Supported by:

European Union logo

Gold Sponsors:


Merril Lynch

Silver Sponsors:

Guidance software


Etisalat Academy

Terminal Room Sponsor:


Bag Sponsor:

Brazilian Internet Steering Committee

Shirt Sponsor:


Binder Sponsor:


Lanyard Sponsor:


Welcome Reception Sponsor:

Network Coordinaton Centre of Hungarian ISPs

Coffebreak Sponsor:

Register now!

Tutorials Abstracts

Tutorial Track 01
Creating and Managing Computer Security Incident Response Teams (CSIRTs)
Georgia Killcrece, Robin Ruefle, and Mark Zajicek
The CERT/CC, Software Engineering Institute,
Carnegie Mellon University

A full-day tutorial devoted to issues and topics relevant to creating and managing an effective CSIRT.

The tutorial will provide:

  • an introduction to the purpose and structure of CSIRTs;
  • insight into the type of work that CSIRT managers and staff may be expected to handle;
  • an overview of the incident handling process and the nature of incident response activities;
  • best practices in creating and managing a CSIRT.

Intended Audience:

This tutorial is designed to provide managers and other interested staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs to anyone new to the field who is interested in what a CSIRT is and what type of activities a CSIRT performs.

Interested attendees may include:

  • individuals who may be tasked with creating a CSIRT
  • chief information officers (CIOs)
  • chief security officers (CSOs)
  • CSIRT managers
  • project leaders
  • project team members
  • system and network administrators
  • existing security staff
  • other upper management
  • human resources
  • media relations
  • constituent members
  • law enforcement members
  • legal counsel

No previous incident-handling experience is required.

Content Outline:

  • Introduction
  • Creating an Effective CSIRT
    • What needs to be done
    • Implementation recommendations and steps
    • Information to collect
    • Who needs to be involved
  • CSIRT Components
    • Constituency
    • Mission
    • Organizational Issues
    • Funding
    • Services
    • Policies and Procedures
  • Operational Management Issues
    • CSIRT staffing issues
    • Managing CSIRT infrastructures
    • Evaluating the CSIRT's effectiveness
  • Incident Handling Activities
    • Capturing critical information
    • Triage (categorizing and prioritizing incident reports)
    • Coordinating response
    • Handling major events
  • Summary

Tutorial Track 01
Creating a Process Map for Incident Management
Georgia Killcrece, Robin Ruefle, and Mark Zajicek
The CERT/CC, Software Engineering Institute,
Carnegie Mellon University

A half-day tutorial devoted to creating and defining a process map for incident management processes.

The tutorial will provide:

  • an introduction and overview of process mapping
  • a rationale for applying processing mapping to incident
  • an overview of a best practices process map for incident
    management developed at the SEI
  • a discussion focusing on applying incident handling process maps in the creation of new CSIRTs or in benchmarking an existing CSIRT

Intended Audience:

This tutorial is designed for CSIRT managers or those involved in planning and benchmarking CSIRT activities and operations.

Interested attendees may include:

  • individuals tasked with creating a CSIRT
  • chief information officers (CIOs)
  • chief security officers (CSOs)
  • information security officers (ISOs)
  • CSIRT managers
  • project leaders
  • project team members
  • system and network administrators
  • existing security staff
  • other upper management
  • auditors
  • risk management specialists

No previous incident-handling experience is required.

Content Outline

  • Introduction
    • History and Rationale of the CSIRT Mapping Process Project
    • Team Members and Current Status
  • Overview of Process Mapping
    • What is it?
    • How can it be applied to CSIRT operations?
  • CERT CSIRT Development Team Best Practices Process Map for Incident Management
    • Overview of Process Components
      • Prepare
      • Protect
      • Detect
      • Triage
      • Respond
      • Improve/Sustain
    • Overview of First Level Processes
    • Overview of Second Level Processes
    • Corresponding services, artifacts, infrastructure, and practices
    • Applying risk analysis to the process map
  • The Future of this Project
    • Next Steps
    • Creating an Assessment or Evaluation Process

Tutorial Track 01
Fighting Internet diseases: DDoS, worms and miscreants
Nicholas Fischbach (COLT Telecom)
Hank Nussbacher (Riverhead Networks)

The topic and objectives:

The tutorial is about network infrastructure security, (distributed) denial-of-service attacks detection and mitigation, and router and network forensics as part of incident response.

We will also cover historical information on DDoS and worms, trends, and filtering on the Internet. Tools, protocols features, technologies and processes will be presented and discussed.

A detailed outline of the content:

  • DDoS: what is it and history of DDoS
    • Looking back
  • DDoS ammunition
    • Summary of attacks and attack tools
  • Statistics
  • Detection
    • Common techniques - backscatter
    • Netflow
  • Mitigation
    • Router anti-DDOS security
    • Router forensics
    • BGP/DNS (in)security and risks
    • Infrastructure security and new ACL types
    • Network forensics
    • Trends and changes (edge filtering, from blocking to "cleaning")
    • MPLS-based traffic diversion
    • NSP community: nsp-security
  • Overview of anti-DDOS companies
  • Future
    • DDoS, worms, SPAM
    • IPv6, MPLS, Lawful traffic Intercept

Some presentation examples:

Tutorial Track 02
Seeing Vulnerability: The art, science, law, and politics of vulnerability discovery
William Fithen
CERT Coordination Center


The CERT/CC has been receiving and acting upon vulnerability reports for most of its 15 years of existence. Over this period, the quantity of these reports has exponentially increased. However, the quality of these same reports has not substantially changed over most of that period. Recently, several organizations have made significant progress in approaching vulnerabilities of certain classes in a more rigorous way. The CERT/CC recognizes this effort and, in response, is starting a new initiative to help organizations be even more effective in this regard.

This tutorial/workshop is one of the initial steps we are taking as a part of the new CERT Vulnerability Discovery Initiative. The overall mission of the initiative is to understand, codify, extend, and promulgate effective methods, techniques, and organizational structures to dramatically improve the ability of the community to find meaningful vulnerabilities and to develop engineering strategies to avoid such vulnerabilities in the future.


  • to describe to CERT/CC Vulnerability Discovery Initiative to participants
  • to elicit feedback from participants on strategic and tactical directions they feel would be relevant for the CERT/CC to consider supporting under the initiative
  • to present a survey the current technical state of the practice in vulnerability discovery
  • to present the fundamental approaches that have or can be taken to finding vulnerabilities is technology
  • to cover the legal and political aspects of engaging in vulnerability discovery
  • to construct a set of specific goals for the involvement of the FIRST community in the initiative

Outline of content:

Follow the objectives defined above

Level of technical detail:

Varying. In some areas, the detail, especially for selected vulnerabilities, can be very great. For other areas, such as legal and political, the material is only meant to be thought provoking and encourage participants investigate their
specific situations when they return home.

Intended audience:

Any organization that is engaged in or is seriously considering creating a vulnerability discovery activity should definitely attend.

Any individuals who have interest in the idea of improving vulnerability discovery are encouraged to attend, but the content of the tutorial assumes meaningful knowledge of vulnerability at the engineering level.

Tutorial Track 02
Inside Microsoft Security
Simon Conant
Microsoft Corporation

To talk about the details rather than abstracts of Microsoft's security efforts.
Introduce attendees to "who does what" in MS security.
How Microsoft handles security vulnerabilities, the lifecycles of a vulnerability, and why they take so much time.
Help attendees understand the vuln handling process, and enable them to make "educated guesses" on timeframes.
Discuss the concepts of workarounds, and how to be proactive about these as a defense-in-depth measure.
Present inovations in security patches, new features.
Understand in detail what Microsoft is doing differently, in building software in a secure fashion.
Discuss some of the other areas we are working in to improve internet security.
Why must MS limit support lifetimes?

The goal is to equip attendees with detailed information and background knowledge, to help them in working in real-world environments with MS software.

This can be a very proactive presentation, and an opportunity for attendees to field, and hopefully have answered, their questions in this area. Also a chance to give concrete feedback and advise to MS.

Tutorial Track 02
Workshop on Network Flow Analysis
Nils Mignus

Tracing either active attackers or investigating their traces is one of the major tasks for active incident investigation. Checking netflows is helpful to get the "big picture" but sometimes you want more details.

This is a hands-on workshop (can be set-up as a simple talk in about one hour, a workshop with examples in 2 hours or as a full half-day tutorial) providing the attendee with well-grounded information and techniques about how to look at single packets and how to read them.

The workshop explains important tools and utilities to caputure and analyze packets from the wire or from previously stored data. Integration with Intrusion Detection Systems (IDS) is covered. The main focus of the workshops is based on a number of major use cases, where actual data will be live analyzed: One scenarion covers more detailed information about ongoing attacks including the attackers location, usage of spoofing techniques, and other means of penetration. Another use case explains how these procedures can also be used to analyze captured malware.

The foundations and tools of the presentations are not particularly new, however the transfer of experience may prove very helpful for new team members or people heading to more technical investigations. A good general understanding of TCP/IP and its other family members is necessary.

Tutorial Track 02
The Common Announcement Interchange Format - CAIF
Oliver Goebel
RUS-CERT, Stuttgart University

CAIF is an XML-based format to store and exchange security announcements in a normalized way. It provides a basic but comprehensive set of elements that is designed to describe the main aspects of an issue related to security. The set of
elements can easily be extended to reflect either temporary, exotic or new requirements in a per-document manner. Besides addressing more than one problem within a single document the format allows to group information for more than one target group of readers as well as multi-lingual textual descriptions within one document. This can be used to selectively produce different renderings of an announcement for the intended target groups addressing one, a sub-set, or all problems multi- or mono-lingual in the languages provided.

Tutorial Track 02
Incident Response in the Research University
Sherri Davidoff and Bob Mahoney
Zanshin Security

Successful incident response in large research universities requires an understanding of the organizational and cultural complexities of the university environment. Strategies for university incident response and large event handling will be explored in this paper, using examples from the experiences of the MIT Network Security Team. This material may prove useful and informative for other university response teams, outside security professionals, and law enforcement agencies whose work brings them into contact with university networks.

Tutorial Track 02
From Incident response to Incident Response Management
Lillian Rostad
Centre for Information Security (SIS)

Industry and the society in general, are becoming increasingly dependent on the use of information and communication technology (ICT) in all areas. The ICT systems and the use of such systems are becoming more complex. At the same time, there has been an increase of ICT security related incidents in such systems, from internal as well as external sources.

There is an immediate need for research, development and implementation of improved methods for appropriate handling of ICT security incidents. The aim of this project is to improve information security in critical national infrastructure (CNI) by developing a new methodology and tools for incident response (IR), and supporting risk management methodologies.

Incident response (IR) is the process of handling a computer security related incident involving infrastructure and data. Traditionally, incident response has been about putting out the fire and returning all systems to normal operation - the ultimate goal being to minimise downtime, loss of business and economical consequences. However, ICT security encompasses many different aspects including technology, human resources and organisation. So far, emphasis has been put on technical system issues, while organisational and cultural issues have been ignored. Human related factors have, however, often been found to be the weakest link. Therefore, an optimal incident response planning methodology needs to include the human aspects as well as the technical. Often, the possible employment of new countermeasures or adjustment of existing defences after an incident will necessitate adjustments in the management and employee attitudes and procedures (e.g. skill development, cultural changes and increased awareness) as well as appropriate technical changes. In this paper we propose the development of a methodology for efficient handling of computer security related incidents. Such a methodology should include technical, cultural, and organisational issues.

Tutorial Track 02
Intrusion Prevention System for Databases: The Sandbox Approach
Ulf Mattsson
Protegrity Inc.

Modern intrusion detection systems are comprised of three basically different approaches, host based, network based, and a third relatively recent addition called procedural based detection. The first two have been extremely popular in the commercial market for a number of years now because they are relatively simple to use, understand and maintain. However, they fall p rey to a number of shortcomings such as scaling with increased traffic requirements, use of complex and false positive prone signature databases, and their inability to detect novel intrusive attempts. This intrusion detection systems represent a great leap forward over current security technologies by addressing these and other concerns. This paper presents an overview of our work in creating a true database intrusion detection system. Based on many years of Database Security Research, the proposed solution detects a wide range of specific and general forms of misuse, provides detailed reports, and has a low false-alarm rate. Traditional database security mechanisms are very limited in defending successful data attacks. Authorized but malicious transactions can make a database useless by impairing its integrity and availability. The proposed solution offers the ability to detect misuse and subversion through the direct monitoring of database operations inside the database host, providing an important complement to host-based and network-based surveillance.


Copyright 2004 by FIRST.Org, Inc.