Program Overview


April 7th (Monday)

FIRST Technical Colloquium

08:00 – 09:00

Registration

09:00 – 09:15

Welcome

Gavin REID (CISCO)

09:15 – 10:00

Beyond Zone File Access: Discovering Novel Domain Names Using Passive DNS

Henry STERN (Farsight)

10:00 – 11:00

Threat Actor Techniques

Jeremy JUNGINGER (CISCO)

11:00 – 11:30

Networking Coffee Break

11:30 – 12:30

SecAdmin – Mitigating Attacks Targeting Administrator Credentials

Dave JONES (CISCO)

12:30 – 13:30

Lunch Break

13:30 – 14:00

On the Actors Behind Sefnit / Mevade

Feike HACQUEBORD (TrendMicro)

14:00 – 15:00

Targeted Attack Case Study

Gavin O'GORMAN (Symantec)

15:00 – 15:30

Networking Coffee Break

15:30 – 16:30

CERT Portal Demonstration & Snowshoe Spamming

Carel VAN STATEN (Spamhaus)

16:30 – 17:15

Using the Big Data Ecosystem to Look for Evidence of Botnets.

Steven POULSON (CISCO)

17:15 – 18:45

Social Event

April 8th (Tuesday)

FIRST Technical Colloquium

08:00 – 09:00

Registration

09:00 – 09:30

dnstap: High Speed DNS Logging Without Packet Capture

Henry STERN (Farsight)

09:30 – 10:30

CSIRT Playbook 2.0: Choose Your Own Misadventure

Jeff BOLLINGER (CISCO), Matthew VALITES (CISCO)

10:30 – 11:00

Networking Coffee Break

11:00 – 12:00

CVSS v3 – This One Goes to 11

Seth HANFORD (CISCO)

12:00 – 13:00

Lunch

13:00 – 13:45

Ingesting 1.2 Million Network Packets per Second Using HBase in Real Time

Michael BURG (CISCO), Pablo SALAZAR (CISCO)

13:45 – 14:30

The Internet of Everything (Compromised)

Martin LEE (CISCO)

14:30 – 15:00

Networking Coffee Break

15:00 – 15:45

DNS TTL Project

Levi GUNDERT (CISCO), Armin PELKMANN (CISCO)

15:45 – 16:30

Beyond 400 Gbps: Abusing NTP and Other Protocols for DDoS

Mr. Christian ROSSOW (Vrije Universiteit Amsterdam)

16:30 – 17:00

Closing

Margrete RAAUM (FIRST SC)

  • Beyond 400 Gbps: Abusing NTP and Other Protocols for DDoS

    Mr. Christian ROSSOW (Vrije Universiteit Amsterdam)

    In amplification DDoS attacks, an adversary abuses the fact that public servers of UDP-based network protocols respond to requests without further validating the identity of the sender. In February 2014, attackers abused the NTP protocol to launch the largest DDoS attack to date (about 400 Gbps of attack traffic). This talk describes amplification vulnerabilities in 14 network protocols and raises a discussion of what can be done to counter such vulnerabilities.

    rossow-christian-slides.pdf

    MD5: e3f54ea0250ed69d9b2f78c3b3ce3516

    Type: Slides

    Format: application/pdf

    Last Update: April 29th, 2014

    Size: 1012.7 Kb

    April 8th, 2014 15:45 – 16:30

    Cisco Campus (Amsterdam (NL))

  • Beyond Zone File Access: Discovering Novel Domain Names Using Passive DNS

    Henry STERN (Farsight)

    Security practitioners make use of data about domains obtained through Zone File Access to find newly-registered malicious domains. This is limited in scope by the number of registries offering such access and by the participating registries’ limit of one download per 24-hour period. This talk will demonstrate a method of extracting novel domain names from passive DNS data in real time, will present historical data about domain registrations per TLD over time, and will discuss the advantages and disadvantages of using passive DNS data versus downloaded zone files for research.

    Estimated time: 45 minutes

    April 7th, 2014 09:15 – 10:00

    Cisco Campus (Amsterdam (NL))

  • CERT Portal Demonstration & Snowshoe Spamming

    Carel VAN STATEN (Spamhaus)

    Carel van Straten is an investigator at The Spamhaus Project, where he finds out what makes the spammers' infrastructure tick - and makes sure it stops ticking. He investigates malware, snowshoe spam, DNS, abused free services, domains, their owners and anything in between. This talk will cover two topics:

    Part 1: A demonstration of the CERT portal and the data available there.

    Part 2: A look at snowshoe spamming and (abandoned) network hijacking.

    April 7th, 2014 15:30 – 16:30

    Cisco Campus (Amsterdam (NL))

  • CSIRT Playbook 2.0: Choose Your Own Misadventure

    Jeff BOLLINGER (CISCO), Matthew VALITES (CISCO)

    Cisco's CSIRT has evolved beyond the traditional SIEM-based incident response model towards a data-centric log mining approach. CSIRT calls this approach and its associated techniques "The Playbook".

    This presentation will detail our progress in reducing the complexity of our old systems into basic, functional elements that can be incorporated into any incident response team's incident handling strategy.

    We will share Cisco's lessons learned in redefining our incident detection strategy, outline our modular framework, and provide some real examples of successful “plays” along with a discussion about what makes them effective. We believe any IR team can effectively use this approach, and we want to change how you think about incident detection and response.

    Estimated time: 60 minutes

    April 8th, 2014 09:30 – 10:30

    Cisco Campus (Amsterdam (NL))

  • CVSS v3 – This One Goes to 11

    Seth HANFORD (CISCO)

    Software vulnerabilities — love 'em or hate 'em, they're crucial to your job. Likewise, you may have a love/hate relationship with vulnerability classification and severity scoring (like CVSS v2 or any number of proprietary methods). In this talk we will look at statistics and characteristics for thousands of vulnerabilities to see if we can determine what CVSS v2 did wrong, what it did right, and what we (the CVSS v3 Special Interest Group) intend to do to fix it. We will also come away with a better understanding of why systems like CVSS are important to security practitioners, even those who'd rather be popping shells than pushing off patches whose scores are "too low to care about".

    Estimated time: 45 minutes

    April 8th, 2014 11:00 – 12:00

    Cisco Campus (Amsterdam (NL))

  • DNS TTL Project

    Levi GUNDERT (CISCO), Armin PELKMANN (CISCO)

    DNS open resolvers are regularly leveraged by threat actors to create unattributable distributed denial of service (DDoS) attacks against unsuspecting (and often helpless) victims. It's time we used open resolvers for a positive purpose, to the benefit of the good guys. We discuss the underlying methodology and details of our new free tool, which is intended to give law enforcement and security researchers a better understanding of specific domain resolution activity. Provide an input domain, and find out how we triangulate general victim and/or attacker locations.

    April 8th, 2014 15:00 – 15:45

    Cisco Campus (Amsterdam (NL))

  • dnstap: High Speed DNS Logging Without Packet Capture

    Henry STERN (Farsight)

    The DNS protocol presents interesting logging challenges. Common approaches to DNS logging include instrumentation internal to the DNS server which generates textual log messages ("query logs"), and external passive observation of DNS network traffic ("packet capture"). This presentation will outline some of the strengths and weaknesses of these two approaches and will showcase a hybrid vendor-neutral logging implementation, "dnstap", that can provide at high speed the high quality data needed for DNS monitoring applications such as passive DNS replication and query logging.

    Estimated time: 30 minutes

    April 8th, 2014 09:00 – 09:30

    Cisco Campus (Amsterdam (NL))

  • Ingesting 1.2 Million Network Packets per Second Using HBase in Real Time

    Michael BURG (CISCO), Pablo SALAZAR (CISCO)

    Real-time network packet analysis is critical to any network security effort. The ability to collect all the network traffic and analyze it in real time is an elephantine challenge. Especially during denial of service attacks, there can be millions of packets travelling over the network per second. Not many systems can capture, analyze, store and provide alerts/insights at this rate. We at Cisco and Hortonworks together built a solution named OpenSOC that can capture, deeply inspect and analyze these packets at a rate of 1.2 million packets per second in real time. This talk covers the use case and our use of HBase along with Kafka, Storm and ElasticSearch to ingest 1.2 million network packets per second in real time. Specifically, we discuss how we started with just 5K packets per second and scaled the system to handle 1.2 million packets per second: the solution choices, the different techniques and strategies, and the traditional and innovative approaches that made performance jump through the roof. Attendees can take away lessons from our real-life experience that will help them understand various tuning methods and their tradeoffs, and apply them in their own solutions.

    April 8th, 2014 13:00 – 13:45

    Cisco Campus (Amsterdam (NL))

  • On the Actors Behind Sefnit / Mevade

    Feike HACQUEBORD (TrendMicro)

    The number of Tor users dramatically increased in August 2013. This was shown to be caused by a botnet called Sefnit / Mevade. In this talk we present explicit evidence that an adware company has been behind Sefnit / Mevade malware for years.

    April 7th, 2014 13:30 – 14:00

    Cisco Campus (Amsterdam (NL))

  • SecAdmin – Mitigating Attacks Targeting Administrator Credentials

    Dave JONES (CISCO)

    How do we administer critical infrastructure with something more than just passwords? This talk will go into detail about mitigations for that problem, such as:

    • How to solve problems with multi-factor authentication, such as:
      • How to require multi-factor authentication for critical infrastructure that doesn't support it
      • Ideas for multi-factor authentication on a budget
    • Creation of administration boundaries to limit where administration can be done from
    • Separation of duties in your daily life

    Critical infrastructure examples will span multiple operating systems (Linux, BSDi, Windows, IOS) and virtual environments (VMware, OpenStack/KVM), with real examples of each.

    Estimated time: 45 minutes

    April 7th, 2014 11:30 – 12:30

    Cisco Campus (Amsterdam (NL))

  • Targeted Attack Case Study

    Gavin O'GORMAN (Symantec)

    Most 'targeted' attacker groups tend to target a number of industries and have quite a wide range of victims. There are, however, a number of more discreet attackers active who focus on very specific targets and have done so for a number of years. This presentation will describe one of those groups: how they work, who they target, and how long they have been active.

    April 7th, 2014 14:00 – 15:00

    Cisco Campus (Amsterdam (NL))

  • The Internet of Everything (Compromised)

    Martin LEE (CISCO)

    Advances in integrated circuits mean that processors are becoming more powerful in terms of functionality, yet consume less power and are becoming smaller in size. These features, coupled with the ubiquity of internet connectivity, mean that all sorts of devices are being connected to the internet. The ability to remotely monitor and react to changing conditions may bring advantages in terms of reducing waste and increasing efficiency. But what are the implications from a security perspective?

    Unpatched devices, running obsolete code and communicating over insecure protocols to lowest-price remote facilities management centres, enable many new and interesting means by which miscreants can attack organisations. In this session we shall discuss the implications of the "internet of everything" and how security professionals need to consider and manage the risks entailed.

    lee-martin-slides.pdf

    MD5: f4eb5e39a9d359dd9af9ea2e9b82ee8b

    Type: Slides

    Format: application/pdf

    Last Update: April 29th, 2014

    Size: 8.09 Mb

    April 8th, 2014 13:45 – 14:30

    Cisco Campus (Amsterdam (NL))

  • Threat Actor Techniques

    Jeremy JUNGINGER (CISCO)

    This talk demonstrates how real-world configuration flaws can be leveraged to compromise an example "Acme Corporation." Specific techniques will include cross-site scripting, phishing, client-side exploitation, pivoting, token impersonation, lateral movement and data exfiltration. The presentation will consist of PowerPoint slides and live demos, with videos to be used if the demos go awry.

    Estimated time: 45 (to 60) minutes

    April 7th, 2014 10:00 – 11:00

    Cisco Campus (Amsterdam (NL))

  • Using the Big Data Ecosystem to Look for Evidence of Botnets.

    Steven POULSON (CISCO)

    Over 15 billion HTTP requests a day pass through Cisco's Web Security infrastructure. This creates both opportunities and problems in looking for the footprints of botnet activity. The opportunity is that this huge amount of data allows us to better separate signal from noise, and events that previously seemed random now start to show a pattern. The problem is that this amount of data is in itself difficult to search through, which is further compounded by the fact that the analytics of choice require higher-order processing such as distance measures, differencing and so forth. As such, this processing is unfeasible on traditional systems.

    Fortunately, in recent years developments such as Hadoop and its ecosystem allow the processing of this data to be decomposed into a large number of smaller problems on distributed hardware that can be recombined to give the solution. We show how this approach is used and how analytics can be applied to look for certain signs of botnet activity such as identifying common hosts on infected machines and unusual numbers of posts.

    April 7th, 2014 16:30 – 17:15

    Cisco Campus (Amsterdam (NL))