Do you have specific questions? Please send inquiries to
first-2012@first.org.

Direct line to conference office:
+1 312 646 1013

Direct mailing address to conference office:
FIRST Conference Office
219 W. Chicago Avenue, Suite 300
Chicago, Illinois 60654

Conference Program

This is the final agenda as of 7 July 2012.



Definitions

  • Deep Technical Dives: Presentations cover in depth, cutting-edge information on threats, tools and practices.
  • Technical Foundations: Presentations cover technical information fundamentals and an overview of technical topics.
  • Policy & Management: Presentations cover incident response management and development, and issues regarding information sharing and legal boundaries.

  • Hilton Malta Breakfast: For attendees staying at the Hilton Malta, breakfast will be served in the Oceana Restaurant.
  • Morning Tea/Coffee: Attendees not staying at the Hilton Malta who arrive early, or who do not have breakfast included in their hotel room rate, are welcome to enjoy morning tea/coffee service with light pastries. Served in the Conference Center - Level 5 Spinola Lobby.
  • Daily Breaks: Breaks will be served in the Conference Center - Level 5 Spinola Lobby and Level 6 Grandmaster Foyer.
  • Daily Lunch: Lunch will be served in the Conference Center - Level 5 Spinola Suite.

Saturday, 16 June 2012

0900-1630 Education & Training Committee Meeting
Perrellos - Level 5 Conference Center


Sunday, 17 June 2012

0900-1330 Education & Training Committee Meeting
Perrellos - Level 5 Conference Center
1400-1630 Becoming a Better Trainer
Perrellos - Level 5 Conference Center
1400-1800 Registration - Full
Spinola Lobby - Level 5 Conference Center
1830-2100 Late Registration - Just Name Badges
Outside, Poolside Gazebo
*Attendees may pick up their conference bags Monday morning. Name badges are required to attend the evening events.
1500-1600 2012 Session Chairs Meeting
Wignacourt - Level 6 Conference Center
1830-1900 Newbie Reception w/ FIRST Steering Committee
Outside, Hilton Poolside Gazebo

FIRST Newbies (non-members) & First Time Attendees (members and non-members) are cordially invited to mix and mingle with each other and the FIRST Steering Committee. Beverages and appetizers will be served.
1900-2100 Ice Breaker Reception sponsored by MITA
Outside, Hilton Poolside Gazebo

All attendees are encouraged to attend this kick-off networking event.

Monday, 18 June 2012

0800-1600 Registration & Morning Coffee/Tea Service
Spinola Lobby - Level 5 Conference Center
0915-0945
[UK] Conference Opening & Welcome
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
0945-1045
[EU] Keynote: IT Security @ EC: Challenges & Experiences

Trust and Security is one of the key areas of work in the Digital Agenda for Europe, one of the 7 flagship initiatives launched by the Commission in the framework of EU2020, the EU initiative for smart, sustainable and inclusive growth. It is in this framework that the European Commission proposes, develops and implements its IT security policies including the internal ones.

The presentation will describe the framework in which the internal IT security initiatives are carried out and the challenges ahead. It will also describe how the policies are implemented internally, will present some of the tools used, and will describe some experiences in dealing with security incidents on the ground.

Grandmaster Suite - Level 6 Conference Center
Francisco García Morán
Director General, Directorate General Informatics (DIGIT), European Commission (EC)
1045-1115 Coffee & Networking Break
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1115-1200
[NL] Plenary: The DigiNotar Crisis: from incident response to crisis coordination

In this presentation Aart Jochem will give behind-the-scenes insights into handling the DigiNotar incident, from hack to national crisis. What happened, how did this impact our operations and which lessons can be learned?

DigiNotar was an important certificate service provider for the Dutch governmental PKIOverheid. The report of a fraudulent certificate issued by DigiNotar came as a bombshell to GOVCERT.NL. The seriousness of the situation was clear immediately, though the real impact on Dutch society became apparent later that week. Aart will present the chain of events which led from the report from CERT Bund to the management takeover of DigiNotar by the government.

Grandmaster Suite - Level 6 Conference Center
Aart Jochem
Manager Security Team, NCSC-NL
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
BREAKOUTS
  • Deep Technical Dives: Portomaso I+II, Hilton Level 3
  • Technical Foundations: Grandmaster Suite, Level 6 Conference Center
  • Policy & Management: Portomaso III, Hilton Level 3
1335-1420
[DE] Poison Ivy for Incident Responders

Poison Ivy sells itself as a remote administration tool. It has been used in a wide variety of attacks, from fake screen saver trojans for the masses to the highly targeted attacks against RSA (1) and the chemical industry (2).

The presentation will start with a brief introduction to Poison Ivy, its capabilities and configurable options. We will then have a closer look at the generated binary and learn how code and configuration data blocks are combined. We develop signatures that can help an incident responder to detect Poison Ivy in memory and to reconstruct its configuration without time-consuming reverse engineering.

Next, we will examine network activity, especially the session initialization handshake. A brief cryptanalysis will reveal a weakness that incident responders can leverage to identify Poison Ivy command and control servers and to mount a brute-force attack on the attacker's shared secret.

(1) Anatomy of an Attack
(2) Nitro Attacks Whitepaper

No special equipment required.

Andreas Schuster
Deutsche Telekom AG
[US] Who, What, Where and How: An Insider's View to Participating in the Security Community

Where do people in the security community go to share insight and collaborate? How do you become a part of the private, so-called "trusted" communities? What can you do to maximize security community relationships? We try to answer these sorts of questions by surveying the security community, including its collaborative successes and failures.

John Kristoff
Team Cymru, US
[BE] Leaving our island: a communication and business strategy for a National CSIRT

CERT.be is the Belgian National CSIRT and has asked the help of a bureau specialized in branding strategy development and marketing in order to better fulfill its wide-ranging tasks, which include treating and coordinating highly sensitive incidents, handling day-to-day abuse reports and creating awareness among the general Belgian public.

The result of this collaboration was a communication plan and strategy for CERT.be, including a tagline to be added to the CERT.be logo. It also turned out that a National CSIRT is a very “sexy” product to market due to the unique qualities of “the product”, and some very surprising results surfaced after applying techniques and tools normally used to brand and position products and/or big companies.

We will implement the findings starting from January 2012 and we would like to present our findings and the results of this approach. Our aim is to give more visibility to CERT.be at all the levels involved: law enforcement, political, the general public, ISPs and large companies and, last but not least, the press. CSIRTs are in fact all about communication, and using the press as a very strong ally in our fight against cybercrime and abuse should allow us to do our work more efficiently.

In this presentation I would like to present some of the very interesting conclusions of this collaboration and moreover I should be able to give valuable feedback and lessons learned after some six months into the implementation of this strategy.

Christian Van Heurck
CERT.be, BE
1425-1510
[RO, RU] DQ: a cyber missile

The Duqu threat made a big noise in the media in autumn 2011. Although its impact was hard to estimate, everyone felt that something major was happening behind that name.

We, at Kaspersky Lab, spent a lot of time working on this threat as it seemed to use cutting-edge malware technologies and unknown 0-days in the attack.

The presentation is going to show some results of the Duqu workgroup and will explain what Duqu was, why people think it was similar to Stuxnet, how it was controlled, how long it had been used and what traces were erroneously left by the attackers on a set of compromised systems. Please expect only technical information about the threat, as we are not going to speculate on who may have developed and controlled it and for what reasons.

Also, we would like to share some of our experience (wins and fails) in international collaboration with CERTs, LE and private companies during the investigation.

Vitaly Kamluk
Kaspersky Lab, RU
Costin Raiu
Kaspersky Lab, RO
[BR] Team Cymru: Services for CERTs

Jacomo Piccolini
Team Cymru, BR
[JP] A study for CSIRTs strengthening: From a Viewpoint of Interactive Storytelling in an Organization

NTT-CERT and Meiji University collaborate to study “storytelling” in organizations. Storytelling influences the realities people hold and gives rise to dynamic responses in the organization. Eventually, we expect that a correct understanding of “storytelling” can help us build up and maintain a good team under the high-pressure situations in which CSIRTs operate.

The purpose of this paper is to investigate the organizational side of security response in cases of Japanese CSIRTs.

As incidents usually occur in new forms and under new situations, responding to them is difficult. Therefore, when an incident occurs, members of the CSIRT assign a meaning to the effect of the incident. At this point, the members analyze the incident in the light of a recent incident through storytelling based on their current experiences and decide upon appropriate countermeasures. In this manner, the organization’s reality about security is constructed through “storytelling”.

Research on storytelling has developed in organization studies in recent years. Storytelling is shown in the context of management that is engineering organizational change. Moreover, it is especially shown in the context of the efforts a leader makes to help subordinates understand the ramifications of the changes that are to be introduced in the organization. However, this case shows that storytelling in an organization does not only imply downward communication flowing from the leader to the other members, but also interactive storytelling that occurs between the members of the organization. Therefore, we will present alternative storytelling perspectives different from those of established studies. To make that difference clear, we first explain the established view stemming from past research on storytelling. Second, we show an alternative viewpoint to that adopted in existing storytelling research. To investigate the cases of Japanese CSIRTs, we do not focus on the established view of storytelling as a leadership tool or a tool that effects organizational change, but on how various stories are formed within an organization and on the organization’s reality, which gives rise to various stories. Finally, we will show the importance of organizational perspectives of security response.

Ikuya Hayashi
NTT, JP
1515-1545 Coffee & Networking Break
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1500-1700 Common Vulnerability Scoring System Special Interest Group (CVSS SIG)
Vilhena - Level 6 Conference Center
*Open to all attendees; voting is restricted. Contributors must sign an IPR.
1550-1620
[US] A forensic review of the TDSS bootkit

While there has been extensive reporting on TDSS malware, dubbed the ‘Indestructible’ botnet by Kaspersky, most reporting has focused on reverse engineering the various components of the Trojan. This presentation will instead concentrate on the forensic attributes of TDSS activity to assist the analyst in identifying its presence on an image or on the network. Topics covered will include an overview of the malware including analysis of the pagefile.sys, unallocated space, applicable live memory forensics techniques as well as malicious activity from affiliate programs. Emphasis will be placed on the recent TDL-4 variant.

Tim Slaybaugh
General Dynamics AIS, US
[UY] Securing the Internet Inter-Domain Routing System using Origin Validation and the RPKI

BGP prefix hijacking is a well-known weak spot in the Internet's global routing system. An attacker who is able to successfully hijack a route prefix could, for example, redirect large amounts of traffic to his own systems, where he could perform packet sniffing or manipulation. A hijacked prefix could also allow a phisher to present authentic-looking URLs to his/her victims by redirecting traffic from the correct web server to his own compromised ones.

The ability to tweak the Internet's routing system to his/her own advantage could present an attacker with novel and very interesting tools to bypass current security mechanisms and entrenched user best-practices.

The main goal of the Resource Certification Public Key Infrastructure is to improve the general security and stability of the global routing system. The RPKI allows legitimate resource holders to create digital certificates and other cryptographic proofs of routing policy that can be verified up to a trust anchor. Validating routers can use these proofs in order to assign validity properties to BGP UPDATES, thus allowing router operators to apply policy decisions to routes according to the validity of said proofs.

This presentation starts with a description of the general guidelines for Internet number resources management followed by a high level description of the current system of Internet Registries and the global routing system and the security problems it currently presents.

Some security aspects of the routing system that require improvements will be also described. The Resource Public Key Infrastructure will be also described at a high level showing how it will mitigate the risks associated with these aspects by allowing rightful owners to assert their usage rights over Internet resources.

Some well known and well publicized cases of route and traffic hijacking will be presented since they provide one of the main drivers behind RPKI.

Finally, the current state of the project, both from the IETF's and the RIRs' point of view, will be described, along with the currently planned project roadmap and some statistics gathered by the RIRs after one and a half years of production operation.

Since the RPKI is currently scheduled for a Jan 1 2011 production release by LACNIC and the other RIRs with the sole exception of ARIN, the presentation will also include results and experiences from the first 6 months of operation.

Carlos Martinez-Cagnazzo
LACNIC, UY
[IT] DNS-CERT: vision and reality for delivering a secure and healthy naming service

The Domain Name System (DNS) is recognized as one of the most critical services in the Internet infrastructure and today plays an important role in society and in the daily life of citizens. DNS is an interconnected and interdependent infrastructure. Any significant DNS disruption or malfunction significantly affects the correct functioning of all Internet components, including web applications, service-oriented systems, cloud infrastructures and distributed applications more generally. Among others, several of the so-called Critical Infrastructures, such as energy grids and transportation systems, rely today on DNS services. DNS security requires a trusted body for all parties involved to address security incidents; hence the need for a DNS-CERT was born. Such an idea was first presented by ICANN in 2010, in its “April 2010 DNS-CERT Operational Requirements & Collaboration Analysis”. In this report the need for a DNS-CERT was underlined, and 10 requirements that such a structure should satisfy were identified. However, after this initiative, the theme of DNS-CERT seems to have been abandoned by the community, mainly because the current CERT model does not easily apply to the DNS ecosystem. In this speech, starting from the early results of the ICANN and DNS-OARC efforts in designing a DNS-CERT, taking into account the comments raised by the DNS community on this matter, and considering the peculiar, totally distributed and weakly regulated nature of the DNS, we propose a new distributed and hierarchical CERT model, tailored to the needs of the DNS community and based on coordination and cooperation capabilities, exercises and a close working relationship between all DNS actors.

Igor Nai Fovino
Global Cyber Security Center, IT
1625-1655
[DK] Stepping into the Carberp crimekit and reshipping business

This presentation will provide technical insight into the crimekit and outfit known as Carberp.

In late 2010 Denmark was hit with a malvertising attack launched from a popular news website. Within a short time approx. 10,000 PCs got infected through a client-side drive-by attack.

Soon afterwards we got reports about luxury goods being bought in eCommerce stores around the country using stolen credit cards. The goods were being reshipped through a package mule network.

We decided to team up with a few of the reshippers and planted a GPS transponder in some of the packages. This took us from Denmark to Poland, into Ukraine and finally to Moscow.

This is the story told by the reshippers and CSIS and Danish National television driving to Poland and Ukraine to get insight into how this scam is established.

Peter Kruse
CSIS Security Group, DK
[FR] Phisherman's foes

Our team has fought phishing for nearly ten years. Thanks to our clients' and partners' data, and a recent not-for-profit public phishing reporting platform, www.phishing-initiative.com, we believe we now have a nearly complete vision of the phishing landscape in France. We indeed took action against more than 15,000 different attacks conducted in 2011. Our review of phishing attacks at the scale of a country such as France points out how specific local phishing trends can be compared to large-scale phishing trend analyses, and highlights the importance of specific (regional, linguistic, etc.) phishing reporting platforms to better assess these trends.

French companies have been targeted by a handful of groups of phishers originating mainly from one of France's historical colonies, Morocco. In recent years, banks have adapted with more and more efficient countermeasures, whether on a global scale, i.e. phishing blacklists, or on a local scale, i.e. how the organisations defend themselves. We have thus observed various phishing techniques which recently (re-)surfaced, indicating that phishers are making efforts to delay detection and takedown of the fraudulent websites. These techniques include:
- blacklisting of antiphishing organizations,
- access restricted by geolocation,
- increase in email-attached phishing forms,
- theft of credit-card details through scam pages (fake surveys, fake e-commerce/e-service websites),
- text-free phishing pages and emails,
- real-time validation of phished credentials,
- etc.

Phishers have also shifted their targets, as they have been intensifying their attacks against French non-banking entities with success. France is not the only country where phishers are testing new strategies, as some man-in-the-middle phishing websites have been spotted in other countries.

Our observations of these groups show that years of experience without being threatened by local law enforcement have unfortunately allowed these phishers to increase their skills and move to using banking malware or code obfuscation.

After presenting trends in the techniques used by the bad guys, we compare the use of reactive vs. proactive detection techniques, such as email reporting by victims vs. log monitoring, and show how strategic the latter are. It is our belief that, although already publicly documented, advanced log monitoring techniques are not well known in the cybercrime community. Also, given the variety and highly evolving trends of phishing attacks, a combination of phishing detection systems is shown to be more effective.

We provide data on phishing impacts, measured both directly from compromised websites and indirectly from log monitoring. Issues related to antiphishing are also discussed: takedown ROI, discrepancies in data exchange laws, connecting cases to reach the "prosecution threshold".

We finally focus on some promising phishing detection and mitigation techniques through domain-based email authentication or reputation protocols (i.e. DMARC ARFR feed, DNS RPZ, VBR) and the commercial initiatives trying to leverage them.

Jean-Michel Doan
Vincent Hinderer
LEXSI, FR
[US] Putting Adobe on the MAPP with Microsoft

In 2008 and 2009, the number of exploits targeting Adobe products grew considerably. In addition to working to secure the targeted applications, the Adobe Secure Software Engineering Team (ASSET) investigated how to leverage the broader security community to help protect customers with more effective layers of defense. Adobe proposed sending detailed technical information describing Adobe product vulnerabilities via the Microsoft Active Protections Program (MAPP) to protection providers. Two giant software companies, competing head-to-head in some areas, agreeing to cooperate and help secure their mutual customers? It sounded just crazy enough to work. Since the fall of 2010, Microsoft and Adobe have worked together to provide information describing vulnerabilities in Adobe products to MAPP participants. Today, 84 security firms from around the world are participating in MAPP, providing protections for hundreds of millions of customers. This talk will discuss how the Adobe/Microsoft collaboration came to be, how Adobe and Microsoft currently work together to provide vulnerability guidance, and how this effort has helped MAPP partners improve protections for customers globally.

David Lenoe
Adobe Systems, US
1700-1730
[BR] Pinkslipbot: A deep look at how malicious code adapts and evolves

Pinkslipbot is a malware family originally created to steal personal and financial data from infected machines, and to provide complete control of the target machine through a back door. Initial versions of Pinkslipbot appeared around 2007, but only in recent years has the malware started to become more successful, due to improved spread methods and the fact that it started to target corporate networks. It was at this point that Pinkslipbot caught the attention of the media.

In this presentation, we will analyze the historical data about Pinkslipbot outbreaks and look at what has changed between each version — in order to understand the modus operandi of its authors and what we may expect in future variants. This data will include an in depth look at the modus operandi of the malware authors during the most recent outbreak, to show how the malicious code is changed and adapted to counter actions by the Antivirus industry.

We shall focus on specific features of Pinkslipbot that may be of use to both antivirus research as well as to enterprise and law enforcement entities trying to understand this threat.

Guilherme Venere
McAfee, BR
[US] Insight Into Russian Black Market

You have all heard the term cybercrime, and you have heard about all things cybercrime – stolen credentials, identity theft, fraud, blackmail, DDOS and more. You may have heard that there are markets for goods connected to computer crime. You may have heard that there’s a lot of money in it (enough to pay off the national debts of most states including the USA, if you total all reports on damages by cybercrime). As usual the problems lie in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them and by which means? Surely you cannot just walk into a chat room, drop your credit card number and part with the digital loot, or can you? What if you end up being a trade object yourself? Screenshots are shown of actual high profile advertisements such as a post about mysql.com root access for sale.

IT security companies and law enforcement organizations have a vested interest in investigating these mechanisms. The information is vital for everyone implementing IT security as well. You have to know who is up against you and why. This is the basic information every defender needs to possess, and proper knowledge is one of the few advantages you can use for the protection of your assets.

Almantas Kakareka will address these questions in his talk Insight Into Russian Black Market. He will give you an insight into the underground and explain which “products” are traded by criminals. If you are in charge of securing the digital heart of your enterprise or implement security, then you should listen to this talk.

Almantas Kakareka
Demyo, Inc.
[PL] CERT coaching in (own) practice: case studies and roads into the future

Coaching means support in reaching specific goals and results. In the CERT context, coaching of a new or relatively inexperienced team can be performed by a more experienced partner (another team or an individual) and it can extend from the stage of establishing a new team to reaching certain operational capabilities. While there is an increasing number of training programs available for CERT teams and their members, individual coaching seems to be unpopular, most likely due to the fact that it requires relatively high costs in money and resources. However, once the resources can be allocated, the “return on investment” should be unparalleled.

Between 2007 and 2009 CERT Polska had been running a project with the Central and Eastern European Networking Association (www.ceenet.org), with the ambitious goal of building a network of operational CERTs in countries associated with that organization, particularly in the Caucasus and Silk Road regions, as well as some other countries of the former USSR and the Balkan states. The project involved coaching and mentorship which should result in new teams joining FIRST and becoming accredited by Trusted Introducer. The project was called CLOSER, and while it was not entirely successful, it yielded some success stories as well as valuable lessons learned.

The presentation will briefly cover the CLOSER project, its virtues and shortcomings, as well as stories of some of the coached CERTs from the perspective of two years after completion of the project. I will also discuss possible goals that can be achieved in similar projects, their metrics, and incentives for all involved parties.

Przemek Jaroszewski
CERT Polska/NASK

Tuesday, 19 June 2012

0700-0900 FIRST Business Plan, Budgeting and Compilations Reporting
Grandmaster Suite - Level 6 Conference Center

FIRST members and non-members are welcome to attend this informational presentation.
0800-1600 Registration & Morning Coffee/Tea Service
Spinola Lobby - Level 5 Conference Center
0930-0945
[UK] Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
0945-1045
[EU] Plenary: A CERT for the European Institutions

Cyberthreats are becoming ever more frequent and sophisticated. In the European Digital Agenda, the European Commission has proposed several initiatives to tackle these threats in a more effective manner. In particular the European Digital Agenda foresees two actions regarding the setting up of national CERTs and the improvement of the cooperation between national CERTs. The CERT-EU Pre-configuration Team is a key component to delivering these two actions. The presentation will cover the status and perspectives of CERT-EU.

Grandmaster Suite - Level 6 Conference Center
Freddy Dezeure
DG INFSO, Head of CERT Pre-Configuration Team, CERT-EU
1045-1115 Coffee & Networking Break
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1115-1200
[US] Plenary: Remediation of Malware at the Country Level: A Case Study

In my talk at FIRST 2011, I detailed remediation efforts associated with takedowns of the Waledac and Rustock botnets. I talked about the partnership with ISPs that enabled this and the tactics being utilized to share data and tools to better target infected machines. I also raised a challenge... for a CERT to work towards the eradication of malware in their country. I had several CERTs approach me to discuss this type of work. In this talk, I will detail the work we have undertaken, the protocol by which we propose such work to be effective, as well as challenges and progress to date.

Grandmaster Suite - Level 6 Conference Center
Jean-Christophe Le Toquin
Director Digital Crimes Unit, Microsoft Europe Middle-East & Africa
Jeff Williams
Principal Group Program Manager, Microsoft Corporation, US
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
BREAKOUTS
  • Deep Technical Dives: Portomaso I+II, Hilton Level 3
  • Technical Foundations: Grandmaster Suite, Level 6 Conference Center
  • Policy & Management: Portomaso III, Hilton Level 3
1335-1405
[US] Advances in Passive DNS Replication

In 2005, Florian Weimer introduced the world to Passive DNS Replication at FIRST. In 2007, ISC took up the challenge of implementing a production system and scaling and improving upon it. ISC has written and published a technical paper about its advances in the design and operation of the open-source sensor and collection infrastructure and has built a scalable database used by many in the operational security community. Eric will present the technology used in the project and discuss lessons learned.

Eric Ziegast
Internet Systems Consortium (ISC), US
[US] A Systemic Perspective of Internet Infrastructure Threats

Abstract will be available shortly

Danny McPherson
Verisign, US
[CH] Botnet Free Switzerland

Becoming a botnet-free country is an unachievable goal. Nevertheless this headline was chosen to coordinate different national initiatives by Swiss ISPs, CERTs, the .ch registry and security researchers against malware.

The cooperation started in 2011 when we met to discuss measures against botnets and found out that most ISPs and the registry already support their customers when they are infected with malware or their website is abused for drive-by infections. Measures that are already in place include the notification of affected DSL-line subscribers and domain owners and supporting them with the removal of malware and/or drive-by code, but they go as far as turning off DSL lines or removing second-level domains from the DNS. We all agreed that a cooperation would be much more effective in removing malware and preventing new malware infections in Switzerland.

There are currently different activities, from informal meetings to discuss best practices to the discussion of an official anti-botnet initiative like the German anti-botnet initiative or the Japanese Cyber Clean Center. We don't know yet the formal way of cooperation, but we want to present the challenges and results of our cooperation as well as the individual measures we already have in place to prevent infections via drive-by on .ch websites and to remove malware from infected PCs in Switzerland.

Michael Hausding
SWITCH-CERT, CH
Philipp Rütsche
Swisscom, CH
1410-1440
Anomaly Detection Through DNS Correlation

DNS, like security, is not an island and it respects no borders. It is a morass. The Domain Name System is one of the critical core infrastructure protocols upon which the entire Internet depends, yet it is often ignored, particularly on the client side of the house. In recent years, we've seen cache poisoning attacks and resource amplification attacks. Operation Ghost Click involved redirecting DNS clients through DNSChanger malware. Much of this could have been detected through DNS monitoring. On the other hand, Operation Aurora was uncovered through data mining detailed DNS logs, and DNS forensics has been mentioned in more than one study.

A lot can be gleaned from data mining DNS traffic alone, if the facilities have been set up for it in advance. Even more can be acquired by correlating DNS activity with other network activity or lack thereof. The challenge is in establishing and maintaining baselines against which anomalies stand out.

This talk will look at several areas where behavioral anomalies may be detected by monitoring DNS traffic and correlating it with expected behavior and against other expected network traffic. These anomalies can often unveil classes of malicious activities and intrusions before other techniques have a chance to catch them. This will also cover managing the baseline to improve the signal-to-noise ratio that inherently plagues anomaly detection methodologies.

Michael Warfield
IBM Corporation, US
Combating APTs with NetFlow

From WikiLeaks to Anonymous and LulzSec, 2011 has been marked by an explosion of high-profile cyber attacks. This steady stream of directed attacks is expected to continue, if not increase, in 2012. Due to the extreme motivation behind today’s attacks, technologies that are designed to block them at the perimeter, or use signatures to detect malware, are no longer enough to protect corporate and government networks. Attendees will learn how leveraging NetFlow (and other flow data) can provide the end-to-end visibility and situational awareness required to protect them from the full spectrum of threats facing today’s enterprises. Having a complete picture of everything happening on the network makes it easier for IT administrators to investigate and mitigate anomalous behaviors that could signify APTs. By collecting and analyzing flow data inherent in their network infrastructure, organizations can seamlessly and cost-effectively create an always-on sensor grid for proactively detecting and thwarting advanced attacks that bypass external defenses.

Christopher Smithee
Lancope, Inc.
Project MARS

Microsoft has been driving a sustained fight against botnets for almost a decade and in recent years has adopted a proactive disruption strategy to protect our customers. Examples of this new approach, dubbed Project MARS, can be seen in the operations against prominent botnets like Waledac, Rustock, Kelihos and most recently Zeus. With each operation, the Digital Crimes Unit at Microsoft and our partners have been striving to find new ways to further protect the community.

One example of the success of this approach can be found in the botnet cleanup effort in which the Digital Crimes Unit, supported by our Microsoft colleagues in Trustworthy Computing and the Microsoft Malware Protection Center, worked with ISPs and CERTs around the world to help affected computer owners regain control of their malware-infected computers. By sharing our botnet takedown data with ISPs and CERTs, Microsoft has been able to provide the information necessary to inform affected computer owners as well as offer free tools to help them clean their systems. This effort has already helped drastically reduce the global infection of the Waledac and Rustock botnets. Building on the success of this program, the Digital Crimes Unit is continuing to explore new ways to make this type of information available to those who can help our customers. The Digital Crimes Unit is currently developing a new system which aims to offer customers and partners a valuable, reliable and secure mechanism for actionable real-time intelligence on threats.

Jean-Christophe Le Toquin
Microsoft Corporation, FR
1445-1515
Where automation ends and people begin—One CSIRT's journey replacing a SIEM with logging

We all want a magic button that fixes our network security problems. Automated tools can improve a weak computer security posture by preventing new infections and disrupting command and control channels. In reality, though, the scope of these tools will always be limited to the most basic of attacks. A strong security posture requires not only automated equipment, but people to program the equipment and to act on its output. Cisco CSIRT has taken a pragmatic approach where automated equipment better serves the purpose of providing intelligence to highly-trained IT staff, rather than attempting to replace the security staff altogether. This talk focuses on the philosophy that Cisco CSIRT uses to protect its own network.

Gavin Reid
David Schwartzburg

Cisco Systems, US
Incident response in large complex business environments

Incident response in a large environment hosting multiple businesses such as mail, retail, online advertising, digital media and news can be a complex and arduous task. During this presentation the audience will be guided through the process that allows an incident response team to successfully deal with issues that cross all of these sometimes disparate business lines. The presenters will discuss the tools and processes used, and the role that open source intelligence and counter-intelligence play in having a successful incident response process. The presenters will also discuss two real incidents (one fraud case, one application security issue) during the presentation that will allow the audience to see the process, procedures and tools discussed in action during the incident response process.

Ramses Martinez
Ismail Guneydas

Yahoo!, US
DNS Filtering and Firewalls—Panacea for network protection or the cause of Internet Balkanization?

DNS "firewalls" are a potent protective measure against botnets, spear phishing and APT attacks, preventing compromised computers on your networks from communicating with their C&Cs and drop zones. However, the same technology that can be used to protect enterprise and other organizations' networks is also in play at the nation-state level, where various policies and laws are leading to filtering of the Internet based on the DNS. As more nation-states are looking to legislate blocking at ISPs or even deeper, what implications does that have, especially for new attack vectors as people circumvent such measures? Also, how do you as a CERT or network security professional implement a "DNS Firewall" for the networks you protect using the variety of resources out there, and then manage it properly? Great technology is almost always a two-edged sword, and using your DNS resolvers to dictate how your users see the world is one of the ultimate examples of this. This session will examine the pros, cons, and how-to's of the technology.

Rod Rasmussen
Internet Identity, US
1520-1550 Coffee & Networking Break
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1500-1700 Common Vulnerability Scoring System Special Interest Group (CVSS SIG)
Vilhena - Level 6 Conference Center
*Open to all attendees; voting is restricted. Contributors must sign an IPR.
1555-1625
Cryptanalysis of malware encrypted output files

The objective of this 45-minute presentation is to show how we decrypted and accessed the contents of the files generated by three different pieces of malware, specially designed to steal sensitive information from a very particular environment belonging to a client. The activities were performed based only on the encrypted files and the malware binaries, since we did not have access to the live systems and the specific hardware employed by them. Despite this restriction, we were able to shorten the amount of time spent on dynamic and static analysis, thanks to the strategy and cryptanalytic techniques that we employed.

This talk will cover the following topics: introduction; detection of weak cryptosystems; description and cryptanalysis of classic algorithms; review of block ciphers; review of DES and 3-DES; identification of the possible encryption mechanisms employed by the malware; deciding what to look for; confirmation of the algorithm used; searching the key within the malware code; searching the key within main memory; finding the key; decrypting the files; worst scenario.

Nelson Uto
CPqD, BR
Operation black tulip: Certificate authorities lose authority

The DigiNotar attack calls into question the foundations of secure communications and the role of some of the important players in the security industry (the CAs).

This talk will discuss ENISA's (recently published) analysis of the DigiNotar case, and discuss the issues with HTTPS at large. Topics that will be discussed are: the security of HTTPS (Blaze's Spy in the Middle), the relation with the existing security legislation for telcos (Article 13), if and how to enforce incident reporting and minimum security measures for critical service providers, how to quickly shore up weaknesses and flaws in HTTPS, if and how to overhaul the HTTPS scheme, who or what could be new trust anchors, et cetera.

This talk should provide for a discussion with the audience rather than present one particular proposal for solving the problems.

Marnix Dekker
ENISA, EU
CSIRTs are to Product Security as Ferries are to Islands

This presentation is composed jointly by CERT-FI and Ericsson PSIRT under the conference theme "Security is not an island". The presentation outlines practical cases where a national CSIRT and a vendor can work effectively together to solve security problems with a potential to have a negative impact on third parties.

One often hears claims that cooperation between government authorities and commercial organizations cannot and does not work. The presenters argue that cooperation is not only possible but yields fruitful results. CERT-FI and Ericsson PSIRT have a long history of working together on a variety of product security cases and share information on a regular basis.

The presentation first gives a brief background on both organizations' approach to PPP and then proceeds to show practical examples of cases involving bilateral or multilateral cooperation. Lastly, the presentation summarizes the benefits of such cooperation in terms of lessons learned and shares some proven hints and tips for the audience on how to realize something similar in other countries.

What works in Finland, should work anywhere else. Or is Finland after all an island where we have been lucky enough to find ourselves stranded together?

Erka Koivunen
CERT-FI, FI
Anu Puhakainen
Ericsson, FI
1630-1700
Further aspects of passive DNS: datamining, visualizing and alternative implementations
Alexandre Dulaunoy
CIRCL.lu
David Durvaux
CERT.be
L. Aaron Kaplan
CERT.at
Sebastian Tricaud
Picviz Labs, FR
Engineering Solutions for Incident Investigations and Detection

Security threats have grown from network annoyances to attacks on your sensitive infrastructure. Evidence indicates that security threats are growing more sophisticated and aimed at embedded deployment. This presentation will share Cisco CSIRT's evolving architecture for addressing sophisticated, embedded threats.

Topics will describe how CSIRT has evolved its network infrastructure over the past 10 years, and will give detailed architectural examples and guidance regarding their multi-petabyte global deployments of:
* Log/event collection of syslog, DNS, web proxy logs, ModSecurity logs
* NetFlow collection
* Host and user attribution techniques (using DHCP, NAT, VPN logs to identify users)

It will also include a description of how CSIRT Engineering is integrating the following solutions into their global deployment:
* Nascent APT detection using precursors
* Challenges and solutions for multiple filtered detection using SPANs and taps (IDS, DNS collection, web proxy, DLP)
* Data loss protection (DLP)
* Rapid operationalization of collaborative, commercial, and home-grown intelligence
* Pulling this all together in a free-form custom SIEM.

Martin Nystrom
Cisco Systems, US
Cross-Organizational Incident Handling: An evolved process model for improved collaboration

Most commonly adopted models for cybersecurity incident handling can trace their origins back to a model developed over 20 years ago, in a very different climate than the one incident response and security teams operate in today. That model focuses on a linear approach to identifying, containing and remediating incidents in your own local environment first, and sharing information with others after the fact.

Modern threats consistently cut across national, organizational and sector boundaries, requiring coordinated collaboration on the part of any network defense operation that hopes to be truly successful. Modern networks can also present "information overload" problems for watch standers, analysis teams and decision makers, presenting additional challenges for identification, escalation and follow-through whenever significant incidents arise.

US-CERT is developing a coordinated model for cybersecurity incident management to improve cooperative operations, shape the adoption of standards for incident data exchange, and streamline the flow of necessary information to the right participants at the right time throughout the cycles of identification and response. This is an opportunity for the FIRST community to learn about the progress of our efforts, provide feedback on the model and pursue avenues for future collaboration.

Thomas Millar
US-CERT, US
1730-1930 Metrics Special Interest Group (Metrics SIG)
Vilhena - Level 6 Conference Center
1705-1735
CERT-GIB: Efficient mitigation of Phishing, Malware and Botnet activity within a ccTLD
Alex Kuzmin
CERT-GIB
National Disinfection Case Study

Every country is a special case of fighting malware and a disinfection plan, and in my presentation I will explain the procedures we are applying in Qatar to manage fighting malware on a national level in cooperation with ISPs, and how we can use this system to contact the public everywhere, at home, corporate and governmental entities, to disinfect their machines from malware. Furthermore, we will go through a demonstration about how to use this system for a major incident, and optimizing our malware disinfection life cycle.

Mounir Kamal
QCERT, QA
Sharing Crime Data Across International Frontiers

Although initially an Internet phenomenon, perpetrators of many types of crime and their victims are now routinely in different jurisdictions, which inhibits investigation follow-up and prosecution. This is sub-optimal: if the good guys want to respond to the speed and offensive capacity of the cybercrime gangs, the global coordination of crime intelligence is a hard problem. This presentation will identify and discuss a number of current projects trying to improve the flow of eCrime and traditional crime reporting between victims, private-sector investigators and law enforcement organizations in different or multiple jurisdictions. Some of the treaty-organization led efforts identified important issues and suggested potential solutions, while other efforts have run table-top or pilot exercises to test out various scenarios. Additional lessons learned and issues uncovered in these projects, along with future plans, will be discussed to inform the audience about these efforts so they may decide to participate, or at least not be surprised when asked to participate by their local governments.

Patrick Cain
APWG, US
1800-2000 Vendor Showcase
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center

An evening to network with our conference sponsors, exhibitors and your peers (with beer and appetizers of course!)

Wednesday, 20 June 2012

0830-1600 Registration & Morning Coffee/Tea Service with Exhibits
Spinola Lobby - Level 5 Conference Center
0830-0930 Law Enforcement/CSIRT Co-operation Special Interest Group (LECC SIG)
Vilhena - Level 6 Conference Center
0930-0945
Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
0945-1045
Keynote: Defending Cyberspace—Global Challenges Require Global Responses

The Third Millennium started by witnessing Cyberspace being added, as a new global domain, to the natural domains of open seas, air and space. Mankind has always progressed by taking advantage of opportunities offered by the open seas, air or space. Yet the opportunities offered by Cyberspace are unprecedented, both in scope and in speed. The third millennium will benefit those who know how to utilize cyberspace better. On the other hand, unprecedented opportunities offered by cyberspace require protection. Piracy in open seas took centuries to cease (well, almost). We need to move much faster in Cyberspace to respond to the cyber threats, which are global in nature. Global threats can only be countered by global measures. In the multi-stakeholder nature of Cyberspace, we all have shared responsibilities to make cyberspace a safer global domain. Currently the most important shortcoming in defending against cyber threats is the lack of international cooperation. Through its 28 Member Nations and 40 Partner Nations, NATO has been raising awareness and assisting capacity building against global cyber threats at strategic levels. In this decade, the international community needs to do better to make sure first that its own cyberspace is kept “hygienic” and secondly to assist others in defending their cyberspace.

Grandmaster Suite - Level 6 Conference Center
Suleyman Anil
Head, Cyber Defence/Emerging Security Challenges Division, NATO
1045-1115 Coffee & Networking Break with Exhibits
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1115-1200
Plenary: Evolution of white-hat versus botnet takedown interaction

Eric and David will present an evolution of white-hat versus botnet takedown interaction and how the working group model is forming to proactively work with law enforcement to go after criminal operators. They will discuss past failures, current failures, and recent successes.

Grandmaster Suite - Level 6 Conference Center
David Dagon, Researcher, Georgia Tech Information Security Center, US
Eric Ziegast, SIE Programme Manager, Internet Systems Consortium, US
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
1300-1500 Internet Infrastructure Vendors Special Interest Group (Vendor SIG)
Vilhena - Level 6 Conference Center
BREAKOUTS
DEEP TECHNICAL DIVES: Portomaso I+II, Hilton Level 3
TECHNICAL FOUNDATIONS: Grandmaster Suite, Level 6 Conference Center
POLICY & MANAGEMENT: Portomaso III, Hilton Level 3
1335-1420
CANCELLED
NorCERT incident handling of targeted attacks

Using some real-life cyber espionage incidents in Norway as a basis, Marie and Eldar from NorCERT will drill down into some of the challenges modern national CERTs have to live with, including aspects like:
- how to put sensors in the basements of private companies (voluntarily), when you are the "secret service"
- how not to be a competitor to private security consultant companies
- how to build a good basis of signatures for intelligence, detection and early warnings
- malware analysis, and how this becomes an important tool for incident handling and discovery of new attacks
- how some CERTs move from traditional incident response and abuse handling to counter-intelligence operations
- how difficult it is to handle media, wanting to create awareness, but at the same time not telling Who (is targeted), What (is taken) and Who (is behind).

Marie Moe
Eldar Lillevik

NorCERT, NO
Legal challenges to information sharing of national/governmental CERTs in Europe

CERTs play an important role in helping to mitigate the impacts of cyber attacks and data provided by CERTs may also help industry and government to better understand threat patterns and attack trends, thereby improving the application of preventative measures and reducing the scope for future attacks. In order to mitigate the impact of cyber attacks, responses may require extensive cross-border coordination between CERTs, especially national/governmental CERTs, which are a particular type of CERT playing an important role at a national level in supporting such cross-border coordination. This coordination can include the sharing of certain types of data, in real time, concerning the source or destination of attacks (usually IP addresses) or log files of suspicious types of Internet traffic. Usually CERT cooperation and sharing takes place informally on the basis of trustful relationships.

Nonetheless, the complexity of legal factors surrounding this cross-border collaboration could present issues and can complicate the delicate balancing act that CERTs have to perform between carrying out their role and contributing to a better understanding of the relative state of cyber security, and protecting those rights and obligations provided for by certain legal and regulatory frameworks.

In this presentation we will focus on the ENISA’s study into the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe. Some of the legal and regulatory factors identified in the study will be presented, such as definitions and criminal sanctions concerning different types of computer and network misuse, the European legal framework governing data protection and privacy, and mandate and competences of the CERTs.

We will also look at some of the existing initiatives to overcome the legal challenges and at some recommendations proposed in the study to further improve the work of CERTs, such as the identification of ways to support operational coordination between CERTs, the dissemination of Declared Level of Service templates, ensuring that EU-level legislation takes account of the scope of national/governmental CERTs and the articulation of why CERTs need to process personal data.

Silvia Portesi
ENISA, EU
Neil Robinson
RAND Europe
1425-1510
Cyber Crime & APT Hands On

This training is intended to educate attendees on current threats affecting most organizations. The hands-on training has participants build, deploy and operate current crimeware as well as deploy targeted attacks that leverage advanced persistent threat (APT) software in a safe and controlled environment. By seeing and operating the tools used by malicious actors, computer network defenders will have a greater understanding of the threats and can brainstorm on how to combat these subtle intrusions. The training can be attended by those without a great deal of experience in incident handling as well as by those with more experience - the content, in addition to the mix of attendees, will provide a great learning opportunity for all those involved.

Jeffrey Brown
Cyber Clarity, US
Cory Mazzola
General Dynamics AIS, US
Post-Intrusion Problems: Pivot, Persist and Property

For years, post-intrusion forensics has been a poorly codified field. While significant research has gone into exploitation and network intrusion, it’s traditionally been difficult to hone in on the various motivations of attackers. Subsequently, accurate prediction of post-intrusion activities has been problematic. The hacker as “mythical unicorn” has been difficult to track. The hacker as state-sponsored agent of espionage and cyberwar, however, is an entirely different beast.

We always thought we had a hacking problem. Only recently, however, have we started to divide our attackers into classes more useful than ‘script kiddie’ and ‘hacker’. It has become glaringly obvious that true distinctions lie in motivation. In the post-Aurora world, disclosure of intrusions has become increasingly commonplace. Recent high-profile intrusions have involved theft of CA certificates, key materials, and the communications of dissidents and political figures. Rather than view these intrusions as ‘hacking’, they can more usefully be discussed as ‘electronic espionage’.

We see post-intrusion forensics as counter-espionage anti-tradecraft. In order to perform a proper counter-espionage forensic examination, you must understand your adversary’s motivations & goals. By identifying goals, you can then identify the actions and targets required to achieve these goals, and focus your investigation on the collection and analysis of these artifacts. We identify and examine these artifacts at three stages of post-intrusion espionage: Pivoting (moving through the network), Persistence (maintaining access), and Property (destruction or theft) attacks. Adopting such a methodology will prove an enabler for not only increased forensic capability, but also in providing a foundation for aggressive defense.

Cory Altheide
Morgan Marquis-Boire

Google, US
The Laws of Large Numbers and The Impact on IT Security

World markets gyrate seemingly almost daily with 100 point swings barely worth a mention. Yet, as these high level indicators try to hint at the overall direction of the economy, a number of other data points can show a more detailed picture of where we're headed. From an IT Security perspective, much can be gleaned from this including the impact on vendors, budgets and of course, attackers. Peter Kuper's presentation distills the macro-economic data right down to how it impacts the IT security professional role as well as offers some perspectives on ways to engage successfully in the current environment.

Peter Kuper
In-Q-Tel, US
1500-1700 Common Vulnerability Scoring System Special Interest Group (CVSS SIG)
Vilhena - Level 6 Conference Center
*Open to all attendees; voting is restricted. Contributors must sign an IPR.
1515-1545 Coffee & Networking Break with Exhibits
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1550-1730 Lightning Talks
Grandmaster Suite - Level 6 Conference Center
Sign-up sheets will be available at the registration desk. 5-minute rotations. No sales presentations.
1815-1830

1900-2400
Buses to Conference Banquet in Mdina
Additional attendee directions onsite.
Conference Reception & Banquet Dinner in Mdina
Location & event details onsite.

Thursday, 21 June 2012

0830-1530 Registration & Morning Coffee/Tea Service with Exhibits
Spinola Lobby - Level 5 Conference Center
0930-0945
Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
0945-1045
Plenary: Securing Social

With over 800 million monthly active users communicating with friends and family, sharing and expressing themselves through online content, Facebook faces a significant set of security threats. In this talk, we'll focus on several threats against our infrastructure and discuss the defensive measures that we've developed to combat them.

Grandmaster Suite - Level 6 Conference Center
Chad Greene, CERT Manager, Facebook, US
Ryan McGeehan, Manager, Security Incident Response (SIR), Facebook, US
1045-1115 Coffee & Networking Break with Exhibits
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1115-1200
Plenary: Proactive Detection of Network Security Incidents - A Study

The talk is going to cover a recently published ENISA report on the "Proactive Detection of Network Security Incidents". Proactive detection of incidents is the process of discovery of malicious activity in a CERT's constituency through internal monitoring tools or external services that publish information about detected incidents, before the affected constituents become aware of the problem. It can be viewed as a form of early warning service from the constituents' perspective. Effective proactive detection of network security incidents is one of the cornerstones of an efficient CERT service portfolio capability. It can greatly enhance a CERT's operations, improve its situational awareness and enable it to handle incidents more efficiently, thus strengthening the CERT's incident handling capability, which is one of the core services of national / governmental CERTs.

The study was largely community driven - it was based on a survey of 45 different CERTs and on input from a security expert group specifically formed for the study, supplemented by the research and knowledge of members of the CERT Polska team and ENISA. Results of the survey will be covered in the presentation.

Grandmaster Suite - Level 6 Conference Center
Andrea Dufkova, Expert in Computer Incident and Response Handling, Operational Security, ENISA, EU
Piotr Kijewski, Head of CERT Polska, CERT Polska/NASK, PL
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
BREAKOUTS
DEEP TECHNICAL DIVES: Portomaso I+II, Hilton Level 3
TECHNICAL FOUNDATIONS: Portomaso III, Hilton Level 3
POLICY & MANAGEMENT: Grandmaster Suite, Level 6 Conference Center
1335-1420
Honey Spider Network 2.0: detecting client-side attacks the easy way

Malicious web pages that use either drive-by downloads or social engineering to exploit systems of unsuspecting users are presently one of the most serious threats in computer security. This presentation will introduce an open-source framework for detection of client-side attacks, developed by NASK and NCSC (formerly GOVCERT.NL) - Honey Spider Network 2.0. Version 1.0 was a unique combination of a high-interaction client honeypot (Capture-HPC NG - see http://pl.honeynet.org) with a custom low-interaction honeypot, resulting in a system that is able to use different approaches for analysis of web pages. Building on the experience gathered from the previous version of the system, we completely redesigned the architecture, focusing on creating a flexible and scalable framework.

At the core of the solution is a high-performance engine that controls the flow of tasks that are being processed and distributes the workload using AMQP (Advanced Message Queuing Protocol). HSN 2.0 leverages the functionality of a multitude of services (plugins) for data acquisition and analysis. It is possible to create new ones in a straightforward way - they can be implemented in any language, our protocol is well documented and AMQP is a standardized transport layer. Existing honeypot, crawler or threat analysis solutions can be easily plugged in. All this allows the system to go beyond analyzing just URLs to also inspect files such as PDFs, Office documents, Flash, etc. Furthermore, the architecture is very fault tolerant, meaning that a failure of any service does not lead to the system being unusable.

Building such an open and universal architecture is necessary if the security community is to keep up to date with the dynamically shifting threat environment. In our experience, this goal is only achievable through a collaboration of many experts, each contributing knowledge - and code - about certain types of exploits and threats.

Apart from the overview of the system's architecture, preliminary results of the system's performance in real-world scenarios will be discussed. A demonstration of the system detecting various threats through multiple plugins will be carried out.

Pawel Pawlinski
CERT Polska/NASK
From Zero to CERT in 60 Days

With preliminary funding secured in early 2011, the Icelandic Post and Telecommunication Administration (PTA) was tasked with establishing a CERT team in Iceland. In this presentation we will reflect on the major challenges faced by the PTA team in the months leading up to the official launch of the Icelandic national CERT team (CERT-IS). The primary goal of the PTA is to have the team provide information and, if needed, assistance to its initial constituency members (the Icelandic telecommunication companies) when dealing with computer security incidents.

From the start, time and budgetary constraints imposed on the project played a significant role in how the PTA chose to approach the many challenges of creating a CERT team from scratch. With assistance from the Finnish national CERT team and Clarified Networks, CERT-IS launched the AbuseHelper framework for internal use in October 2011. This turned out to be a pivotal moment for the CERT-IS team, as it provided the team with fairly detailed insight into the current state of security incidents within its constituency networks as well as providing means for continuous situation awareness.

We will cover in detail the 60 days following the AbuseHelper framework implementation, with emphasis on some of the key issues that emerged and the lessons learned during that period. We will focus on a) location and evaluation of available sources for incident related data, b) control of the flow of data through automation and c) extending AbuseHelper in order to respond to specific requirements by the constituency.

With AbuseHelper serving as central data aggregation storage, in conjunction with the ability to extend its functionality, the CERT-IS team could focus more on adding value to the processing of incident data rather than simply ensuring timely report-to-contact transactions. We will explore some of these value-adding processes as well as look towards the future and view the CERT-IS goals in the coming months.

Sindri Bjarnason
CERT-IS, IS
[MT] Panel: Security Incidents Management within the Government of Malta [+]

This panel will discuss incident reporting, giving first-hand experience on the tools, issues encountered and lessons learned (applied to the local scene) in monitoring security activity on the Government ICT infrastructure, with an emphasis on information gathering to ensure it is tangible evidence in the courts of justice.

Martin Camilleri
Malta Infosec
Giovanni Grixti
Magistrate, Malta
Rodney Naudi
Malta Information Technology Agency
Timothy Zammit
Malta Police Force Cyber Crime Unit
1425-1510
[US] Overseeing the orchard - Hands-on tutorial [+]

Love it or hate it, Apple's iOS mobile platform has arrived in the enterprise, now exceeding even RIM's (Blackberry) numbers. Often, the task of overseeing these systems' security falls on the IT Security team. So, what will you do?

This session looks at the major security pitfalls to avoid in iOS, and then surveys the various tools and techniques available to the IT Security teams. These include:

- Creating secure configuration profiles for iPhones and iPads with the Apple iPhone Configuration Utility.
- Managing fleets of iOS devices remotely, using MDM products, including configuration profiles, X.509 certificates, and security policies.
- Overseeing in-house app repositories of enterprise-approved apps.
- Static and dynamic testing of apps for enterprise approval. Tools and techniques for testing are covered and demonstrated.

These are the practical issues that many IT Security teams will face in order to oversee iOS deployments, from small numbers of devices through thousands of distributed devices worldwide.

Kenneth van Wyk
KRvW Associates, LLC
[JP] Feasibility study of scenario based self training material for incident response [+]

In this presentation, I show the concept of "scenario based self training material for incident response".

The research motivation is: "How can we provide a training resource for general users and newcomers that helps their understanding of incident response for old types of incident (e.g. network worm infection) and new types (e.g. Advanced Persistent Threat)?"

Keywords for the solution are "self training" and "scenario based".

Many incidents disclose some snapshot information (e.g. privacy information disclosure, SQL injection, etc.), but we can't acquire incident details such as the response scenario. In other words, in many cases we can't publish our own incident details either.

Therefore, we propose the concept of "scenario based self training material for incident response", which makes a new incident scenario by selecting and combining parts from many facts.

We make a new incident scenario by selecting and combining parts from customized blocks. That scenario is a virtual story and not fact, but it is based on fact.

Also, in "scenario based self training material for incident response", the scenario writer presents learning and discussion points.

Masato Terada
Hitachi Incident Response Team, JP
[CN, NATO, JP, US] Panel: Global and Regional CERT Collaboration to Reduce Cyber Conflict Risk Panel [+]

This panel will explore the role of CERTs in growing global and regional efforts focusing on reducing the outbreak and risks associated with cyber conflict. The focus will be on how CERTs can play a role in agreements, both formal and informal, that improve crisis communication and build confidence between nations and other actors in order to reduce the degree of escalation of cyber conflicts and to improve understanding of likely behavior of actors involved. The panel will build on both recently published academic and policy writings on this topic as well as the engagement of the panelists in on-going negotiations and operations in this area to include the US-China and US-Russian cyber bilateral discussions, the China-Japan-Korea Joint MOU on Collaboration on Cyber Security Incident Response, the APCERT efforts on cyber clean up, the Nordic CERT framework for collaboration and the OIC cybersecurity collaboration efforts.

Greg Rattray
Delta Risk LLC, US
Yurie Ito
JPCERT/CC, JP
Suleyman Anil
NATO
Yuejin Du
CNCERT/CC, CN
1500-1700 Common Vulnerability Scoring System Special Interest Group (CVSS SIG)
Vilhena - Level 6 Conference Center
*Open to all attendees; voting is restricted. Contributors must sign an IPR.
1515-1615 Networking Break with Exhibits (for non-members)
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1530-1730 Annual General Meeting (AGM) [+] - AGM page is viewable only by members. If you are unable to access the page and feel that it is an error, please contact the Secretariat at first-sec@first.org.
Members Only. Must have a valid government issued photo ID for entry. No exceptions.
Coffee break will be served in room.

Friday, 22 June 2012

0830-1200 Registration & Morning Coffee/Tea Service with Exhibits
Spinola Lobby - Level 5 Conference Center
0930-0945
[UK] Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
0945-1045
[US] Keynote: Surviving the World of Security—The Past, Present and Future
Grandmaster Suite - Level 6 Conference Center
Lance Spitzner, Director, SANS Securing the Human Program, SANS Institute, US
1045-1115 Coffee & Networking Break with Exhibits
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1115-1200
[JP] Plenary: What we found about BCP on 3/11 [+]

In Japan, Business Continuity Planning (BCP) was said to be ready for any natural disaster. In the event of an issue occurring at corporate headquarters, satellite offices, backup systems for critical information and disaster recovery plans were all considered ready to go. However, after the earthquake on 3/11, we realized that in fact BCP processes were not enough to deal with "REAL" disasters, because of not only power outages but also unexpected problems including human factors.

We interviewed enterprises in Japan, focusing on BCP which:

(1) worked out well
(2) did not work out well

Based on our interview results, we will introduce what happened on 3/11 and what is needed for "REAL" BCP.

Grandmaster Suite - Level 6 Conference Center
Takuho Mitsunaga, Security Analyst, JPCERT/CC, JP
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
BREAKOUTS
DEEP TECHNICAL DIVES - Portomaso I+II, Hilton Level 3
TECHNICAL FOUNDATIONS - Grandmaster Suite, Level 6 CC
POLICY & MANAGEMENT - Portomaso III, Hilton Level 3
1335-1420
[FI] AbuseHelper case studies: Gathering and sharing incident data among different communities [+]

In recent years, Finland has topped the list of least infected countries in the world according to reports such as the Microsoft Security Intelligence Reports (SIR). The goal of this presentation is to briefly introduce the approach we believe contributed to these results. In this approach the security community is organizing itself to collaborate and protect citizens and the critical infrastructure from organized crime. This talk focuses on the experiences of CERT-FI in using AbuseHelper, an open source framework for handling incident data, within the Autoreporter and HAVARO projects. Autoreporter is a system for automatically reporting to internet providers on masses of incidents reported by third parties. Information is gathered, elaborated, sanitized, and reported to gathered contacts. The HAVARO project is a co-operation between CERT-FI and the Finnish National Emergency Supply Agency. HAVARO is a versatile network monitoring and early warning system for Finnish critical information infrastructure providers. The intelligence CERT-FI gathers on network abuse through its international contact network is put into operational use in the HAVARO system. HAVARO collects observations of possibly malicious activities based on IDS rules, flow data and traffic to known bad networks and systems. Full packet traces of suspected incidents are retained for investigation. Reports and alerts are sent to the system owners after investigation. We explain how the underlying AbuseHelper framework enables these systems to co-operate and allows CERT-FI to gain broad visibility into the security of Finnish networks. Finally, we present outlines on how the Finnish National Bureau of Investigation is using AbuseHelper to enable information sharing between the CERT and law enforcement communities in its Collabro project.

Jussi Eronen
CERT-FI, FI
[MY] Are Cyber Security Exercises Useful? The Malaysian Case Study [+]

Cyber security exercises (cyber drills) are pretty common these days. CERTs/CSIRTs at both the national and regional levels have been observed organizing them regularly. In this respect, the Malaysia CERT has been coordinating the national cyber security exercises, known as X-Maya, since 2007. The exercises are hands-on in nature and carried out as part of the critical information protection program. While a lot can be said about the benefits of this activity, some are questioning its effectiveness when it comes to dealing with real incidents. This presentation will give a technical overview of designing and executing X-Maya 4 in 2011. Most importantly, some reflections on the effectiveness of the exercise in the light of Anonymous #opsMalaysia in June 2011 will also be shared with the audience.

Adli Wahid
CyberSecurity Malaysia (MyCERT), MY
[FR] Visualizing cybercrime campaigns using TRIAGE analytics [+]

Initially developed during the WOMBAT Project (EU-FP7), TRIAGE is a software tool that provides advanced analytical capabilities for automating cyber intelligence tasks on massive security data sets. One of the rationales for developing such a tool is to enable rapid triage analysis of security events with respect to any number of features, and therefore help analysts quickly attribute various waves of Internet attacks to the same phenomenon, e.g., an attack campaign likely run by the same individuals. The framework will soon be enriched with new features such as interactive visualizations developed in VIS-SENSE, a European research project that aims at developing visual analytics technologies suited for network security and attack attribution. Using real-world examples from the analysis of a large set of targeted attacks identified by Symantec in 2011, we will illustrate how TRIAGE analytics can shed some light on large-scale cybercrime campaigns and the modus operandi of their presumed authors.

Olivier Thonnard
Symantec, FR
1425-1510
[US] Sharing data's hard, here's how we did it [+]

The REN-ISAC is a federation of diverse research and education institutions concerned with operational computer and network security. What slowly started out with some people, some hacked up mailing lists, a wiki and some magic perl glue to share intelligence, quickly snowballed into a vast sea of data that no one could keep track of or use in their day to day operations.

Over the last few years we've invested most of our development time and effort into building tools that lower the barrier to entry for our community to share data intelligently. These tools have not only been developed with our own CSIRT constituencies in mind, but also based on feedback from the international CSIRT community.

This talk will focus on how our community went from a set of extremely raw tools to an automated end-to-end process of sharing data within a large heterogeneous community. First we'll detail how institutions currently share data directly into each other's IR process with little or no human interaction. We'll also discuss how we've enhanced various international standards that enable our constituency to further share data with law enforcement agencies as well as our trusted mitigation partners. Additionally, this talk will review the most common data-sharing hurdles when partnering with external organizations, and why most global data-sharing ventures have failed to scale in this space. This will include things like data parsers, information sharing agreements and data formats. And finally, we'll talk about how we plan to evolve this application into the big-data environment (hundreds of billions of things per day) over the next three years.

Attendees should walk away with a real life set of tools and lessons learned, both technical and strategic, that they can use to scale internal intelligence operations past their own borders.

Wes Young
REN-ISAC, US
[US] FS-ISAC—A Private/Public Partnership [+]

Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive - later updated by 2003's Homeland Security Presidential Directive 7 - mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.

Constantly gathering reliable and timely information from financial services providers, commercial security firms, federal, state and local government agencies, law enforcement and other trusted resources, the FS-ISAC is now uniquely positioned to quickly disseminate physical and cyber threat alerts and other critical information to your organization. This information includes analysis and recommended solutions from leading industry experts.

Rapid and Trusted Protection for Our Companies, Our Industry and Our Country

The recent successful completion of our Critical Infrastructure Notification System (CINS) allows the FS-ISAC to speed security alerts to multiple recipients near-simultaneously while providing for user authentication and delivery confirmation. The FS-ISAC also provides an anonymous information sharing capability across the entire financial services industry. Upon receiving a submission, industry experts verify and analyze the threat and identify any recommended solutions before alerting FS-ISAC members. This assures that member firms receive the latest tried-and-true procedures and best practices for guarding against known and emerging security threats.

Joining the FS-ISAC is one of the best ways financial services firms can do their part to protect our industry and its vital role in the U.S. critical infrastructure. To that end, FS-ISAC membership is recommended by the U.S. Department of the Treasury, the Office of the Comptroller of Currency, the Department of Homeland Security (DHS), the United States Secret Service, and the Financial Services Sector Coordinating Council. In fact, both Treasury and DHS rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis.

Kevin Thomsen
Citi, US
[FR] How Visualization Makes it Possible [+]

Handling huge amounts of data is difficult. Organizations have been deploying firewalls, SIEMs and log management systems, and still attacks occur and find their way into their networks. Events that are being handled are stored in databases, dealt with through a dashboard, etc. All of these cut off the analyst's direct access to the data. Visualization, when done properly, can not only help you understand the whole picture but also help you find clues faster than any sort of pattern matching against known attacks. This talk will give examples of how visualization has been used successfully by several banks and governmental institutions to quickly find targeted attacks.

Sebastian Tricaud
Picviz Labs, FR
1515-1545 Coffee & Networking Break with Exhibits
Spinola Lobby - Level 5 Conference Center
Grandmaster Foyer - Level 6 Conference Center
1550-1630
[BE] Proposal for a new model for information sharing between CSIRTs [+]

National and other active CSIRTs are facing huge amounts of incoming data from automated sources (e.g.: Shadowserver, Team Cymru Services, Clean MX, own honeypot and sensor data, etc.) as well as manual reporting. Processing all this valuable information in a timely manner poses a serious challenge (day after day) and can lead to frustration because valuable data, resources and time are being wasted, as well as to cross-reporting complications and multiple reports for the same incident that amplify the whole problem. CSIRTs are trying to combat organized crime but sometimes they feel like “unorganized superheroes”.

Partially automating the process of treating automated sources with projects like AbuseHelper, Megatron or homebrew scripting can bring some relief but unfortunately this won’t solve the cross-reporting and other issues.

A second issue is how to create a global view of the data. National CSIRTs have an “island-view” on what’s happening inside their country (or a partial one) but are barely aware of what is happening in the neighboring countries.

By interconnecting automation systems one can create a global overview. Each island can share with peers legally and politically allowed information in order to benefit from more worldwide intelligence to solve major incidents. There are some natural geopolitical archipelagoes like the US, the EU, the Benelux, etc.

The goal of this presentation is to talk about the challenges and solutions on how to tackle the problems described above. Both legal and technical challenges will be included and we hope it will inspire the community to further collaborate in order to get rid of the CSIRTs island-view while still respecting its constituency, its autonomy and local legislation. This would help the Superheroes to get organized, enabling them to pose a much stronger opposition to organized Internet crime and abuse.

David Durvaux
Christian Van Heurck
CERT.be, BE
[ES] Automated incident notification helper [+]

In order to automate incident reports, and after evaluating existing services, INTECO-CERT decided to develop an internal service for retrieving information and abuse contacts for IP addresses involved in cyber incidents. The service backend uses ARIN Whois-RWS and the RIPE-NCC database REST API to retrieve abuse contacts in an efficient manner. These external services offer information for different RIRs: ARIN Whois-RWS provides information from ARIN IP addresses and delegated netblocks, and the RIPE-NCC database REST API feeds the same information for RIPE, AfriNIC and APNIC netblocks. As LACNIC doesn't have any similar service, INTECO-CERT signed an agreement with the purpose of obtaining bulk data from this RIR to optimize as much as possible the extraction of technical information from LACNIC netblocks.

This service also holds national CERT contacts collected from the FIRST members directory and the CERT/CC National CSIRTs database. So for any query it returns the abuse contact published in the RIR databases and a national CSIRT contact.

Besides abuse and national CSIRT contact information, this service offers other technical details, such as those provided by the “IP to ASN Mapping” service offered by Team Cymru.

INTECO-CERT is interested in sharing this service with the FIRST community, who can make use of it by signing an agreement, so that other security teams can benefit from the advantages of this service and give us feedback for future improvements and desired features.

Javier Berciano
INTECO-CERT, ES
[US] SCADA Security: The fight to protect critical infrastructure [+]

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides cyber incident response, analysis, and information sharing to address the cyber security threats and vulnerabilities unique to industrial control systems (ICS). Two key functions of ICS-CERT are incident response and ICS product vulnerability coordination.

ICS-CERT provides asset owners of US critical infrastructure onsite assistance and offsite analysis to support discovery, forensics analysis, and recovery efforts associated with cyber security incidents. ICS-CERT focuses on control environments within critical infrastructure. Onsite assistance consists of fly-away teams being made available to deploy onsite to review affected entities’ network architectures, collect applicable forensic data, assist with immediate mitigation efforts when appropriate, and work with the stakeholder to identify future defense strategies. Offsite services include providing analytical findings, including determination of origin and breadth and depth of compromise from data captured during the onsite deployment to the affected asset owner.

In 2011 ICS-CERT experienced a 753% increase in reported disclosures of vulnerabilities in industrial control system (ICS) products. Security researchers (white, gray, and black hats) across the globe are increasing their research in the ICS product arena and the potential impact to critical infrastructure. Coordinated vulnerability disclosures of control system products are increasing rapidly, but so are the instances of unanticipated or full disclosures. The overall rate of ICS vulnerability disclosure is rising dramatically. There is a tremendous interest in the security of the world’s industrial control systems that is continuing to grow.

This presentation will discuss lessons learned from ICS-CERT incident response efforts and the daunting trends in the disclosure of ICS product vulnerabilities, who is disclosing new vulnerabilities, and the coordination process used by ICS-CERT. Current data and new events up to the day of the presentation will be included. Gain knowledge of how to be aware of new vulnerability announcements and how control system owners and operators can mitigate new control system vulnerabilities that can affect the security of critical infrastructure.

Kevin Hemsley
Ryan Kimmitt
Idaho National Laboratory, US
1635-1700
Closing Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
SVP, Citi, UK