27th Annual FIRST Conference

Conference Program

Overview

June 13th (Saturday)

Pre-Conference
10:00 – 17:00

FIRST Education & Training Committee Meeting - Check

June 14th (Sunday)

Pre-Conference
09:00 – 17:00

FIRST Education Summit III (Invite Only) - Bellevue


FIRST Training - Check

09:00 – 16:30

Train the Trainers - Rook

Don STIKVOORT, Lauri PALKMETS (ENISA)

17:00 – 18:00

Ambassador Program Training - Rook

18:30 – 19:00

Newbie Reception - Pavillon

19:00 – 21:00

Ice Breaker Reception - Pavillon

June 15th (Monday)

Rooms: Potsdam I / Potsdam III / Bellevue / Charlottenburg
08:45 – 09:30

Conference Opening - Potsdam I

09:30 – 10:00

Keynote Presentation - Potsdam I

10:00 – 10:30

Morning Networking Break - Conservatory / Potsdam Foyer

10:30 – 11:00

Introduction - Potsdam I

11:00 – 12:00

Adventures in Fighting Cybercrime

Mr. Piotr KIJEWSKI (CERT Polska/NASK)

TBA

TBA

 

12:00 – 13:00

Lunch - LA Café & Pavillon

13:00 – 14:00

The Crack in KrakenBOT

Mr. Peter KRUSE (CSIS Security Group A/S)

I'm Sorry to Inform You...

Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies), Dr. Marie MOE (SINTEF ICT)

3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience

Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI)

BetterCrypto.org Workshop

Mr. David DURVAUX (BetterCrypto.org), Mr. Aaron ZAUNER (Azet), Mr. L. Aaron KAPLAN (CERT.at)

14:00 – 14:30

So You Want a Threat Intelligence* Function (*But Were Afraid to Ask)

Mr. Gavin REID (Lancope)

Working Towards the Tokyo 2020 Olympics - Situation in 2015

Ms. Mariko MIYA (CDI-CIRT (Cyber Defense Institute, Inc.) - Japan)

Everyday Etiquette: Responding to Uncoordinated Disclosures

Ms. Laura RABA (US-CERT)

BetterCrypto.org Workshop (cont.)

14:30 – 15:00

Afternoon Networking Break - Conservatory / Potsdam Foyer

15:00 – 16:00

Threat Information Sharing; Perspectives, Strategies, and Threat Scenarios

Mr. Timothy GRANCE (NIST), THOMAS MILLAR (US-CERT), Mr. Pawel PAWLINSKI (CERT Polska / NASK), Mr. Luc DANDURAND (ITU)

Malware in Your Pipes: The State of SCADA Malware

Mr. Kyle WILHOIT (Trend Micro)

Collecting, Analyzing and Responding to Enterprise Scale DNS Events

Mr. Bill HORNE (Hewlett-Packard)

BetterCrypto.org Workshop (cont.)

16:00 – 17:00

Financial Review

Barriers and Pathways to Improving the Effectiveness of Cybersecurity Information Sharing Among the Public and Private Sectors

Laura FLETCHER (George Mason University), Kristin M. REPCHICK (George Mason University), Julie STEINKE (George Mason University)

Incident Response Programming with R

Mr. Eric ZIELINSKI (Nationwide)

 

17:00 – 17:30

Financial Review (cont.)

Lightning Talk

 

 

17:30 – 18:00

 

Lightning Talk (cont.)

 

 

June 16th (Tuesday)

Rooms: Potsdam I / Potsdam III / Bellevue / Charlottenburg
08:45 – 09:00

Opening Remarks - Potsdam I

09:00 – 09:45

Keynote Presentation - Potsdam I

09:45 – 10:15

Morning Networking Break - Conservatory / Potsdam Foyer

10:15 – 11:15

Fact Tables - A Case Study in Reducing Reactive Intrusion Time-to-Know by 95%

Mr. Jeff BOERIO (Intel Corp.)

RAT Tracking - Proactive Adversary Attribution via Scalable C2 Profiling

Mr. Levi GUNDERT (Fidelity Investments)

Quality Over Quantity—Cutting Through Cyberthreat Intelligence Noise

Mr. Rod RASMUSSEN (IID)

CSIRT Info Sharing Workshop

Shari LAWRENCE PFLEEGER (I3P-Dartmouth-GMU-NL-SE (various CSIRTS))

11:15 – 11:45

Prepare Your Cybersecurity Team for Swift Containment Post Incident

Mr. Michael HARRINGTON (General Dynamics Fidelis Cybersecurity Solutions)

A Day in the Life of a Cyber Intelligence Professional

Ms. Katherine GAGNON (World Bank Group)

Seven Years in MWS: Experiences of the Community Based Data Sharing for Anti-Malware Research in Japan

Dr. Masato TERADA (Hitachi Incident Response Team), Yoichi SHINODA (JAIST), Mitsuhiro HATADA (NTT Communications Corporation)

CSIRT Info Sharing Workshop (cont.)

11:45 – 12:45

Lunch - LA Café & Pavillon

12:45 – 13:15

Overview of South Korea Target Malwares

Mrs. Dongeun LEE (KRCERT/CC, KISA)

When Business Process and Incident Response Collide: The Fine-Tuning of the IR Program

Ms. Reneaue RAILTON (Former/Future member)

Ce1sus: A Contribution to an Improved Cyber Threat Intelligence Handling

Mr. Jean-Paul WEBER (GovCERT.lu)

Hands-on Network Forensics Workshop

Mr. Erik HJELMVIK (FM CERT)

13:15 – 14:15

The Cybercrime Evolution in Brazil: An Inside View of Recent Threats and the Strategic Role of Threat Intelligence

Mr. Ricardo ULISSES (Tempest Security Intelligence), Mr. Aldo ALBUQUERQUE (Tempest Security Intelligence)

Security Operations: Moving to a Narrative-Driven Model

Mr. Joshua GOLDFARB (FireEye)

Case Study: Creating Situational Awareness in a Modern World.

Mr. Michael MEIJERINK (NCSC-NL)

Hands-on Network Forensics Workshop (cont.)

14:15 – 14:45

Afternoon Networking Break - Conservatory / Potsdam Foyer

14:45 – 15:45

Enabling Innovation in Cyber Security

Mr. Michael GORDON (Lockheed Martin)

Technology, Trust, and Connecting the Dots

Mr. George JOHNSON (NC4), Mr. Bill NELSON (FS-ISAC), Mr. Wayne BOLINE (Raytheon), Kris HERRIN (FS-ISAC)

Bring Your Own Internet Of Things (BYO-IoT)

Mr. Jake KOUNS (Risk Based Security), Mr. Carsten EIRAM (Risk Based Security)

Hands-on Network Forensics Workshop (cont.)

15:45 – 16:45

DSMS: Automating Decision Support and Monitoring Workflow for Incident Response

Mr. Chris HORSLEY (CSIRT Foundry), Mr. SC LEUNG (HKCERT)

Crisis Communication for Incident Response

Mr. Scott ROBERTS (GitHub)

Cyber Security Challenges in the Financial Sector: Internal and External Threats

Ms. Rosa Xochitl SARABIA BAUTISTA (Mnemo-CERT)

Hands-on Network Forensics Workshop (cont.)

17:00 – 19:00

Vendor Show Case - Conservatory / Potsdam Foyer

June 17th (Wednesday)

Rooms: Potsdam I / Potsdam III / Bellevue / Charlottenburg
08:45 – 09:00

Opening Remarks - Potsdam I

09:00 – 10:00

Keynote Presentation - Potsdam I

10:00 – 10:30

Morning Networking Break - Conservatory / Potsdam Foyer

10:30 – 11:30

Passive Detection and Reconnaissance Techniques to Find, Track and Attribute Vulnerable "Devices"

Mr. Alexandre DULAUNOY (CIRCL - Computer Incident Response Center Luxembourg), Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies)

TBA

TBA

CVSS v3 Hands-on Training

Mr. Seth HANFORD (TIAA-CREF)

11:30 – 12:30

National Cyber Protection through Facilitation. Real Cases by CERT-UA

Mr. Nikolay KOVAL (CERT-UA)

TBA

TBA

CVSS v3 Hands-on Training (cont.)

12:30 – 13:30

Lunch - LA Café & Pavillon

13:30 – 14:30

The Future of Information Exchange Policy

Mr. Paul MCKITRICK (Microsoft), Ms. Merike KAEO (IID)

Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators

Mr. Alexandre PINTO (Niddel), Mr. Alexandre SIEIRA (Niddel)

Sinfonier: Storm Builder for Security Intelligence

Mr. Fran GOMEZ (Telefonica), Mr. Leonardo AMOR (Telefonica)

Pen Testing iOS Apps Workshop

Mr. Kenneth VAN WYK (KRvW Associates, LLC)

14:30 – 15:00

Afternoon Networking Break - Conservatory / Potsdam Foyer

15:00 – 16:00

Theory and Practice of Cyber Threat-Intelligence Management Using STIX and CybOX

Dr. Bernd GROBAUER (Siemens)

The Needle in the Haystack

Mr. Jasper BONGERTZ (Airbus Defence and Space CyberSecurity GmbH)

How We Saved the Death Star and Impressed Darth Vader

Mr. Matthew VALITES (Cisco CSIRT), Mr. Jeff BOLLINGER (Cisco CSIRT)

Pen Testing iOS Apps Workshop (cont.)

16:00 – 17:00

Validating and Improving Threat Intelligence Indicators

Mr. Douglas WILSON (FireEye)

Malware Analysis Case Study & Experimental Evaluation on the Applicability of Live Forensics for Industrial Control Systems

Mr. Yuji KUBO (CFC), Mr. Kensuke TAMURA (CFC)

Machine Learning for Cyber Security Intelligence

Mr. Edwin TUMP (NCSC-NL)

Pen Testing iOS Apps Workshop (cont.)

17:00 – 18:00

Lightning Talks

 

 

 

18:30 – 19:15

Reception at the Postbahnhof

19:15 – 22:00

Banquet at the Postbahnhof

June 18th (Thursday)

Rooms: Potsdam I / Potsdam III / Bellevue / Charlottenburg
09:00 – 09:15

Opening Remarks - Potsdam I

09:15 – 10:00

Keynote Presentation - Potsdam I

10:00 – 10:30

Morning Networking Break - Conservatory / Potsdam Foyer

10:30 – 11:00

Evaluating the Effectiveness of Fuzzy Hashing Techniques in Identifying Provenance of APT Binaries

Ms. Bhavna SOMAN (Intel Corporation)

Protecting Privacy through Incident Response

Mr. Andrew CORMACK (Jisc)

Building Community Playbooks for Malware Eradication

Mr. Christian SEIFERT (Microsoft)

 

11:00 – 11:30

Recent Trends of Android Malicious Apps: Detection And Incident Response in South Korea

Mr. Inseung YANG (KrCERT/CC), Ms. Jihwon SONG (KrCERT/CC)

Defining and Measuring Capability Maturity for Security Monitoring Practices

Mr. Eric SZATMARY (Dell SecureWorks)

Building Community Playbooks for Malware Eradication (cont.)

 

11:30 – 12:00

A Study on the Categorization of Webshell

Mr. Jae Chun LEE (KISA, KrCert/CC)

ENISA Threat Landscape: Current and Emerging Threat Assessment

Dr. Louis MARINOS (ENISA)

A Cognitive Study to Discover How Expert Incident Responders Think

Mr. Sam J. PERL (CMU SEI CERT/CC)

 

12:00 – 13:00

Lunch - LA Café & Pavillon

13:00 – 14:00

VRDX-SIG: Global Vulnerability Identification

Mr. Art MANION (CMU SEI CERT/CC), Mr. Takayuki UCHIYAMA (JPCERT/CC), Dr. Masato TERADA (Hitachi Incident Response Team)

Effective Team Leadership and Process Improvement For Network Security Operators

Mr. Jeremy SPARKS (United States Air Force)

Global Standards Unification - How EU NIS Platform, NIST and IETF Standards are Breaking Barriers for Information Sharing and Automated Action

Ms. Merike KAEO (IID)

 

14:00 – 15:00

Il Buono, il Brutto, il Cattivo: Tales from Industry

Mr. Rich BARGER (Cyber Squared Inc.), Mr. Andre LUDWIG (Novetta Solutions)

Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study

Mrs. Sharifah Roziah MOHD KASSIM (MyCERT, CyberSecurity Malaysia)

A Funny Thing Happened on the Way to OASIS: From Specifications to Standards

Mr. Richard STRUSE (US-CERT)

IPv6 Security Workshop

Mr. Frank HERBERG (SWITCH-CERT)

15:00 – 15:30

Afternoon Networking Break - Conservatory / Potsdam Foyer

15:30 – 17:30

AGM (Members Only) - Potsdam I

 

 

IPv6 Security Workshop (cont.)

June 19th (Friday)

Rooms: Potsdam I / Potsdam III / Bellevue
08:45 – 09:00

Opening Remarks - Potsdam I

09:00 – 10:00

Keynote Presentation - Potsdam I

 

 

10:00 – 10:15

Morning Networking Break - Conservatory / Potsdam Foyer

10:15 – 11:15

Building CERT Team and Responding Incidents in the Large Energy Company.

Mr. Miroslaw MAJ (Cybersecurity Foundation)

Implementation of Machine Learning Methods for Improving Detection Accuracy on Intrusion Detection System (IDS)

Mr. Bisyron MASDUKI (Id-SIRTII), Mr. Muhammad SALAHUDDIEN (Id-SIRTII)

Streamlined Incident Response from a Forensic Perspective

Matthew ROHRING (U.S. Department of Homeland Security / U.S. Computer Emergency Readiness Team)

11:15 – 11:45

Sector Based Cyber Security Drills - Lessons Learnt

Mr. Malagoda Pathiranage DILEEPA LATHSARA (Member)

Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites

Mr. Hiroshi KOBAYASHI (JPCERT/CC), Takayuki UCHIYAMA (JPCERT)

Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale

Dr. Bronwyn WOODS (CERT Program, SEI, CMU)

12:00 – 13:00

Closing Remarks - Potsdam I

13:00 – 14:00

Lunch - LA Café & Pavillon

  • 3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience

    Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI)

    Stefan Ritter, National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI

    Since 2007, Stefan Ritter has been head of CERT-Bund and the national IT-situation centre at the German Federal Office for Information Security BSI in Bonn. Before that he gathered exercise experience as a senior expert for critical information infrastructure protection and as an officer in the German armed forces. Since 2009, his team has provided dedicated cyber exercise support. Together they supported the preparation of, and played in, most of the large national and European cyber exercises.

    Background

    Cyber exercises are an important part of national and international cyber crisis management within several communities. In this talk we present our 3J4E concept, which addresses the following three challenges of (international) cyber exercises:

    • Encouraging international / inter-community information sharing within cyber exercises while keeping in mind the expectations of the players (JIGSAW)
    • Optimizing the utilisation of limited exercise time (JUMPSTART)
    • Addressing the top crisis management level within an international exercise (JUNCTURE)

    Methodology

    The 3J4E concept is modular, which means that the three parts can be used independently. It consists of the three modules presented below.

    JIGSAW

    One often-seen showstopper for information sharing in international operational cyber exercises is the fact that all participating teams get the same set of information from the scenario. As all players hold the same information, there is no need or desire for information sharing. Another problem regarding information sharing is the different levels of involvement and expectations among the playing teams. Players with a low involvement often don't share information actively, so that the whole exercise stalls due to the lack of participation of single playing teams.

    Our JIGSAW module tries to solve these two challenges of information sharing by separating the scenario into several so-called JIGSAW pieces and providing them to the players according to their level of participation and expectation. Besides the scenario elements, the players also need to be clustered according to their level of involvement. The idea behind JIGSAW is that each player holds just a little piece of information, and only by sharing with others does the whole situational picture become visible. Sharing should take place according to the level of involvement and expectation. To split the scenario into pieces and cluster the players according to their expectations, we present a concept that we call the Multilevel Clustered Exercise Framework.

    JUMPSTART

    A well-known problem of cyber exercises is the limited time frame for the exercise play. This problem increases further if strategic top-level decision makers participate. A crisis timeline follows the five phases Pre-Crisis, Detection, Reporting / Alerting, Response and Wrap-Up, while the exercise timeline consists of three phases: Pre-Ex, Ex-Play and Post-Ex. In a classic exercise setup the two timelines are often aligned such that the Ex-Play phase covers the Detection and the Reporting / Alerting phases of the crisis timeline. The Response phase is often only touched on slightly, or not played at all, due to the limited playing time.

    For a JUMPSTART into the exercise it is necessary to align both timelines such that the beginning of the Ex-Play (StartEx) coincides with the end of the Reporting / Alerting phase. This means that the players start directly within the Response phase and can initiate the crisis management procedures right away. To reach this aim, the JUMPSTART concept shows ways to create exercise material that covers the first three phases of crisis management before StartEx. This requires more detailed preparation among planners and players, but leads to strong involvement of the stakeholders in the exercise right at StartEx. To illustrate the benefits of the JUMPSTART concept we use the well-known OODA loop (Observe, Orient, Decide, Act) and activity diagrams showing national and international crisis management play.

    JUNCTURE

    The aim of the JUNCTURE module is to design scenario elements which reach the strategic top level of crisis management within an operational exercise. Besides the strategic top-level decision makers, this also includes the staff dealing with strategic decision preparation. To reach this aim, we developed two ways of creating scenario elements that reach the intended strategic management level: "By Aggregation" and "By Singularity". While the "By Aggregation" approach deals with a large number of incidents that together lead to a crisis, the "By Singularity" approach focuses on one single high-impact incident which triggers top-level management decisions. To design scenarios which fit one of these two approaches, we recommend a technique which we call Consequence-Backtracking. In this method, the consequences of top management decisions in real crisis situations (cyber and non-cyber) are analysed to understand which level of impact is necessary to trigger decisions at the particular management level. Based on this backtracking, cyber scenario events are then developed which imply the same consequences as the examined real crisis.

    Impact

    The overall quality of cyber exercises, both in the governmental and in the business context, is improved. The satisfaction of top management players will be improved.

    Significance for the audience

    The audience will be able to understand the three concepts and see the advantages for future cyber exercises. Thanks to the implementation examples given, the audience will be able to generate ideas for their own implementations.

    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • A Cognitive Study to Discover How Expert Incident Responders Think

    Mr. Sam J. PERL (CMU SEI CERT/CC)

    Sam Perl

    Samuel J. Perl is a member of the CSIRT development team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2011 and has worked in a variety of areas including insider threat, vulnerability assessment, security incident data analysis, and incident management team development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds an M.S. in Information Security Management from Carnegie Mellon University and a B.S. in Information Systems from Carnegie Mellon University.

    Richard O. Young, Ph.D

    Richard O. Young is Teaching Professor of Management Communication at the Tepper School of Business, Carnegie Mellon University, Pittsburgh, PA. He received a Ph.D. in Rhetoric from Carnegie Mellon in 1989 with a dissertation on the cognitive processes of management consultants and their clients. A regular presenter at national conferences on business communication, he is also the author of How Audiences Decide: A Cognitive Approach to Business Communication (2011).

    Incident response expertise is a rare and valued resource. Expert incident responders are expensive to hire, difficult to find, and competition for their services is fierce. Governments, the private sector, and non-profits all need experienced incident responders with the proper skills and training in order to respond effectively to increasingly sophisticated cyber attacks.

    We performed a cognitive study on expert incident responders after being inspired by existing research studies on experts in non-security domains. Our goal was to extract the conceptual frameworks or schemata that expert incident responders use to make their decisions and to represent their schemata in a form that could be understood and used by non-experts.

    Our presentation will include background information on the four expert incident responders who participated in our study, the real-world proprietary stimulus materials our experts used to decide the best responses to the incidents we gave them, our methodology, and our data analysis. Next, our presentation will describe the results of our study--the schemata our expert incident handlers used to make their decisions, and what our results reveal about the incident response field when compared to the findings of researchers studying expertise in other domains such as business and military decision making.

    Last, we will discuss the implications of our results in light of the current societal and business trajectory toward greater technology dependence and the ever-growing demand for incident response expertise.

    June 18th, 2015 11:30 – 12:00

    (InterContinental Berlin, Germany)

  • A Day in the Life of a Cyber Intelligence Professional

    Ms. Katherine GAGNON (World Bank Group)

    Katherine Gagnon has been working in IT for over 21 years, with 18 of those focused directly on information security, after she graduated from Johns Hopkins University with a bachelor's degree in Computer Science. She has worked as a consultant performing pen testing, architecture design and review, infrastructure deployment, and more. In addition to 3 years as the program manager for information security at Discovery Communications, Kate spent substantial time in the public sector, having worked for years between USAID and the US Department of State before entering the realm of international organizations, where she currently serves as an Information Security Officer with the World Bank Group. There she has been managing the Cyber Threat Intelligence program for over 2 years and previously managed the endpoint security engineering function for 4 years.

    Building a cyber threat intelligence program can be a daunting task given the firehose of information which could be consumed. Many organizations don't know where to even start, but the truth is it probably has already started...

    • Are you monitoring the news for open source information (OSINT) and considering how a similar attack might affect your own organization?
    • Do you seek out indicators of compromise (IOCs) for those incidents and apply controls or alerting to firewalls, proxies, endpoints, IDSs, etc.?
    • Do you collaborate with colleagues outside your organization and share information about the tactics, techniques and procedures (TTPs) attackers may be using?
    • Is your organization a member of FIRST or an institutional ISAC, or does it have a relationship with an outside security services vendor?

    Those are all beginning elements to a cyber intelligence program, but the question then becomes how to mature and manage information flow past OSINT. This presentation will discuss "a day in the life" of cyber threat intelligence work, including:

    • relationship building,
    • bi-directional IOC sharing,
    • making IOCs actionable within operational systems,
    • managing the onslaught of information,
    • brand protection & takedowns,
    • awareness for users, engineering & management,
    • pitfalls to avoid,
    • and taking steps towards automation.

    It will also discuss staffing considerations in a small or growing intelligence team.

    June 16th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • A Funny Thing Happened on the Way to OASIS: From Specifications to Standards

    Mr. Richard STRUSE (US-CERT)

    Mr. Struse serves as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he is responsible for technology vision, strategy and implementation in support of the NCCIC’s mission. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII.

    Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extreme high reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories where his work focused on tools to automate software development and the UNIX operating system.

    This presentation will explain the process of transitioning the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) from technical specifications sponsored by the US Department of Homeland Security into formal international standards, explaining decisions made along the way and discussing lessons learned during the development, refinement, and transition process.

    As pivotal ingredients in the future of automated, structured information exchange between CSIRTs, STIX and TAXII need to "land" in the right standards body with the right amount of support from public and private sector partners to help shepherd them through the process of becoming international, voluntary standards while preserving their functionality and compatibility. Nothing good comes easy, and the path to transition was full of difficult decisions.

    In this session, participants will learn key considerations for engaging with international standards bodies; different roles and governance models for the various standards organizations that CSIRTs may interact with; and how to ensure international standardization of our common practices and tools has a positive and lasting impact on the CSIRT community and the constituencies we serve.

    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • A Study on the Categorization of Webshell

    Mr. Jae Chun LEE (KISA, KrCert/CC)

    Jae Chun Lee

    • KISA(Korea Internet & Security Agency)
    • Internet Incidents Analysis Team

    Education

    • M.S. in Computer Science, Sogang University, 2006
    • B.S. in Computer Science, Sogang University, 2000

    Experience

    • 2006 – now : KISA(Korea Internet & Security Agency)
    • 2001 – 2003 : Game Programmer, Cinepix
    • 2000 – 2001 : Server Programmer, Vocian.com

    Publications

    • Secure Coding Guide, 2010

    Dong-Geun Lee

    • KISA(Korea Internet & Security Agency)
    • Internet Incidents Analysis Team Manager

    Education

    • M.S. in Computer Science, Kyungpook National University, 2003
    • B.S. in Computer Science, Kyungpook National University, 2001

    Experience

    • 2011 – now : Manager, KISA(Korea Internet & Security Agency)
    • 2003 – 2010 : Researcher, KISA(Korea Internet & Security Agency)

    HyunCheol Jeong

    • Director of the Internet Incidents Analysis Division, KISA (Korea Internet & Security Agency)

    Education

    • Ph.D. in Information Security from Korea University, 2014
    • M.S. in Computer Science from KwangWoon University, 1999
    • B.S. in Computer & Statistics from Seoul City University, 1989

    Experience

    • 1996 – now : KISA(Korea Internet & Security Agency)

    A webshell is a backdoor program that is most commonly used in web hacking.

    We can easily determine the features and methods of hacker groups if we know the unique features of their webshells.

    For example, the DMC webshell used in the Dark Seoul case is used by specific hacker groups. In other hacking cases, the systems on which the DMC webshell was installed were attacked with similar methods from the same IPs.

    Some attackers apply analysis-disturbance techniques, such as obfuscation in several stages. Knowing the history of a webshell is therefore very helpful when analyzing it.

    KrCERT/CC has about 400 cases of webshell analysis from intrusions in Korea in 2014 and has researched how to classify these cases.

    The agenda for this presentation is as follows:

    • Introduction of webshell and its feature
    • System of webshell categorization and the correlation of intruders
    • How to classify webshell

      1. By function
      2. By the length of webshell source code
      3. By the method of source code encoding
      4. By detection evasion
      5. By analysis disturbance
      6. By file name
      7. By concealment method
      8. By the fingerprint and transformation of webshell
      9. By the language
    • Conclusion

    June 18th, 2015 11:30 – 12:00

    (InterContinental Berlin, Germany)

  • Adventures in Fighting Cybercrime

    Mr. Piotr KIJEWSKI (CERT Polska/NASK)

    Piotr Kijewski is the Head of CERT Polska, a part of NASK. Previously for many years he was in charge of multiple projects and security research in the CERT Polska team. His interests include threat intelligence, malware analysis, botnets and honeypots. Active in incident response, Piotr also orchestrated and coordinated the takedown of multiple botnets. Piotr has also engaged in many different innovative network security projects, both at the national and international level (including EU FP7, NATO and ENISA projects). Author of a couple of dozen publications and articles on network security, as well as frequent speaker and panelist at conferences both in Poland and abroad (including FIRST, NATO Cyber Defense Workshop, Honeynet Project Workshop, Microsoft Digital Crimes Consortium, MSRA and APWG eCrime). In 2011, Piotr set up the Polish Chapter of the Honeynet Project.

    The talk will cover various cybercrime operations analysed by CERT Polska in the last 1-2 years. These primarily involved various forms of malware and botnets that used Polish network properties for C&C purposes or that were specifically targeting Polish users. Many of these include banking trojans (such as VMZeus/Gozi2/Kronos), specifically web-inject malware. We will show how these evolve and use more and more sophisticated social engineering techniques to fool users into losing their money. We will also cover other cases as well that did not involve malware, but that employ similar social engineering tricks - such as mass hackings of home routers for financial gain. We will explore some cases unique to the Polish scene, including the rise of Banatrix (a relatively simple malware that is surprisingly effective in stealing money by substituting bank account numbers when these are rendered by the browser) and its friends. We will present specific case studies on how our team counters these threats and on how effective these cybercrime campaigns really are.

    Relevance to audience: Talks that cover case studies on actual malware (and other cybercrime-related cases), its true scale of infection and effectiveness, and how specific cases were dealt with (including sinkholing techniques), are unfortunately still rather rare in the CERT community. Sharing the knowledge and experience gained will be beneficial both to the audience and the speaker ;). We will try to cover the most recent cases and some interesting older ones.

    Technical level: Medium - we will cover some technical details but concentrate more on trends and how threats evolve rather than going very deep into malware internals.

    Target audience: Security specialists and management with technical background.

    June 15th, 2015 11:00 – 12:00

    (InterContinental Berlin, Germany)

  • Barriers and Pathways to Improving the Effectiveness of Cybersecurity Information Sharing Among the Public and Private Sectors

    Laura FLETCHER (George Mason University), Kristin M. REPCHICK (George Mason University), Julie STEINKE (George Mason University)

    Julie Steinke is a Postdoctoral Research Fellow in the Industrial/Organizational Psychology Program at George Mason University. Her research interests include teams, competition and conflict, performance under stress and adversity, and resilience. Steinke received a PhD in industrial and organizational psychology from Wright State University.

    Kristin M. Repchick is a doctoral candidate in the Industrial/Organizational Psychology Program at George Mason University. Her research interests include team processes, CSIRT effectiveness, and multiteam systems. Repchick received an MA in industrial and organizational psychology from George Mason University.

    Laura Fletcher is a graduate student in the Industrial/Organizational Psychology Program at George Mason University. Her research interests include teams, multiteam systems, networks, and creativity.

    This presentation describes barriers to information sharing and pathways to improving the effectiveness of cybersecurity collaboration. The presentation is based on research conducted by George Mason University, Dartmouth College and Hewlett-Packard under a three-year research grant from the U.S. Department of Homeland Security, the Netherlands and Sweden. Barriers to cybersecurity information sharing were identified through interviews and focus groups in dozens of public and private organizations in Europe and the United States, and through surveys of cybersecurity professionals conducted in 2014 and 2015. Building on the findings of other researchers, we present an overview of information sharing barriers within CSIRTs, C-CERTs, and M-SIRTs; between these teams and their larger organizations, and between the organization and the outside world. We also describe ways to break down barriers and promote information sharing.

    June 15th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • BetterCrypto.org Workshop

    Mr. David DURVAUX (BetterCrypto.org), Mr. Aaron ZAUNER (Azet), Mr. L. Aaron KAPLAN (CERT.at)

    David Durvaux was one of the few people who joined Aaron & Aaron in their project of writing BetterCrypto. His background is now mostly focused on incident response. He is a big fan of *nix systems and open-source tools. He was involved in the AbuseHelper project when he was working at CERT.be.

    Aaron Zauner is a self-employed engineer for large-scale infrastructure, HPC and information security. He did front- and back-end development in the past, and has spent a lot of time in data centers and auditing code, networks and systems. http://azet.org

    The BetterCrypto Project started out in the fall of 2013 as a collaborative community effort by systems engineers, security engineers, developers and cryptographers to build up a sound set of recommendations for strong cryptography and privacy-enhancing technologies catered towards the operations community, in the face of overarching wiretapping and data mining by nation-state actors. The project has since evolved with a lot of positive feedback from the open-source and operations community in general, with input from various browser vendors, Linux distribution security teams and researchers.

    This workshop will give a concise guide on how to properly deploy networked services in a secure fashion that is applicable today. We will also give an update on the project as well as on new developments in cryptography, attacks and TLS protocol standardization.

    In addition, the workshop will touch on the basics of cryptography. However, this part can only give a gentle introduction and a historical view of cryptography.

    The core idea behind the project is to use the skills of its authors to build an open-source guide for system administrators who need to securely configure their systems. The document is split into two parts:

    • the first proposes state-of-the-art configurations for as many different systems as possible;
    • the second explains, through a theoretical approach, the reasoning behind certain settings.

    The configuration part tries to offer configurations that can be copy/pasted to give a valid usage of cryptography. As clear-text protocols should be avoided, we tried to cover as many different systems and usages as possible. For instance, we cover the following technologies and implementations:

    1. web server: Apache, Lighttpd...
    2. mail server: Postfix...
    3. remote session: SSH
    4. mail encryption: PGP/GPG
    5. secure chat:
    6. ...

    The theoretical part will cover algorithms, key sizes, and the main concepts and properties that need to be used. It addresses the major discussions like

    • algorithms to be used;
    • key size;
    • asymmetric and symmetric cryptography;
    • perfect forward secrecy;
    • ...

    Made with the open-source spirit in mind (the whole document is written in LaTeX and published as open source on git), our work is open for comments, and any new contribution is welcome.

    Our goal is also to continue completing the guide with other tools from other vendors. We also dream of a configuration tool that could help people automatically generate the configuration they need for their systems...

    Our workshop at FIRST would cover

    • a description of the project and the need for such a work;
    • a short introduction to cryptography and the main concepts;
    • a description of what the proposed configurations look like and the results on some online validation tools;
    • a step-by-step demonstration of using GPG on the command line to show what's really going on under the hood;
    • a call for collaboration and help: we are open, and the more we are, the better our work will be!

    As an attachment, we propose a draft presentation based on previous work, to demonstrate the type of content we would like to present.

    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Bring Your Own Internet Of Things (BYO-IoT)

    Mr. Jake KOUNS (Risk Based Security), Mr. Carsten EIRAM (Risk Based Security)

    Jake Kouns is the CISO for Risk Based Security and oversees the operations of the Open Sourced Vulnerability Database (OSVDB.org). Mr. Kouns has presented at many well-known security conferences including RSA, Black Hat, DEF CON, CISO Executive Summit, CanSecWest, SOURCE, FIRST and SyScan. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

    Jake has briefed the DHS and Pentagon on Cyber Liability Insurance issues and is frequently interviewed as an expert in the security industry by Information Week, eWeek, Processor.com, Federal Computer Week, Government Computer News and SC Magazine. He has appeared on CNN as well as the Brian Lehrer Show and was featured on the cover of SCMagazine.

    Carsten Eiram is the Chief Research Officer of Risk Based Security and is managing the company’s research efforts and Vulnerability Intelligence (VI) solution, VulnDB. Prior to RBS, he managed Secunia's Research team and VI solution for 10 years.

    Carsten is considered a leading expert in the VI field due to his long experience managing vulnerability databases (VDBs), in-depth knowledge of vulnerabilities, root causes, and trends, as well as hands-on experience. He has spent a good part of his career analyzing vulnerability root causes in software and determining code quality, to promote the concept of “Code Maturity” as a metric for evaluating the secure coding efforts of vendors.

    As a vulnerability researcher with a reverse engineering background, Carsten has almost 200 vulnerability discoveries credited to his name. Most are critical issues in high-profile products from major software vendors including: Microsoft, Adobe, Symantec, IBM, Apple, Novell, SAP, Rockwell, Schneider Electric, Blue Coat, and Trend Micro.

    Carsten has been interviewed for numerous news articles about software security and has presented at conferences such as FIRST Conference, RSA Conference, DEF CON, RVAsec, as well as keynoting Defcamp 2013. He is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor for the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and a member of the CVE Editorial Board and FIRST VRDX-SIG.

    Just as incident response teams thought they were finally getting a handle on Bring Your Own Device (BYOD), whether they know it or not they now face the new challenge of dealing with IoT (Internet of Things). It is no longer just laptops and smart phones being connected to the corporate network. It now includes everything from surveillance cameras to smart light bulbs, smoke detectors, and sprinklers with wireless connectivity, not forgetting the coffee machine. On the surface this may seem like a low risk, but we have already seen numerous data breaches due to third-party vendors. Target, for example, admitted the initial break-in was due to their HVAC vendor.

    We’ve seen researchers focusing on discovering vulnerabilities in SCADA / ICS, smart phones, routers and access points, and within the past couple of years, we’ve seen them focus on surveillance cameras. Now they’re branching out and focusing more on IoT in general. At this point, most of the IoT hacks that we’re seeing are currently lame when it comes down to it. They require physical access or are minor issues. However, the potential real world impact is scary, impressive, and very important to pay attention to, as we’ve seen with other consumer devices.

    Is your organization ready to deal with new exploits for IoT devices on your network? Do you have solid policies in place for dealing with how these devices are securely connected to the network, properly protected, and how any compromises involving them should be handled?

    This talk will cover a sample of vulnerabilities that currently have been published in various IoT devices and discuss the challenges and concerns organizations need to understand. It will fully discuss the capabilities of IoT vendors to even deal with vulnerability reports and ultimately help ensure that once IoT really enters your enterprise, you’re ready and equipped to deal with it.

    June 16th, 2015 14:45 – 15:45

    (InterContinental Berlin, Germany)

  • Building CERT Team and Responding Incidents in the Large Energy Company.

    Mr. Miroslaw MAJ (Cybersecurity Foundation)

    MIROSŁAW MAJ has almost 20 years of experience in the IT and IT security sector. For almost 10 years he led the CERT Polska team, the first Polish incident handling team, which plays the role of the national-level team. In 2010 he founded the Cybersecurity Foundation and became its first director. In September 2010 he became the expert on CIIP of the Polish Government Centre for Security. In 2011 he also became a co-founder of the first Polish independent CERT, ComCERT.PL. He is also a member of the Trusted Introducer team, responsible for the accreditation and certification process within this trusted platform. He is the author of papers on security statistics and other subjects from the security area. He is involved in international cooperation between CSIRT teams as a member of the Trusted Introducer team, as well as in formal European projects related to security issues (standards, statistics, information sharing, fighting illegal content, building security awareness and establishing new CSIRT teams). He is the co-author of many ENISA publications, including CERT exercises and papers on improving CERT coordination. Miroslaw Maj organized four editions of national-level cyber exercises in Poland (Cyber-EXE™ Polska) and in Georgia (Cyber-EXE™ Georgia) for the energy, banking and telecommunication sectors. He has presented his work at many international conferences, including a number of presentations at FIRST conferences.

    The number of significant and dangerous incidents related to energy sector companies is growing. Last year's cases related to the activities of groups like Dragonfly or Sandworm and attacks like BlackEnergy are the best proof that this sector has become a very common target of cyberattacks. The political and military tension in Eastern Europe is fostering this trend. This situation has forced energy sector companies to work more actively on their cybersecurity systems, including building the capabilities of an efficient incident response process. During the presentation, the issues related to the process of building a CERT team in an energy sector company will be presented. Such a process is specific due to the special requirements related to the existence of a CERT in a large energy company. This kind of company is usually organisationally widely distributed. This distribution also affects the technical infrastructure, which creates special challenges for infrastructure protection. Another challenge is the fact that responsibility for maintaining the technical infrastructure is shared by many entities, including outsourced parties. All these specifics make the process of building the CERT team very challenging, and during it both technical and personal-relationship aspects are very important. The presentation of the process of CERT creation will be enriched by the presentation of experiences from the process of responding to incidents. The most interesting incidents will be presented in relation to the established and implemented CERT processes, so attendees will be able to learn how the specific structure of the CERT is prepared and able to respond to them effectively. The presentation will be based on a real case study of CERT creation in an energy sector company, as the author is involved in such a process. Real, anonymised computer incidents will also be used in the speech.

    The attendees will learn:

    • how to prepare and conduct the process of building a CERT in a large company;
    • what the most common incidents in an energy sector company are;
    • what the influence of the CERT operational model on the effectiveness of the incident management process is;
    • how to use experiences from the energy company in their own organisation: what is universal, what is specific.

    June 19th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Building Community Playbooks for Malware Eradication

    Mr. Christian SEIFERT (Microsoft)

    Christian Seifert bio to come.

    One of the goals of the Microsoft sponsored Coordinated Malware Eradication program is to use lessons learned from current and past malware eradication campaigns to inform new campaigns. To improve the efficiency of antimalware campaigns, our tactic is to distill the collective experience of past campaigns into playbooks that contain templates and guidelines that the entire community working to eradicate malware can directly incorporate into future campaigns.

    This presentation will show the playbooks we’ve created, how participants have used them, and ideas for new playbooks we’d love to build with the help of the community to more effectively fight malware together.

    Examples of playbooks are:

    • Creating an eradication plan—what deterrence and eradication techniques make sense for this operation?

    • Abuse reporting to vetted and to previously unknown entities— what do you say when you don’t know if you can trust the recipient?

    • Conducting a postmortem—why is it one of the most critical steps, what questions should you ask?

    June 18th, 2015 10:30 – 11:00

    (InterContinental Berlin, Germany)

  • Case Study: Creating Situational Awareness in a Modern World.

    Mr. Michael MEIJERINK (NCSC-NL)

    Michael Meijerink is a senior security specialist at the Dutch National Cyber Security Centre(NCSC.NL). Since 2012 he has been involved at the NCSC in creating a technical and social network in which specific indicators and incident related information can be shared in a trusted environment within the government as well as with the critical infrastructure partners.

    When Edward Snowden leaked classified information from the NSA in June 2013, all government initiatives on monitoring and data correlation became suspicious. NCSC had just started the pilot preparations at a government data centre aimed at automatically sharing indicators and incident-related information, giving a boost to the operational situational awareness of its CSOC. Many challenges had to be overcome. As of December 2014, government organizations as well as critical infrastructure partners have started the new sharing collaboration successfully. In his presentation Michael will discuss the prerequisites, technical but mostly non-technical, needed to create this Dutch habitat in which organizations can share information safely on a voluntary basis. Michael will also share the outcome of the evaluation held in June 2015.

    June 16th, 2015 13:15 – 14:15

    (InterContinental Berlin, Germany)

  • Ce1sus: A Contribution to an Improved Cyber Threat Intelligence Handling

    Mr. Jean-Paul WEBER (GovCERT.lu)

    Jean-Paul Weber, IT Security Analyst at the governmental CERT in Luxembourg since 2013, is a specialist in the area of handling and analyzing IT security incidents. Currently one of his main interests is the follow up of threat intelligence. He is also responsible for development and maintenance of tools for the facilitation of internal processing.

    The daily business of Computer Incident Response Teams (CIRT) is preventing incidents and handling breaches. Sharing information is crucial for time efficiency and for the prevention of unnecessary double work. Automated handling and processing of cyber threat intelligence is imperative. Currently there are a number of emerging tools, but to date none of them, in our opinion, sufficiently satisfies the needs of computer specialists working in the domain of incident response. The main needs include the following: ease of use, adequate handling of data structures, interfaceability and automated data enrichment.

    In this presentation the benefits of using structured data and automated systems will be outlined. Advantages and problems of relevant standards and available tools will be briefly discussed. In consequence, our ongoing work on ce1sus, an open-source platform that fulfills all the identified needs while circumventing known problems, will be presented. ce1sus uses a widespread standard (STIX) and allows for interoperability with existing tools.

    Ce1sus is available as free open-source software at:

    https://github.com/GOVCERT-LU/ce1sus

    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • Collecting, Analyzing and Responding to Enterprise Scale DNS Events

    Mr. Bill HORNE (Hewlett-Packard)

    Bill Horne is the Director of Security Research in the Security and Manageability Lab of HP Labs. He previously served as a Research Manager in the Security and Cloud Lab of HP Laboratories in Princeton, NJ, since August 2002. He directs research on systems and network security, cryptography, privacy and risk management, and is responsible for transferring security technology developed in HP Labs to customers and business units. He is the author of over sixty publications in the area of security and machine learning, holds twenty-two patents and has thirty-four patents pending. He is a Principal Investigator for a DHS Science and Technology funded project, Improving CSIRT Skills, Dynamics, and Effectiveness. He is currently an associate editor for IEEE Security and Privacy Magazine. Prior to joining HP, he held industrial research positions at InterTrust Technologies and NEC Research Institute. He has an MSEE and PhD in Electrical Engineering from the University of New Mexico, and a BS in Electrical Engineering from the University of Delaware.

    In this talk I will describe our efforts to collect, analyze and visualize DNS as part of our HP ArcSight SIEM infrastructure. DNS is important for security for many reasons. If the DNS infrastructure can be brought down, many networking tasks would be impossible to complete. If the integrity of the mapping between domain names and IP addresses is compromised, attackers can redirect users undetectably to IP addresses of their choosing. And malware of many types must in one way or another use the DNS infrastructure as part of its operations. For example, botnets often use fast-flux techniques and domain generation algorithms to rendezvous with command and control servers.

    Collecting DNS is a significant challenge. In HP, our core internal DNS clusters process approximately 16 billion DNS packets every day. Ideally, we would like to turn each and every one of those packets into an event for our SIEM. However, HP is currently the largest commercial deployment of ArcSight and we would have to grow our SIEM by a factor of six to collect this data. Moreover, traditional logging has a substantial performance impact on the DNS infrastructure, and therefore from an operational perspective enabling logging is also impractical. Finally, DNS servers generally do not log the information necessary to detect many security problems.

    To deal with these problems we collect and filter this traffic using hardware network packet sniffers, which have no impact on the performance of the DNS servers and allow us to collect all of the information we need for security purposes. We model known good traffic and discard it, keeping only anomalous data.

    We developed a custom analytics engine, which analyzes this data looking for evidence of botnet infections, blacklist hits, cloud platform abuse, beaconing, data exfiltration, and cache poisoning attempts. The results of these analyses are turned into a set of alerts which are sent to our Security Operations Center (SOC). We’ve also developed a usable dashboard and visualizations to help analysts explore the data.

    The system has been up and running in HP since June 2014. The SOC processes on average about 20 of our alerts per day, with very low false positive rates. We’ve worked closely with the SOC to make sure the tool is fully integrated into the workflows that the SOC analysts use and meets the needs of the analysts.

    June 15th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Crisis Communication for Incident Response

    Mr. Scott ROBERTS (GitHub)

    Scott J Roberts works for GitHub and makes up his title every time he’s asked, so we’ll say he’s the Director of Bad Guy Catching. He has worked for 900lbs security gorillas, government security giants & boutiques, and financial services security firms and done his best to track down bad guys at all these places. He’s released and contributed to multiple tools for threat intelligence and malware analysis. Scott has spoken at Facebook, OpenDNS, Shmoocon, and many other security industry and academic events.

    One of the parts of intrusion response that rarely gets attention in DFIR circles, though huge attention outside them, is the victim company's customer-facing communication to its own customers. This is almost always the only real information the public gets about your intrusion, and communicating what happened effectively is crucial to minimizing damage, both to customers and to your organization's reputation.

    Using lessons pulled from professional public relations specialists, combined with practical experience in operations and security incident response, we'll review the five keys to good crisis communications. We'll walk through multiple examples of good and bad crisis communications and develop an understanding of what information people need to know, when, and why they should get it from you and not the media. We'll also discuss building a comprehensive incident communications plan.

    June 16th, 2015 15:45 – 16:45

    (InterContinental Berlin, Germany)

  • CSIRT Info Sharing Workshop

    Shari LAWRENCE PFLEEGER (I3P-Dartmouth-GMU-NL-SE (various CSIRTS))

    Shari Lawrence Pfleeger, Dartmouth College, is the Principal Investigator for a three-year project (October 2012 to September 2015) investigating how to make incident response teams more effective. The project team members draw from George Mason University’s Psychology Department; George Mason University’s Center for Infrastructure Protection; and Hewlett-Packard Laboratories’ Cyber Security Research Team.

    Project Details: By analyzing documentation, observing actual CSIRT activity, convening focus groups, and using pre- and post-incident interviews, our team from Dartmouth College, George Mason University and Hewlett-Packard is recommending ways to improve the skills, dynamics and effectiveness of CSIRTs. Through the end of 2014, the team has interacted with 45 CSIRTs, conducted 28 focus groups, and interviewed 117 team members and several dozen team leaders; this data collection continues in 2015. Funded by agencies in the U.S., Sweden and the Netherlands, the project findings reflect CSIRT members in over a dozen countries and in academic, corporate, national and international organizations. This basic research is determining and validating principles for creating, running and sustaining an effective CSIRT. The output includes descriptions of needed knowledge, skills and abilities for key CSIRT roles, viewed from individual, team and multi-team system perspectives, plus recommendations for improving CSIRT performance. Evidence-based decision aids are being developed and used commercially, and technology transfer of results is being accomplished not only in publications (e.g. a special issue of IEEE Security & Privacy magazine, a handbook, and academic publications) but also by participating in existing CSIRT training sessions and by presenting findings to CSIRT members and managers in a final project workshop co-located with FIRST 2015.

    Proposal Details: Our team proposes a series of linked workshops and presentations at FIRST 2015 in Berlin:

    • Sunday, June 14: An all-day workshop at the Intercontinental Hotel in Berlin. At this experiential, interactive project workshop, our team will work with attendees (CSIRT team members and leaders) in two ways: After we present several key project findings, the attendees will take part in activities that help them identify which findings are directly relevant to their particular CSIRT structures, goals and talents, and then learn and apply techniques to address the most important areas for improvement. For more information about this free workshop, please contact Julie Steinke, at jsteinke@gmu.edu

    • Monday, June 15: Project-related presentations at FIRST by our project team members. Presentations to FIRST will be made by Julie Steinke and her colleagues (George Mason University) on information sharing to improve CSIRT effectiveness, and William Horne (Hewlett-Packard) on applying our findings commercially.

    • Tuesday, June 16: 90-minute workshop at FIRST on feedback and next steps toward CSIRT effectiveness. This workshop will present an overview not only of the project and its findings but also of techniques useful in immediate CSIRT improvements. In an interactive discussion, our team members will elicit examples from attendees of our findings’ utility and of other areas ripe for investigation and improvement that we have not yet addressed in our research.

    Audience: Members/leaders of CSIRTs, members/leaders of other teams that interact with CSIRTs.

    Expected Outcomes: Attendees will leave with descriptions of what works well in an incident response team; descriptions of what can be improved; descriptions of lessons learned from incident response teams; suggested pathways from improvement opportunity to actual improvement, based on lessons learned and on research findings; possible descriptions of areas/questions needing significant attention from researchers.

    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • CVSS v3 Hands-on Training

    Mr. Seth HANFORD (TIAA-CREF)

    Seth Hanford is the manager of the Detection & Response Team for TIAA-CREF, a Fortune 100 financial services firm. Past roles have found Seth managing a threat research and outreach team, working as an incident responder handling product security vulnerabilities, and as a team lead and analyst for a commercial vulnerability database.

    He is the Chair of the CVSS v3 Special Interest Group at FIRST, and was involved in the v2 SIG since 2005. He has been rating security vulnerabilities from commercial vendors or open source projects with a variety of scoring systems since 2003.

    With the release of Common Vulnerability Scoring System version 3 (CVSSv3), security teams need to understand how the classification and rating of vulnerabilities has changed. Version 2 has become a de facto standard over the last decade, and v2 scores are commonly used to quickly communicate severity.

    However, research presented at FIRST 26 showed that ~70% of published vulnerabilities could be described by applying only 10 combinations of metrics. This lack of variety left many characteristics of vulnerabilities poorly described or omitted by v2 classification, which in turn led to clusters of scores that flattened out the standard's usefulness for rating and responding to vulnerabilities.

    Version 3 corrects this condition without a net increase in metrics, by updating descriptive language, reducing subjective choice, and providing tools for an analyst to describe environmental mitigations (such as EMET, sandboxing, etc.) which reduce impacts or hamper exploitability in their organizations.

    This course is designed to give analysts hands-on training in applying the new CVSS v3 metrics, following the new decisions and descriptions for rating with v3, and exploring the new capabilities of Environmental Mitigations and Vulnerability Chaining. Attendees will work interactively with the facilitator to practice and apply the approach, rate "tough" vulnerabilities, and gain confidence in the new techniques necessary to help their organizations adopt the next standard for vulnerability scoring. It assumes passing familiarity with CVSS v3, such as reading the metrics section of the standard, and looking at the supplemental materials like the example vulnerabilities and scoring calculator; it will not be an in-depth review of those materials, but rather an application of them. Experience with CVSS v2 will be helpful, but is not necessary.

    It is intended for a technical audience, particularly for an analyst producing, supporting, or consuming vulnerability characteristics and ratings. Materials are designed for an analyst that is comfortable discussing vulnerability characteristics and foundational information security topics like authorization, privilege escalation, and the like. It may delve into discussion of common or emerging exploitation techniques (at a high level) but should be accessible to anyone comfortable with reading vendor or community produced vulnerability reports.

    June 17th, 2015 10:30 – 11:30

    (InterContinental Berlin, Germany)

  • Cyber Security Challenges in the Financial Sector: Internal and External Threats

    Ms. Rosa Xochitl SARABIA BAUTISTA (Mnemo-CERT)

    Rosa Sarabia

    Team Lead, Mnemo-CERT

    Rosa Sarabia is responsible for the definition, implementation and operation of Mnemo-CERT, standardizing the SOC-CERT processes by taking as reference the best security practices such as ISO, ITIL, COBIT and NIST. She worked at the Mexican National CSIRT (CERT-MX) where she participated developing the National Cyber Security Strategy. She also worked at UNAM-CERT and she was in charge to get ISO 27001 certification for Incident Response Process, a very successful task that remains up to date.

    She has been involved in the cyber security field for over 7 years. She studied for a Bachelor's degree in Computer Engineering at UNAM and a Master's in Computer Engineering at the same university. She has a reverse engineering background (Certified Reverse Engineering Analyst) and experience as an information security auditor.

    In recent years the attacks targeting financial institutions have evolved and are becoming more sophisticated. In fact, recent studies show that cyber-attacks have caused billions of dollars in losses, covering personal data, company records or files, and any other sensitive information, which has caused a fall in consumer confidence and irreparable damage to the brand, just as happened in the Target, Home Depot and J. P. Morgan security breaches.

    Due to the growing number and complexity of cyber-attacks, Mnemo-CERT was created: a financial Computer Emergency Response Team that works together closely with banks to respond in a timely manner to any kind of information security incident and also to strengthen their security mechanisms in order to minimize damage from attacks and intrusions.

    In this presentation, Mnemo-CERT will speak about two case studies, both very real threats to financial institutions:

    A. Financial fraud (internal threat). Staff represent a potential threat by virtue of their knowledge of and access to the organization's own systems and their ability to bypass security measures through legitimate means. In this case, the results obtained through Digital Forensics Analysis and Cyber Intelligence allowed us to identify who carried out this cyber fraud, when, and by what modus operandi.

    B. Malware targeting ATMs (external threat). Ploutus malware detected on ATMs in Mexico was designed to steal cash without requiring any access to the credit or debit cards used by customers. This malware was analyzed in Mnemo Labs using reverse engineering techniques, and the results obtained will be explained. A few months later, the Mnemo-CERT team received another Ploutus malware sample and, despite its double obfuscation, similar results were found.

    June 16th, 2015 15:45 – 16:45

    (InterContinental Berlin, Germany)

  • Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators

    Mr. Alexandre PINTO (Niddel), Mr. Alexandre SIEIRA (Niddel)

    Alex Pinto is the Chief Data Scientist of Niddel and the mind behind MLSec Project. He dedicates his waking hours to the development of machine learning algorithms and data science techniques to support the information security monitoring practice. He has presented results of his research at conferences such as Black Hat USA, DEFCON, BSides Las Vegas, BayThreat and ISC2 Security Congress. He has over 14 years dedicated to Information Security, 2 of them focusing on Data Science. If you are into certifications, Alex currently holds a CISSP-ISSAP, CISA, CISM and PMP. He was also a PCI-QSA for almost 7 years, and thankfully is almost fully recovered from that.

    Alex Sieira is the CTO of Niddel and a principal at MLSec Project for the last year. He has over 12 years dedicated to information security consulting, managed security services and R&D teams. He is an MBA, CISSP, CISA, besides some other product-specific acronyms. Alex has experience with a great range of security technology and standards, and has gained many a gray hair establishing SOC and SIEM services for large enterprises. He is currently focused on building the information security product his past self would have killed for.

    This session will consist of a technological exploration of commercial and open-source threat intelligence feeds that are commonly offered as a way to improve the capabilities of incident response teams. While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.

    We will present a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide, in addition to some tidbits as indicator age and uniqueness across feeds. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. The tool itself (tiq-test) will be able to be used by attendees to perform the same type of tests on their own data.

    We will also provide an additional open-source tool (combine) for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with a good mix of current publicly available network feeds and easily extensible for private or commercial feeds.

    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • Defining and Measuring Capability Maturity for Security Monitoring Practices

    Mr. Eric SZATMARY (Dell SecureWorks)

    Eric Szatmary is a Senior Security Consultant for the Incident Response and Digital Forensics practice at Dell SecureWorks. Eric Szatmary has over 17 years of information technology and security experience ranging from large enterprises to regulated small/mid-size companies spanning multiple verticals in a variety of operational and consulting roles. Szatmary holds the following certifications: CISSP, CISM, GCIH, GPEN, GCFA, GCFE, Scrum Alliance Certified ScrumMaster, and GE Six Sigma Green Belt. Szatmary also maintains affiliations with the following organizations: FBI InfraGard, FIRST, IEEE Computer Society, ISACA, ISSA, OWASP, USSS Electronic Crimes Task Force, and the Wisconsin Association of Computer Crime Investigators.

    All too often, CSIRTs and SOCs are realizing in the middle of high impact cybersecurity incidents that more could have been done to proactively monitor, detect, and respond to threat actor activity.

    While logging and monitoring "all the things" may be attainable for some organizations, many organizations must develop and execute a meaningful logging and monitoring strategy that balances coverage, efficacy, and cost. This presentation will cover the following elements to help organizations assess security monitoring capability maturity in a structured manner that enables continuous improvement and benchmarking with industry peer groups for detecting and responding to cybersecurity incidents relevant to their risk profile:

    • How to crosswalk security monitoring practices specified in key guidance such as NIST SP 800-53, PCI DSS 3.0, and the Council on CyberSecurity's Critical Security Controls to ensure a minimum security monitoring capability is in place.

    • How to use CERT-RMM and the recent derivatives created with DHS (CRR) and DOE (C2M2) to assess security monitoring capability maturity.

    • How to develop security monitoring use cases to support cybersecurity incident investigations and continuous monitoring.

    • Recommendations for key monitoring sources CSIRTs and SOCs should ensure are collected, retained, and are searchable.

    • How to maximize pre-existing monitoring sources and augment with open source/low-cost monitoring sources.

    • Recommendations for logging configuration settings and retention.

    • Recommendations for utilizing threat intelligence to enrich cybersecurity incident investigations and continuous monitoring.

    June 18th, 2015 11:00 – 11:30

    (InterContinental Berlin, Germany)

  • Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale

    Dr. Bronwyn WOODS (CERT Program, SEI, CMU)

    Bronwyn Woods is a research statistician in the CERT division of the Software Engineering Institute. She earned her PhD in Statistics and Neural Computation from Carnegie Mellon University, where she developed analysis methodology for neuroimaging data. Her current work involves the application and adaptation of statistical and machine learning techniques to a wide array of data-driven problems in cybersecurity.

    Samuel J. Perl is a member of the CSIRT development team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2011 and has worked in a variety of areas including insider threat, vulnerability assessment, security incident data analysis, and incident management team development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds an M.S. in Information Security Management from Carnegie Mellon University and a B.S. in Information Systems from Carnegie Mellon University.

    Mr. Thomas R. Millar serves as the United States Computer Emergency Readiness Team’s (US-CERT) Chief of Communications, a role which finds him at the intersection of outreach, awareness, standards development, and technical interoperability initiatives. In this role, Mr. Millar is focused on modernizing US-CERT's approaches to information sharing, knowledge exchange and coordination. Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009.

    Mr. Millar has previously worked as a team lead for intrusion detection and analysis at the FBI’s Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.

    Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.

    US-CERT receives a large volume of incident reports, but the reports often vary in quality and completeness. We explored multiple years' worth of reports looking for patterns and found that this data is rich with useful information. Rather than trying to enforce a structure on the data based on response team activity against a given incident, we took an entirely data-driven approach to structuring the information. This resulting structure can be used to complement the expertise of incident responders and answer tough questions from decision makers.

    Our method treats incident reports as observations of a large set of unknown real-world activities including malware campaigns, incident response procedures, or simply the daily operations of a reporting entity. We use co-occurrence patterns of indicators in tickets to estimate the strength of associations between indicators and infer potential 'real-world activity groups' that correspond to actual events. These patterns are useful building blocks to answer questions about incident status, investigation progress, threat families, trends and incident predictability. The benefits to CSIRTs include increasing shared situational awareness, better tailoring of incident response services for constituents, increased detection of emerging threats, better visualization of threat activity and better understanding of threat activity against specific constituent types.

    This presentation will summarize our methods and discuss ongoing work in visualizing and expanding indicator communities to allow feedback from analysts, integration of additional data sources, improved statistical learning algorithms and richer feature extraction from ticket data. All CSIRT members and managers are encouraged to attend and discuss data-driven information extraction techniques from large bodies of diverse and unstructured incident reports.

    June 19th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • DSMS: Automating Decision Support and Monitoring Workflow for Incident Response

    Mr. Chris HORSLEY (CSIRT Foundry), Mr. SC LEUNG (HKCERT)

    Chris Horsley

    Chris has 15 years' experience in the technology industry, much of it working with CSIRTs as a security analyst, software developer, and system administrator. He has been a member of AusCERT and JPCERT/CC, and currently runs a consultancy, CSIRT Foundry. He specialises in building CSIRT tools, examining CSIRT practices, and running training for national and organisational CSIRTs. He is especially passionate about open source tools, automation, data analysis, data visualisation, and collaboration tools for software development.

    SC Leung

    Mr. SC Leung is currently the Senior Consultant of HKCERT. He has over 20 years of working experience serving the banking, Internet solution provider, telecommunication and consultancy industries.

    HKCERT is taking proactive measures to clean up compromised computers in Hong Kong and to alert the public to vulnerabilities. SC focuses on cyber threat intelligence for raising security situational awareness, closer collaboration with ISPs to process large volumes of incident reports, and streamlining CERT operations by building systems.

    A major challenge of incident response today is the overwhelming load of incident reports, along with the complexities of consistently collecting incident data, analysing it thoroughly, and monitoring the status of a large number of reported incidents.

    We will present an initiative to automate incident response workflow with the Decision Support and Monitoring System (DSMS) jointly developed by HKCERT and CSIRT Foundry.

    The DSMS is designed with the prime objective to automate the most labour-intensive and unmanaged parts of incident response. By storing analysis results in a central repository that is accessible via a management interface, incident analysts may focus on higher value tasks. DSMS can also provide some capabilities that were not available before.

    Major Benefits of DSMS:

    • Provide a centralised registry of monitored targets
    • Provide a centralised repository to collect and consolidate monitoring results
    • Perform actions according to analysis results from a remote Monitoring Subsystem, based on action criteria listed in incident profile
    • Automate a team’s analysis workflow for different types of incident
    • Choose best-of-breed analysis tools, so that each analyst has access to the same tools
    • Perform 24-hour scheduled, ongoing checks, and store any changes in status found
    • Operate in a geographically distributed manner
    • Provide a collaborative environment for analysts
    • Provide a standard way to customise workflow and use new tools as circumstances evolve
    • Provide an API for other systems to consume the functions of DSMS, generate management reports on the usage of input systems and external analysis systems, and provide statistics of malicious objects or malware.

    DSMS is built with existing powerful open source tools, and embraces the power of existing security monitoring services (e.g. malware analysis systems and Internet resources lookup APIs). Its architecture is composed of a Core, Broker and several Agents.

    • DSMS Core: schedules monitoring jobs for dispatch, processes incoming analysis results, and provides the web interface, web API, and datastore services;
    • DSMS Broker: provides a message queue that serves as the communication channel between the Core and the Agents, and facilitates file transfers;
    • DSMS Agent: responsible for running analysis tasks and interfacing with external services, such as whois and other external vendor analysis services.

    The speakers will share the design of DSMS and the problems faced, for example the integration of modules and anti-fingerprinting measures employed by malicious content hosts. HKCERT will share its experience in integrating DSMS with its cyber threat intelligence system (IFAS) and incident report management system (IRMS).

    June 16th, 2015 15:45 – 16:45

    (InterContinental Berlin, Germany)

  • Effective Team Leadership and Process Improvement For Network Security Operators

    Mr. Jeremy SPARKS (United States Air Force)

    Captain Jeremy Sparks is the Weapons and Tactics Branch Chief at 24th Air Force, Joint Base San Antonio, Texas. Prior to taking his current post, Capt Sparks served as the Wing Weapons Chief at the 67 Cyberspace Wing where he oversaw tactics development for the USAF cyberspace force. During his 14 year career he has served as a Crew Commander at the USAF CERT, USAF CERT incident responder, USAF CERT Chief of Digital Forensics, and Cyber Threat and Network Defense instructor and curriculum developer for the USAF undergraduate cyber training schoolhouse. Capt Sparks is a distinguished graduate of Undergraduate Network Warfare Training, USAF Weapons School and a three-time presenter at the U.S. Department of Defense Cyber Crime Conference.

    Background: Effective team leadership often comes with experience but there are ways to expedite the experience cycle. One such method is the debrief process used by militaries, primarily aviators, all over the world.

    Summary: Debriefing is simply reconstructing and evaluating an event to determine how to replicate success and avoid repeat mistakes. A successful debrief depends on the ability to critically analyze events and the willingness to admit mistakes. The debrief process should encompass a review of events, identification of problems, determination of root causes and development of lessons learned. Critical self-analysis in the debrief process applies at the individual level as well as the organizational level. Debriefing is not a strategy for protecting a network. It is a method that should be used to evaluate how well you are performing a function, job or mission and provides the tools for constant improvement.

    Impact: The USAF aviation and special operations communities have been using the debrief process for decades with tremendous success. Over the past several years, the USAF has applied those same principles to cyber warfare. By institutionalizing the debrief into daily operations, the USAF has observed significant gains in mission effectiveness.

    Significance: The debrief process is the US DoD standard on how to perform a function, job or mission more effectively every time the function, job or mission is performed. The principles are straightforward and easily applied to non-military environments.

    Technical level of the presentation: Low

    Recommended target audience: Primarily team leaders and organizational leaders

    June 18th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Enabling Innovation in Cyber Security

    Mr. Michael GORDON (Lockheed Martin)


    We take it as a given that cyber threats continually evolve and grow in sophistication, but to defend against this, too many organizations rely on static technologies, rigid organizations, and analysts with narrow skillsets. For defenders, every day brings entirely new problems. It takes innovation to defeat sophisticated, dynamic threats. Teams must innovate to solve the right problems. They need to have the right visibility to know what the problems are, and real data to train solutions against. Organizations need a smaller pool of higher-skilled, well-rounded analysts, and must build the organization around collaboration and fostering creativity. Analysts and developers need to innovate together, side by side, in concert. The line between analyst and developer must blur. That innovation must be applied across the enterprise to make a difference. Innovation in a lab is great, but innovation as an enterprise solution actually stops the threats. Furthermore, innovation across a community of like-minded organizations makes a worldwide difference.

    June 16th, 2015 14:45 – 15:45

    (InterContinental Berlin, Germany)

  • ENISA Threat Landscape: Current and Emerging Threat Assessment

    Dr. Louis MARINOS (ENISA)

    Dr. Louis Marinos is a senior expert at ENISA in the area of Risk and Threat Management with extensive experience in the management and operation of security and the coordination of European expert groups.

    Currently, he is responsible for projects in the area of the Emerging Threat Landscape. He is the author of, and the main person responsible for, the ENISA Threat Landscape. His expertise covers:

    • Threat Analysis, Risk analysis, Risk Management and Business Continuity Planning, including SMEs, Member States and Critical Information Infrastructure Protection.

    • Assessment and management of emerging and future risks and threats, and the trends thereof.

    • Integration of Risk Management with operational and governance processes.

    • Strategic consulting in the area of security for major firms in the financial, telecommunication and commercial sectors.

    • Security management with regard to critical business areas, such as financial institutions, B2B and telecommunications.

    ENISA has, for the third time, performed a comprehensive threat assessment based on publicly available information.

    The assessment consists of:

    • Information collection
    • Information collation
    • Threat analysis
    • Creation of context and
    • Dissemination

    The ENISA threat landscape contains information about:

    • Current threats
    • Threat Agents
    • Attack vectors and
    • Emerging threats

    Besides the contents of the ENISA threat landscape, experiences with the process of threat intelligence collection will be discussed.

    June 18th, 2015 11:30 – 12:00

    (InterContinental Berlin, Germany)

  • Evaluating the Effectiveness of Fuzzy Hashing Techniques in Identifying Provenance of APT Binaries

    Ms. Bhavna SOMAN (Intel Corporation)

    Bhavna Soman is a Cyber Analyst and Software Developer for Intel Corporation's APT response team. She works at the intersection of Threat Intelligence, Software and Data Analytics. Bhavna has a Masters degree in Information Security from Georgia Tech. Before joining Intel, she was a Threat Analyst at Damballa.

    Knowledge and identification of malware binaries is a crucial part of detection and incident response. There was a time when using MD5s was sufficient to identify binaries: the reverse engineering analysis conducted once would be useful any time that same MD5 was seen again. This has rapidly changed in recent years. Polymorphic samples of the same specimen change the file hash (MD5, SHAx, etc.) without much effort by the attacker. Also, cyber criminals and advanced adversaries reuse their codebase to create newer versions of their malware, but changes in the file hash deny defenders any opportunity to connect and leverage previous analyses of similar samples.

    In recent years, there has been research into “similarity metrics” or fuzzy hashing techniques that can identify whether, or to what degree, two malware binaries are similar to each other. Imphash and ssdeep are examples of such techniques. This talk aims to evaluate which of these techniques is more suitable for evaluating similarities in code/coding methodology for APT related samples specifically.

    This presentation will take a data analytics approach. We will look at binary samples from APT events from the past two years and create clusters of similar binaries based on each of the two fuzzy-hashing techniques under consideration. We will then evaluate the accuracy of the clusters and examine their implications on the effectiveness of each technique in identifying provenance of an APT related binary.

    June 18th, 2015 10:30 – 11:00

    (InterContinental Berlin, Germany)

  • Everyday Etiquette: Responding to Uncoordinated Disclosures

    Ms. Laura RABA (US-CERT)

    Laura Raba has been a part of the CSIRT community since 2009. She currently works at US-CERT. The organization responds to major incidents, analyzes threats, and shares critical cybersecurity information with trusted partners around the world. Learn more at https://www.us-cert.gov/.

    When an incident occurs or a vulnerability is disclosed, the appropriate CSIRT(s) can deliver actionable information to counterparts and users firsthand. This exchange of information has become commonplace, based in part on reciprocal trust.

    As the CSIRT community has matured, so too has coverage of cyber issues in the media. Yet in an era when anyone can be a content publisher, "it's public" does not mean information has been depicted accurately or disclosed responsibly. As a result, the appropriate course of action for a CSIRT to take in response can be unclear.

    This presentation explores constraints that may prevent a CSIRT from sharing information, assumptions partners can consider when information seems to be withheld or mishandled, and a set of principles to guide communication in response to uncoordinated disclosure. Developed from lessons learned by US-CERT, the content will enable CSIRTs to approach similar engagement in a manner that minimizes uncertainty and stimulates trust. It is recommended for managers and policy makers responsible for CSIRT processes and workflow.

    June 15th, 2015 14:00 – 14:30

    (InterContinental Berlin, Germany)

  • Fact Tables - A Case Study in Reducing Reactive Intrusion Time-to-Know by 95%

    Mr. Jeff BOERIO (Intel Corp.)

    Jeff Boerio has a Bachelor of Science Degree in Computer Science from Purdue University and has been with Intel since graduating in 1993. The early part of his career at Intel was spent as embedded UNIX/Linux IT support for microprocessor design teams. Among his many achievements was establishing common open source and commercial software practices across Intel’s global design environment. Since 2004, Jeff has been part of the company’s information security organization where he helped develop the company’s cyber incident response processes. He is currently part of the advanced threat detection team, developing a variety of heuristic anomaly detection and new takes on traditional event correlation to identify suspicious activities in the enterprise. Jeff represents Intel’s interests with industry organizations including FIRST, IT-ISAC and ICASI, and has had leadership roles in special interest groups in those organizations. Away from work, Jeff lives with his wife and son on a small farm in the heart of Oregon’s wine region, juggling work and home life with extracurricular activities that include photography, motor sports, wine, martial arts, soccer, bicycling and rock n’ roll music.

    If Operation Aurora in 2009-2010 wasn't a wake-up call to enterprises that foreign entities could and did infiltrate some of the enterprises that were all running best-in-class network defenses and monitoring solutions, then certainly the recent string of intrusions and data breaches at big box stores like Target and The Home Depot and major financial institutions including JP Morgan Chase should be. The problem once the intelligence crosses the desk of enterprise incident responders, assuming you're collecting the data to begin with, is that there is simply too much data to sift through to determine whether we have a problem or not. This talk aims to describe the ways in which we have addressed this problem.

    Over the past few years, we have built up our own data warehouse, analytics and security business intelligence (SBI) capabilities. We started by taking a look at our "big six" event sources that we believed offered the biggest return on our investment and were able to answer questions about what happened and when. Those event sources were SMTP headers, web proxies, Active Directory, DHCP, VPN, and DNS. We invested in technologies that would allow us to ingest large volumes of data, keep it for a relatively long period of time, and query those archives with great speed.

    In this talk, we will review the painful history of trying to pull logs before our SBI capabilities were put into place, how data warehouse solutions provided improvement, and how we turned some lunchtime conversations into enterprise-class search capabilities that have reduced our time to know about industry-reported incidents by more than 95%. We will conclude with how we are further automating the capabilities and, in an unconstrained world, where they could be taken.

    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Global Standards Unification - How EU NIS Platform, NIST and IETF Standards are Breaking Barriers for Information Sharing and Automated Action

    Ms. Merike KAEO (IID)

    Merike Kaeo, Chief Information Security Officer at IID, is responsible for the company's overall security strategy which includes defining and implementing security incident response processes. Prior to joining IID, Merike founded Double Shot Security, which provided strategic and operational guidance to secure Fortune 100 companies. She led the first security initiative for Cisco Systems in the mid 1990s and authored the first Cisco book on security—translated into more than eight languages and leveraged for prominent security accreditation programs such as CISSP. Merike is a contributor to many international standards bodies including IETF, EU-NIS Platform and NIST security standards. She has been on ICANN’s Security and Stability Advisory Council (SSAC) since 2010 and the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) since 2012. Merike earned a MSEE from George Washington University and a bachelor’s degree in Electrical Engineering from Rutgers University.

    Government initiatives from the European Union and the US have been working on standardizing frameworks for cyber security resiliency and information sharing initiatives. The Internet and Jurisdiction project has been working on a global multi-stakeholder framework for multinational due process for combatting cyber crime. The IETF has been standardizing protocols and mechanisms to utilize security related posture and threat information to automate protecting endpoints. This talk will provide an updated and consolidated view of the standards the international government, law enforcement, technical and operational communities are creating to more effectively combat cyber related crime and automate mitigation processes.

    June 18th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Hands-on Network Forensics Workshop

    Mr. Erik HJELMVIK (FM CERT)

    Erik Hjelmvik is an incident handler at the Swedish Armed Forces CERT (FM CERT). Erik is also well known in the network forensics community for having created NetworkMiner, which is an open source network forensics analysis tool. NetworkMiner is downloaded more than 300 times per day from SourceForge and is also included on popular live-CDs such as Security Onion and REMnux.

    Network Forensics and Network Security Monitoring (NSM) are becoming increasingly important practices for incident responders in order to detect compromises as well as to trace the steps taken by intruders. In this interactive hands-on tutorial participants will learn how to perform network forensic analysis in an incident response scenario. The audience will be provided with a virtual machine and a set of PCAP files containing network traffic captured at the network perimeter of a made-up corporation. The PCAP data set is captured specifically for the FIRST 2015 Conference from a real Internet connected network.

    To actively participate in the hands-on tutorial students will need to bring a computer with VirtualBox installed. It is also possible to follow along using a physical machine with tools like Wireshark, tshark, argus, tcpflow and NetworkMiner installed.

    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • How We Saved the Death Star and Impressed Darth Vader

    Mr. Matthew VALITES (Cisco CSIRT), Mr. Jeff BOLLINGER (Cisco CSIRT)

    Matthew Valites is a senior investigator and site lead on Cisco's Computer Security Incident Response Team (CSIRT). He has architected Incident Response and monitoring solutions for cloud and hosted service enterprises, with a focus on targeted and high-value assets. A hobbyist Breaker and Maker for as long as he can recall, his current professional responsibilities include security investigations, operationalizing CSIRT's detection logic, and adapting monitoring and response techniques to Cisco's Cloud Services.

    With over ten years of information security experience, Jeff Bollinger has worked as a security architect and incident responder for both academic and corporate networks. Specializing in investigations, network security monitoring, and intrusion detection, Jeff Bollinger currently works as an information security investigator, and has built and operated one of the world's largest corporate security monitoring infrastructures. Jeff regularly speaks at international FIRST conferences, and writes for the Cisco Security Blog. His recent work includes log mining, search optimization, threat research, and security investigations.

    Consider this scenario: you are a leader of an incident response team. Threat intelligence sources indicate that a trusted insider has leaked confidential network diagrams, and a competitor or hacktivist may have discovered a vulnerability and is planning an attack. Your boss demands evidence of adequate preparations to ensure threat management systems are performing optimally. In defense of your operations, and possibly your job, now more than ever you must demonstrate your incident response team's value.

    Thankfully, you have already deployed security monitoring technology throughout the network, and have been measuring operations, tuning systems for false positives, and tweaking processes for improvement over time.

    In this presentation, we will:

    • Use a science fiction film as a metaphor for incident response
    • Show how to obtain the usable metrics
    • Describe how to interpret the metrics
    • Discuss the back-end requirements for producing good metrics
    • Demonstrate how to use the metrics to prove efficacy and plan for future capabilities

    Incident response teams, managers, and security architects can use the lessons divulged in this session to improve their own incident response processes and systems. They should come away with knowledge on how to measure their own performance and prove their success.

    June 17th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • I'm Sorry to Inform You...

    Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies), Dr. Marie MOE (SINTEF ICT)

    Dr. Marie Moe is a research scientist at SINTEF ICT, and has a Ph. D. in information security. Marie is passionate about incident handling and information sharing. She has experience as a team leader at NSM NorCERT, the Norwegian national CERT. Marie Moe is also an associate professor at the Center for Cyber and Information Security (CCIS) in Norway, where she teaches a class on incident management and contingency planning.

    Eireann Leverett is a Senior Risk Researcher at the Cambridge Centre for Risk Studies. He works in the areas of peril modelling, cyber-catastrophe, cyber-insurance, technological disasters, network science, and macro-economics. He is also an accomplished hacker, with a focus on systemic risks to industrial systems.

    Asset owners who have vulnerable systems, or who are victims of compromise, are often unaware of the situation. This talk will focus on how to go about informing industrial system owners of the situation. How can we reach out to many at the same time, how can we inform vendors of vulnerabilities, and how can we inform asset owners that their networks and devices are exposed?

    Between the two speakers thousands have been informed in this manner. They will discuss the methods, the bedside manner, and the outcomes. They will discuss industrial systems on the internet and CERTs (a couple thousand), vendor vulnerability notifications (20), Havex notifications in Norway's Oil and Gas and Energy sectors (550).

    During the summer of 2014 the Norwegian Oil and Gas and Energy sector was subject to a large coordinated cyber attack in which selected recipients were targeted in a spear-phishing campaign that delivered Havex. Due to the severity and extent of the campaign, NSM NorCERT decided to initiate a large warning distribution, reaching out to a total of 550 Norwegian companies.

    Since NorCERT did not have a complete contact list of all the potential victims in these sectors, this broad distribution was achieved by the CERT working together with the respective sectoral authorities.

    NSM NorCERT issued an alert to the Petroleum Safety Authority Norway (PTIL), the Norwegian Water Resources and Energy Directorate (NVE), FinansCERT (the industry CSIRT for the financial sector in Norway) and directly to companies that were already cooperating with NorCERT within the Oil and Energy sector. The respective authorities then forwarded this information to all affected parties. Letters were sent to targeted companies that were not covered by NVE's and PTIL's authority.

    The alert contained a list of indicators of compromise and a recommendation to search their systems. This resulted in a significant number of new findings. NSM NorCERT worked directly with the companies that had findings, assisting them with artifact analysis and incident handling coordination.

    The outreach campaign also attracted media attention, which created some noise and led to questions being asked at higher levels in the targeted organizations. To reach out, build awareness and answer some of these questions, a larger conference meeting was arranged for the alert recipients in the fall of 2014.

    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • Il Buono, il Brutto, il Cattivo: Tales from Industry

    Mr. Rich BARGER (Cyber Squared Inc.), Mr. Andre LUDWIG (Novetta Solutions)

    Rich is a pioneer in threat intelligence analysis and is the Chief Intelligence Officer and Director of Threat Intelligence at ThreatConnect. After watching China vacuum up most of the world’s intellectual property for a little over a decade, Rich sought likeminded security experts and together they founded ThreatConnect. Rich has more than 15 years supporting DC’s most elite cyber defense and intelligence organizations from within both public and private sector as former U.S. Army Intelligence Analyst and security consultant. In 2011, Rich abandoned any resemblance of a social life and sleep, to better serve the community he loves, and chose a “choose your own adventure” career by fusing intelligence analysis and technical administration. Rich is an analyst at heart, and his technical and operational vision is truly what makes ThreatConnect a disruptive new technology for organizations worldwide. Rich leads the ThreatConnect Intelligence Research Team (TCIRT), a globally recognized threat research team. Rich maintains a variety of professional industry certifications, and a BS in Information System Security.

    Andre likes to push boundaries and do things that people initially say are impossible. This has included fun stuff like disrupting botnets and malware, and creating the technical procedures for standing up the first TLD-level domain takedown process at Neustar. Currently Andre is responsible for Novetta's cyber products and service offerings, as well as leading the Advanced Research Group, which is responsible for R&D efforts, disruption operations and other fun projects.

    This session takes apart Operation SMN and the threat group Axiom, and examines in depth how over 10 private industry companies banded together to address a single threat group's entire tool set. We will cover some of the events that transpired during Operation SMN, including identifying and onboarding security vendors, handling sensitive evidence, creating novel analysis techniques, and fusing all that information into various reports for consumption by the public and industry. During this presentation we will also cover some of the strategic goals for the operation, how we went about executing against those goals, and some of the results and measurable impacts we have had. We will also review the strategic reasons why, and the tactics of how, these industry partners shared their knowledge with one another to achieve their common goal.

    Attendees in this session will learn:

    • History and background of related coordinated efforts
    • Some of the basic lessons learned and how to apply them to your own operations
    • Ways to group and characterize a common threat, and examples of how this team completed that task and leveraged that insight
    • Working with Microsoft through their Coordinated Malware Eradication Program, and Novetta's use of Microsoft's Virus Information Alliance (VIA)
    • What things were important to look for and capture
    • Looking forward: what we would have done differently, and what we want to see this evolve into

    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • Implementation of Machine Learning Methods for Improving Detection Accuracy on Intrusion Detection System (IDS)

    Mr. Bisyron MASDUKI (Id-SIRTII), Mr. Muhammad SALAHUDDIEN (Id-SIRTII)

    Bisyron Wahyudi is the Vice Chairman of ID-SIRTII/CC (Indonesia Security Incident Response Team on Internet Infrastructure) for Data Center and Application. He is a computer scientist with over twenty years of professional experience in software/application development, and a broad-ranging solution architect with exposure to enterprise solution development, solution architecture design, and solution delivery. He pursued his postgraduate study in Software Engineering at the Institute of Technology Bandung, Indonesia and Universite' Thomson, France. He has also been working for more than ten years in the field of network and information security. He is actively involved in several information and network security working groups, workshops, and trainings in the areas of cyber security collaboration, capacity building, critical information infrastructure protection, information security standards and compliance, incident handling and CERT/CSIRT establishment and management.

    Muhammad Salahuddien is Vice Chairman of Operation and Network Security of Id-SIRTII/CC, the National CSIRT of Indonesia. He is responsible for maintaining the daily operation of the internet security monitoring center, for incident management (reporting and handling), and for improving core internet services and critical infrastructure security and protection at the national level, in coordination and collaboration with other initiatives. He has more than twenty years of experience in ISP operations, internet infrastructure design, network and service security assurance, and disaster recovery. He holds a Master's degree in Information Security from Swiss German University and is now a PhD candidate at the University of Indonesia.

    Many computer-based devices are now connected to the Internet. These devices are widely used to manage critical infrastructure such as energy, aviation, mining, banking and transportation. The data and information transmitted over the Internet infrastructure have a very high strategic and economic value, and as that value increases, so do the threats and attacks against them. Statistical data show a significant increase in threats to cyber security. The Government is aware of these threats and is responding with a cyber security system that can perform early detection of threats and attacks on the Internet. The success of a nation's cyber security system depends on the extent to which it is able to produce its own cyber defense system independently. Independence is manifested in the ability to process and analyze threats, and to act to prevent threats or attacks originating from within and outside the country. One of the systems that can be developed independently is an Intrusion Detection System (IDS), which is very useful for early detection of cyber threats and attacks. The value of an IDS is determined by its ability to detect cyber attacks with few false detections. This work studies how to implement a combination of various machine-learning methods in the IDS to reduce false detections and improve the accuracy in detecting attacks. The work is expected to produce a prototype IDS equipped with a combination of machine-learning methods to improve the accuracy in detecting various attacks. The addition of the machine-learning feature is expected to identify the specific characteristics of the attacks occurring in the country's/region's internet network. The novel methods and implementation techniques used, and the national strategic value, are the unique value and advantages of this work.

    June 19th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Incident Response Programming with R

    Mr. Eric ZIELINSKI (Nationwide)

    Eric Zielinski is a Lead Forensic Examiner and Incident Responder for a Fortune 100 company. With over 15 years of security leadership experience he has performed attack and penetration, forensics, incident response, and security monitoring. His experience ranges from working for an ISP to security consulting, to managed security services, and financial institutions. He has been engaged in various infosec community initiatives such as the development of the Exfiltration Framework as well as a speaker at various conferences such as FIRST, CEIC, and many others. He is a certified EnCE and member of HTCIA.

    This presentation dives into the open source programming language R. R has primarily been used for statistical computing and graphics in the past. We attempt to bring a new programming language to the incident response community by teaching responders the basics of using R and how it can be leveraged during live incident response. The session will focus on reading/writing data, graphing incident data, data manipulation, and data modeling. We will walk through several log analysis scenarios, using R to quickly identify the data we are interested in analyzing. This session aims to provide an introduction to the R language as well as touch on a few advanced topics.

    June 15th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • IPv6 Security Workshop

    Mr. Frank HERBERG (SWITCH-CERT)

    After completing his studies in engineering, Frank Herberg worked on IT infrastructure and security projects for a number of technology consulting firms. In 2012, he joined SWITCH-CERT, where one of his specialisms is IPv6 security. In recent years he has conducted diverse IPv6 security trainings and hands-on workshops for the security community.

    This workshop will cover:

    • Why IPv6 is an extensive security topic
    • Overview of the security-relevant differences to IPv4
    • Deep dive into selected protocol details and the attacks that accompany them (incl. demonstrations)
    • What the latent security risks for organizations are today
    • Recommended IPv6 security resources and tools

    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites

    Mr. Hiroshi KOBAYASHI (JPCERT/CC), Takayuki UCHIYAMA (JPCERT)

    Takayuki Uchiyama

    Taki works at JPCERT/CC as an Information Security Analyst. He is part of the Information Coordination Group within JPCERT/CC, and his main tasks include vendor/CSIRT coordination on security reports, mainly dealing with vulnerabilities, as well as maintaining communications with the various communities across the globe. Previous work includes being a compliance consultant, where his main tasks involved working with Japanese clients to obtain FIPS 140-2 validations and drafting security documents, in addition to administration of employee benefit plans such as 401(k) and defined benefit plans.

    Hiroshi Kobayashi

    Hiroshi Kobayashi is a member of the Incident Response Team at JPCERT/CC. Since 2011, he has been handling domestic computer security incidents at the forefront. In addition to his role as an incident handler, he engages in incident analysis and the development and operation of its supporting systems. One of his significant contributions was the design and development of the “Open DNS Resolver Check Site” (http://www.openresolver.jp/en/), an easy-to-use online tool released in 2013. Before joining JPCERT/CC, he was engaged in incident handling and network operation at a Japanese company.

    While targeted attacks have been one of the main concerns in cyber security in recent years, many CSIRTs are still struggling with malicious websites such as defaced websites and phishing sites.

    This presentation intends to cover some noteworthy features seen in the HTML/JavaScript used in actual website defacement cases, including SQL injection and watering hole attacks. It will also introduce a new tool, “ChkDeface”, created and implemented at JPCERT/CC, and share its secure and efficient monitoring method, which utilizes malicious site characteristics in the form of signatures.

    JPCERT/CC is planning to share the source code of this tool with some CSIRTs within the community, with the hope that the signatures and the tool can be practically utilized to trigger deeper discussion among the many security experts about more precise detection methods.

    June 19th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • Machine Learning for Cyber Security Intelligence

    Mr. Edwin TUMP (NCSC-NL)

    Edwin Tump received his bachelor's degree in Computer Science at the Polytechnic of The Hague. His main focus during his study was the development of software and technical infrastructures. During the first years of his career, he touched on various subjects of information science working as a systems developer, Windows NT systems administrator, Oracle DBA, X.25 network administrator and security specialist.

    Since 2005, Edwin has been working for NCSC-NL (formerly GOVCERT.NL), first as a security specialist and currently as a security analyst. He is, among other things, involved in analyzing current threats, developing and testing tools and writing reports like factsheets, the NCSC Monthly Monitor and the annual Dutch National Cyber Security Assessment.

    When not working, Edwin enjoys visiting matches of Rotterdam soccer club Feyenoord and travelling.

    The Dutch National Cyber Security Centre (NCSC-NL) continually monitors both public and private sources for digital threats, vulnerabilities and ICT security developments. These sources provide a large amount of news items that are analyzed for both operational threats and tactical/strategic developments and trends.

    For the operational process, NCSC-NL has a clustering solution in place to combine common news items, but this solution is less suitable for a longer term analysis of these developments by the analysts of NCSC-NL. Determining the main stories, topics and developments over a time period of e.g. a week, a month or a year is still carried out manually and is therefore time-intensive and error-prone.

    NCSC-NL started a project with the Dutch National Forensic Institute (NFI) to explore ways to analyze the available information more effectively and more efficiently, especially over longer periods of time. In this project, the expertise of the NFI in big data analytics and text mining was combined with the available data, requirements and analysis expertise of the specialists at NCSC-NL. At the start of the project, the process that analysts follow and the data available were explored and ways in which an automated system could support in this process were identified. Then, two of the possible solutions (automatic relevance determination and automatic dossier suggestions) were studied in depth and, based on an agile scrum approach, proof-of-concepts were developed.

    These project results will now be used to develop a production-ready solution that is likely to be integrated with the tooling used by NCSC-NL. As other organizations within the community are facing identical operational challenges and are using similar tools to gather information, the project results will not only be useful for NCSC-NL but are also significant for the community as a whole.

    June 17th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • Malware Analysis Case Study & Experimental Evaluation on the Applicability of Live Forensics for Industrial Control Systems

    Mr. Yuji KUBO (CFC), Mr. Kensuke TAMURA (CFC)

    Yuji Kubo is a technical official in the National Police Agency of Japan. He has been engaged in computer forensics for over 10 years in local police and national police. Currently, he works at Cyber Force Center as a malware analyst. His role is not only analyzing malware but also teaching malware analysis techniques for the technical officials working at local and regional police organizations.

    Kensuke Tamura is also a technical official in the National Police Agency of Japan. He has also been engaged in computer forensics for over 10 years in local police and national police. Currently, he is engaged in the research for the prevention of cyber attacks against ICS at Cyber Force Center.

    CFC (Cyber Force Center) is one of the special task forces in the High-Tech Crime Technology Division of the National Police Agency of Japan. CFC deals with technical matters for the prevention of cyber crime and provides technical support for local police task forces. CFC has two main roles, that is, counter cyber intelligence and counter cyber terrorism. From the standpoint of counter cyber intelligence, we'd like to talk about the malware analysis case study. From the standpoint of counter cyber terrorism, we'd like to talk about live forensics for ICS (Industrial Control Systems).

    1. Malware Analysis Case Study

    CFC is engaged in malware analysis mainly in cyber intelligence cases. In our presentation, we'd like to talk from a technical perspective about the techniques used in malware that targeted a Japanese private company. It has a unique encoding scheme for communication between the attacker and the victim, and some anti-analysis techniques. We'd like to explain these techniques as a result of our analysis.

    2. Experimental Evaluation on the Applicability of Live Forensics for Industrial Control Systems

    Now, ICS is one of the main targets of cyber terrorism. CFC is responsible for the emergency measures to mitigate the damage caused by cyber terrorism. In order to accomplish this job, we are engaged in research into effective digital forensic tools for ICS which automatically execute a command for evidence preservation after an incident has occurred. This research focuses on measuring the latency introduced by the command in an experimental environment.

    June 17th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • Malware in Your Pipes: The State of SCADA Malware

    Mr. Kyle WILHOIT (Trend Micro)

    Kyle Wilhoit is a Threat Researcher at Trend Micro on the Future Threat Research Team. Kyle focuses on original threats and malware. Kyle also actively tracks crimeware and targeted malware based espionage worldwide. Kyle has spoken at many worldwide conferences such as FIRST, HiTB, and Blackhat US/EU and he has been featured on New York Times, LA Times, Fox Business, ABC and many additional outlets. Prior to joining Trend Micro, Kyle worked at Fireeye as a Threat Intelligence Analyst focusing on state-sponsored attacks and criminal activity. He was also the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and targeted persistent threats. Kyle is also involved with several open source projects and actively enjoys reverse engineering things that shouldn’t be.

    Malware within SCADA environments is becoming more prevalent. Unfortunately, this trend is increasing and becoming more worrisome. SCADA-related malware and the motives behind it are typically complex, and we will cover the motives behind several SCADA-related attacks. We will cover the current state of SCADA-related malware and its effects on systems and environments. In addition, we will be infecting a live ICS lab and monitoring what the malware is doing and why. This talk will cover never-released details about SCADA attacks and the malware behind those attacks.

    June 15th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • National Cyber Protection through Facilitation. Real Cases by CERT-UA

    Mr. Nikolay KOVAL (CERT-UA)

    Nikolay Koval is a deputy head of unit in the State Center of Information and Telecommunications Systems Protection and deputy head of CERT-UA. He is devoted to CERT-UA and, along with his team, strives to make the Internet a safer place. In his daily job he analyzes the state of information security in the “Ukrainian” Internet and works to give the national IT infrastructure the ability to effectively counteract cyber threats. He is also the leader of the Ukrainian Honeynet Project chapter and actively participates in deploying honeypots in the UA net.

    Ukraine has been witnessing tremendous economic, political and social problems during the last year or so. In all these bad circumstances the question of cybersecurity has become more important than ever - bad guys try to take advantage of this situation all the time. At the same time there is a shortage of financial resources, which negatively affects the process of improvement. That's why CERT-UA decided to accept the challenge and tried to fix the situation. The main goal - TO PROVIDE PROTECTED NATIONAL IT INFRASTRUCTURE - was achieved. The presentation will cover developed and deployed technical solutions that were appropriately applied in GOV and non-GOV networks. It is also planned to give a short overview of CYBERTRENDS 2014 in Ukraine and demonstrate real cases solved (some even brand-new ones for us). The talk touches on the following topics: tools used for response and investigation, the information sharing process, cooperation with stakeholders, and threats. As an epilogue to the presentation we will try to estimate the effectiveness of the approaches used while protecting national cyberspace.

    June 17th, 2015 11:30 – 12:30

    (InterContinental Berlin, Germany)

  • Overview of South Korea Target Malwares

    Mrs. Dongeun LEE (KRCERT/CC, KISA)

    KrCERT, Code Analysis Team, Deputy General Researcher

    1. Characteristics of the spread of South Korea target malwares.
    2. Similarity between the Sony Pictures malwares and South Korea target malwares.
    3. The need to analyze hackers as a malware analyst.
    4. How malwares are analyzed in KrCERT based on the yara project.

    South Korea faces a lot of malware because it is an attractive place from the hackers' point of view. South Koreans can transfer money in a few seconds because the Internet banking process is so fast. Hackers use this fast transfer system to earn money. They intercept security numbers, South Korean identity numbers, account numbers, etc. Using this information they pretend to be normal users and transfer money to their own accounts. KrCERT/CC has analysed these hackers and found that the same hackers who had stolen game accounts and passwords to gain game money have started stealing information related to Internet banking.

    National cyber attacks are ongoing in South Korea as well. Hackers spread malware through ActiveX vulnerabilities, modified update modules of Webhard programs, email attachments, etc. Malware on infected PCs sends information about the organization, the system, etc. to the hackers. Hackers manage zombie PCs and use those zombies for several campaigns. If there are PCs belonging to a target organization, hackers install more complicated malware and take control of the system. In the case of national cyber attacks, KrCERT recognized that hackers spend a long time studying the target organization in order to spread malware in the local network.

    One of the South Korean cyber attacks is very similar to the Sony Pictures attack. Through extensive experience with attacks on South Korean organizations, KrCERT/CC is developing yara patterns related to hacking organizations and filtering malware automatically.

    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • Passive Detection and Reconnaissance Techniques to Find, Track and Attribute Vulnerable "Devices"

    Mr. Alexandre DULAUNOY (CIRCL - Computer Incident Response Center Luxembourg), Mr. Eireann LEVERETT (Cambridge Centre for Risk Studies)

    Alexandre Dulaunoy (@adulau)

    Alexandre encountered his first computer in the eighties, and he disassembled it to learn how the thing worked. While pursuing his logical path towards information security and free software, he worked as a senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, specialized in information security management, and for the past 6 years he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL, the national Luxembourgian Computer Security Incident Response Team (CSIRT), in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. Alexandre enjoys working on projects where there is a blend of free information, innovation and direct social improvement. When not gardening binary streams, he likes facing the reality of ecosystems while gardening or doing photography.

    Eireann Leverett (@blackswanburst)

    Éireann Leverett studied Artificial Intelligence and Software Engineering at Edinburgh University and went on to get his Masters in Advanced Computer Science at Cambridge. He studied under Frank Stajano and Jon Crowcroft in Cambridge's computer security group. In between he worked for GE Energy for 5 years and has just finished a six-month engagement with ABB in their corporate research department. He worked for IOActive in their world-class Industrial Systems Security team. Eireann is a Risk Researcher at the Centre for Risk Studies (Cambridge), where his research focuses upon technological disasters and the economic impacts of computer security failures or accidents.

    The Internet is still composed of a significant number of devices (e.g. industrial control devices, network equipment or smart devices) with obvious vulnerabilities. The role of an incident response team, especially at a national level, is to know the current threat level against such vulnerable equipment and the associated risks to the exposed equipment. Incident response teams might face legal issues when pro-actively scanning such equipment for such vulnerabilities. This research overcomes these limits by focusing on existing data collected by other organisations and passively discovering the vulnerable systems (and the owners of the systems, which can be a challenge for an incident response team). The passive data collection includes significant datasets such as X.509 certificates, Passive DNS records and public Internet-wide scans.

    June 17th, 2015 10:30 – 11:30

    (InterContinental Berlin, Germany)

  • Pen Testing iOS Apps Workshop

    Mr. Kenneth VAN WYK (KRvW Associates, LLC)

    Kenneth R. van Wyk is an internationally recognized information security expert and author of three popular books on incident response and software security. He is also a monthly columnist for Computer World and a member of FIRST's Board of Directors.

Ken has 25 years of experience as a security practitioner in the US Government, commercial, and academic sectors. He has held senior technologist positions with the US Department of Defense, Carnegie Mellon University, Para-Protect, and SAIC. He is currently the president and principal consultant of his consulting/training practice, KRvW Associates, LLC, located in Alexandria, Virginia.

This session will provide a quick but deep dive into penetration testing iOS applications. Using a jailbroken device, security testers can actively probe an app's run-time environment to discover and exploit potential architectural weaknesses in iOS apps. In this session we'll explore how these testing techniques can be used after an incident occurs, to determine the possible points of system compromise during the incident. The same techniques can be used to perform dynamic analysis of iOS incident artifacts.

    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • Prepare Your Cybersecurity Team for Swift Containment Post Incident

    Mr. Michael HARRINGTON (General Dynamics Fidelis Cybersecurity Solutions)

Michael Harrington is a cybersecurity architect for General Dynamics Fidelis Cybersecurity Solutions. He is a certified PCI-QSA and has held his CISSP for over 13 years. He has more than 20 years of experience in the design and implementation of multi-platform information technology projects and more than 15 years of experience in the information security arena, including projects in both the public and private sectors. Mike began his security efforts while working in the U.S. Federal Government. He has also provided information security services to the Department of Defense. His expertise includes efforts on behalf of small local businesses as well as global enterprises. Mike currently coordinates incident response teams, managing both the people and the systems necessary to provide high-level expertise for clients' cyber security protection and data exfiltration prevention. Mike was instrumental in identifying and containing a data breach at an international data processor before the event became catastrophic. Mike has seen firsthand where many enterprises fail to prepare for the inevitability of some type of breach. His experience has taught him several key factors that will mitigate damage and provide for long-term corporate viability. Join him as he discusses key preparedness steps to help before, during and after a crisis strikes.

    Appropriate Incident Response is critical to your entity’s longevity and wellbeing, and yet practically preparing for it is often undervalued. This discussion will cover critical factors that, when the groundwork is laid in advance, will facilitate swift, organized, and clean incident response.

Key factors will make or break your response and containment:

    • A small team of fully authorized key players
    • Up-to-date maps of your servers, connections, software, and analysis capability
    • A communication plan for red alerts and private information sharing
    • Update, Meet, DRILL

While the keys I specify here may sound simple and easy, most organizations take for granted that they can put their fingers on such information quickly (often they cannot, particularly during incident containment), create an incident response network team on the fly (anxiety can hinder effectiveness), and automatically know what they need to look at and how to do so.

Key factors will be elaborated during the discussion:

    • Who should be on the team and how to appropriately authorize them.
    • Examples of the data that needs to be kept up-to-date and properly maintained to determine where to close loops upon incident.
    • What needs to be included in the communication plan, including specifics such as phone contacts and e-mails (have your incident response e-mail / contact group already created), and maintaining a private information sharing channel for this purpose.
    • Details of how to stay updated and drill for incident response.

    June 16th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • Protecting Privacy through Incident Response

    Mr. Andrew CORMACK (Jisc)

    Andrew Cormack was head of JANET CERT from 1999 to 2003, and has remained a personal member of both FIRST and TF-CSIRT since then. His current role as Janet's Chief Regulatory Adviser covers the security, policy and regulatory issues of providing networks and networked services to the UK’s universities, colleges and schools. He has a particular interest in how digital technologies can be used to enhance privacy. He is an experienced presenter at national and international conferences and training courses, both on-line and in person. He has degrees in Mathematics and Law, and is studying for a Masters in Computer and Communications Law.

Incident response is sometimes regarded as harmful to privacy, since it frequently involves processing e-mail addresses, IP addresses and other information that may be privacy sensitive. However, European privacy law, among the strictest in the world, actually promotes incident response. This talk will highlight the privacy benefits of incident response, suggest practical guidelines that IR teams can use to ensure their activities are and remain privacy-protecting, and show how this approach should satisfy the requirements of European law.

    June 18th, 2015 10:30 – 11:00

    (InterContinental Berlin, Germany)

  • Quality Over Quantity—Cutting Through Cyberthreat Intelligence Noise

    Mr. Rod RASMUSSEN (IID)

    Rod Rasmussen co-founded IID and is the company’s lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system by criminals. Rasmussen serves in leadership roles in various industry groups including the Anti-Phishing Working Group (APWG), ICANN’s Security and Stability Advisory Committee (SSAC), the FCC's Communications Security, Reliability and Interoperability Council (FCC CSRIC), the Online Trust Alliance (OTA), and is IID's FIRST representative.

    With organizations under constant threat of losing sensitive data and experiencing network disruptions during cyberattacks, it’s no secret that they are turning to threat intelligence for a real-time cross-industry look at attacks that are happening now and could be hitting them next.

    With literally thousands of threat intelligence feeds to pull from, the key isn’t quantity but quality. Is the data you’re feeding into your security appliances important or just noise, and can the data be formatted to meet your security infrastructure’s requirements?

    In this session, learn how to achieve truly interoperable cyberthreat intelligence. Get a special inside look at the challenges and opportunities of implementing and leveraging actionable data. What are the common barriers to full interoperability? How can organizations leverage intelligence no matter what security appliances they currently use? What are the challenges to receiving real-time, machine-to-machine information?

IID's Rod Rasmussen will discuss how to consolidate the dozens of different formats required by various security appliances and how to prioritize certain threat indicators over others.
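The consolidation and prioritization problem described in the abstract, as an added example that is not IID's code or product: three constructed feeds in different formats (CSV, JSON, a plain-text blocklist) are normalized to a common record, de-duplicated, stripped of obvious noise, scored by how many independent feeds corroborate each indicator, and exported in the format a hypothetical appliance expects. The feed field names, the allowlist and the export format are assumptions.

```python
"""Normalize, de-duplicate, score and export indicators from mixed-format feeds."""
import csv
import io
import ipaddress
import json
from collections import defaultdict

# Constructed feeds. Field names per feed are assumptions about that feed.
CSV_FEED = """indicator,type,confidence
203.0.113.5,ipv4,80
evil.example,domain,60
10.0.0.9,ipv4,90
"""
JSON_FEED = json.dumps([
    {"value": "203.0.113.5", "kind": "ip", "score": 0.7},
    {"value": "bad.example", "kind": "fqdn", "score": 0.9},
    {"value": "EVIL.example.", "kind": "fqdn", "score": 0.5},
    {"value": "cdn.example", "kind": "fqdn", "score": 0.9},
])
TXT_FEED = """# constructed plain blocklist, one IPv4 per line
203.0.113.5
198.51.100.23
"""

# Vendor-specific type names mapped onto a common vocabulary.
TYPE_MAP = {"ipv4": "ipv4", "ip": "ipv4", "domain": "domain", "fqdn": "domain"}
# Shared infrastructure in this hypothetical environment: blocking it would
# break legitimate traffic, so it counts as noise.
ALLOWLIST = {"cdn.example"}
# Addresses that can never be a useful external indicator. The documentation
# ranges used by this example are deliberately not listed here.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]

def normalize(kind, value, confidence, source):
    """Return a common (type, value, confidence 0-100, source) record, or None for noise."""
    itype = TYPE_MAP.get(kind.lower())
    if itype is None:
        return None
    value = value.strip().lower().rstrip(".")          # case and trailing-dot FQDNs
    if itype == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            return None
        if any(addr in net for net in NOISE_NETS):
            return None
    elif value in ALLOWLIST:
        return None
    return (itype, value, max(0, min(100, int(confidence))), source)

def parse_csv(text, source):
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in (normalize(x["type"], x["indicator"], x["confidence"], source) for x in rows) if r]

def parse_json(text, source):
    return [r for r in (normalize(x["kind"], x["value"], x["score"] * 100, source) for x in json.loads(text)) if r]

def parse_txt(text, source, default_confidence=50):
    lines = (l.strip() for l in text.splitlines())
    return [r for r in (normalize("ipv4", l, default_confidence, source)
                        for l in lines if l and not l.startswith("#")) if r]

def merge(records):
    """(type, value) -> {"confidence": best seen, "sources": feeds that carried it}."""
    merged = defaultdict(lambda: {"confidence": 0, "sources": set()})
    for itype, value, conf, source in records:
        entry = merged[(itype, value)]
        entry["confidence"] = max(entry["confidence"], conf)
        entry["sources"].add(source)
    return dict(merged)

def priority(entry):
    """Corroboration across independent feeds outweighs any single feed's score."""
    return min(100, entry["confidence"] + 15 * (len(entry["sources"]) - 1))

def prioritized(merged):
    return sorted(merged.items(), key=lambda kv: (priority(kv[1]), kv[0]), reverse=True)

def export(merged, min_priority=60):
    """Hypothetical appliance format: '<type> <value> # prio=<n> sources=<list>'."""
    return [f"{t} {v} # prio={priority(e)} sources={','.join(sorted(e['sources']))}"
            for (t, v), e in prioritized(merged) if priority(e) >= min_priority]

if __name__ == "__main__":
    records = (parse_csv(CSV_FEED, "feed-csv") + parse_json(JSON_FEED, "feed-json")
               + parse_txt(TXT_FEED, "feed-txt"))
    print("\n".join(export(merge(records))))
```

The scoring is intentionally simple; what matters is that the same indicator arriving as `203.0.113.5`, `"203.0.113.5"` and a bare blocklist line collapses to one record, while a private address with a confidence of 90 never reaches the appliance.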

    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • RAT Tracking - Proactive Adversary Attribution via Scalable C2 Profiling

    Mr. Levi GUNDERT (Fidelity Investments)

    Over the past decade, Levi Gundert has become an internationally recognized information security and risk management leader and trusted cyber security advisor to leading corporations.

    As Vice President of Threat Intelligence for Fidelity Investments, Levi currently leads a team focused on advancing a robust program capable of efficiently operationalizing threat data. Levi is interested in the practical application of big data analytics in threat intelligence programs, and is particularly focused on developing new proprietary sources of threat insight.

    Levi’s past roles include investigating electronic crimes for the U.S. Secret Service (Los Angeles Electronic Crimes Task Force), threat research and analysis at Team Cymru, and most recently, Technical Leader for Cisco's Threat Research, Analysis & Communications (TRAC) team.

In 2012 Gundert was recruited by the U.S. Federal Bureau of Investigation Law Enforcement Executive Development Association (FBI-LEEDA) to develop and deliver a comprehensive law enforcement program on identity theft, fraud, and cybercrime. The course was presented to more than 600 federal, state, and local law enforcement officials.

    Levi is a frequent contributor to online information security magazines and is a regular lecturer at information security conferences. Among the many organizations that have engaged Levi as a guest speaker are INTERPOL, Kaspersky, the Australian Federal Police, and the U.S. Department of Justice.

Today, threat intelligence for law enforcement and private industry continues to rely on the bulk processing of malware samples to derive indicators of compromise (IOCs), both for inclusion in defensive technologies and as leads for criminal investigations. This approach, while effective, relies on large amounts of computing and Internet resources to process the tens (to hundreds) of thousands of daily malware samples collected by security vendors; even anti-virus companies struggle to process the volume of daily samples. Additionally, the derived insight that law enforcement and private industry rely on is largely reactive and only as good as the sources collecting the malware.

The proposed solution is complementary to bulk malware run-time analysis: it is scalable, resource efficient, and often leads to quick and direct attribution. The approach is proactive, iterative, large-scale Internet enumeration to identify specific HTTP C2 server signatures. In limited testing it revealed malware C2 locations that were unknown to VirusTotal and TotalHash. Additionally, because the author focused on RAT (Remote Access Trojan) families, many of the C2 servers were located on residential ISP (Internet Service Provider) net blocks, potentially indicating the RAT adversary's physical location.
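The signature-matching step of that enumeration, as an added example that is not the speaker's tooling: raw HTTP responses collected from an Internet-wide sweep are parsed and compared against per-family signatures that pin the status line, the exact order of header names (implementation quirks of a C2 panel show up in ordering) and value/body patterns, and each hit is tagged with the kind of netblock it sits on. The responses, the two RAT family names and signatures, and the netblock table are all constructed; real signatures come from observing a family's panel or listener.

```python
"""Match raw HTTP responses from an enumeration against C2 server signatures."""
import ipaddress
import re

# Constructed, hypothetical family signatures.
SIGNATURES = {
    "rat-alpha": {
        "status": "HTTP/1.1 200 OK",
        "headers": [("Server", r"^Apache$"), ("Content-Type", r"^text/html$"), ("Content-Length", r"^\d+$")],
        "body": r"<title>\s*alpha panel\s*</title>",
    },
    "rat-beta": {
        "status": "HTTP/1.0 404 Not Found",
        "headers": [("Content-Type", r"^text/plain$"), ("Connection", r"^close$")],
        "body": r"^\s*beta-listener-v\d+\s*$",
    },
}

# Constructed netblock table standing in for WHOIS/ASN data.
NETBLOCKS = [("203.0.113.0/24", "hosting"), ("198.51.100.0/24", "residential-isp")]

# Constructed enumeration results: (ip, raw response to GET /).
RESPONSES = [
    ("203.0.113.9", b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
                    b"Content-Length: 39\r\n\r\n<html><title>Alpha Panel</title></html>"),
    ("198.51.100.42", b"HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n"
                      b"beta-listener-v3\n"),
    ("203.0.113.77", b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"),
    # Same text as rat-alpha but different header order: an ordinary server, not the panel.
    ("203.0.113.78", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Apache\r\n"
                     b"Content-Length: 39\r\n\r\n<html><title>Alpha Panel</title></html>"),
]

def parse_response(raw):
    """Split a raw response into (status line, [(name, value), ...] in wire order, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body.decode("latin-1", "replace")

def matches(sig, status, headers, body):
    """Status, exact header-name sequence, every value regex and the body regex must all hold."""
    if status != sig["status"]:
        return False
    if [n.lower() for n, _ in headers] != [n.lower() for n, _ in sig["headers"]]:
        return False
    for (_, value), (_, rx) in zip(headers, sig["headers"]):
        if not re.search(rx, value):
            return False
    return re.search(sig["body"], body, re.I) is not None

def classify_ip(ip):
    addr = ipaddress.ip_address(ip)
    for net, kind in NETBLOCKS:
        if addr in ipaddress.ip_network(net):
            return kind
    return "unknown"

def profile(responses):
    """ip -> (family, netblock kind) for every response that matches a signature."""
    hits = {}
    for ip, raw in responses:
        status, headers, body = parse_response(raw)
        for family, sig in SIGNATURES.items():
            if matches(sig, status, headers, body):
                hits[ip] = (family, classify_ip(ip))
                break
    return hits

if __name__ == "__main__":
    for ip, (family, kind) in profile(RESPONSES).items():
        print(f"{ip}\t{family}\t{kind}")
```

Requiring the exact header sequence is what keeps the false-positive rate tolerable at Internet scale: a generic "Apache + text/html" match would flag millions of hosts, whereas a panel written with a hand-rolled HTTP stack tends to emit the same few headers in the same order every time.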

    June 16th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Mr. Inseung YANG (KrCERT/CC), Ms. Jihwon SONG (KrCERT/CC)

Mr. YANG, Inseung

    Education : Yonsei University M.S. in Computer Science, Joongang University B.S in Computer Science

    Experiences : KrCERT/CC, Code Analysis Team (2010.2-)

Ms. SONG, Jihwon

    Education : Seoul National University M.S. in Technology, Management, Economics and Policy, Korea University B.S. in Computer Science Education

Experiences : KrCERT/CC, Code Analysis Team (2013.12-); Samsung Electronics, Mobile Communication Division (2006.12-2012.1)

According to Cisco's annual report, 99 percent of all mobile malware intended to compromise a device targets Android. In Korea in particular, attackers distribute SMS phishing (smishing) apps predominantly through spam messages, which has caused financial harm to large numbers of Korean Android users. Further, the policies designed by the South Korean government against these threats have weaknesses, because the malicious apps bypass them.

This presentation will describe the policy measures for mobile banking in Korea and the attack methods used by hackers. Among the attack methods are theft of certificates, impersonating legitimate banking apps to request the security numbers issued to users when they opened their accounts, and Automatic Response Service (ARS) phishing combined with call forwarding. Other methods include requesting One Time Password (OTP) numbers, and Internet of Things (IoT) attacks in which routers are compromised so that smartphone and PC users are targeted simultaneously. I will discuss the activities of KrCERT/CC in response to these malicious mobile apps.

1) Evolution of malware dissemination methods

In South Korea, 90% of malicious apps are distributed by smishing. Attackers use social engineering to persuade people to divulge sensitive information, with lures that change with the times. For example, following the Sewol ferry disaster, attackers sent SMS messages referencing it for about 15 days and distributed associated fraudulent banking apps. Malicious apps have even recently used the Sony film "The Interview" as a lure. There are also malicious apps pretending to be from KrCERT/CC, the Google marketplace, mobile antivirus vendors, well-known delivery companies, popular domestic Internet portals, prosecutors, and the police. Distribution channels include the official app market, compromised mobile web servers, e-mails to specific targets, and targeted (APT) campaigns that induce victims to install the malicious app.

    2) Types of malicious apps

Many apps aim not only to uncover users' financial details but also to spy on users. Such apps tap the phone and send users' personal data to command and control (C2) servers on a regular basis. There have even been cases of attackers trying to steal a popular Korean mobile messenger's database, and of users hit by mobile ransomware delivered by malicious apps. Malicious apps are clearly evolving continuously.

    3) How malicious apps transfer users' data to attackers

Traditionally, attackers exfiltrated users' data over HTTP or FTP connections. Nowadays they can also obtain the data simply by sending an e-mail via SMTP or by posting it to a bulletin board system.

    4) Mitigation

    o Technology based mitigation

We operate an SMS spam detection system that checks whether a message contains a shortened URL pointing to an APK. The system analyzes the APK file and, if a malicious server address is found, the address is blocked and a notification is sent to the infected mobile phone user. Monitoring is carried out both in the Google Play Store and in some black markets.
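The two technical points above, exfiltration over HTTP/FTP/SMTP (section 3) and the SMS-to-APK analysis pipeline (technology-based mitigation), as one added example that is not KrCERT/CC's detection system: it pulls shortened or direct-APK links out of a message, then sweeps the strings of the APK the link leads to for permissions and for HTTP, FTP and mail endpoints. The SMS text, the shortener list and the APK (built in memory as a zip) are constructed, the download step is replaced by a lookup table, and AndroidManifest.xml is kept as plain text for readability; in a real APK it is binary XML and needs a dedicated decoder.

```python
"""Triage a smishing message and the APK it points to."""
import io
import re
import zipfile
from urllib.parse import urlparse

URL_RX = re.compile(r"https?://[^\s<>\"']+", re.I)
# Hypothetical shortener domains; real lists are maintained separately.
SHORTENERS = {"sh.example", "go.example"}
# Permissions a banking trojan needs to intercept SMS-based second factors or calls.
RISKY_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                     "android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
# Server addresses embedded in code: HTTP/FTP URLs, mail accounts and SMTP hosts.
ENDPOINT_RX = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9./_?=&\-]*)?")
MAIL_RX = re.compile(rb"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")
SMTP_RX = re.compile(rb"smtp\.[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")

def suspicious_links(sms_text):
    """URLs in the message that are shortened or point straight at an APK."""
    out = []
    for url in URL_RX.findall(sms_text):
        parts = urlparse(url)
        if (parts.hostname or "").lower() in SHORTENERS or parts.path.lower().endswith(".apk"):
            out.append(url)
    return out

def scan_apk(apk_bytes):
    """Permissions and exfiltration endpoints found by a string sweep of the archive."""
    permissions, endpoints = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name == "AndroidManifest.xml":        # assumption: plain-text manifest
                permissions |= set(re.findall(r'android:name="(android\.permission\.[A-Z_]+)"',
                                              data.decode("utf-8", "replace")))
            for rx in (ENDPOINT_RX, MAIL_RX, SMTP_RX):
                endpoints |= {m.decode("ascii", "replace") for m in rx.findall(data)}
    return {"permissions": permissions, "endpoints": endpoints,
            "risky": bool(permissions & RISKY_PERMISSIONS) and bool(endpoints)}

def build_constructed_apk():
    """A fake APK: a zip with a plain-text manifest and a 'dex' blob holding strings."""
    manifest = ('<manifest package="com.example.fakebank">'
                '<uses-permission android:name="android.permission.RECEIVE_SMS"/>'
                '<uses-permission android:name="android.permission.INTERNET"/>'
                '</manifest>')
    dex = (b"\x00junk\x00http://203.0.113.77:8080/upload.php\x00"
           b"smtp.mail.example\x00drop@mail.example\x00ftp://198.51.100.9/in\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
    return buf.getvalue()

# Constructed message and a url -> bytes table standing in for the download step.
SMS = "[Courier] Your parcel could not be delivered, check http://sh.example/x1 now"
DOWNLOADS = {"http://sh.example/x1": build_constructed_apk()}

def triage(sms_text, downloads):
    """url -> scan result for every suspicious link whose payload is available."""
    return {url: scan_apk(downloads[url]) for url in suspicious_links(sms_text) if url in downloads}

if __name__ == "__main__":
    for url, result in triage(SMS, DOWNLOADS).items():
        print(url, result)
```

Sweeping all three endpoint patterns is the point of section 3: a pipeline that only extracts HTTP URLs misses the mail account or SMTP host that a newer sample uses for exfiltration, and the block action then has nothing to act on.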

    o Policy

Once an Android user agrees to install an app from an untrusted source, permission is never sought again. Because numerous malicious apps are distributed through unofficial app markets and web servers, we recommend that mobile phone manufacturers change their UIs to add an option whereby Korean mobile phone users must explicitly decide whether to allow installation of apps from untrusted sources every time.

    June 18th, 2015 11:00 – 11:30

    (InterContinental Berlin, Germany)

  • Sector Based Cyber Security Drills - Lessons Learnt

    Mr. Malagoda Pathiranage DILEEPA LATHSARA (Member)

    Author

    Mr. M.P. Dileepa Lathsara

    Dileepa Lathsara is the Chief Operating Officer of TechCERT (www.techcert.lk), which is the first computer emergency response team set up in Sri Lanka. Lathsara has been working in the information security industry for more than 11 years. He has wide experience in information security management, vulnerability assessment and penetration testing, design, and implementation of comprehensive information security solutions, digital forensic investigations, PKI implementations and online digital trust management.

    Lathsara is a founding member of LankaCertify (www.ca.lk) which is the technology and consultancy services provider for online trust establishment and verification for e-Sri Lanka.

    He also works as a visiting lecturer for many Sri Lankan universities and conducts lectures on information security and networks, information security management and forensic computing concepts.

    Qualifications:

MSc. (Computer Science, University of Moratuwa, specialized in Computer Systems Security)
    BSc. Engineering (Hons), University of Moratuwa; CEng, MIE(SL)
    CISSP, C|EH, Certified ISMS Auditor (ISO 27001), CPISI (PCI DSS v3.0)

Co-Author

    Dr. Shantha Fernando

Shantha Fernando is a Senior Lecturer at the Department of Computer Science and Engineering, University of Moratuwa. He is the co-founder of TechCERT, the first Computer Emergency Response Team set up in Sri Lanka, which is a division of the LK Domain Registry. He headed its technical team from 2005 and now serves as Chief Consultant. He served as Director of the Engineering Research Unit (ERU) of the University of Moratuwa during 2011-2013, and as a Council Member of the Computer Society of Sri Lanka (CSSL) during the same period.

He obtained a BSc Engineering Honours from the University of Moratuwa in 1993 and his Master of Philosophy from the same university in 2000. His PhD was obtained from the Delft University of Technology, The Netherlands, in 2010. He became the first Chartered Engineer in Sri Lanka in the field of IT in the Institution of Engineers Sri Lanka (IESL). His expertise is in computer and information security, information systems, and e-learning. He has provided advisory services to many government and commercial organizations in these areas since 1994.

    Qualifications:

PhD
    MPhil
    BSc. Engineering (Hons), University of Moratuwa
    IET(UK)
    MIE(SL), CEng

Co-Author

    Mr. Kushan Sharma

Mr. Kushan Sharma works as the Engineering Manager - IT Security Services of TechCERT. He holds a BSc Engineering (Hons) degree in Computer Science & Engineering from the University of Moratuwa and a master's degree in Computer Science, specialized in Computer Security, from the same university. He is currently reading for a master's degree in Business Administration. He is an Associate Member of the Institution of Engineers Sri Lanka (AMIE(SL)) and a certified ISMS Auditor.

For the past five years Mr. Kushan Sharma has been engaged in providing managed security services to the TechCERT customer base and in R&D work to develop value-added services. He is responsible for network vulnerability assessments, security auditing for compliance verification and forensic investigations. He is also experienced in conducting information security workshops and in incident response.

    Qualifications:

MSc. (Computer Science, University of Moratuwa, specialized in Computer Systems Security)
    BSc. Engineering (Hons), University of Moratuwa
    AMIE(SL), C|EH, Certified ISMS Auditor (ISO 27001)

Even though there has been explosive growth in Internet and information technology usage in Sri Lanka, many Sri Lankan organizations are ill-prepared to withstand potentially catastrophic cyber-attacks that may damage their infrastructure and subsequently result in a loss of reputation. At the same time, many Sri Lankan organizations are moving to complex IT systems and technologies to provide better, more effective services to their customers. With the increasing sophistication of these systems, there has been a corresponding growth in the number and severity of the associated threats. Unfortunately, many organizations only start reacting to security incidents after the fact. In the past five years, cyber-attacks and threats on corporate IS systems have dominated news headlines worldwide. It is therefore essential for Sri Lankan organizations to be prepared to counter cyber-attacks successfully, in the best interest of their customers and the IT industry as a whole.

Considering the above facts, TechCERT, in collaboration with the Department of Computer Science and Engineering of the University of Moratuwa, conducts annual cyber security drills for Sri Lankan organizations. The "TechCERT Cyber Security Drill" has been an annual event for Sri Lankan organizations since 2011. It was initially introduced to the banking sector and subsequently to the finance and insurance sectors. Since 2013, TechCERT has been able to expand the exercise to a wider range of sectors by including telecommunication service providers and Internet service providers, with the assistance of the Telecommunications Regulatory Commission of Sri Lanka (TRCSL). At present, TechCERT conducts three cyber security drills annually for different sectors:

    1. Banking and finance sector
    2. Telecommunication service providers and Internet service providers
    3. Insurance and other leading professional institutions

The cyber drill simulates a potential cyber-attack and evaluates the competence of the relevant organization's information security team in defending against the attack in the shortest possible time. The attack scenarios for the drill are based on the latest cyber-attacks in the relevant industry.

    A cyber security drill of this nature is highly beneficial for an organization to determine its readiness to mitigate possible cyber-attacks. The main objective of the cyber drill exercise is to provide the opportunity for participating organizations to:

• Train their IT staff to successfully overcome a cyber-attack
    • Test the communication contact points
    • Check the contingencies of their IT processes and procedures
    • Test their technical competency in dealing with cyber-attacks
    • Coordinate with relevant stakeholders to mitigate the attack

    This presentation will discuss how TechCERT conducts annual cyber security drills, the resources used, the progression of the drills and lessons learnt.

    June 19th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • Security Operations: Moving to a Narrative-Driven Model

    Mr. Joshua GOLDFARB (FireEye)

Josh (Twitter: @ananalytical) is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO - Americas at FireEye. Until its acquisition by FireEye, Josh served as Chief Security Officer for nPulse Technologies. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT), where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to DarkReading, SecurityWeek, SC Magazine UK, and The Business Journals.

    The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.
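What the alert-versus-narrative distinction looks like in data, as an added example that is not FireEye's product or the speaker's model as implemented: a constructed, unordered alert stream is grouped per host into a chronological sequence with repeats collapsed, the sequence is mapped onto coarse attack stages, and the triage decision is taken on the progression rather than on any one alert. The alert types, the stage mapping and the decision rule are assumptions.

```python
"""Group isolated alerts into a per-host narrative and triage on the progression."""
from collections import defaultdict
from datetime import datetime

# Hypothetical mapping of detector alert types onto coarse attack stages.
STAGE = {
    "av_quarantine": "delivery", "suspicious_macro": "execution", "new_service": "persistence",
    "lsass_access": "credential_access", "smb_logon_spray": "lateral_movement",
    "dns_tunnel": "command_and_control", "large_upload": "exfiltration",
}
ORDER = ["delivery", "execution", "persistence", "credential_access",
         "lateral_movement", "command_and_control", "exfiltration"]

# Constructed alert stream: (timestamp, host, alert type, detail). Unsorted on purpose.
ALERTS = [
    ("2015-06-16T09:14:00", "ws-17", "suspicious_macro", "invoice.docm spawned powershell"),
    ("2015-06-16T09:02:00", "ws-17", "av_quarantine", "invoice.docm (quarantined, then restored by user)"),
    ("2015-06-16T09:40:00", "ws-17", "dns_tunnel", "1.2k TXT queries to upd.example"),
    ("2015-06-16T10:05:00", "ws-17", "lsass_access", "procdump on lsass.exe"),
    ("2015-06-16T10:20:00", "ws-17", "smb_logon_spray", "14 hosts, account svc-backup"),
    ("2015-06-16T11:30:00", "ws-03", "av_quarantine", "pup toolbar installer"),
    ("2015-06-16T11:31:00", "ws-03", "av_quarantine", "pup toolbar installer"),
]

def build_narratives(alerts):
    """host -> chronologically ordered (time, type, detail), consecutive duplicates collapsed."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(alerts):
        events = by_host[host]
        if events and events[-1][1:] == (kind, detail):
            continue
        events.append((datetime.fromisoformat(ts), kind, detail))
    return dict(by_host)

def stages_seen(events):
    """Stages present in the narrative, in attack order rather than detection order."""
    return [s for s in ORDER if any(STAGE.get(k) == s for _, k, _ in events)]

def triage_level(events):
    """Decision rule (assumption): movement or exfiltration means IR; two stages escalate; one is a ticket."""
    seen = stages_seen(events)
    if "lateral_movement" in seen or "exfiltration" in seen:
        return "incident response required"
    if len(seen) >= 2:
        return "escalate to analyst"
    return "ticket"

def narrative_text(host, events):
    span = events[-1][0] - events[0][0]
    lines = [f"{host}: {triage_level(events)}; stages {' -> '.join(stages_seen(events))} over {span}"]
    lines += [f"  {t.strftime('%H:%M')} [{STAGE.get(k, '?')}] {k}: {d}" for t, k, d in events]
    return "\n".join(lines)

if __name__ == "__main__":
    for host, events in build_narratives(ALERTS).items():
        print(narrative_text(host, events))
```

Read on its own, the 09:02 quarantine on ws-17 is a closed alert; read as the first line of a narrative that reaches credential access and a logon spray within eighty minutes, it is the start of the incident. The same detector output on ws-03 collapses to a single repeated alert and stays a ticket.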

    June 16th, 2015 13:15 – 14:15

    (InterContinental Berlin, Germany)

  • Seven Years in MWS: Experiences of the Community Based Data Sharing for Anti-Malware Research in Japan

    Dr. Masato TERADA (Hitachi Incident Response Team), Yoichi SHINODA (JAIST), Mitsuhiro HATADA (NTT Communications Corporation)

    Masato TERADA is the Technology and Coordination Designer for the Hitachi Incident Response Team (HIRT). He is also affiliated with the Information-technology Promotion Agency, Japan (IPA), JPCERT/CC, and Chuo University.

    Yoichi SHINODA is a professor at the Japan Advanced Institute of Science and Technology (JAIST). He is also the Steering Committee Chair of the anti-Malware engineering WorkShop (MWS).

    Mitsuhiro HATADA is an information security researcher at the NTT Communications Corporation.

    Introduction

Seven years ago, in 2008, the anti-Malware engineering WorkShop (MWS) started in Japan. The main objective of MWS is to accelerate and expand anti-malware research and countermeasures. To this end, MWS aims to attract new researchers and engineers from the academic, private (enterprise) and public domains, and to stimulate new research addressing the latest cyber threats. To achieve this objective, MWS established a community-based scheme for sharing datasets for anti-malware research and countermeasures, and organized research workshops where researchers can freely discuss their results. This paper describes the MWS community, the MWS datasets, the MWS workshop and the lessons learned from our experiences over the past seven years.

    MWS activities

MWS has a community-based scheme for sharing datasets for anti-malware research and countermeasures. The scheme has three parts:

• MWS Dataset: sharing of datasets for anti-malware research and countermeasures; research groups in the academic, enterprise and public domains prepare and analyze the datasets.
    • MWS: sharing of research interests; MWS organized the research workshops MWS2008 - MWS2014, held in conjunction with CSS2008 - CSS2014 (Computer Security Symposium) of SIG-CSEC, IPSJ.
    • MWS community: an environment for working together; academic researchers and enterprise researchers/engineers work together on anti-malware research and countermeasures.

    MWS Community

Currently the MWS community includes organizations from the public, academic and enterprise domains in Japan. From the public domain, JPCERT/CC, IPA, AIST and NICT have joined, along with many academic and enterprise organizations. The community grows every year.

    MWS Data sets

    The MWS Datasets cover three categories, i.e., probing, infection, and malware activities.

    MWS Workshop

The workshop's task is to improve the anti-malware research environment, covering the detection, monitoring and analysis of malware, and to build a collaborative community between academic researchers and enterprise engineers working on malware countermeasures. MWS comprises a workshop and a competition, held in conjunction with CSS (Computer Security Symposium) of SIG-CSEC, IPSJ. The launch of MWS has significantly contributed to the increase in the number of anti-malware research papers. Interestingly, not only the number of papers presented in the MWS sessions but also the number presented in other sessions has increased.

    Conclusion

In late October 2014, ThaiCERT, a member of ETDA (Electronic Transactions Development Agency), and JPCERT/CC organized the "Malware Analysis Competition 2014 (MAC 2014)" in Bangkok, Thailand, where we gave a talk about MWS in Japan. The MWS format, especially the MWS Cup, served as a reference for MAC 2014. Such events are very useful for technology transfer and raising awareness, as well as for information sharing among the academic, enterprise and public domains on anti-malware research and countermeasures. We believe that our experiences can assist other research communities with a similar vision and comparable objectives, so we hope to continue the effort and to extend it to further relationships for anti-malware research and countermeasures.

    June 16th, 2015 11:15 – 11:45

    (InterContinental Berlin, Germany)

  • Sinfonier: Storm Builder for Security Intelligence

    Mr. Fran GOMEZ (Telefonica), Mr. Leonardo AMOR (Telefonica)

    Fran Gomez:

Fran J. Gómez was born in Madrid. He works as a Security Engineer, and his professional career has always been associated with IT security, even before he completed his university studies. In 2005, Fran joined the Telefonica I+D Ethical Hacking Team to take part in security research on ISP core network technologies, which gave him deep knowledge of some of the protocols and technologies that will build the future Internet. His current research focuses on security systems, Internet protocols and cyberintelligence at the Security Area of Telefonica Digital España. Fran has also spoken at events such as RootedCON, the RedIRIS Security Forum, CCN-CERT STIC, TEDxTelefónica and Spark Summit. @ffranz

    http://about.me/ffranz

Leonardo Amor: currently Head of Security & CSO of Telefonica Global Solutions (the backbone of the Telefonica Group) and the representative member of the Telefonica CSIRT team.

I have been involved in security for the last 15 years, mostly in the Telefonica Group, working in different areas from operations to the development of new security services, always in areas focused on enterprise customers. Since 2010 I have worked in global units, which has given me the best opportunity to learn how to work with international teams and to appreciate the cultural aspects of being global while respecting local culture and customs.

CISA, CISM; speaker at conferences such as APWG, MAAWG, ENISE, RootedCON and the RedIRIS Security Forum.

    @LeoAmorV

    https://www.leonardoamor.com/

Today we consume an ever-increasing variety of volatile data streams for processing and analysis.

Integrating and using new or modified streams of data is a time-consuming and complex process that requires a different tool at each stage of data capture, processing, analysis and storage. A solution is needed that simplifies and automates the integration of open source data into applications and allows developers to share integration algorithms across the community.

After looking at how to improve our own investigations and tools, and finding that many good security analysts lack deep technical skills, we decided to simplify the task and started our own project. We want to help security analysts focus on their investigations and make their work easier by giving them a good platform. From the beginning we wanted to involve the community, and we would like to take this opportunity to offer it to other CERT teams and share our experience and how we conduct our investigations.

We will introduce the tool, explain how it works and show how easily a complex investigation can be conducted with it.

    Sinfonier provides an open environment to graphically build high-level Apache Storm topologies and execute and share them for a definable period of time.

Sinfonier changes the focus with respect to current solutions for processing information in real time. We combine an easy-to-use, modular and adaptable interface with an advanced technological solution, so that you can tune it to your own information security needs.

Sinfonier lets you collect information from multiple sources and process and enrich it continuously and dynamically. It is up to you, the users, to give the algorithms content in the form of topologies and get the most out of this information.

    Sinfonier gives you the capacity to create new knowledge from any information you have or can obtain. Sinfonier is not a black-box solution implementing a few algorithms; it is an open platform to be used and shared, multiplying capacities and possibilities.

    Because Sinfonier is a high-level design with facilities that make it easy to use, it aims to bring together security analysts, developers and researchers. Its target audience is therefore people who need to create new capabilities as well as people who use existing ones.

    http://sinfonier-project.net

    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • So You Want a Threat Intelligence* Function (*But Were Afraid to Ask)

    Mr. Gavin REID (Lancope)

    Bios to Follow

    Gavin Reid

    Threat Intelligence was once the domain of nation-states. With the increasing attacks on corporations, more and more this function is being built in-house. We will cover one organization's approach to building out this function: what worked well and what didn't work at all, to help others as a reference example.

    June 15th, 2015 14:00 – 14:30

    (InterContinental Berlin, Germany)

  • Streamlined Incident Response from a Forensic Perspective

    Matthew ROHRING (U.S. Department of Homeland Security / U.S. Computer Emergency Readiness Team)

    Matthew Rohring is the Digital Media Analysis team lead within the Digital Analytics Branch (DAB) of the United States Computer Emergency Readiness Team (US-CERT), Department of Homeland Security (DHS). In this capacity, he leads and coordinates the forensic examination of digital media provided to US-CERT for analysis. His team maintains robust and flexible capabilities which allow for both in-house and offsite investigative analysis of digital devices and their storage mediums in an effort to provide insight into the cause and effect of suspected cyber intrusions.

    Mr. Rohring has over 18 years' experience in the Computer Network Defense field and began working for US-CERT in October of 2008. Prior to joining DHS, he worked with the United States Army Computer Emergency Response Team (ACERT), the United States Air Force Computer Emergency Response Team (AFCERT), the DoD Computer Emergency Response Team (DoD-CERT) and the Joint Task Force – Global Network Operations in analytical roles supporting both Cyber Operations and Cyber Intelligence.

    The world of cyber incident response is rife with distractions, confusion, conflicting expectations and a plethora of limitations; but timely, accurate response is critical even when data sets seem overwhelmingly large and complex.

    This presentation will describe a streamlined approach to media triage and initial case assessment of cyber incidents. Cyber incident response team members, CSIRT managers and anyone interested in learning more about processing digital media and potentially harmful binaries prior to traditional deep dive analysis or reverse engineering are encouraged to attend.

    The following issues and techniques will be addressed:

    • Focused approaches to case scoping
    • Data set carving, i.e., making mountains into molehills
    • Setting expectations with victims and incident managers
    • A framework for rapid initial forensic and malware analysis and identification of immediately actionable Indicators of Compromise
    • Handling and packaging of casework for transition to deep dive analysis and sharing with incident response partners

    June 19th, 2015 10:15 – 11:15

    (InterContinental Berlin, Germany)

  • Technology, Trust, and Connecting the Dots

    Mr. George JOHNSON (NC4), Mr. Bill NELSON (FS-ISAC), Mr. Wayne BOLINE (Raytheon), Kris HERRIN (FS-ISAC)

    Bill Nelson:

    Bill is the President and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit association dedicated to protecting financial services firms from physical and cyber attacks. Members within the FS-ISAC include organizations from banks, credit unions, payment processors, securities firms and insurance companies.

    The FS-ISAC fulfills its mission through the dissemination of trusted and timely information regarding physical and cyber security risks to its membership. In 2012 and again in 2013, FS-ISAC joined with Microsoft in successful civil litigation actions to disrupt malware botnets. In January 2013, Mr. Nelson was named the fifth most influential person in the field of Financial Information Security by the publication Bank Info Security. In February 2013, FS-ISAC received the prestigious RSA Award for Excellence in Information Security.

    Before joining the FS-ISAC, Bill was the Executive Vice President of NACHA, The Electronic Payments Association from 1988 to 2006. Bill oversaw the development of the ACH Network into one of the largest electronic payment systems in the world. He also oversaw NACHA’s rule-making, marketing, rules enforcement, education and government relations programs. Prior to joining NACHA, Bill held several treasury management and lending positions within the banking industry.

    Wayne Boline:

    Wayne joined Raytheon Missile Systems in Tucson, AZ in 2003 as the Network Manager responsible for classified/unclassified networks and voice systems for the 10,000+ member business. Before joining Raytheon, he served nearly 23 years in the US Air Force acting in both enlisted and officer roles responsible for areas in Electronic Warfare, Telecommunications, Computer Crime Investigations, and Communications-Computer Systems. In 2006 he transferred to the Raytheon Corporate IT Security organization in Texas with responsibility for Cybersecurity Incident Response, Information Sharing, and Collaboration. He is currently the Chairman of the Board of the Defense Security Information Exchange (DSIE), Representative on both the DOD Defense Industrial Base (DIB) Program & Sector Coordinating Council (SCC), and Co-Chair of the AIA Cybersecurity Steering Committee.

    Wayne holds a BS in Information Systems Management from the University of Maryland and an MS in Network Security from Capital College. He also holds the Certified Information Systems Security Professional (CISSP) and Information Systems Security Management Professional (ISSMP) certifications.

    George Johnson CISSP:

    Since the early '90s, while working at the Defense Advanced Research Projects Agency (DARPA), George has been involved in Internet Security and in building Communities of Interest, Extranets, Portals, and other tools that focus on providing a secure platform for secure information sharing. He spent two years at Carnegie Mellon as Technical Director, Extranet for Security Professionals, working at the Software Engineering Institute, further maturing the processes and methodologies necessary to promote security as a principal requirement of information systems. From there he went on to found The ESP Group, which was arguably the first security-differentiated collaboration company on the market. Currently George serves as CSO of NC4, where he is responsible for working with the business units to integrate security into the corporate processes - from requirements, SDLC and testing to production and retirement of systems.

    Bringing an update on the innovations that have happened in the last year, this presentation is about real-world human-to-human and machine-to-machine information sharing. This presentation will help you avoid pitfalls while increasing your circle(s) of trust and increasing your speed of defense. We will discuss real implementations (FS-ISAC, US-CERT, DSIE, and others) of information sharing and some of the standards (STIX/TAXII) and automation (Soltra Edge and CRITS) involved. Technologies are advancing and we’re learning more about what it takes to put these technologies and processes into practice. Historically, information sharing in the Cyber Defense world has been a tremendously manual and isolated process. While formal and informal networks of incident responders have sprung up to provide defenders some leverage in mitigating attacks, three major factors have complicated our jobs:

    1. Economic forces have favored the attack side.
    2. Several factors (principally our inability to scale “trust”) have hindered sharing on the defense side.
    3. Moving data faster hasn’t helped humans identify the most important data to act upon – and now more data is moving even faster – so how do we help humans find the most important information for their particular organization at the right time?

    Exploits built to target a specific sector/industry can be broadly employed to provide a significant return on investment due to slow and uncoordinated responses across that sector/industry. Yet, we’re starting to turn the odds in the defense’s favor. The financial sector has recognized that it is imperative to change the economics of the attack/defense model in order to change the balance of power. Financial institutions, through the Financial Services Information Sharing and Analysis Center (FS-ISAC), have been developing and maturing the process of information sharing among its constituents to increase the speed at which defense spreads across the entire financial sector. Several key factors have contributed to the success so far, including:

    • Ability for users to post anonymously
    • Analysts add value to each posting and users find the information valuable
    • Creation of a clear guideline for information dissemination
    • Maturing a trust model
    • Providing an infrastructure to allow analysts across companies and sectors to collaborate
    • Automation to move machine readable Mitigations/Courses of Actions to move at the speed of trust

    To date, human to human interaction has imposed limits on the speed and volume of data shared because people were performing tasks that could be more effectively performed by machines. At the same time many companies could not find or afford the talent to identify malicious activity and so relied on computers to do the job best suited to humans.

    To maximize the value of the Human in the Loop, the finance sector has made the commitment to move to the automated sharing of threat information by using standardized protocols (STIX and TAXII) and mark-up automation in order to change the economics of cyber-attacks more in favor of the defenders. This presentation will describe critical success factors that are generating initial trust necessary to drive collaboration and the work being done in automating information exchange so that analysts can concentrate on value-added analysis rather than spending their time on manual processes.

    June 16th, 2015 14:45 – 15:45

    (InterContinental Berlin, Germany)

  • The Crack in KrakenBOT

    Mr. Peter KRUSE (CSIS Security Group A/S)

    Peter Kruse, Founder and Head of CSIS eCrime Unit, CSIS Security Group

    Peter Kruse co-founded the Danish IT-security company CSIS in 2003 and is currently leading the eCrime department which provides services mainly aimed at the financial sector.

    His ability to combine a keen appreciation of business needs and a profound technical understanding of malware has made CSIS a valued partner of clients in both Scandinavia and the rest of Europe.

    Today, Peter is by far the most quoted IT-security expert in Denmark and considered among the most recognized in Europe. He has a long history of active participation in several closed and vetted top IT-security communities and has numerous international connections in the antivirus- and banking industry, law enforcement and higher education institutions.

    KrakenBOT is a fully commercialized RAT (Remote Administration Tool), which is distributed through advertising on several criminal-focused underground forums.

    Despite the low price of the standard package (approx. 270 US dollars), increasingly complex and numerous functions and add-ons continue to be implemented. For these reasons, KrakenBOT is slowly becoming a cheap and very effective crimekit and the choice of many criminal groups.

    As new versions of KrakenBOT are constantly being released by the author, development is assumed to continue and is likely to affect even more victims in the future.

    This research will focus on the economy behind KrakenBOT. It will provide insight on the different functions and modules, give a technical rundown on the KrakenBOT C&C software and look at the binary code generated by the Kraken crimekit.

    Finally, the purpose of this research is to identify the individuals behind KrakenBOT and document how it has been systematically abused to steal valuable data from unknowing victims.

    June 15th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • The Cybercrime Evolution in Brazil: An Inside View of Recent Threats and the Strategic Role of Threat Intelligence

    Mr. Ricardo ULISSES (Tempest Security Intelligence), Mr. Aldo ALBUQUERQUE (Tempest Security Intelligence)

    • Aldo Albuquerque

    With more than 15 years' experience in information security, Aldo has been involved with and managed complex projects in large corporations related to ethical hacking, forensic analysis, incident response, and threat intelligence. Aldo is in charge of the whole of Tempest’s Threat Intelligence operation as the company's Chief Operations Officer. Currently, he also holds the position of senior researcher in the Threat Intelligence team, with a deep interest in cybercrime.

    • Ricardo Ulisses

    As leader of Tempest's Threat Intelligence team, Ricardo is currently in charge of various research efforts in the field, in Brazil and abroad. An infosec analyst for the last 6 years, he has been involved in performing vulnerability assessments, forensic analysis, and threat intelligence research for multiple industries, with special interest in the technical and operational aspects of fraud schemes, and in web application and infrastructure attacks and defenses.

    In this presentation we will show our view of how cybercrime in Brazil is evolving and adapting in terms of tactics and techniques, with special focus on events that took place in 2014 and 2015. This includes exploring the most prevalent threats and actions that have been targeting some of the high-profile Brazilian organizations, their customers, and the population in general.

    This presentation also points out the strategic role played by the Threat Intelligence approach to information security in this new scenario and the possibilities it brings to the table, with some real cases of success.

    June 16th, 2015 13:15 – 14:15

    (InterContinental Berlin, Germany)

  • The Future of Information Exchange Policy

    Mr. Paul MCKITRICK (Microsoft), Ms. Merike KAEO (IID)

    Paul McKitrick, Microsoft; and Merike Kaeo, Internet Identity.

    Automating the exchange of security and threat information is imperative to the future success and effectiveness of the security response community. However, organizations face two primary challenges in automating information exchange: the lack of automated tooling and technologies available, and the lack of adequate policy and governance.

    While the lack of automated technologies is a well-understood problem that is being actively addressed by the security industry, the policy challenges associated with automating information exchange are not as well understood or appreciated, and they are just as complex and critical as the technical challenges.

    The lack of information exchange policy limits the ability to define and interpret the permitted Sharing, Handling, and Use of security and threat information that is shared between organizations. The consequences are limited and often siloed information sharing between partners, and individuals exposing themselves and their organizations to unnecessary risk, as sharing is often under the radar of management and is not covered by legal policy and agreements.

    The lack of policy is in part a result of the knowledge gap and disconnect between technologists, policy writers, and … lawyers. The need for an extensible "Information Exchange Policy Framework" was identified to address these limitations, bridge the knowledge gaps, and promote information exchange within the security response community and industry.

    This presentation will provide attendees with an overview of the policy challenges and implications organizations face today; the rationale, approach, and considerations behind developing the "Information Exchange Policy Framework"; the lessons learned; the next steps; and, most importantly, how you and your organization can get involved and contribute to this initiative.

    June 17th, 2015 13:30 – 14:30

    (InterContinental Berlin, Germany)

  • The Needle in the Haystack

    Mr. Jasper BONGERTZ (Airbus Defence and Space CyberSecurity GmbH)

    Jasper Bongertz is a Senior Technical Consultant who started working freelance in 1992 while studying computer science at the Technical University of Aachen. In 2013, he joined Airbus Defence and Space CyberSecurity, focusing on IT security, Incident Response and Network Forensics. He is also the author of a large training portfolio with a special focus on Wireshark, now owned by Fast Lane GmbH. Jasper is a Sniffer Certified Professional (SCP) and VMware Certified Professional (VCP3/4/5), and was a VMware Certified Instructor (VCI) until January 2014.

    In incident response situations, time is short. One of the biggest problems is that it is difficult to determine what happened to which system, and - if possible - when it happened. The challenge is almost always to identify compromised systems without wasting too much time on examining those that turn out to be unaffected.

    Network forensics can help to pinpoint infected nodes, so that system forensics tasks can be focussed on those systems. The problem with network forensics is that it requires a certain amount of preparation (the more the better), and skill/experience to identify malicious patterns. This talk will focus on where network forensics can help with incident response, where the challenges are, and what tools to leverage.

    June 17th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Theory and Practice of Cyber Threat-Intelligence Management Using STIX and CybOX

    Dr. Bernd GROBAUER (Siemens)

    Dr. Bernd Grobauer is Principal Key Expert at Siemens Corporate Technology's Technology Field "IT Security". He leads the Siemens Computer Emergency Response Team’s (CERT’s) research activities, covering topics such as incident detection and handling, threat intelligence, malware defense, IT forensics, etc. Dr. Grobauer holds a PhD in computer science from Aarhus University, Denmark. From 2009 to 2011, he served on the membership advisory committee of the International Information Integrity Institute (I4).

    Thomas Schreck is the Team Representative of Siemens CERT. His fields of interest are intrusion detection and incident analysis. Further, he is a PhD student at the Friedrich-Alexander University Erlangen-Nuremberg.

    Dr. Jan Goebel is the Team leader for Incident Technologies and IT Security Analyst at Siemens CERT. His research interests revolve around IT security, digital forensics, malware analysis (reverse engineering), and network attack detection using honeypots. Dr. Goebel holds a PhD in computer science from RWTH Aachen University.

    Stefan Berger is an IT Security Analyst at the Siemens Computer Emergency Response Team (CERT). His area of work mainly covers global IT security incident handling and analysis as well as the development and maintenance of tools, methods, and procedures in this field.

    Based on Siemens CERT's experiences with developing and operating the Open Source MANTIS Cyber-Threat Intelligence Framework, this talk will provide an overview of central issues with cyber-threat intelligence management using STIX and CybOX:

    • Finding correlations

    With more and more data sources based on STIX and CybOX becoming available, finding correlations in the supplied data becomes essential. We will present work in progress on finding correlations.

    • Information tagging

    Because the same basic observation (e.g. an IP address) may give rise to many distinct CybOX observables, information tagging on the object level is insufficient for many use cases. We will present MANTIS's approach towards information tagging: by tagging atomic facts rather than objects, a single tagging action applies to all relevant objects.

    • Managing actionable threat intelligence

    In theory, it should be easy to manage and extract actionable threat intelligence from STIX/CybOX data for use in detection and prevention systems. In practice, this proves surprisingly hard. We will present our approach towards this problem.
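    The fact-level tagging point above, as an added example that is not MANTIS code: a minimal store in which tags live on atomic facts rather than on objects, so a single tagging action on an IP fact reaches every observable containing that IP, including ones ingested later. The object types, the normalised fact keys and the IP address are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# An atomic fact is a normalised (fact type, value) pair. Normalising the type
# (an IP is "ipv4-addr" whether it sits in an AddressObject or inside a
# NetworkConnectionObject's destination address) is this example's own
# assumption about how facts are keyed.
Fact = Tuple[str, str]


@dataclass
class Observable:
    """A CybOX-style observable: an object id, its type and the atomic facts it contains."""
    obj_id: str
    obj_type: str
    facts: List[Fact]
    object_tags: Set[str] = field(default_factory=set)  # tags attached to the object itself


class FactStore:
    """Deduplicates atomic facts across observables and keeps tags on facts, not objects."""

    def __init__(self) -> None:
        self.objects: Dict[str, Observable] = {}
        # reverse index: fact -> ids of every object that contains it
        self.fact_to_objects: Dict[Fact, Set[str]] = {}
        self.fact_tags: Dict[Fact, Set[str]] = {}

    def ingest(self, obs: Observable) -> None:
        """Store an observable and index every atomic fact it contains."""
        self.objects[obs.obj_id] = obs
        for fact in obs.facts:
            self.fact_to_objects.setdefault(fact, set()).add(obs.obj_id)
            self.fact_tags.setdefault(fact, set())  # keeps existing tags on a known fact

    def tag_object(self, obj_id: str, tag: str) -> None:
        """Object-level tagging: the tag applies to this one object only."""
        self.objects[obj_id].object_tags.add(tag)

    def tag_fact(self, fact: Fact, tag: str) -> None:
        """Fact-level tagging: the tag applies to every object containing this fact."""
        self.fact_tags.setdefault(fact, set()).add(tag)

    def objects_by_object_tag(self, tag: str) -> Set[str]:
        return {oid for oid, obs in self.objects.items() if tag in obs.object_tags}

    def objects_by_fact_tag(self, tag: str) -> Set[str]:
        hits: Set[str] = set()
        for fact, tags in self.fact_tags.items():
            if tag in tags:
                hits |= self.fact_to_objects.get(fact, set())
        return hits

    def effective_tags(self, obj_id: str) -> Set[str]:
        """All tags that apply to an object: its own plus those inherited from its facts."""
        obs = self.objects[obj_id]
        tags = set(obs.object_tags)
        for fact in obs.facts:
            tags |= self.fact_tags.get(fact, set())
        return tags


def demo() -> Dict[str, Set[str]]:
    """Constructed walkthrough: the same IP appears in three different observables."""
    store = FactStore()
    ip = ("ipv4-addr", "203.0.113.5")  # constructed documentation-range address
    store.ingest(Observable("addr-1", "AddressObject", [ip]))
    store.ingest(Observable("conn-1", "NetworkConnectionObject", [ip, ("port", "443")]))

    # Object-level tagging reaches only the object the analyst happened to tag.
    store.tag_object("addr-1", "campaign:example")
    object_level = store.objects_by_object_tag("campaign:example")

    # Fact-level tagging: one action on the IP fact covers every object containing it.
    store.tag_fact(ip, "campaign:example")
    fact_level_before = store.objects_by_fact_tag("campaign:example")

    # An observable ingested later with the same fact inherits the tag with no further work.
    store.ingest(Observable("dns-1", "DNSRecordObject", [("domain", "example.test"), ip]))
    fact_level_after = store.objects_by_fact_tag("campaign:example")

    return {
        "object_level": object_level,            # {"addr-1"}
        "fact_level_before": fact_level_before,  # {"addr-1", "conn-1"}
        "fact_level_after": fact_level_after,    # {"addr-1", "conn-1", "dns-1"}
        "conn_tags": store.effective_tags("conn-1"),  # {"campaign:example"}
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {sorted(value)}")
```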

    June 17th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Threat Information Sharing; Perspectives, Strategies, and Threat Scenarios

    Mr. Timothy GRANCE (NIST), THOMAS MILLAR (US-CERT), Mr. Pawel PAWLINSKI (CERT Polska / NASK), Mr. Luc DANDURAND (ITU)

    Tim Grance is a senior computer scientist at the National Institute of Standards and Technology. He has held a variety of positions at NIST, including Group Manager, Systems and Network Security, and Program Manager for Cyber and Network Security. He led a broad portfolio of projects, including high-profile projects such as the NIST Hash Competition, Cloud Computing, Protocol Security (DNS, BGP, IPv6), Combinatorial Testing, and the National Vulnerability Database. He is presently a senior researcher advising on projects in cloud computing, mobile devices, internet of things, and big data. He has written extensively on cloud computing, incident handling, privacy, and identity management. He is a two-time recipient of the US Department of Commerce’s highest award—a Gold Medal, from the Secretary of Commerce.

    Mr Luc Dandurand has recently joined the International Telecommunication Union as Head of the ICT Application and Cybersecurity Division in the Telecommunication Development Bureau (BDT). Previously, from January 2009, he worked at the NATO Communications and Information Agency in cybersecurity capability development for NATO and NATO Nations. Prior to joining NATO, he worked at the Communication Security Establishment of Canada, leading a team that prototyped novel solutions in Cyber Defence. He started his career as a Signals Officer in the Canadian Forces, first as an analyst in the Directorate of Scientific and Technical Intelligence. Following post-graduate studies, he led the CF's Network Vulnerability Analysis Team and co-founded the CF Joint Red Team, a team responsible for assessing the security of CF networks by conducting controlled cyber-attacks.

    Mr. Thomas R. Millar serves as the United States Computer Emergency Readiness Team's (US-CERT) Chief of Communications, a role which finds him at the intersection of outreach, awareness, standards development, and technical interoperability initiatives. In this role, Mr. Millar is focused on modernizing US-CERT's approaches to information sharing, knowledge exchange and coordination. Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009. He has previously worked as a team lead for intrusion detection and analysis at the FBI's Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.

    Paweł Pawliński is a senior specialist in the Security Projects Team at CERT.PL, within Research and Academic Computer Network, Poland (NASK). In this role, he leads the information exchange program; in particular, he is responsible for the design and deployment of the n6 platform for sharing security-related data. He is also the main author of the recent ENISA good practice guide for CERTs on processing and sharing of information ("Actionable Information for Security Incident Response"). Paweł's main interests in the domain of network security include intrusion detection systems, anomaly detection algorithms, honeypots and data visualization. His past experience includes work on automated tools for large-scale analysis of both client- and server-side attacks: Honeyspider Network, ARAKIS.

    Collaboration and sharing have become motive forces from startups to web-scale global companies. However, in security in general, and particularly in incident handling at the enterprise level, information sharing is still in its infancy. This panel presentation and discussion will briefly outline efforts in the public and private sectors, such as NIST's Draft Special Publication 800-150, Guide to Cyber Threat Information Sharing, European efforts on improving threat data exchange among CERTs, and other private sector initiatives. Specifically, the panel will discuss the following topics and questions:

    1. Overview of sharing architectures and trust issues
    2. What are the present sharing capabilities, technical mechanisms (e.g. identity, access control, etc.) and barriers to sharing and using threat information?
    3. Advice on how to create, maintain, and enhance sharing relationships
    4. Specific technical and policy recommendations on the astute use of shared threat information
    5. Discussion of specific incident scenarios (nation-state malware attacks on an industry sector, a distributed denial of service attack against an industry sector, etc.) and how sharing could work in those scenarios

    June 15th, 2015 15:00 – 16:00

    (InterContinental Berlin, Germany)

  • Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study

    Mrs. Sharifah Roziah MOHD KASSIM (MyCERT, CyberSecurity Malaysia)

    Sharifah Roziah currently works as a Specialist for the Malaysia Computer Emergency Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. Besides being a Specialist, she is also tasked as Manager of the Security Operation Centre (SOC) in MyCERT, to ensure computer security incidents reported to MyCERT are responded to in a timely and efficient manner. Prior to that, she worked as a Senior Analyst at MyCERT. Roziah has been involved in the computer security field for 15 years, mainly in Computer Security Incident Response. Her areas of focus and interest are Computer Security Incident Response, Incident Data Analysis and Network Security. Roziah has been a key person in responding to and resolving many computer security incidents reported to MyCERT from the Malaysian constituency. Roziah has also conducted many talks, presentations and trainings, both locally and internationally, in the field of computer security, particularly in Computer Security Incident Response. Apart from that, Roziah has also produced various Security Advisories on the latest vulnerabilities and threats, Security Guidelines, Articles and Proceeding Papers related to computer security.

    Cyber attacks today are becoming more sophisticated and transnational in the threat landscape, challenging CERTs’ incident response capability. CERTs need to be efficient in terms of having a strong foundation, readiness, sophisticated tools and up-to-date Standard Operating Procedures (SOPs) to respond to the ever-growing number of incidents in cyberspace. Cyber Exercises at the national or multilateral level have now become essential and an integral part of any Incident Response, and can be used to assess the readiness of the Team. They have laid a strong foundation in Incident Response procedures for responding to and mitigating cyber threats. A multilateral Cyber Exercise brings various teams from different countries together, building common goals and working together to understand, respond to and mitigate threats in cyberspace. A lot has been said about Multilateral Cyber Exercises, which are conducted every year at various locations or regions around the world. However, the question is: are they really effective in overcoming the challenges of responding to cross-border incidents, and how can various Teams from different countries possibly come together to respond to and mitigate cross-border incidents? Malaysia CERT has long been engaged in various multilateral cyber exercises. We have played the roles of Coordinator, Player and Excon in three different multilateral Cyber Exercises conducted annually: the Asia Pacific CERT Cyber Exercise, the South East Asian Cyber Exercise and the Organization of Islamic Country CERT Cyber Exercise. The significance or uniqueness of our Team is that we engage in three different multilateral Cyber Exercises annually and play an active role in them.

    In this presentation, we would like to share our case study and experiences engaging in these three Multilateral Cyber Exercises, as below:

    1. How Multilateral Cyber Exercises have contributed successfully to responding to and mitigating cross-border incidents efficiently.
    2. Sharing our own in-house developed tools and applications that assisted in developing scenarios, crafting injects, artifact analysis and developing a dashboard for status updates of the Multilateral Cyber Exercise.
    3. Sharing knowledge of how we customized some of the existing applications and tools for Multilateral Cyber Exercise purposes.
    4. How communication using multiple platforms proved an effective way of communicating among Coordinators, Players and Excons during a Multilateral Cyber Exercise.
    5. Overall observations, the team’s expectations and lessons learnt from the Multilateral Cyber Exercise that can be used for future improvement.
    6. Showing that a Multilateral Cyber Exercise is not a costly job, and how in-house developed tools can be cost-effective and economical during the exercise.

    In conclusion, the findings from the presentation can be a benchmark or a starting point for CERTs or any organizations to get engaged in Multilateral Cyber Exercises. The presentation also concludes that Multilateral Cyber Exercises need to be part of any Incident Response procedure as a foundation, for the purpose of responding to and mitigating cross-border incidents in an efficient manner.

    June 18th, 2015 14:00 – 15:00

    (InterContinental Berlin, Germany)

  • Validating and Improving Threat Intelligence Indicators

    Mr. Douglas WILSON (FireEye)

    Douglas Wilson is a Senior Manager at FireEye Labs. He is in charge of the Threat Indicators Team, which he had previously led at Mandiant before its acquisition by FireEye. Doug's team primarily works on developing and refining techniques for improving threat indicator quality and coverage, as well as on innovative threat intelligence automation efforts. During his time at FireEye & Mandiant, he has experienced first hand a lot of ways to try and improve threat indicators, and hopes to be able to share his experiences at FIRST 2015.

    Doug is based out of Washington DC in the United States. He has over 15 years of experience in a variety of Information Security and Technology positions, including Incident Response and Multi-tiered Application Architecture among others. He spoke at FIRST Bangkok in 2013, and FIRST Boston in 2014.

    Doug has spoken on various Infosec topics at events including FIRST, GFIRST, DoD Cybercrime, NIST IT-SAC, Suits and Spooks, Shmoocon, and many other local events in the Washington DC Metropolitan area.

    Threat Intelligence has been a hot item for the past year or two now – everyone sells it and has it drive their products and solutions – but how do you tell if it's really making a difference? Several other recent presentations at industry conferences have dealt with trying to measure vendor offerings – but how do you measure your own internal content and processes? How do you know if the Threat Intelligence and Indicators you are creating and consuming are worth your investment of resources? And how do you make them better if they are not?

    This presentation will discuss several ways that you can implement measurement of indicator efficacy and feedback loops in your organization to measure and improve your operationalized threat intelligence. You want to make sure that what your organization is using is the most potent, current, and viable intelligence out of the many sources that may be available – and also identify when certain types or sources of intelligence no longer have value.

    This presentation will cover best practices derived from real world environments at a high level that can easily be applied in common operational situations, as well as a variety of lessons learned. It will not be limited to specific technologies and/or products, and only classes of products or Open Source technologies (versus specific vendors or products) will be mentioned to avoid any conflicts of interest. It will cover simple tests and workflows that can be applied to a variety of indicator types without being specifically tied to one particular type of intelligence or threat detection.

    Attendees will learn about processes that they can put in place to gather metrics from their SOCs/CIRTs and/or other operational environments, and then how to best apply that to an indicator generation and maintenance workflow. Mature organizations may likely have some of these practices in place, but emerging or new organizations will hopefully find this information saves them time and makes their use of threat intelligence more efficient and effective. The presentation will not be deeply technical in nature, but will be useful to technical teams trying to better operationalize threat intelligence and/or aggregate collections of threat indicators.

    Ideal attendees will be teams and management focused on implementing or adopting threat intelligence into an operational form for enterprises small and large.

    June 17th, 2015 16:00 – 17:00

    (InterContinental Berlin, Germany)

  • VRDX-SIG: Global Vulnerability Identification

    Mr. Art MANION (CMU SEI CERT/CC), Mr. Takayuki UCHIYAMA (JPCERT/CC), Dr. Masato TERADA (Hitachi Incident Response Team)

    Art MANION is a senior member of the Vulnerability Analysis team in the CERT Coordination Center (CERT/CC) at the Software Engineering Institute (SEI).

    Taki UCHIYAMA is an information security analyst at the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

    Masato TERADA is the Technology and Coordination Designer for the Hitachi Incident Response Team (HIRT). He is also affiliated with the Information-technology Promotion Agency (IPA), JPCERT/CC, and Chuo University.

    Like most ontological exercises, defining what exactly constitutes a software vulnerability turns out to be at least somewhat subjective. Vulnerability databases use different definitions, scopes, identification systems, and data formats. There are some well-known, comprehensive(-ish) databases like Common Vulnerabilities and Exposures (CVE) and the Open Sourced Vulnerability Database (OSVDB), and more narrowly-scoped databases like Japan Vulnerability Notes (JVN) and vendor security advisories. Differences in scope and how vulnerabilities are defined and identified lead to difficulty counting, tracking, and responding.

    The FIRST Vulnerability Reporting and Data eXchange Special Interest Group (VRDX-SIG) was chartered to study existing practices and develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

    What are the key similarities and differences across databases?

    Should there be a global vulnerability identification system, and what would it look like?

    This talk will present results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.

    June 18th, 2015 13:00 – 14:00

    (InterContinental Berlin, Germany)

  • When Business Process and Incident Response Collide: The Fine-Tuning of the IR Program

    Ms. Reneaue RAILTON (Former/Future member)

    Reneaué Railton, CISSP, Senior Information Security Analyst, Duke Medicine Cyber Defense and Response Team

    Reneaué Railton is an Information Security Analyst at Duke Medicine with over 28 years in the Computer Industry, 19 years focused on Cyber Security. As an Information Security Analyst, she provides support for a variety of operational and consultative functions as part of the Duke Medicine Information Security Office and Cyber Defense, including analyzing findings from security monitoring systems to identify and respond to potential security incidents and data breaches. Prior to Duke Medicine, Reneaué spent 16 years in various Cyber Security and Incident Response related positions at Cisco in RTP, NC. Formerly an Incident Manager in Cisco's Product Security and Incident Response Team (PSIRT), she provided incident management and coordination with external incident response teams and information sharing organizations worldwide.

    In a previous role, as an Incident Response Program Manager for Cisco's Critical Infrastructure Assurance Group, Reneaué identified and established programs that support Cyber Security Incident Response with an emphasis on supporting internal Cisco teams. She worked closely with the U.S. Department of Homeland Security Sector Specific Information Sharing and Analysis Centers (ISACs), namely the Communications ISAC and IT ISAC, to provide situational awareness and enhance public-private partnership and communications.

    As a Cisco representative, she participated in cyber security exercises designed to simulate attacks or disasters that affect telecommunications systems, and contributed to the development and improvement of supporting policies and procedures for incident response. Reneaué routinely engaged in activities of the Forum of Incident Response and Security Teams (FIRST), the IT and Communications ISACs, the National Infrastructure Advisory Council (NIAC), the Internet Consortium for the Advancement of Security on the Internet (ICASI), and National Security Telecommunications Advisory Committee (NSTAC) working groups that are interconnected with incident response.

    Reneaué is a CISSP and a Level II Certified Network Expert. She is also ITILv3 certified.

    There is a delicate balancing act in maintaining an effective incident response team in the maelstrom of cyber attacks amid limited resources and tools. An IR team must overcome obstacles ranging from limited network visibility and systems access to a lack of training and proper tools. The cost of an incident is increasingly difficult to determine. Is it the impact to customers or the corporate brand? The loss of revenue or regulatory fines? How does an organization measure the risks and costs of a cyber event as it relates to the experience of the incident handler, from event discovery to containment? How can we leverage this information to build a business case to fill the gaps in our incident response capabilities?

    This talk focuses on common impediments to effective incident response and on tools to improve IR processes. The presenter will use real incidents and case studies to illustrate common gaps in IR procedures & event handling. We will discuss how to fine-tune the IR program to detect compromises earlier and how to lower the costs incurred when an organization suffers an intrusion.

    June 16th, 2015 12:45 – 13:15

    (InterContinental Berlin, Germany)

  • Working Towards the Tokyo 2020 Olympics - Situation in 2015

    Ms. Mariko MIYA (CDI-CIRT (Cyber Defense Institute, Inc.) - Japan)

    Mariko is the Chief Security Analyst of Cyber Defense Institute, Inc., located in Tokyo, Japan. She has expertise and knowledge of foreign and domestic cyber policies and of handling cyber threats regarding national security. In particular, her cyber intelligence reports, written using her high-level multi-language and research capabilities, have received high recognition from government agencies. She has also been giving practical support to government agencies in charge of foreign affairs and overseas information gathering and analysis. She graduated from International Christian University of Tokyo with a BA in English Linguistics after 12 years of education in Los Angeles, California, from elementary school through high school. Throughout her education, she studied German, Korean, and French, enabling her to approach cyber issues from a multi-linguistic and multi-national point of view.

    This presentation will be about the current situation in Japan in regards to preparation for the Tokyo 2020 Olympics, and lessons learned from our research about past major events, including the Olympics and other major events in different countries, which we have researched under contract to the Japanese government and other major Japanese companies.

    In comparing the 2012 London Olympics and 2020 Tokyo Olympics, the following are some major differences that we have identified in our research:

    Communication (network) interception
    - London 2012 – Intelligence agencies and law enforcement implement according to anti-terrorism laws (intelligence agencies and law enforcement have response capabilities against potential threats).
    - Tokyo 2020 – Law enforcement implements according to court order (response capabilities of law enforcement depend on the detection, judgment and response capabilities of targeted organizations).

    Mobile devices and Wi-Fi traffic
    - London 2012 – Since it was the transition phase of a dramatic increase in smartphone and tablet use, the amount (increase) of Wi-Fi traffic was within expectations.
    - Tokyo 2020 – In addition to smartphones and tablet devices, there is expected to be a rapid increase in the usage of cloud applications and wearable devices, and it is extremely difficult to estimate the amount of traffic.

    Terrorist organizations and cyberspace
    - London 2012 – Illegal activities using cyberspace were only somewhat limited.
    - Tokyo 2020 – There is expected to be a rapid increase in illegal activities using cyberspace (an easily accessible environment is continually being built at an accelerating pace).

    Impact of cyber attacks on businesses
    - London 2012 – Legacy systems were intermixed, so business impact was limited.
    - Tokyo 2020 – There will be fewer legacy systems, and it is likely that there will be dependency on extremely efficient or highly productive systems; therefore business impact will be extremely high.

    In the presentation, I will further explain some possible cyber attack scenarios according to the factors above. Also, Japan has several unique issues it would have to deal with; for example, earthquakes and nuclear power plants, which relate to dealing with physical security along with cyber security, in considering unified security at the time of the Olympics.

    Currently, as of 2015, there are more information sharing frameworks being established, like the Japanese Financial ISAC, the Cyber Defense Council of MOD and JC3 (Japan Cybercrime Control Center, the Japanese version of NCFTA), and large-scale cyber exercises taking place in preparation for nation-wide massive events such as the Tokyo Olympics. The most updated information will be given in June 2015. I would also like to discuss and explore possibilities of other countries working together with us toward making such a massive event secure and successful.

    (I hope to give updates on the Tokyo 2020 Olympics situation every year.) (Presentations can be longer, up to 45 min.)

    June 15th, 2015 14:00 – 14:30

    (InterContinental Berlin, Germany)