7th NM-SIG: Workshop 'Monitoring & Analyzing Client-side Attacks'
2009-June-30, Kyoto, Japan
The Network Monitoring Special Interest Group (NM-SIG) has scheduled the workshop 'Monitoring & Analyzing Client-side Attacks' during the week of the FIRST annual conference (June 28-July 3 2009, Kyoto, Japan).
This workshop will take place on Tuesday, 30 June 11:00-17:00, at the 5F Kokin Naka of Hotel Granvia Kyoto.
This workshop is open for everyone (NM-SIG members, FIRST members and non-FIRST members).
Part of the workshop material is provided by ENISA. This material comes from the 'CSIRT exercises' program. More information about this program is available in the 'Links' section of this announcement.
Introduction
Starting in 2007, criminals began to switch their focus from targeting remote operating systems to targeting vulnerabilities in client applications which can be misused to bypass all kinds of security restrictions, such as firewalls.
Looking at the average protected corporate environment, end users still have internet access for certain client applications. For example, in most environments end users can reach external web services and email services from their protected corporate network. Criminals can misuse this by delivering exploit code via these services. Therefore, nowadays they focus on vulnerabilities in client-side applications such as browsers, office applications, media players and PDF readers.
A website is an effective vehicle for exploiting vulnerabilities in client applications. Web content can contain code that directly exploits browser vulnerabilities. Alternatively, web content can serve specially crafted files, such as media or document files, which are opened automatically in client applications. Criminals use a range of techniques to exploit vulnerabilities via malicious websites.
The NM-SIG workshop 'Monitoring & Analyzing Client-side Attacks' consists of hands-on experience in analyzing infected websites that try to exploit vulnerabilities in browsers and browser plugins. It is the ambition of the NM-SIG to help incident handlers gain more experience with thorough and accurate analysis of client-side attacks.
Instructors
- Tomasz Grudziecki (NASK, CERT-POLSKA)
- Piotr Kijewski (NASK, CERT-POLSKA)
Agenda
| June 30th (Tuesday): Network Monitoring SIG Meeting | |
|---|---|
| 11h - 12h | Introduction NM-SIG |
| | Introduction client-side attacks [1] |
| | Drive-by download without Fast Flux (part I) [1] |
| 12h - 13h30 | Lunch |
| 13h30 - 15h30 | Drive-by download without Fast Flux (part II) [1] |
| | Drive-by download with Fast Flux [1] |
| | Introduction HoneySpider Network [2] |
| 15h30 - 16h | Coffee break |
| 16h - 17h | HoneySpider Network interactive demonstration [2] |
Notes
- [1] These agenda items are part of the 'Network Forensics' chapter of the ENISA CSIRT exercises.
- [2] These agenda items are not part of the ENISA material. They present the experience coming from the HoneySpider Network project.
Course Material
The ENISA CSIRT exercise is a hands-on session where you will work with provided PCAP dumps. These PCAP dumps are available in two formats:
- VMware image
  This is a VMware image with a Debian Lenny distribution which contains the necessary PCAP dumps and Wireshark. You can run the VMware image in VMware Player. VMware Player can be downloaded via:
  http://www.vmware.com/download/player/
  You can download the VMware image via:
  http://gror.nask.waw.pl/kyoto-materials/VirtualMachine.zip
  WARNING: The size of this VMware image is 642MB.
- ZIP file
  A ZIP file which only contains the PCAP dumps. You need to install Wireshark yourself. You can download Wireshark via:
  http://www.wireshark.org/
  The ZIP file is available via:
  http://gror.nask.waw.pl/kyoto-materials/PCAP_files.zip
  WARNING: The PCAP files should preferably be used by Linux-based analysts. These files contain real Windows malware, and AV software may block attempts to use them.
We recommend that participants of the NM-SIG workshop download and install the necessary tools and images before the start of the workshop, so that everyone is prepared.
Contact
Send an email to Carol Overes (carol.overes@govcert.nl) if you want additional information about this workshop.
Links
- ENISA CSIRT exercise material:
  http://www.enisa.europa.eu/csirt_exercise_material/index_exercise_material.htm
- HoneySpider Network project:
Sponsors
This workshop is sponsored by ENISA and FIRST.