Conference Program


June 12th (Sunday)

08:00 – 11:30

Summit (by invitation only)

11:00 – 17:00

FIRST Hackathon - Park Studio Room

13:00 – 16:30

GFCE CSIRT Maturity 2nd Expert Meeting (by invitation only)

18:30 – 19:00

Newbie Reception

19:00 – 21:00

Ice Breaker Reception

June 13th (Monday)

Grand Ballroom 2 | Grand Ballroom 1 | Grand Ballroom 3 | Park Ballroom 1 | Other Meetings
08:30 – 09:15

Opening Remarks

09:15 – 10:15

Keynote Presentation

Professor Jong In Lim (Korea University, KR)

10:00 – 10:30

AM Break - Networking Event

10:30 – 11:30

Java RATs: Not even your Macs are safe

Anthony Kasza, Tyler Halfpop (Palo Alto Networks, US)


The missing link between cybercrime gangs

Yurii Khvyl (CSIS Security Group A/S, DK)


Mach-O Libre: Pile Driving Apple Malware with Static Analysis, Big-Data, and Automation

Aaron Stephens, Will Peteroy (icebrg, inc., US)

11:30 – 12:00

The evolution of Russian Android banking Trojans

Alexander Kalinin (CERT-GIB (Group-IB), RU); Dmitry Volkov (Group-IB, RU)


Chasing the operation after the infection of the continuing cyber attacks - Emdivi -

Hiroki Iwai (Deloitte Touche Tohmatsu LLC, JP); Kenzo Masamoto (Macnica Networks Corp., JP); Takahiro Kakumaru (NEC Corporation, JP)

12:00 – 13:00


13:00 – 14:00

EvilEngine: Metamorphic Engine for Kernel Mode Rootkits

Adhokshaj Mishra (Self, IN)


Data Breach Break Downs - A Review Of The Worst Breach Responses

Jake Kouns (Risk Based Security, US)


Advanced Threats in an Exchange Environment

Steven Adair (Volexity, LLC, US)


Tutorial: Coordinated Vulnerability Disclosure for Vendors

Art Manion, Christopher King (CERT/CC, US)

13:00 – 15:00

Information Exchange Policy (IEP) SIG

13:00 – 15:00

14:00 – 14:30

Effective protection against phishing and automated theft

Alexander Kalinin (CERT-GIB (Group-IB), RU); Dmitry Volkov (Group-IB, RU)


Empower researcher with enriched data to find the needle from the hay

Feng Xue (ThreatBook, CN); Hong Jia (ThreatBook, US)


Detecting Malicious Infrastructure and Calculating Risk Scores Using Contextual Information From Open and Dark Web Sources

Staffan Truve (Recorded Future, SE)

Education Committee Meeting

14:00 – 16:00

14:30 – 15:00

PM Break - Networking Event

15:00 – 16:00

The Dark Side of Online Advertisements

Daniel Chechik, Rami Kogan (Trustwave, IL)


Sharing is Caring: Understanding and Measuring Threat Intelligence Sharing Effectiveness

Alex Pinto, Alex Sieira (Niddel, BR)


Evaluating National Level Cyber Risk, the DHS Approach

Mark Bristow (DHS/ICS-CERT, US)


Hunting Malware across the Enterprise

Greg Hoglund (Outlier Security, US)

15:00 – 17:30

16:00 – 17:00

Beyond Sharing: Cyber Threat Intelligence Making a Difference

Richard Struse (US Department of Homeland Security, US)

FIRST Update: Financial & Business Review

16:00 – 17:30


Don’t Shoot the Messenger: Understanding Security Notifications At Scale

Frank Li, Vern Paxson (University of California Berkeley, US); Michael Bailey (University of Illinois Urbana-Champaign, US); Zakir Durumeric (University of Michigan, US)


17:00 – 17:30

Detecting Targeted Web Compromises

James Sheppard (Cisco Systems, US)


Tasty Malware Analysis with T.A.C.O.: Bringing Cuckoo Metadata into IDA Pro

Jason Jones (Arbor Networks ASERT, US)

June 14th (Tuesday)

Grand Ballroom 2 | Grand Ballroom 1 | Grand Ballroom 3 | Other Meetings
08:45 – 09:00

Opening Remarks

09:00 – 10:00


10:00 – 10:30

Coffee Break

10:30 – 11:30

Forensic examination of Critical Infrastructure Compromises

Fyodor Yarochkin (Academia Sinica); Vladimir Kropotov (Independent Researcher, RU); Yennun Huang (Academia Sinica, Taiwan)


Building Robust Tabletop Exercises to Strengthen Your Incident Response Capabilities

Kenneth van Wyk (KRvW Associates, LLC, US)


Practical Forensic Readiness in Security Operations

Clem Craven, Ian Wilson, Matthew Scott (BT, GB)

11:30 – 12:00

Leveraging 3rd Party Sinkhole Operations for Computer Network Defense and Threat Analysis

Michael Jacobs (Software Engineering Institute, US)


Survey on CSIRT Maturity Level in Japan

Takuho Mitsunaga (University of Tokyo, JP)


Yara: An Introduction and Real-World Use Case

Matt Brooks (Chevron, SG)

12:00 – 13:00

Lunch Break

13:00 – 14:30

Barncat: Mining Malware at Scale to Create an Encyclopedia of Malware

John Bambenek (Fidelis Cybersecurity, US)


Decade of Change: 10 years of Product Incident Response at Adobe

David Lenoe, Tom Cignarella (Adobe, US)


Cyber Threat Intelligence & Incident Response

Omar Cruz (US-CERT, US)


14:30 – 15:00

Coffee Break

15:00 – 16:00

Usability and Incentives for Threat Information Sharing Technology

Brian Hein (Hewlett Packard Enterprise, US); Tomas Sander (Hewlett Packard Labs, US)


The role of intel and IR for risk management

Toni Gidwani (ThreatConnect, US)


Does it pay to be cyber-insured?

Eireann Leverett (Concinnity Risks, GB); Marie Moe (SINTEF, NO)


15:00 – 17:00

16:00 – 18:00

Vendor Showcase

June 15th (Wednesday)

Grand Ballroom 2 | Grand Ballroom 1 | Grand Ballroom 3 | Park Ballroom 1 | Other Meetings
08:45 – 09:00

Opening Remarks

09:00 – 10:00

Keynote Presentation: Fostering Security Innovation – Silicon Valley VC Perspective

Doug Dooley (Venrock, US)

10:00 – 10:30

Coffee Break

10:30 – 11:30

Friend or Foe? probably both.

Yonathan Klijnsma (Fox-IT, NL)


Towards a methodology for evaluating threat intelligence feeds

Andrew Kompanek (CERT/CC, US); Pawel Pawlinski, Piotr Kijewski (CERT Polska / NASK, PL)


Webshell classification at scale

Thomas Kastner Msc. (nimbusec Gmbh, AT)


Qualification in the Web – Using NLP for Adversary Identification & Prioritization

Filip Reesalu, Levi Gundert (Recorded Future, US)

10:30 – 13:30

Metrics SIG

10:30 – 12:30

11:30 – 12:30

Facing the Darkness: Domain Shadowing is ruining the Internet

James Pleger, William MacArthur (RiskIQ, US)


DDoS Differentiators: How to gain new insights on attribution from different angles of the same problem

Allison Nixon, Lance James (Flashpoint, US)


Correlating Threats using Internet Snapshots

Brandon Dixon, Steve Ginty (PassiveTotal, US)

12:30 – 13:30

Lunch Break

13:30 – 14:30

Incident response made better by agile robots

Antti Kiuru (NCSC-FI / Ficora, FI)


Best Practices and Big Mistakes in Responding to Major Incidents

Chris Butera (US-CERT, US)


Attacks on Software Publishing Infrastructure and Ground breaking Windows Detection capabilities to thwart that runbook.

David Jones (Cisco, US); Imran Islam (Cisco, DE)


Leadership Training

Jeremy Sparks (United States Cyber Command, US)

13:30 – 16:00

14:30 – 15:00

Coffee Break


14:30 – 16:30

15:00 – 16:00

The Emergence of CSIRTs as Political Actors: Representing Ourselves and Our Stakeholders by Effectively Informing Policy

Tom Millar (US-CERT, US)


Insider Threat Mitigation Guidance

Balaji Balakrishnan (World Bank, US)


Building an Information Sharing Community

Katherine Gagnon (United Nations, US)

16:00 – 16:30

Approach and Outcome of “AOKI” – DNS Sinkhole by JPCERT/CC

Sho Aoki (JPCERT/CC, JP)


How to Discover Cyber Security Talents

Moataz Salah (CyberTalents, EG)


Practical application of STIX/TAXII

Kevin Thomsen (IBM, US)

17:30 – 17:45

Gala Dinner Bus Transfer (meet in hotel lobby)

19:00 – 22:00

Gala Dinner at Let's Run Park

June 16th (Thursday)

Grand Ballroom 2 | Grand Ballroom 1 | Grand Ballroom 3 | Park Ballroom 1 | Other Meetings
09:00 – 09:15

Opening Remarks

09:15 – 10:00


10:00 – 10:30

Coffee Break


Practical DDoS Mitigation

Krassimir Tzvetanov (A10 Networks, Inc, US)

10:00 – 12:00

10:30 – 11:30

A fistful of metrics

Eireann Leverett (Concinnity Risks, GB); John Matherly (Shodan HQ, US)


Barbarians At The Gate(way): An Examination Of The Attacker's Tool Box

Dave Lewis (Akamai Technologies, CA)


It's Not Just About The Ones And Zeros Anymore

Denise Anderson (NH ISAC, US)

11:30 – 12:00

Cybersecurity Readiness for Tokyo 2020 Olympic/Paralympic Games

Ko Ikai (NISC, JP)


CSIRT Management Workflow: Practical Guide for Critical Infrastructure Organizations

Aswami Ariffin, Azlan Nor, Nurul Mohd, Zahri Yunos (CyberSecurity Malaysia, MY)


From Cyber Incident Response to Cyber Resilience: A Case Study

Jr Reagan (Deloitte, US)

12:00 – 13:00

Lunch Break

13:00 – 14:00

Busted! Point of Sale Threat Actor Attribution through POS Honeypots

Kyle Wilhoit (Trend Micro, US)


Your Money is My Money: The Dynamics of a Banking Trojan

Tim Slaybaugh (Northrop Grumman Corporation, US)


Choose your battles, how to fight the right wars

Eyal Paz (Check Point, IL)

Vendor SIG

13:00 – 15:00

14:00 – 15:00

Shell No! – Adversary Web Shell Trends & Mitigations

Levi Gundert (Recorded Future, US)


Inspecting Linux Malwares using Limon Sandbox

Monnappa K A (Cisco Systems, IN)


Taking the Red Pill - Incident Response outside The Matrix

Lorenz Inglin, Stephan Rickauer (Swisscom (Schweiz) AG, CH)

15:00 – 15:30

Coffee Break

15:30 – 17:30


June 17th (Friday)

Grand Ballroom 2 | Grand Ballroom 1 | Grand Ballroom 3 | Park Ballroom 1 | Other Meetings
08:45 – 09:00

Opening Remarks

09:00 – 10:00


10:00 – 10:15

Coffee Break

10:15 – 11:15

DIY Threat Intelligence with Real-Time Data

Paul Vixie (Farsight Security, Inc., US)


Adversary Recon and Practical Defenses Using Domain and DNS OSINT

Timothy Helming (DomainTools, US)


Collaboration as the key to keep a nation safe

Michael Hausding, Serge Droz (SWITCH, CH)


Workshop: MISP, the threat sharing platform, a developer perspective to extensions and collaboration.

Alexandre Dulaunoy, Andras Iklody, Raphael Vinot (CIRCL - Computer Incident Response Center Luxembourg, LU)

10:15 – 14:00

11:15 – 11:45

SOHO router as crucial part of end user security

Zuzana Duracinska (CZ.NIC, team CSIRT.CZ, CZ)


Detecting Lateral Movement in APTs – Analysis Approach on Windows Event Log

Shingo Abe (JPCERT/CC, JP)


MPD: Malicious PDF Files Detection

Mohamed Shawkey, Samir G. Sayed, Sherif Hashem, Walid Zakarya (EG-CERT, EG)

12:00 – 13:00

Closing Remarks

13:00 – 14:00

Lunch Break


Trainer Training - How to become a better trainer and presenter!

Don Stikvoort (MSc CTNLP, NL)

13:00 – 19:00

14:00 – 18:00

June 18th (Saturday)

Other Meetings
08:30 – 17:00
  • Collaboration as the key to keep a nation safe

    Serge Droz (SWITCH, CH), Michael Hausding (SWITCH, CH)

    Dr Serge Droz is a senior expert at SWITCH-CERT and has more than 15 years of experience in CERT work. In his former life Serge did research on black holes.

    Michael Hausding specialises in all aspects of Domain security. He is responsible for the Safer Internet campaign which addresses all forms of domain abuse. In his past Michael worked as a security expert for various ISPs.

    Traditionally fighting the effects of cyber crime was left to CERTs. But criminals misuse an entire value chain for their malicious purposes. End users, ISPs, web hosters, registrars and domain holders, just to name a few, are among the victims. In Switzerland we follow a holistic approach to break the cyber crime value chain in multiple places, by collaborating with all stakeholders, national and international, and calling them to do their share.

    Phishing campaigns, drive-by attacks, spam-runs to install malware are more and more local and target only users in Switzerland. Information about cybercrime targeting Swiss Internet users is collected by the various players and shared on a national level to clean up and mitigate risks to Internet users in Switzerland. Drive-by, C&Cs and Phishing sites are cleaned up asap, infected users are notified by their ISPs and data to directly mitigate risks via RPZ or Filters are distributed to the ISPs to help them protect their customers.

    Despite these efforts end-users will click on malicious attachments and surf on infected websites. To support these victims the Swiss Internet Security Alliance (SISA), a collaboration of Swiss ISPs and banks, was founded. SISA offers a free check that finds and remedies infections as well as awareness. All participants, banks and ISPs, send their infected customers to the same place: SISA. This makes sure they hear the same message.

    We show the critical success factors that allowed us to make Switzerland one of the safest places on the Internet.

    June 17th, 2016 10:15 – 11:15
  • A fistful of metrics

    Eireann Leverett (Concinnity Risks, GB), John Matherly (Shodan HQ, US)

    John Matherly is an Internet cartographer, entrepreneur, and all around good guy.

    Eireann Leverett is a professionally strange person, entrepreneur, and moustache model. He's probably a nice guy.

    They both like toolsmithing for incident responders.

    Doing anything at internet scale is hard.

    It's also particularly hard to cooperate internationally without measures of success or failure.

    Two of the internet's gentleman scholars want to bring you a variety of metrics they find useful. Metrics that mean things to bitshifters, internauts, and incident responders. Quantifications that help them explain things to policy makers, but also make sense to technicians. Measurements they use to communicate risk to the world, and the visualisations that capture internet cartography.

    This session will provide a variety of novel metrics devised during experiments by two of the world's gentleman scholars. They will demonstrate a variety of tools and toolsmithing techniques relevant to the respected audience of the international FIRST community.


    June 16th, 2016 10:30 – 11:30
  • Advanced Threats in an Exchange Environment

    Steven Adair (Volexity, LLC, US)

    Steven Adair is the founder and CEO of Volexity, LLC, a security firm specializing in assisting organizations with threat intelligence, incident response, forensics, and trusted security advisory. Prior to founding Volexity, Steven was the Director of Cyber Intelligence at Verizon Terremark, where he led and built their efforts to track emerging and advanced threats with a core focus on activity related to cyber espionage. Prior to working at Verizon Terremark, Steven ran the Cyber Threat Analysis Program within the Office of the CIO at NASA, which was responsible for proactively detecting, mitigating, and preventing advanced targeted attacks and cyber-intrusions across the Agency.

    Additionally, Steven works with the 501(c)3 non-profit organization the Shadowserver Foundation and has spent a substantial amount of time over the last several years researching, investigating, and tracking various cyber espionage groups and operations. In April 2010, Steven along with researchers and professors from the University of Toronto released a report titled "Shadows in the Cloud: Investigating Cyber Espionage 2.0." The report detailed a deliberate and successful cyber espionage campaign against the Indian Government and Tibetan interests to include systems belonging to the Dalai Lama and his colleagues. Steven is also a co-author of the book "Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code."

    Microsoft Exchange infrastructure systems are huge targets for APT attackers. These systems are very active, often process user and domain administrative credentials, and generally sit on an organization's internal trusted network while being accessible over the Internet. As a result, for the last five plus years, they have become increasingly leveraged for persistence and access into victim networks. Attackers are using these mail systems to maintain a foothold into networks and to exfiltrate data and e-mail right under the nose of system administrators and security teams.

    This presentation will look at several different methods attackers are using to exfiltrate data and remain undetected. This will cover everything from an attacker logging directly into Outlook Web Access to the use of advanced backdoors to facilitate bulk theft of user mailbox data. The presentation will also explore methods to detect and combat these threats.

    June 13th, 2016 13:00 – 14:00
  • Adversary Recon and Practical Defenses Using Domain and DNS OSINT

    Timothy Helming (DomainTools, US)

    Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of investigative and proactive defense offerings. At WatchGuard, he helped define and launch some of the best-selling SMB security appliances in the market. At Symform, he led definition and messaging efforts for that company’s unique peer-to-peer cloud storage solution. Tim has spoken at security conferences such as BSides Las Vegas, FireEye/MIRcon, and AusCERT, as well as media events and technology partner conferences worldwide.

    This session illustrates new ways to investigate--and get ahead of--threat actors, using OSINT (Open Source Threat Intelligence) such as domain registration data, IP address data, MX records, geolocation, and more. Using examples from high-profile cybercrime/espionage cases, Tim Helming of DomainTools will demonstrate how threat actors can be identified or accurately profiled, and how their webs of connected holdings can be mapped for defensive (or offensive) purposes. The techniques shown are used effectively by leading-edge private sector, government, and law enforcement experts to fight cybercrime globally. Effective adversary analysis pays off in all phases of a continuous security model, from monitoring to detection to response to prevention.

    From this session, attendees will be able to:

    1. See how domain-based OSINT has helped investigators glean important information about attackers in high-profile as well as routine threat triage and investigations.
    2. Identify fruitful sources of open source intelligence (OSINT) to conduct adversary analysis during known or suspected breaches or attempts--and apply the findings to all phases of the continuous security model.
    3. Create forensic domain maps--conceptual maps of threat actor infrastructure (domains and IP addresses) that can help the security pro defend against current and future attacks from a given threat actor.
    4. Use easily-discoverable information about threat actors to triage indicators of compromise (IoC) during known or suspected breach activity.
    5. Learn how to “look back in time” and discover dwell time of malicious actors by correlating previously-seen with currently-seen domains (from the forensic domain map), thereby detecting earlier interactions that may have looked innocuous at the time; and how to use monitoring of threat actors to defend against new attack infrastructure.
    June 17th, 2016 10:15 – 11:15
  • Approach and Outcome of “AOKI” – DNS Sinkhole by JPCERT/CC

    Sho Aoki (JPCERT/CC, JP)

    Mr. Sho Aoki, Information Security Analyst, Watch & Warning Group, Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)

    Sho Aoki joined JPCERT/CC in April 2015, and specializes in gathering cyber threat information, verifying vulnerabilities, and also takes part in incident handling and response. He provides comprehensive analyses of the collected cyber threat information and incident investigations, and engages in sharing early warning information with external organizations including the government, critical infrastructure sectors and enterprise CSIRTs, as well as publishing security alerts for both the domestic and overseas.

    This presentation will introduce the approach and outcome of “AOKI” – a DNS sinkhole by JPCERT/CC. Through AOKI, we have observed trends of targeted attacks in the Asia Pacific region and various related threat information. We will also present our information sharing efforts and the outcome in this regard.

    JPCERT/CC launched AOKI in June 2015 with the aim of conducting threat analysis of incidents reported to JPCERT/CC, as well as identifying the extent of damage caused by malware, etc. Using AOKI, we also analyze Command and Control Servers (hereafter “C2 Servers”) that the malware communicates with for advanced targeted attacks.

    Through AOKI, we observed incidents not only in Japan, but also cross-border among countries and regions. For example, we analyzed a certain C2 Server and found that it links to an attack targeting governmental organizations in some of the specific economies in the Asia Pacific.

    JPCERT/CC is exploring ways to effectively share such threat information and related IOCs (Indicators of Compromise) obtained through AOKI, and has started sharing information with some of the economies already. We would like to introduce our approach to FIRST and expand the information sharing coverage beyond the Asia Pacific region, with the hope that it will contribute to the security around the world.

    June 15th, 2016 16:00 – 16:30
  • Attacks on Software Publishing Infrastructure and Ground breaking Windows Detection capabilities to thwart that runbook.

    David Jones (Cisco, US), Imran Islam (Cisco, DE)

    David Jones is a Senior Security Architect for Cisco’s Information Security team. In this role, he is responsible for the creation and implementation of security policies to mitigate risk by preventing security breaches. His primary focus is on mitigating targeted attacks on computing infrastructure. David holds a patent for a network access product innovation.

    In his spare time he is the head chef at Burned Roof BBQ'd Hot sauce company.

    Imran Islam is the Investigations Manager for Cisco’s CSIRT team. Imran’s responsibilities include program management, process enhancements, acquisitions management and technology reviews.

    Imran is also a Bangladeshi footballer who holds the record for being the oldest player. He always has a passion for football and supports Liverpool.

    Emerging Threat: Well-funded adversaries target developers at software companies in order to embed back doors and other malware into their products while leveraging that company's trusted software distribution infrastructure to deploy those pathogens to their customers. Customers will then install these backdoors along with actual bug fixes while believing all is well.

    As a recurring theme, the Windows operating system is still the most common beachhead that is established for this attack to succeed.

    In this talk we will discuss this emerging threat and move on to new advanced detection capabilities to stop those adversaries from infecting those software companies as well as your organization in the first place. These new detection capabilities are focused on enhancing technologies already part of the Windows operating system.

    As a bonus, each attendee will leave with a copy of the instructions for deploying these advanced Windows detection capabilities.

    June 15th, 2016 13:30 – 14:30
  • Barbarians At The Gate(way): An Examination Of The Attacker's Tool Box

    Dave Lewis (Akamai Technologies, CA)

    Dave has almost two decades of industry experience. He has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave also serves on the (ISC)2 Board of Directors. Dave also writes a column for CSO Online and Forbes.

    Attackers are always trying their best to breach your network to steal the secret sauce hidden inside. This session will delve into the attacker's tool set and focus on the types of attacks that are being leveraged against companies today. I will examine tools, case studies and my own war stories.

    June 16th, 2016 10:30 – 11:30
  • Barncat: Mining Malware at Scale to Create an Encyclopedia of Malware

    John Bambenek (Fidelis Cybersecurity, US)

    John Bambenek is a Sr. Threat Analyst at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.

    According to VirusTotal, they received over 500,000 samples of potential malware per day. At times this has peaked to over 1,000,000. The sheer deluge of unique malware samples makes it difficult for incident responders to keep up to protect their networks. Even more difficult is the task for investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations.

    Barncat was designed to help deal with this problem. This system analyzes incoming streams of malware to identify known RATs and other known malware and then strip out the configurations from them to produce near time intelligence of known command-and-control hostnames and IP addresses.

    The aspiration is to create automated surveillance tools that can monitor criminal infrastructure to make it easy for incident handlers to identify problems on their network, for security analysts to protect their networks and for law enforcement to have reliable near-time information for their operations.

    This talk will discuss how the tool generates information and what the possibilities hold for this kind of analysis.

    Access to the database via MISP is given free of charge to CERTs, law enforcement and trusted industry partners.

    June 14th, 2016 13:00 – 14:30
  • Best Practices and Big Mistakes in Responding to Major Incidents

    Chris Butera (US-CERT, US)

    Mr. Christopher Butera serves as an Incident Response Engagement Lead for US-CERT. In this role, he has led response efforts to many large-scale data breaches in both the private sector and federal government, several of which you may have read about in the news. His focus is on discovering and analyzing new forensic artifacts and finding new security controls to prevent APT intrusions and create or enhance opportunities for early detection and containment.

    Mr. Butera is a graduate of the University of Notre Dame and has a Master of Science Degree in Computer Science from the University of Chicago. He holds CISSP, GSEC, and GCED certifications.

    Responding to over a dozen major incidents every year, US-CERT has observed significant similarities in breaches and intrusions across a range of different institutions. US-CERT also provides a comprehensive set of services as part of our incident response activities, leading to enhanced understanding of how breaches occur, what can be done to minimize the impact, and what works (and what doesn't) in crisis communications. Several of our incident response engagements have taken over two months to close out, providing a wealth of experience to share with the CSIRT community as we deal with ever more frequent and severe intrusions into our constituent and customer networks.

    This presentation will discuss incident response trends from US-CERT's perspective as well as best practices prior to, during, and after response to major incidents. Common missteps, lessons learned and our top five preventative measures for organizations to take will also be described in detail, with a focus on recent experiences dealing with Bulk PII compromises.

    June 15th, 2016 13:30 – 14:30
  • Beyond Sharing: Cyber Threat Intelligence Making a Difference

    Richard Struse (US Department of Homeland Security, US)

    Mr. Struse serves as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he is responsible for technology vision, strategy and implementation in support of the NCCIC’s mission. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. In 2015 Mr. Struse was named by Federal Computer Week as one of the “Federal 100” in recognition of his leadership role in the development of cyber threat intelligence technology standards.

    As CSIRTs, ISACs/ISAOs, commercial vendors and others plug into existing and emerging automated Cyber Threat Intelligence ecosystems, the next logical question is “what should we do with all this data?” This talk will explore successful existing applications of CTI and where the CSIRT/IR community is heading based on these interconnected networks. The emphasis will be on approaches that deliver fundamental improvements in defensive cybersecurity operations - at scale. We’ll also ask some thorny questions about how automated CTI ecosystems might disrupt long-standing processes and even beliefs within the security operations community. Finally, promising new uses of CTI will be highlighted and the audience will gain insights into emerging focus areas including:

      • Prevention at the scale of millions of endpoints simultaneously
      • Rapid correction of false positives through automated feedback loops
      • Advanced analysis and meaningful data-driven visuals

    June 13th, 2016 16:00 – 17:00
  • Building an Information Sharing Community

    Katherine Gagnon (United Nations, US)

    Katherine Gagnon has been working in IT for over 22 years, with 19 focused directly in information security after she graduated Johns Hopkins University with a bachelor's degree in Computer Science. She has worked as a consultant performing pen testing, architecture design and review, infrastructure deployment, and more. In addition to 3 years as the program manager for information security at Discovery Communications, Katherine spent substantial time in the public sector having worked for years between USAID and US Department of State before entering the realm of international organizations where she currently serves as an Information Security Officer with the World Bank Group though on assignment to the United Nations as the lead for Common Secure, an information sharing service for UN family organizations. Her expertise after 5.5 years at the World Bank running endpoint engineering followed by cyber threat intelligence teams made her uniquely qualified to build a program at the UN.

    Historically the organizations of the United Nations Common System did not have a meaningful way to communicate cyber security information amongst themselves, nor has there been a presence in the greater infosec sharing communities. Starting in September 2015, there has been a concerted effort to address both problems.

    The United Nations International Computing Centre, under directive of the UN Secretary General and mandate by a steering committee comprised of United Nations CISOs, has taken on the initiative to invest in and build a program dubbed "Common Secure" which all UN and UN "Family" organizations may subscribe to (similar to an ISAC). However, the difference between a traditional ISAC and Common Secure is that an ISAC is more focused on a vertical market, which typically means similar threat actors and some shared threat landscape. Contrary to that, within the UN the "market" is more horizontal in that the breadth of constituents runs the gamut from world critical infrastructure concerns (IAEA, WHO, OPCW) to more humanitarian efforts (UNICEF, UNESCO).

    This presentation will discuss the genesis of Common Secure, including how we've socialized the solution, challenges faced, partnerships, and more.

    June 15th, 2016 15:00 – 16:00
  • Building Robust Tabletop Exercises to Strengthen Your Incident Response Capabilities

    Kenneth van Wyk (KRvW Associates, LLC, US)

    Ken is an internationally recognized information security expert and author of three popular books, including Enterprise Security: A Confluence of Disciplines (Pearson, 2014), Secure Coding: Principles and Practices (O’Reilly, 2003), and Incident Response (O’Reilly, 2001). He is also a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.

    Ken has previously held executive and senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-wide incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.

    Ken was also on the Board of Directors for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He holds a mechanical engineering degree and is a distinguished alumnus from Lehigh University and is a frequent speaker at technical conferences, including S3, CSI, ISF, FIRST, and others.

    Most CSIRTs today know the value of planning, training, and drilling. Indeed, most have elaborate standard operating procedures describing how they will respond to various types of incidents, as recommended by NIST's SP 800-61.

    While that's all well and good, often times those plans focus too much on the technical aspects of incident response, or they fail to adequately address the business or involve the various interdisciplinary key stakeholders in an organization.

    In this practical session, Ken van Wyk will describe how to design and run an interdisciplinary tabletop drill in modern medium- to large-sized organizations. The session will cover who to involve in the tabletop drill, what their roles and responsibilities should be, and how to effectively engage with them during the drill. Additionally, it will give practical guidance on how to construct realistic scenarios that draw various business departments into resolving the simulated incidents. These often include corporate communications, legal counsel, human resources, and other organizations that aren't typically direct components of an incident response team, yet are nonetheless key stakeholders during many real world incidents.

    Getting the right executive decision makers together for a tabletop drill is challenging enough, and chances are you'll only have their attention for a brief period of time. Designing the right tabletop drill for them to understand not just the basics of your CSIRT's processes but also why their own roles are so vital during real world incidents is crucial to the drill's success.

    Van Wyk has built such drills and involved executive teams in dozens of multi-billion dollar corporations. This session will present the practical aspects of making those drills work effectively in your organization.

    June 14th, 2016 10:30 – 11:30
  • Busted! Point of Sale Threat Actor Attribution through POS Honeypots

    Kyle Wilhoit (Trend Micro, US)

    Kyle is a Sr. Threat Researcher at Trend Micro. Prior to joining Trend Micro, he worked at Fireeye as a Threat Intelligence expert, hunting state sponsored entities worldwide. He was also the lead incident handler and malware reverse engineer at a large energy company, focusing on ICS/SCADA security and targeted persistent threats. He has also worked at a Tier 1 ISP playing with malware, as a threat analyst and incident response specialist. Kyle has extensive knowledge and experience in the offensive security realm as well.

    What would POS Terminal cybercriminals do if they didn’t know you were watching? Find out in this demonstration in which researcher Kyle Wilhoit will use a combination of physical and virtual honeypots to track POS attackers from the initial infection to the exfiltration and resale of data. This session will provide you with the insights you need to better protect your organization that may be using POS terminals.

    June 16th, 2016 13:00 – 14:00
  • Chasing the operation after the infection of the continuing cyber attacks - Emdivi -

    Takahiro Kakumaru (NEC Corporation, JP), Hiroki Iwai (Deloitte Touche Tohmatsu LLC, JP), Kenzo Masamoto (Macnica Networks Corp., JP)

    Takahiro Kakumaru (NEC Corporation), CISSP

    Takahiro Kakumaru is an assistant manager with the Cybersecurity Strategy Division at NEC Corporation. His research interests lie in the areas of cyber threat intelligence, network security monitoring, honeypots, interference with deception, and cyber threat sharing. He holds a master's degree in Engineering from Hokkaido University. He holds CISSP certification.

    Hiroki Iwai (Deloitte Japan)

    Hiroki Iwai is a Digital Forensic Analyst with Deloitte Japan and a researcher with Deloitte Tohmatsu Advanced Research Laboratory of Cyber. He analyzes cyber security incidents and advises clients in Japan about security measures. He is a forensics instructor specializing in forensics training for law enforcement, and Director of the Japan Cyber Crime Control Center.

    Kenzo Masamoto (Macnica Networks Corp.)

    Kenzo Masamoto is the Security Researcher, Digital Forensic Analyst and Security Solution Architect at Macnica Networks Corp. He has been responsible for security consulting, monitoring of security products (IDS/IPS, WAF, Sandbox, Monitoring Products) and security event analysis for over a decade.

    A RAT (Remote Access Tool) type of malware called Emdivi shook Japan in 2015, and it continues to be observed. In this presentation, we present our findings on the tools the attackers appear to have used and the commands they appear to have executed, as well as TTPs (Tools, Techniques, and Procedures), pivoting technology, and clustering analysis of samples. Finally, we try to infer what the attackers are looking for.

    June 13th, 2016 11:30 – 12:00
  • Choose your battles, how to fight the right wars

    Eyal Paz (Check Point, IL)

    Eyal Paz is a technology leader and security innovation researcher at Check Point. During the past five years, Eyal has been doing application and malware research, developing new methods to track risks and anomalies on corporate enterprise networks. Eyal holds a B.Sc. in Software Engineering and is currently working on his master's degree in Computer Science.

    In recent years threat intelligence awareness has grown rapidly, not only among the Fortune 500 but among medium-sized companies as well. There are dozens of threat intelligence IoC feeds by excellent cyber-security companies, start-ups, and by great open and closed communities as well.

    But recent research published on this issue shows that even all feeds combined still barely scratch the surface of the malicious threat actors out there. On the other hand, the opposite problem for some organizations is that they are overloaded with security events; this problem exists even if we assume that the IoC feeds are of high quality and have a low false-positive rate.

    In this talk we'll discuss how to choose your battles and how to fight the right wars in your own enterprise network: how to prioritize incident handling and focus on the most important incidents. This is accomplished by running statistical analysis on your network and creating your own customized threat intelligence feed, and by consolidating all of your available threat intelligence resources, open-source intelligence (OSINT) and your own internal security events. By this you maximize your protections against future potential attacks.

    We'll demonstrate that this task is relatively simple to perform, but the added revenue of doing so is extremely high. The security gain is even greater when mutually sharing the home-made feed across the relevant community. The demonstrations will be based on recent, actual campaigns.

    June 16th, 2016 13:00 – 14:00
  • Correlating Threats using Internet Snapshots

    Brandon Dixon (PassiveTotal, US), Steve Ginty (PassiveTotal, US)

    Brandon Dixon is the lead developer and co-founder of PassiveTotal. His primary research involves data analysis, tool development and devising strategies to counter threats earlier in the decision cycle. Throughout the years, Brandon has developed several public tools, most notably PassiveTotal, PDF X-Ray and HyperTotal. His research and development on various security topics has gained accolades from many major security vendors and industry peers.

    Steve Ginty, co-founder of PassiveTotal, has more than nine years of experience in the IT Security Industry. Steve has spent the past five years researching targeted intrusions against Fortune 500 organizations. His experience includes leading a team of multi-disciplined researchers implementing proactive methodologies to track threat actor infrastructure and malware associated with attack activity. Steve’s primary areas of research include threat infrastructure analysis and threat data visualization.

    Organizations are bombarded with threat intelligence in the forms of feeds, long form reports and shallow guidance, yet none of these impart the wisdom of the analyst who helped derive the content. Using years of analyst experience, Steve and Brandon from PassiveTotal have created a platform that not only aids in the discovery of new potential threat infrastructure, but also distills their years of subject matter expertise into analyst guideposts that even a junior analyst could follow in order to action data provided from 3rd-party providers.

    In September 2015, PassiveTotal was acquired by RiskIQ and with that brought years of Internet-scanning data that RiskIQ had collected by crawling the web. In this talk, we want to move beyond the popular sources of infrastructure connection like WHOIS and passive DNS and instead, focus on the non-traditional points of correlation derived from the data found within the RiskIQ repositories. Our demonstration will not only show that these non-traditional sources find data WHOIS and passive DNS miss, it will also identify subtle mistakes in an attacker's operational security.

    Attendees should expect to walk away with knowledge of new datasets, some of which could be collected on their own, and how they could aid them in discovering additional pieces of infrastructure. Additionally, a demonstration will be done highlighting how an analyst could operationalize the data in order to make discoveries by using the PassiveTotal platform or command line tools using the free API. Threats have become more advanced, yet our ways of making connections have largely stayed the same. By giving the analyst more tools and ways of surfacing malicious content, we hopefully succeed in making it harder for attackers to be successful.

    June 15th, 2016 11:30 – 12:30
  • CSIRT Management Workflow: Practical Guide for Critical Infrastructure Organizations

    Nurul Mohd (CyberSecurity Malaysia, MY), Zahri Yunos (CyberSecurity Malaysia, MY), Aswami Ariffin (CyberSecurity Malaysia, MY), Azlan Nor (CyberSecurity Malaysia, MY)

    NURUL HUSNA BT MOHD NOR HAZALIN is a Senior Analyst in CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, Malaysia. Nurul holds a Bachelor's Degree in Information Technology majoring in Information System Engineering from the Multimedia University (MMU), Melaka, Malaysia. She is a certified Information Security Auditor by ISACA, certified ISO27001 Lead Auditor by British Standard Institution (BSI), certified Associate Business Continuity Professional by the Disaster Recovery Institute International (DRI) USA, certified Security Analyst by EC-COUNCIL, certified ITIL by EXIN, and certified CompTIA Security+ by CompTIA USA.

    DR. ZAHRI YUNOS is the Chief Operating Officer of CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, Malaysia. Zahri holds a PhD in Information Security from the Universiti Teknikal Malaysia Melaka (UTeM), Melaka, Malaysia. Zahri also holds a Master’s degree in Electrical Engineering from the Universiti Teknologi Malaysia, Malaysia and a Bachelor’s degree in Computer Science from the Fairleigh Dickinson University, New Jersey, USA. He is a certified Associate Business Continuity Professional by the Disaster Recovery Institute International, USA. Zahri has been awarded Senior Information Security Professional Honoree in July 2010 by the (ISC)2, USA. He has contributed various publications and presented papers on topics related to cyber security, cyber terrorism and business continuity management.

    Dr Aswami Ariffin is a digital forensics scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation with various law enforcement agencies/regulatory bodies, and has provided expert testimony in court. Aswami was awarded ISLA - Information Security Leadership Award in 2009 by (ISC)2 USA, as well as commendation letters from the Attorney General's Chambers Malaysia and the Royal Malaysia Police in 2010. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX, 2013. He also serves as a committee member for the digital forensics program of the prestigious International Conference on Availability, Reliability and Security (ARES). Currently, Dr Aswami is Vice President of CyberSecurity Responsive Services at CyberSecurity Malaysia.

    MOHD AZLAN MOHD NOR is the Head of Secure Technology Services Department in CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, Malaysia. He holds an HND in Electronic Engineering from Frederiksberg Teknike Skole, Copenhagen, Denmark. He is at present overseeing Information Security Services operations in CyberSecurity Malaysia. Azlan has over 10 years of working experience in the Information Technology field. His areas of expertise are system security, penetration testing, web security and ISMS execution. Azlan is a Certified Ethical Hacker (CEH) and Certified Security Analyst (ECSA).

    Cyberspace, including the Internet, has become an indispensable part of modern life. While development in the field of ICT allows for enormous gains in efficiency and productivity, it has created opportunities for those with devious ambitions to cause havoc and harm. The potential for catastrophic cyber attacks that can cripple the operations of critical infrastructures of nations is worrying. Critical National Information Infrastructure (CNII) is deemed critical to the nation because disruption of the systems and communication networks could significantly affect the nation’s economic, political, strategic and socio-economic activities. The capability to have a functional enterprise CSIRT is seen as closely connected to the idea of critical infrastructure protection. This paper proposes that CNII organizations establish a Computer Security Incident Response Team (CSIRT), which provides systematic guidance for managing the organization's information security risks to an acceptable level.

    June 16th, 2016 11:30 – 12:00
  • Cyber Threat Intelligence & Incident Response

    Omar Cruz (US-CERT, US)

    Omar Cruz is the chief of the Cyber Threat Information Sharing branch of US-CERT and a veteran of the US Marine Corps.

    Over the last 18 months, US-CERT has responded to many major security breaches at government agencies and in the healthcare sector. This presentation will describe how US-CERT leverages discoveries from incident response engagements in developing new indicator products, as well as using known cyber threat information to better understand the Modus Operandi and tactics, techniques and procedures of the intruders. US-CERT's procedures for implementing CTI in incident response and lessons learned from real world engagements will be explained, as well as an overview of our information sharing program and how attendees can get involved.

    June 14th, 2016 13:00 – 14:30
  • Cybersecurity Readiness for Tokyo 2020 Olympic/Paralympic Games

    Ko Ikai (NISC, JP)

    Ko IKAI joined the National Police Agency (NPA) in April 1995. At the early stage of his career, he gained experience in planning cybercrime countermeasures. After 1 year of studying cybersecurity at George Washington University in the USA, he was posted as Deputy Chief of the Cyber Force Center, the technical unit for watch & warning and CII of NPA, in 2002. From 2006 to 2008, he worked for the G8 Roma/Lyon Group and the G8 Justice and Home Affairs Ministerial Meeting in the International Division, NPA. In 2010, he started his first posting at the National Information Security Center (NISC) and was in charge of strategic policy making. For 3 years after 2012, he served as a Deputy Director for human resources management of about 4,000 technical officials in NPA. In March 2015, he was posted to NISC again, and he is now working as the Counsellor for the Tokyo 2020 Olympic/Paralympic cybersecurity project.

    Cybersecurity of global big events such as the Olympic/Paralympic Games is a great challenge for the incident response teams concerned. Securing such events requires building coordination among many and various stakeholders, considering extremely large and sophisticated attacks, analyzing a variety of international and social background issues, and adapting the solutions to never-ending technological innovations. The author's presentation will depict the challenges and how the government of Japan is trying to address them in preparing cybersecurity readiness for the Tokyo 2020 Olympic/Paralympic Games.

    June 16th, 2016 11:30 – 12:00
  • Data Breach Break Downs - A Review Of The Worst Breach Responses

    Jake Kouns (Risk Based Security, US)

    Jake Kouns is the CISO for Risk Based Security and oversees the operations of the Open Sourced Vulnerability Database. Mr. Kouns has presented at many well-known security conferences including RSA, Black Hat, DEF CON, CISO Executive Summit, CanSecWest, SOURCE, FIRST and SyScan. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

    Carsten Eiram is the Chief Research Officer of Risk Based Security and manages the Vulnerability Intelligence (VI) solution, VulnDB, and internal research. Carsten has managed VDBs for 15 years and is considered a leading expert in the VI field.

    As a researcher with a reverse engineering background, Carsten has ~200 vulnerability discoveries credited to his name. Most are critical issues in high-profile products from major software vendors including: Microsoft, Adobe, Symantec, IBM, Novell, SAP, Rockwell, Schneider Electric. Carsten is often quoted in security articles and has presented at conferences such as FIRST, RSA, DEF CON, RVAsec, as well as keynoting Defcamp. He is a regular contributor to the 'Threat of the Month' column in SC Magazine and member of the CVE Editorial Board.

    Since 2005, there have been over 18,000 data breaches exposing approximately 4.5 billion records. The total cost has been astronomical and it has come to a point where it is embarrassing that organizations have not figured out how to prevent even the most basic breaches from happening. More importantly, organizations have not learned how to respond to incidents appropriately.

    This presentation dissects some of the most interesting and worst breaches of the past several years. The focus of the talk will be on the cause, impact, cost, and poor incident handling that resulted. We will go over what could have been done to better respond to many of these incidents.

    Based on the knowledge and insight gained from this discussion, attendees will be better prepared to learn from other people's mistakes, better understand data breaches, and ultimately how to better prevent them from happening.

    June 13th, 2016 13:00 – 14:00
  • DDoS Differentiators: How to gain new insights on attribution from different angles of the same problem

    Lance James (Flashpoint, US), Allison Nixon (Flashpoint, US)

    Lance James serves as Chief Scientist at Flashpoint where he helps guide research and engages in thought leadership. Prior to joining Flashpoint, Mr. James was the Head of Cyber Intelligence at Deloitte & Touche LLP.

    An internationally renowned information security specialist, Mr. James has more than fifteen years of experience in programming, network security, digital forensics, malware research, cryptography design, cryptanalysis, counterintelligence, and protocol exploitation. He provides advisory services to a wide range of government agencies and Fortune 500 organizations including America’s top financial services institutions. Credited with the identification of Zeus and other malware, Mr. James is an active contributor to the evolution of security practices and counterintelligence tactics and strategies.

    Mr. James was the founding force behind the CryptoLocker Working Group, where he and his team of researchers were acknowledged for their critical role in disrupting CryptoLocker as part of an FBI-led takedown operation. Over the years, he has championed other takedowns of criminal organizations through his strategic alliances with industry, academia, and law enforcement.

    Allison Nixon is the Director of Security Research at Flashpoint. She has been a background source for numerous investigations and articles that focus on the post-breach issue of "who dunnit?". She performs original threat research and is at the forefront of answering questions that people have not yet thought to ask. In 2013, she spoke at Blackhat about bypassing DDOS protection. In 2014, she released a paper detailing methods for vetting leaked data. She has been looking into the issue of "booters" and DDOS services. She researches DDOS attribution, cybercrime attribution, and criminal communities. In her spare time she grows tomatoes and makes puns.

    DDoS has emerged as a major problem affecting the health of the entire Internet. Very little highlights the asymmetrical nature of cyberwarfare more than DDoS attacks. It has become so easy that children lacking technical skills can shut down online services used by millions of people.

    For five dollars, an attacker can purchase an attack that would cost thousands to mitigate. For some, the solution is to hide behind DDoS protection services. But this is a short term solution. The root of the problem is easily exploitable devices on the Internet, and the people who exploit them.

    This talk discusses the tactics and strategies used by those working on the long term solution, and concrete examples where information sharing can bring down criminal enterprises without bringing any additional risk to the victims.

    June 15th, 2016 11:30 – 12:30
  • Decade of Change: 10 years of Product Incident Response at Adobe

    Tom Cignarella (Adobe, US), David Lenoe (Adobe, US)

    Tom Cignarella is the Director of Incident Response at Adobe. He was formerly the director of Product Operations for Adobe's CloudOps group and technical operations for Adobe EchoSign (now part of Adobe Document Cloud). Tom leads Adobe’s response to technical security incidents spanning all aspects of IT operations and our hosted service offerings. Tom partners with the operational incident response teams across the company to set the strategy and build out the framework for day-to-day operations for how teams monitor environments, investigate incidents, and communicate with internal stakeholders and customers. His team also drives the feedback loop of findings and lessons learned from incidents into the security roadmaps that teams use to track & prioritize their proactive investments.

    David Lenoe is Director, Secure Software Engineering at Adobe. In his role, Lenoe manages the Product Security Incident Response Team (PSIRT) dedicated to responding to and communicating about security issues, as well as the Adobe Secure Software Engineering Team (ASSET) responsible for ensuring Adobe's products are designed, engineered and validated using security best practices. Lenoe is also responsible for Adobe’s vulnerability information sharing via the Microsoft Active Protections Program (MAPP). Lenoe represents Adobe on SAFECode's Board of Directors and acts as SAFECode’s Treasurer. Lenoe joined Adobe as part of the Macromedia acquisition in 2004. At Macromedia, Lenoe held several management and engineering positions in the areas of product security, product management and quality assurance. Lenoe earned a BA in Japanese language and literature from Connecticut College.

    Incident Response at Adobe started off 10 years ago when the Product Security team was first formed – mostly coordinated disclosure (called ‘responsible disclosure’ back then) of vulnerabilities from security researchers and partners. After a couple of years, coordinated disclosure practices became more challenging – when exploits in the wild against Adobe runtime products began to proliferate. As the product and threat landscape evolved further, with hosted services entering into the mix, we began to see that vulnerability response and traditional network incident response were overlapping, and a new approach was required. We’ll talk about our journey, lessons we've learned along the way, and where we see incident response at Adobe going in the future.

    June 14th, 2016 13:00 – 14:30
  • Detecting Lateral Movement in APTs – Analysis Approach on Windows Event Log

    Shingo Abe (JPCERT/CC, JP)

    Mr. Shingo ABE (JPCERT/CC)

    After being engaged in research and development on IT security such as the implementation of algorithm, the Mobile Device Management (MDM) development for Android Tablet and the development of cryptography key management system, etc. at Toshiba Solution Corporation for 7 years, Mr. Shingo ABE joined JPCERT/CC in October 2014. He is engaged in the response for cyber incidents on industrial control system, information collection/analysis and communication/coordination in the ICS Security Response Group.

    Detecting "lateral movement" – the spreading of an infection after the initial compromise of an internal network – in APT attacks is extremely challenging. This presentation will focus on “Active Directory event log” and introduce our unique visualization of the related activities utilizing event logs, and how to effectively detect attacks. We will also present case studies and findings of JPCERT/CC’s incident analysis. Lastly, through collaborative trial studies with Industrial Control System (ICS) asset owners, we found that this methodology is also effective for principal Windows in ICS, even under an environment where Active Directory is not utilized. The presentation will also discuss results of these studies.

    In 2015, Japan faced numerous advanced attacks. Under this situation, JPCERT/CC gained the cooperation of some of the victim organizations and conducted investigations on the malware and related logs. Through our analysis, we found several cases of lateral movement where the attacker had taken over the user account of Domain Controller administrative privileges under the Active Directory environment. In this presentation, we will cover event log settings and key items that are highly useful in detecting such attacks, and more.

    June 17th, 2016 11:15 – 11:45
  • Detecting Malicious Infrastructure and Calculating Risk Scores Using Contextual Information From Open and Dark Web Sources

    Staffan Truve (Recorded Future, SE)

    Staffan Truvé is the co-founder and CTO of Recorded Future. He has co-founded over fifteen software companies, including visualization pioneer Spotfire (acquired by Tibco) and Appgate (now Cryptzone) for network security. Staffan holds a PhD in computer science from Chalmers University of Technology. He has been a visiting Fulbright Scholar at MIT. His research interests include threat intelligence, machine learning, natural language processing and information visualization. He is a member of the Royal Swedish Academy of Engineering Sciences.

    Risk scoring of IP addresses and other technical indicators is crucial to running an efficient IT / network security operation. Currently, traditional threat lists are compiled from information provided by honeypots, analyses of log files, and similar sources. This research shows a new approach that uses contextual information derived through text analysis (Natural Language Processing) of documents sourced from the open web, forums, paste sites, and onion sites. The methodology is illustrated by an analysis done on 12 months of historic data from open web sources, forums, and paste sites, showing how a set of IP addresses can be identified as potentially malicious based on their aggregated context from a large number of documents. This presentation contains information e.g. on planned attacks (including lists of target IP addresses that should be scanned for vulnerabilities, and results of such scans) and discussions about how to configure malware with different C&C servers. In conclusion, this new approach provides a higher proportion of malicious outbound IP addresses when compared to traditional threat lists. As a result of this analysis, operational defenders will gain another valuable source of complementary threat information.

    June 13th, 2016 14:00 – 14:30
  • Detecting Targeted Web Compromises

    James Sheppard (Cisco Systems, US)

    James Sheppard joined Cisco Systems in 2011 as an Information Security Analyst for the Computer Security Incident Response Team (CSIRT) and later became the Analyst Team Lead. His primary objectives were rearchitecting analyst procedures, streamlining detection techniques, and improving CSIRT's coverage of the rapidly evolving threat landscape. James is now the Lead Threat Intel Analyst and is primarily focused on operationalizing threat intelligence and designing monitoring strategies to protect Cisco from the newest, most relevant threats.

    As an analyst with the Cisco Computer Security Incident Response Team (CSIRT), I have observed and responded to numerous compromises resulting from the exposure of hacked websites. These attacks, growing in popularity, are difficult to detect. Reputation-based scoring doesn’t work, zero-day malware is frequently used, and there are no visible signs of compromise. Regardless of the difficulty, we cannot sit around and wait for hacked machines before discovering the root cause. My job as a practitioner is to create detection capabilities that increase our coverage of the threat landscape, and I would like to discuss how incident response teams can proactively generate their own threat intelligence related to targeted web compromises.

    The main focus of this discussion will be a custom web crawler that detects malicious modifications to websites including iframe redirects, spam injection, and website defacement. Cisco CSIRT is actively taking steps to open source this tool and targets a release date of June 12, 2016. Upon release, incident response practitioners can use this tool in two ways:

    Website monitoring tool – Add your organization’s domains to the crawler’s list of sites to be regularly monitored. An alert will be generated if anything suspicious is found.

    External monitoring solution – Proactively generate your own threat intelligence by scanning potentially compromised websites.

    The web crawler employs a variety of detection techniques: it inspects the Document Object Model of each page, calculates the position and size of iframes, analyzes anchor tags using threat intelligence, and calculates differences in screenshots and ssdeep hashes. These capabilities allow detection of iframe redirects, vbscript injection, spam injection on blog posts, raw pastebin injection, email disclosure, and website defacement. Case studies of actual compromises and alerts will be presented at the conference.

    The web crawler was built using three open-source technologies: Scrapy, PhantomJS, and Django. Scrapy is a web scraping and crawling framework written in Python, which serves as the basic foundation of the web crawler. PhantomJS is a headless web driver; in other words, a browser without a graphical user interface (GUI). PhantomJS allows the crawler to load dynamic page content and “browse” websites just like a human would. Django is a Python web framework and was used to build out a web interface so practitioners can easily add/remove domains to crawl and view alerts.

    Finally, the web crawler can be integrated with log aggregation technologies such as Splunk and ElasticSearch, allowing industry practitioners to search logs for alert data.

    June 13th, 2016 17:00 – 17:30
  • DIY Threat Intelligence with Real-Time Data

    Paul Vixie (Farsight Security, Inc., US)

    Dr. Paul Vixie is the CEO of Farsight Security, Inc. In 2014, he was inducted into the Internet Hall of Fame for his work related to DNS. Previously, he served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Dr. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8. He earned his Ph.D. from Keio University for work related to DNS and DNSSEC.

    Today most incident response teams rely on vendor threat feeds to gain additional intelligence about the attacks against their network. Yet vendor threat intelligence alone is limited -- if the IOCs, signatures, or other feeds don't match what investigators have found in their network the investigation itself can come to an abrupt end. In this presentation, “DIY Threat Intelligence With Real-Time Data,” Dr. Paul Vixie, an Internet pioneer inducted into the 2014 Internet Hall of Fame for his work related to DNS, will demonstrate how digital investigators can go beyond threat indicators to create their own threat intelligence using real-time data from the Global DNS. For example, using real-time DNS observations, a domain name might lead you to a list of IP addresses and perhaps a list of name servers. Following those IP addresses and name servers will often lead to more domain names of interest, etc. When you're done investigating, you'll have an excellent picture of "what's connected to what" and have created threat intelligence specific to your own incident leading to faster response and mitigation.

    June 17th, 2016 10:15 – 11:15
  • Does it pay to be cyber-insured?

    Marie Moe (SINTEF, NO), Eireann Leverett (Concinnity Risks, GB)

    Marie Moe is passionate about incident handling and information sharing. She cares about public safety and securing systems that may impact human lives, which is why she has joined the grassroots organisation “I Am The Cavalry”. Marie is a research scientist at SINTEF ICT, and has a Ph.D. in information security. She has experience as a team leader at NorCERT, the Norwegian national CERT. Marie also teaches a class on incident management and contingency planning at the Norwegian University of Science and Technology.

    Eireann Leverett has studied psychology, philosophy, artificial intelligence, software engineering, and computer security at various times in his life. He holds a BEng from Edinburgh University and an MPhil from the University of Cambridge in Advanced Computer Science. His research focuses upon technological disasters and the economic impacts of computer security failures or accidents. He has experience of compromising the security of organisations, and assisting them to improve their security postures through a variety of short and long term methods. He is interested in computer security at scale, security economics, systems security, incident response, critical infrastructure protection, safety, firmware signing, exploit markets, vulnerability management, quality assurance, indicators of compromise, modelling, networks, risk, visualisations, and zero knowledge proofs.

    The demand for insurance against cyber attacks is rapidly increasing and insurance companies are entering the field as actors in the incident response food chain. Businesses that want to use cyber insurance as a risk management strategy need to understand the risk they are facing, and how cyber insurance can reduce this risk. This implies a need to understand and evaluate cyber insurance policies. Insurance companies, on the other hand, need to be able to differentiate between potential clients based on the risk they are facing, so as to reduce the risk of adverse selection. They also need to understand the needs of the various market segments, in order to offer cyber insurance products that are relevant.

    For both the supply and the demand side it is important to understand and document costs related to cyber-incidents, in order to agree on compensation in case there is an incident. Insurance companies are currently partnering with security consultants, managed security service providers and incident response teams to evaluate the cyber security posture of potential customers, and to provide rapid incident response services aimed at minimising damage and cost of cyber incidents. However, this is still an immature area and more research is needed to establish a cost-benefit framework for cyber insurance and better understand the underlying factors that influence the costs associated with cyber attacks.

    SINTEF has performed a study identifying knowledge gaps in using cyber insurance as a risk management strategy [1], and performed interviews with several insurance companies that offer cyber insurance to the Norwegian market. This spring we will continue this qualitative research with further in-depth interviews with insurance companies, insurance company contractors and customers.

    Some of the key issues that will be discussed in this talk are:

    • Where do insurance companies best fit in to the incident response lifecycle?
    • How can CERTs collaborate with insurance companies to mitigate and minimise costs of cyber incidents?
    • What language do CERTs need to speak to interact efficiently with insurers?

    [1] I. A. Tøndel, P. H. Meland, A. Omerovic, E. A. Gjære and B. Solhaug: Using Cyber-Insurance as a Risk Management Strategy: Knowledge Gaps and Recommendations for Further Research. Technical Report

    June 14th, 2016 15:00 – 16:00
  • Don’t Shoot the Messenger: Understanding Security Notifications At Scale

    Frank Li (University of California Berkeley, US), Zakir Durumeric (University of Michigan, US), Michael Bailey (University of Illinois Urbana-Champaign, US), Vern Paxson (University of California Berkeley, US)

    Frank Li is a graduate student at the University of California Berkeley in computer security.

    Zakir Durumeric is a graduate student at the University of Michigan in computer security.

    Michael Bailey is a professor at the University of Illinois Urbana-Champaign in the Department of Electrical and Computer Engineering.

    Vern Paxson is a professor at the University of California Berkeley in the Department of Electrical Engineering and Computer Science.

    In March 2014, researchers found a catastrophic vulnerability in OpenSSL, the cryptographic library used to secure connections in popular server products. While OpenSSL has had several notable security issues during its 16-year history, this flaw, the Heartbleed vulnerability, was one of the most impactful, allowing attackers to read sensitive memory from vulnerable servers. As researchers, we analyzed the impact of the vulnerability and tracked the server operator community's responses. While this work gave a detailed view into global patching behavior, perhaps the most interesting lesson from our study of Heartbleed is the surprising impact that direct notification of network operators can have on patching. Even with worldwide publicity and automatic update mechanisms, Heartbleed patching plateaued two weeks after disclosure with 2.4% of HTTPS hosts remaining vulnerable. We emailed network operators about the unpatched systems in their address spaces, in two groups a week apart. Surprisingly, we observed that during the period when only the first group had been contacted, the rate of patching was 47% higher for those notified.

    Although Internet-wide measurement techniques have enabled the mass detection of both vulnerable and compromised systems, many researchers (including us) had assumed that performing mass security notifications for any global incident would be either too difficult or ineffective. Our findings challenge this view. As a result, we now believe more work is needed to understand what factors influence the effectiveness of mass notifications and to determine how best to perform them.

    In this talk, we will briefly summarize our experiences with mass notifications and solicit the community's feedback on our ongoing efforts to answer several core research questions. For example, how do response rates vary for a range of types of security events with varying characteristics and user demographics? What is the best means of reaching the people responsible for managing these systems, and what role do organizations like CERTs play? Finally, how do we construct a notification message for maximum effectiveness? By answering these important questions, we hope to make automatic, measurement-driven mass notifications an important tool in the defensive security arsenal.

    June 13th, 2016 16:00 – 17:00
  • Effective protection against phishing and automated theft

    Dmitry Volkov (Group-IB, RU), Alexander Kalinin (CERT-GIB (Group-IB), RU)

    Dmitry Volkov, head of threat prevention & the investigation department at Group-IB. Alexander Kalinin, head of CERT-GIB at Group-IB.

    This presentation outlines the actions of a criminal group that created a new phishing kit allowing them to make automated money transfers.

    This tactic has forced us to review the procedures that we use to ensure we are adequately preventing fraudulent activities.

    This presentation will outline how CERT-GIB has achieved automated identification of new phishing pages created by this group.

    In addition, we will also display how we perform automated analysis of compromised credit cards in real-time, and what procedures have been taken to prevent fraud, even when cybercriminals have fallen off our radar.

    June 13th, 2016 14:00 – 14:30
  • Empower researcher with enriched data to find the needle from the hay

    Hong Jia (ThreatBook, US), Feng Xue (ThreatBook, CN)

    Hong Jia is the head of response and research in ThreatBook Labs, a startup company based in China providing threat intelligence services. She is also the co-founder. Hong leads ThreatBook’s effort in threat incident response, threat intelligence research, data mining and correlation data study applied to research in threat intelligence. Prior to joining and setting up ThreatBook Labs, Hong worked as the principal lab manager of response and research at Microsoft Malware Protection Center (MMPC), with labs in Redmond (WA), Vancouver (BC) and Beijing. She has been leading MMPC labs’ effort to protect billions of computer from malware through fast incident response, deep malware family threat research and machine learning driven automation for malware clustering and classification. She also served as liaison between MMPC and China security companies, and has helped in a number of MMPC security program’s deployment in China through her strong industry relationships with security organizations and vendors. Hong gained valuable experience working at Microsoft and collaborating with security industry during her 15 service in Microsoft.

    Researchers at security firms often face two scenarios. In the first, after a security incident has happened, they trace back through the in-house data and find that some of the relevant data has been in existence for nearly half a year, some even for almost a year, yet its presence did not raise any noticeable alert to researchers. In the second, facing huge amounts of data every day, with hundreds of thousands of suspicious programs and tens of thousands of indicator of compromise (IOC) records, researchers need to spend a lot of time investigating and identifying the severe and actionable relevant data using a variety of tools. The data dilemma for researchers always seems to be too much data or too little data. Researchers need a unified platform to raise potential high-risk threat alerts from the mass of data in time. Security researchers can then immediately investigate, monitor and further strengthen the collection of data from targeted sensors and sources, thus reducing the investigation cycle needed to track down the threat, to find the needle from the hay.

    In this talk, I want to share with you a threat intelligence analysis platform through a deep dive into two China-focused threats, and share how it helps to gather scalable threat data, provides an interactive unified analysis platform to our researchers, helps researchers to reduce the threat analysis cycle, reduces the assessment time of the threat infrastructure capability and produces actionable IOCs based on the threat’s tactics, techniques and procedures (TTP).

    June 13th, 2016 14:00 – 14:30
  • Evaluating National Level Cyber Risk, the DHS Approach

    Mark Bristow (DHS/ICS-CERT, US)

    Mark Bristow is the Chief for Incident Response and Management for the Industrial Control Systems Cyber Incident Response Team (ICS-CERT) at the National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security. Mark has been with ICS-CERT, and its predecessor organization the control system security program (CSSP) since 2008. Mark has worked previously conducting assessments and penetration tests of industrial control systems equipment in multiple sectors with a focus on electric power generation, transmission and distribution. Mark has a bachelor’s degree in Computer Engineering from The Pennsylvania State University.

    Currently there is no system that is designed to assess the severity of cyber incidents at a national level. Many systems and schemas, including NIST 800-61 r2, provide excellent guidance within the scope of a single entity’s Security Operations Center (SOC); however, these systems do not address this risk within the national paradigm. Large scale and national cyber operations centers like the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) need to assess risk to accommodate external parties across a diverse set of private critical infrastructure asset owners/operators and USG Departments/Agencies. The NCCIC Cyber Incident Scoring System (NCISS) is designed to provide a repeatable and consistent rating mechanism for evaluating the risk of an incident in this context.

    The NCISS was based on NIST 800-61 r2 and tailored to include entity specific potential impact categories that allow NCCIC to evaluate the severity and prioritize on a national scale. This allows for a similar incident at two different stakeholders to have a significantly different score based on the national level potential impact of the entity.

    The functional methodology uses a weighted average that ultimately produces a score from 0 to 100. The severity/risk score drives NCCIC processes and determines the necessary incident response prioritization and service level for each individual case. The system is not designed to support cases where multiple correlated incidents may increase severity (i.e., raise the priority).

    The inputs to the scoring system are a hybrid of discrete and analytical assessments that will generate a score approximating the relative risk of the incident. While every attempt is made to minimize this effect via training and exercise, different individual scorers will have slightly different perspectives on analytical responses to the scoring questions. The use of discrete, verifiable inputs lessens the impact or sway from any individual analytical factor, increasing the overall precision of the system. Ultimately the system is designed to provide a repeatable risk estimation that provides guidance for evaluation by incident response managers rather than set a hard line.

    June 13th, 2016 15:00 – 16:00
  • EvilEngine: Metamorphic Engine for Kernel Mode Rootkits

    Adhokshaj Mishra (Self, IN)

    Adhokshaj Mishra is a hobbyist programmer with some interest in the information security domain. He mostly codes in C, C++, C#, VB.NET and assembly language. His primary domains of interest are cryptography, virology, cryptovirology, kleptography and mutation. He has worked as a cyber crime investigator, and as a trainer of cyber crime investigation for the Special Task Force, UP Police. He has also taught hacking (especially malware stuff) in various Indian and overseas locations. He loves to speak at security conferences and meet-ups, and as a result has given talks at C0C0N 2014, DC Lucknow 2015, and various null chapter meets as well as specialized null sessions. He maintains a blog at

    Mutation and rootkits are two very powerful techniques commonly used by malware authors to maximize the lifespan of their malware by hindering the detection and analysis process. Many cases of mutation-powered malware have been seen in the wild; however, very few (if any) cases of rootkits powered by an in-built mutation engine have been spotted (unlike new variants coming from the malware author directly). The talk will focus on the design and construction of a metamorphic engine which can be used to mutate loadable kernel modules for recent versions of the Linux kernel. The metamorphic engine operates at object code level, and therefore, object code is mutated, and then linked to generate the final kernel object. It supports common mutation techniques like instruction swapping, junk insertion and detection, instruction reordering etc. Possible detections and mitigations will also be discussed.

    June 13th, 2016 13:00 – 14:00
  • Facing the Darkness: Domain Shadowing is ruining the Internet

    James Pleger (RiskIQ, US), William MacArthur (RiskIQ, US)

    James Pleger: I am currently the Head of Research at RiskIQ, focusing our efforts on improving our customers' lives by taking an outside-in approach to security. Part of this effort is ensuring that ad networks and exchanges are able to combat malware and other sources of malicious activities. Additionally, our team focuses on bringing new technologies and detection methodologies to help ensure that we are keeping up with the threat landscape as it evolves.

    William MacArthur: William MacArthur is a threat researcher for RiskIQ, focusing on the large array of web threats within the company's vast data set. His past has been mainly at a Registrar/Hosting Provider which was highlighted by several large investigations including the identification of domain shadowing victims since 2010, sinkholing c2 domains for Flame Malware, hundreds of thousands of domain suspensions, phishing investigations, server cleanup and, later, mitigation of large-scale DDOS attacks and ISOC duties.

    Our talk will be focused on Domain Shadowing from a unique perspective (being on the registrar end as well as the vendor end of the spectrum). During this 40 minute long presentation we will be showing the history of the threat not only from our point of view but also from the attackers’ methods we observed first-hand. This leads us to showcasing some of the threats associated with this activity including but not limited to malicious traffic distribution, exploit kits, fake tech support scams and other fraudulent activity.

    In addition, we will discuss what it would take in order for any type of mitigation efforts to be taken, and why nothing significant has been done to disrupt this threat since 2010.

    June 15th, 2016 11:30 – 12:30
  • Forensic examination of Critical Infrastructure Compromises

    Fyodor Yarochkin (Academia Sinica), Vladimir Kropotov (Independent Researcher, RU), Yennun Huang (Academia Sinica, Taiwan)

    Fyodor Yarochkin is currently a Senior Threat Researcher at VArmour and a Ph.D. candidate at EE, NTU and Academia Sinica. His strong technical background combined with his fluency in Russian, English, and Chinese, has allowed him to become a world expert on cyber crime, especially on monetization schemes and the role of digital currencies. An early Snort developer, he frequently speaks at security conferences, including BlackHat US '13 '10 '05, BlackHat Singapore '01, BlackHat HK '01, BlueHat '10, RusCrypto '14, HITCon '14 '13, HoneyCon '14, HITB KL '12, HITB AMS '13, PHDays '14 '13, GroundZero '13, ZeroNights '12 '11, OWASP India '12, Hacklu '12, Nullcon '11, ACAMS APAC '11, SyScan TW '11 '10, OWASP Asia '08 '07, VNSecurity '07, XCon '06 '03, HITB '05 '04, SyScan '05, Bellua '05, Ruxcon '03.

    Vladimir Kropotov is a security researcher with Positive Technologies. His main interests lie in network traffic analysis, incident response, botnet investigations, and cybercrime. He is a frequent speaker at a number of conferences including HITB, CARO, PhDays and ZeroNights.

    This presentation examines several case studies of critical infrastructure compromises in the Asia-Pacific and Eastern European regions. It covers in-depth details of identified attacker techniques, procedures and attributes, giving insight into the initial detection of each incident, the timeline of events, detailed forensic analysis, attribution details, and the impact on compromised infrastructure. It also discusses the primary reasons why, in each case, the initial breach was possible and was not detected for a given period of time. The presentation will also walk through a set of custom and off-the-shelf tools which the presenters developed or used during each investigation.

    June 14th, 2016 10:30 – 11:30
  • Friend or Foe? probably both.

    Yonathan Klijnsma (Fox-IT, NL)

    Yonathan Klijnsma is a senior threat intelligence analyst working for Fox-IT, part of NCCGroup. Yonathan specializes in the analysis and tracking of attack campaigns, working out the attacker profiles and investigating the tools and techniques used by attackers. Yonathan's area of focus and expertise lies within espionage related cases.

    Geopolitical relationships between countries are complex and sometimes full of contradictions. Governments that seem to be friendly and cooperative in public, often pursue parallel agendas that are less than obvious. This talk describes systematic espionage aimed at the government and critical infrastructure sector of Myanmar. It specifically focuses on how campaign milestones align with important geopolitical and economic events and outlines the campaign development and the malware being used since 2012, of which nothing is publicly known.

    June 15th, 2016 10:30 – 11:30
  • From Cyber Incident Response to Cyber Resilience: A Case Study

    Jr Reagan (Deloitte, US)

    Dr. Reagan is Global Chief Information Security Officer (CISO) of Deloitte Touche Tohmatsu Limited (DTTL) with revenue of $34B, over 210,000 employees and operating in more than 150 countries. As the senior-most information protection officer, he leads the next-generation design of the global security organization. He is a frequent presenter on Cybersecurity, Innovation & Analytics across the globe and has appeared in the Wall Street Journal, Financial Times, CNN and Washington Post.

    Dr. Reagan is Professional Faculty at Johns Hopkins (Carey Business School), Cornell (Johnson Graduate School of Management), Columbia University and has guest lectured at Harvard (Kennedy School of Government), Northwestern University (Kellogg School of Management) and University of Notre Dame (Mendoza College of Business). He also serves on the editorial board of The Public Sector Innovation Journal, the Electronic Journal of e-Government and is a Fellow at the Aspen Institute.

    The uncertainty surrounding cyber incident response presents an opportunity for CIOs to educate the executive team on cyber resilience—the coordinated set of enterprise wide activities designed to help organizations respond to and recover from a variety of cyber incidents, while reducing the cost, impact to business operations, and brand damage.

    This session will provide a case study of bringing Incident Response together across multiple lines of business in multiple countries with a shared responsibility—not one that falls on the CISO’s shoulders alone. This includes coordinated response efforts across legal, communications, HR, and other functions in a case study of building cyber resilience.

    June 16th, 2016 11:30 – 12:00
  • How to Discover Cyber Security Talents

    Moataz Salah (CyberTalents, EG)

    Moataz Salah has been working in cyber security for the last 11 years. Moataz is the founder of Bluekaizen, a company working in cyber security education. Moataz received his bachelor's degree in Communication Engineering from Alexandria University. For the last 6 years, Moataz has been focusing on the human aspect, the weakest link in the cyber security chain. In 2010, Moataz founded the most valuable conference in the Middle East (Cairo Security Camp). In 2011, the conference released the first capture the flag competition in the region for security professionals. In 2011, Moataz started issuing the first and only printed magazine devoted to information security in the Middle East. In the last couple of years, Moataz started to focus on helping fresh graduates and recruiters to get connected through different ways including competitions, bootcamps and the cybertalents portal.

    Despite the advanced technologies we have reached in securing cyber space, from next generation firewalls and UTMs to anti-malware and others, humans remain the main asset in an information security system. Finding a cyber security professional that you can trust to secure your infrastructure has become a very hard job. Today there is a severe shortage in the cybersecurity workforce. According to the Cisco Annual Report in 2014, the world suffers a shortage of one million cybersecurity job openings. The shortage of cybersecurity talent might explain why salaries of cybersecurity professionals are expected to rise in the coming five years. Governments, security agencies and large enterprises are all desperately searching for cybersecurity talents that can cope with the latest cyber security risks and threats in the cyber world. Different governments are working on finding solutions to increase the size of the cybersecurity workforce and the number of cybersecurity professionals, either by funding cybersecurity professional training, Masters or others. Moreover, cyber security is not an entry level position. Students or graduates must have some knowledge or experience in programming or networking, for example, to start working in network security or application security. Today, with the expansion of the attack surface, students and graduates must have basic knowledge of control systems to work in Industrial Control Systems, SCADA systems or IoT security.

    However, an important point is missing: cybersecurity is not only a book to read, a certificate to gain or a training to attend. Most black hat hackers didn’t take any SANS / EC-Council training or certificate. They might not even have joined one of the top ranked universities. You might find a young kid of 13 years old who hacked into a CIA Director's mail, or a 15 year old who attacked the website of the British broadband and telephone provider TalkTalk, and many others; the examples are endless. So, what is the equation? What is the formula for discovering cyber talents?

    In this session, we will prove that cybersecurity is a talent. Second, we will share our experience in discovering cyber talents in different universities. Third, we will present the formula that will help different countries, governments, universities and of course companies to build the workforce they need, the equation that balances the white hat hackers and black hat hackers in our cyber world. Also, the session will include a demonstration of tools we developed to assess and measure cyber talents.

    June 15th, 2016 16:00 – 16:30
  • Hunting Malware across the Enterprise

    Greg Hoglund (Outlier Security, US)

    Mr. Taylor is a technical and managerial professional with over 20 years of experience in Computer Security, with 15 of those years being focused on Digital Forensics and Incident Response, who has served both commercial and Federal Government clients. He is a subject matter expert on digital forensics, having supported computer, network, and mobile device forensics cases in both civil and criminal environments. He is a subject matter expert on breach response, having supported and helped build multiple Security Operations Centers (SOC) and Cyber Incident Response Teams (CIRT) as both an internal employee and as an external consultant. He is also a sought after speaker, who has presented at numerous conferences and taught numerous classes related to network security, computer forensics, and intrusion methodology.

    In Incident Response, we frequently want to collect live information from systems in order to determine if they are part of an incident. Knowing information such as current open network connections and running processes helps determine which systems to focus forensic analysis on. This collection frequently requires getting console access to the system, either locally or remotely. We can also frequently obtain this information remotely using built-in remote management features of Windows that provide a cleaner and easier way to obtain even more information than was possible from the console. Using WMIC, PowerShell, and other remote management features that are already present on standard Windows workstations, we will show how to remotely triage systems and collect data useful to forensic analysis.

    June 13th, 2016 15:00 – 17:30
  • Incident response made better by agile robots

    Antti Kiuru (NCSC-FI / Ficora, FI)

    Antti Kiuru is the head of Coordination Centre in the National Cyber Security Centre of Finland. He has been with CERT-FI, later NCSC-FI since 2008 and has done his fair share of incident response before moving on to manage the team in the beginning of 2013. Antti has been involved in many areas of the CERT's internals, including system administration, abuse handling, service development and now management among other things.

    Finland is often said to have the cleanest networks in the world. That is not only because of an active CERT, but because of the right tooling, the right timing and cooperation. The presentation will focus on how we've developed our tools, sometimes on-demand and sometimes during a longer phase.

    The right tools and quick adaptation of available methods have been in many cases the success factor in both mapping threats and responding to large scale incidents. Tools have everything to do with how building automation enables the teams to focus on more important and non-trivial cyber security issues.

    However, tools are not the only thing you'll need. The team, and the flow of information inside it, is the key to success. I will open up how NCSC-FI's team works on a daily basis and share some experiences of what sort of things you need to take into account when your team triples in size.

    June 15th, 2016 13:30 – 14:30
  • Insider Threat Mitigation Guidance

    Balaji Balakrishnan (World Bank, US)

    Balaji Balakrishnan has more than 16 years’ experience in IT and Information security domain specializing in security operations management and incident response. He has worked in major financial services organizations and has managed 24/7 SOCs/incident response teams.

    Insider threats are complex and require planning to create multi-year mitigation strategies. Each organization should tailor its approach to meet its unique needs. The goal of this paper is to provide relevant best practices, policies, frameworks and tools available for implementing a comprehensive insider threat mitigation program. Security practitioners can use this paper as a reference and customize their mitigation plans according to their organizations’ goals. The first section provides reference frameworks for implementing an insider threat mitigation program with the Intelligence and National Security Alliance (INSA) Insider Threat roadmap, Carnegie Mellon University's Computer Emergency Response Team (CERT) insider threat best practices, CERT insider threat program components, National Institute of Standards and Technology (NIST) Cybersecurity Framework, and other relevant guidance. This section provides an implementation case study of an insider threat mitigation program for a hypothetical organization. The second section of this paper will present example use cases on implementing operational insider threat detection indicators by using a risk scoring methodology and Splunk. A single event might not be considered anomalous, whereas a combination of events assigned a high-risk score by the methodology might be considered anomalous and require further review. A risk scoring method can assign a risk score for each user/identity for each anomalous event. These risk scores are aggregated daily to identify username/identity pairs associated with a high risk score. Further investigation can determine if any insider threat activity was involved. This section explains how to implement a statistical model using standard deviation to find anomalous insider threat events. The goal is to provide implementation examples of different use cases using a risk scoring methodology to implement insider threat monitoring.

    June 15th, 2016 15:00 – 16:00
  • Inspecting Linux Malwares using Limon Sandbox

    Monnappa K A (Cisco Systems, IN)

    Monnappa K A is based out of Bangalore, India. He works with Cisco's incident response team as an information security investigator focusing on threat intelligence, investigation of advanced cyber attacks, and researching cyber espionage and APT attacks. He is a core member of the security research community "SecurityXploded." His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. As an active speaker at security conferences like Black Hat Europe, FIRST/4SICS, Nullcon, C0c0n, and SecurityXploded meetings, he has presented on various topics which include memory forensics, malware analysis, rootkit analysis, and also conducted training at FIRST TC Amsterdam and FIRST/4SICS-SCADA cyber security summit. He has also authored various articles in Hakin9, eForensics, and HackInsight magazines.

    Linux is growing in popularity, and with servers and embedded applications running Linux, it has become a target for malware attacks. When an organization is infected with Linux malware, responding to such incidents becomes important. To determine the capabilities of Linux malware and its associated indicators, and to establish better security controls, there is a need today for automated analysis of Linux malware. This presentation focuses on the analysis of real-world Linux malware samples using the Limon sandbox. Limon is a sandbox developed to automatically collect, analyze and report on the runtime indicators of Linux malware. The presentation covers the details of inspecting Linux malware before execution, during execution and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using Limon. It covers details of determining the malware's process activity, interaction with the file system, network activity and other advanced techniques used by Linux malware to bypass live forensics and system administration tools. The presentation also touches on the implementation details of the Limon sandbox and will present video demos showing the analysis of real-world Linux malware samples.

    June 16th, 2016 14:00 – 15:00
  • It's Not Just About The Ones And Zeros Anymore

    Denise Anderson (NH ISAC, US)

    Denise Anderson has over 25 years of management level experience in the private sector and is President of the National Health Information Sharing and Analysis Center (NH-ISAC), a non-profit organization that is dedicated to protecting the health sector from physical and cyber attacks and incidents through dissemination of trusted and timely information.

    Denise currently serves as Chair of the National Council of ISACs and participates in a number of industry groups such as the Cross-Sector Cyber Security Working Group (CSCSWG). She was instrumental in implementing a CI/KR industry initiative to establish a private sector liaison seat at the National Infrastructure Coordinating Center (NICC) to enhance information sharing between the private sector, CI/KR community and the federal government and serves as one of the liaisons. She is a health sector representative to the National Cybersecurity and Communications Integration Center (NCCIC), a Department of Homeland Security-led coordinated watch and warning center, and sits on the Cyber Unified Coordination Group (UCG), a public/private advisory group that comes together to provide guidance during a significant cyber event.

    Denise is certified as an EMT (B), Firefighter I/II and Instructor I/II in the state of Virginia, and is an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia. She is also certified under the National Incident Management System (NIMS). In addition, she has served on the Board and as Officer and President of an international credit association, and has spoken at events all over the globe.

    Denise holds a BA in English, magna cum laude, from Loyola Marymount University and an MBA in International Business from American University. She is a graduate of the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.

    With the increasing connectivity to the internet in the health sector including electronic medical records, medical applications on smartphones and medical devices, the risks of compromise are rising astronomically. When you take into account that most healthcare systems do not have a CISO or a SOC and spend less than 3 percent of their IT budget on security, the risk magnifies. This session will cover the various threats seen in the medical sector, including specific cases; the threat surface; the challenges that the sector faces; the current activity around medical device security including MDRAP, a risk assessment program for medical device security, and a common vulnerability reporting structure for medical devices; and information sharing practices including STIX and TAXII usage in the sector, citing specific examples. Discussion will also cover how the sector is collaborating and work being done on a playbook for sector incident response.

    June 16th, 2016 10:30 – 11:30
  • Java RATs: Not even your Macs are safe

    Anthony Kasza (Palo Alto Networks, US), Tyler Halfpop (Palo Alto Networks, US)

    Anthony Kasza is a Senior Threat Researcher for Palo Alto Networks. At Palo Alto Networks, Anthony is responsible for discovering new and tracking known threats to ensure context around customer detections. Prior to Palo Alto Networks, Anthony was responsible for creating scalable classification systems, producing and operationalizing threat intelligence, and researching malware communication protocols. Anthony earned his Master of Science degree from DePaul University in Computer, Information, and Network Security. Anthony often speaks at industry conferences and actively participates in the open source community.

    Java’s “write once, run anywhere” capabilities make it a popular platform for attackers. This talk will perform a deep examination of popular Java malware families' capabilities and indicators and will reveal uncommon analysis techniques to immediately help you with investigations. Analysis of Java malware families' behaviors and infrastructure will be delivered to aid with the creation of threat intelligence and provide an understanding of the current threat landscape.

    June 13th, 2016 10:30 – 11:30
  • Keynote Presentation

    Professor Jong In Lim (Korea University, KR)

    Professor of Graduate School of Information Security, Korea University

    Doctor’s degree and Master’s degree in Cryptology at Korea University

    Bachelor’s degree in Mathematics at Korea University

    2015/01 – 2015/12: the Special Adviser in Security to the President

    2013/06: the Chairman of Digital Investigation Advisory Committee at Supreme Prosecutors’ Office

    2012/06: the Head of Cyber Defense R&D Center, Graduate School of Information Security, Korea University

    2010/01 – 2010/12: the 15th Chairman of Korea Institute of Information Security & Cryptology

    2000 – 2015/12: the Dean of Graduate School of Information Security, Korea University

    The Adviser of Cyber security in National Intelligence Service

    The Professor of Cyber Defense of Graduate School on Information Security, Korea University

    Note: This session will be in Korean with simul-interpretation service.

    June 13th, 2016 09:15 – 10:15
  • Keynote Presentation: Fostering Security Innovation – Silicon Valley VC Perspective

    Doug Dooley (Venrock, US)

    Doug Dooley focuses on investments in security and infrastructure from Venrock’s Palo Alto office. Before joining Venrock, Doug spent almost two decades as an entrepreneur and technology executive at some of the most innovative and market dominant technology infrastructure companies ranging from large corporations like Cisco and Intel to security and virtualization startups like Neoteris, NetScreen, and RingCube. Doug was the vice president of product management for Coraid, an Ethernet block storage startup. Before working on storage, Doug was an executive leading Cisco’s desktop virtualization product team responsible for the definition, development, and delivery of a complete VDI solution consisting of data center, networking, collaboration, and end-user device elements.

    Before Cisco, he was vice president of marketing and product management at virtual desktop startup, RingCube acquired by Citrix now part of XenDesktop. Prior to RingCube/Citrix, he was one of the early employees of Neoteris who pioneered the SSL VPN market. Doug became a director of technical and product marketing overseeing Juniper Networks entire security portfolio joining through the $4 billion dollar double acquisitions of Neoteris and NetScreen. Earlier in his career, Doug held various management, engineering, sales, and marketing roles at Inktomi, Intel, and Nortel Networks.

    Doug received his B.S. (cum laude) in computer engineering from Virginia Tech.

    Sophisticated attackers in the digital world have become extremely innovative in the past decade. As a result of their investments for innovation, many top criminal and state-sponsored cyberattack groups have achieved their financial or strategic goals at the expense of businesses, governments, and private citizens. In addition to global cooperation among FIRST responders, we need to continue to foster disruptive innovation for security. What are some of the characteristics of disruptive innovation? What are some of the exciting new areas we can expect to see in the next 3-5 years in security? What role can each of us play to foster innovation that disrupts our adversaries?

    June 15th, 2016 09:00 – 10:00
  • Leadership Training

    Jeremy Sparks (United States Cyber Command, US)

    Captain Jeremy Sparks is a Weapons and Tactics officer at US CYBER COMMAND. Prior to taking his current post, Capt Sparks oversaw cyber warfare tactics development for the USAF cyberspace force. During his 16 year career he has served as a Crew Commander at the USAF CERT, USAF CERT incident responder, USAF CERT Chief of Digital Forensics, and Cyber Threat and Network Defense instructor and curriculum developer for the USAF undergraduate cyber training schoolhouse. Capt Sparks is a distinguished graduate of Undergraduate Network Warfare Training, USAF Weapons School and a three-time presenter at the U.S. Department of Defense Cyber Crime Conference.

    During FIRST 2015, Capt Sparks gave a presentation on how cyber warfare operators are trained to lead crisis response teams and consistently improve IR practices through a process called debriefing. Debriefing consists of reconstructing and evaluating an event to determine how to replicate success and avoid repeat mistakes. The debrief process encompasses a review of events, identification of problems, determination of root causes and development of lessons learned. Debriefing is not a strategy for protecting a network. It is a method that should be used to evaluate how well you are performing a function, job or mission and provides the tools for constant improvement. The most common feedback item from 2015 was that the attendees would like a hands-on demonstration of the techniques. Based on that feedback, Capt Sparks is offering a 3 hour hands-on session in 2016. The session will be a deep dive of leadership training with practical scenarios and real-world vignettes.

    June 15th, 2016 13:30 – 16:00
  • Leveraging 3rd Party Sinkhole Operations for Computer Network Defense and Threat Analysis

    Michael Jacobs (Software Engineering Institute, US)

    Michael has worked in the IT security industry for 16 years in both the private and civilian government sectors. As a network traffic analyst and former US-CERT Section Chief, Michael's interests focused on DNS and network flow traffic analysis. Currently employed as a Member of the Technical Staff at the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute, Michael's work involves the application of data mining and cyber threat analysis to define structured analytic process development.

    In this talk we will discuss a practical approach to maintaining an inventory of 3rd party sinkhole operations, and applying that knowledge to intrusion analysis. DNS analysis and sinkhole operations have become an essential part of the anti-abuse ecosystem, figuring prominently in network compromise, malware research and in botnet takedowns. But for various reasons, not all organizations have the capacity to maintain their own sinkholes or directly take advantage of the data collected from third party operations.

    We will discuss the need for the identification and tracking of third-party sinkhole operations. We will then address how the third-party sinkhole data can be indirectly leveraged for situational awareness and threat intelligence, local perimeter defense and intrusion analysis, as well as the support of research malware analysis efforts. We will describe a practical methodology for identifying and tracking sinkhole operations, and then share a few success stories identifying previously unknown compromises on a real network. Finally, we will argue the need for a larger collaboration effort in tracking third party sinkhole operations and in doing so we will describe how that effort could benefit the larger community.

    June 14th, 2016 11:30 – 12:00
  • Mach-O Libre: Pile Driving Apple Malware with Static Analysis, Big-Data, and Automation

    Aaron Stephens (icebrg, inc., US), Will Peteroy (icebrg, inc., US)

    Aaron studied Computer Engineering and Computer Science at the University of Washington. Initially set on hardware and software development, his interests shifted towards security after joining student organizations and participating in Capture the Flag (CTF) and Collegiate Cyber Defense Competition (CCDC) events. Hired as an intern at ICEBRG over a year ago, he is now a full-time associate threat researcher focusing on Apple Static Analysis, Dynamic Analysis environments and large-scale external data source processing and analytics.

    William Peteroy, co-founder of Icebrg Inc., has led diverse technical and strategic efforts in network and product security for government agencies and fortune 50 enterprises. William specializes in security architecture, adversary emulation, network analysis, attack methodologies, incident response, threat intelligence and product security. He has spoken at numerous conferences including RECON, DerbyCon, KiwiCon, BSides PDX, BSides Vancouver and BSides Seattle. Icebrg was formed in large part because of William’s passions for “solving the whole problem, not just part of it” and sees it as his responsibility to leverage a unique set of skills and experience to help others understand risk and bring the next generation of network security to market. William holds a Masters of Science in Engineering and Computer Science from The Johns Hopkins University and was an instructor at the U.S. National Cryptologic School.

    Apple devices are becoming increasingly more common in personal and enterprise computing environments. It's time to bring modern, scalable techniques for analyzing Apple malware. Early tools for analysis are either very costly, closed-source, or difficult to extend, and none of the available tools focus on extracting key data from binaries to enable collaboration and big-data analysis.

    After a brief overview of the Mach-O (Apple binary) file format, we'll take a look at Mach-O Libre, a python-based Mach-O binary metadata parser we've been building and will be sharing publicly for the first time. Where many tools have different approaches to enabling individual analysts, Mach-O Libre extracts and calculates key metadata and outputs it into an extensible, big-data and sharing-friendly format. With our shiny new analysis tool in hand, we'll explore its current features on some real malware samples and discuss how it can automate the process of identifying and dissecting Apple malware at scale. We'll finish with lessons learned and obstacles we had along the way, planned future development, and our vision for Mach-O Libre going forward to enable further attribution and collaboration features.

    June 13th, 2016 10:30 – 11:30
  • MPD: Malicious PDF Files Detection

    Samir G. Sayed (EG-CERT, EG), Mohamed Shawkey (EG-CERT, EG), Walid Zakarya (EG-CERT, EG), Sherif Hashem (EG-CERT, EG)

    All authors are in the Egyptian Computer Emergency Readiness Team (EG-CERT).

    Portable Document Format (PDF) has become a widely accepted format since its invention by Adobe Systems in 1993. This is because PDF documents are totally independent of operating system, hardware, and software. Although all of these features simplify the handling of documents using computers, they have also made PDF one of the most fascinating vehicles for exploitation by malware writers. As a result, the number of PDF attacks has tremendously increased in the past years. Once the systems have been exploited, they may be used in a class of targeted attacks called Advanced Persistent Threats (APTs) whose goal is espionage on government agencies, financial sectors, and individuals. They might also be used in non-targeted attacks such as worms and botnets. The attackers exploit vulnerabilities in PDF files to inject other malicious files such as JavaScript, portable executable (PE) files, HTML, images, or other malicious PDF files inside PDF documents.

    To gain the advantages of using PDF documents with minimum drawbacks, several research efforts have been introduced to detect and/or prevent malicious PDF documents. The existing tools such as intrusion detection systems (IDSs) and antivirus packages are heuristic and signature-based techniques. However, these techniques are inefficient because they need regular updates with the new malicious PDF files, which are increasing every day. In addition, there is a limited number of researchers concerned with creating signatures for the new malicious PDF files. Accordingly, there has been an urgent necessity for alternative techniques to detect malicious PDF.

    In this research a new technique is presented to overcome the drawbacks of these techniques. The proposed algorithm combines an optimization technique called the Improved Binary Gravitational Search Algorithm (IBGSA) as a feature selection algorithm with a set of classifiers such as Random Forest and Decision Tree to detect the malicious PDF files. A large data set of malicious and benign PDF files is gathered. To have a balanced training set, the numbers of malicious and benign PDF files in the training data set are the same. A total of 22000 malicious and benign PDF files with no duplication in the data set are obtained from the EG-CERT. The data set is partitioned into three subsets: training, evaluating, and testing. The training and evaluating sets are used to obtain the most effective attributes. The testing set is used to measure the performance of the proposed system over unseen PDF files. The procedure of selecting the training set is based on 10-fold cross-validation. Experimental results show that the proposed algorithm can achieve a 99.8% detection rate, 99.8% accuracy, and less than 0.2% false positive rate. The proposed algorithm can achieve better performance compared to antivirus packages. In addition, the proposed algorithm is flexible enough either to be integrated with antivirus packages or to be used as a stand-alone tool. The proposed algorithm can also be used with any type of PDF file. For future work, the proposed system can be improved to achieve a better false positive rate by combining it with dynamic analysis algorithms. In addition, the proposed algorithm will be tested against classifier evasion techniques and mimicry attacks in which malicious PDF files mimic the structure of benign PDF files.

    June 17th, 2016 11:15 – 11:45
  • Practical application of STIX/TAXII

    Kevin Thomsen (IBM, US)

    Kevin Thomsen is a seasoned IT professional with over nineteen years of comprehensive business and technical skill sets within the financial services sector. Expertise in cyber security, information security, data center infrastructure, requirements analysis, workflow design, project management, leadership, process modeling, testing/quality assurance, software development and vendor relationships. Kevin joined IBM in 2014 and developed a cyber threat intelligence capability maturity model which helped mature IBM’s Security Intelligence & Operations practice. Kevin has led consulting teams to assess and recommend security strategy for clients to optimize their security operations center program following IBM's SOC Capability Maturity Model (CMM) framework. Prior to IBM, Kevin worked for Citi for seventeen years. While at Citi, Kevin helped create Citi's Cyber Intelligence Center (CIC), which had the responsibility of acquiring threat intelligence and distributing products and services within the enterprise. Kevin led the Client Services team, which established operational and responsibility processes with internal divisions to ensure intelligence acquired by the CIC would be actioned upon by the business unit as well as feedback which was used for operational metrics to demonstrate program value. Kevin is an affiliate board member to the Financial Services - Information Sharing & Analysis Center (FS-ISAC).

    The session will provide a high level overview of STIX/TAXII. How organizations are leveraging tools like Soltra to automate threat intelligence collection, de-duplication and threat mitigation. Reference to JHU APL study on automating cyber defense which shows how leveraging STIX/TAXII allowed organizations participating in the study to reduce the time from threat identification to action from hours to minutes. The session will include a demonstration from a security analyst point of view, how they use collaboration tools (X-Force Exchange) to develop threat intelligence collections. The demonstration will show how Soltra can be configured to automatically ingest those threat intelligence collections into Soltra. The demonstration will also show how the SIEM (QRadar) should be configured to automatically ingest threat intelligence from Soltra and relevant security rules to leverage the threat intelligence.

    June 15th, 2016 16:00 – 16:30
  • Practical DDoS Mitigation

    Krassimir Tzvetanov (A10 Networks, Inc, US)

    Mr. Tzvetanov currently works as a Principal Security Engineer for A10 Networks, and focuses on security and DDoS products. He also runs the PSIRT and DSIRT teams of A10. In the past Mr. Tzvetanov has worked on security and traffic management problems at Cisco and Yahoo!.

    This session goes over the main types of attacks being used at present, why they are effective, what part of the system they affect and how to mitigate them successfully with a reasonable amount of resources.

    In addition, it covers some of the tools used by the underground and allows the participants to use them and observe live traffic from them.

    June 16th, 2016 10:00 – 12:00
  • Practical Forensic Readiness in Security Operations

    Matthew Scott (BT, GB), Clem Craven (BT, GB), Ian Wilson (BT, GB)

    Matthew Scott, GCIH, GCED – A subject matter expert in cyber security operations, with extensive skills in detecting and responding to cyber security incidents and events. Employed within BT CERT as an Investigation Specialist, and also responsible for developing SOC’s within BT, both internal and external commercial, to ensure effective detection and handling of incidents. Have performed these roles within both government and FTSE 100 companies.

    Clem Craven, CISSP, BSI 27001 LA - A highly experienced and reliable subject matter expert and manager with over 25 years’ experience in both the military and civilian Protective Security, Cyber Security & Information Assurance specialist arena. Employed within BT CERT as the Training Manager for the delivery of fundamental and specialist technical instruction to BT and MOD personnel with regards to Cyber Security solutions, processes and associated tools provided by BT in Cyber Operations and associated Global Security Operation Centre investigations. Also responsible for the upskilling of technical teams and Security Operations Analysts with regards to investigations and the analytical mindset.

    Ian Wilson, GCGI, WCNA – A versatile, creative senior intrusion analyst with 25+ years of Information Security experience with in-depth knowledge of security intrusion/incident event management, Intrusion detection/analysis, Information Assurance and establishing/running SOC’s. Currently employed within BT CERT as an Investigation Specialist conducting investigation/remediation of Cyber Security Incidents. Previous roles have included both Physical and Cyber security for both Military/Government and MSSP’s providing services to a range of customers including Financial (PCI DSS) and Petroleum.

    Forensic readiness is a crucial aspect of incident response. Failure to apply forensic practices throughout the entire lifecycle of an incident can prevent a threat actor (both external and internal) from being held accountable. Forensic readiness can also be used to improve the quality of decision making, quality of threat intelligence, and lead to efficiencies in investigating an incident. Whilst many incident responders are aware of the principles of forensic readiness, some organisations struggle to effectively implement those principles. We will demonstrate a variety of novel techniques which we have found to improve the forensic readiness of our incident response capability. Whilst each technique does require some resource to establish, they tend to have minimal resource impact during an incident. We will also demonstrate some case studies where these techniques have been utilised to portray their effectiveness.

    June 14th, 2016 10:30 – 11:30
  • Qualification in the Web – Using NLP for Adversary Identification & Prioritization

    Levi Gundert (Recorded Future, US), Filip Reesalu (Recorded Future, US)

    In his current role as Vice President of Information Security Strategy at Recorded Future, Levi Gundert leads the continuous development of strategic research and intelligence to decrease operational risk for customers. Previously, Gundert was the VP of Cyber Threat Intelligence at Fidelity Investments, where he helped build a capability to identify and respond to relevant threats. Prior to that, Gundert was the Technical Leader for Cisco's Threat, Research, Analysis and Communications (TRAC) team. Gundert also served as a Special Agent with the U.S. Secret Service Los Angeles Electronic Crimes Task Force, where he initiated proactive cybercriminal investigations that resulted in worldwide arrests and prosecutions. Gundert is a prolific blogger and sought-after author/speaker, writing articles for Dark Reading, InformationWeek, and SC Magazine.

    This lab exercise explores the power of NLP in the Web across seven different languages and allows participants to successfully discover, profile, and prioritize adversaries based on TTP recognition.

    Participants will create intelligence by walking through multiple information gathering exercises. This lab will cover proactive and reactive topics including terrorism, virtual currency, and criminal/hacktivist/nation state activities and corresponding TTPs.

    The objective is to highlight the value of intelligence derived from programmatic NLP in the Web. For operational defenders, the value is in general and quick attribution of malicious events, for the wider business, the value is in reducing operational risk, and for law enforcement, the value is in proactively identifying useful leads for criminal prosecution.

    June 15th, 2016 10:30 – 13:30
  • Sharing is Caring: Understanding and Measuring Threat Intelligence Sharing Effectiveness

    Alex Sieira (Niddel, BR), Alex Pinto (Niddel, BR)

    Alex Sieira, CTO, Niddel

    Alex Sieira is the CTO of Niddel and a principal at MLSec Project for the last year. He has over 12 years dedicated to information security consulting, managed security services and R&D teams. He is an MBA, CISSP, CISA, besides some other product-specific acronyms. Alex has experience with a great range of security technology and standards, and has gained many gray hairs establishing SOC and SIEM services for large enterprises. He is currently focused on building the information security product his past self would have killed for.

    Alex Pinto, Chief Data Scientist, Niddel

    Alex Pinto is the Chief Data Scientist of Niddel and the lead of MLSec Project. He is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to support the information security monitoring practice. He has almost 15 years dedicated to all-things information security, and 3 years in Data Science related work. If you are into certifications, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP. He was also a PCI-QSA for almost 7 years, and still has nightmares about compensating controls.

    For the last 18 months, MLSec Project and Niddel collected threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. In this talk, we have gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us on the right track to close these gaps. We propose a new set of metrics in the same vein as TIQ-test to help you understand what a "healthy" threat intelligence sharing community looks like, and how to improve the ones you may be a part of today! We will be conducting this analysis with usage data from some high-profile threat intelligence platforms and sharing communities.

    June 13th, 2016 15:00 – 16:00
  • Levi Gundert (Recorded Future, US)

    In his current role as Vice President of Information Security Strategy at Recorded Future, Levi Gundert leads the continuous development of strategic research and intelligence to decrease operational risk for customers. Previously, Gundert was the VP of Cyber Threat Intelligence at Fidelity Investments, where he helped build a capability to identify and respond to relevant threats. Prior to that, Gundert was the Technical Leader for Cisco's Threat, Research, Analysis and Communications (TRAC) team. Gundert also served as a Special Agent with the U.S. Secret Service Los Angeles Electronic Crimes Task Force, where he initiated proactive cybercriminal investigations that resulted in worldwide arrests and prosecutions. Gundert is a prolific blogger and sought-after author/speaker, writing articles for Dark Reading, InformationWeek, and SC Magazine.

    Phishing is effective, but predictable. A drive-by (watering hole) campaign paired with a zero-day exploit also accomplishes the objective, but identifying and compromising the correct website(s) for specific victim redirection is tricky and time-consuming. Contrast those attack vectors with web shells. Identifying a target’s vulnerable web server and implanting a web shell is relatively straightforward and perhaps unexpected. Most organizations maintain a web presence full of application layer software which presents a wide attack surface. Enter the web shell - a tool of convenience that is increasingly being parlayed into an effective and persistent adversary communication mechanism. Web shells are preferred by specific threat actor groups for their small size and ability to maintain unauthorized access. Using numerous web shell samples and natural language processed (NLP) data from the Web, this presentation focuses on malicious web shell attack trends, the current web shell taxonomy, and specific guidance for operational defenders on detecting web shell attacks.

    June 16th, 2016 14:00 – 15:00
  • SOHO router as crucial part of end user security

    Zuzana Duracinska (CZ.NIC, team CSIRT.CZ, CZ)

    I joined the CZ.NIC-CSIRT and CSIRT.CZ teams in July 2013. Among my main duties are operation of the web scanning service, preparation and realization of cyber exercises, preparation of general articles on cyber security and representation of the team. Other activities include development of national and international collaboration with members of the security community. Our team is engaged in a number of projects that help to build trust and information exchange in the cyber security community, not just in the Czech Republic.

    Home routers are the entry point to the home network but still do not get appropriate attention. With often outdated software and wrong settings, they are very vulnerable devices, which immediately affects all the devices connected to them. In just the last year, a number of vulnerable home routers were detected, which immediately put hundreds of households at risk. Since the router was usually provided by the ISP, it was rather difficult to determine who should be held responsible for patches, and rather confusing for end users. That has put end users in the struggle between ISP and router vendor, with long windows until the patch was delivered. CZ.NIC has decided to launch a research project of a home router that would have a built-in firewall with weekly updates. 2000 fully open-source routers (SW and HW) were distributed in Czech households, and the households became an integral part of the research. Greylists created from the anomalies seen by the routers, along with the recent lists of IPs hosting botnets, phishing and other malicious activities, are sent to the routers regularly, and it is monitored whether any home devices are connecting to them. This research project has already helped a number of users to detect malicious files in their network without their previous knowledge. The main reason for delivering the presentation lies in the crucial need for the security community to focus on SOHO routers. With the rise of IoT, SOHO routers will play a crucial role in securing the home network. More information about our Turris research project is available here: Greylists as a data source are available here:

    June 17th, 2016 11:15 – 11:45
  • Survey on CSIRT Maturity Level in Japan

    Takuho Mitsunaga (University of Tokyo, JP)

    Mr. Takuho MITSUNAGA, Project Associate Professor, Graduate School of Interfaculty Initiative in Information Studies, The University of Tokyo. He is also Technical Advisor at Watch and Warning Group, JPCERT/CC.

    After completing his degree at Graduate School of Informatics, Kyoto University, Mr. Mitsunaga worked at the front line of incident handling and penetration test at a security vendor. In FY 2010, he led an R&D project of the Ministry of Trade, Economy and Industry (METI) for encryption data sharing system for cloud with an efficient key managing function. He has been a member of Watch and Warning Group of JPCERT/CC since April 2011, where he is engaged in cyber attack analysis including APT cases. He has also contributed in some cyber security related books as coauthor or editorial supervisor including “Information Security White Paper 2013”.

    With the increase of cyber security incidents in recent years, there are a number of companies and organisations in Japan that launch a CSIRT. To assist those organisations in their better management and information sharing opportunities, Nippon CSIRT Association (NCA) has been established by JPCERT/CC and other internal CSIRTs, which now embraces 106 members (as of December 2015).

    Since there are CSIRTs from diverse sectors existing in the Association, NCA is seeing a huge difference in tasks handled by each team. Consequently, the definition of “CSIRT activities” is now becoming unclear, and there are some “CSIRTs in name only”, which do not possess enough functions as a Computer Security Incident Response Team. In order to examine the current situation in CSIRT activities, JPCERT/CC, NCA and the University of Tokyo jointly conducted a survey based on SIM3 and other original questions.

    This presentation will provide the observations gained through the survey on CSIRT activities and its maturity level, hoping to trigger further discussions at an international level.

    June 14th, 2016 11:30 – 12:00
  • Taking the Red Pill - Incident Response outside The Matrix

    Lorenz Inglin (Swisscom (Schweiz) AG, CH), Stephan Rickauer (Swisscom (Schweiz) AG, CH)

    Lorenz Inglin built and has been managing various CSIRTs in multinational companies over the last decade. He has more than 15 years of experience in IT security and incident response. Currently, Lorenz is leading the Swisscom CSIRT.

    Stephan Rickauer works as Incident Manager and Senior Security Analyst at Swisscom. He is leading Swisscom's Red Team and has a 20-year background in Unix Engineering, Ethical Hacking and Security Testing. In his private life, Stephan enjoys Shito-Ryu Karate (which helps surviving The Matrix).

    Knock Knock … wake up, Neo.

    Have you ever considered taking the Blue Pill? Being fully compliant, ignoring threats of real life, enjoying warm & fuzzy cyber banalities and just sitting back hoping for trust? Would that not just fix all of our IR problems?

    Swisscom has been there. We've felt good, until our new boss has forced us to try the Red Pill … and we realised how deep the rabbit-hole goes.

    The Swisscom CSIRT has been redesigned from scratch in 2014, to diverge from a compliance-driven to a threat-driven approach. This has led to new ways of thinking, questioning established methods and introducing innovative ideas.

    During this presentation we'll cover organisational as well as technical aspects. This includes pDNS, Red Teaming, Bug Bounty, ChatOps, Threat Intelligence and others. We will share our various experiences, illustrate possible pitfalls and reveal the vulnerabilities of Agent Smith.

    June 16th, 2016 14:00 – 15:00
  • Tasty Malware Analysis with T.A.C.O.: Bringing Cuckoo Metadata into IDA Pro

    Jason Jones (Arbor Networks ASERT, US)

    Jason Jones is a Senior Security Researcher for Arbor Networks' ASERT team. His primary role involves reverse engineering malware, development of internal malware processing infrastructure, and other development tasks. Jason has spoken at various industry conferences including BlackHat USA, BotConf, REcon, Ruxcon and AusCERT.

    Bringing run-time information into IDA is not a new concept, but has been a need for some time. Taking run-time behavior and coupling that with other IDA-based tools can give new insight into how a malware behaves and give a malware analyst more insight into where the "interesting" pieces of the malware may lie. This presentation will cover TACO, a recent IDA plugin that aims to incorporate metadata logged during Cuckoo Sandbox tasks in order to speed up the malware analyst's job of discovering key behaviors used by the malware.

    June 13th, 2016 17:00 – 17:30
  • The Dark Side of Online Advertisements

    Daniel Chechik (Trustwave, IL), Rami Kogan (Trustwave, IL)

    • Daniel Chechik - Daniel Chechik is a Senior Security Researcher at Trustwave's SpiderLabs (Singtel). Among other things, he specializes in malware analysis, reverse engineering, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product. Prior to that, Daniel served in a technological unit in the IDF as a security specialist. During the service, Daniel specialized in Check Point Firewall equipment, AntiVirus products and other IT security products. Daniel, among other things, has spoken at the BlackHat, RSA, DefCon, OWASP, Ruxcon, holds CEH and CCSE certificates and has a patent for 'Detecting Malware Communication on an Infected Computing Device'.

    • Rami Kogan - Rami Kogan is a Security Researcher at Trustwave’s Spiderlabs (Singtel). Rami’s average day is full of obfuscated web pages, exploit kits and coffee. Among other things, Rami has spoken at First (Bangkok 2013) - “Web Malware Outsmarting Security Products” and at the Ruxcon 2014 conference - “Bitcoin-Transaction-Malleability-Theory-In-Practice”. Rami’s motto in life is: “Stay away from Flash”.

    Abstract: Google, Yahoo, YouTube & Forbes are some of the big names that recently fell victim to Malvertising. Actually, in the past year, Malvertising became so common and effective that it has been functioning as the main source of traffic to Exploit Kits. In this presentation we will present our Malvertising research and follow the steps of cybercriminals in the world of the online advertising industry. We will show the unbearable lightness of setting up a malicious ad campaign and the endless possibilities that ad networks provide to cybercriminals to achieve the best ROI all the way to vulnerable victims.

    Outline: Recent forecasts predict that in 2016 for the first time, advertisers in the U.S. will have spent more money on online advertising than they have on television advertisements. This is good news for online ad networks and online advertisers, but with great power comes great responsibility: as online advertising increases, so does online malicious advertising or, in short, Malvertising.

    The first part of the presentation will quickly cover the recent incidents of high-volume web sites, which unknowingly served malware through hosted ads. Then we will introduce the audience to the basics of online advertisements and all of its aspects: advertisers, publishers and ad-networks.

    The second part of the presentation will explain what Malvertising is and why it is a preferred attack vector for cyber-criminals: costs and coverage. We will list the different types of Malvertising and the techniques used by cyber-criminals to achieve the best ROI.

    The third part will present our research of setting up a pseudo-malicious ad campaign with its amazing results and the different mitigations of ad networks to avoid Malvertising, as well as techniques used to bypass them.

    Takeaways: The attendees will be exposed to the cybercriminal's perspective of the benefits that the online advertising industry offers to spread malware effectively. We will discuss the various possible methods to reduce the attack surface used by cybercriminals.

    June 13th, 2016 15:00 – 16:00
  • The Emergence of CSIRTs as Political Actors: Representing Ourselves and Our Stakeholders by Effectively Informing Policy

    Tom Millar (US-CERT, US)

    Tom Millar serves as the United States Computer Emergency Readiness Team’s (US-CERT) Chief of Communications, a role which finds him at the intersection of outreach, awareness, standards development, and technical interoperability initiatives. In this role, Mr. Millar is focused on modernizing US-CERT's approaches to information sharing, knowledge exchange and coordination. Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009.

    Mr. Millar has previously worked as a team lead for intrusion detection and analysis at the FBI’s Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.

    Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.

    Cybersecurity issues have risen to the attention of many different political actors: regulators, diplomats, legislators, special interest groups. As a result, CSIRTs and their members are coming into increasingly frequent and consequential contact with policymakers and governmental institutions. While CSIRTs should remain non-partisan, as cybersecurity and cryptography become increasingly political, our teams and our community of practitioners will play an important role in informing policy discussions, by providing accurate technical guidance and encouraging decisions that help, not harm, our stakeholders.

    In the years to come, issues of regulatory policy, privacy, law enforcement, and diplomacy will demand greater attention and input from CSIRTs of all stripes - governmental, commercial, academic, and NGO - not only because the wrong decisions could make it more difficult to do our jobs, but because we owe it to our leaders, our constituents and our partners to help make the right choices that will help the Internet become a safer place for all. This presentation will discuss experiences in dealing with the growing policy implications of CSIRT operations, survey recent research and publications covering political aspects of CSIRT and cybersecurity work, and share some first-hand lessons learned about navigating unfamiliar territory and contributing effectively in political spaces and contexts.

    June 15th, 2016 15:00 – 16:00
  • The evolution of Russian Android banking Trojans

    Dmitry Volkov (Group-IB, RU), Alexander Kalinin (CERT-GIB (Group-IB), RU)

    Dmitry Volkov, head of threat prevention & the investigation department at Group-IB. Alexander Kalinin, head of CERT-GIB at Group-IB.

    This part of the presentation will outline the changes in banking Trojan functionality for the Android platform over the past year.

    Additionally, we will outline the reasons why in 2014 mobile Trojans were not a serious threat for the clients of European and American banks, but why 2016 will be the year of explosive growth associated with these kinds of threats.

    We will speak about the economic indicators related to mobile Trojans, show their control systems, and describe the basic schemes used to commit fraud, which we forecast to be used extensively in the near future.

    June 13th, 2016 11:30 – 12:00
  • Yurii Khvyl (CSIS Security Group A/S, DK)

    Yurii Khvyl is Senior Malware Analyst at CSIS Security Group A/S, Denmark. He has 10+ years of experience in reverse analysis and investigation of banking malware threats. Member of HoneyNet Project, DeepEndResearch, DCC. Yurii has presented talks at many different security conferences.

    For professional e-crime researchers, it should be little surprise that we oftentimes observe overlaps in various criminal operations and criminal actions carried out by individuals. When digging deeper into analysis of both malware and infrastructure of the criminal operations, we can sometimes even document and attribute different operations to individuals. The goal of this presentation is to draw a link between Neverquest, Shifu and Gootkit, i.e. malware families that have already caused significant losses to online banking, primarily in Europe. In fact, the potential for even higher short-term losses is easily predictable, as will be shown in our presentation.

    Our investigation will furthermore uncover and illustrate the criminal infrastructure, the modus operandi and cooperation with other criminal gangs and freelancers. This is the soul of e-crime research.

    June 13th, 2016 10:30 – 11:30
  • The role of intel and IR for risk management

    Toni Gidwani (ThreatConnect, US)

    Toni Gidwani is the Director of Research Operations at ThreatConnect. In this capacity, she leads ThreatConnect’s threat intelligence research team, an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. Toni previously built and led analytic teams at the Defense Intelligence Agency and joined ThreatConnect from the Office of the Secretary of Defense.

    What is the relationship between threat intelligence, incident response and risk management? Many treat them as separate disciplines with separate teams and separate deliverables, but is that the way it should be? We make the case that intelligence and response isn’t just tracking bad guys and putting out fires. Rather, these tactical functions play a critical role in informing strategic decisions to assess and manage risk to the organization's information assets. I'll discuss exactly what that role is and provide intel and IR analysts with practical recommendations on how to interface with and influence risk managers and decision makers in their organizations.

    June 14th, 2016 15:00 – 16:00
  • Towards a methodology for evaluating threat intelligence feeds

    Andrew Kompanek (CERT/CC, US), Pawel Pawlinski (CERT Polska / NASK, PL), Piotr Kijewski (CERT Polska / NASK, PL)

    Andrew Kompanek is the Deputy Director of the Threat Directorate at the CERT Coordination Center. Prior to joining CERT, he worked at several startups, and as part of a research group in the School of Computer Science at Carnegie Mellon University. Drew holds a BS in Mathematics and Computer Science from Carnegie Mellon University.

    Pawel Pawlinski is a senior specialist in the Security Projects Team at CERT.PL, within Research and Academic Computer Network, Poland (NASK). In this role, he leads the information exchange program, in particular he is responsible for the design and deployment of the n6 platform for sharing security-related data. He is also the main author of the recent ENISA good practice guide for CERTs on processing and sharing of information ("Actionable Information for Security Incident Response"). Pawel's main interests in the domain of network security include intrusion detection systems, anomaly detection algorithms, honeypots and data visualization. His past experience includes work on automated tools for large-scale analysis of both client- and server-side attacks: Honeyspider Network, ARAKIS.

    Piotr Kijewski is the Head of CERT Polska, which is a part of NASK. Previously for many years he was in charge of multiple projects and security research in the CERT Polska team. His interests include threat detection, malware analysis, botnets and honeypots. Piotr has engaged in many different innovative network security projects, both at the national and international level (including EU FP7, NATO and ENISA projects). Piotr also orchestrated and coordinated the takedown of multiple botnets. Author of a couple of dozen publications and articles on network security, as well as frequent speaker and panelist at conferences both in Poland and abroad (including FIRST, NATO Cyber Defense Workshop, Honeynet Project Workshop, Microsoft Digital Crimes Consortium, Microsoft Security Research Alliance Summit, APWG eCrime etc.). In 2011, Piotr set up the Polish Chapter of the Honeynet Project. He holds an MSc degree in Telecommunications from the Warsaw University of Technology.

    In this talk we will discuss our efforts to develop a methodology to assess the quality and potential operational value of a threat intelligence data feed being considered for adoption. During the past several years, we've witnessed security operations and commercial vendors move away from traditional detect and respond models toward an intelligence-oriented approach to network defense that emphasizes information sharing and the synthesis of many data sources in order to paint a multi-faceted, higher-level picture of threats. However, evaluating the usefulness of this approach (and the feeds themselves) has remained an open problem.

    We will propose a series of practical metrics to assess data quality, the rationale behind their use, and then apply them to a number of data feeds, including those available in the public domain. Next, we will cover case studies where we look at the potential overlaps across different types of threat intelligence feeds, including bulk reputation data, selective IoCs for specific threats, and vulnerability information. This will be an initial step to evaluate the usefulness of threat intelligence feeds in characterizing the threat landscape. A reference implementation of tools will be released enabling evaluation of data feeds.

    This work is being done in coordination with the efforts of a working group initiated at the 2015 Annual Technical Meeting for CSIRTs with National Responsibility (

    June 15th, 2016 10:30 – 11:30
  • Trainer Training - How to become a better trainer and presenter!

    Don Stikvoort (MSc CTNLP, NL)

    Train the Trainers

    June 17th, 2016 13:00 – 19:00
  • Tutorial: Coordinated Vulnerability Disclosure for Vendors

    Art Manion (CERT/CC, US), Christopher King (CERT/CC, US)

    Art Manion is a senior member of the Vulnerability Analysis team in the CERT Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University. He has studied vulnerabilities and coordinated responsible disclosure efforts since joining CERT in 2001. After gaining mild notoriety for saying "Don't use IE" in a conference presentation, Manion now focuses on policy, advocacy, and rational tinkering approaches to software security, including standards development in ISO/IEC JTC 1 SC 27 Security techniques. Prior to joining CERT Manion was the Director of Network Infrastructure at Juniata College.

    Do you deal with externally reported vulnerabilities in your organization's products and services? Coordinate vulnerability reports on behalf of others? Not sure how or when to assign CVE IDs? Considering offering a bug bounty?

    This tutorial is intended to help vendors, providers, and CSIRTs grow their capability to handle vulnerability reports from external researchers. Drawn from a longer course, material is based on the CERT/CC's decades of experience working with vendors, security researchers, CSIRTs, and other stakeholders towards coordinated vulnerability disclosure.

    Topics include:

    • Coordinated vulnerability disclosure process overview, vulnerability lifecycle
    • Terms and definitions, process stakeholders
    • Receiving and triaging vulnerability reports from external researchers
    • Publishing advisories, deploying fixes and mitigations
    • Multiple vendors, services, libraries, and other supply chain complications
    • Community norms and expectations, reputation, public relations
    • Dealing with researchers, bug bounties, legal concerns
    • Working with other coordinators and CSIRTs
    • Organizing and building a team, personnel, tools, and infrastructure
    • Commercial research, bug bounty, and coordination options
    • References to international standards on vulnerability disclosure (ISO/IEC 29147) and vulnerability handling (ISO/IEC 30111)
    • Hands-on Exercises!

    This session is designed for vendors, providers, and CSIRTs who are looking to start or expand coordinated vulnerability disclosure capabilities. More experienced teams are welcome but may not benefit as much from the more introductory material.

    June 13th, 2016 13:00 – 15:00
  • Usability and Incentives for Threat Information Sharing Technology

    Tomas Sander (Hewlett Packard Labs, US), Brian Hein (Hewlett Packard Enterprise, US)

    Tomas Sander

    Dr. Tomas Sander is a senior researcher at Hewlett Packard Enterprise Labs in Princeton, New Jersey. He is a member of the Security and Manageability Lab at HPE which conducts research in security, privacy and cloud technologies. Before joining HP, he worked for STAR Lab, the research lab of InterTrust Technologies in Santa Clara, California on a broad range of topics relevant to advanced digital rights management (DRM). Tomas Sander received a doctoral degree in Mathematics from the University of Dortmund, Germany in 1996. From September 1996 to September 1999 he was a postdoctoral researcher at the International Computer Science Institute (ICSI) in Berkeley, California. His research interests include computer security, privacy and cryptography. In the last few years he has been researching and developing technology to implement good privacy practices in large organizations. Based on this research a privacy decision support tool is now deployed globally across HP that assists employees in making proper decisions for handling PII. Tomas is the lead scientist for the creation of HPE’s Threat Central solution, a platform developed for automated and manual threat information sharing.
    In 2014 Tomas was the founder and PC Chair for the ACM Workshop on Information Sharing and Collaborative Security (WISCS 2014), the first scientific workshop focused on the topic. He was also the PC Co-Chair for WISCS 2015.

    Brian Hein

    Brian Hein is a Senior Security Analyst at HPE Security Research group. Brian has worked at HP(E) since 2004, initially joining as part of the TippingPoint acquisition (an IPS vendor). Brian’s past experience includes helping build Fortinet (a Firewall and AV vendor) in Central Europe. He also has experience in pre-sales, building relationships with North America, Central EMEA and Eastern Europe and supporting high profile Middle Eastern customers. Brian’s current responsibilities at HPE include being the subject matter expert for Threat Intelligence Sharing as well as being the liaison between customers and various Threat Intelligence teams within HPE. Brian has contributed to more than 11 Network and Security books and has been awarded numerous patents in the Information Sharing and Threat Intelligence domain.

    Besides the significant progress in automating sharing of Cyber Threat Intelligence, e.g. using Threat Information Sharing Platforms (TISPs), much actionable or contextual Threat Intelligence still requires human analysts for its creation, validation or consumption.

    Existing work has mostly focused on data formats, what data to share and on data quality. There is no good understanding yet of the value-proposition for end-users of a TISP. However, without high quality user contributions TISPs won’t live up to their promise of collaborative defense against sophisticated attacks, e.g. because lower level observables alone do not carry enough context. In response we recently initiated the systematic study of the human elements of participating in a TISP. We approached this problem from one of the primary HCI and UX methods: personas. Using observational study and open-form interviews we constructed representative profiles of different classes of end-users, known as Personas. We have constructed personas for Level 1 analysts, Incident Responders and CTI analysts. We also recently added personas for CSIRT managers and CISOs.

    Building on this prior work that focused on identifying user needs, in this talk we will present novel solutions that address the requirements identified using personas. For example our work shows that the personas differ significantly in the type of information they contribute and consume from a TISP. We show how to optimize TISP features and the data they provide for these different user groups to maximize their respective contributions and the value they receive. One technique is to turn “raw intelligence” into relevant and useful intelligence based on user type. We also designed UIs that make TISP use simple for novel users but offer advanced capabilities to power sharers.

    Another insight from our personas research is that in order to maximize sharing, TISPs should not only maximize users’ corporate (i.e. their organization’s) motivations but also their personal motivations. For example, younger analysts are keenly interested in advancing their career, enhancing their skill level and building a professional network. To serve these needs we designed a system of badges users can earn based on their TISP activities. Badges attest to an analyst’s skill level (e.g. “Malware Expert”), personal achievements (“Top TISP Contributor”), social validation (“Trusted User”) etc. Users can add badges to their TISP profile and use them as credentials for promotions and interviews. We are currently running a trial in a large SOC and will present the results in the talk. Our solution also addresses the privacy and confidentiality concerns that arise.

    A remaining question for future research is how to establish a badging system in a cross-organizational and cross-TISP context and to develop mutually recognized criteria.

    June 14th, 2016 15:00 – 16:00
  • Webshell classification at scale

    Thomas Kastner MSc (nimbusec GmbH, AT)

    After graduating with a master's degree in Secure Information Systems, Thomas jumped right into the practical application of his academic research. He joined the nimbusec team in Austria and has devoted his time to detecting and analyzing online malware ever since. His weapons of choice are machine learning algorithms, Java and Go.

    Based on the FIRST 2015 presentation “A Study on the Categorization of Webshell” (Lee, Lee, Jeong, & Park, 2015) we show an automated process to classify webshells and our evaluation results based on real-world data obtained from a commercial application over a period of 26 months. Lee et al. defined a webshell as a “backdoor program which is used for web hacking” and proposed a schematic to classify webshells based on multiple indicators such as language, function, fingerprint, etc. We have focused specifically on the aspect of function-based classification and developed a system for automatic classification. The most common method for malware classification is still signatures. Yet due to polymorphism, obfuscation and simple transformation of webshells, detection and classification rates are low. We aim at multi-class classification through the combination of two machine-learning stages. In stage one we classify sample data into a malicious and a benign category using SVMs. Stage two further improves classification with 8 function categories based on an adapted k-NN algorithm. In 2015 we successfully employed this concept across multiple enterprise web server environments. The resulting data shows that our webshell-focused machine learning produces false positive rates below 0.1%.

    During this talk we will present:

    • our approach to machine learning webshell classification
    • an evaluation of this approach based on real world data
    • measures to lower false positive rates

    June 15th, 2016 10:30 – 11:30
  • Workshop: MISP, the threat sharing platform, a developer perspective to extensions and collaboration.

    Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU), Andras Iklody (CIRCL - Computer Incident Response Center Luxembourg, LU), Raphael Vinot (CIRCL - Computer Incident Response Center Luxembourg, LU)

    Andras Iklody is a software developer working for CIRCL and has been the main developer of the Malware Information Sharing Platform since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.

    Alexandre Dulaunoy - Enjoy when humans are using machines in unexpected ways. I break stuff and I do stuff.

    Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing, or participating in the development of, tools to improve and ease the day-to-day incident response capabilities of the CSIRT he works for and of other teams doing similar activities.

    MISP is becoming a key open source package for indicator and threat sharing in the information security community. MISP has improved its modularity in recent versions and proposes various ways to use and extend the platform. The workshop will introduce developers and contributors to how to tame the MISP platform and customize it for their needs.

    The following practical examples will be described:

    • Overview of the APIs and developer tools available.
    • Practical examples of existing integration of MISP with reversing platforms like Viper Framework.
    • Simple programming examples on how to use MISP for automatic expansion, import and export of indicators.

    Virtual machines including MISP and sample scripts will be distributed in advance.

    June 17th, 2016 10:15 – 14:00
  • Yara: An Introduction and Real-World Use Case

    Matt Brooks (Chevron, SG)

    Matt Brooks has been in the information security field for 7 years and has experience across the US public and private sectors. His daily focus is leading the intelligence, monitoring, and incident response functions for a large organization capable of 24x7 coverage. His personal research interests include malware analysis and tracking threat groups. This paper is being submitted as independent analysis, not on behalf of any organization.


    Yara is a tool with many uses, including malware analysis, memory analysis, and packet capture analysis. This paper will focus on using Yara for malware analysis, for an audience new to and curious about the tool.

    It will be organized as follows:

    • Section 1 (5 minutes of speaking time) - the basics of Yara, including versions and syntax.
    • Section 2 (5 minutes of speaking time) - example rule sets written by the author to study samples attributed to the Naikon APT campaign.
    • Section 3 (5 minutes of speaking time) - a real-world situation of discovering Naikon’s newest 2015 malware family, not yet publicly published by any security company or other researcher.
    • Section 4 (5 minutes of speaking time) - a conclusion about using Yara to identify malware families and turning that malware research into enterprise protections.

    The paper can be presented in 20 minutes before the expected question and answer session. If desired, it could be expanded to fit a 45-minute presentation by adding a discussion of the differences in the malware families and a useful tool, Relyze, for analyzing malware in bulk.

    June 14th, 2016 11:30 – 12:00
  • Your Money is My Money: The Dynamics of a Banking Trojan

    Tim Slaybaugh (Northrop Grumman Corporation, US)

    Tim Slaybaugh is a Senior Intrusion Analyst for Northrop Grumman Corporation in support of the Department of Homeland Security's US-CERT program. Tim conducts in-depth forensic and malware analysis, and extensive research into identifying intrusion activity as well as providing investigative reports and threat briefs to various government agencies and private industries. Previously, Tim worked with the Investigative Analysis Unit of the FBI conducting complex investigations on an array of digital platforms. Tim also provided advanced forensic and specialized malware analysis training for law enforcement agents. Tim has presented at the Federal Law Enforcement Training Center (FLETC) and often speaks at national and international conferences on current topics in computer forensic analysis. He currently holds multiple certifications with the SANS Institute and the Department of Defense Cyber Investigations Training Academy (DCITA).

    Its sole purpose is to take your money. Vawtrak, aka Neverquest, is considered to be one of the most dangerous pieces of financial stealing malware detected.

    Among its sophisticated capabilities is the ability to bypass authentication by injecting itself into user-initiated sessions to banking, finance, payroll services, and insurance sites. In addition, Vawtrak can surreptitiously modify data in encrypted web traffic, turn off antivirus applications and even intercept warning notices about fraudulent activity from online banking sites. Vawtrak's nefarious methods of stealing personal data have established it as a premier provider of Crimeware-as-a-Service in the underground banking fraud market.

    For the incident responder, the deceptive techniques deployed by the malware make it critical to acquire memory and network data during an investigation, when possible. As you are guided through the Vawtrak network, various forensic methodologies will be presented to detect indicators of compromise within memory samples and images that are associated with the banking trojan. Mitigation techniques targeting the attack vectors of the trojan will also be discussed.

    June 16th, 2016 13:00 – 14:00