Local Host
ThaiCERT
ETDA
MICT
Diamond Sponsor
BT
Platinum Sponsors
Microsoft
Citi
Adobe
Gold Sponsors
General Dynamics Fidelis Cybersecurity
FireEye
Verint
Secunia
Splunk
eBay
Trend Micro
Network Sponsor
Cisco Systems
Network Sponsor
Google Thailand

Do you have specific questions? Please send inquiries to
first-2013@first.org.

Direct line to conference office:
+1 312 646 1013

Direct mailing address to conference office:
FIRST Conference Office
219 W. Chicago Avenue, Suite 300
Chicago, Illinois 60654

Conference Program

Agenda last updated 10 June 2013. Please note that the program is subject to change.

Please note that some special interest groups are invite-only.

To view an abstract, please click on titles that have the [+] indication to expand. Speaker bios will be posted soon.


Saturday, 15 June 2013

1000-1630 Education & Training Committee Meeting (Open to non-members)
London 1 - Level 1


Sunday, 16 June 2013

1000-1330 Education & Training Committee Meeting (Open to non-members)
London 1 - Level 1

1400-1800 Registration
Hong Kong - Level 2
1830-2000 Registration (During Reception)
Spa/Pool Level - Conrad Terrace Pool
1500-1600 2013 Session Chairs Meeting
Willow I - Level 3
1830-1900 Newbie Reception w/ FIRST Steering Committee & Membership Committee
Spa/Pool Level - Conrad Terrace Pool

FIRST Newbies (non-members) & First Time Attendees (members and non-members) are cordially invited to mix and mingle with each other and the FIRST Steering Committee & Member Committee. Beverages and appetizers will be served - find all the unique food & beverage stations spread out alongside the pool and walking paths!
1900-2100 Ice Breaker Reception sponsored by Solera Networks
Spa/Pool Level - Conrad Terrace Pool

All attendees are encouraged to attend this kick-off networking event.


Monday, 17 June 2013

0730-1700 Registration
Hong Kong - Level 2
0730-0900 CVSS v3 Special Interest Group (SIG)
London 1 - Level 1 | Invite-only
0730-0830 Morning Coffee & Tea Service
Prefunction - Level 4

Breakfast is included in the Conrad Bangkok lodging rate in the hotel restaurant. This coffee & tea service is specifically for attendees not staying in the Conrad and who plan to arrive early.
0830-0900
[UK] Conference Opening & Welcome Remarks
Grand Ballroom - Level 4
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
0900-0930
[TH] Opening Remarks by Her Excellency Ms. Yingluck Shinawatra
Prime Minister of the Kingdom of Thailand
Grand Ballroom - Level 4
Ms. Yingluck Shinawatra
Prime Minister, Kingdom of Thailand
0930-1030
Keynote Presentation: INTERPOL Global Complex for Innovation--Facilitating international police cooperation to combat cybercrime

TBA

Grand Ballroom - Level 4
James Pang
Assistant Director for Digital Crime Investigation Support, INTERPOL
1030-1100 Coffee & Networking Break
Prefunction - Level 4
1100-1200
[AU] Plenary: Big Data, Big Breaches, Big Headaches [+]

TBA

Grand Ballroom - Level 4
Scott McIntyre
Senior Technology Architecture Specialist, Telstra, AU
1200-1330 Lunch (2 locations)
Cafe @2 - Level 2
Kisara Restaurant - Level 3
BREAKOUTS
DEEP TECHNICAL DIVES: Grand Ballroom - Level 4
TECHNICAL FOUNDATIONS: New York Ballroom - Level 2
POLICY & MANAGEMENT: Beverly Hills Ballroom - Level 2
1335-1420
[DE] Chasing the Fox: A closer look at an APT malware [+]

The presentation takes a closer look at TROJAN.FOXY, a family of remote-access trojans that is being used to mount APT-style attacks against industry and governmental organizations.

The first part of the presentation elaborates on the attacker's toolset. Information from the portable executable file format and implementation details of cryptographic algorithms lead to a signature to detect and classify "foxy" samples. Apparently this family stems from the well-known Downbot and evolved into malware strains like Govdj.A, Namsoth.B, Crapmisc.A, Danginex and tools to move laterally through the victim organization.

The second part analyzes how the attackers leverage their tools in order to gain access into an organization. We will observe how they manage to elevate their privileges and how they proceed from system to system. Finally, it will be shown how the attackers filter, package and exfiltrate sensitive data.

Andreas Schuster
Deutsche Telekom AG
[US] The CERT Assessment Tool: Increasing a Security Incident Responder's Ability to Assess Risk [+]

The CERT Assessment Tool application was developed to enhance the Security Incident Response Program. The CERT Assessment Tool augments a responder's ability to efficiently conduct critical systems protection assessments while delivering a range of important information to support the final security plan. Within the CERT Assessment Tool, responders can perform several tasks: instantly access historical site information; utilize a decision support system to guide them through interview questions; receive real-time expert-system alerts about possible vulnerabilities and risks; and quickly complete data entry and reporting via a user-friendly interface that pre-populates blank entries with previously captured reusable information, and allows responders to manually tag and enter notes without restricting the field interview process. This presentation outlines a specific case study of the conception of the tool, highlighting the successes and lessons learned during the development process.

Supplemental prototype: we developed an application for a client that, due to the sensitive nature of that application, we have had to rebuild to remove the sensitive elements and methodology. It is in the process of going through our organization's Export Control approval path; unfortunately, it is not available for submittal at this time. Once we have Export Control approval from our organization, we will share it for the purpose of this submission.

Anne Connell
Todd Waits

CERT/CC - SEI CMU, US
[PL] Cyber-EXE Poland 2012. How to organize the cyber exercises on a national level. [+]

Cyber-EXE Poland 2012 (the official name of the exercises) was a successful example of cooperation between the public administration and the private sector in Poland. The exercises included representatives from the government sector - e.g. the Government Centre for Security, the Polish military CERT, the Polish Police - as well as representatives from some of the most important players in the critical infrastructure sector, like the national gas system and power grid operators, and representatives from the academic sector - e.g. the Polish Military University of Technology. At the international level the organisers received the support of the European Network and Information Security Agency (ENISA).

Speakers will present the conclusions and recommendations after the exercises as well as practical tips on how to organise this kind of event, e.g.:
- How to convince important players to be part of an exercise team?
- How to organise long-term preparations for this kind of event?
- How to prepare exercise scenarios?
- How to conduct cyber exercises on day "zero"?

In addition to the success stories, we will also share the lessons learned and actions that should be avoided during the preparation of this type of event.

Miroslaw Maj
Cybersecurity Foundation / ComCERT,PL
1425-1510
[IL] Proactive Forensics of Web Application Attacks—A Step by Step Guide [+]

When a security incident occurs, by the time the issue surfaces it is often too late.

Did you ever want to have a solid proof that your organization was attacked before things got out of hand?

We rely on security assessments and perimeter defense solutions to identify issues and protect the organization's assets, while forensics investigations are usually used when there's a visible effect to an incident. However, even when application-level issues are located in either, there's no consistent attempt to verify whether or not the vulnerabilities were exploited in the past. Likewise, organizations that don't enforce the use of perimeter solutions, such as IDS or WAF, might not even be aware of attacks used against them: their target, their diversity, the quantity of these attacks, or even their impact.

Using proactive forensics, organizations can pinpoint actual application attacks performed against various common platforms, and identify the type of attacks and the status of the target system. Proactive forensics can also identify the type and diversity of attacks, locate hacking incidents before severe damage is caused, dramatically reduce the costs of hazardous scenarios, and enhance organizations' defense strategies.

This talk will introduce a step-by-step methodology for detecting incidents of specific application-level attacks in common infrastructures, and methods for using this information to enhance the organization's security strategy.

Shlomi Ben-Hur
Shay Chen
Hacktics ASC, Ernst & Young, LLP, IL
[GB] Industrial Owner's Manual: Case studies in publicly accessible ICS [+]

My first introduction to incident response teams was attempting to mitigate more than 10,000 industrial control systems directly facing the internet and vulnerable to known exploits. After two years of that, I have more than a few case studies to share, and more importantly those numbers have grown to more than 100,000 when other researchers used the same techniques to find even more industrial systems online. Now that publicly accessible control systems have been recognised as a general trend and not simply a fluke, it's time to discuss global and national scale case studies of mitigation. More importantly, we can't 'pen-test' all these companies into good behaviour. So we need to engage incident response teams.

It's time for some retrospective, and to analyse whether the problem is getting better or worse over time. Let's examine the metrics we can and see if we were effective in reducing ICS exposures globally over the last two years.

Eireann Leverett
IOActive, UK
[JP] Global Disaster Recovery Panel [+]

Over the last few years there have been quite a few large-scale natural disasters, including (but not limited to) the earthquake in Japan, the flooding in Thailand and Hurricane Sandy in the US. During this discussion, our panelists will share their personal experiences during and after the disaster, how they were able to continue their work or, if work processes stopped for a period of time, how they were brought back into operation.

Moderator:
Takayuki Uchiyama

JPCERT/CC, JP

Panelists:
Mark Graff
NASDAQ, US
Damir Rajnovic
Panasonic Europe
GP. CAPT. Surapol Navamavadhana
Advisor to the Minister of Information and Communication Technology, TH
Itaru Kamiya
NTT-CERT, JP
1515-1545 Coffee & Networking Break
Prefunction - Level 4
Prefunction - Level 2
1550-1635
[US] Breaking the Bank: An Analysis of the 2012-2013 'Triple Crown' DDoS Financial Industry DDoS Attacks [+]

This presentation will provide an analysis of the high-profile 'Triple Crown' DDoS attacks launched against major US financial institutions beginning in late 2012 and continuing into 2013. Covered topics will include details of the attack methodology; attack success factors; comparison/contrast of these attacks with previous and current DDoS attack trends and methodologies; and successful attack mitigation strategies.

Roland Dobbins
Arbor Networks
[US] Flying Under the Radar: Custom Exploit Kits [+]

Whitehat security entities pay a lot of attention to the Blackhole exploit kit, so there is an abundance of news sites and blogs that discuss the kit in detail. However, some unknown or custom exploit kits are seldom reported in the industry. The question is whether these custom kits escape the attention of the industry because they are in the minority, or because they remain unclassified by the industry. The danger of remaining unclassified is that it makes it difficult for an incident response team to know the threat they are facing. They have to rely on end-point anti-virus solutions that are not able to detect the payload or the various exploits that are packaged in an exploit kit. In addition, blacklisting of domains and IP addresses can be a less than successful way to prevent exploit kit drive-by downloads. Obfuscation, changing domain names and IP addresses, and failure to detect the payload or exploits in the exploit kit are the main reasons, apart from the prevalence of the custom kit, that custom exploit kits evade notice and classification.

This presentation will look at several custom exploit kits in detail and discuss the issues with classifying or blocking the kits. We will also discuss the relevance and impact of such exploit kits to the incident response community.

Nancy Strutt
Verisign, US
[US] Using Threat Intelligence and Incident Response in Modern Malware Warfare [+]

Many organizations don’t understand the relationship between threats, malware, and intelligence. This talk is geared to outline each concept, and how the three co-mingle. In conjunction, the talk will cover a front to back intelligence program and how to set up an effective program in your organization.

Core concepts to be covered include, but are not limited to:
- Using military-esque signal intelligence and human intelligence concepts for combating modern malware and threats
- Concepts on how to build your own threat intelligence program
- Concepts for building your Incident Response Team in conjunction with threat intelligence programs no matter your team size!
- Effective Intelligence (Accurate, Complete, Precise, Predictive, Relevant, Reliable, Tailored, Timely, Usable)

Participants will gain knowledge on how to start their own IR program, as well as how to stand up a threat intelligence program in their organization. The concepts conveyed will also show how to utilize traditional military intelligence tactics in their IR/Threat Intel programs.

The talk will include not only a walk-through (including PowerPoint), but a handout with key concepts on breach mentality.

Kyle Wilhoit
Trend Micro, US
1640-1725
[TW] Mining Billion Nodes Malicious Network Behavior in Practice—Chinese Taipei Perspective [+]

What do honeynet attacker-and-victim bipartite graphs look like? How do they evolve over time? How do rumors and viruses propagate on real graphs? We collect large-scale honeynet and spamming botnet data from distributed sites in Chinese Taipei. Based on distributed computation techniques, Hadoop, Mahout, Lucene and Pegasus have been deployed to provide powerful, fast and rich algorithms to analyze the collected malicious behavior. Based on this mining infrastructure, we can discover malicious patterns, review some static and temporal 'laws', and use fast algorithms to spot deviations and outliers. In this talk, we will show modern big data analysis and mining mechanisms in practical operations. Real cases will be presented in this talk.

Ching-Hao Mao
Institute for Information Industry, TPE
[US] Secure Windows—Mitigating Windows Vulnerabilities to deter APTs [+]

The Windows operating system has become the remote access channel for miscreants to gain access to your network.

In this session Gavin and David will discuss individual threats and strategies for mitigating those threats. Topics will include items such as protecting the base operating system components as well as administrator hygiene changes required to deter exploits of Windows' single sign on mechanisms which are known in the field as "Pass the Hash".

David Jones
Gavin Reid
Cisco Systems, US
[EU] Reaching Common Ground: Information Sharing & the Fight Against Cybercrime [+]

We are increasingly more dependent upon Information Technology (IT) and the ‘cyber’ space; the World Wide Web, social networks, mobile Internet, online shopping, e-banking are just a few examples of our technology driven society. While there are vast advantages to our digital culture and economy, it is also clear that our increased use and dependence upon IT and the Internet has not gone unnoticed by those with malicious motives: the cybercriminals.

Cybercrime doesn’t obey boundaries: it is volatile and it is evolving. This makes it very difficult for contemporary law enforcement authorities (LEAs), if not impossible, to fight this battle alone. Collaboration with foreign law enforcement authorities is a must, but it takes a team of professionals - Computer Emergency Response Teams (CERTs), Internet Service Providers (ISPs), banks, security vendors - both on a national and a cross-border level to comprise a complete cybercrime fighting team.

Various steps have been taken to improve cooperation, but there is still a long road ahead. Data protection, privacy and a number of practical issues still pose a challenge when it comes to information sharing and collaboration.

This talk will cover several cybercrime fighting/countermeasure best practices that are already in place while also illustrating major gaps and barriers still present from an operational and legal point of view.


Andrea Dufkova
Jo De Muynck

ENISA
1730-1830 Lightning Talks - Day 1
Grand Ballroom - Level 4

Sign-up is located at the registration desk. First-come-first-served!


Tuesday, 18 June 2013

0730-1700 Registration
Hong Kong - Level 2
0730-0900 CVSS v3 Special Interest Group (SIG)
London 1 - Level 1
0800-0900 Morning Coffee & Tea Service
Prefunction - Level 4

Breakfast is included in the Conrad Bangkok lodging rate in the hotel restaurant. This coffee & tea service is specifically for attendees not staying in the Conrad and who plan to arrive early.
0900-0930
[UK] Opening Remarks
Grand Ballroom - Level 4
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
0930-1030
[US] Keynote: Economic Products and By-products of Open, Shared, Real Time Sinkholes--Lessons From GhostClick and Conficker [+]

Sinkholes for botnet command and control channels are a necessary but insufficient step toward remediation. It is an overall economic good when security researchers, whether commercial or volunteer, can gather hour-by-hour data about the spread of a worm and then put this data into the hands of network operators and network security companies, who can then work with affected end users to clean up the infected end systems. However, it is an overall economic loss when this raw data is delayed, or when it is not shared with competing network security companies, or when it is not shared with government and academic researchers for epidemiological study. Simply put, the interests of the sinkhole operator are not always well aligned with the interests of the community. Dr. Paul Vixie of ISC led the sinkhole teams for the Conficker worm and for Operation Ghost Click, in which the Internet Systems Consortium's Security Information Exchange (SIE) was used to put actionable real-time victim information simultaneously into the hands of every research or remediation actor who could make a positive impact. In this talk, Vixie will describe the tools, technologies and data paths used for these shared real-time sinkholes, and chart an aspirational course for future sinkhole projects.

Grand Ballroom - Level 4
Dr. Paul Vixie
Chairman and Founder, Internet Systems Consortium (ISC), US
1030-1100 Coffee & Networking Break
Prefunction - Level 4
1100-1200
FIRST Session: FIRST Financials Review

Members are encouraged to attend this hour session to review organization financials prior to Thursday's annual general meeting (AGM).

Grand Ballroom - Level 4
Peter Allor
CFO, FIRST.Org
1200-1330 Lunch (2 locations)
Cafe @2 - Level 2
Diplomat Bar - Lobby Level
1230-1420 VRDX Special Interest Group (SIG)
London 1 - Level 1
BREAKOUTS
DEEP TECHNICAL DIVES: Grand Ballroom 1&2 - Level 4
TECHNICAL FOUNDATIONS: New York Ballroom - Level 2
POLICY & MANAGEMENT: Beverly Hills Ballroom - Level 2
1335-1420
[PL] Virut Botnet Takedown [+]

In late January and early February 2013, the Polish Research and Academic Computer Network (NASK) and CERT Polska took control over 43 domain names in .pl which had been used to control the Virut botnet and distribute malicious software. This move was backed up with detailed legal and technical analysis as well as additional evidence provided by Spamhaus and VirusTotal. The list of domains included some that were vital to the infrastructure of the complete botnet, including parts outside the .pl domain. As a result, all connections from machines infected with Virut to its command & control center (C&C) were redirected to a server controlled by CERT Polska. This prevents miscreants from controlling the botnet and allows for the gathering of valuable data. The sinkhole has been receiving connections from ca. 270 thousand unique IP addresses per day, which can be a rough upper estimate of the botnet's size at the moment it was taken over. Almost half of the infected machines are located in just three countries: Egypt, Pakistan and India. The presentation will describe the legal and technical background of the Virut takedown, as well as some findings made after sinkhole data were analysed, showing connections with different types of e-crime, e.g. the fake AV business.

Przemek Jaroszewski
CERT Polska/NASK, PL
[TW] Tracing Botnet in Chinese Taipei [+]

This presentation is divided into three sections:

The first section is a basic introduction - an introduction to my background, my organization and domain knowledge of botnets. We will also display our tools: Botnet Analysis Module (BAM), C&C Tracer and Botnet Tracer.

The second section will focus on a case study - I will share two cases regarding tracing botnets. In both cases, I will introduce the botnets and narrate what we see and what we do with the botnets.

The final section will focus on cooperation - I will discuss the cooperation in Chinese Taipei: when and how we find information about those botnets or receive cyber threats, and how we handle that information.

Kai-Chi Chang
Institute for Information Industry, TPE
[PL] Declared Level of Response as a Voluntary CERT Community Cooperation Model in Incident Handling [+]

The idea of "Declared Level of Response" (DLoR) presented in this abstract is an attempt to analyze and possibly address the lack of a committed reaction scope and time between cooperating teams during incident handling. The lack of information about the set of services, reaction times and information sharing rules offered by a particular CERT team which receives security information or a request from another team, and, on the other hand, the concrete needs and expectations concerning response (e.g. response time) during incident handling in a cooperation chain, can be perceived as one of the barriers to professional communication. The potential role of FIRST as a facilitator of DLoR will be examined.

Krzysztof Silicki
NASK, PL
1425-1510
[US] BlackHole, the hidden stuff beyond the spotlight [+]

The BlackHole Exploit Kit is one of the most notable exploit toolkits used in 2012. Years after its release, BlackHole has grown tremendously in terms of vulnerability coverage, obfuscation techniques, a good underground business model, and infection rate. It has shown some improvement in the exploits used, obfuscation and antivirus avoidance techniques. These 'features' have drawn the attention of security researchers and the media. However, there is still some information on BlackHole which has not yet been emphasized to the public.

This presentation will cover the introduction and the evolution of the BlackHole Exploit Kit along with the toolkit's features that are not widely highlighted and discussed today.

Adnan Shukor
Blue Coat Systems, US
[US] Lessons Learned in Automating Threat Intelligence Sharing with OpenIOC [+]

At the end of 2011, Mandiant took an internal standard for automating the sharing of threat intelligence, and made it available under an Open Source license as OpenIOC. This was done to enable and promote the sharing of threat intelligence indicators in the security community, using a mechanism that has worked well internally at Mandiant for years. In the year and change since then, we've learned a lot about the pros and cons of trying to get organizations to share information in an open, automated manner.

This presentation will cover some of the key ideas behind how an organization can benefit from automating sharing indicators of threat intelligence, and a brief introduction to OpenIOC and how it can be used with some free and/or Open Source tools. It will also discuss the current status quo of other efforts in the Open Source community to share threat intelligence in an automated fashion, and how we are working to enable OpenIOC to work in conjunction with other efforts such as the IETF's MILE working group (and standards such as IODEF), and MITRE's STIX Framework. In addition, the presenter will discuss some of the lessons learned from using machine-readable indicators in day to day workflow, and how they interact with other facets of Incident Response in the enterprise. In conclusion, we will discuss some of the numerous challenges still facing the community in this area, how organizations can get involved, and the next steps toward better collaborative solutions.

Douglas Wilson
Mandiant, US
[NL/DE] CERT Certification - A certification scheme for CERTs/CSIRTs using the SIM3 maturity model [+]

In recent years FIRST and other CERT/CSIRT community organisations, e.g. the TF-CSIRT, have experienced a rapid growth in membership. Following this growth, these organisations are dealing with issues impacting the cooperation and sharing amongst members. The formerly close cooperation and information sharing between members relied strongly on direct relationships between teams and the trust that was established by team members with colleagues of other teams. Personally knowing a team or individuals of a team gave an impression of, and insight into, the maturity and professionalism of their work. With the large number of members today, it is hardly possible to personally know every team or any individual team member. Sharing detailed or sensitive information is not done as freely as in the past, and close cooperation seems to be restricted to the few you really know and trust. A certification scheme for CERTs/CSIRTs may resolve some of these issues. It may not only help teams to mature during the certification process, but will also show some degree of maturity and professionalism to others/the outside world after they are certified.

In this presentation, we will present the SIM3 model - a new maturity model for CERTs/CSIRTs. The SIM3 model and the related TI certification scheme were developed by senior members of the CERT/CSIRT community – individuals with long practical experience in CERT/CSIRT work and not by any standardization organisation or working group and specifically developed to fit the needs of CERTs/CSIRTs. We will highlight the SIM3 model itself, the certification process, the experiences of the pilot program (started in Vancouver 2008) and review the seven successful certifications thus far. At the end we want to entertain some discussion on how the model could be of wider use to the community.

Antonio Liu
DFN-CERT Services GmbH, DE
Don Stikvoort
S-CURE bv, NL
1500-1700 Net Infrastructure BoF (open)
London 1 - Level 1
1515-1545 Coffee & Networking Break
Prefunction - Level 4
Prefunction - Level 2
1550-1635
[LT] Nfsen + Hadoop [+]

Due to constantly increasing volumes of traffic, storing and processing netflow data in a timely manner requires bigger, faster and eventually more expensive equipment. This presentation focuses on the effort to combine Nfsen/Nfdump* and Apache Hadoop** into a distributed netflow storage and processing solution which enables cheaper storage capacity expansion and faster long-period data analysis. The talk reviews technical challenges encountered during the development, gives examples of weak and strong points with various use case scenarios, and finally offers some thoughts on possible further improvements.

A prototype is currently used at LITNET CERT for everyday incident response and traffic analysis. Once prototype testing is completed, it will be made open to the security community.

* Nfsen/Nfdump is a tool developed by Peter Haag from SWITCH (Swiss national research and educational network).

** Apache Hadoop software library is a framework that allows distributed processing of large data sets across clusters of computers.

Vytautas Krakauskas
LITNET CERT, LT
[US] Combating Insider Threats and Targeted Attacks [+]

Everyone has come to terms with the fact that even the best perimeter defenses are permeable, but where does that leave us? What is going on inside the network? How do you detect exfiltration by malicious insiders? How do you deal with sophisticated attackers who come in with legitimate access credentials? The answer comes from understanding the adversary – what their motivations and behaviors are and how they differ from the normal user population – and setting up processes that can help detect them. Malicious insiders, and those who infiltrate a network using stolen credentials, often steal or damage data using authorized access to systems and networks. This activity can be difficult to differentiate from legitimate network transactions and is often not detected by signature-based security systems that are designed to identify malware and the use of software exploits. This talk will cover recent research on the characteristics and behaviors associated with insider threats and targeted, external attacks, as well as discuss technologies like NetFlow collection and analysis that can be effective at detecting these attacks when coupled with other technical and business controls.

Matt McKinley
Lancope, US
[US] Timeline of a 0-Day: Reducing Exposure Through Information Sharing [+]

Every minute counts when exploit code for a widely used product becomes public and no patch is available. Systems administrators worldwide are forced to turn to any available defense they can deploy, be it antivirus, IDS, WAFs, firewalls, or some other tool. This presentation will present realistic response timelines for responses to 0-day attacks from a security vendor point of view, both with and without information sharing. Based on actual incidents from the speaker's experience as a security first responder, the talk will attempt to quantify the benefit of vendor-neutral, broad-based information sharing among defenders, in terms of economic "casualties" prevented by rapid response. Discussions of specific information-sharing fora - including benefits and drawbacks, how to participate, and suggestions for improvement - will be included throughout, in an overt attempt to spur cooperation among participants at the conference. Additionally, the broader problem of damage caused by exploits for which a patch is available, but information is scarce, will be reviewed. This portion of the talk will include discussion of exploit telemetry, the difficulty of handling obfuscations in complex protocols and file formats, and how to best focus oversubscribed resources for maximum return in real-world conditions.

Alex Kirk
Sourcefire, US
1640-1725
[CN] Analysis of DNS data from Chinese Telecom Operators [+]

As we know, the security of DNS is very important for normal Internet operations. From DNS data, we can find some interesting things. In the presentation, I will introduce a DNS security monitoring system and its applications. This system can analyze the traffic of the DNS system and monitor DNS-related network security events. I will present some security problems/examples of the DNS system; important security events of DNS in China; and the analysis methods for DNS system traffic will be showcased. Data for this presentation comes from the DNS servers of Chinese telecom operators. I will introduce how to analyze DNS data and the results. Botnet, phishing and other security events can be found in this data.

Chunyang Yuan
CNCERT/CC, CN
[US] Data Transformation for Normalization [+]

When doing an analysis, we always struggle with scripts and such in order to perform a simple grep afterwards. The reasons for this are many: we are looking for a specific pattern in a binary file, we want to get some metadata from a Word document, JPEG, PNG or PDF, or we want to make some sense out of a pcap. The amount of code available is huge and sadly often specific to a given problem. Through this talk, we want to provide tools that work out of the box to normalize data and make this part easy for the rest of us. We will compare the results obtained with the current way of doing things and with this type of data transformation.

Sebastian Tricaud
Fred Wilmot

Splunk, US
[US] Enabling the Secure Exchange of Cyber Security Information [+]

The increased intensity and effectiveness of targeted attacks has created the need to share and exchange incident and indicator information for preparedness as well as for incident handling. The efficient sharing of this information is the only way to win! Many of us are sharing information today, but in highly inefficient ways requiring the use of cut-n-paste activities and difficulties in setting up trusted communication channels. To overcome these issues, the Managed Incident Lightweight Exchange (MILE) working group in the IETF is updating and creating open international standards to solve these problems.

As co-chair of the MILE working group, I'll begin the talk by providing background on the problems addressed in the MILE working group and discuss active work to ensure the secure interoperable exchange of cyber security information. This standards work gives vendors a common, open, and international method to securely exchange incident and indicator information between products to enable sharing to win! The talk will also provide an analysis of multiple data models in development or use, breaking down the efforts into the applicable user groups and use cases to demonstrate the complementary aspects.

The key standards I will address include:

- Incident Object Description Exchange Format (IODEF) [RFC5070]
- Transport protocols in MILE:
  - Real-time Inter-network Defense (RID) [RFC6545]
  - a RESTful architecture for repository access
  - XMPP
- IODEF with IODEF extensions, OpenIOC, and STIX with CybOX: sorting through the confusing sets of data models for incident and indicator sharing and how they are complementary.

Kathleen Moriarty
EMC Corporation, US
1730-1800 Lightning Talks - Day 2
Grand Ballroom 1&2 - Level 4

Sign-up is located at the registration desk. First-come-first-served!
1730-1900 CVSS v3 Training BoF (open)
London 1 - Level 1
1800-2000 Vendor Showcase
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4

An evening to network with our conference sponsors, exhibitors and your peers. Light snacks and beverages will be served. Don't forget to get your raffle cards stamped!


Wednesday, 19 June 2013

0800-1400 Registration
Hong Kong - Level 2
0800-0900 CVSS v3 Conference Update
Grand Ballroom - Level 4 | Open to All Attendees
Seth Hanford
Cisco Systems, US
0800-0900 Morning Coffee & Tea Service
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4

Breakfast is included in the Conrad Bangkok lodging rate in the hotel restaurant. This coffee & tea service is specifically for attendees not staying in the Conrad and who plan to arrive early.
BREAKOUTS
DEEP TECHNICAL DIVES - Grand Ballroom 1&2 - Level 4
TECHNICAL FOUNDATIONS - New York Ballroom - Level 2
POLICY & MANAGEMENT - Beverly Hills Ballroom - Level 2
0900-0945
[CH] Detecting Malware infections through DNS live monitoring [+]

Based on the fact that malware is using DNS more and more, Swisscom is deploying a system which detects malware-infected devices by correlating the DNS queries coming from 1.7 million broadband users, while respecting the unique data and privacy protection laws of Switzerland. Some preliminary results and lessons learned are laid out in this presentation.
Hector Ortiz
Swisscom, CH
[US] Winning the Game with the Right Playbook [+]

Your organization is under attack every few minutes. Your organization will be hacked, and you might expose someone's data. You are ok though, you have network security tools, antivirus, and a firewall, right? Will your incident response team be able to clean-up after an attack? Will your incident response team even be able to detect an attack?  You do have an incident response team, right?

Any good attacker will tell you: your expensive security monitoring tools are not enough to keep you secure.

Incident response teams (CIRTs) have realized that intrusions are inevitable, and the best response is vigilant monitoring for early detection and response. Cisco's CIRT (CSIRT) has focused on collecting and mining as many data sources as possible to find security events. CSIRT has labeled this bundle of detection logic and techniques "the playbook". There are some fundamental approaches to detecting security incidents, and the criteria for building a successful playbook can be standardized. This presentation will show how to boil down complex security monitoring and incident response into its most basic elements, which can be incorporated into any incident response team's incident handling playbook. We will share how Cisco regularly updates its incident detection strategy, and why these strategies, common to the industry, should be shared and critiqued by peers.

Jeff Bollinger
Brandon Enright
Matthew Valites

Cisco Systems, US
[NL] When security incidents drive an incumbent ISP to change its security strategy 180 degrees [+]

The large-scale hack at KPN early 2012, as well as further major security problems throughout the year, forced the company to radically change its security strategy. While KPN-CERT used to be a virtual team of security experts, it is now a formal team of seven FTE with budget and mandate, reporting directly to a Board of Directors. A full-fledged SOC (Security Operating Center) has been set up to monitor and respond to security incidents detected in the company and ISP networks.

The presentation will be about all of the above - fundamental change in security organization, mandate change, new services such as monitoring capabilities and a new team of ethical hackers, etc.

As the goal is to really share our experiences and hopefully inspire other organizations, it should be a no-press session.

Martijn van der Heide
KPN-CERT, NL
0950-1035
[US] Incubations: Cyber Espionage Operators and Their Tools [+]

When you ask those doing malware analysis what’s most important, you often hear things like “command and controls”, “mutexes”, “strings” and other traits that aid users in identifying the sample either on the network or on an infected host. Malware authors recognize this fact and sometimes go to great lengths to hide these valuable resources that defenders concern themselves with so much. Given the high load of malware, analysts can’t handle this all manually and thus systems have been created to automate the discovery process of finding indicators, but they have a flaw. These systems run for a couple minutes and then revert themselves back to an original state. True, you walk away with valuable indicators, but are you missing more valuable data and connection points?

This talk will cover the process of incubation, a technique that expands on the process of sandboxing malware, to identify who is actually infecting your systems, what they want and most importantly, the discovery of additional indicators. This technique surfaced when traditional methods to extract indicators out of cyber espionage malware failed. Focus will be placed on the process of incubation, defining what it is and then sharing numerous real-world examples of recorded infections. Users will see first-hand how different operators use their trojans, deploy additional tools and steal information off the victim’s system without ever making their presence known. Analysts will walk away with a new technique to extract indicators and a deeper understanding of malware operators.

Brandon Dixon
Verisign, US
[EU/PL] A Pragmatic Approach to Gathering Threat Data Using Honeypots [+]

In 2012 ENISA, along with CERT Polska, conducted a study on available honeypot solutions. The main goal of this study was to improve the operational capabilities of computer emergency response teams with a truly proactive approach for detecting security incidents. Triggers for the 2012 study were other ENISA studies from 2011 (Proactive Detection of Security Incidents; Operational Gaps and Overlaps) as well as surveys among national/governmental CERTs in the EU.

Cosmin Ciobanu
ENISA
Przemek Jaroszewski
CERT Polska/NASK, PL
[US] Implementing the Traffic Light Protocol at US-CERT: Minutes to Learn, a Lifetime to Master [+]

The Traffic Light Protocol (TLP) is a relatively straightforward system for designating how information can be shared between individuals and organizations. It originated in the UK to help critical industries communicate vulnerability and threat information with one another and has since been adopted by security and information sharing communities worldwide. On first glance, it seems extremely simple; however, in practice with dozens of partner groups, TLP can be dauntingly complex.

US-CERT, like many national CSIRTs, lies at the intersection of civil government, national defense, major industries and corporations, research institutions and international counterparts. Every trust relationship we have with our partners is a little bit different (and can change over time). In this talk, we'll explore the challenges we faced as a national CSIRT in adopting and operationalizing TLP, how we overcame them, and how we continue to adapt to our dynamic environment and teach our partners about the value of TLP and how to leverage it.

Thomas Millar
US-CERT, US
1040-1140 Re-writing the CSIRT Playbook BoF
London 1 - Level 1
1040-1110 Coffee & Networking Break with Exhibits
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4
1115-1205
[US] Journeys Through Unallocated Space [+]

Too often when an incident responder arrives on the scene, the intruder has departed, the data has been taken, and all logical evidence of the malicious activity has been deleted from the victim's machine. For the forensic examiner, unallocated space can provide a plethora of useful information. However, in many cases it is difficult to understand the context behind data found in this location when only file fragments are available. This presentation explains how to identify where the data in unallocated space came from and what additional information can be retrieved even without the full file present. Focus will be placed on data that is particularly significant for forensic analysis of APT type cases, including unallocated remnants from the Master File Table (MFT), event logs, Prefetch files and executables.

Timothy Slaybaugh
General Dynamics - AIS, US
[DK] The Workings of the Shylock Gang [+]

This is a technical insight into the criminal gang behind the Shylock malware family. The presentation will focus on reversing the binary and on the infrastructure of the Shylock gang. As this is an end-to-end crime network, we shall also explore the money mule recruitment setup and the drive-by servers leading to client-side Shylock infections. Shylock is an advanced crimekit capable of circumventing 2FA. We shall demonstrate just how they accomplish that and how Shylock performs active and real-time "Man in the chat" inside the browser.

Peter Kruse
Yuriy Khvyl
CSIS Security Group A/S
[AU] Building a Guerilla CSIRT Software Development Team [+]

Incident responders often get the itch to develop tools to automate the more tedious parts of their jobs - log parsing, web site scraping, and reporting among others. Often, that "one-use" shell script whipped up on a Friday afternoon quickly grows into a mission-critical data processing system held together with duct tape and string.

As it turns out, a great many CSIRTs have a part-time software development group hidden within them. This presentation is aimed at teams who don't have a formal software development team, but nonetheless build software and scripts on a regular basis. You'll hear about simple, quick ways to bring some order to all those Friday afternoon scripts (and bigger systems too).

We will cover:

- The nature of CSIRT software development: how to meditate in a swarm of bees
- Scripts, web sites and mobile: what type of software works well
- Choosing a development language for new teams
- Source control done simply
- Automated testing
- Automated deployment
- Distributed data processing on the cheap
- Documentation
- Bug tracking
- Open source considerations
- Useful libraries for incident response software

Chris Horsley
CSIRT Foundry, AU
1210-1330 Lunch (2 locations)
Cafe @2 - Level 2
Liu Restaurant - Level 3
1300-1600 Vendor Special Interest Group (SIG) - click here for details.
London 1 - Level 1
BREAKOUTS
DEEP TECHNICAL DIVES - Grand Ballroom 1&2 - Level 4
TECHNICAL FOUNDATIONS - New York Ballroom - Level 2
POLICY & MANAGEMENT - Beverly Hills Ballroom - Level 2
1335-1420
[PL] Zeus Gameover - P2P Spyware at Work [+]

It is unquestionable that ZeuS is one of the most popular spyware families used in the last few years. In the second half of 2010, researchers discovered a new branch of ZeuS (called gameover) that was using a p2p network as its basic communication channel. In the first half of 2011, 'gameover' effectively eliminated the bottleneck: the centralized CnC.

In my presentation I will concentrate on the technical details of the innovations introduced by this spyware:

- basic p2p layer: network structure, UDP and TCP communications.
- second layer of the network - p2p proxies (a mechanism used for transporting HTTP requests and responses via the p2p network)

I will also present various tools that can be used for emulation of peer nodes
and decryption of p2p traffic - including a live demo.
Tomasz Bukowski
NASK/CERT Polska, PL
[US] The Case for NetFlow for Law Enforcement [+]

When conducting Pen/Trap and Trace orders (18 USC § 3121) the utilization of pcap (packet capture) is not optimal, and under some circumstances, may result in the inadvertent collection of content. Current practices utilize internet surveillance tools based on packet capture data. Packet data (PCAP) represents raw data being captured directly from Ethernet transmissions utilizing one of several methods. The purpose of this discussion is to make the case for more reliable methods for network collection.

We will cover:

- Defining the law enforcement mission/goals
- Flaws of packet collection for the law enforcement mission
- Flow vs Packet Capture
- Efficiencies of Flow
  - collection
  - analysis

Richard Nolan
Kristopher Rush
SEI, CERT/CC, US
[US] Ten Years of Data Sharing for Mitigation - Lessons Learned and the Long Road Ahead [+]

Over the past decade, Internet Identity (IID) has worked on hundreds of thousands of Internet security incidents ranging from brand-based attacks like phishing to complex botnet shut-downs. Sharing information with key partners that protect users, information exchanges like the APWG, and networks of service providers is critical to rapid, successful mitigation efforts. Despite this, as an industry, we're barely scratching the surface of what could be done to better work together to not only mitigate current events, but proactively tackle issues prior to major damage occurring. Rod will review some of IID's experiences and reflect on efforts of the APWG he's been part of since entering the fray in 2003. From that we will pivot towards the future - what are the key lessons we've learned, our pain points today, and the major obstacles preventing us from scaling up our data, collaboration, and communications efforts. Finally, we'll discuss proposed initiatives and directions forward.

Rod Rasmussen
Internet Identity, US
1425-1510
[US] Web Malware Outsmarting Security Products [+]

Our talk will deal with evasion techniques employed by malware authors, aimed at bypassing most of the current security products such as AV solutions and even advanced dynamic analysis engines. In our everyday work we analyze a great volume of various web-based malware, mostly consisting of malicious HTML/JavaScript pages, PDF files, Java applets and Flash applications. For each of these domains there are feature-rich environments installed on client systems, and these are the environments targeted by the exploits within. Today it's not enough to just throw in a recent exploit, as many security products will detect and block it. Malware authors cleverly take advantage of the broad capabilities presented to them within the application environments in order to hide their malicious intent. Things get even more complicated when one has to account for the inter-communication between some of those environments, e.g. a Flash application can interact with the hosting page's DOM objects. In order to truly identify the nature of a sample at hand, one should be able to properly comprehend the underlying technologies and identify all the environment dynamics during the parsing and loading of the malicious content. We'll be presenting techniques we found in the wild and demonstrating how each of them can be utilized to bypass various security products, starting from simple obfuscation methods and moving up the ladder of creativity and sophistication. We will present the samples we've created and the results from various security products trying to detect those samples. The talk will be at an advanced level, presenting obfuscated code intended to execute within client-side applications.

Attendees are expected to have a basic understanding of the DOM concept, JavaScript and bytecode-compiled languages (Java and ActionScript). We will try to explain the motives behind each technique we present and the guiding concepts for creating new evasive samples.
Arseny Levin
Rami Kogan
Trustwave, US
[JP] Cyber Security Trend in Japan [+]

NRI SecureTechnologies, Ltd. has announced the 9th report of "Cyber Security Trend - Annual Review 2013", based on data collected through its information security solution services during FY 2012. The series of reports has been issued annually since FY 2005 with the purpose of supporting the strengthening of security systems against viruses and hackers in the public sector and in companies.

By sharing our reports and data we would like to contribute some support to other CSIRTs.

Kazuya Hiradate
Naoshi Matsushita
NRI SecureTechnologies, JP
[US] Bad Signs at Adobe: Code Signing Certificate Misuse and Lessons Learned [+]

In September 2012 Adobe became aware of 3 malicious binaries that were signed using its code signing certificate. Adobe acted promptly to mitigate the issue and secure its customers. This talk describes the code signing incident, the response and the key lessons learned while dealing with the situation. The incident had a direct impact on our engineering infrastructure including short and long term changes that were introduced to contain the immediate damage and avoid a similar situation in future. Adobe, through this talk, would like to share the key lessons learned from the incident response and our approach to engineering infrastructure with the wider security community.

David Lenoe
Lindsey Wegrzyn

Adobe, US
1510-1530 Coffee & Networking Break
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4
1600-1630 Buses to Conference Banquet - Meet in Conrad Main Lobby

Additional attendee directions will be provided onsite. Please be on time!
1630-2200 Conference Reception & Banquet Dinner

Location & event details will be announced onsite!


Thursday, 20 June 2013

0800-1600 Registration
Hong Kong - Level 2
0800-0900 Morning Coffee & Tea Service
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4

Breakfast is included in the Conrad Bangkok lodging rate in the hotel restaurant. This coffee & tea service is specifically for attendees not staying in the Conrad and who plan to arrive early.
BREAKOUTS
DEEP TECHNICAL DIVES - Grand Ballroom 1&2 - Level 4
TECHNICAL FOUNDATIONS - New York Ballroom - Level 2
POLICY & MANAGEMENT - Beverly Hills Ballroom - Level 2
0900-0945
[US] Conducting Technical Incident Investigations on Apple iOS Devices [+]

Mobile devices, including "Bring Your Own Device" (BYOD) devices, are playing an ever-increasing role in enterprise computing. When they are involved in security incidents, CSIRTs need to be able to perform non-invasive analysis of the devices so they can correctly identify and correct the root causes of the incidents.

In this talk, we'll look at techniques and tools for doing static and dynamic analysis of Apple iOS devices. We'll explore the information available on Apple devices, as well as the limitations of what can reasonably be found on a compromised device. We'll do this using readily available tools and techniques, including tools for scouring the installed apps' sandbox filespaces, capturing and analyzing network traffic, and doing lower level file-by-file and raw disk copies on iOS devices.

Kenneth van Wyk
KRvW Associates, LLC, US
[NO] The Korean Intrusion Spree [+]

For *at least* three years, an intrusion spree has been going on in South East Asia, with particular focus on the South Korean software industry. The attackers are in several cases proven to be the same or at least connected. In this presentation we:

- review these intrusions including several that are at time of writing undisclosed
- show the methods we have used to uncover these attacks
- detail some of the methods used by the attackers
- perform limited attribution
- look at possible disclosure and sharing issues.

Snorre Fagerland
Norman AS, NO
[US] Vulnerability Handling Processes: When Hackers Come A-Knockin [+]

Vulnerabilities in your products or online services can be complex to investigate and resolve. ISO processes are normally a topic so dry that you'd rather chew glass than hear about it. Luckily, this talk is going to be the most excitement you've ever had hearing about standards. Organizations need a consistent approach to handling vulnerabilities in their products or services to ensure thorough remediation of the vulnerability, and to deal with helpful hackers. Katie Moussouris, editor of the ISO standard on vulnerability handling processes, to be published in 2013, will walk you through the engineering and communication capabilities needed to address vulnerabilities. Katie has served as a liaison for FIRST to the ISO/IEC SC 27 Working group 3, as well as a lead subject matter expert of the US National Body. She will lead a session designed to help attendees understand and comply with the new standard, without having to resort to torture to keep you awake.

Katie Moussouris
Microsoft, US
0950-1035
Conducting Technical Incident Investigations on Apple iOS Devices Continued
[US] Monitoring DDoS Botnets in the Wild to Understand Behavior and Collect Intel [+]

Over the past years DDoS attacks have gained increased attention from the research community. In the past DDoS attacks were just a nuisance, but increasingly they are used by cybercrime groups as an effective weapon, sometimes even as a diversion from the main attack. DDoS attacks have also become the weapon of choice for protest groups such as Anonymous. Not all DDoS botnets are alike. Anonymous uses simple tools such as LOIC, which require the active participation of a user to launch an attack and are often used in protest campaigns, while more professional criminal organizations rely on an array of DDoS malware and maintain DDoS botnets. These criminal organizations are financially motivated. DDoS infrastructure is often offered as a service in the criminal underground, and DDoS-as-a-service infrastructure is reused over and over again to target organizations. Recognizing and monitoring these large, high-impact DDoS services provides an excellent opportunity for organizations to be better prepared and to protect critical infrastructure. Observing the behavior of these botnets will allow researchers to effectively predict future attacks. Like any other network, DDoS botnets operated as services have distinct identifiers such as their Command and Control servers, the ISPs they operate from, their motivations, and their operational characteristics. This presentation will discuss how to monitor and recognize important DDoS botnets in order to provide advance notice.

Shahan Sudusinghe
Verisign, US
[US] Best Practices for Coordinating Response and Information Sharing: Finding Them Out, Writing Them [+]

The United States' National Institute of Standards and Technology (NIST) has updated their Incident Handling Guide (NIST Special Publication 800-61, Revision 2) with added information on sharing and collaboration of incident data. NIST and the US Department of Homeland Security are now collaborating on a new publication detailing many of the salient technical and policy issues that arise from effectively sharing and collaborating on incidents on a large scale. Such issues include incident work flow, what technical and provenance data can be shared under what constraints (legal, temporal, policy, etc.). What types of data at what stage with what actors can be exchanged? What types of data are actually useful at the machine and human levels to accelerate and enhance situational awareness, response, and mitigation? The panel will outline these challenges, offer some paths forward, and engage in a spirited dialogue on the next steps to be taken.

Timothy Grance
NIST, US
Tim Mather
Splunk, US
Thomas Millar
US-CERT, US
1040-1110 Coffee & Networking Break with Exhibits
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4
1115-1205
[US] A Sampling of Internetwork Security Issues Involving IPv6 [+]

Are the miscreants aware of and leveraging IPv6 to conduct their malicious activities? Are there real-world attacks specifically and purposefully utilizing IPv6 infrastructure? What are the most pressing IPv6-related security challenges facing the community? We aim to provide some answers to these questions by examining what is occurring on actual networks, what is most likely to be of growing concern given past internetwork security trends and what is required to help mitigate IPv6-specific threats.

John Kristoff
Team Cymru, US
[UY] Internet Routing Security [+]

It can be argued that the domain name system and the routing infrastructure are the two main pillars on which the operation of the whole Internet is based. The topic is currently being discussed in the IETF (Internet Engineering Task Force). This presentation will include a review of some well-known and well publicized cases of route and traffic hijacking as well as a phenomenon known as 'route leaking', including a recent occurrence where all Google services were rendered unavailable for a wide portion of Internet users in South-East Asia.

We will also discuss the main vulnerabilities or soft spots in the Internet's routing infrastructure, separating the issues of wrong origination and path vulnerabilities. We will describe currently available tools for mitigating these incidents.

The presentation will introduce the Resource Certification Public Key Infrastructure (RPKI) and the technique known as origin validation. Origin validation is a first step toward securing the Internet's routing, allowing routers to validate the originating autonomous system of each route they receive from the Internet. The RPKI is a globally distributed system that can be used for issuing proof of right of use for Internet number resources (IPv4 and IPv6 prefixes), and in turn for creating digitally-signed route origin attestations (ROAs).

Arturo Servin
LACNIC, UY
[JP] Expanding CSIRT Activity: How we implement application security into subsidiaries [+]

In this presentation, Yusuke will talk about how Rakuten implements application security in the subsidiaries it has acquired. Rakuten has invested effort in application security for more than 10 years, and is now facing the difficulties of implementing a Secure Development Lifecycle in the Agile development process led by some of its group companies abroad.

Yusuke will describe how the approach to application security has changed in a 10,000-employee-scale company over this decade.

Yusuke Gunji
Rakuten, Inc, JP
1210-1330 Lunch (2 locations)
Cafe @2 - Level 2
Kisara Restaurant - Level 3
1230-1420 VRDX Special Interest Group (SIG)
London 1 - Level 1
BREAKOUTS
DEEP TECHNICAL DIVES - Grand Ballroom 1&2 - Level 4
TECHNICAL FOUNDATIONS - New York Ballroom - Level 2
POLICY & MANAGEMENT - Beverly Hills Ballroom - Level 2
1335-1420
[JP] Malware Analysis Case Study [+]

This presentation introduces an analysis result of malware used in a targeted attack.
Yuji Kubo
Teiichi Torikai
National Police Agency, JP
[TR] Dynamic Analysis vs Next Generation Malware [+]

As methods of defense in cyber security develop, the number of techniques with which malicious software is implemented has increased. It is important for a cyber security specialist to understand these techniques in depth in order to fight malware. To avoid the harm these programs can do, it is better not to run them on real machines. However, attackers are now implementing armored malware with the capability of detecting such analysis platforms. This presentation discusses research on the dynamic analysis of next generation malware and suggests amendments to the analysis techniques. More specifically, it presents research by researchers at the Cyber Security Institute of the Scientific and Research Council of Turkey, discussing the technical details of the analysis methods and the dynamic analysis tools used, applied to the most discussed real malware samples (Stuxnet, Duqu, TDSS (TDL4, Olmarik), Spyeye) and the most discussed dynamic analysis tools (Norman Sandbox, Anubis, GFI (CW) Sandbox, Comodo Camas, ThreatExpert, Xandora, Cuckoo, Minibis, Malbox). The technical reasons for their success and failure are clarified and future work is proposed.

Fatih Haltas
Center for Interdisciplinary Studies in Security and Privacy, New York University Abu Dhabi, TR
[EU] Cyber Security Strategy @ EU [+]

Part 1: EU Cyber Security Strategy and proposal for a NIS Directive
Over the last two decades, the Internet and more broadly cyberspace have had a tremendous impact on all parts of society. Our daily life, fundamental rights, social interactions and economies depend on information and communication technology working seamlessly.

For cyberspace to remain open and free fundamental rights, democracy and the rule of law need to be protected in cyberspace. But freedom online requires safety and security too. Cyberspace should be protected from malicious activities and misuse; and governments have a significant role in defending a free and safe cyberspace. Furthermore, since the private sector owns and operates significant parts of cyberspace, any initiative aiming to be successful in this area has to recognise its leading role.

Recent years have shown that while the digital world brings enormous benefits, it is also vulnerable. Cybersecurity incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity or mobile networks. Threats could originate from many different areas—including criminal, politically motivated or terrorist attacks. The increase of economic espionage and state-sponsored activities in cyberspace poses a new category of threat for EU governments and companies.
The EU economy is already seriously affected by vast numbers of cybercrime activities against the private sector. Cybercriminals are using ever more sophisticated methods for intruding into information systems, stealing critical data or holding companies to ransom.

The time has come for the EU to step up its actions in this area. The European Commission has put forward the EU cybersecurity strategy, which outlines the EU's vision in this domain and sets out the actions required, based on strongly protecting and promoting citizens' rights, to make the EU's online environment the safest in the world, with the following general objectives:

• explaining the principles and values that will guide EU action in the field of cybersecurity.
• becoming "cyber resilient", by increasing capabilities, preparedness, cooperation, information exchange and awareness in the field of Network and Information Security, for the public and private sectors and at national and EU level.
• drastically reducing cybercrime by strengthening the expertise of those in charge of investigating and prosecuting it, by adopting a more coordinated approach between Law Enforcement Agencies across the Union, and by enhancing cooperation with other actors.
• developing an EU Cyber Defence Policy and capabilities in the framework of the Common Security and Defence Policy.
• fostering the industrial and technological resources required to benefit from the Digital Single Market: to stimulate the emergence of a European industry and market for secure ICT; contribute to the growth and competitiveness of the EU economy; and to increase the public and private spending on cyber security Research and Development (R&D).
• enhancing the EU's international cyberspace policy to promote the respect of EU core values, define norms for responsible behaviour, and advocate the application of existing international laws in cyberspace.
• assisting countries outside the EU, through building cyber security capacity, strengthening the resilience of information infrastructures.
• clarifying the roles and responsibilities of the various actors in the field of cyber security.
Part 2: Case Study in the EU institutions: Malware containment and eradication through CERTs collaboration

The European Institutions are continuously the target of attacks of a different nature. Over the last three years there has been an increase in the number and sophistication of the attacks, and many institutions have been subject to the same kinds of attack. Exchange of information and mutual support have proved to be essential in these cases, with an important role for CERT-EU as the privileged point of contact with national CERTs and industry. The case study describes the way a pass-the-hash type attack was identified, contained and eradicated, as well as the lessons learned and the action plan to reinforce prevention and detection capacities.

Francisco García Morán
European Commission
1425-1510
[UK] Intelligent Defence: deriving malicious intent using domain registrar information [+]
Existing network and host detection is becoming more advanced to combat malicious threats, but remains restricted to two primary detection mechanisms: signature-based and behaviour-based. Signature-based mechanisms detect malicious activity based on information we already know, for example filenames or known bad domains. Behaviour-based mechanisms identify a series of activities known to be an indicator of compromise, such as periodic beaconing. Both measures deployed in parallel work well to detect a range of threats, but still focus on the malicious activity we already know. In our presentation, Context will introduce pioneering research which focuses instead on finding the malicious activity we do not know: malicious activity using unknown domains, or activities not matching currently known malicious behaviour. This research is based on taking domain and IP address registration details and applying artificial intelligence algorithms to identify the domains which are potentially linked to malicious activity, from financial malware to more advanced targeted campaigns.

Internet resources are one of the publicly available sources that can be used in such research. These include domains and IP addresses, which are linked to registrant information: for example the name, address and email of the individual or organisation responsible for that resource. This information provides a sizable source of data pertaining to a domain or IP address. By mining it, it is possible to apply a combination of network analysis algorithms and artificial intelligence to distinguish whether the related Internet resource may be malicious. Based on this research, Context have developed an application which collects the registrant details of a given domain or IP address and, using the data received, makes an intelligent judgment about the likelihood of the domain being malicious. As with all artificial intelligence systems, it requires training sets of confirmed good and bad domains on which the decision is based. Different algorithms, from Bayesian inference to social network analysis techniques, have been applied to the datasets with varying degrees of success, and these will be covered during the presentation.

The developed system has been shown to successfully find malicious domains, leading to the identification of compromised machines with a low false positive rate. During the presentation the effectiveness of the research will be demonstrated using anonymised real-world case studies. Context will show how results can be fed back into the system to influence subsequent decisions and thus refine its decision-making capabilities.
Michael Jordon
Context, UK
[US] The Mayans were right! A new age of data breaches [+]

December 21, 2012 came and went, and the end-of-the-world Mayan prophecies did not come true. Unfortunately, this could mislead many to perceive this date as meaningless and miss its true significance. In 2012, we saw a dramatic rise in solar disturbances, economic crises and a massive rise in data breaches. No matter how many new shiny information security appliances are purchased, data breaches continue to happen at alarming rates. Neither industry nor the size of an organization matters, as no company seemed to be immune. The number of incidents in 2012 hit record highs with close to 2,800 breaches, representing an over 128% increase from 2011. With over 267 million records exposed in 2012, the costs to organizations simply cannot be ignored. This presentation will review the year of data breaches, focusing on the following:

- Dissect several high-profile breaches in 2012
- Review general statistics about average numbers of records lost and prevalent breach types
- Review the most frequent causes and average costs for organizations
- Ultimately provide detailed breach information and advice to help your organization prioritize risk management efforts

Carsten Eiram
Risk Based Security, US
Jake Kouns
Open Security Foundation, US
[JP] Findings About Massive Cyber Attack Emergence Mechanisms in Japan [+]

This presentation will cover the massive number of cyber attacks on Japan in 2012, each of which was triggered by "territorial conflicts" between Japan and its neighboring nations. We will discuss how CDI-CIRT analyzed each case and discuss the patterns in the mechanisms by which massive cyber attacks emerge.

Mariko Miya
Cyber Defense Institute, JP
1515-1600 Coffee & Networking Break with Exhibits - Non-Members Break
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4
1530-1730

Annual General Meeting (AGM)
Grand Ballroom 1&2 - Level 4
AGM Registration will be located outside of the doors.

Members-only meeting. Please be on time and have a valid government issued photo ID for entry into meeting room. No exception. Coffee break for members will be served in the meeting room.


Friday, 21 June 2013

0800-1400 Registration
Hong Kong - Level 2
0800-0900 Morning Coffee & Tea Service
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4

Breakfast is included in the Conrad Bangkok lodging rate in the hotel restaurant. This coffee & tea service is specifically for attendees not staying in the Conrad and who plan to arrive early.
0830-0900
[UK] Opening Remarks
Grand Ballroom - Level 4
Chris Gibson
Chair, FIRST.Org
Director, Citi, UK
BREAKOUTS DEEP TECHNICAL DIVES

Grand Ballroom 1&2 - Level 4
TECHNICAL FOUNDATIONS

New York Ballroom - Level 2
POLICY & MANAGEMENT

Beverly Hills Ballroom - Level 2
0900-0945
[DE] Memory Analysis Update - Volatility v2.3 [+]

The class introduces some of the new analysis features of Volatility versions 2.2 and 2.3. Students will analyze memory images and detect various malware hiding techniques, reconstruct command lines and screen contents, and inspect file system artifacts in memory.

Students should have completed one of the Volatility classes that were presented at FIRST TCs and Conferences during past years, or have similar knowledge. An Ubuntu-based training environment with Volatility 2.3(alpha) and real-world RAM images will be provided. Participants are expected to provide their own laptop, with at least 1 GB RAM free for applications, 10 GB free disk space, and the latest version of VMware (either Workstation, Player, or Fusion) installed. The virtual machine image will be available for download from http://r.forens.is/volbkk starting June 14, 2013.

Andreas Schuster
Deutsche Telekom AG, DE
[NL] Sharing by Wim [+]

After trying to solve reported security incidents for over twenty years, SURFcert is taking the next step. The key is sharing. Within our own constituency we are very successful with SCIRT: members learn from each other and share through the Traffic Light Protocol. Many large-scale incidents have successfully been stopped this way.

Through participation in the takedown of several botnets, SURFcert now also has lots of data (IP addresses) to share. Unfortunately, the number of IP addresses to share for every single botnet seems to decrease very slowly. Thus it looks like we need even better sharing. Maybe even go one step further, or would that be one step too far?

Sometimes our drive to share leads to undesired results, like massive denial of service attacks. It is rather difficult to find a foolproof solution against such attacks. Still, careful studies provided us with some insight we could share with our own constituency in their fight with dissatisfied students.

We all win by sharing. Let's share.

Willem Biemolt
SURFnet/SURFcert, NL
[US] A Glimpse Into the Future: The Evolution of Cybercrime in the Next Decade [+]

Looking back ten years, cybercrime has gone through a huge change, from exploits developed in garages with no real motivation in most cases to sophisticated malware used by well-organized, highly technical gangs, which are typically motivated by financial gain. Malware is now also used by intelligence agencies and other nation-funded forces. Cyber threats are increasingly challenging the security software industry. They closely follow technological trends, such as malware for mobile devices or malware exploiting online banking services in various ways. This session attempts to predict how cyber-attacks are going to evolve in the next ten years. Taking into account the expected technology revolutions, such as the shift of computer services to the cloud, and, on the other hand, the lagging law enforcement and the fact that malware is gradually becoming a weapon in the arsenal of several nations, it is possible to make some educated estimates of how cybercrime will continue to evolve. This session will include several recent examples of targeted attacks, APT threats and exploit techniques, and discuss how collaboration between the security industry and the FIRST community can help fight the evolving cybercrime.

Ziv Mador
Trustwave, US
0950-1035
Memory Analysis Update
[CZ] WARDEN: realtime sharing of detected threats between CSIRT teams [+]

The Warden project is a sharing platform for detected security events, whose characteristics can be watched and used by members of the network to evade possible security threats.

Computer Security Incident Response Teams (CSIRTs) are responsible for the security of the operated networks and services offered. In general, these teams serve as a foothold to which users can turn concerning any detected security issue (or with a suspicion that an issue is about to arise) that relates to the computer network or any of the services provided.

However, there exists a large body of data generated automatically, be it from honeypot machines or IDS systems at campuses, the gold mine of NetFlow data, or dictionary attacks visible in the log data of production machines. Manual distribution of these events is laborious and generates further work which the team is usually not able to cover, causing distortion, losses and unneeded delays.

In our CESNET2 national research and educational network, we attempted to solve these dilemmas by designing the Warden early warning system, which enables CERT/CSIRT teams (and security teams in general) to proactively and efficiently share and use information relating to detected network and service anomalies that has been generated by various systems.

Pavel Kácha
CESNET, CZ
[US] The Art of Cyber Warfare [+]

Incident Response, Digital Forensics, Cyber, Attack, Defend… There is a plethora of buzzwords being used right now in the Cyber world. Speaking of that, what is Cyber? What is this box that I'm supposed to think outside of? Why do I spend millions of dollars on security products and training and still get "hacked"? What does hacked really mean? In the computer age, Moore's law seems to have taken over not only computing speed but the technologies we are supposed to understand and utilize correctly. If you have been wondering whether there is a better way to think about and operate in the Cyber space, there is. Welcome to "The Art of Cyber Warfare". Incident Response does not have to be a massive, chaotic event that traumatizes your staff. Cyber Security doesn't have to be an arcane science known only to a select few super technical, caffeine-fed engineers. There is a better way, and it's where science becomes an art.

Michael Lotas
General Dynamics Fidelis Cybersecurity Solutions, US
1040-1110 Coffee & Networking Break with Exhibits
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4
1115-1205
Memory Analysis Update
[JP] Improving Cybersecurity Capabilities of Critical Infrastructures - Findings in Assessing ICS [+]

During recent years, Critical Infrastructure Protection (CIP) has become one of the most important challenges in almost any country. Under such circumstances, Cyber Defense Institute (CDI) is focusing on the cybersecurity of industrial control systems by conducting tabletop research as well as research and analysis of actual equipment and networks. Currently we are engaged in CIP-related work such as assessing the cybersecurity of ICS, conducting sandbox cyber exercises for the energy sector, and providing advice to utilities and vendors. Our presentation describes the processes and procedures of our assessment of the cybersecurity capabilities of ICS and the findings from our studies.

Lauri Korts-Pärn
Masako Someya
Cyber Defense Institute, Inc., JP
[ID] National CSIRT Community to Protect Key Strategic Resources and Critical Information Infrastructures [+]

As a National Computer Security Incident Response Team (National CSIRT), Id-SIRTII is assigned the responsibility for coordinating and supporting the response to computer security events or incidents of national scope, especially in Critical Information Infrastructure. As a national initiative, Id-SIRTII was established to address the protection of key strategic resources and critical information infrastructures, and to build a national CSIRT community. Some of the goals of Id-SIRTII include:

- establishing a national focal point within national or region to coordinate incident handling activities
- analyzing and synthesizing incident and vulnerability information disseminated by other teams, vendors, and technology experts
- facilitating communications across a diverse constituency—bringing together multiple sectors (government and military, critical services and infrastructures, commercial, academic, banking and finance, transportation, etc.) to share information and address computer security problems, such as widespread computer security incidents, threats and vulnerabilities.
- developing mechanisms for trusted communications within these communities

In this paper we will explain how Id-SIRTII was established as a national CSIRT, and the range of steps taken in building a national CSIRT community across multiple sectors (government and military, critical services and infrastructures, commercial, academic, banking and finance, transportation, etc.). In this regard, Indonesia, as a country with many islands, has a unique Internet infrastructure with many ISPs / NAPs and many international Internet gateways.

Bisyron Wahyudi
ID-SIRTII, ID
1210-1330 Lunch (2 locations)
Cafe @2 - Level 2
Diplomat Bar - Lobby Level
1335-1400

Closing Remarks, Security Challenge Winners & Raffles
Grand Ballroom 1&2 - Level 4
1300-1700 Metrics Special Interest Group (SIG) - click here for details.
London 1 - Level 1
1400-1430 Closing Coffee & Networking Break
Grand Ballroom Prefunction & Grand Ballroom 3 - Level 4