This is a working draft agenda. Agenda is subject to change.
Pentland Auditorium | Level 3
Sidlaw | Level 3
Fintry | Level 3
Workshop – Tinto | Level 0
Workshop – Kilsyth | Level 0
Other – Moorfoot | Level 0
SIG Meetings – Menteith | Level -1
08:00 – 09:00 | Registration for Sunday FIRST Training ONLY Strathblane Hall & Atrium Foyer |
10:00 – 12:00 | Registration Strathblane Hall & Atrium Foyer |
13:00 – 17:00 | Lammermuir – Level -2 |
14:00 – 20:00 | Registration Strathblane Hall & Atrium Foyer |
15:00 – 16:00 | Session Chair Meeting (closed meeting) Harris 1 – Level 1 |
18:30 – 21:00 | Strathblane Hall & Atrium Foyer |
Pentland Auditorium Level 3 | Sidlaw Level 3 | Fintry Level 3 | Workshop – Tinto Level 0 | Workshop – Kilsyth Level 0 | Other – Moorfoot Level 0 | SIG Meetings – Menteith Level -1 | |
---|---|---|---|---|---|---|---|
08:00 – 18:15 | Registration Strathblane Hall & Atrium Foyer | ||||||
09:00 – 17:30 | Security Lounge: FIRST CTF HQ & AWS Jam HQ Café 5 – Level 1 | ||||||
09:15 – 10:00 | Welcome Remarks Pentland Auditorium – Level 3 | ||||||
10:00 – 11:00 | GB Keynote: Backdoors in Back Doors Ken Munro (Pen Test Partners LLP, GB) | ||||||
11:00 – 11:45 | Networking Break Lennox / Moffat / Lammermuir – Level -2 | ||||||
11:45 – 12:45 | GB Five Years of BGP Hijacking by Email Spammers Richard Clayton (University of Cambridge, GB) TLP:AMBER | US Software Bill of Materials: Progress toward transparency of 3rd party code Allan Friedman (NTIA / US Department of Commerce, US); Art Manion (vu.ls – CERT/CC, US) TLP:CLEAR | US A Practical Model for Developing an Integrated IT/OT SOC and Monitoring Christopher King, Umair Masud (Rockwell Automation, US) TLP:CLEAR | LU Training (1 day) - Threat Intelligence Analyst and Administrators Alexandre Dulaunoy, Andras Iklody (CIRCL, LU) TLP:CLEAR 11:45 – 13:15 | LU Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel) TLP:CLEAR 11:45 – 13:15 | PSIRT SIG Meeting 11:45-13:15 | |
12:45 – 13:15 | LU BGP Ranking & IP-ASN History: Making Something Useful Out of Old Massive Datasets Raphael Vinot (CIRCL, LU) TLP:CLEAR | US Advancements in Publishing Vulnerabilities and Security Advisories. Chandan Nandakumaraiah (Juniper Networks, US) TLP:CLEAR | DE Desiree Sacher (Finanz Informatik, DE) TLP:CLEAR | ||||
13:15 – 14:30 | Lunch Lennox Suite / Moffat / Lammermuir – Level -2 | Cyber Threat Intelligence SIG Meeting 13:45-15:15 | |||||
14:30 – 15:30 | CN Protect Enterprise Against Cryptojacking: Lessons From Tracing 8220 Miner Group Lion Gu (360 Enterprise Security Group, CN) TLP:CLEAR | MY Cyber Threats Incident Response Model for CNII Organizations Aswami Ariffin, Megat Mutalib (CyberSecurity Malaysia, MY) TLP:CLEAR | US Carson Zimmerman (Microsoft, US) TLP:CLEAR | LU Training (1 day) - Threat Intelligence Analyst and Administrators Alexandre Dulaunoy, Andras Iklody (CIRCL, LU) TLP:CLEAR 14:30 – 16:00 | LU Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel) TLP:CLEAR 14:30 – 16:00 | ||
15:30 – 16:00 | JP Cryptocurrency Breaches and Financial Regulators in Japan Natsuko Inui (Financial Services Information Sharing and Analysis Center, JP) TLP:GREEN | GB Harry W (NCSC-UK, GB) TLP:GREEN | AU Josh Lemon (Salesforce, AU) TLP:CLEAR | 15:30-16:30 | |||
16:00 – 16:45 | Networking Break Lennox / Moffat / Lammermuir – Level -2 | CVSS SIG Meeting 16:30-18:00 | |||||
16:45 – 17:45 | Swimming in the Cryptonote Pools Emilien Le Jamtel (CERT-EU) TLP:CLEAR | US How to Manage the Tangled Web of Dependencies Jessica Butler, Lisa Bradley (NVIDIA, US) TLP:CLEAR | US Adversary Modeling and Emulation in Operational Technology Environments Marie Collins, Otis Alexander (MITRE, US) TLP:CLEAR | LU Training (1 day) - Threat Intelligence Analyst and Administrators Alexandre Dulaunoy, Andras Iklody (CIRCL, LU) TLP:CLEAR 16:45 – 18:15 | US Jermaine Roebuck (HIRT, US) TLP:CLEAR 16:45 – 18:15 | FIRST Update: Financial & Business Review FIRST Members Only | |
17:45 – 18:15 | FR Analyze & Detect WebAssembly Cryptominer Patrick Ventuzelo (QuoScient, FR) TLP:CLEAR | FI A Tool for Vulnerability Management in a Large Company Umair Bukhari (Ericsson, FI) TLP:CLEAR | GB A Dragon In Wolf’s Clothing: When Stopping the APT Could be Easy Keir P (NCSC-UK, GB) TLP:GREEN | ||||
19:15 – 22:15 | Contini George Street | 103 George Street, Edinburgh |
Pentland Auditorium Level 3 | Sidlaw Level 3 | Fintry Level 3 | Workshop – Tinto Level 0 | Workshop – Kilsyth Level 0 | SIG Meetings – Menteith Level -1 | |
---|---|---|---|---|---|---|
08:30 – 17:00 | Registration Strathblane Hall & Atrium Foyer | |||||
09:00 – 17:30 | Security Lounge: FIRST CTF HQ & AWS Jam HQ Café 5 – Level 1 | |||||
09:15 – 09:30 | Opening Remarks Pentland Auditorium – Level 3 | |||||
09:30 – 10:30 | GB Keynote: Who's Afraid of the Big Bad Smart Fridge: Governance Challenges of the Internet of Things Leonie Tanczer (University College London, GB) | |||||
10:30 – 11:00 | Networking Break with Exhibits Lennox / Moffat / Lammermuir – Level -2 | |||||
11:00 – 12:00 | US Finding Dependencies Between Adversary Techniques Andy Applebaum (The MITRE Corporation, US) TLP:CLEAR | JP DE Attacks on Industrial and Manufacturing Networks Bakuei Matsukawa (Trend Micro FTR Team, JP); Vladimir Kropotov (Trend Micro FTR Team, DE) TLP:CLEAR | US CSIRT Schiltron: Training, Techniques, and Talent James Sheppard, Jeff Bollinger (Cisco Systems, Inc., US) TLP:CLEAR | US Vulnerability Response Capability Development for PSIRT Teams Art Manion (vu.ls – CERT/CC, US); Deana Shick, Madison Oliver (CERT/CC, US) TLP:CLEAR 11:00 – 12:30 | LU Training (day 2): Extending and Integrating MISP to Fit Your Use Case Alexandre Dulaunoy, Andras Iklody (CIRCL, LU) TLP:CLEAR 11:00 – 12:30 | 11:00-14:30 |
12:00 – 12:30 | TW Improving the Efficiency of Dynamic Malware Analysis with Temporal Syscall Measure Dr. Chih-Hung Lin (Taiwan Network Information Center (TWNIC), TW) TLP:GREEN | AE GB TRITON - The First Documented Attack on ICS Safety Systems Daniel Caban (Mandiant (a FireEye Company), AE); Peter Barbour (Mandiant (a FireEye Company), GB) TLP:CLEAR | NL Building a Global Maturity Measurement and Development Process for National CSIRTs Don Stikvoort (representing NCSC-NL, NL); Dr. Hanneke Duijnhoven (TNO, NL) TLP:CLEAR | |||
12:30 – 13:30 | Lunch Lennox Suite / Moffat / Lammermuir – Level -2 | |||||
13:30 – 14:30 | GB Magecart Activity and Actors - How Thousands of e-Commerce Sites are Being Compromised Terry Bishop (RiskIQ, GB) TLP:CLEAR | US Chip Greene, Conrad Layne (GE, US) TLP:GREEN | NL What a Code of Ethics Means for You and for FIRST Jeroen van der Ham (NCSC-NL, NL); Shawn Richardson (Palo Alto Networks) TLP:CLEAR | US Vulnerability Response Capability Development for PSIRT Teams Art Manion (vu.ls – CERT/CC, US); Deana Shick, Madison Oliver (CERT/CC, US) TLP:CLEAR 13:30 – 15:00 | LU Training (day 2): Extending and Integrating MISP to Fit Your Use Case Alexandre Dulaunoy, Andras Iklody (CIRCL, LU) TLP:CLEAR 13:30 – 15:00 | |
14:30 – 15:00 | HU The Evolution of GandCrab Ransomware Tamas Boczan (VMRay, HU) TLP:CLEAR | DE Applying Security Metrics for Quality Control and Situational Awareness Jan Kohlrausch (DFN-CERT, DE) TLP:CLEAR | EU Building a Common Language to Face Future Incidents Rossella Mattioli (ENISA - European Union Agency for Network and Information Security, EU) TLP:CLEAR | Cyber Insurance SIG Meeting 14:30-16:00 | ||
15:00 – 15:30 | Networking Break with Exhibits Lennox / Moffat / Lammermuir – Level -2 | |||||
15:30 – 16:30 | US Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US) TLP:CLEAR | GB PL Obtaining a Global Picture of the IoT Attack and Malware Landscape David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation, PL) TLP:CLEAR | US CZ Denise Anderson (H-ISAC, US); Eva Telecka (MSD, CZ) TLP:AMBER | US Vulnerability Response Capability Development for PSIRT Teams Art Manion (vu.ls – CERT/CC, US); Deana Shick, Madison Oliver (CERT/CC, US) TLP:CLEAR 15:30 – 17:00 | LU Training (day 2): Extending and Integrating MISP to Fit Your Use Case Alexandre Dulaunoy, Andras Iklody (CIRCL, LU) TLP:CLEAR 15:30 – 17:00 | 16:00-17:00 |
16:30 – 17:00 | US Optimized Playbook, Roll out! How an Optimized Playbook can Reduce Time-to-Detect Christopher Merida, Jason Kmack (Cisco Systems Inc, US) TLP:CLEAR | TW JP Malware in IoT Devices: Detection and Family Classification Using ELF Opcode Features Chin Wei Tien (Institute for Information Industry, National Taiwan University, TW); Shang Wen Chen (Institute for Information Industry, TW); Tao Ban (National Institute of Information and Communication Technology, JP) TLP:CLEAR | NL Protect your Castle by ‘Poldering’: Create a Network of Cybersecurity Clans Gijs Peeters (National Cyber Security Centre the Netherlands (NCSC-NL), NL) TLP:GREEN | |||
17:00 – 19:00 | Vendor Showcase Lennox / Moffat / Lammermuir – Level -2 |
Pentland Auditorium Level 3 | Sidlaw Level 3 | Fintry Level 3 | Workshop – Tinto Level 0 | Workshop – Kilsyth Level 0 | SIG Meetings – Menteith Level -1 | |
---|---|---|---|---|---|---|
08:30 – 16:00 | Registration Strathblane Hall & Atrium Foyer | |||||
09:00 – 17:30 | Security Lounge: FIRST CTF HQ & AWS Jam HQ Café 5 – Level 1 | |||||
09:15 – 09:30 | Opening Remarks Pentland Auditorium – Level 3 | |||||
09:30 – 10:30 | AU Keynote: Developing a Conceptual Model for Insider Threat Monica Whitty (University of Melbourne, AU) | |||||
10:30 – 11:00 | After ShadowHammer - Maintaining Trust in Auto-Updates Panel Discussion | |||||
11:00 – 11:45 | Networking Break with Exhibits Lennox / Moffat / Lammermuir – Level -2 | |||||
11:45 – 12:45 | US Information Convergence for Efficient Product Security Incident Management Chandan Nandakumaraiah (Palo Alto Networks, US) TLP:CLEAR | US Detecting Covert Communication Channels via DNS Dhia Mahjoub (Cisco, US); Thomas Mathew (Umbrella (Cisco), US) TLP:GREEN | ID The Asian Games 2018 Cyber Security, A Lessons Learned Andika Triwidada (Indonesia Computer Emergency Response Team (IDCERT), ID); Bisyron Wahyudi Masduki (Indonesia Security Incident Response Team on Internet Infrastructure (Id-SIRTI/CC), ID) TLP:CLEAR | JP Blue-team vs. Red-team Tabletop Exercise to Train the Process of Attack Investigation Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP); Chiyuki Matsuda, Fumie Watanabe (DeNA Co., Ltd., JP); Yusuke Kon (Trend Micro Inc., JP); Keisuke Ito (NTT DATA INTELLILINK Corporation, JP); Hajime Ishizuka (NTT Security Japan KK, JP); Toshiaki Ohta (Yahoo Japan Corporation, JP) TLP:CLEAR 11:45 – 13:15 | CA Hunting Linux Malware for Fun and Flags Marc-Etienne M.Léveillé (ESET, CA) TLP:CLEAR 11:45 – 13:15 | 11:45-13:15 |
12:45 – 13:15 | US What Information Security Can Learn from Design Douglas Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US) TLP:CLEAR | US How a Severity 2.2 Issue can Cost us so Much Lisa Bradley (NVIDIA , US) TLP:AMBER | US "Excuse me While I Kiss this Guy" - What You Said isn't What they Heard. Matt Linton (Google, US) TLP:CLEAR | |||
13:15 – 14:30 | Lunch Lennox Suite / Moffat / Lammermuir – Level -2 | Vulnerability Coordination SIG Meeting 13:45-15:30 | ||||
14:30 – 15:30 | BE Practical and Affordable Side-Channel Attacks Francois Durvaux (Thales, BE) TLP:CLEAR | FI Distributed Model for Targeted Threat Intelligence - Cyber Defence Cells Juha Haaga (Arctic Security, FI) TLP:CLEAR | The Past, Present, and Future of DNS Resolution Paul Vixie (Farsight Security, Inc.) TLP:CLEAR | US Hands-on: Practical tabletop drills for CSIRTs Kenneth van Wyk (KRvW Associates, LLC, US) TLP:CLEAR 14:30 – 16:30 | CA Hunting Linux Malware for Fun and Flags Marc-Etienne M.Léveillé (ESET, CA) TLP:CLEAR 14:30 – 16:00 | |
15:30 – 16:00 | US Malicious Encrypted Document Analysis Tyler Halfpop (Palo Alto Networks, US) TLP:CLEAR | DE Threat Detection based on Deep Learning at Scale Jan Pospisil, Karl Peter Fuchs (Siemens, DE) TLP:CLEAR | GB Working at Scale - How to Kill Botnets Quickly and Efficiently David Watson, Stewart Garrick (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation) TLP:AMBER | |||
16:00 – 17:00 | Lightning Talks Pentland Auditorium – Level 3 Networking Break with Exhibits Lennox / Moffat / Lammermuir – Level -2 | 16:00-17:00 | ||||
17:00 – 18:30 | 17:00-18:30 | |||||
18:30 – 22:00 | Cromdale Hall - Level -2 |
Pentland Auditorium Level 3 | Sidlaw Level 3 | Fintry Level 3 | Workshop – Tinto Level 0 | Workshop – Kilsyth Level 0 | Workshop – Lowther Level -1 | SIG Meetings – Menteith Level -1 | |
---|---|---|---|---|---|---|---|
08:30 – 16:00 | Registration Strathblane Hall & Atrium Foyer | ||||||
09:00 – 17:30 | Security Lounge: FIRST CTF HQ & AWS Jam HQ Café 5 – Level 1 | ||||||
09:15 – 09:30 | Opening Remarks Pentland Auditorium – Level 3 | ||||||
09:30 – 10:30 | US Merike Kaeo (Double Shot Security, US) | ||||||
10:30 – 11:00 | Networking Break with Exhibits Lennox / Moffat / Lammermuir – Level -2 | ||||||
11:00 – 12:00 | GB Seeing Clearly and Communicating Effectively to Address Event Overload Thomas Fischer (FVT SecOps Consulting, GB) TLP:CLEAR | NL TIDE -- Proactive Threat Detection Using Active DNS Measurements Olivier van der Toorn (University of Twente, NL) TLP:CLEAR | US Top Common Tabletop Exercise Failures Michael Murray, Robert Lelewski (Secureworks, US) TLP:CLEAR | US Hakan Nohre (Cisco Systems, US) TLP:CLEAR 11:00 – 12:30 | JP Fast Forensics against Malware Infection Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP) TLP:AMBER 11:00 – 12:30 | 11:00-14:30 | Traffic Light Protocol SIG Meeting 11:00-12:00 |
12:00 – 12:30 | US Effective Victim Interview Techniques for Incident Responders Alison Naylor (Red Hat, Inc., US) TLP:CLEAR | PL CSIRT in the Era of Information Operations. Should we be Involved? Mirosław Maj (Cybersecurity Foundation, Open CSIRT Foundation, ComCERT.PL, PL) TLP:CLEAR | US Building a Clan of Security Warriors Kristen Pascale, Tania Ward (Dell, US) TLP:GREEN | Passive DNS SIG Meeting 12:00-13:00 | |||
12:30 – 13:30 | Lunch Lennox Suite / Moffat / Lammermuir – Level -2 | ||||||
13:30 – 14:30 | US Hunting and Automation Using Open Source Tools Brian Baskin, John Holowczak (Carbon Black, US) TLP:CLEAR | GB Eireann Leverett (Concinnity Risks, GB) TLP:GREEN | US Incident Response: Make it a Family Affair Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US) TLP:CLEAR | US OPSEC for Investigators and Researchers Krassimir Tzvetanov (Purdue University, US) TLP:AMBER 13:30 – 15:00 | JP Fast Forensics against Malware Infection Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP) TLP:AMBER 13:30 – 15:00 | Industrial Control Systems SIG Meeting 13:30-14:30 | |
14:30 – 15:00 | BE Where's Wally? Hands-on Threat Hunting in Elasticsearch using ee-outliers Daan Raman (NVISO, BE) TLP:CLEAR | GB Alexander Vetterl (University of Cambridge, GB) TLP:CLEAR | US Attack the News Cycle Before it Attacks You Jerry Bryant (Intel, US) TLP:CLEAR | ||||
15:00 – 15:30 | AGM Registration Outside of Pentland Auditorium - Level 3 Networking Break with Exhibits (for non-members) Lennox Suite / Moffat / Lammermuir – Level -2 | ||||||
15:30 – 18:00 | Annual General Meeting (AGM) - Members Only Pentland Auditorium - Level 3 |
Pentland Auditorium Level 3 | Sidlaw Level 3 | Fintry Level 3 | Workshop – Lowther Level -1 | SIG Meetings – Menteith Level -1 | |
---|---|---|---|---|---|
08:30 – 11:00 | Registration Strathblane Hall & Atrium Foyer | ||||
09:00 – 12:00 | Security Lounge: FIRST CTF HQ & AWS Jam HQ Café 5 – Level 1 | ||||
09:15 – 10:15 | SE Hunting for Unknown Unknowns in Network Traffic Erik Hjelmvik (Netresec, SE) TLP:CLEAR | GB Saving the World with DGA DNS RPZ David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation) TLP:GREEN | FI Three Circles to Improve Health Care Cyber Security - This is How We do it in Finland Perttu Halonen (National Cyber Security Centre Finland, Finnish Communications Regulatory Authority, FI) TLP:CLEAR | US A Design Thinking Facilitation Workshop Doug Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US) TLP:CLEAR 09:15 – 10:45 | FI hACME: A Social Engineering Workshop Victor Sant'Anna (Nixu, FI) TLP:CLEAR 09:15 – 10:45 |
10:15 – 10:45 | JP Threat Hunting with SysmonSearch - Sysmon Log Aggregation, Visualization and Investigation Wataru Takahashi (Japan Computer Emergency Response Team Coordination Center, JP) TLP:CLEAR | JP TBD: To Block Connection to Malicious Host by Using “DQB” and "Shutdowner" Kunio Miyamoto (NTT DATA Corporation, JP) TLP:CLEAR | NL Defending the Dutch Healthcare Sector Jasper Hupkens (Z-CERT, NL) TLP:GREEN | ||
10:45 – 11:30 | Networking Break Lennox / Moffat / Lammermuir – Level -2 | ||||
11:30 – 12:30 | GB Keynote: Things That Go Bump in the Night: Detecting Problems in the Internet of Things Miranda Mowbray (University of Bristol, GB) | ||||
12:30 – 13:15 | Closing Remarks & Raffle Drawing | ||||
13:15 – 14:30 | Lunch Lennox Suite / Moffat / Lammermuir – Level -2 | ||||
14:00 – 18:00 | National CSIRT Meeting NCSIRT Members Only |
Doug Wilson (Self, US), Nguyet Vuong (Civil / Consensys, US)
Doug Wilson (Ex-Mandiant, FireEye, Uptycs) has almost 20 years in security, but if you look way back, his college degree is actually in design! When not doing security, he has spent a fair bit of the past 15 years attending events that focus on design, and believes that design elements are critical to success in security pursuits. He has presented at numerous security conferences over his career, as well as talks and a workshop at FIRST.
Nguyet Vuong has 16 years of experience as a digital designer, and is currently a Co-Founder and Design Lead for Civil (www.civil.co). She has won design industry awards, given numerous presentations, and facilitated workshops on design. She believes in honest and transparent design patterns that respect people's time and intelligence. She regularly tries to spread the word of how design thinking and processes can make other fields better, including security.
Security practitioners often struggle with collaboration, especially on projects where there are competing or contentious points of view. Design Thinking is a set of tools coming from the world of user experience design that allow for facilitation of discussion so that groups have a more equitable exchange of ideas, and come up with outcomes that more accurately represent a wide variety of views compared to traditional discussion forums.
By participating in a demonstration of a facilitated workshop, participants will realize the benefits of design thinking. This will include how to properly frame problems, ask the right questions, uncover unrealized components of both problems and solutions, and maintain empathy throughout the process so that diverse views are included in all parts of the process. We will attempt to keep the workshop pertinent by tackling a current concern in the security industry today.
June 21, 2019 09:15-10:45
wilson-vuong-FIRST-90-workshop-2019-06-12.pdf
MD5: dd239b4524a9cd771e305548647aab56
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.5 Mb
Keir P (NCSC-UK, GB)
Keir is a National Cyber Incident Coordinator at the UK's National Cyber Security Centre (NCSC). The Incident Coordination team are responsible for aligning the UK government's response to cyber incidents of a highly significant or critical nature.
Having been an Incident Responder and Coordinator in the NCSC's precursor organisation, CERT-UK, Keir has wide experience at both a technical and strategic level in dealing with a variety of prominent, high-impact incidents in the UK and across the globe.
Your CTI (Castle Tower Installation) vendor has just sold you a quick-raise drawbridge, fast-load catapults, and a tar-covered fence (literally, a firewall). That stuff was super expensive and next gen - there is no way a dragon/marauding army is getting in there!
So why is half the town on fire, and the other half full of nasty people with swords?
Did you let guards take the keys to the bar again?
Did you ever check that the broken wooden fence at the back of the castle had been replaced with that stone wall, like you asked?
We are seeing APTs neglect the 0day and hardened front door, instead using simple, easily accessible methods, with devastating efficiency. With a change in commodity malware use, this means we underestimate the threat, just as the danger grows.
Pull up a stool by the fire for some cautionary tales and how best to prevent them.
June 17, 2019 17:45-18:15
Christopher King (Rockwell Automation, US), Umair Masud (Rockwell Automation, US)
Chris King is the Chief Security Architect and former Cyber Defense Manager for Rockwell Automation, a leading industrial automation company. In his role at Rockwell, Chris is responsible for security architecture for the company, and formerly ran global cyber defense operations, vulnerability management, application security, and digital forensics. Before coming to Rockwell, Chris was a vulnerability analyst at the CERT Coordination Center (CERT/CC), where he conducted research into vulnerabilities in connected and automated vehicles for the Departments of Transportation and Homeland Security, developed strategies in coordinated disclosure, and developed secure architectures for the Department of Defense.
Adversaries are finding new opportunities to inflict damage on organizations by impacting their operational technology (OT) operations and supply chain. At the same time, tooling, monitoring, and response at the OT level have remained ad hoc and siloed. Now more than ever we must have a disciplined approach not only to detect threats impacting our OT environments but, more importantly, to respond in an efficient way that leads to a timely recovery. A single team providing integrated incident response for both IT and OT environments can help achieve these objectives. Come learn about the operational models, techniques and workflows that Rockwell Automation has been implementing to improve mean times to respond to and recover from cyber events and to foster knowledge sharing between IT and OT experts.
June 17, 2019 11:45-12:45
Umair Bukhari (Ericsson, FI)
In a large company with hundreds of software products, following up and fixing vulnerabilities in open source and commercial components is a big and complex task. Co-ordination of accurate vulnerability information between the vulnerability information sources, product development units, product management, customer support organizations, customers and sometimes even executives and public relations would be impossible without automated tools.
This talk presents the Ericsson Vulnerability Management Service (EVMS), a full-fledged vulnerability management system developed in-house. Various Ericsson employees globally use the service in different roles: Ericsson PSIRT provides the vulnerability management service through EVMS, product development submits their mitigation plans into EVMS, customer support searches for information about specific products and managers search for recently created security alerts to keep up with the security landscape. EVMS is the place where all the above information can be found.
June 17, 2019 17:45-18:15
11:00-14:30
Open to academic teams and organizations.
Some themes to consider presenting:
June 18, 2019 11:00-12:00
Chandan Nandakumaraiah (Juniper Networks, US)
Chandan Nandakumaraiah is a senior manager of incident response at Juniper Networks, co-founder and director of OpenGrok Foundation for the advancement of human understanding of complex software and systems and a member of the CVE Automation Working Group. He has served in various software engineering and security incident response roles for large corporations since the start of this millennium. Chandan is a member of Vulnerability Coordination SIG, Vendor SIG and Ethics SIG, and has been attending FIRST annual conferences since 2005. Chandan holds a Master's degree in Computer Science and Engineering from the Indian Institute of Science.
Communicating information related to vulnerabilities, including CVE IDs, is often one of the core services offered by product security teams. Describing vulnerabilities in a factual and precise language is critical for efficiency in response and remediation activities throughout the response ecosystem. Encoding the vulnerability related information in a machine readable format is essential for automation and for handling issues at scale.
We will discuss the latest developments in automation and encoding formats related to vulnerabilities and CVE IDs. This includes demonstrating tools and techniques related to creation, dissemination and consumption of the new CVE-JSON format. This presentation also shares our experience in streamlining vulnerability response processes at Juniper Networks by taking advantage of the new standards and techniques.
June 17, 2019 12:45-13:15
Marie Collins (MITRE, US), Otis Alexander (MITRE, US)
Otis Alexander joined the Mitre Corporation as a Cyber Security Engineer in 2014. He currently leads the development of the ICS ATT&CK model and focuses on the categorization and emulation of adversary behavior in cyber physical systems. Otis holds a BS and MS in Computer Science from the University of Washington.
Operators of Industrial Control Systems (ICS), like those used in electric power substations, lack the capability to actively defend their systems against cyber adversaries. Critical to building defenses is understanding potential and past adversary behavior. Building a threat model for ICS, e.g. ATT&CK for ICS, will enable the industry to prioritize and enhance defenses, share threat information in terms of adversary Tactics and Techniques, and respond to incidents more effectively. MITRE will present their ATT&CK for ICS model with associated use cases from past and recent incidents.
June 17, 2019 16:45-17:45
Panel Discussion
Moderator:
- Cristine Hoepers, CERT.br/NIC.br, BR
Cristine Hoepers is the General Manager of CERT.br, the Brazilian National CERT. In the past she served as a member of the FIRST Board of Directors, as a Lead Expert of the UN IGF Best Practice Forum on CERTs, and as a member of the ITU HLEG (High Level Experts Group). She holds a degree in Computer Science and a PhD in Applied Computing.
Panellists:
- Art Manion, CERT/CC, US
Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Since joining CERT in 2001, Manion has studied vulnerabilities, coordinated disclosure efforts, and published advisories, alerts, and vulnerability notes for CERT/CC and US-CERT. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to automate and improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.
- Marissa Quebbeman, Microsoft, US
Marissa Quebbeman is a Senior Security PM Manager in the Microsoft Security Response Center’s (MSRC) PSIRT where she leads a team to collaborate with researchers and developers to remediate security issues identified in Microsoft’s products and services. Prior to Microsoft, Marissa worked in cyber threat intelligence, digital forensics, and in the intelligence community. She earned both a M.S. and B.S. in Computer Science, and currently holds SEPP, GCIH, and GPEN certifications.
- Maarten Van Horenbeeck, Zendesk, US
Maarten Van Horenbeeck is Chief Information Security Officer of Zendesk, a customer service and engagement software company headquartered in San Francisco. He is also a Board member of the Forum of Incident Response and Security Teams (FIRST). Van Horenbeeck holds a master’s degree in information security from Edith Cowan University in Western Australia and a master’s degree in international relations from the Freie Universitat Berlin, and is a fellow in New America’s Cybersecurity Initiative.
On March 25th 2019, journalist Kim Zetter reported the discovery by Kaspersky Lab that thousands of laptop computers had had malware installed through abuse of their vendor's signed auto-update process [1]. This was not the first time this happened and it might not be the last. Professor Steve Bellovin described this as "A Dangerous, Norm-Destroying Attack", pointing out that "trust in the update channel is utterly vital" [2]. If end-users, organisations or third party vendors conclude - almost certainly wrongly - that it is less risky to disable updates of their connected devices and systems, then much of this century's progress in Internet security will be lost.
In this panel we will invite a number of experts to share their ideas on how the FIRST community can help ensure that auto-update processes are both trustworthy and trusted, and that Professor Bellovin's "sure-fire recipe for disaster" doesn't happen.
[2] http://www.circleid.com/posts/20190326_a_dangerous_norm_destroying_attack/
June 19, 2019 10:30-11:00
Patrick Ventuzelo (QuoScient, FR)
Patrick Ventuzelo is a French security researcher working for Quoscient GmbH. Previously, he worked for P1 Security, the French Department of Defense (DoD) and Airbus Defense & Space Cybersecurity.
He is mainly focused on Reverse Engineering and Vulnerability Research on various platforms with a strong interest on new research areas such as WebAssembly, Smart Contracts and Blockchain.
Patrick has been a speaker and trainer multiple times at various international security conferences such as BlackAlps, hack.lu, Toorcon, REcon Montreal, SSTIC and REcon Brussels.
Patrick is the creator of Octopus (https://github.com/quoscient/octopus), an open-source security analysis tool that supports WebAssembly to help researchers and analysts.
WebAssembly (WASM) is a new binary format currently developed and supported through the W3C by all major browsers, including Firefox, Chrome, WebKit/Safari and Microsoft Edge.
More than one year after the "official" release, it is heavily used in the wild to perform cryptojacking (illegitimate in-browser mining) using online services, like Coinhive, that provide a simple JavaScript API and use a WebAssembly module to make mining even more efficient and profitable than using pure JavaScript.
First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some cryptominer modules using static and dynamic analysis (reversing, decompilation, DBI, ...) applied to WebAssembly. Finally, I will present some techniques to detect and mitigate them.
Along the talk, I will use multiple open source tools but also Octopus, a security analysis tool for WebAssembly modules that I have developed and which is already available on GitHub (https://github.com/quoscient/octopus).
June 17, 2019 17:45-18:15
FIRST2019_wasm_cryptominer_full_Patrick-Ventuzelo.pdf
MD5: 5b0c665f495a6655f5b9f4f5c934a5e2
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.76 Mb
Pentland Auditorium - Level 3
The AGM is FIRST's Annual General Meeting, where the FIRST members meet to discuss and decide on FIRST and its road ahead. This includes the elections for the 5 Board of Directors seats that become vacant each year at the AGM.
Attendance and participation at the FIRST Annual General Meeting is limited to FIRST team members, FIRST liaison members and their invited guests, subject to approval by the Board of Directors.
June 20, 2019 15:30-18:00
Jan Kohlrausch (DFN-CERT, DE)
Jan Kohlrausch received a Diploma in computer science from the University of Hamburg in June 2000. Since July 2000 he has worked as a senior member of the development and research team at DFN-CERT Services GmbH. His research interests include honeypots, malware analysis, and network forensics.
Security metrics make it possible to quantify information in order to support threat intelligence processes. In this contribution we propose applying metrics to the security data of a clearing house in order to provide quality feedback and situational awareness to the user group as well as to the general CSIRT community. The clearing house collects events submitted by the user group (ISPs and CSIRTs), where the data is gathered by a combination of honeypots, IDS, and other sensors such as AV software. Our aim is to advise and motivate other teams in the application of security metrics and to promote information sharing.
June 18, 2019 14:30-15:00
FIRST2019_metrics_kohlrausch_brin.pdf
MD5: 8ffe38c1e1e6a469ab921037d0f5d531
Format: application/pdf
Last Update: June 7th, 2024
Size: 748.63 Kb
Chip Greene (GE, US), Conrad Layne (GE, US)
Chip Greene
Chip is a leader in the GE CIRT Threat Management Team, responsible for the operational readiness of all analysts, technology and processes within Incident Response. The GE CIRT provides monitoring, detection and response services for all environments including enterprise, cloud and operational technology, across multiple businesses. Chip holds a Bachelor of Science Degree from Virginia Commonwealth University in Information Systems, and a Master’s Degree from the University of Richmond in Disaster Science, along with IT and Security industry certifications.
Conrad Layne
Conrad Layne has been a senior cyber intelligence analyst with General Electric since 2013. In this role, Conrad tracks more than 50 nation-state actors, their attacks, and TTPs, with efforts focused on cyber-attacks affecting industrial control systems. Conrad holds a Bachelor of Science Degree in Digital Forensic Science from Defiance College and a Master’s Degree in Cyber Security Intelligence from Utica College.
As industrial systems become increasingly cloud connected, threat actors are developing more sophisticated attacks against the IT/OT space. Unlike enterprise level attacks that have often targeted intellectual property or sought financial gain, the IT/OT space is particularly at risk for critical and destructive attacks by these threat actors. New defenses are needed. In this talk, GE CIRT will propose new strategies to track and respond to threat actors using frameworks like the Lockheed Martin Kill Chain and the MITRE ICS/SCADA ATT&CK framework. The presentation will also demo how these frameworks have been used to track, simulate, and stop malicious activity.
June 18, 2019 13:30-14:30
FIRST-ATTACKING-THE-CASTLE-GREENE-Attendee-Slides.pdf
MD5: 7b18ef27ba076443c555ab21b4251c55
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.13 Mb
Jerry Bryant (Intel, US)
Jerry Bryant is the Director of Security Communications for the Intel Product Assurance and Security team (IPAS). Before joining Intel in 2019, he worked in the Microsoft Security Response Center where he was involved in almost every major security/product vulnerability incident since 2001. Jerry is a co-author of the PSIRT Services Framework and of the PSIRT Maturity Profiles companion document. He is also the producer of the PSIRT Services Framework video training hosted by FIRST.org.
Jerry has been a regular speaker at the Microsoft Executive Briefing Center where he educates customers on vulnerability handling, incident response, crisis management, and threat intelligence sharing. When not working or traveling, he is an avid dirt and adventure bike rider with a passion for European motorcycles.
Containment. That is the job of the incident responder once an issue is known, but what happens when news of that vulnerability or breach becomes public? Too often an organization lets a third-party voice become the authority, and then becomes reactive, which only makes bad news worse. In a world where headlines are built on Fear, Uncertainty, and Doubt (FUD), responders must be proactive and earn the right to tell their own story and control the narrative. It takes purpose, preparation, and influence to make awful news just bad and turn bad news into good news.
June 20, 2019 14:30-15:00
MD5: 0fef31c9f24b45456957c7e4493a376d
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.57 Mb
Bakuei Matsukawa (Trend Micro FTR Team, JP), Vladimir Kropotov (Trend Micro FTR Team, DE)
Bakuei is a researcher with the Trend Micro FTR team. He has been with Trend Micro since 1997, and worked as Japan product technical support team leader and malware analysis team leader of Japan Regional TrendLabs before he joined the Forward-looking Threat Research (FTR) team in 2012. He was seconded to the INTERPOL Global Complex for Innovation (IGCI) in Singapore from October 2014 to September 2017 to work for INTERPOL as a Cyber Researcher under the strategic partnership agreement between INTERPOL and Trend Micro, and was involved in the SIMDA botnet takedown, BEC investigations, a joint research paper on the West African Underground, and more. He returned to the FTR team in October 2017 as a Senior Threat Researcher. He is currently based in Japan, and cybercrime and Industry 4.0/Manufacturing are his current specialized areas of research.
Vladimir Kropotov is a researcher with the Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master’s degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, Black Hat EU and many others.
The presentation examines vulnerabilities and attack vectors in industrial and manufacturing environments. The attack vectors are illustrated with detailed case studies of past incidents. Initial detection of incidents, forensic examination and lessons learned are discussed in each case. We examine several industry-specific attack surfaces and then dive further into incidents where cybercriminals and sophisticated malicious actors targeted industrial environments. These attackers have different objectives, from ransomware attacks to blackmail and industrial espionage, but all ended up being detected in industrial environments. We will identify several groups and organized criminal gangs which focus on industrial targets and elaborate on how they use industry-specific attack vectors, lures, and malware in their actions. We will demonstrate modern trends in attacks on industrial environments, and highlight the scale of attack campaigns along with attacker objectives depending on the targets, their geo-locations and geo-political context.
June 18, 2019 11:00-12:00
1100-FIRST2019_Attacks-on-Industrial-and-Manufacturing-Networks.pdf
MD5: 9b006460f786bc9b882271f3e67299c0
Format: application/pdf
Last Update: June 7th, 2024
Size: 28.68 Mb
Lammermuir | Level -2
Join us for an afternoon of fun challenges with an IR twist. We will provide the beat and the incident response scenarios where you can learn new skills and practice current ones against a set of simulated security incidents. Can you identify what caused the blues? What would you do differently? How can you architect multiple AWS services to prevent it from happening again? How do you automate the incident response? Take part in our jam to find out!
As the challenges develop, you will take the initial infrastructure and, challenge by challenge, improve it into a resilient and secure deployment. Use your knowledge of AWS services and information security to perform incident response in the cloud and forensic analysis to find out whodunit! We will have a number of experienced AWS experts in the room who will be available to discuss ideas, provide guidance and in general help your team get through any roadblocks that pop up. New to AWS? New to security? Come and join us! Our activities are structured to accommodate AWS users of all levels. We have AWS experts, plus guided exercises, that will ramp up your security knowledge. We will form teams on the spot and provide challenges for you to tackle. Just bring your laptop, score points by solving them and win some cool prizes!
If you plan to join in on the fun Sunday, please submit your registration here so we can plan ahead for numbers: https://capsllc.wufoo.com/forms/first-2019-aws-security-jam-sunday-session/
June 16, 2019 13:00-17:00
Harry W (NCSC-UK, GB)
Harry is the Technical Director for Incident Management in the UK's National Cyber Security Centre with over 15 years’ experience in cyber security.
One of the key tasks for a national CSIRT is to be a clearing house for cyber-incident notifications. The UK's NCSC receives information potentially related to incidents in the UK from a wide range of sources. Turning these raw notifications into actionable information packs and delivering them to the right person at the right organisation in the shortest time possible is a key responsibility for us. Drawing on case studies, this talk will discuss the challenges that we have had in this area, the steps we've taken to improve already and the steps we are still taking. These steps will be useful to other national CSIRTs and large enterprise CERTs as they are likely to have similar challenges and also to smaller CERT teams to understand the issues and to be a more informed consumer of these notifications.
June 17, 2019 15:30-16:00
Raphael Vinot (CIRCL, LU)
Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing, or participating in the development of, tools to improve and ease the day-to-day incident response capabilities of the CSIRT he works for, but also of other teams doing similar activities.
We all receive massive amounts of notifications about compromised/malicious/weird IPs and it is pretty difficult to keep track of all of them in the long term.
Most of the time, they will be ingested by the SIEM, discarded after a while and that's it.
This talk will show a method and an open source software that can be used to aggregate them by autonomous system (AS) and see the evolution of the maliciousness of a specific AS over time.
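As an added example of the aggregation described above (not the CIRCL tool itself), the following Python snippet maps notified IPs to their AS through a prefix table, collapses duplicate reports of the same IP per AS and day, and produces a per-AS daily series and a ranking. The prefix table (documentation ranges only) and the notifications are constructed for the example; a real run would load a BGP RIB dump or a prefix-to-AS dataset instead.

```python
"""Aggregate IP notifications by autonomous system (AS) and build a per-AS
daily series so persistently bad ASes stand out from one-off listings.
Added example, not CIRCL's tool; prefix table and notifications are constructed."""
import ipaddress
from collections import defaultdict

# Constructed prefix -> ASN table (documentation ranges). A real run would
# load a BGP RIB dump or a prefix-to-AS dataset instead.
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "2001:db8::/32": 64502,
}
# Longest prefix first so the most specific route wins on overlap.
_PREFIXES = sorted(((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
                   key=lambda t: t[0].prefixlen, reverse=True)

# Constructed notifications: (ISO day, IP, reporting source)
NOTIFICATIONS = [
    ("2019-06-01", "203.0.113.10", "spamtrap"),
    ("2019-06-01", "203.0.113.11", "honeypot"),
    ("2019-06-02", "203.0.113.10", "honeypot"),   # same IP again on a new day
    ("2019-06-02", "203.0.113.12", "blocklist"),
    ("2019-06-02", "198.51.100.5", "honeypot"),
    ("2019-06-02", "192.0.2.7", "spamtrap"),      # no covering prefix in the table
    ("2019-06-03", "203.0.113.13", "blocklist"),
    ("2019-06-01", "2001:db8::1", "honeypot"),
]

def lookup_asn(ip_str):
    """Map an IPv4/IPv6 address to an ASN, or None if no prefix covers it."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn in _PREFIXES:
        if ip.version == net.version and ip in net:
            return asn
    return None

def aggregate_by_asn(notifications):
    """Return ({asn: {day: set(ips)}}, [unmapped ips]). Several reports of the
    same IP on the same day collapse into one distinct IP."""
    per_asn = defaultdict(lambda: defaultdict(set))
    unmapped = []
    for day, ip, _source in notifications:
        asn = lookup_asn(ip)
        if asn is None:
            unmapped.append(ip)
        else:
            per_asn[asn][day].add(ip)
    return per_asn, unmapped

def daily_series(per_asn, asn):
    """Sorted (day, distinct malicious IPs) pairs: one AS's evolution over time."""
    return [(day, len(ips)) for day, ips in sorted(per_asn[asn].items())]

def rank_asns(per_asn):
    """(asn, distinct IPs over the window, days seen), worst first."""
    rows = []
    for asn, days in per_asn.items():
        distinct = set().union(*days.values())
        rows.append((asn, len(distinct), len(days)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))
```

Counting distinct IPs per day rather than raw notifications matters: the same address is often re-reported by several feeds, so a report count would inflate an AS for being well-monitored rather than for being more malicious. Keeping the unmapped list visible is also deliberate, since a stale prefix table silently dropping addresses is the usual way such aggregates go wrong.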
June 17, 2019 12:45-13:15
MD5: fc615dfca0af3c4cf539b31b9495f707
Format: application/pdf
Last Update: June 7th, 2024
Size: 133.8 Kb
16:00-17:00
Open meeting.
Agenda:
June 19, 2019 16:00-17:00
Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP), Chiyuki Matsuda (DeNA Co., Ltd., JP), Yusuke Kon (Trend Micro Inc., JP), Keisuke Ito (NTT DATA INTELLILINK Corporation, JP), Fumie Watanabe (DeNA Co., Ltd., JP), Hajime Ishizuka (NTT Security Japan KK, JP), Toshiaki Ohta (Yahoo Japan Corporation, JP)
Yoshihiro Masuda, CISSP, CISM, CRISC, is a manager for Fuji Xerox Co., Ltd. He led the launch of Fuji Xerox CERT, and is currently engaged in cyber security management of the software products and cloud services Fuji Xerox offers. He is also devoted to the development and dissemination of the tabletop exercise method as chief of the Incident Simulation Exercise working group of the Nippon CSIRT Association, Japan.
Chiyuki Matsuda is currently studying Finance at UC Berkeley after engaging in cyber security at an IT company in Japan for 5 years, where one of her main missions was incident handling. She has also contributed to the CSIRT community in Japan (called NCA; Nippon CSIRT Association) by joining several working groups. This is her second time speaking at the FIRST Annual Conference, presenting an accomplishment of an NCA working group on incident handling exercises.
Yusuke Kon, CEH, CHFI, ECSA, CISSP, is a security analyst for Trend Micro Inc., and his current work is threat information sharing and product support. He has eight years of experience developing incident response exercise kits. He is also a member of TM-SIRT, the CSIRT of Trend Micro Japan.
Keisuke Ito is a member of IL-CSIRT, the CSIRT of NTT DATA INTELLILINK Corporation. Since 2014, he has been engaged in security incident handling in his company and for customers. His other mission is supporting customers in building and operating CSIRTs.
Fumie Watanabe has been engaged in cyber security at an IT company in Japan for 6 years. As a member of DeNA CERT, one of her main missions is cyber security training for employees. Recently, she has been running tabletop workshops for employees. She also actively runs several CSIRT workshops of the Nippon CSIRT Association, and contributes to fostering communication among CSIRTs in Japan.
Hajime Ishizuka is a senior consultant for NTT Security Japan KK, and his main work involves security planning, security assessment, support in setting up CSIRTs, and CSIRT maturity assessment. He is also an expert advisor of the Nippon CSIRT Association.
Toshiaki Ohta is an engineer for Yahoo Japan Corporation. He spent five years developing telephone exchanges. After joining Yahoo! Japan in 2000, he was responsible for the production of web content for entertainment (comics, music, and fashion). He has been working as project manager for the cyber-range project "Yahoo! JAPAN Hardening" since 2016.
Tabletop exercises are an effective way to improve resilience in incident response. Last year, at a workshop at the FIRST conference 2018, we conducted a hands-on demonstration of our tabletop exercise method, which provides two features: red team vs. blue team interaction, and random scenario creation using condition cards. From the experience of the tabletop exercises done so far, we recognized the need to include the process of investigating the cause of an attack in the training, so that more realistic incident response training can be implemented.
We will conduct a hands-on demonstration of our tabletop exercise method, which introduces investigation steps such as checking logs on a network architecture diagram. No prior knowledge or skills are assumed of attendees, although basic knowledge of network and system architecture is desirable.
June 19, 2019 11:45-13:15
Blue-team-vs.-Red-team-Tabletop-Exercise-to-Train-the-Process-of-Attack-Investigation.pdf
MD5: 4b9affd161959863a0c305ed9daad222
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.39 Mb
Kristen Pascale (Dell, US), Tania Ward (Dell, US)
Tania Ward has worked as a program manager within the Dell Product Security Incident Response Team for just under 6 years. In that time, she revamped the vulnerability response program, instituted company-wide KPIs and participated in a number of FIRST initiatives. Tania is from Northern Ireland, graduated with a degree in Computer Science from the University of Wales and moved to the US in 1999 with Microsoft, where she spent just over 14 years. Tania is a responder at heart, whether it’s responding to public disclosures or 911 calls as an EMT volunteer. She believes that the quality of response is closely connected to having the right tools, procedures and communication in place.
Kristen Pascale, Principal, Technical Program Manager, has worked as part of the Dell Product Security Incident Response Team (Dell PSIRT) for over six years. While Kristen’s time at Dell EMC is primarily focused on leading the company’s response to vulnerabilities in third-party software, she has also been instrumental in driving its operational efficiencies. Kristen participated as a reviewer of SAFECode’s whitepaper, “Managing Security Risks Inherent in the Use of Third-party Components,” and is an active member in several MITRE/CVE working groups. Prior to her time at Dell EMC, Kristen worked at Fidelity Investments for over 14 years, supporting implementations and data management in the 401(k) retirement sector.
The security landscape is a tapestry of changing exploits, woven with everyone from script kiddies to adversaries, each with their own motives. Security warriors are constantly adapting to this changing landscape by defining new techniques, processes and tools to counteract these exploits. What happens if you don’t have your own security warrior? We are all looking for new, innovative ways to build a security culture and inspire our clansmen to take ownership of security, so if you can’t find a security warrior, you adopt a security champion program that builds warriors. Come and learn some of the best practices in rolling out a security champion program, so that while the arrows are coming and the axes are sounding, your clan can ceilidh on while protecting your castle!
June 20, 2019 12:00-12:30
Rossella Mattioli (ENISA - European Union Agency for Network and Information Security, EU)
The Reference Security Incident Taxonomy Working Group (RSIT WG) was created by ENISA and TF-CSIRT. The aim of this working group is to help the CSIRT community reach a consensus on a reference taxonomy and improve incident classification: https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force
Rossella Mattioli joined ENISA, the EU Cybersecurity Agency, in 2013. Over the years she has worked on threat modelling and security measures for Internet infrastructure, ICS/SCADA, smart grids, Internet of Things, smart cars and aviation. She is currently focusing on supporting European CSIRTs communities to build and advance their incident response capabilities, the “CSIRTs Network” and the Reference Security Incident Taxonomy Working Group.
As the need for information exchange and incident reporting increases, together with the use of automation, it is becoming evident that there is a need for a common language to support incident response. Following a discussion among the CSIRT community at the 51st TF-CSIRT meeting, it was concluded that there is an urgent need for a taxonomy that serves as a fixed reference for everyone. This is why ENISA and TF-CSIRT created the “Reference Security Incident Taxonomy – RSIT WG”. This talk will present the latest version of the taxonomy, how the WG works and how this makes incident classification easier and more effective. All info at https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force
June 18, 2019 14:30-15:00
1430-Rossella-Mattioli-RSIT-FIRST.pdf
MD5: f12f5083cffb7ccb4c6841a47298715a
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.57 Mb
Don Stikvoort (representing NCSC-NL, NL), Dr. Hanneke Duijnhoven (TNO, NL)
Don Stikvoort graduated in theoretical physics in 1987, with highest honours. He joined the Dutch national research network in 1988: he was among the pioneers who created the European Internet, RIPE, the European cooperation of CSIRTs (TF-CSIRT) and the NL domain registry. He started his own company in 1998, and in that capacity specialises in two diverse but synergetic areas, cyber security, and executive coaching. Don has worked in the security area for over 25 years. Many CSIRTs were created with his help and guidance, among which the Dutch national CSIRT NCSC-NL. Audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008. SIM3 is now under the wings of the “Open CSIRT Foundation”, co-founded by Don in 2016.
Since 1992 Don has been at the forefront of the global incident response community, and is an individual member of FIRST and TF-CSIRT. Together with Klaus-Peter Kossakowski he initiated and fostered the closer cooperation of European teams from 1993 onwards. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown. Don was chairman of the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. Don authored and taught several training modules for the CSIRT community, some of which are still used worldwide today. He also trains trainers.
Don is a sought after motivational and keynote speaker. He seeks to increase the awareness of his audiences and thereby their personal power and effectiveness, and has done so all over the world.
Hanneke Duijnhoven holds a PhD in Organization Science from VU University Amsterdam (2010). Since 2012 she has worked for TNO as a senior scientist in the area of national security. Hanneke specializes in research on complex (organizational) processes in the defense, safety and security field. She is lead researcher for TNO's involvement in the Netherlands National Network of Safety and Security Analysts (ANV), which is tasked with the Netherlands National Risk Assessment. Within the network, TNO coordinates all analyses of cyber and critical infrastructure related risks. Further, Hanneke is involved in TNO's long-term research program on Cyber Security and Resilience, focusing in particular on collaborative initiatives, governance and CSIRT-related studies.
You will learn how to globally apply a best-practice based methodology to step-wise improve the maturity of national CSIRTs.
Dealing with information security threats worldwide requires building more CSIRT capacity. National CSIRTs play a central role there. Capacity building is not just about quantity but also about maturity. We propose a framework aimed at developing the maturity of national CSIRTs all over the world. By applying it, national teams will know how to measure their maturity (using SIM3). Additionally, 3 stages of increasing maturity are proposed (the ENISA approach). This allows a CSIRT to define a gradual maturity development path. It can also be used for membership/quality baselines and for facilitating cooperation and trust.
This project frames and adapts existing approaches so they will be taken up globally. To enable that, the Global Forum for Cyber Expertise (GFCE) supports it and good cooperation with FIRST, ITU, ENISA and OCF is in place.
June 18, 2019 12:00-12:30
15:30-16:30
Open meeting.
Meeting Agenda:
June 17, 2019 15:30-16:00
Denise Anderson (H-ISAC, US), Eva Telecka (MSD, CZ)
Denise Anderson, MBA, is President of the Health Information Sharing and Analysis Center (H-ISAC), a non-profit organization dedicated to protecting the health sector from physical and cyber attacks and incidents through dissemination of trusted and timely information. Denise currently serves as Chair of the National Council of ISACs and participates in a number of industry groups and initiatives. In addition, she has served on the Board and as Officer and President of an international credit association, and has spoken at events all over the globe. Denise was certified as an EMT (B), and Firefighter I/II and Instructor I/II in the state of Virginia for twenty years and was an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia for ten years. She is a graduate of the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.
Eva is the Hub Lead for the IT Risk Management & Security function, and a liaison for the EMEA region. Key responsibilities of the function are to collaborate with ITRMS Platform Leads to assure our company is being protected against cyber threats, and to assure compliance and risk management processes are established and maintained. The EMEA Risk Liaison function is key to assure that specific country needs of ITRMS services and cooperation are understood, captured & executed.
Eva has over 15 years’ experience in ICT management, previously working in the mobile telecommunication industry leading technical operations and support teams across the ICT landscape.
Eva holds a Master’s Degree in Management and Economy of Telecommunications and Transportation from the Czech Technical University, and holds a certification in ITIL (Manager`s Certificate), Project Management (PRINCE Practitioner) and ISO 19770 (Software Asset Management).
On June 27, 2017, threat actors unleashed a massive destructive campaign against Ukraine, known globally as Petya/NotPetya. One company affected by the attack was MSD. During the course of the incident and for months afterwards, MSD employees across the globe worked hard to mitigate the attack and recover from it. In addition, much information was shared within the health sector via the Health ISAC (H-ISAC), where a team of analysts from numerous competing organizations banded together to collaborate and help mitigate. Eva Telecka, Director IT Risk Management & Security, MSD, and Denise Anderson, President, H-ISAC, will tell the story of the incident from the perspective of MSD and of the ISAC, and the lessons learned by MSD as it recovered and developed a program for resilience. Attendees will learn how the sector collaboration that occurred is a perfect case for global sharing.
June 18, 2019 15:30-16:30
Cromdale Hall - Level -2
Banquet Cocktail Reception sponsored by VMRay
Conference Banquet sponsored by IBM Resilient
June 19, 2019 18:30-22:00
Natsuko Inui (Financial Services Information Sharing and Analysis Center, JP)
Natsuko Inui works with FS-ISAC colleagues in the AP region to foster the community in sharing, collaboration and engagement in the Asia Pacific region. Previous to FS-ISAC, she was an Analyst at Cyber Defense Institute involved in government research projects regarding incident response and cyber-exercises. She is also Vice Chair of the Nippon CSIRT Association, the CSIRT community of Japan.
Cryptocurrency exchanges in Japan were breached in 2018, resulting in millions in losses. This presentation will cover a timeline of the major Coincheck breach that occurred in January 2018, what actually happened based on a report by the company, and how the financial regulators have been responding to cryptocurrencies and their breaches. This will give insight into how regulation and breaches in a new industry unfold, the issues both sides are struggling with, and how both sides are addressing and trying to resolve the current issues. Many of the issues stem from cultural differences, including the gap between well-prepared companies and emerging industries that have yet to address cybersecurity as part of their risk assessment. The information will be based on open source information that can only be found in Japanese.
June 17, 2019 15:30-16:00
Mirosław Maj (Cybersecurity Foundation, Open CSIRT Foundation, ComCERT.PL, PL)
More than 20 years of experience in ICT security. Founder and president of the Cybersecurity Foundation, leader of the ComCERT.PL team and former leader of the CERT Polska team. In 2017-2018 he was adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities and building organizational structures, as well as establishing international cooperation in the field of cyberdefence. Initiator of the Polish Civic Cyberdefence organization. Co-founder of the Open CSIRT Foundation, the stewardship organisation for the SIM3 model.
European Network and Information Security Agency (ENISA) expert and co-author of many ENISA publications, including CERT exercises and papers on improving CSIRT maturity. He has organised 9 editions of cyber exercises in several countries for the most essential sectors (e.g. energy, banking). Speaker at many international conferences, including the FIRST conferences. He is also the originator and organiser of the Security Case Study conference.
Disinformation campaigns on the internet have become a real problem. Most of these campaigns, especially those which are well organised, involve technical mechanisms, including malicious activities (like botnets). Thus CSIRT teams are asked for help and direct involvement. Should your team be involved? Should you agree to that, and if so, what real value could your team bring to resolving the problem? Is this value related to monitoring services or rather to purely reactive ones?
At the Cybersecurity Foundation we run a project dedicated to this topic. We try to do practical things. We co-organised dedicated exercises (together with ITU) for CSIRT representatives to check out how they could help INFOOPS specialists to better react to INFOOPS incidents. This topic is not only about general best practices but also about concrete technical activities which CSIRT specialists could do during INFOOPS incident management.
June 20, 2019 12:00-12:30
James Sheppard (Cisco Systems, Inc., US), Jeff Bollinger (Cisco Systems, Inc., US)
Jeff Bollinger joined Cisco Systems in 2002 supporting Cisco's security technologies and solutions in Cisco's global technical support organization. Jeff later moved to the Computer Security Incident Response Team (CSIRT) and rapidly developed its global security monitoring and incident response capabilities.
Jeff helped build and operate one of the world's largest corporate security monitoring infrastructures. Jeff regularly speaks at international FIRST conferences, and occasionally writes for the Cisco Security Blog. He is also the co-author of "Crafting the InfoSec Playbook". Jeff's recent work includes log mining, search optimization, cloud threat research, and security investigations.
James Sheppard is an Information Security Investigator for Cisco's CSIRT team. His primary focus involves data analysis, tool development, and building novel detection techniques to find bad guys. James is also passionate about developing public tools, most notably Malspider, and hopes to share more security research with the community in the near future.
One of the most famous battles in Scottish history was the Battle of Bannockburn in 1314. Outnumbered Scottish soldiers defeated the cavalry of Edward II of England and forced the remaining English army to retreat 140km back to safety. A large part of their success was credited to a specialized defensive formation called the schiltron that foiled attacks from mounted riders and eventually pinned the retreating English against a river and thick marshland.
Their strategic planning and innovative defense techniques led to a major victory.
With the Scottish schiltron as our inspiration, this talk will demonstrate how Cisco’s security team practices its own schiltron drills by arming its analysts and investigators with the training, tools, and preparation necessary to defend castles in new places, detect advanced marauders, and mend walls. Learn how we use internal "Capture the Flag" programs as training, and how we encourage development with an internal "IR Bounty Program".
June 18, 2019 11:00-12:00
1100-CSIRT-Schiltron-Final.pdf
MD5: e2db3774105961811fbe7a179fc4af9f
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.13 Mb
13:45-15:15
Open meeting.
Agenda:
June 17, 2019 13:15-14:30
Hakan Nohre (Cisco Systems, US)
Hakan Nohre is a Technical Solutions Architect with Cisco Systems specialising in Cyber Security and Secure Access. Hakan has over 20 years of experience in IT security working with enterprise customers. Prior to joining Cisco, Hakan worked in software development and as a manager at Ericsson.
Hakan holds the CISSP and GIAC Pen tester certifications.
The Cyber Threat Response (CTR) Clinic has been built as a training platform based on the Cisco Security Integrated Threat Defense (ITD) architecture and solutions. Students will get to experience life-like cyber security attack situations in a virtualized enterprise lab environment, where they will get to play both the role of attacker and defender. Utilizing an environment that models after many enterprise networks, students will learn and understand how their own environments get compromised, how security breaches get detected, and how to respond with maximum effectiveness.
June 20, 2019 11:00-12:30
Aswami Ariffin (CyberSecurity Malaysia, MY), Megat Mutalib (CyberSecurity Malaysia, MY)
MEGAT MUAZZAM BIN ABDUL MUTALIB is the Head of the Malaysia Computer Emergency Response Team, or in short MyCERT, a department within CyberSecurity Malaysia. He is responsible for the daily operation of Cyber999 Incident Handling and Emergency Response, which primarily focuses on incident alerts and threat issues related to the Malaysian constituency, and for the Malware Research Centre. He has more than 10 years of experience in IT security, including network security, penetration testing, web security, malware research and honeypot technology.
DR. ASWAMI ARIFFIN is a digital forensic scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX. Currently, Aswami is a Senior Vice President of CyberSecurity Responsive Services Division at CyberSecurity Malaysia.
The nation needs to develop a cyber-protective strategy that is able to provide adequate protection and response mechanisms at the national level and across CNII sectors. Computer Emergency Response Team (CERT) / Computer Security Incident Response Team (CSIRT) manage the organization's information security risk management to an acceptable level. The capability to have a functional CERT/CSIRT is seen as closely connected to the concept of CNII protection.
In addressing cyber threats at national level, several services that provide proactive response to malware threats are proposed. This presentation discusses reported cyber security incidents focusing on APTs and malware threats in Malaysia. The presentation further highlights several case studies on services being implemented in Malaysia, namely CyberDEF (Detection, Eradication, Forensic) and CMERP (Coordinated Malware Eradication & Remediation Project). The objective of these services is to reduce the number of malware infections in Malaysia. The presentation highlights the importance of having these services to ensure a secure, resilient and sustainable CNII.
June 17, 2019 14:30-15:30
FIRST-2019-Slides-Dr-Aswami-Ariffin_Megatv2.pdf
MD5: f925d54f72ecac760a46d328468f7a5a
Format: application/pdf
Last Update: June 7th, 2024
Size: 16.85 Mb
Jasper Hupkens (Z-CERT, NL)
Jasper currently works for Z-CERT as a Security Specialist. Jasper has been involved in security for some years now and likes to think that he brings the other view to the table. In his own time he likes to tinker with all sorts of technologies from analogue to digital ones and also plays the trumpet.
The healthcare sector is complex, consisting of a lot of different parties, standards and products. All of these parties face different threats. Attendees will be presented with an overview of the threat landscape for the Dutch healthcare sector including examples of responsible disclosures or incidents. One of the new threats is medical devices moving into patients’ homes. This change brings new risks, often overlooked by manufacturers. With this presentation Z-CERT hopes to start new international collaborations within the FIRST community.
June 21, 2019 10:15-10:45
1015-FIRST-2019-Z-CERT-Jasper-Hupkens-Defending-the-Dutch-Healthcare-sector.pdf
MD5: 03e8bba325e0a105ebea51ebb81c7ed3
Format: application/pdf
Last Update: June 7th, 2024
Size: 682.98 Kb
Dhia Mahjoub (Cisco, US), Thomas Mathew (Umbrella (Cisco), US)
Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He works with his team on building large scale threat detection and threat intelligence systems and driving new product features. Dhia has over 15 years' experience in network security, has co-authored patents with OpenDNS and holds a PhD in graph data analysis. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, FloCon, Infosecurity Europe, RSA, FS-ISAC, NCSC One Conference, RIPE conference, Hack in the Box, FIRST, and TF-CSIRT.
Thomas Mathew is a Senior Security Researcher at Cisco Umbrella (OpenDNS) where he works on implementing pattern recognition algorithms to classify malware and botnets. His interest lies in using time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz and the US Naval Postgraduate School, and a Product and Test Engineer at the handsfree streaming video camera company Looxcie, Inc. He has presented at Black Hat, Defcon, BruCon, FloCon, Kaspersky SAS, Infosecurity Europe, and O'Reilly Security.
Attackers increasingly use DNS tunneling as a covert communications channel to either exfiltrate data, contact a C2 server, or download further payloads on an infected machine. Today's talk will provide an overview of the types of DNS tunneling seen in the wild as well as possible methods to detect tunneling. One method we propose to detect tunneling relies on the statistical similarity of DNS tunneling messages compared to other DNS queries. By extracting a set of features we show that there exist clear clusters of DNS-tunneling-like messages compared to regular DNS traffic. This forms the basis of a simple classification model. However, we also show some of the false detections that can arise from ad networks or spam reputation services.
June 19, 2019 11:45-12:45
Juha Haaga (Arctic Security, FI)
Juha Haaga is currently a Solutions Architect for Arctic Security. He has spent the last seven years exploring different methods of helping national CSIRT teams to deal with the deluge of network abuse information that they must handle on a daily basis. With a background in software engineering, solutions architecture, and product management, he’s currently interested in how to raise the capability level of emerging and established CSIRTs in the most efficient way. A key part of that is in how to extend these national level capabilities to SOC teams at enterprises and critical infrastructure, and how to engage the ISPs in managing national scale network abuse.
We present results from a defense cell case study in a national context. Automated threat intelligence sharing in a Hub-Node configuration was demonstrated in collaboration with a Finnish university, where received intelligence at the Node end is used in direct network monitoring to complement existing security infrastructure. Feedback provided to the Hub shows how different threats are affecting the stakeholders. The data covers a 3 month observation period.
June 19, 2019 14:30-15:30
Alison Naylor (Red Hat, Inc., US)
Alison Naylor is a Principal Information Security Analyst at Red Hat, Inc. based in Raleigh, North Carolina, USA.
As Incident Responders, we sometimes overlook the importance of conducting effective, compassionate victim interviews. Simply asking a standard list of technical questions isn’t enough! Victims often approach interviews in a heightened emotional state: afraid of possible disciplinary action, embarrassed that they made a mistake, or angry at the attacker that duped them. By exploring active-listening techniques and improving our emotional intelligence, we can elevate our IR-specific interviewing skills. This allows us to collect higher-quality and more consistent data, provide education and reassurance, and ultimately leave our victims with a positive impression of their friendly neighborhood Infosec team.
June 20, 2019 12:00-12:30
1200-Alison-Naylor-FIRST-2019-Interview-Techniques-revised.pdf
MD5: 1495a30cb5e75aaf4f330020b15626ca
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.06 Mb
16:00-17:00
Open meeting.
June 18, 2019 15:30-16:30
Matt Linton (Google, US)
Matt Linton is a Senior Security Engineer in Google's "Incident Management" team responsible for detection, response and remediation of serious security and privacy related issues. He is formally trained in Emergency Management, is an active Urban Search & Rescue Specialist, and has 20 years of experience in the information security industry. Prior to working at Google, he was Deputy CISO at NASA's Ames Research Center and a senior Security engineer for the Constellation space program.
In any crisis, communication issues are the most frequent cause of an incident going awry. Security and Privacy incidents are a stressful time when the ability to communicate clearly and quickly is both at its most necessary and most difficult to accomplish. Using proven methods for formal incident management which helped Google smoothly and clearly communicate during the Spectre and Meltdown disclosures (among others), this talk outlines how comms can go awry and provides concrete suggestions for how incident responders can prepare for and improve communications before, during, and after an incident.
June 19, 2019 12:45-13:15
Hiroshi Suzuki (Internet Initiative Japan Inc., JP), Hisao Nashiwa (Internet Initiative Japan Inc., JP)
Hiroshi Suzuki is a malware & forensic analyst. His main jobs are malware and vulnerability analysis, threat intelligence, digital forensics, and incident response for his company and its customers. He is especially interested in targeted attacks and their RATs and attack tools, such as PlugX, Mimikatz and so on. He has over 13 years dedicated to these areas.
Hisao Nashiwa is a threat analyst. His main jobs include incident response, malware analysis and network traffic analysis, and he has been observing malicious activities for over nine years. He has been researching cyber crimes such as exploit kits and malware. He has six years of experience and knowledge in analyzing malware.
They work for Internet Initiative Japan Inc. They are members of IIJ-SECT which is the private CSIRT of their company. They are speakers and hands-on trainers for international conferences such as Black Hat (USA, Europe and Asia) and FIRST TC multiple times.
NOTE: There's a limit of 30 seats for participating attendees (first-come, first-served). Additional attendees may attend, but only observe.
There are a lot of malware infection incidents such as targeted attacks, ransomware and banking trojans these days. In order to discover a malware infection on a machine, you need digital forensics and incident response (DFIR) skills, and you will need to use them quickly in the first response phase. In this course, attendees will learn several fast forensics techniques to find malware rapidly. We will provide an analysis environment as a virtual machine with various artifacts such as in-the-wild malware, Prefetch, registries and file system metadata.
-- Prerequisites & Skills --
A working understanding of Windows OS (file system, registry and command-line)
A working understanding of VMware/VirtualBox (importing VMs, handling snapshots, modifying configurations)
PC spec (hardware, software)
2.0+ GHz, multi-core CPU
8+ GB of RAM
30+ GB of storage space (You must have a SSD, not a HDD)
At least one USB 3.0 port (not USB type-C) and you must have a physical access permission for the USB port
A wireless network interface card
Host OS: Windows (7+) / macOS (10.13+) with administrator rights
VMware Workstation Pro (12+) / Fusion (9+) or VirtualBox (5.1+)
You CANNOT use VMware Workstation "Player" / VMware Player.
Full access rights for USB devices
We will distribute a virtual machine image of the analysis machine on site with a USB thumb drive.
June 20, 2019 11:00-12:30, June 20, 2019 13:30-15:00
Andy Applebaum (The MITRE Corporation, US)
Andy Applebaum is a Lead Cyber Security Engineer at The MITRE Corporation, where he works on applied and theoretical security research problems. Most of Andy’s work is in MITRE’s internal research and development portfolio on projects at the intersection of security, automation, and reasoning, including as one of the lead researchers on the CALDERA automated adversary emulation project. Outside of research, Andy is a member of MITRE’s ATT&CK team, where his current focus is on using ATT&CK for SOC assessments. Prior to working at MITRE, Andy received his PhD in computer science from the University of California Davis, where his dissertation topic was using argumentation logic for reasoning in security. Andy’s work has been published in multiple conferences and workshops and he has spoken at various industry and academic conferences. In addition to his PhD, Andy holds a BA in computer science from Grinnell College and the OSCP certification.
Adversaries rarely do things in a vacuum: many adversary techniques are stepping-stones that open doors to further execution opportunities, and not ends-in-themselves. Indeed, most techniques have functional requirements that must be met before execution; e.g., to use remote desktop protocol, an adversary must first have access to valid credentials. Understanding these relationships is important for defenders, as it can enable them to hunt more effectively and write better detections.
In this talk, we’ll present three studies we’ve conducted to find dependencies between adversary techniques. Our approaches include a data-driven approach that leverages the MITRE ATT&CK framework and a logical approach that shows how some techniques explicitly enable others. We’ll also present experimental results where we leveraged an automated adversary (CALDERA) to observe how techniques are interleaved in practice. Our results have wide applicability for defenders, and attendees should leave with a better understanding of the importance of technique dependencies.
June 18, 2019 11:00-12:00
MD5: f70f15595382cab75ec501c29d3f5843
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.53 Mb
Desiree Sacher (Finanz Informatik, DE)
Desiree is a Security Architect for a Security Operation Center in the financial industry. Throughout her career she has worked in engineering positions for different security vendors and products, until in 2014 she finally became a Security Analyst. She now draws on all of her experience from these jobs and her connections in the Infosec scene to create efficient SOCs. Desiree is also a certified GCIA Forensic Analyst, Network Forensic and Cyber Threat Intelligence Analyst.
Have you ever wondered how to get a good sense of your security monitoring rules, but you didn't want to invest in yet another tool? Sometimes, we have all the solutions lying right in front of us and all we need is a different perspective. This talk is about giving this new perspective on the data you are already accumulating, by making a small change to your security monitoring process, with a potentially huge change in your workflow and improved results.
June 17, 2019 12:45-13:15
FIRST-Fingerpointing_Falsepositives-Public.pdf
MD5: 9afcf604112a87d17ef7cb9ee9225cd6
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.05 Mb
Richard Clayton (University of Cambridge, GB)
Dr Richard Clayton is Director of the Cambridge Cybercrime Centre at the University of Cambridge. He has been investigating abuse for over two decades and for just as long he has been proposing and implementing innovative solutions for dealing with it. Since 2014 he has been assisting the Yahoo (now VerizonMedia) mail team to understand, monitor, and counter various styles of BGP hijacking.
A number of email spammers use BGP hijacking to obtain "new" IPv4 address space for their activities. This talk will reveal how this activity has been monitored and dealt with since 2014 -- explaining how attack and defence have evolved over that period.
June 17, 2019 11:45-12:45
Victor Sant'Anna (Nixu, FI)
Victor Sant’Anna is a Senior Security Consultant currently working with PSIRT coaching and Digital Identity. Victor has worked in the Information Security industry for the past 18 years in various roles, usually revolving around PSIRT activities, Vulnerability Management and Identity and Access Management. Human interactions and especially social engineering have always been a subject of interest; currently he is studying Social Psychology to complement his practical social engineering knowledge.
How do you prevent yourself and your staff from being manipulated? A Social Engineering role-playing game to create awareness and introduce the methods for social engineering attacks and prevention. Security experts can use it to train their own organizations.
SE basic concepts, methods and techniques will be explained during the game. Play the roles of attackers and victims, identify the valuable social clues that can be exploited and engage in social attack scenarios. A lessons-learned session, wrap-up and discussion will follow to ensure assimilation by the participants.
No previous experience needed, no computers required during this session. Pen, paper & some imagination required.
June 21, 2019 09:15-10:45
Kenneth van Wyk (KRvW Associates, LLC, US)
Ken is an internationally recognized information security expert and author of three popular books, including Enterprise Security: A Confluence of Disciplines (Pearson, 2014), Secure Coding: Principles and Practices (O’Reilly, 2003), and Incident Response (O’Reilly, 2001). He is also a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.
Ken also served for 11 years on the Board of Directors for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He holds a mechanical engineering degree and is a distinguished alumnus from Lehigh University and is a frequent speaker at technical conferences.
You’ve built your CSIRT and planned for every conceivable situation, right? How do you know they’ll succeed when pushed to the breaking point? In a prior FIRST session, Ken van Wyk presented a practical session on how to design and deliver tabletop drills to test your incident response capabilities. This proposal takes that to the next level in a hands-on role play session to spotlight the practical aspects of running a tabletop session. The session will use audience volunteers to take key roles in a fictional company and CSIRT. The team will include key stakeholders in the fictional CSIRT’s general counsel, human resources, media communications, and executive decision team. Van Wyk will then run a tabletop drill with the fictional CSIRT. Following the drill, the audience will then critique the fictional CSIRT’s performance. Attendees will gain practical guidance on how to deliver meaningful tabletop drills that test their CSIRT’s capabilities under fire.
June 19, 2019 14:30-16:30
FIRST-Conference-2019-06-Edinburgh-Practical-Tabletops-for-CSIRTs.pdf
MD5: 32e176d9df1cdfcd461288d5e1b40aa0
Format: application/pdf
Last Update: June 7th, 2024
Size: 13.41 Mb
Lisa Bradley (NVIDIA , US)
So you think you are doing pretty well with your vulnerability management practices, and then, wham, a severity 2.2 turned your world upside down. Yup, I said a CVSS score of 2.2. This talk will tell an interesting story of a severity 2.2 issue that not only cost our company tons of hours of work, but caused our CEO to come asking about it. Stories of real situations are always great to learn from. We at NVIDIA learned a pretty good lesson about a third-party reported issue and how better to handle it next time. Come walk through this story to learn about the mistakes we made and how we now have a better approach to all third-party reported issues regardless of the score. Let our story be your story to better improve your PSIRT practice.
Dr. Lisa Bradley is the Senior Manager for NVIDIA’s PSIRT. Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. Lisa has 20 years of Enterprise-class engineering and leadership experience including 6+ years of experience leading PSIRT programs, as she previously ran IBM’s. Lisa is part of FIRST’s PSIRT committee and contributed to the FIRST PSIRT Services Framework and training and the PSIRT Maturity document. Lisa has spoken at many tech-related events including FIRST, BSIMM, DerbyCon, ISACA and Security Journey White Belt modules.
June 19, 2019 12:45-13:15
Jessica Butler (NVIDIA, US), Lisa Bradley (NVIDIA, US)
Dr. Lisa Bradley is the Senior Manager for NVIDIA’s PSIRT. Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. Lisa has 20 years of Enterprise-class engineering and leadership experience including 6+ years of experience leading PSIRT programs, as she previously ran IBM’s. Lisa is part of FIRST’s PSIRT committee and contributed to the FIRST PSIRT Services Framework and training and the PSIRT Maturity document. Lisa has spoken at many tech-related events including FIRST, BSIMM, DerbyCon, ISACA and Security Journey White Belt modules.
Jessica Butler is a Senior Application Developer for NVIDIA’s Security Tools team and is the lead developer for NVIDIA’s Portfolio Manager Tool. Jessica has over 12 years' experience and earned her MS in Computer Engineering from Washington University in St Louis. She has certifications in Java, Ruby and a CCNA. In her free time Jessica enjoys gardening, kiteboarding and traveling with her family, BJ, Sebastian (4) and Eliza (2).
Did you know a software product is only as strong as what it consumes? The internal components, Open Source Software (OSS), and vendor products that your product relies on can leave you at risk if they do not have a strong security posture and vulnerability management process. We will cover NVIDIA’s path to better dependency management by integrating security into the design of internal components, putting together vendor/OSS questionnaires, creating a product profile tool to map dependencies, utilizing an OSS scanning system, and automatically creating bugs when a dependency has a vulnerability or update. A demo of NVIDIA’s product profile tool will be included.
June 17, 2019 16:45-17:45
How-to-manage-the-tangled-web-of-dependencies.pdf
MD5: 2b8c7d7beb265607d664021f9eaed622
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.03 Mb
Brian Baskin (Carbon Black, US), John Holowczak (Carbon Black, US)
John Holowczak began his cyber security career in Carbon Black's Security Operations Center (SOC), focusing on defense. With his domain knowledge, John moved on to Carbon Black's Threat Analysis Unit to focus on automation of threat detection and building out infrastructure for large scale malware analysis. Within the field of threat detection and analysis, John focuses on binary classification, dynamic analysis and Threat Hunting. He maintains an interest in tool development, both for Carbon Black's SOC and for threat research.
Brian Baskin is a Threat Researcher with Carbon Black’s Threat Analysis Unit with a specialty in digital forensics, incident response and malware analysis. Baskin was previously an intrusions analyst for the US Defense Cyber Crime Center. For over 15 years he has researched responses to cyber threats. He has authored multiple security books and develops software for more efficient malware analysis.
Visibility is the core component in any SOC, from continual monitoring to incident response. While having a simple interface helps to display data, sometimes advanced hunting requires moving beyond the interface and delving into data that’s likely never been documented. This presentation focuses on building a better understanding of your environment and hunting for unknown threats that lie within.
June 20, 2019 13:30-14:30
Public-_Hunting-and-Automation-Using-Open-Source-Tools_FIRST.pdf
MD5: 2bbabeaf90c3d8a615e440fd3ba8bfc9
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.21 Mb
Erik Hjelmvik (Netresec, SE)
Erik Hjelmvik has spent many years doing incident response and network forensics. He started analyzing network traffic from a security perspective while working at the R&D department of a major energy company, where he focused on SCADA and industrial control system security. Erik has also worked as an incident responder for 5+ years at the Swedish Armed Forces CERT, where he got the chance to focus even more on network forensics and network security monitoring. Nowadays Erik runs the company Netresec where he develops software, such as NetworkMiner and CapLoader, for doing network forensics.
APT groups as well as narrowly targeted malware campaigns can remain undetected for months or even years in a victim network. As these campaigns are unknown to defenders and AV companies there won't be any IOCs, AV signatures or IDS rules available to detect them. So, how can we go about hunting for these unknown unknowns? In this talk Erik presents techniques for detecting previously unknown intrusions and malware infections by analyzing network traffic. The presented techniques do not rely on overly complex solutions, such as machine learning or artificial intelligence, but are straightforward techniques that can be fully understood by analysts and incident responders.
June 21, 2019 09:15-10:15
Marc-Etienne M. Léveillé (ESET, CA)
Marc-Etienne has been a malware researcher at ESET since 2012. He specializes in malware attacking unusual platforms, whether it’s fruity hardware or software from south pole birds. Marc-Etienne has focused his research on the reverse engineering of server-side malware to discover its inner workings and operation strategy. His research led to the publication of the Operation Windigo white paper that won Virus Bulletin’s Péter Szőr Award for best research paper in 2014.
Outside his day job, Marc-Etienne enjoys designing challenges for the NorthSec CTF competition. He is also a co-organiser of the MontréHack monthly event. He has presented at multiple conferences including CSAW:Threads, CARO Workshop and Linuxcon Europe. When he’s not one of the organizers, he loves participating in CTF competitions like a partying gentleman. Outside cyberspace, Marc-Etienne plays the clarinet and reads comics. He tweets sporadically at @marcetienne.
Server-side Linux malware is a real threat now. Unfortunately, as for its Windows counterpart, most system administrators are inadequately trained or don’t have enough time allocated by their management to analyze and understand the threats that their infrastructures are facing. This tutorial aims at creating an environment where Linux professionals have the opportunity to study such threats safely and in a time-effective fashion.
In this introductory tutorial you will learn to fight real-world Linux malware that targets server environments. Attendees will have to find malicious processes and concealed backdoors in a compromised Web server.
In order to make the tutorial accessible for a range of skill levels several examples of malware will be used with increasing layers of complexity — from scripts to ELF binaries with varying degrees of obfuscation. Additionally, as is common in Capture-The-Flag information security competitions, flags will be hidden throughout the environment for attendees to find.
June 19, 2019 11:45-13:15, June 19, 2019 14:30-16:00
Strathblane Hall & Atrium Foyer
Join us for the opening reception of the 31st Annual FIRST Conference! Beverages and light refreshments will be served. Newbies (first-time attendees and first-time members) are encouraged to arrive early to meet and greet with the FIRST membership committee and board.
June 16, 2019 18:30-21:00
Jermaine Roebuck (HIRT, US)
Mr. Jermaine Roebuck serves as the Chief of the Hunt and Incident Response Team for the Cybersecurity and Infrastructure Security Agency (CISA). Mr. Roebuck oversees a team of technical subject matter experts who perform operational and strategic-level analysis to support network defense and resilience across the DHS stakeholder community. His team leads the federal effort to respond to cyber incidents and proactively hunt for malicious cyber activity in public and private sector organizations and critical infrastructure. Mr. Roebuck and his team work closely with law enforcement, the intelligence community, and international partners to provide a coordinated and comprehensive response.
Mr. Roebuck brings a wealth of experience to his role with over 15 years in various cybersecurity and IT leadership positions. Most recently, he served as Chief of the Network Analysis Group and as an Engagement Lead within the Hunt and Incident Response Team. As an Engagement Lead, he led the federal government’s efforts to provide technical assistance to significant cyber incidents, including many large-scale data breaches in both the private sector and federal government. During large-scale breaches he leads teams focused on discovering and analyzing new forensic artifacts, finding new security controls to prevent and detect APT intrusions, and creating or enhancing opportunities for early detection and containment.
Mr. Roebuck holds a Bachelor of Science degree in Cyber Security from the University of Maryland University College and he possesses CISSP, GSEC, GCED, GCIH, and GCFA certifications to name a few.
Come learn to defend ICS! In this capture the flag competition, participants will be able to analyze live industrial control systems processes and data to identify the root cause of an intrusion. There are many levels to the CTF so even if you are not an ICS expert there will still be challenges for you to learn! Please bring your own laptop and any tools you desire to use.
June 17, 2019 16:45-18:15
Dr. Chih-Hung Lin (Taiwan Network Information Center (TWNIC), TW)
Dr. Chih-Hung Lin has been in the ICT industry for over 20 years and has focused on cyber security for the last 15 years. His research covers Threat Hunting, Malware Analysis, Penetration Testing, and Digital Forensics. He is currently the director of TWCERT/CC at TWNIC in Taiwan. He previously led ICS security teams at the Institute for Information Industry and was the head of the Research and Development Team at the National Center for Cyber Security Technology in Taiwan. He has been in close collaboration over the years with universities, national and private research institutes and industries. He received his Ph.D. in Computer Science from National Taiwan University of Science and Technology (NTUST) in Taiwan. He is a certificate holder of GCFA, GPEN and CHFI.
As the number of malware samples continues to increase rapidly, waiting two or three minutes for a sandbox to analyze a piece of malware has become intolerable. To improve detection efficiency, several sandboxes that run multiple virtual machines (VMs) simultaneously to perform parallel computation have been developed. However, a few moments are still needed to perform dynamic malware analysis using the sandbox. This talk aims to reduce the latency of dynamic analysis by using a temporal syscall measure as an early stopping technique. This makes the proposed sandbox consume less time performing dynamic analysis than the usual wait time needed for timeout. This solution does not serve as a substitution technology, but an augmentation.
June 18, 2019 12:00-12:30
FIRST-2019-VTC_Dr.-Chih-Hung-Lin.pdf
MD5: 4e625275f50dc3fe7f1c6bfbd7ccbc81
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.07 Mb
Anthony Talamantes (Johns Hopkins University Applied Physics Laboratory, US), Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)
Anthony Talamantes has over 18 years’ experience in Cyber Security Operations and Threat Intelligence, with the last 11 years working for Defense contractors. He managed the Information Security and Incident Response efforts at RAND Corporation, where he focused on cyber defense and incident response from Advanced Persistent Threats. Anthony joined Johns Hopkins University Applied Physics Laboratory in 2013 and is Manager of Defensive Cyber Operations, where he created intelligence and threat based cyber teams that specifically target advanced adversaries by blending Research, Threat Emulation, DevOps and Analytics to gain visibility in identifying Advanced Persistent Threats.
In performing Incident Response at multiple organizations, we have found that there is normally too much focus on the Cyber Teams as Incident Responders and following their prescribed playbooks. During an impactful Incident, representatives from an entire organization may be part of the Incident Response effort.
We will discuss how we have extended the love (Cyber Incident Response) to our family: other areas within Information Technology & Services. The goal is to build their skills to a level where they can participate in and contribute to an Incident Response effort. Having a dynamic and extended team has definitely augmented our Incident Response capabilities.
The next step is extending the love to other areas within the organization, including Legal, Human Resources, Public Relations and others, to better prepare them for a significant Incident.
June 20, 2019 13:30-14:30
Chandan Nandakumaraiah (Palo Alto Networks, US)
Chandan Nandakumaraiah is a senior manager of incident response at Juniper Networks, co-founder and director of OpenGrok Foundation for the advancement of human understanding of complex software and systems and a member of the CVE Automation Working Group. He has served in various software engineering and security incident response roles for large corporations since the start of this millennium. Chandan is a member of Vulnerability Coordination SIG, Vendor SIG and Ethics SIG, and has been attending FIRST annual conferences since 2005. Chandan holds a Master's degree in Computer Science and Engineering from the Indian Institute of Science.
PSIRTs have to keep track of a diverse set of information from multiple sources for effective incident response. This includes communication with vulnerability researchers, coordinators, vulnerability-related news feeds, social media, internal defect tracking systems, remediation management, product inventories and third-party dependencies, people, release timelines, third-party product vulnerability tracking, standard dictionaries, advisories, and CVE ID assignments, to name a few.
This presentation shares my experience at Juniper Networks in streamlining and automating PSIRT processes by pulling information from diverse sources and making use of new technologies to solve multiple challenges.
June 19, 2019 11:45-12:45
Ken Munro (Pen Test Partners LLP, GB)
Ken Munro is Partner and Founder of Pen Test Partners LLP, a firm of ethical hackers. He regularly blogs on everything from maritime security to hacking cars and the Internet of Things. This has gained him notoriety among the national press, leading to regular appearances on BBC TV and BBC News online as well as the broadsheet press. He’s also an Executive Member of the Internet of Things Security Forum and spoke out on IoT security design flaws at the forum’s inaugural event.
He also writes for various newspapers and industry magazines in an effort to get beyond the unhelpful scaremongering put about by many security vendors. Ken has become a voice for reform and legislative change in the largely unregulated IoT, briefing UK and US government departments as well as being involved with various EU consumer councils.
The Internet of Things is shot through with flaws. While some are unique and device-dependent, many are systemic. We often find that a security flaw in one product will affect every other device within that product line. This means that intended functionality can be turned against the user, allowing an attacker to open “smart” door locks, to eavesdrop on conversations, even to locate and interact with unsupervised children.
How can these problems be fixed when the cat is already out of the bag? The only practical means we have is through responsible disclosure, meaning that the security industry is now the only group effectively policing the IoT.
June 17, 2019 10:00-11:00
Monica Whitty (University of Melbourne, AU)
Professor Monica Whitty holds a Chair in Human Factors in Cyber Security at the University of Melbourne, in Australia. She is a member of the Global Futures Communities for Cyber Security for the World Economic Forum and the World Economic Forum Cyber Security Centre. She is also a visiting Professor in Cyber Security at Royal Holloway, University of London. Her work, in particular, examines identities created in cyberspace, online security risks, behaviour in cyberspace, insider threat, as well as detecting and preventing cyberscams. Monica is the author of over 100 articles and 5 books, the latest being: 'Cyberpsychology: The study of individuals, society and digital technologies' (Wiley, 2017, with Garry Young). She has led research projects for both government and industry amounting to over $10 million AUD. More recent projects include the psychology of cyberscams – with an emphasis on how to protect citizens from becoming victimized by these crimes, cultural enablers of cyberscams, protecting privacy in online spaces, educational and training methods in cybersecurity, and developing a conceptual model for insider threat. Prof Whitty is also developing courses for industry, at the University of Melbourne, on how to train employees to act more safely online, and how to develop cybersecurity training courses for the public. She welcomes opportunities to work with new partners.
Insiders can be malicious or non-malicious (e.g., accidentally clicking on a link or leaking a password). This talk, however, focuses on the malicious insider. I will be discussing case studies of insider attacks that took place in the UK to develop a conceptual model for insider threat. The case studies involved interviewing investigators, heads of security, information technologists, law enforcement, security officers, human resource managers, line managers and co-workers who knew the insider. The talk will outline some of the archetypal insiders identified in the research, such as ‘the disgruntled employee’ (often found in studies on insider threat), the show-off, the career criminal, and the addict. The work highlights the multiple pathways to an attack, demonstrating the various types of insiders and the methods they employed to attack the organization. I conclude by setting out a conceptual model for insider threat, which stresses the need to continuously seek out methods to close down opportunities as well as to monitor behaviour change. It also elucidates potential deterrence and prevention strategies and how these might be ethically and legally applied.
June 19, 2019 09:30-10:30
930-Whitty_insider-threat_FIRST_June-2019-compressed.pdf
MD5: cc19a1501b5afe8780df442ef1ac06ff
Format: application/pdf
Last Update: June 7th, 2024
Size: 775.88 Kb
Miranda Mowbray (University of Bristol, GB)
Miranda Mowbray is a lecturer at the University of Bristol, where her research interests include data science for cyber security, and big data ethics. Before moving to the University she did industrial research at HP Labs. She was an invited panellist at the 2017 Global Cybersecurity Summit. In 2018 she did a research project with two postgrad students on subverting the security of a swarm of a hundred small autonomous robots. Miranda is a Fellow of the British Computer Society. Her PhD is in Algebra, from London University.
The Internet of Things is growing fast, and it's not secure. I'll describe some attacks on Things, and discuss how they might have been detected. Analysis of Internet of Things data can detect misconfigurations and other unwanted behaviour as well as attacks: I'll give examples. I'll end by discussing why some Things are so insecure, and what might be done to improve the situation.
The keynote will be held in the Pentland Auditorium – Level 3.
June 21, 2019 11:30-12:30
MD5: 0379017b146808d3cda64cc453b263f4
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.43 Mb
Merike Kaeo (Double Shot Security, US)
Merike Kaeo is CEO and founder of Double Shot Security. She has over 25 years of experience in pioneering Internet technology deployments and developing strategic security initiatives. Her passion for building cooperation and collaboration between operational, technical, law enforcement and policy sectors in all things related to ‘information security’ has led to many unofficial global liaison roles. In 2007, Merike was instrumental in fostering cooperation and trust among the global operational security community and the Estonian National CERT during the cyber attacks against Estonia.
Merike instigated and led the first security initiative for Cisco Systems in the mid 1990s and authored the first Cisco book on security, Designing Network Security, which was translated into multiple languages and widely used in security accreditation programs. She has held a variety of executive leadership positions and has a deep rooted history in the global Internet community.
Merike is a member of the IEEE, a pioneer member of ISOC and has been an active contributor in the IETF since 1992. She was named an IPv6 Forum Fellow in 2007 for her continued efforts to raise awareness of IPv6 related security paradigms. She is on ICANN’s Security and Stability Advisory Council (SSAC) and the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC).
In recent years Merike has led and contributed to several global threat intelligence sharing initiatives. In 2014 she was part of the EU Network and Information Security (NIS) Working Group 2 that created guidelines and recommendations to promote the sharing of cyber threat information and incident coordination in both the public and private sectors in the EU. She is also the co-chair of the FIRST Information Exchange Policy SIG.
Merike earned a MSEE from George Washington University and a BSEE from Rutgers University.
In the last year we’ve seen more sophisticated attacks exploiting the fundamentally trusted building blocks of the Internet - routing, the domain name system and even digital certificates. How can we regain trust and control of where our data goes and by whom it is seen? This talk focuses on the causes of broken trust relationships between protocol developers, software implementers, network operators, corporate executives, security researchers and legal compliance teams. It is time for renewed vigilance and effective feedback loops, so that we keep forward momentum in a chaotic environment that inherently must deal with unverified trust, which will ironically enable renewed trust for the evolving digital society we are creating.
June 20, 2019 09:30-10:30
930-FIRST2019-Keynote-Merike_FINAL.pdf
MD5: 894b5c3ce8a1c770ac070dce8fba4a82
Format: application/pdf
Last Update: June 7th, 2024
Size: 26.39 Mb
Leonie Tanczer (University College London, GB)
Dr Leonie Maria Tanczer is Lecturer in International Security and Emerging Technologies at University College London’s (UCL) Department of Science, Technology, Engineering and Public Policy (STEaPP). She is a member of the Advisory Council of the Open Rights Group (ORG), affiliated with UCL's Academic Centre of Excellence in Cyber Security Research (ACE-CSR), and a former Fellow at the Alexander von Humboldt Institute for Internet and Society (HIIG) in Berlin. Her research focuses on questions related to Internet security, and she is specifically interested in the intersection points of technology, security and gender.
Prior to her lectureship appointment, Tanczer was Postdoctoral Research Associate for the EPSRC-funded PETRAS Internet of Things (IoT) Research Hub, where she was part of its "Standards, Governance and Policy" research team. She holds a PhD from the School of History, Anthropology, Philosophy and Politics (HAPP) at Queen's University Belfast (QUB). Her interdisciplinary PhD project included supervision from both social sciences and engineering (ECIT) and focused on hacking and hacktivism. More about her work and current research projects can be found on her website.
The “Internet of Things” (IoT) is creating a range of uncertainties, opportunities, and risks which stretch across technical, economic, and societal domains. As the scale and scope of IoT is meant to increase drastically over the next decades (i.e., 25 Billion connected devices by 2020), it is important to consider the privacy, security and safety implications of “smart” technologies at an early stage. Drawing on Dr Leonie Tanczer’s extensive research experience as part of the UK-wide PETRAS IoT Research Hub as well as her ongoing work on IoT’s implications for domestic violence and abuse victims and survivors, this talk will cover the ongoing governance challenges that characterise the IoT environment as well as the human factors that need to be considered when developing both technical and regulatory measures to secure the evolving IoT ecosystem.
June 18, 2019 09:30-10:30
MD5: 79342ea23d6f062b03a5baeac861988b
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.44 Mb
Terry Bishop (RiskIQ, GB)
Terry Bishop, Technical Director, EMEA, RiskIQ
Terry has over 20 years of experience in IT Security & Networking, working with both private and public sector organisations to deploy and manage security solutions, in both technical and leadership roles. His experience ranges from the endpoint to enterprise-wide monitoring for security and compliance. Terry is currently EMEA Technical Director at RiskIQ, delivering a unique approach to security by providing an outside-in view of its customers' external attack surface.
Magecart is an umbrella term given to at least seven cybercriminal groups that are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. In a few short months, Magecart has gone from relative obscurity to dominating international headlines and ascending to the top of the e-commerce industry's public enemy list.
Responsible for recent high-profile breaches of global brands Ticketmaster, British Airways, and Newegg, in which its operatives intercepted thousands of consumer credit card records, Magecart is only now becoming a household name. However, its activity isn't new and points to a complex and thriving criminal underworld that has operated in the shadows for years.
In this session we'll cover the evolution of the groups from 2014/2015 to the present day, detailing the current tactics and techniques used to compromise website JavaScript.
June 18, 2019 13:30-14:30
Tyler Halfpop (Palo Alto Networks, US)
Tyler Halfpop is a senior malware researcher at Palo Alto Networks. In the past he has worked at General Dynamics Fidelis Cybersecurity and Salesforce. He has presented research at a variety of conferences and meetings including SANS, DerbyCon, Shakacon, and Hushcon.
Encrypted Office documents pose a difficult challenge to organizations and security vendors, and attackers know it: they are using this tactic more and more. This talk will highlight analysis of multiple major campaigns utilizing encrypted documents, as well as the encrypted document file formats and the different encryption methods used by Office. Attendees will also learn how to create automated systems to crack and analyze encrypted documents.
June 19, 2019 15:30-16:00
Chin Wei Tien (Institute for Information Industry, National Taiwan University, TW), Shang Wen Chen (Institute for Information Industry, TW), Tao Ban (National Institute of Information and Communication Technology, JP)
Chin-Wei Tien is a deputy director in the CyberSecurity Technology Institute at the Institute for Information Industry (III). He is also a PhD candidate in the Department of Electrical Engineering at National Taiwan University. His research areas include cloud virtual machine introspection, malware behavior analysis, IoT security, and blockchain security. In recent years, cyber security threats have become increasingly dangerous. Attackers fabricate fake emails to trick specific users into clicking on malicious attachments or URL links. This type of threat is called an APT attack. Because APT attacks use unknown exploits to trigger malicious activities, it is difficult to defend against them effectively. Chin-Wei therefore focuses on this type of challenge faced by the security industry, and developed a Cloud-threat Inspection Appliance (CIA) system to defend against APT threats. Chin-Wei has received 6 awards and 14 patents during his career at III. These results demonstrate his past achievements and his great potential in the security profession.
The threat of malware on IoT devices has been increasing in recent years: the number of IoT malware samples in 2018 already exceeds 120 thousand, three times that of 2017 and ten times that of 2016. However, we still understand too little about how to analyze IoT malware effectively, unlike Windows malware analysis. Thus, in this talk, we introduce a framework for IoT malware analysis including detection and family classification. Unlike the related work we have found, this study chooses ELF opcodes as the main feature and applies machine learning to detect and classify IoT malware. We collected over 30 thousand IoT malware samples (caught by an IoT honeypot since 2016) for this study and designed 19 features from the ELF format and 8 categories of opcode instruction sets. The experimental results achieve 99% detection accuracy and 98% classification accuracy, which demonstrates the effectiveness of our method.
June 18, 2019 16:30-17:00
Paul Jung (Excellium Services, LU), Rémi Chipaux (Qintel)
Paul Jung
Paul Jung has long been a security enthusiast. He has worked in the security field in Luxembourg for more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experience that enable him to perform multiple roles, from offensive security audits to security incident handling. From 2008 to 2014, prior to joining Excellium Services, Paul was Senior Security Architect in the Managed Network Security department of the European Commission. In this position, Paul was responsible for leading the technical aspects of security projects. He also wrote a few articles in MISC magazine (French) about DDoS, botnets and incident response. Since 2014, Paul has worked at Excellium Services as a senior security consultant. He leads the Excellium Services CSIRT (CERT-XLM). In this position, Paul leads the response team involved in incident handling and intrusion response. He provides security awareness and recommendations to Excellium Services customers. Paul is often a speaker at local events and has spoken multiple times at the Hack.lu and Botconf security conferences. His mother tongue is French, and he speaks English.
Rémi Chipaux
Rémi Chipaux, aka Futex (@futex90), works at Qintel as a security researcher, threat intelligence analyst and malware reverser. He previously worked in Unix/Linux administration and has spent a decade in computer security in various industries (banking, European institutions, etc.). He is a member of the organizing team of BSides Luxembourg and a speaker there. He also plays CTF challenges. He has been passionate about all things hacking since a young age, as well as electronics, D.I.Y. and beer (drinking and making).
We propose a 3-hour workshop and are open to repeating it multiple times during the conference. In the workshop, we aim to teach the audience how malware packers usually work to hide the original payload. We will teach the audience the tricks used by reverse engineers to unpack samples and dump protected executables. Between the formal "lesson" slides, we will have hands-on practice unpacking real malware. We will show where to break the application flow and what to look for in order to dump the real, non-obfuscated payload.
June 17, 2019 11:45-13:15, June 17, 2019 14:30-16:00
11:45-13:15
Open meeting.
Meeting Agenda:
June 19, 2019 11:45-12:45
David Watson (The Shadowserver Foundation, GB), Piotr Kijewski (The Shadowserver Foundation, PL)
Piotr is a member of The Shadowserver Foundation, a non-profit with a mission of making the Internet a more secure environment. He has a strong CSIRT background, previously working in incident response at a national level for 14 years in the CERT Polska (CERT.PL) team. He managed the team for nearly 7 years, until 2016, building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr currently also serves on the Board of Directors of the Honeynet Project, a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis.
David Watson has been a member of the Shadowserver Foundation since 2008 and is a Director who leads the Special Projects Team in support of international Law Enforcement. David regularly presents and teaches classes at information security events and is passionate about helping network owners and cybercrime victims to defend themselves using tools and information sources that are freely available. David was previously the Chief Research Officer and a Director of the Honeynet Project (2006-2016), helping develop and deploy security tools worldwide.
Nearly every day brings us news about how big IoT-related attacks are and how much damage they cause. But how large are they really? The talk will provide an overview of how The Shadowserver Foundation collects information about IoT-related attacks, malware and potentially vulnerable devices. These data collection processes are in many ways unique due to their sheer size and scope, and are hence able to give insight (even if, of course, incomplete) into the scale of the IoT problem. From daily large-scale scanning of the entire IPv4 address space for open and vulnerable services, to sinkholing operations, honeypots and darknets, each of these techniques gives its own view of the current IoT attack and threat landscape. They do, however, come with their own set of problems and areas for improvement. We will provide some concrete solutions that can make things better. We will also demonstrate how Shadowserver conducts deeper dives into particular IoT threats and builds customized platforms for monitoring them to obtain more detailed insight. As a result of this wide set of activities, Shadowserver is able to present global and per-country views of IoT-related problems, of which the most interesting cases will be highlighted in the presentation. By using a data-driven approach to identify relevant threats, it is hoped that CSIRTs responsible for particular countries or networks can gain an understanding of where to focus their remediation actions to be most cost-effective and offer the best return on investment in making their constituency and environment secure.
June 18, 2019 15:30-16:30
Anthony Talamantes (Johns Hopkins University Applied Physics Laboratory, US), Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)
Anthony Talamantes has over 18 years’ experience in Cyber Security Operations and Threat Intelligence, with the last 11 years working for Defense contractors. He managed the Information Security and Incident Response efforts at RAND Corporation, where he focused on cyber defense and incident response from Advanced Persistent Threats. Anthony joined Johns Hopkins University Applied Physics Laboratory in 2013 and is Manager of Defensive Cyber Operations, where he created intelligence and threat based cyber teams that specifically target advanced adversaries by blending Research, Threat Emulation, DevOps and Analytics to gain visibility in identifying Advanced Persistent Threats.
The adversaries are evolving and we needed the agility to evolve with them. Our new philosophy of targeting the adversaries' evolving TTPs with cyber hunting needed the people, processes and technology to support it. We will discuss how we operationalized cyber hunting. We started with simple behavioral use cases and then expanded to more advanced use cases, looking for PowerShell, WMI and Kerberos manipulation activity. We will outline open source reporting, reference the MITRE ATT&CK model and discuss how we used threat emulation to operationalize hunt procedures. We will illustrate how we created analytics to identify advanced methodologies used by some of the most advanced Nation States.
June 18, 2019 15:30-16:30
Krassimir Tzvetanov (Purdue University, US)
Krassimir Tzvetanov has worked for hardware vendors like Cisco and A10, focusing on threat research and information exchange, DDoS mitigation features, product security and best security software development practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc., where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo!, Krassimir worked at Google, Inc. as an SRE for two mission-critical systems: the ads database supporting all incoming revenue from ads, and the global authentication system which served all of the company's applications.
Krassimir is very active in the security research and investigation community, has made a number of contributions to FIRST SIGs, and participates in the Honeynet Project.
In addition, Krassimir ran the BayThreat security conference and has contributed to a number of other events such as DefCon, where he ran the Radio Communications group, ShmooCon and DC650.
Krassimir holds a Bachelor's in Electrical Engineering (Communications) and a Master's in Digital Forensics and Investigations.
OPSEC
Whether performing an in-depth investigation or merely quick research, the investigator (or researcher) and the investigation itself are exposed to certain risks.
This workshop focuses on security and safety issues pertaining to online research and investigations. It covers different areas of the investigative process and how tools and particular techniques can leak information detrimental to the case or the investigator.
Furthermore, it goes deeper into how investigators and blue teams can be profiled and targeted. These can be direct attacks against their computers or supporting infrastructure, against their person, or against the investigation itself, which in turn may be as subtle as steering it in the wrong direction or making the evidence inadmissible in court.
More specifically, the workshop will cover different browser and infrastructure fingerprinting techniques, browser hooking, instant messaging programs, email security and tracking.
As it covers the dangers, this workshop provides a series of countermeasures and mitigations which can help investigators increase their level of safety and security and decrease their digital footprint.
In addition, the workshop introduces containerization and how it can be used to segment and streamline the process.
Requirements: Students must bring: VMWare Player or VBox. (*Note the latter does not perform as well.)
June 20, 2019 13:30-15:00
Christopher Merida (Cisco Systems Inc, US), Jason Kmack (Cisco Systems Inc, US)
Chris Merida is an InfoSec Engineer for Cisco's CSIRT team. Before making a transition to Cisco, Chris was the founder of the InfoSec program at a health organization in Maryland where he participated in several local, state, and Federal events to shape the future of information security for healthcare in the region. After joining Cisco, Chris was assigned to the team that deploys, maintains, and optimizes CSIRT's SIEM on which the playbook is executed. He enjoys making "good" processes "better" and finding ways to utilize an organization's existing technology to improve security. In his free time, Chris enjoys music, organic coffee, and fine liquor (occasionally at the same time).
Jason Kmack is an InfoSec engineer who works for Cisco's CSIRT team. His main focus is on developing software tools that help security analysts do their jobs more efficiently. Additionally, he works on improving backend processes and creating and improving data models for security reporting. In his spare time, Jason tries as often as possible to get lost in video games, television, and pints of micro brews.
Optimize Prime demonstrates how a CSIRT team can improve the efficiency of their SIEM to run plays faster and in near real time. The tool receives a query from a user or playbook management tool, optimizes it, and provides feedback on how the user can restructure the query to be more effective. In this case, we use Splunk's built-in optimizer, best practices for query structure from query experts, data source analytics (size of the data being searched, a measure of entropy for frequently used fields), and deployment benchmarking to provide the user with a faster query execution time. Operation of this tool reduced time-to-detect across all plays by 20 days over a year.
June 18, 2019 16:30-17:00
MD5: f42b94776834fd19605eb0de1dc53436
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.35 Mb
Francois Durvaux (Thales, BE)
Francois did his PhD in the Crypto Group at UCLouvain in Belgium. His research topic was the evaluation of side-channel attacks. Francois now works as a security engineer at Thales Belgium. He continues research activities both at work and in his free time. Francois is interested in all aspects of security, and never tires of learning new things. Beers and video games are great too!
What if an attacker can get closer to your sensitive devices? This talk demonstrates how to exploit the electromagnetic radiation emitted by electronic devices in order to recover cryptographic keys within seconds. We will first show how an affordable side-channel attack setup can be built. We will then show how an implementation of AES-256 running on an 8-bit microcontroller can be attacked.
June 19, 2019 14:30-15:30
Lion Gu (360 Enterprise Security Group, CN)
Lion Gu is a security analyst at 360 Enterprise Security Group. He has been a security professional for over 15 years. He graduated with a B.A. in Electrical Engineering, and holds several security certificates, including CISSP, CEH and CCNP. His interests cover all aspects of cyber security, especially malware analysis, cybercrime in general, and web security. He is an active member of the local security community, where he helps businesses, academic institutions, and governments to improve security. He has also presented at conferences including BlackHat, RSA, AVAR, CNCERT Annual, and others. He was formerly with the Forward-looking Threat Research Team of Trend Micro.
Driven by the increased value of cryptocurrency, cybercriminals are hijacking millions of devices to mine cryptocurrencies using cryptojacking malware. Unlike common malware, which targets small consumer devices, modern cryptojacking malware is designed to go after enterprise networks. Critical business can be impacted as a consequence of crashing applications and even damaged hardware. This new kind of malware is one of the major concerns of incident response teams.
Our talk attempts to bridge the knowledge gap about cryptojacking malware and shed light on the threat actors behind it. We will illustrate the tactics, techniques and procedures of the 8220 Miner Group, which has been conducting cryptojacking attacks for a year and is still active. We also give protection measures derived from our comprehensive survey of 9 cryptomining malware families, including WannaMiner, MsraMiner, ZombieboyMiner, etc.
June 17, 2019 14:30-15:30
Protect_Enterprise_Against_Cryptojacking.pdf
MD5: 2beb448859b756bccac835517e9a6729
Format: application/pdf
Last Update: June 7th, 2024
Size: 12.25 Mb
Gijs Peeters (National Cyber Security Centre the Netherlands (NCSC-NL), NL)
Gijs Peeters works as a senior advisor on public-private cooperation and international relations at the National Cyber Security Centre the Netherlands (NCSC-NL). Gijs has been working for some years now on stimulating different forms of public-private cooperation in the Netherlands and is one of the authors of several NCSC guides on how to set up your own cooperation in your sector (ISAC), region or supply chain (https://www.ncsc.nl/english/cooperation).
The Netherlands has a history of active public-private cooperation in different forms. This talk will present our long-term vision. We want to share our journey of getting to where we are now, how we initially set up these different forms of cooperation and where we will go in the future. We’ll share our lessons learned so that others can benefit from our positive and negative experiences and also create a network of clans in their country.
NCSC-NL has been working closely together with private companies for many years now — bottom-up and by ‘poldering’. We have learned a lot in setting up sixteen sectoral Information Sharing and Analysis Centres (ISACs). This has worked well, but we want to keep improving. As cybersecurity is gaining importance and permeating our society, we believe central coordination is no longer possible. Thus we are striving towards creating a nationwide network of cybersecurity partnerships, including ISACs but also collective CSIRTs and regional forms of cooperation.
June 18, 2019 16:30-17:00
Josh Lemon (Salesforce, AU)
Josh Lemon is a Director at Salesforce.com in their international Salesforce Security Response Centre (SSRC). Josh heads up the SSRC Strategic Response and Research Unit, which is responsible for looking at new, cutting-edge ways to approach incident response at scale. Josh is also a Certified Instructor for the SANS Institute, where he teaches the “Advanced Incident Response and Threat Hunting” (FOR508) course.
Prior to Salesforce, Josh was the CSIRT Manager for the Commonwealth Bank of Australia, leading one of the largest dedicated incident response teams in the Australian commercial sector. He previously worked as a Managing Consultant for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, including overseeing large and complex incident response and offensive security engagements.
Josh has provided incident response, digital forensics and penetration testing services to government, law enforcement and the commercial sector. He was one of the co-creators of SecTalks in Sydney, Australia, a monthly information security community event dedicated to presenting and teaching technical information security skills to others.
Josh has a varied background in the cybersecurity industry ranging from project management, lead incident responder, forensic analysis, reverse engineering, penetration testing and secure network design to software development. He currently holds the GREM, GCFA, GNFA, GCIH, GPEN and GPYC certifications and lectures on investigating cyber attacks at universities in Sydney and to international audiences for the SANS Institute.
Bringing a team of incident responders together and getting them all to work together accurately and efficiently while under pressure is not an easy task, let alone scaling a CSIRT across multiple countries with an infrastructure network that services over 150,000 businesses. This presentation will look at how the Salesforce CSIRT went through a number of changes over four years to build a CSIRT that is efficient and scales to the company's needs. It will explore the challenges of redefining how CSIRT staff work together at scale, along with our learnings on how to build better CSIRTs that reduce pressure on staff, increase maturity, decrease time to close incidents and extend the overall career of an individual within a CSIRT.
June 17, 2019 15:30-16:00
Carson Zimmerman (Microsoft, US)
Carson Zimmerman is a veteran cybersecurity specialist, author, and speaker. In his current role at Microsoft, Carson leads the integration and deployment of next generation cybersecurity monitoring platforms for key Microsoft environments. In his previous role, at The MITRE Corporation, Carson specialized in cybersecurity operations center (CSOC) architecture and CSOC consulting. His experiences over 15 years as a CSOC analyst and engineer led Carson to author Ten Strategies of a World-Class Cybersecurity Operations Center, which can be downloaded for free at http://bit.ly/1sKCOH9. He received a BS in Computer Engineering from Purdue University and an MS in Information Systems from George Mason University.
Co-Author: Christopher Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. Customers include large and small companies in varying industries: cyber security, defense, education, energy, and finance.
Mr. Crowley is a Senior Instructor with the SANS Institute and the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management.
Metrics are intended to demonstrate performance, and change in performance, over time. However, there are few global standards which allow Security Operations Center (SOC) teams to compare performance across organizations and industries.
This talk will first explore the existing systems of metrics for security operations, then select a triad of metrics to report to different groups within a canonical organization. These groups represent the executive concerns of the organization and the constituents who are protected by the SOC, the management responsible for overseeing the SOC, and the internal staff of the SOC. The intention of this separation is to provide measures relevant to the parties concerned.
The final portion of this talk will present data from applying these metrics to sample institutions, as a step toward a comparative analytical capability for judging performance relative to peer SOCs.
June 17, 2019 14:30-15:30
Public__SOC-Metrics-for-FIRST-v07-002-.pdf
MD5: 9adf93af10b668ae6af601320ad6d91a
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.78 Mb
11:00-14:30
Open meeting.
June 20, 2019 11:00-12:00
Eireann Leverett (Concinnity Risks, GB)
Eireann is not a PhD student, though he is a lifelong student. He also believes in repeatable research. He lives in Edinburgh, and might even be wearing a kilt as he types his bio in the third person (though he copied and pasted Ankit's to preserve his dignity).
We do the economics to see what it would take to build a socialised ransomware response programme, stripping payment information from binaries, websites and onion services. Then we use frequency analysis and the proportion of victims who pay to work backwards to the sizes of infections. From there, we look at the wide variety of factors that determine how much it costs to clean up (rather than how much is paid in ransom), and arrive at some funding numbers for how we might approach this collectively, instead of individually as CERTs.
June 20, 2019 13:30-14:30
David Watson (The Shadowserver Foundation, GB), Piotr Kijewski (The Shadowserver Foundation)
David Watson has been a member of the Shadowserver Foundation since 2008 and is a Director who leads the Special Projects Team in support of international law enforcement. David regularly presents and teaches classes at information security events and is passionate about helping network owners and cybercrime victims defend themselves using tools and information sources that are freely available. David was previously the Chief Research Officer and a Director of the Honeynet Project (2006-2016), helping develop and deploy security tools worldwide.
Piotr is a member of The Shadowserver Foundation, a non-profit with a mission of making the Internet a more secure environment. He has a strong CSIRT background, having previously worked in incident response at a national level for 14 years in the CERT Polska (CERT.PL) team. He managed the team for nearly 7 years until 2016, building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr currently also serves on the Board of Directors of the Honeynet Project, a well-known and respected non-profit committed to the development of honeypot technologies and threat analysis.
Domain Generation Algorithms (DGAs) are now used across almost all popular malware families to increase their resilience against botnet takedown attempts. However, DGAs have their weakness: they can be reverse engineered and current and future domains predicted. This can be done on an industrial scale, using malware datasets such as those of The Shadowserver Foundation (nearly 1 billion unique samples). Still, the problem of how to make DGA lists actionable for effective mitigation/remediation remains. Blocking or sinkholing DNS DGAs at the Registrar/Registry level is possible, but requires a significant amount of resources. However, what if we could blackhole/sinkhole DGAs at a recursive DNS resolver level instead? Enter the DNS Response Policy Zone (RPZ) mechanism. This talk will describe how any organization that runs its own recursive DNS server can gain access to Shadowserver’s new DGA DNS RPZ services to obtain real-time lists of DGA domains, that they can subsequently utilize in their own DNS servers to filter out queries from malware, locate victims in their network and collaboratively help save the world from DGA-enabled cybercrime!
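The RPZ mechanism the abstract refers to works by publishing a zone whose records tell the recursive resolver what to do with a matching query name. The following is an added example, not Shadowserver's feed or code: it turns a constructed list of predicted DGA domains into an RPZ zone (a `CNAME .` record is the RPZ trigger for a synthesised NXDOMAIN, and the wildcard record covers subdomains), and then uses the same list to locate infected clients in resolver query logs. The zone name, SOA/NS placeholders and the BIND-style querylog layout are assumptions.

```python
"""Turn a list of predicted DGA domains into a DNS Response Policy Zone (RPZ)
and use the same list to locate infected clients in resolver query logs.

Added example. The DGA domains and log lines are constructed, not taken from
Shadowserver's feed; the log format is an assumed BIND-style querylog line."""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of DGA-generated domains (not real feed data).
DGA_DOMAINS = [
    "qxvbmtrlkwe.com",
    "zpoiuytrewqa.net",
    "mnbvcxzlkjh.org",
]

def build_rpz_zone(domains: Iterable[str], zone: str = "dga.rpz.example",
                   serial: int = 2019061700) -> str:
    """Emit an RPZ zone in master-file syntax.

    'CNAME .' is the RPZ action for NXDOMAIN: a query for the name (or, with
    the wildcard record, any subdomain) gets a synthesised NXDOMAIN instead of
    the real answer. Zone name and SOA/NS values are placeholders (assumed)."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in sorted({d.strip().lower().rstrip(".") for d in domains}):
        lines.append(f"{name} IN CNAME .")      # exact name -> NXDOMAIN
        lines.append(f"*.{name} IN CNAME .")    # every subdomain as well
    return "\n".join(lines) + "\n"

# Assumed BIND querylog layout: "client <ip>#<port> ... query: <qname> IN <qtype> ..."
_QUERYLOG = re.compile(
    r"client (?P<ip>[0-9a-fA-F:.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def _matches(qname: str, blocked: Set[str]) -> bool:
    """True when qname equals or is a subdomain of any blocked name."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def find_victims(log_lines: Iterable[str], domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client IP that queried a DGA domain to the names it asked for."""
    blocked = {d.lower().rstrip(".") for d in domains}
    victims: Dict[str, List[str]] = {}
    for line in log_lines:
        m = _QUERYLOG.search(line)
        if not m:
            continue
        ip, qname = m.group("ip"), m.group("qname")
        try:
            ipaddress.ip_address(ip)        # drop malformed client fields
        except ValueError:
            continue
        if _matches(qname, blocked):
            victims.setdefault(ip, []).append(qname.rstrip("."))
    return victims

# Constructed resolver log lines for the demonstration.
SAMPLE_LOG = [
    "17-Jun-2019 11:45:01.000 queries: info: client 10.0.0.5#53211 (qxvbmtrlkwe.com): query: qxvbmtrlkwe.com IN A + (10.0.0.1)",
    "17-Jun-2019 11:45:02.000 queries: info: client 10.0.0.5#53212 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
    "17-Jun-2019 11:45:03.000 queries: info: client 10.0.0.9#40001 (cc.zpoiuytrewqa.net): query: cc.zpoiuytrewqa.net IN A + (10.0.0.1)",
    "17-Jun-2019 11:45:04.000 queries: info: client 10.0.0.9#40002 (notzpoiuytrewqa.net): query: notzpoiuytrewqa.net IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    print(build_rpz_zone(DGA_DOMAINS))
    print(find_victims(SAMPLE_LOG, DGA_DOMAINS))
```

Note that the matcher compares whole labels, so `notzpoiuytrewqa.net` is not treated as a hit for `zpoiuytrewqa.net`; a substring match would produce exactly the kind of false positive that makes DGA lists hard to act on.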
June 21, 2019 09:15-10:15
Thomas Fischer (FVT SecOps Consulting, GB)
Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure and network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on their data protection activities against malicious parties, covering not just external threats but also compliance-driven requirements.
Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.
SOC analysts and incident responders face a mounting increase in events generated by the tools we keep adding to “defend” our systems; in some environments event collectors consume tens of millions of events per day. The tendency is to look for new technologies like automation to help. Is technology the only answer? Criminal forensics in the initial investigation phases relies heavily on the ability to visually identify artefacts. For the past few years I have been looking at improving the processing of events for SOCs, incident response and threat hunting through better visualisation and communication. The conclusion is that there is nothing better than a pair of eyes to identify things. In this talk we will examine how better seeing and proper communication can facilitate the identification of incidents and their artefacts and turn them into reports and IOCs, despite the flood of events being generated by the tools.
June 20, 2019 11:00-12:00
MD5: 2c613236d64aa4909c15bef6c6830ff3
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.38 Mb
Allan Friedman (NTIA / US Department of Commerce, US), Art Manion (CERT/CC, US)
Dr. Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multi-stakeholder processes on cybersecurity, convening cross-sector working groups with a focus on resilience in a vulnerable ecosystem. This has included pioneering government engagement on coordinated vulnerability disclosure, IoT security, and software component transparency. Prior to joining the Federal government, Friedman spent over 15 years as a noted cybersecurity and tech policy scholar at Harvard’s Computer Science Department, the Brookings Institution and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a degree in computer science from Swarthmore College and a PhD in public policy from Harvard University.
Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Since joining CERT in 2001, Manion has studied vulnerabilities, coordinated disclosure efforts, and published advisories, alerts, and vulnerability notes for CERT/CC and US-CERT. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to automate and improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.
A “software bill of materials” that lists third party components can help the open source community, software vendors, and enterprise customers address security risks, vulnerabilities, and supply chain concerns. In 2018, NTIA launched an open process of experts from many sectors to identify challenges in assembling, sharing, and using data on third party components. This talk will present on the substantial progress made, sharing draft best practices, and highlighting use cases and use of existing standards. We will map out the work that remains to be done, and how the FIRST community can play an important role.
June 17, 2019 11:45-12:45
SBoM_Friedman_Manion_FIRST2019_v5-compressed-min.pdf
MD5: 17707e1b72978c2411273857b8139803
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.31 Mb
Emilien Le Jamtel (CERT-EU)
Emilien Le Jamtel has been a security analyst at CERT-EU for more than four years.
In the world of cryptocurrency-related malware, mining botnets are a growing threat to organizations. We observe that the interest of malicious actors in CryptoNote-based currencies (like Monero or Bytecoin) has increased dramatically because of the specific properties of those cryptocurrencies.
In this presentation we explain why such cryptocurrencies are appealing to malicious actors, and how to leverage publicly available sources for hunting CryptoNote-related malicious activities. We present tools to hunt and process CryptoNote-related malware samples, as well as how to use the generated data for threat analysis and indicator-driven monitoring.
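The indicators that make CryptoNote miners huntable are the wallet address and pool endpoint the miner must carry to get paid. The following added example (not CERT-EU's tooling) extracts those from a sample's bytes: Monero-style wallet addresses, stratum pool endpoints, and xmrig-style JSON configuration keys. The address rules are assumptions taken from Monero mainnet conventions (base58 alphabet, 95 characters starting with `4` or `8`, 106-character integrated addresses starting with `4`), and the sample bytes are constructed.

```python
"""Extract CryptoNote/Monero-style mining indicators from a sample blob:
wallet addresses, stratum pool endpoints and xmrig-style JSON config values.

Added example, independent of CERT-EU's tools. Address rules are assumptions
based on Monero mainnet conventions; the sample bytes are constructed."""
import re
from typing import Dict, List

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_RUN = re.compile(r"[%s]{90,}" % B58)                 # candidate address runs
_STRATUM = re.compile(r"stratum\+(?:tcp|ssl)://([A-Za-z0-9.-]+):(\d{2,5})")
_JSON_KV = re.compile(r'"(url|user|pass|algo)"\s*:\s*"([^"]*)"')
_HOSTPORT = re.compile(r"(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.-]+):(\d{2,5})")

def looks_like_monero_address(s: str) -> bool:
    """Assumed rules: 95 base58 chars starting with '4' (standard) or '8'
    (subaddress); 106 chars starting with '4' for an integrated address."""
    if any(c not in B58 for c in s):
        return False
    if len(s) == 95:
        return s[0] in "48"
    if len(s) == 106:
        return s[0] == "4"
    return False

def extract_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Return de-duplicated wallets, pool endpoints and config key=value pairs."""
    text = blob.decode("latin-1")          # 1:1 byte mapping keeps ASCII strings intact
    found: Dict[str, List[str]] = {"wallets": [], "pools": [], "config": []}

    def add(kind: str, value: str) -> None:
        if value not in found[kind]:
            found[kind].append(value)

    for m in _B58_RUN.finditer(text):
        if looks_like_monero_address(m.group(0)):
            add("wallets", m.group(0))
    for host, port in _STRATUM.findall(text):
        add("pools", f"{host}:{port}")
    for key, val in _JSON_KV.findall(text):
        add("config", f"{key}={val}")
        if key == "url":                     # xmrig allows a bare host:port here
            hp = _HOSTPORT.fullmatch(val)
            if hp:
                add("pools", f"{hp.group(1)}:{hp.group(2)}")
        elif key == "user" and looks_like_monero_address(val):
            add("wallets", val)
    return found

# Constructed sample: a fake wallet (valid shape, not a real address) inside an
# xmrig-style config fragment surrounded by binary noise.
FAKE_WALLET = "4" + ("AbCdEfGhJkMnPqRsTuVwXyZ123456789" * 3)[:94]
SAMPLE = (b"MZ\x90\x00\x03junk"
          + b'{"algo":"cryptonight","url":"stratum+tcp://pool.example:3333",'
          + b'"user":"' + FAKE_WALLET.encode() + b'","pass":"x"}'
          + b"\xff\xfe 8shortstring \x00 plain.example:5555 ")

if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE).items():
        print(kind, values)
```

The extractor deliberately ignores bare `host:port` strings outside a config key (`plain.example:5555` above), since those are too common in benign binaries to be actionable on their own; the wallet address, by contrast, is a high-confidence pivot for grouping samples and for querying public pool APIs.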
June 17, 2019 16:45-17:45
Kunio Miyamoto (NTT DATA Corporation, JP)
Dr. Miyamoto has been a member of NTTDATA-CERT since 2010 and works as an incident responder and as a researcher on preventing incidents and reducing damage.
He received his Ph.D. in Informatics (Institute of Information Security, Yokohama, Japan) in 2011, and registered as a Professional Engineer Japan (Information Engineering) in 2014.
To prevent access to malicious hosts, many solutions have been released and operated. Many of them work effectively, but if a solution has poor usability or a complex UI, it is difficult for operators to use.
For example, if a URL filtering solution has poor usability or a complex UI, registering malicious URLs in it makes the operators' work harder.
We developed "DQB" (DNS Query Blocker), which returns deceptive DNS replies, "Shutdowner", which returns deceptive TCP SYN-ACK replies, and an operations application for these systems to simplify their operation. These systems have been in use for 3 years.
In our presentation we will talk about the design and implementation of "DQB", "Shutdowner" and the operations application. We will also describe the knowledge obtained in daily operation and a rapid incident response case detected by DQB.
June 21, 2019 10:15-10:45
TBD_FIRST2019_Final_for_public.pdf
MD5: a876bfa6e1137d856af0c9cd552aeefd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.98 Mb
Andika Triwidada (Indonesia Computer Emergency Response Team (IDCERT), ID), Bisyron Wahyudi Masduki (Indonesia Security Incident Response Team on Internet Infrastructure (Id-SIRTI/CC), ID)
Bisyron Wahyudi is the Vice Chairman of ID-SIRTII/CC (Indonesia Security Incident Response Team on Internet Infrastructure/Coordination Center) for Data Center Application and Database. He pursued his postgraduate study in Software Engineering from Institute of Technology Bandung and Université Thomson, France. Now he is a doctoral student at Universitas Indonesia in the field of network security. He is a computer scientist with over twenty years of professional experience in Software Application development. Broad range Solution Architect with various exposures on enterprise solution development, solution architecture design and solution delivery. He's also been working for more than ten years in the field of network and information security. He is actively involved in several information and network security working groups, workshops, and trainings in the area of cyber security collaboration, capacity building, critical information infrastructure protection, information security standard and compliance, incident handling and CERT/CSIRT establishment & management.
Asian Games is the type of high-profile event where every operational mistake can get blown up into a global incident and national crisis. The Asian Games is the biggest multi-sport games after the Olympic Games, the most prestigious event organized by the Olympic Council of Asia (OCA).
Every four years, the Asian Games capture the world’s attention as thousands of Asia’s top athletes compete for medals, glory and national pride. As this mega event becomes further digitised, turning a physical event into the most computer-connected games yet, event organisers and sport officials are ever more concerned about cyber threats looming over the games.
Indonesia Asian Games 2018 Organizing Committee (INASGOC) is an official committee formed by the Indonesian government after Indonesia's appointment as the host of the 18th Asian Games. Id-SIRTII/CC as the national CSIRT of Indonesia together with IDCERT as the national CERT community were assigned by the government to assist INASGOC to guarantee IT (cyber) security during the holding of ASIAN GAMES 2018. The goal of IT security is to ensure that Asian Games Information System (AGIS) and the related working staff are protected from any uncontrolled issues, problems or risks that could compromise the performance and/or the usability of the AGIS services.
The implementation of the Asian Games requires very complex IT system support. All sport games cannot be run without IT. Organizing the IT Asian Games is equivalent to an IT service for companies with more than 50,000 employees and serves millions of customers and operates 24/7, with a variety of systems involving many multinational vendors. Given the criticality of IT to both event organizers and attendees, one area of critical concern was cyber security. Disruption to the digital side of the game can interrupt the overall implementation of sports games.
Turning the strategy and policies into an operational security program required us to develop measurements and associated infrastructure to provide a continuous view of its security posture, a data collection and analysis platform that could evaluate the millions of security alerts and telemetry to assess risk, design and build the network infrastructure to provide the appropriate security domains and control points and create an operations center to run the whole thing and respond to incidents. Integrated monitoring system was created to help collect, collate, sift, analyze and share vast amounts of information being collected by various sensors.
In this presentation, we share our experience and describe the integrated monitoring system that was provided to get end-to-end visibility and centrally manage all the sensor data collected and the log elements of the network, servers, applications and endpoint devices. This system’s ability to quickly analyse, adapt and respond to threats at tactical speed can mean the difference between success and failure; it also gives analysts and security officials the ability to detect and act early. Furthermore, we share the process of risk identification and assessment. This element is essential to developing the appropriate controls and to the subsequent process of identifying potential threats and risks, developing mitigation plans, building audit processes, putting it all into operation and optimising operational efficiency.
June 19, 2019 11:45-12:45
MD5: 6c214e37d91342c9e5bb5e2905791579
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.47 Mb
Tamas Boczan (VMRay, HU)
Tamas is a Senior Threat Analyst at VMRay. He is responsible for finding and analyzing relevant malware samples and improving VMRay's detection capabilities. He is mostly interested in evasive in-the-wild samples and exploitation. He is a regular contributor of deep technical posts to VMRay's technical blog.
In 2018 the ransomware-as-a-service black market was taken over by a single malware family, GandCrab. Besides its prevalence and rapid development, the family is also notable for burning a zero-day exploit against an antivirus product, something we expect from APTs but which is unique in commercial non-targeted malware of recent years. We tracked and analyzed each version of the malware from the start.
In this talk we present the various delivery methods used to spread the ransomware, and show how agile development allowed it to rapidly evolve and react to countermeasures. Based on our analysis of the malware variants and the zero-day, we also present upper and lower bounds of the capabilities of the adversary.
June 18, 2019 14:30-15:00
MD5: 15405a712c5e8f95859c51d1b05bb4d9
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.62 Mb
Paul Vixie (Farsight Security, Inc.)
Paul Vixie was responsible for BIND from 1989 to 1999, and is the author of a dozen or so IETF RFC documents about DNS. He also started the first anti-spam company (MAPS) where he co-invented the DNS RBL (Realtime Blackhole List) that now protects all e-mail planet-wide, and was the founder and later president of the first U.S.-based commercial Internet Exchange (PAIX). Today he serves as CEO of Farsight Security, home of the Security Information Exchange (SIE) and the world's leading Passive DNS database (DNSDB). He managed the F-root DNS server from 1996 to 2012, and wrote the Cron software used on all UNIX-type computers today. He is also co-inventor of the DNS Response Rate Limiting (RRL) and Response Policy Zone (RPZ) feature-sets now in wide use to protect the operational Internet Domain Name System against online attacks. He received his Ph.D. from Keio University in 2011, and was inducted into the Internet Hall of Fame in 2014.
The Domain Name System has been a critical enabler of Internet growth since its inception in 1987. In the decades since then, the DNS resolution process has evolved from the LAN to the WAN and to Anycast; it now includes DNSSEC validation, Extended DNS (EDNS) Client Subnet, larger message sizes and I18N. The resolution process has also been abused for surveillance, advertising insertion and exfiltration. Today the DNS resolution process is poorly understood, and yet under forced revision. The trend is for DNS to be carried inside HTTPS, where it cannot be monitored or controlled except by the servers and clients themselves, and the dangers this will yield must be studied and discussed while the future remains flexible. Dr. Vixie will describe the past and present of DNS, and discuss its likely near-term future.
June 19, 2019 14:30-15:30
230-DNS-Past-Present-Future-FIRSTCON2019.pdf
MD5: 72ccb7365c6c5f3fb0888c763bfa7a7e
Format: application/pdf
Last Update: June 7th, 2024
Size: 558.91 Kb
Jan Pospisil (Siemens, DE), Karl Peter Fuchs (Siemens, DE)
Jan Pospisil: Jan is Senior Data Scientist at the Siemens Cyber Defense Center. He has a background in Artificial Intelligence and Machine Learning. Currently his focus is on building a Siemens-wide cyber defense platform based on AI. Before joining the Cyber Defense Center, Jan was Head of Data Science at Siemens MindSphere IoT platform. There, his focus was on manufacturing optimization, predictive maintenance, and digital twin.
Karl Peter Fuchs: Karl is Functional Lead for Security Monitoring at Siemens’ Cyber Defense Center. His focus is on improving the threat detection capabilities of Siemens and on automating related processes to prevent Security Analysts from repetitive work. Karl has a strong passion for trying out and applying new technologies and approaches. Before joining Siemens, he worked for several R&D facilities on Security, Privacy, Usability, Machine Learning, and Big Data.
Deep Learning has become practical in many domains, including self-driving cars, language translation, healthcare and IT security. Yet the actual use cases in those domains where Deep Learning and AI can add real value are still quite limited. Especially in threat detection it is a big challenge to design approaches that produce an acceptable number of false positives when applied to large networks. In this talk, we show how we solved this challenge for a concrete use case: the detection of domain names generated by Domain Generation Algorithms, which malware uses to obfuscate its communication. We give insights into the design and capabilities of the threat detection model and the underlying Big Data platform that enables continuous threat detection across more than 500,000 hosts on the Siemens corporate network.
June 19, 2019 15:30-16:00
Threat-Detection-based-on-Deep-Learning-at-Scale_PUBLIC_presentationFirst2019-upload.pdf
MD5: aab747baa3de69b55a0070254a25b319
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.66 Mb
Wataru Takahashi (Japan Computer Emergency Response Team Coordination Center, JP)
Wataru was previously engaged in security system integration and service development at an IT vendor where he learned expertise in securing servers and access controls against servers. He joined JPCERT/CC in October 2016 and ever since he has been committed to malware analysis and forensics, especially dealing with ever-evolving malware and attack techniques with his persevering attitude.
Sysmon logs are important in incident investigation. Sysmon records various Windows OS events such as running applications, created registry entries and network communication. Most commonly, analysts convert Sysmon logs into text format and search for specific events; however, it is difficult to investigate multiple devices simultaneously that way. SIEM products can also be applied to this analysis, but they are often expensive and not a feasible option for every analyst.
As an alternative, we considered a new method for Sysmon log analysis and found that it can be conducted more smoothly by aggregating the logs and presenting them as a visual image. For this purpose, we developed and released an open source tool which is freely available on the Internet.
In this presentation, we will propose a method to visualise and analyse Sysmon logs and introduce the tool “SysmonSearch”. We will also demonstrate how the visualised image of event correlation makes it easier to analyse logs, and how this tool can help in identifying suspicious behavior based on monitoring rules.
JPCERTCC/SysmonSearch: Investigate suspicious activity by visualizing Sysmon's event log
https://github.com/JPCERTCC/SysmonSearch
Visualise Sysmon Logs and Detect Suspicious Device Behaviour -SysmonSearch- - JPCERT/CC Eyes | JPCERT Coordination Center official Blog
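The correlation that makes Sysmon logs useful as a graph is the `ProcessGuid` shared between a process-creation record (Event ID 1) and the network-connection records (Event ID 3) that process later produces. The following added example is not SysmonSearch's own code: it parses constructed events in Sysmon's exported XML layout, builds parent/child and process/destination edges keyed by `ProcessGuid`, emits a Graphviz digraph of them, and applies one monitoring rule (an Office application spawning a child that then opens a network connection). The Office process list and the rule itself are assumptions.

```python
"""Correlate Sysmon process-creation (Event ID 1) and network-connection
(Event ID 3) records by ProcessGuid, render them as a graph, and flag a
parent/child/network chain with a simple monitoring rule.

Added example, not SysmonSearch's code. The events below are constructed in
Sysmon's exported XML layout; the rule and OFFICE list are assumptions."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed events: WINWORD spawns powershell, which then connects outbound.
SAMPLE_EVENTS = f"""<Events>
<Event xmlns="{EVENT_NS}">
 <System><EventID>1</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="ProcessGuid">{{A1}}</Data><Data Name="Image">C:\\Program Files\\Microsoft Office\\WINWORD.EXE</Data>
  <Data Name="CommandLine">WINWORD.EXE invoice.docm</Data>
  <Data Name="ParentProcessGuid">{{00}}</Data><Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
 </EventData></Event>
<Event xmlns="{EVENT_NS}">
 <System><EventID>1</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="ProcessGuid">{{B2}}</Data><Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
  <Data Name="CommandLine">powershell -enc SQBFAFgA</Data>
  <Data Name="ParentProcessGuid">{{A1}}</Data><Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\WINWORD.EXE</Data>
 </EventData></Event>
<Event xmlns="{EVENT_NS}">
 <System><EventID>3</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="ProcessGuid">{{B2}}</Data><Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
  <Data Name="DestinationIp">203.0.113.7</Data><Data Name="DestinationPort">443</Data>
 </EventData></Event>
</Events>"""

def parse_events(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into a dict of EventID, Computer and EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": ev.findtext("e:System/e:EventID", namespaces=NS),
               "Computer": ev.findtext("e:System/e:Computer", namespaces=NS)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events

def build_graph(events: List[Dict[str, str]]) -> Tuple[List[Tuple[str, str, str]], Dict[str, Dict[str, str]]]:
    """Edges ('spawn', parent_guid, child_guid) from ID 1 and
    ('net', guid, 'ip:port') from ID 3; processes keyed by ProcessGuid."""
    procs: Dict[str, Dict[str, str]] = {}
    edges: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev["EventID"] == "1":
            procs[ev["ProcessGuid"]] = ev
            edges.append(("spawn", ev["ParentProcessGuid"], ev["ProcessGuid"]))
        elif ev["EventID"] == "3":
            edges.append(("net", ev["ProcessGuid"], f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return edges, procs

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def to_dot(events: List[Dict[str, str]]) -> str:
    """Graphviz rendering of the correlated events (nodes labelled by image name)."""
    edges, procs = build_graph(events)
    label = lambda n: _basename(procs[n]["Image"]) if n in procs else n
    body = "\n".join(f'  "{label(a)}" -> "{label(b)}";' for _, a, b in edges)
    return "digraph sysmon {\n" + body + "\n}\n"

OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")   # assumed rule scope

def office_spawn_with_network(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, List[str]]]:
    """Rule: an Office process spawns a child that then makes a network connection."""
    edges, procs = build_graph(events)
    net: Dict[str, List[str]] = defaultdict(list)
    for kind, src, dst in edges:
        if kind == "net":
            net[src].append(dst)
    hits = []
    for guid, p in procs.items():
        parent = _basename(p.get("ParentImage", "")).lower()
        if parent in OFFICE and net.get(guid):
            hits.append((p["Computer"], parent, _basename(p["Image"]).lower(), net[guid]))
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(to_dot(evs))
    print(office_spawn_with_network(evs))
```

Joining on `ProcessGuid` rather than on PID matters: PIDs are reused quickly on a busy host, and a rule keyed on PID would silently attach one process's connections to another.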
June 21, 2019 10:15-10:45
1015-31st_FIRST_Annual_conference_SysmonSearch-Wataru-Takahashi.pdf
MD5: 76224a92c2a52e75f6ac80b8240b1766
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.94 Mb
Perttu Halonen (National Cyber Security Centre Finland, Finnish Communications Regulatory Authority, FI)
Mr. Perttu Halonen works as an information security specialist at the National Cyber Security Centre Finland, where he is one of those responsible for cooperation with the social welfare and health care sector. In addition, he contributes to the national CERT function as a situation awareness coordinator. Prior to joining the NCSC-FI, he worked as a research specialist at Nokia Corporation.
Health care sector cyber security is a hot topic. Improving the sector's cyber security is challenging: educating the large health care personnel that traditionally is not very inclined to security; protecting various connected medical devices from misuse; managing the cyber security in collaboration networks. Finland has taken an approach to develop the sector's cyber security with multiple concurrent actions with stakeholders on regional and national levels and influence on all levels. This presentation describes the goals and results of health ISAC, Cyber-Health development project and national cyber preparedness guidelines on health care sector.
June 21, 2019 09:15-10:15
Halonen-Three-circles-to-improve-health-care-cyber-security_-FIRSTCON19-2019-06-04.pptx
MD5: 48595ec7009ded09b06b919fded0c08b
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 3.67 Mb
Olivier van der Toorn (University of Twente, NL)
Olivier is a Ph.D. student in the Design and Analysis of Communication Systems (DACS) group at the University of Twente, where he has been working on malicious domain detection through active DNS measurements for the last two years. Alongside his Ph.D., Olivier has been a volunteer system administrator at two study associations for the last five years. Through his Ph.D. work he is closely involved with the OpenINTEL measurement project. The project is well established within the academic community: OpenINTEL data has been used in more than 20 published academic papers and has helped establish academic collaborations worldwide.
In this talk (long presentation) we introduce the idea of proactive threat detection using active DNS data. We give examples of how proactive detection approaches can be applied to different types of attacks. We will detail the case of snowshoe spam, for which we have developed a proactive detection approach that is currently in use in the mail filter of a large Dutch operator.
Snowshoe spam is a hard to detect type of spam based on a large number of low-volume spammers, which typically evade traditional spam detection methods. We uncovered that domains set-up for snowshoe spam differ significantly from regular, benign, domains. We are not only able to detect those domains, but we show that we can do that considerably earlier than regular spam detection methods.
Our intuition is that predicting whether a domain will be used for malicious purposes can reduce the damage done by attackers. CERT teams may configure their systems to be extra vigilant towards domains predicted to be malicious. Our ultimate goal is to make the Internet a safer place by making an early prediction of the nature of a domain via proactive blacklists.
June 20, 2019 11:00-12:00
TIDE_-Proactive-threat-detection.pdf
MD5: eea20578fb5d8276031383526256d041
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.44 Mb
Michael Murray (Secureworks, US), Robert Lelewski (Secureworks, US)
Robert Lelewski is a cybersecurity leader with fifteen years of experience providing computer forensic, incident response, and affiliated consulting services with a specific focus on proactive cybersecurity consulting services. In his position at Secureworks as the Senior Manager for Secureworks proactive incident response consulting services, Robert is continually helping clients prepare for the inevitable via tabletops, technical trainings, development of incident response plans, and other proactive services, while working with both technical teams as well as Board of Directors for large and small organizations. Prior to joining Secureworks, Robert functioned as an expert witness on computer forensic legal matters in both civil and criminal courts and taught collegiate courses on information security topics.
Robert holds the following degrees and certifications: MBA, MS, GCIH, CISM, CISA, CRISC, CISSP-ISSMP, EnCE, ACE, CCE, CASP
Michael Murray serves as a Senior Manager for the Secureworks Security and Risk Consulting - Incident Response (SRC-IR) team, focused on delivering proactive incident response services that prepare our clients to act when an incident strikes by ensuring that they have defined, implemented, and exercised the necessary plans and processes, and by augmenting client incident management capabilities during an incident response event. Prior to joining the Secureworks team, Michael was a member of the technical staff at the CERT Coordination Center (CERT/CC), and previously served on the Board of Directors of the Forum of Incident Response and Security Teams (FIRST).
Increasingly, organizations are performing tabletop exercises to help gauge and increase their overall readiness for a cybersecurity event. These exercises range from short lunchtime events to multi-day affairs. Unfortunately, these exercises are often stymied by very simple shortcomings, which diminish the value of the exercise.
Through their experience in conducting hundreds of tabletops, the presenters have recognized a variety of trends that continually repeat themselves regardless of the organization’s vertical or maturity level, and ultimately impact the efficacy of the tabletop exercise. The presenters will describe each of these common failures, which range from the simple to complex, and present strategies to avoid said failures when planning your next tabletop exercise.
June 20, 2019 11:00-12:00
FIRST-2019-Top-Common-Tabletop-Exercise-Failures_Final.pdf
MD5: 6f18f43077d217407c7aad34ee41f751
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.27 Mb
11:00-12:00
Closed meeting - members only.
If you would like to join the TLP SIG, please e-mail your request to Don Stikvoort at tlp-chairs@first.org or talk to him at the conference.
June 20, 2019 11:00-12:00
Alexandre Dulaunoy (CIRCL, LU), Andras Iklody (CIRCL, LU)
Besides being an expert gardener, Alexandre has been known to have an inhuman capacity for consuming dark chocolate. Legend has it that he occasionally sleeps.
Andras is a caffeine guzzling code monkey that has been known to occasionally troll others.
In a continuous effort since 2016, CIRCL frequently gives training sessions about the MISP project and especially the MISP threat intelligence software. The purpose is to reach out to security analysts using MISP as a threat intelligence platform along with users using it as an information sharing platform. This is an opportunity for the users to meet the developers and discuss potential improvements or use-cases for MISP as a threat-intelligence platform.
The MISP training will demonstrate how the platform functions; explain how to share, comment on and contribute data; and describe future developments. This part of the training focuses on the analyst aspect along with the management of your own MISP instance, especially how to connect to other MISP communities.
More information about MISP: https://www.circl.lu/services/misp-malware-information-sharing-platform/
About the MISP project: https://www.misp-project.org - https://twitter.com/MISPProject
Requirements:
For more information: https://www.circl.lu/services/misp-training-materials/
June 17, 2019 11:45-13:15, June 17, 2019 14:30-16:00, June 17, 2019 16:45-18:15
Alexandre Dulaunoy (CIRCL, LU), Andras Iklody (CIRCL, LU)
Besides being an expert gardener, Alexandre has been known to have an inhuman capacity for consuming dark chocolate. Legend has it that he occasionally sleeps.
Andras is a caffeine guzzling code monkey that has been known to occasionally troll others.
This full-day training aims to cover a wide range of aspects that should help attendees integrate MISP in their environments, modify the libraries and knowledge bases on which the software relies, and extend its functionality.
Furthermore, the training aims to be useful for those that use the MISP vocabularies in their tooling landscape, even without ever using MISP itself.
The audience is expected to have a basic understanding of MISP concepts and CTI in general.
Requirements:
For more information: https://www.circl.lu/services/misp-training-materials/
June 18, 2019 11:00-12:30, June 18, 2019 13:30-15:00, June 18, 2019 15:30-17:00
Daniel Caban (Mandiant (a FireEye Company), AE), Peter Barbour (Mandiant (a FireEye Company), GB)
Dan Caban is a Consulting Manager for Incident Response and Forensics at Mandiant and is based in Dubai, UAE. Dan has more than thirteen years of experience in digital forensics, incident response, and remediation consulting. At Mandiant, he has responded to intrusions involving targeted threat actors in many market verticals, including government, finance, transportation, and energy.
Peter Barbour is a Principal Consultant with Mandiant in the UK. He has 12 years' experience leading Threat Intelligence and Incident Response teams in both the public and private sector.
Last year, Mandiant responded to a suspected intrusion at an ICS facility. What was revealed shocked the ICS security industry: a remote threat actor had been targeting the safety systems that physically secure the ICS process. This talk will provide a background on the intrusion and the TRITON malware and will include in-depth details on the threat actor's methodologies, tools, techniques, and procedures. The talk will highlight the attribution that linked the attack to an institute in Russia.
June 18, 2019 12:00-12:30
17:00-18:30
Open meeting.
June 19, 2019 17:00-18:30
13:45-15:30
Open meeting.
June 19, 2019 13:15-14:30
Art Manion (CERT/CC, US), Deana Shick (CERT/CC, US), Madison Oliver (CERT/CC, US)
Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Since joining CERT in 2001, Manion has studied vulnerabilities, coordinated disclosure efforts, and published advisories, alerts, and vulnerability notes for CERT/CC and US-CERT. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to automate and improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.
Leigh Metcalf has a PhD from Auburn University in Mathematics. She has been at CERT for 9 years as a Cybersecurity researcher and is the co-Editor-in-chief of ACM Digital Threats: Research and Practice. She is also the primary author of the book Cybersecurity and Applied Mathematics and a co-author on the book The Science of Cybersecurity (in preparation with World Scientific). Leigh specializes in analyzing assumptions found in Cybersecurity research and has written and released open source software.
Madison Oliver is a vulnerability analyst in the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University Software Engineering Institute. She has been performing coordinated vulnerability disclosure at the CERT/CC for just over a year and supports Common Vulnerabilities and Exposures (CVE) efforts both at the CERT/CC and in multiple CVE working groups. Before joining the CERT/CC, Oliver studied cybersecurity for six years at both the Pennsylvania State University and Carnegie Mellon University. She has presented at ShmooCon and other local conferences. When she is not busy trying to make the Internet a safer place, she serves on the alumni board at the Pennsylvania State University mentoring young women studying cybersecurity.
This one-day course is designed for those responding to vulnerabilities. It will provide an overview of key issues, processes, and decisions that must be made to either create or better support the response efforts of a PSIRT team. Attendees will develop an action plan for vulnerability response as they work through their current processes, or while designing a PSIRT capability if one does not exist.
The course is composed of lectures and class exercises. Participants will learn the requirements for establishing an effective PSIRT team, the various organizational models, the variety and level of services that can be provided, and the types of resources and infrastructure needed to support a team.
This course supports the FIRST PSIRT Services Framework, and explores a subset of the elements covered by the Framework.
June 18, 2019 11:00-12:30, June 18, 2019 13:30-15:00, June 18, 2019 15:30-17:00
Alexander Vetterl (University of Cambridge, GB)
Alexander Vetterl is a PhD student at the University of Cambridge where he is part of the Security Group and the Cambridge Cybercrime Centre. His research interests include honeypot architectures, intrusion detection systems and cybercrime, with a particular focus on the Internet of Things (IoT).
He has been working on techniques to fingerprint low- and medium-interaction honeypots at Internet scale and providing insights into how honeypots are configured and deployed in practice. Recognizing the need for better honeypots to combat cybercrime, Alexander is currently developing a new "IoT honeypot" that can accommodate various devices and emulate their functionality within a virtual environment.
Honeypots are intended to be covert and therefore little is known about how many are deployed or who is using them. I present a generic technique for systematically fingerprinting low- and medium-interaction honeypots at Internet scale with just one packet. I conduct Internet-wide scans and identify 7,605 honeypot instances across nine different honeypot implementations for the most important network protocols: SSH, Telnet, and HTTP. Since the probes do not leave meaningful log entries in any of our tested honeypots, operators will not be aware that their honeypot has been detected.
I further show that these deployments are not kept up to date – 27% of the honeypots have not been updated within the last 31 months and only 39% incorporate improvements from 7 months ago. I believe the findings to be a ‘class break’ in that trivial patches to the current generation of honeypots cannot address the issue.
June 20, 2019 14:30-15:00
Vetterl_fingerprinting_honeypots_FIRST-19.pdf
MD5: 4989cd5d71d005bc72fbcc70a19e203f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.01 Mb
Jeroen van der Ham (NCSC-NL, NL), Shawn Richardson (Palo Alto Networks)
Jeroen van der Ham is a researcher at NCSC-NL and assistant professor in the Design and Analysis of Communication Systems (DACS) group at the University of Twente. At NCSC-NL he focuses on coordination of academic cyber security research, the many developments in coordinated vulnerability disclosure and the ethics of the security profession. At the University of Twente he focuses his research on the ethics of internet security research, denial of service attacks, and anonymization in network measurements.
Shawn Richardson is the technical lead for Palo Alto Networks Product Security Incident Response Team (PSIRT), driving product security incidents from initial disclosure to full resolution with security researchers, engineering, quality assurance, and customers for the company. Prior to joining Palo Alto Networks, she spent over 15 years at Microsoft in various security and privacy roles including in the Microsoft Security Response Center. Ms Richardson was also a contributor to the ISO 29147 and ISO 31111 standards.
In this talk we will walk through the current work in progress in the Ethics SIG, describe our goals and explain what it will mean for you to have a code of ethics for FIRST.
June 18, 2019 13:30-14:30
Douglas Wilson (Self, US), Nguyet Vuong (Civil / Consensys, US)
Doug Wilson (Ex-Mandiant, FireEye, Uptycs) has almost 20 years in security, but if you look way back, his college degree is actually in design! When not doing security, he has spent a fair bit of the past 15 years attending events that focus on design, and believes that design elements are critical to success in security pursuits. He has presented at numerous security conferences over his career, as well as talks and a workshop at FIRST.
Nguyet Vuong has 16 years of experience as a digital designer, and is currently a Co-Founder and Design Lead for Civil (www.civil.co). She has won design industry awards, given numerous presentations, and facilitated workshops on design. She believes in honest and transparent design patterns that respect people's time and intelligence. She regularly tries to spread the word of how design thinking and processes can make other fields better, including security.
The fields of security and design are eerily similar. Both are interested in challenging the status quo for processes, products and applications. Both spend a lot of time examining unusual and unplanned behaviors from both users and applications. And both are fields where success or failure tends to come down to the humans involved, despite amazing technical innovation.
Security practitioners, however, are sometimes overly focused on the negative. This may cause them to lose track of some ideals that are core to design, and can lead to problems in communication, inclusiveness, and the creation of equitable solutions.
By adopting practices that come from the positive side of the equation in the design field, security practitioners can improve their communication and solve problems at different levels. This talk will introduce several tools that designers use in their work on a daily basis, and propose how they can help security practitioners.
June 19, 2019 12:45-13:15
1245-wilson-vuong-FIRST-presentation.pdf
MD5: 624674bce3b96acabc575b80736dcc5d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.21 Mb
Daan Raman (NVISO, BE)
Daan is a co-founder and active partner of the Belgian cyber security firm NVISO. At NVISO, Daan is in charge of NVISO Labs, the research arm of NVISO. Together with the team, he drives initiatives around innovation to ensure we stay on top of our game; innovating the things we do, the technology we use and the way we work forms an essential part of this.
Outside of his professional activities, Daan has been an active member of the information security community for several years, attending and presenting at conferences, as well as developing open-source software.
The collection of millions of endpoint and network events in modern IT environments opens up great opportunities for the security analyst to perform Threat Hunting activities in search of adversary activity. However, the Threat Hunter faces several challenges: how do we create a baseline of “normal” or “expected” activity out of millions (or billions!) of events? How do we introduce the human feedback loop in our Threat Hunting activities? How do we deal with false positives?
In this talk we introduce ee-outliers, an open-source framework we developed to detect statistical outliers in events stored in an Elasticsearch cluster, in support of the Threat Hunter. The framework contains a number of statistical models which can be used and extended using a basic configuration file format: no coding skills required!
Examples of malicious activity that can be detected using ee-outliers include: beaconing, improbable geographical activity, phone-home activity, infected processes, and lots of other use cases that are limited only by the Threat Hunter's creativity.
June 20, 2019 14:30-15:00
David Watson (The Shadowserver Foundation, GB), Piotr Kijewski (The Shadowserver Foundation), Stewart Garrick (The Shadowserver Foundation, GB)
David Watson (The Shadowserver Foundation, GB)
David Watson, a member of the Shadowserver Foundation since 2008, is a Director who leads the Special Projects Team in support of international Law Enforcement. David regularly presents and teaches classes at information security events and is passionate about helping network owners and cybercrime victims to defend themselves using tools and information sources that are freely available. David was previously the Chief Research Officer and a Director of the Honeynet Project (2006-2016), helping develop and deploy security tools worldwide.
Stewart Garrick (The Shadowserver Foundation, GB)
Stewart Garrick is a former Senior Investigating Officer with Scotland Yard and latterly the UK’s National Crime Agency. He led many of the NCA’s high priority cybercrime operations. Upon ‘retiring’ he joined The Shadowserver Foundation’s Special Projects Team, where he uses his 30 years of experience to help Law Enforcement around the world lead complex, successful cybercrime disruption operations.
Botnet takedowns are challenging and complex activities, requiring long-term technical analysis and highly coordinated, cross-jurisdictional cooperation between public and private entities. They also involve fighting back with skill, agility and imagination matching the criminals'. Success culminates in a shutdown of cybercriminal operations, sinkholing of botnet C&C infrastructures, ideally actor arrests, and media attention. Botnets can be massive, global and abuse DNS at scale. Shadowserver's privileged position as a go-to partner to many international LEAs allows us to provide a candid insight and lessons learned to better understand how to combat these significant threats.
We describe Shadowserver’s first-hand experiences in this niche arena, drawing on recent cases (e.g. Kovter/Boaxxe, VPNFilter, Magecart, Kelihos, Mirai, Avalanche/Andromeda) as well as newer operations by the time of the conference. We also consider opportunities for engaging CSIRTs in communities of interest as active providers of information, as well as traditional victim remediators.
June 19, 2019 15:30-16:00