BoFs & Scheduled Side Meetings

Following discussions during and after #FIRSTCON22, INTERPOL has formulated a proposal to create a Special Interest Group (SIG) to discuss issues relating to cybercrime law enforcement with the FIRST community. The proposed Law Enforcement-CSIRT Cooperation SIG aims to enable contact and exchange of experience and best practices between FIRST members within law enforcement, CERTS / CSIRTs, and to foster better mutual understanding on work relating to the prevention and disruption of cybercrime and other cyber threats.

This BOF talk aims to solicit further comments and inputs regarding the drafted SIG Proposal Checklist which will be submitted to the FIRST Secretariat and onward to the FIRST Board of Directors. Current proposed main areas for engagement and discussion within the SIG include:

• Fostering better understanding of the law enforcement component of disruption and investigation
• Threat assessment and notification processes within private entities and non-law enforcement public entities (CERTs / CSIRTs)
• Current / best practices for collaboration and exchange between law enforcement agencies and CERTs / CSIRTs, and for engagement / activation of their respective capacities before the commencement of operational planning and disruption investigations (e.g. threshold for activation, process and legal regulation of such engagement)
• Modalities for collaboration and coordination of joint disruption operations between law enforcement and CERTs / CSIRTs
• Understanding modi operandi of threat actors and how CERTs / CSIRTs and law enforcement can better align efforts to disrupt these actors

Carlos was born in Lisbon (Portugal), and graduated in Computer Science at the University of Lisbon in 1999. He was a Systems Engineer at University of Lisbon from 1996 to 2000 -- with a short spell at FCCN, working for the Portuguese Schools' Network Team and ccTLD .PT. Back to FCCN during 2000, he managed the Portuguese Internet Exchange (Gigapix) for 15 years. Since late 2015 he moved into CyberSecurity, taking a leadership role at RCTS CERT, the Portuguese R&E Network's Computer Emergency Response Team. From 2016 to 2018 he was the Chairman of the Portuguese CSIRT Network's General Assembly (redecsirt.pt).

The initial part will cover how IP address blocks are distributed, and the "market dynamics" in recent years triggered by scarcity. The Internet has evolved and Global routing can't rely anymore on "confidence". Practice still enables the use of LoA (Letters of Authorization) which can be easily forged. Tools in place such as RPKI and ROV enable any person to check the holdership of any given IP address space block anytime, and it is the perfect solution to drop the use of LoA. This presentation intends to discuss path to change current status quo, and thus enable a more secure routing plane for the Internet.

I work at Truesec as a Threat Research Analyst were my role is to reverse engineer malware that we find in our SOC and we find in our incident response engagement. Before joining Truesec I worked the national CSIRT, CERT-SE, as a CSIRT Officer.

The last year we have seen an increase in malware distributed by USB, at Truesec we have now +100 cases of Raspberry Robin and a few cases of PlugX that utilize USB as the payload carrier but also can exfiltrate data that is air-gapped. In this presentation I would like to show the findings we have done and share insights but also to discuss with other practitioners what they have discovered and how we can help each other in detecting and stopping malware distributed by USB drives.

Do you count vulnerabilities? Characterize or measure them in some way? Predict the occurrence or distributions of new vulnerabilities? Predict characteristics of new vulnerabilities? Why? What are your use cases? Do you work with acronyms like CVE, GSD, CVSS, SSVC, EPSS, CWE? If any of the above are true, you might be interested in this BoF.

CFP submission page: https://easychair.org/my/conference?conf=v4ctc

Art Manion is the Deputy Director of ANALYGENCE Labs where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has lead and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

Éireann Leverett is the co-author of Solving Cyber Risk, and a cyber risk entrepreneur. His career has taken him from hardhats and steel toed boots in industrial control systems to the implications for critical national infrastructure in policy. He works regularly with the international CERT community at FIRST.org, and writes papers when he finds the time. His proudest achievement is co-authoring a paper which has inspired legislation in the EU. He loves nature, travel, and reading when he gets away from computers.

This BoF Session will provide attendees with an opportunity to discuss the issues raised in the "UMQ? What Comes After TLP" presentation to be delivered by Tom Millar (CISA) on Monday of the conference. The goal is to discover whether attendees are interested in establishing a new SIG (or augmenting an existing SIG) to advance information sharing beyond the limitations of TLP, IEP, etc.