Papers & Presentations
16th Annual FIRST Conference on Computer Security Incident Handling
June 13-18, 2004, Budapest, Hungary
- A Framework for Collection and Management of Intrusion Detection Data Sets
- ARAKIS - An Early Warning and Attack Identification System
- Creating and Managing Computer Security Incident Response Teams (CSIRTs)
- Creating a Process Map for Incident Management
- Critical Infrastructure Protection - a business view
- Cyber Intelligence: Why a Business needs to set-up a Cyber Threat Analysis Unit
- Defence in Depth: Protecting Against Zero-Day Attacks
- Deploying new Wireless Standards in Corporate Environments
- Fighting Internet diseases: DDoS, worms and miscreants
- FIRST at WSIS: The Security in the emerging Information Society
- From Incident response to Incident Response Management
- Incident Response in the Research University
- Inside Microsoft Security
- Internet Threat Detection System Using Bayesian Estimation
- Intrusion Prevention System for Databases: The Sandbox Approach
- Network Monitoring and web portal site Project in AP region
- Public Monitoring
- Security Implications of IPv6
- Seeing Vulnerability: The art, science, law, and politics of vulnerability discovery
- TF-CSIRT Activity Update
- The Common Announcement Interchange Format - CAIF
- The CSIRT and Wireless Security Breaches: Specialized Methods, Tools, and Techniques for Proactive and Reactive Wireless LAN Incident Response
- The Incident Response Team object in the RIPE database - the direct link from IP numbers to CSIRTs
- UNIX and Linux based Rootkits Techniques and Countermeasures
- Update the APCERT activities (Under the Regional Initiative Activities Update slot with TF-CSIRT)
- What Went Wrong?
- Workshop on Network Flow Analysis
A Framework for Collection and Management of Intrusion Detection Data Sets

Ben Uphoff
Two areas in intrusion detection research receive little attention: data collection and data management. Gigabit Ethernet is becoming widely deployed, with ten gigabit Ethernet not far behind. Many current solutions strain under such bandwidth rates, resulting in data loss. This is unacceptable for accurate, reliable intrusion detection systems. Data management solutions vary greatly from product to product. Typically, older data is periodically migrated to some archived format. Once archived, the data set cannot be easily queried or analyzed without being imported back into the original tool. This makes forensics and trend analysis extremely difficult. This paper addresses data collection and management for intrusion detection by providing a framework designed to accommodate high-volume, heterogeneous data sets. This framework solves many of the problems of conventional approaches to intrusion detection. Distributed computing is leveraged to assure scalability. Data can be captured, queried and analyzed in real-time; data set sizes are limited only by available storage. Benchmarks of the initial prototype are also provided.
http://www.first.org/conference/2004/papers/c01.pdf
Size: 229 Kb
ARAKIS - An Early Warning and Attack Identification System

Piotr Kijewski (CERT POLSKA)
The paper describes the concept of an early warning and new attack identification system, called ARAKIS, being developed by CERT Polska. The system is meant to detect and identify the characteristics of new threats, such as self-propagating malicious code and other automated attacks that span across multiple sites. Its goals also include the automated creation of attack signatures for dissemination to intrusion detection systems and providing attack statistics. The paper presents the rationale behind the system. The problems encountered, current stage of development and future work are also outlined. The level of technical detail is medium. Targeted at an audience with security experience; in particular, knowledge of the underlying principles of intrusion detection, honeynets and firewalls is helpful.
http://www.first.org/conference/2004/papers/c08.pdf
Size: 82 Kb
Creating and Managing Computer Security Incident Response Teams (CSIRTs)

Georgia Killcrece (CERT/CC), Robin Ruefle (CERT Coordination Center), Mark Zajicek (CERT/CC)
A full-day tutorial devoted to issues and topics relevant to creating and managing an effective CSIRT.
http://www.first.org/conference/2004/papers/t1_01.pdf
Size: 1.31 Mb
Creating a Process Map for Incident Management

Georgia Killcrece (CERT/CC), Robin Ruefle (CERT Coordination Center), Mark Zajicek (CERT/CC)
A half-day tutorial devoted to creating and defining a process map for incident management processes.
http://www.first.org/conference/2004/papers/t1_02.pdf
Size: 490 Kb
Critical Infrastructure Protection - a business view

Rolf Schulz (ComCERT)
Critical Infrastructure Protection (CIP) becomes more and more important - for the Governments, for the Industry and for the CERT Community. First mentioned in the late 90's under President Clinton, and rediscovered at 9/11, CIP is also an important business factor. It guarantees press attention and opens budgets for security projects, which normally are impossible to accomplish. However, if you ask 10 people about a definition of CIP, you will receive a minimum of 10 different explanations. Also a critical topic is the different view from the Government on the one side and the Industry on the other side on CIP. This presentation will give a deeper look on Critical Infrastructure Protection out of the perspective of the involved Industry in central Europe, based on some basics to be defined in the first part of the presentation.
http://www.first.org/conference/2004/papers/c15.pdf
Size: 2.16 Mb
Cyber Intelligence: Why a Business needs to set-up a Cyber Threat Analysis Unit

Ian Cook (MLCIRT)
This presentation will cover ways in which good intelligence procedures can be applied to the corporate sector to better enable senior management to take strategic decisions.
http://www.first.org/conference/2004/papers/c14.pdf
Size: 1.35 Mb
Defence in Depth: Protecting Against Zero-Day Attacks

Chris McNab
The objective is to:
- demonstrate known issues in compiled applications
- demonstrate and categorize attack vectors and types
- define strategy and technologies to mitigate each attack risk
By going through this process, delegates will understand how to protect their environments against zero-day attacks. Even if vulnerable components exist, the risks can be mitigated, and incident response procedures used.
http://www.first.org/conference/2004/papers/c07.pdf
Size: 200 Kb
Deploying new Wireless Standards in Corporate Environments

Laurent Butti
This paper is about secure wireless deployments with new wireless standards. It will describe a current solution based on IPsec, and will provide the reader with a precise snapshot of the standardization process: this is the theoretical part. Based on all this information, a deployment guideline and a case study (FT R&D) will be fully explained: this is the practical part.
http://www.first.org/conference/2004/papers/c09.pdf
Size: 153 Kb
Fighting Internet diseases: DDoS, worms and miscreants

Nicholas Fischbach, Hank Nussbacher
The tutorial is about network infrastructure security, (distributed) denial-of-service attack detection and mitigation, and router and network forensics as part of incident response. We will also cover historical information on DDoS and worms, trends, and filtering on the Internet. Tools, protocol features, technologies and processes will be presented and discussed.
http://www.first.org/conference/2004/papers/t1_03.pdf
Size: 6.36 Mb
FIRST at WSIS: The Security in the emerging Information Society

David Crochemore (CERTA)
The objectives of the presentation at the conference are to explain to FIRST members and non-members what has been and will be the active role of FIRST in the whole process, and what would be the benefits for all of us:
- the increasing importance of Incident Response in the texts of reference
- the worldwide development of CSIRTs
- a better recognition of FIRST
http://www.first.org/conference/2004/papers/c13.pdf
Size: 157 Kb
From Incident response to Incident Response Management

Lillian Rostad
Industry and society in general are becoming increasingly dependent on the use of information and communication technology (ICT) in all areas. The ICT systems and the use of such systems are becoming more complex. At the same time, there has been an increase of ICT security related incidents in such systems, from internal as well as external sources. There is an immediate need for research, development and implementation of improved methods for appropriate handling of ICT security incidents. The aim of this project is to improve information security in critical national infrastructure (CNI) by developing a new methodology and tools for incident response (IR), and supporting risk management methodologies.
http://www.first.org/conference/2004/papers/t2_06.pdf
Size: 434 Kb
Incident Response in the Research University

Sherri Davidoff
Successful incident response in large research universities requires an understanding of the organizational and cultural complexities of the university environment. Strategies for university incident response and large event handling will be explored in this paper, using examples from the experiences of the MIT Network Security Team. This material may prove useful and informative for other university response teams, outside security professionals, and law enforcement agencies whose work brings them into contact with university networks.
http://www.first.org/conference/2004/papers/t2_05.pdf
Size: 205 Kb
Inside Microsoft Security

Simon Conant
To talk about the details rather than abstracts of Microsoft's security efforts. Introduce attendees to "who does what" in MS security. How Microsoft handles security vulnerabilities, the lifecycles of a vulnerability, and why they take so much time. Help attendees understand the vuln handling process, and enable them to make "educated guesses" on timeframes. Discuss the concepts of workarounds, and how to be proactive about these as a defense-in-depth measure. Present innovations in security patches, new features. Understand in detail what Microsoft is doing differently, in building software in a secure fashion. Discuss some of the other areas we are working in to improve internet security. Why must MS limit support lifetimes?
http://www.first.org/conference/2004/papers/t2_02.pdf
Size: 4.09 Mb
Internet Threat Detection System Using Bayesian Estimation

Masaki Ishiguro
We present an Internet security threat detection system using a Bayesian estimation method. This system analyzes the security state of the Internet using Bayesian estimation with the transition of frequencies of IP packet arrival events to some specified IP addresses, such as port scanning, worm activities and so on. While the system calculates the frequency of access events in each time interval, Bayesian updating is repeatedly applied to improve the confidence in the degree of Internet critical states. When the system detects security threat(s) on the Internet, a security alert message is automatically sent to registered E-mail addresses, such as system administrators', and the system issues security alert details on our Web site. We also provide compact HTML and HDML for mobile phone browsers, aka NTT DoCoMo's i-mode and KDDI's EZweb. Since the security state of the Internet changes dynamically, application of Bayesian estimation for threat detection is considered suitable because the parameters of the Bayesian estimation model are considered as dynamically changing quantities. This paper is focused on the mechanism of detecting security threats using Bayesian estimation and our experimental evaluation. Some knowledge of TCP/IP network technologies and statistics is required for this presentation. The intended audience of this paper presentation is network experts, network security researchers, system administrators, and data analysis researchers.
http://www.first.org/conference/2004/papers/c05.pdf
Size: 440 Kb
Intrusion Prevention System for Databases: The Sandbox Approach

Ulf Mattsson
Modern intrusion detection systems are comprised of three basically different approaches: host based, network based, and a third relatively recent addition called procedural based detection. The first two have been extremely popular in the commercial market for a number of years now because they are relatively simple to use, understand and maintain. However, they fall prey to a number of shortcomings such as scaling with increased traffic requirements, use of complex and false-positive-prone signature databases, and their inability to detect novel intrusive attempts. These intrusion detection systems represent a great leap forward over current security technologies by addressing these and other concerns. This paper presents an overview of our work in creating a true database intrusion detection system. Based on many years of Database Security Research, the proposed solution detects a wide range of specific and general forms of misuse, provides detailed reports, and has a low false-alarm rate. Traditional database security mechanisms are very limited in defending against successful data attacks. Authorized but malicious transactions can make a database useless by impairing its integrity and availability. The proposed solution offers the ability to detect misuse and subversion through the direct monitoring of database operations inside the database host, providing an important complement to host-based and network-based surveillance.
http://www.first.org/conference/2004/papers/t2_07.pdf
Size: 388 Kb
Network Monitoring and web portal site Project in AP region

Arnold Yoon (KrCERT/CC), Yurie Ito (JPCERT/CC)
Based on the activities of KrCERT/CC and JPCERT/CC for preventing security incidents, both organizations agreed to develop several joint projects.
http://www.first.org/conference/2004/papers/c04.pdf
Size: 398 Kb
Public Monitoring

Damon Morda (CERT Coordination Center)
Public monitoring is the process of gathering incident and vulnerability related information from publicly available sources such as web sites, newsgroups, and mailing lists. With the increasing number of new incidents and vulnerabilities being reported, it is essential that organizations have the capability to prioritize the monitoring of multiple sources and identify, assess, and respond to threats that may affect their infrastructure. This talk will focus on the CERT/CC's approach to public monitoring by describing tools, processes, and techniques we use to effectively manage the information. Through the public monitoring capability, information is collected that can be analyzed by the vulnerability, incident, and artifact handling teams. As with any process, there are also limitations and areas for improvement which will be discussed.
http://www.first.org/conference/2004/papers/c02.pdf
Size: 184 Kb
Security Implications of IPv6

Michael H. Warfield (Internet Security Systems)
IPv6 is a new, widely available version of the Internet Protocol that carries a number of significant performance and security advantages over earlier versions. These same benefits also work to the advantage of IPv6-savvy attackers against networks whose administrators have not deployed IPv6. IPv4 administrators are unaware that IPv6 is available nearly anywhere IPv4 is available and that IPv6 traffic can pass through their networks without their awareness. Because they have ignored IPv6 as something to worry about in the future, they frequently lack the expertise to manage it and they assume it is not present on their networks. But IPv6 and IPv6 transitional mechanisms offer new security issues and open new avenues of attack even on IPv4 based networks.
http://www.first.org/conference/2004/papers/c06.pdf
Size: 170 Kb
Seeing Vulnerability: The art, science, law, and politics of vulnerability discovery

William Fithen
The CERT/CC has been receiving and acting upon vulnerability reports for most of its 15 years of existence. Over this period, the quantity of these reports has exponentially increased. However, the quality of these same reports has not substantially changed over most of that period. Recently, several organizations have made significant progress in approaching vulnerabilities of certain classes in a more rigorous way. The CERT/CC recognizes this effort and, in response, is starting a new initiative to help organizations be even more effective in this regard. This tutorial/workshop is one of the initial steps we are taking as a part of the new CERT Vulnerability Discovery Initiative. The overall mission of the initiative is to understand, codify, extend, and promulgate effective methods, techniques, and organizational structures to dramatically improve the ability of the community to find meaningful vulnerabilities and to develop engineering strategies to avoid such vulnerabilities in the future.
TF-CSIRT Activity Update

Gorazd Bozic (SI-CERT)
European CSIRTs have been examining different ways of cooperation since the early 1990s. After trying several organisational models, the task force TF-CSIRT was formed in 2000 under the umbrella of TERENA (Trans-European Research and Education Networking Association). TF-CSIRT encompasses teams from academic, commercial and governmental organisations. The group spawned several projects addressing common issues: trust relationships between teams, a formal model for exchange of incident-related data, the training of CSIRT staff, problems related to differences in legislation, and so on. In continuous communications with the European Commission, TF-CSIRT has established itself as a credible partner in the area of network security. The growing number of participants in TF-CSIRT, as well as teams from elsewhere expressing interest in particular results of the group, can be regarded as a sign of the successful efforts European CSIRTs have undertaken.
http://www.first.org/conference/2004/papers/c12.pdf
Size: 136 Kb
The Common Announcement Interchange Format - CAIF

Oliver Goebel (RUS-CERT)
CAIF is an XML-based format to store and exchange security announcements in a normalized way. It provides a basic but comprehensive set of elements that is designed to describe the main aspects of an issue related to security. The set of elements can easily be extended to reflect either temporary, exotic or new requirements in a per-document manner. Besides addressing more than one problem within a single document, the format allows grouping information for more than one target group of readers as well as multi-lingual textual descriptions within one document. This can be used to selectively produce different renderings of an announcement for the intended target groups addressing one, a sub-set, or all problems, multi- or mono-lingual in the languages provided.
http://www.first.org/conference/2004/papers/t2_04.pdf
Size: 1.33 Mb
The CSIRT and Wireless Security Breaches: Specialized Methods, Tools, and Techniques for Proactive and Reactive Wireless LAN Incident Response

Lance Hayden
This paper will serve as a primer to computer security incident response teams (CSIRTs) on ways to incorporate wireless security expertise into their existing methodological and technical toolkits. While many aspects of wireless security incident response are similar to traditional network security incident response, an understanding of the additional threats posed by wireless networks, and the tools for mitigating and responding to those threats, can inform and improve the capabilities of the CSIRT to manage new networking risks in the organizations for which they are responsible. The paper will include recommendations and insights at both high-level and technical levels. It will be appropriate for managers and network staff alike, and anyone with responsibility for creating or managing a CSIRT in an organization that is considering, or already has deployed, wireless networked infrastructures.
http://www.first.org/conference/2004/papers/c10.pdf
Size: 97 Kb
The Incident Response Team object in the RIPE database - the direct link from IP numbers to CSIRTs

Don Stikvoort (S-CURE), Wilfried Wöber (ACONET-CERT)
Description of the concept, implementation and deployment of the database object describing an incident response team - the so-called IRT object - and its relationship with the IP-address space, in particular the so-called inetnum (or IP number) object. The essence of this relationship is that, after proper implementation in real life (which has started in the summer of 2003), it enables e.g. CSIRT professionals (or indeed the general public) to easily find the CSIRT (or CSIRTs) that are responsible for dealing with the security incidents related to specific parts of the IP address space.
http://www.first.org/conference/2004/papers/c03.pdf
Size: 128 Kb
UNIX and Linux based Rootkits Techniques and Countermeasures

Andreas Bunten
The paper will present as much technical detail as required for distinguishing the different types of rootkits while concentrating on the conceptual ideas. A technical audience familiar with the topic will be updated on the current developments. A general audience with technical interest will get a good idea of what is possible and what has to be expected on a compromised UNIX system.
http://www.first.org/conference/2004/papers/c17.pdf
Size: 147 Kb
Update the APCERT activities (Under the Regional Initiative Activities Update slot with TF-CSIRT)

Yurie Ito (JPCERT/CC)
Among the FIRST members there is a need for coordination and information sharing, not just for incident handling but to prevent incidents, and to share those activities of the AP region. The aim is to provide one Regional Initiative activity model for other regions, to encourage each to set up its own RI for efficient collaboration between CSIRTs.
http://www.first.org/conference/2004/papers/c11.pdf
Size: 77 Kb
What Went Wrong?

Ken van Wyk
The paper is a recounting of numerous incidents that we have handled, along with detailed lessons learned and our suggestions of how to avoid or otherwise effectively handle similar difficulties. Some of the difficulties and lessons that we discuss are technical in nature, although many are procedural/human situations.
http://www.first.org/conference/2004/papers/c16.pdf
Size: 107 Kb
Workshop on Network Flow Analysis

Nils Magnus (SecuCERT)
Tracing active attackers or investigating their traces is one of the major tasks for active incident investigation. Checking netflows is helpful to get the "big picture" but sometimes you want more details. This is a hands-on workshop (can be set up as a simple talk in about one hour, a workshop with examples in 2 hours or as a full half-day tutorial) providing the attendee with well-grounded information and techniques about how to look at single packets and how to read them.
http://www.first.org/conference/2004/papers/t2_03.pdf
Size: 261 Kb