-house. We will cover one organization's approach to building out this function: what worked well and what didn't work at all, to help others as a reference example.
    June 15th, 2015 14:00 – 14:30

    (InterContinental Berlin, Germany)

  • Streamlined Incident Response from a Forensic Perspective

    Matthew ROHRING (U.S. Department of Homeland Security / U.S. Computer Emergency Readiness Team)

    The world of cyber incident response is rife with distractions, confusion, conflicting expectations and a plethora of limitations; but timely, accurate response is critical even when data sets seem overwhelmingly large and complex.

    This presentation will describe a streamlined approach to media triage and initial case assessment of cyber incidents. Cyber incident response team members, CSIRT managers and anyone interested in learning more about processing digital media and potentially harmful binaries prior to traditional deep dive analysis or reverse engineering are encouraged to attend.


    The following issues and techniques will be addressed:

    - Focused approaches to case scoping
    - Data set carving, i.e., making mountains into molehills
    - Setting expectations with victims and incident managers
    - A framework for rapid initial forensic and malware analysis and identification of immediately actionable Indicators of Compromise
    - Handling and packaging of casework for transition to deep dive analysis and sharing with incident response partners
    June 19th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Technology, Trust, and Connecting the Dots

    Mr. George JOHNSON (NC4), Mr. Bill NELSON (FS-ISAC), Mr. Wayne BOLINE (Raytheon), Kris HERRIN (FS-ISAC)

    Bringing an update to the innovations that have happened in the last year, this presentation is about real world human to human and machine to machine information sharing. This presentation will help you avoid pitfalls while increasing your circle(s) of trust and increasing your speed of defense. We will discuss real implementations (FS-ISAC, US-CERT, DSIE, and others) of information sharing and some of the standards (STIX/TAXII) and automation (Soltra Edge and CRITS) involved. Technologies are advancing and we’re learning more about what it takes to put these technologies and processes into practice. Historically, information sharing in the Cyber Defense world has been a tremendously manual and isolated process. While formal and informal networks of incident responders have sprung up to provide defenders some leverage in mitigating attacks, three major factors have complicated our jobs:

    1. Economic forces have favored the attack side while;
    2. Several factors (principally our inability to scale “trust”) have hindered sharing on the defense side.
    3. Moving data faster hasn’t helped humans identify the most important data to act upon – and now more data is moving even faster – how do we help humans find the most important information for their particular organization at the right time?

    Exploits built to target a specific sector/industry can be broadly employed to provide a significant return on investment due to slow and uncoordinated responses across that sector/industry. Yet, we’re starting to turn the odds in the defense’s favor. The financial sector has recognized that it is imperative to change the economics of the attack/defense model in order to change the balance of power. Financial institutions, through the Financial Services Information Sharing and Analysis Center (FS-ISAC), have been developing and maturing the process of information sharing among its constituents to increase the speed at which defense spreads across the entire financial sector. Several key factors have contributed to the success so far, including:

    - Ability for users to post anonymously
    - Analysts add value to each posting and users find the information valuable
    - Creation of a clear guideline for information dissemination
    - Maturing a trust model
    - Providing an infrastructure to allow analysts across companies and sectors to collaborate
    - Automation to move machine readable Mitigations/Courses of Actions to move at the speed of trust

    To date, human to human interaction has imposed limits on the speed and volume of data shared because people were performing tasks that could be more effectively performed by machines. At the same time many companies could not find or afford the talent to identify malicious activity and so relied on computers to do the job best suited to humans.

    To maximize the value of the Human in the Loop, the finance sector has made the commitment to move to the automated sharing of threat information by using standardized protocols (STIX and TAXII) and mark-up automation in order to change the economics of cyber-attacks more in favor of the defenders. This presentation will describe critical success factors that are generating initial trust necessary to drive collaboration and the work being done in automating information exchange so that analysts can concentrate on value-added analysis rather than spending their time on manual processes.
    June 16th, 2015 14:45 – 15:45

    (InterContinental Berlin, Germany)

  • The Crack in KrakenBOT

    Mr. Peter KRUSE (CSIS Security Group A/S)

    KrakenBOT is a fully commercialized RAT (Remote Administration Tool), which is distributed through advertising on several criminal-focused underground forums.

    Despite the fact that the price for the standard package is low (approx. 270 US dollars), the complexity and increasing number of various functions and add-ons continue to be implemented. For these reasons, KrakenBOT is slowly becoming a cheap and very effective crimekit and the choice of many criminal groups.

    As new versions of KrakenBOT are constantly being released by the author, development is assumed to continue and is likely to affect even more victims in the future.

    This research will focus on the economy behind KrakenBOT. It will provide insight on the different functions and modules, give a technical rundown on the KrakenBOT C&C software and look at the binary code generated by the Kraken crimekit.

    Finally, the purpose of this research is to identify the individuals behind KrakenBOT and document how it has been systemically abused to steal valuable data from unknowing victims.
    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • The Cybercrime Evolution in Brazil: An Inside View of Recent Threats and the Strategic Role of Threat Intelligence

    Mr. Ricardo ULISSES (Tempest Security Intelligence), Mr. Aldo ALBUQUERQUE (Tempest Security Intelligence)

    In this presentation we will show our view of how cybercrime in Brazil is evolving and adapting in terms of tactics and techniques, with special focus to events that took place in 2014 and 2015. This includes exploring the most prevalent threats and actions that have been aiming at some of the high profile Brazilian organizations, their customers, and the population in general.

    This presentation also points out the strategic role played by the Threat Intelligence approach to information security in this new scenario and the possibilities it brings to the table, with some real cases of success.
    June 16th, 2015 13:15 – 14:15

    (InterContinental Berlin, Germany)

  • The Future of Information Exchange Policy

    Mr. Paul MCKITRICK (Microsoft), Ms. Merike KAEO (IID)

    Automating the exchange of security and threat information is imperative to the future success and effectiveness of the security response community. However, there are two primary challenges organizations face in relation to automating information exchange: the lack of automated tooling and technologies available, and the lack of adequate policy and governance.

    While the lack of automated technologies is a well understood problem and being actively addressed by the security industry, the policy challenges associated with automating information exchange are not as well understood or appreciated, and they are just as complex and critical, as the technical challenges.

    The lack of information exchange policy limits the ability to define and interpret, the permitted Sharing, Handling, and Use of security and threat information, that is shared between organizations. The consequences of this are limited and often siloed information sharing between partners, individuals exposing themselves and their organizations to unnecessary risk, as sharing is often under the radar of management and is not covered by legal policy and agreements.

    The lack of policy is in part a result of the knowledge gap, and disconnect between technologists, policy writers, and … lawyers. The need for an extensible "Information Exchange Policy Framework" was identified, to address these limitations, bridge the knowledge gaps, and to promote information exchange within the security response community and industry.

    This presentation will provide attendees with an overview of the policy challenges and implications organizations face today; the rationale, approach, and considerations behind developing the "Information Exchange Policy Framework"; the lessons learned; next steps; and most importantly how you, and your organization, can get involved and contribute to this initiative.
    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • The Needle in the Haystack

    Mr. Jasper BONGERTZ (Airbus Defence and Space CyberSecurity GmbH)

    In incident response situations, time is short. One of the biggest problems is that it is difficult to determine what happened to which system, and - if possible - when it did happen. The challenge is almost always to identify compromised systems without wasting too much time on examining those that turn out to be unaffected.

    Network forensics can help to pinpoint infected nodes, so that system forensics tasks can be focussed on those systems. The problem with network forensics is that it requires a certain amount of preparation (the more the better), and skill/experience to identify malicious patterns. This talk will focus on where network forensics can help with incident response, where the challenges are, and what tools to leverage.
    June 17th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Theory and Practice of Cyber Threat-Intelligence Management Using STIX and CybOX

    Dr. Bernd GROBAUER (Siemens)

    Based on Siemens CERT's experiences with developing and operating the Open Source MANTIS Cyber-Threat Intelligence Framework, this talk will provide an overview of central issues with cyber-threat intelligence management using STIX and CybOX:

    - Finding correlations

    With more and more data sources based on STIX and CybOX becoming available, finding correlations in the supplied data becomes essential. We will present work in progress on finding correlations.

    - Information tagging

    Because the same basic observation (e.g. an IP address) may give rise to many distinct CybOX observables, information tagging on the object level is insufficient for many use-cases. We will present on MANTIS's approach towards information tagging: by tagging atomic facts rather than objects, a single tagging action applies to all relevant objects.

    - Managing actionable threat intelligence

    In theory, it should be easy to manage and extract actionable threat intelligence from STIX/CybOX data for use in detection and prevention systems. In practice, this proves surprisingly hard. We will present on our approach towards this problem.
    June 17th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Threat Information Sharing; Perspectives, Strategies, and Threat Scenarios

    Mr. Timothy GRANCE (NIST), THOMAS MILLAR (US-CERT), Mr. Pawel PAWLINSKI (CERT Polska / NASK), Mr. Luc DANDURAND (ITU)

    Collaboration and sharing have become motive forces from startups to web-scale global companies. However, in security in general, and particularly in incident handling at the enterprise level, information sharing is still in its infancy. This panel presentation and discussion will briefly outline efforts in the public and private sectors such as NIST's Draft Special Publication 800-150 on Guide to Cyber Threat Information Sharing and European efforts on improving threat data exchange among CERTs and other private sector initiatives. Specifically, the panel will discuss the following topics and questions:

    1. Overview of sharing architectures and trust issues
    2. What are the present sharing capabilities, technical mechanisms (e.g. identity, access control, etc.) and barriers to sharing and using threat information
    3. Advice on how to create, maintain, and enhance sharing relationships
    4. Specific technical and policy recommendations in the astute use of shared threat information
    5. Discussion of specific incident scenarios (nation state malware attacks on an industry sector, distributed denial of service attack against an industry sector, and how sharing could work in that scenario, etc.)
    June 15th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study

    Mrs. Sharifah Roziah MOHD KASSIM (MyCERT, CyberSecurity Malaysia)

    Cyber attacks today are becoming more sophisticated and transnational in the threat landscape, challenging CERTs’ incident response capability. CERTs need to be efficient in terms of having a strong foundation, readiness, sophisticated tools and up-to-date Standard Operating Procedures (SOP) to respond to the ever-growing incidents in cyber space. Cyber Exercises at the national level or multilateral level have now become essential and an integral part of any Incident Response that can be used to assess the readiness of the Team. They have laid a strong foundation in an Incident Response procedure for responding to and mitigating cyber threats. A multilateral Cyber Exercise brings various teams from different countries, unified together, building common goals and working together to understand, respond to and mitigate threats in cyber space.
    A lot has been said about Multilateral Cyber Exercises that are conducted every year at various locations or regions around the world. However, the question is, are they really effective in overcoming the challenges in responding to cross border incidents, and how can various Teams from different countries possibly come together to respond to and mitigate cross border incidents?
    Malaysia CERT has long been engaged in various multilateral cyber exercises. We have played the roles of Coordinator, Player and Excon, significantly, in three different multilateral Cyber Exercises conducted annually. They are the Asia Pacific CERT Cyber Exercise, South East Asian Cyber Exercise and the Organization of Islamic Country CERT Cyber Exercise. In this presentation we would like to share our case study and experiences in participating in the above multilateral Cyber Exercises. The significance or uniqueness of our Team is that we engage in three different multilateral Cyber Exercises, annually, and we play an active role in them.
    In this presentation, we would like to share our case study and experiences engaging in three different Multilateral Cyber Exercises, as below:
    1) How Multilateral Cyber Exercises have successfully contributed to responding to and mitigating cross-border incidents efficiently.
    2) Sharing our own in-house developed tools and applications that assisted in developing scenarios, crafting injects, analysing artifacts and developing a dashboard for status updates during the Multilateral Cyber Exercise.
    3) Sharing knowledge of how we customized some existing applications and tools for Multilateral Cyber Exercise purposes.
    4) How communication over multiple platforms served as an effective means of communication among Coordinators, Players and Excons during a Multilateral Cyber Exercise.
    5) Overall observations, the team's expectations and lessons learnt from the Multilateral Cyber Exercise that can be used for future improvement.
    6) To show that a Multilateral Cyber Exercise is not a costly undertaking, and how in-house developed tools can be cost-effective and economical during the exercise.
    In conclusion, the findings from the presentation can serve as a benchmark or starting point for CERTs or any organizations wishing to engage in Multilateral Cyber Exercises. The presentation also concludes that Multilateral Cyber Exercises need to be part of any Incident Response procedure, as a foundation for responding to and mitigating cross-border incidents in an efficient manner.
    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • Validating and Improving Threat Intelligence IndicatorsReturn to TOC

    Mr. Douglas WILSON (FireEye)

    Threat Intelligence has been a hot item for the past year or two now – everyone sells it and has it drive their products and solutions – but how do you tell whether it is really making a difference? Several other recent presentations at industry conferences have dealt with trying to measure vendor offerings – but how do you measure your own internal content and processes? How do you know if the Threat Intelligence and Indicators you are creating and consuming are worth your investment of resources? And how do you make them better if they are not?

    This presentation will discuss several ways that you can implement measurement of indicator efficacy and feedback loops in your organization to measure and improve your operationalized threat intelligence. You want to make sure that what your organization is using is the most potent, current, and viable intelligence out of the many sources that may be available – and also identify when certain types or sources of intelligence no longer have value.

    This presentation will cover best practices derived from real world environments at a high level that can easily be applied in common operational situations, as well as a variety of lessons learned. It will not be limited to specific technologies and/or products, and only classes of products or Open Source technologies (versus specific vendors or products) will be mentioned to avoid any conflicts of interest. It will cover simple tests and workflows that can be applied to a variety of indicator types without being specifically tied to one particular type of intelligence or threat detection.

    Attendees will learn about processes that they can put in place to gather metrics from their SOCs/CIRTs and/or other operational environments, and then how best to apply those metrics to an indicator generation and maintenance workflow. Mature organizations may already have some of these practices in place, but emerging or new organizations will hopefully find that this information saves them time and makes their use of threat intelligence more efficient and effective. The presentation will not be deeply technical in nature, but will be useful to technical teams trying to better operationalize threat intelligence and/or aggregate collections of threat indicators.

    Ideal attendees will be teams and management focused on implementing or adopting threat intelligence into an operational form for enterprises small and large.
    June 17th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)
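    The abstract above describes measuring indicator efficacy with feedback from the SOC and using that to retire indicators or sources that have stopped earning their keep. The following is an added example of that feedback loop, not code from the speaker or from any vendor product: it joins a constructed indicator feed (hypothetical sources "feed-a", "feed-b" and "internal", with values drawn from reserved documentation ranges and the well-known MD5 of an empty file) with constructed analyst dispositions, computes per-indicator precision and age, and recommends keep/review/retire per indicator and keep/deprioritize/drop per source. The thresholds (90 days stale, 50% precision, minimum hit counts) are assumptions to be tuned per environment, not figures from the talk.

```python
from collections import defaultdict
from datetime import date

# Constructed sample feed (hypothetical sources and values; not real intel).
# "last_seen" is the last date the source re-asserted the indicator.
INDICATORS = [
    {"id": "ind-1", "type": "domain", "value": "updates.example.test",
     "source": "feed-a", "last_seen": date(2015, 5, 30)},
    {"id": "ind-2", "type": "ipv4", "value": "198.51.100.7",
     "source": "feed-a", "last_seen": date(2015, 1, 10)},
    # MD5 of an empty file: a classic noisy indicator that matches harmless content.
    {"id": "ind-3", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
     "source": "feed-b", "last_seen": date(2015, 6, 1)},
    {"id": "ind-4", "type": "domain", "value": "cdn.example.test",
     "source": "feed-b", "last_seen": date(2015, 6, 1)},
    {"id": "ind-5", "type": "ipv4", "value": "203.0.113.9",
     "source": "internal", "last_seen": date(2015, 6, 10)},
]

# Constructed analyst dispositions: one entry per alert the indicator raised,
# as the SOC closed it ("tp" confirmed malicious, "fp" benign).
ALERTS = [
    ("ind-1", "tp"), ("ind-1", "tp"), ("ind-1", "fp"),
    ("ind-3", "fp"), ("ind-3", "fp"), ("ind-3", "fp"), ("ind-3", "fp"),
    ("ind-4", "fp"), ("ind-4", "tp"),
    ("ind-5", "tp"), ("ind-5", "tp"),
]


def score_indicators(indicators, alerts, today, stale_days=90,
                     min_hits=3, min_precision=0.5):
    """Per-indicator hit counts, precision, age in days and a recommended action."""
    tally = defaultdict(lambda: {"tp": 0, "fp": 0})
    for ind_id, disposition in alerts:
        tally[ind_id][disposition] += 1
    scores = {}
    for ind in indicators:
        t = tally[ind["id"]]
        hits = t["tp"] + t["fp"]
        precision = t["tp"] / hits if hits else None
        age = (today - ind["last_seen"]).days
        if hits == 0 and age > stale_days:
            action = "retire"   # never fired and the source has gone quiet on it
        elif hits >= min_hits and precision < min_precision:
            action = "review"   # fires, but mostly on benign traffic
        elif hits == 0:
            action = "watch"    # fresh indicator, no evidence either way yet
        else:
            action = "keep"
        scores[ind["id"]] = {"source": ind["source"], "hits": hits,
                             "tp": t["tp"], "fp": t["fp"], "precision": precision,
                             "age_days": age, "action": action}
    return scores


def score_sources(scores, min_hits=5, min_precision=0.5):
    """Roll indicator scores up to the feed that supplied them."""
    agg = defaultdict(lambda: {"tp": 0, "fp": 0, "indicators": 0, "retired": 0})
    for s in scores.values():
        a = agg[s["source"]]
        a["tp"] += s["tp"]
        a["fp"] += s["fp"]
        a["indicators"] += 1
        a["retired"] += int(s["action"] == "retire")
    verdicts = {}
    for src, a in agg.items():
        hits = a["tp"] + a["fp"]
        precision = a["tp"] / hits if hits else None
        if hits >= min_hits and precision < min_precision:
            verdict = "deprioritize"   # volume without value: push down the queue
        elif hits == 0 and a["retired"] == a["indicators"]:
            verdict = "drop"           # nothing from this feed ever mattered
        else:
            verdict = "keep"
        verdicts[src] = {"hits": hits, "precision": precision, "verdict": verdict}
    return verdicts


def run_example(today=date(2015, 6, 17)):
    """Score the constructed data as of a fixed date so results are reproducible."""
    ind = score_indicators(INDICATORS, ALERTS, today)
    return ind, score_sources(ind)


if __name__ == "__main__":
    ind_scores, src_scores = run_example()
    for ind_id, s in ind_scores.items():
        print(f"{ind_id}: hits={s['hits']} precision={s['precision']} "
              f"age={s['age_days']}d -> {s['action']}")
    for src, v in src_scores.items():
        print(f"{src}: hits={v['hits']} precision={v['precision']} -> {v['verdict']}")
```

    The two levels matter separately: a single noisy indicator (the empty-file hash) should not condemn a feed on its own, but a feed whose aggregate precision stays low across many hits is a candidate for deprioritization, and one whose indicators have all aged out without ever firing is a candidate for removal. In practice the dispositions come from the ticketing system the SOC already uses, which is the feedback loop the abstract refers to.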

  • VRDX-SIG: Global Vulnerability IdentificationReturn to TOC

    Mr. Art MANION (CMU SEI CERT/CC), Mr. Takayuki UCHIYAMA (JPCERT/CC), Dr. Masato TERADA (Hitachi Incident Response Team)

    Like most ontological exercises, defining what exactly constitutes a software vulnerability turns out to be at least somewhat subjective. Vulnerability databases use different definitions, scopes, identification systems, and data formats. There are some well-known, comprehensive(-ish) databases like Common Vulnerabilities and Exposures (CVE) and the Open Sourced Vulnerability Database (OSVDB), and more narrowly-scoped databases like Japan Vulnerability Notes (JVN) and vendor security advisories. Differences in scope and how vulnerabilities are defined and identified lead to difficulty counting, tracking, and responding.

    The FIRST Vulnerability Reporting and Data eXchange Special Interest Group (VRDX-SIG) was chartered to study existing practices and develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

    What are the key similarities and differences across databases?

    Should there be a global vulnerability identification system, and what would it look like?

    This talk will present results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.
    June 18th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • When Business Process and Incident Response Collide: The Fine-Tuning of the IR ProgramReturn to TOC

    Ms. Reneaue RAILTON (Former/Future member)

    There is a delicate balancing act in maintaining an effective incident response team in the maelstrom of cyber attacks amid limited resources and tools. An IR team must overcome obstacles ranging from limited network visibility and system access to a lack of training and proper tools. The cost of an incident is increasingly difficult to determine. Is it the impact on customers or the corporate brand? The loss of revenue or regulatory fines? How does an organization measure the risks and costs of a cyber event as they relate to the experience of the incident handler, from event discovery to containment? How can we leverage this information to build a business case to fill the gaps in our incident response capabilities?

    This talk focuses on common impediments to effective incident response and on tools to improve IR processes. The presenter will use real incidents and case studies to illustrate common gaps in IR procedures and event handling. We will discuss how to fine-tune the IR program to detect compromises earlier and how to lower the costs incurred when an organization suffers an intrusion.
    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • Working Towards the Tokyo 2020 Olympics - Situation in 2015Return to TOC

    Ms. Mariko MIYA (CDI-CIRT (Cyber Defense Institute, Inc.) - Japan)

    This presentation will be about the current situation in Japan with regard to preparation for the Tokyo 2020 Olympics, and lessons learned from our research into past major events, including the Olympics and other major events in different countries, which we conducted under contract to the Japanese government and other major Japanese companies.

    In comparing the 2012 London Olympics and the 2020 Tokyo Olympics, the following are some major differences that we have identified in our research:

    **Communication (network) interception**
    - London 2012 – Intelligence agencies and law enforcement implemented it under anti-terrorism laws (intelligence agencies and law enforcement have response capabilities against potential threats)
    - Tokyo 2020 – Law enforcement implements it under court order (response capabilities of law enforcement depend on the detection, judgment and response capabilities of the targeted organizations)

    **Mobile devices and Wi-Fi traffic**
    - London 2012 – Since this was the transition phase of the dramatic increase in smartphone and tablet use, the amount (increase) of Wi-Fi traffic was within expectations.
    - Tokyo 2020 – In addition to smartphones and tablet devices, a rapid increase in the use of cloud applications and wearable devices is expected, and it is extremely difficult to estimate the amount of traffic.

    **Terrorist organizations and cyberspace**
    - London 2012 – Illegal activities using cyberspace were only somewhat limited.
    - Tokyo 2020 – A rapid increase in illegal activities using cyberspace is expected (an easily accessible environment is continually being built at an accelerating pace)

    **Impact of cyber attacks on businesses**
    - London 2012 – Legacy systems were intermixed, so business impact was limited.
    - Tokyo 2020 – There will be fewer legacy systems, and it is likely that there will be dependency on extremely efficient or highly productive systems, so therefore business impact will be extremely high.

    In the presentation, I will further explain some possible cyber attack scenarios based on the factors above. Japan also has several unique issues it would have to deal with, for example earthquakes and nuclear power plants, which relate to dealing with physical security alongside cyber security when considering unified security at the time of the Olympics.

    Currently, as of 2015, more information sharing frameworks are being established, such as the Japanese Financial ISAC, the Cyber Defense Council of the MOD and JC3 (Japan Cybercrime Control Center, the Japanese counterpart of the NCFTA), and large scale cyber exercises are taking place in preparation for nation-wide massive events such as the Tokyo Olympics. The most up-to-date information will be given in June 2015. I would also like to discuss and explore possibilities for other countries to work together with us toward making such a massive event secure and successful.

    (I hope to give updates on the Tokyo 2020 Olympics situation every year.)
    (Presentations can be longer, up to 45 min.)
    June 15th, 2015 14:00 – 14:30

    (InterContinental Berlin, Germany)