Amsterdam 2015 FIRST Technical Colloquium



Program Overview


  • May 4th (Monday)

    Memory Forensics for Incident Responders

  • May 5th (Tuesday)

    Hey! You! Get Off of My Cloud! Attacks Against Cloud Server Honeypots

    Cisco IOS and IOS-XE Integrity Assurance

    Red + Blue = Purple (Taking security testing to the next level)

    Challenges in Applied Threat Intelligence

    The internet, a fun place of interconnected devices

    Cybercrime Trends: 2014 Review and 2015 Outlook

  • May 6th (Wednesday)

    Building and Leveraging Your Own VirusTotal, on the Cheap

    Interactive computer network activity analysis using graph techniques

    Mobile Threats - MyCERT Case Study

    CIIP and NIS directives and their implication for CERTs - Recent German activities

    SSHCure: Flow-based Compromise Detection using NetFlow/IPFIX

    Emerging Threats - The State of Cyber Security

May 4th (Monday)

08:30 – 09:00
09:00 – 12:00
12:00 – 13:00
13:00 – 17:00

May 5th (Tuesday)

08:00 – 09:00
09:00 – 09:30
09:30 – 10:30
10:30 – 11:30
11:30 – 12:30
12:30 – 13:30
13:30 – 14:30
14:30 – 15:00
15:00 – 15:30
15:30 – 16:30
16:30 – 17:00

May 6th (Wednesday)

08:00 – 09:00
09:00 – 10:00
10:00 – 11:00
11:00 – 12:00
12:00 – 13:00
13:00 – 14:00
14:00 – 14:30
14:30 – 15:30
15:30 – 16:30
16:30 – 17:00
17:00 – 18:00
  • Building and Leveraging Your Own VirusTotal, on the Cheap

    Steven WEINSTEIN (Lookingglass)

    VirusTotal freely provides invaluable data related to malware and IOCs, and offers the ability to search and pivot throughout their dataset. Paying for access to their VirusTotal Intelligence service and Private API offers even more capabilities beneficial to security professionals. However, many companies prefer to "build vs. buy". This talk will focus on how to design and build your own VirusTotal-like system to aid in incident response or threat research while minimizing the cost to your organization. Operationalizing the resulting datasets will also be covered.
    May 6th, 2015 09:00 – 10:00

    (Cisco HQ)

  • Challenges in Applied Threat Intelligence


    The CERT/CC at the Software Engineering Institute is engaged in a variety of research efforts related to the application of so-called threat intelligence to more effective network defense. Organizations have begun to invest significant resources in information sharing efforts that include sharing information incorporating contextual knowledge of threats. The hope is that by incorporating knowledge of actors, TTPs, infrastructures and families of malicious tools into analysis they can adopt a more robust defensive posture. In this talk, we discuss some of the practical challenges faced by organizations attempting to incorporate this sort of intelligence-oriented approach into their operations.
    May 5th, 2015 13:30 – 14:30

    (Cisco HQ)

  • CIIP and NIS directives and their implication for CERTs - Recent German activities

    Benjamin KLEIN (KPMG), Paul WEISSMANN (KPMG)

    The Internet and ICT have become a vital part of our society and cyber attacks become more critical. In this context, the European Union actively promotes activities for more cyber resilience. Critical Information Infrastructure Protection (CIIP) and the Network and Information Security Directive (NIS Directive) are two recent endeavors to set the path for defending our ICT infrastructure against cyber attacks. This talk concentrates on the current development of cyber security directives in the European Union and its implications for the activities of CERTs in the EU. The information presented in this talk is based on the speakers' activities in the past months and a study analyzing CIIP and NIS in the German ICT sector.

    Outline of the talk:

    - Current CIIP and NIS developments in Europe: EU directives and national legislation
    - The German IT-Security law - current developments in Germany between industry and government
    - Challenges and implications for CIIP sector actors and CERTs
    - The future role of CERTs in CIIP sectors under CIIP legislation

    May 6th, 2015 13:00 – 14:00

    (Cisco HQ)

  • Cisco IOS and IOS-XE Integrity Assurance

    Stefano DE CRESCENZO (Cisco), Xavier BROUCKAERT (Cisco)

    The trends in security attacks have shown increased interest in network devices. Routers, firewalls and other network devices are targeted not only to create a denial of service but to control the traffic flow and to have access to information flowing through the nodes. During this session, we will discuss possible attack vectors to Cisco IOS and Cisco IOS-XE devices, how to verify the integrity of image and run-time memory for forensic purposes, how to create and analyze a Cisco IOS memory dump, look for indicators of compromise (IoC), and security best practices to prevent and detect a possible intrusion.
    May 5th, 2015 10:30 – 11:30

    (Cisco HQ)

  • Cybercrime Trends: 2014 Review and 2015 Outlook

    Etay MAOR (Trusteer (IBM))

    During 2014 we experienced several developments in cybercrime vectors. In this presentation we will take a closer look at the major stories of 2014, including a deep dive into the Dyre malware and different trends that will affect how cybercrime is committed in 2015. We will then take a look into what we can expect in 2015 for PC-based malware and mobile, as well as follow several underground discussions that hint towards what cybercriminals are preparing. Last but not least, we will review emerging technologies and products that may shape security challenges.
    May 5th, 2015 15:30 – 16:30

    (Cisco HQ)

  • Emerging Threats - The State of Cyber Security

    Craig WILLIAMS (Cisco)

    The Talos Security Intelligence and Research Group (Talos) is made up of leading threat researchers supported by sophisticated systems to create threat intelligence, analyze and protect against both known and emerging threats. Talos’ renowned security experts are a combined team from Sourcefire’s Vulnerability Research Team, Cisco’s Threat Research and Communications and Cisco Security Applications group. The team’s expertise spans software development, reverse engineering, vulnerability triage, malware investigation and intelligence gathering. In this talk, Talos outreach will examine the latest threats as well as cover mitigation strategies.
    May 6th, 2015 15:30 – 16:30

    (Cisco HQ)

  • Hey! You! Get Off of My Cloud! Attacks Against Cloud Server Honeypots

    Martin LEE (Alertlogic), Neil RANKIN (Alertlogic)

    The widespread adoption of cloud infrastructure exposes organisations to new threats and presents new opportunities for attackers. Deploying honeypots in the cloud allows the collection and analysis of attack data showing how attackers are seeking to compromise servers in this environment. Understanding and reacting to the different strategies used by attackers allows security teams to optimise defenses against threats in real time. In this presentation we will discuss how honeypots can be deployed in the cloud, and present detailed analysis of attacks against Alert Logic’s cloud honeypot system.


    Slides: application/pdf, 1.37 Mb, last update May 12th, 2015, MD5: 2bcf937a060dd9552492c57f93fb7517

    May 5th, 2015 09:30 – 10:30

    (Cisco HQ)

  • Interactive computer network activity analysis using graph techniques

    Eric DULL (Deloitte and Touche, LLP)

    In cyber security analysis, everything is growing at prodigious rates: data feeds, numbers of computers and phones on the network, number of users, and the number of threats that security and information technology professionals must evaluate, prioritize, and mitigate. The one thing that isn’t growing in enterprises is the number of security professionals available to perform this security. Without enough expert staff, every enterprise only gets further and further behind the curve in analyzing odd, suspicious activities on their networks. Enterprises need a different analytic approach and strategy to make every one of their personnel more effective. Graph analytics is that approach.

    Graph analytics uses cyber security data and threat data to identify potential network threats, prioritizes them, and highlights them for analyst consideration. Graph analytics can be used to focus the available analyst time in the enterprise on the most important threats and anomalies present within the enterprise by combining the multitudinous computer security information using graph algorithms. Graph algorithms have been applied to computer network data in multiple contexts, including botnet identification, unknown tradecraft-unknown threat identification, and high-speed network analysis. Graph algorithms, such as subgraph-isomorphism / pattern-matching, Jaccard similarity coefficient, community detection, shortest path, betweenness centrality, badness propagation, and anomaly identification, can be applied to cyber-threat analytic problems, including subgraph identification and extraction, botnet infrastructure identification, server community identification and content distribution network analysis, information flow across the network, key node identification, threat clustering, and unknown tradecraft-unknown threat identification.

    Cray, through engagements with its customers and partners, has utilized graph analytics in performing computer network analysis and identifying threats and risks to enterprise-scale networks. One of these networks is SCinet. SCinet is the high-bandwidth network that supports the SC technical conference and exhibit hall. SC14 had the largest network to date, with 1.2 terabits per second reaching the show floor and 11,000 devices using SCinet. SCinet has a /17 (32K IP addresses) of publicly routable IPv4 space (and some IPv6 space). SCinet is a volunteer organization of 300+ individuals working together over the entire year to design, construct, operate, and dismantle the network every year. SCinet’s scale of data (18 billion triples from 5 days of data), time-to-first solution (analytics need to be developed in minutes to an hour or two), and time-to-solution (answers need to be generated in seconds to minutes to be useful) requirements make it a great analogue for enterprise networks and analytic challenges. This presentation describes SCinet’s computer network data, applicable graph algorithms, and a use case where these have been applied together to perform interactive analysis on an enterprise-scale network.
    May 6th, 2015 10:00 – 11:00

    (Cisco HQ)

  • Memory Forensics for Incident Responders

    Monnappa KA (Cisco Systems)

    Memory forensics is an investigative technique used in malware analysis, reverse engineering, digital forensics and incident response. With adversaries becoming more sophisticated and carrying out advanced attacks targeting critical infrastructures, Data Centers, private and public organizations, detecting, responding to, and investigating such intrusions are critical for information security professionals. Memory Forensics has become a must-have skill for fighting advanced malware, targeted attacks and security breaches. This training touches on the topic of malware, Windows internals, and techniques to perform malware and Rootkit investigations of real world memory samples using open source advanced memory forensics framework (Volatility). The training also teaches how to incorporate memory forensics into malware analysis and sandbox technology. The training provides practical guidance and attendees should walk away with the following skills:

    - Understanding how malware and Windows internals work
    - Ability to acquire a memory image from suspect/infected systems
    - Use memory forensics to improve digital investigations
    - Perform investigative steps for detecting stealth and advanced malware
    - Use memory forensics in malware analysis and sandbox technology
    - Use open source advanced memory forensics framework (Volatility)

    May 4th, 2015 09:00 – 12:00

    (Cisco HQ)

  • Mobile Threats - MyCERT Case Study

    Norlinda JAAFAR (MyCERT), Ahmad Aizuddin AIZAT (MyCERT)

    For the year 2014, MyCERT has continued to receive, observe and analyze reported incidents within the Malaysian constituency. The 2 case studies involved APT and mobile threats; however, they had impacted two major CNII (Critical National Infrastructure Institution). Spear-phishing was detected as the attack vector against a high-profile target in the campaign for the APT attack. Spear-phishing via e-mail with an attachment had been disseminated to the target organization as bait to install malware, and this attack has also pulled the trigger on tackling such incidents in government agencies entirely. On the other hand, the revolution of mobile technology has likely begun to become a threat or a favorite target of cyber criminals, mostly for organizations that have allowed their customers to do transactions via mobile/apps. The infected smartphones can be hijacked remotely and potentially used for fraudulent purposes, and it is becoming focused on making profit more effectively. The infected device had also been used for spreading the malware to other smartphones by sending a link or attachment via popular text communication such as SMS. The presentation will describe how these attacks were detected and their implications.
    May 6th, 2015 11:00 – 12:00

    (Cisco HQ)

  • Red + Blue = Purple (Taking security testing to the next level)

    Stan HEGT (KPMG)

    We need to close the gap between security testing and real-world attacks. Your typical penetration tester will portscan the network, fire up his vulnerability scanner and then do some manual verification of exploitability of the identified weaknesses. While this is fine for obtaining a broad overview of vulnerabilities in your preventive controls, it is by no means a test of your resilience against actual attacks. Penetration tests lack real-world attack aspects like malware, social engineering and creating persistence and hence are no realistic test case for your detective and responsive capabilities. In this talk, we will discuss our experience and best practices in red/blue teaming exercises that help you to realistically test resilience against real-world attacks. We will provide insight into our bag of dirty red team techniques, but will also disclose some of the coolest tricks that blue teams have pulled on us. Lastly, we will advocate a new trend in security testing called purple teaming: joining forces of the offensive red team and defensive blue team to get the most value out of security testing.


    Slides: application/pdf, 5.9 Mb, last update May 12th, 2015, MD5: 047cc46ae8cdae47992ac62babc2a3dd

    May 5th, 2015 11:30 – 12:30

    (Cisco HQ)

  • SSHCure: Flow-based Compromise Detection using NetFlow/IPFIX

    Rick HOFSTEDE (University of Twente, The Netherlands)

    Dictionary attacks against SSH daemons are a common type of brute-force attack, in which attackers perform authentication attempts on a remote machine. By now, we are used to observing a steady number of SSH dictionary attacks in our networks every day; however, these attacks should not be underestimated. Once compromised, machines can cause serious damage by joining botnets, distributing illegal content, or participating in DDoS attacks. The threat of SSH attacks was stressed again by the Ponemon 2014 SSH Security Vulnerability Report, which states that 51% of the surveyed companies have been compromised via SSH in the last 24 months. Numbers provided by several renowned organizations, such as OpenBL and DShield, show that even more attacks should be expected in the future. The vast numbers of SSH brute-force attacks emphasize the need for a scalable solution that tells security teams exactly which systems have been compromised and should therefore be taken care of. This is where our open-source IDS SSHCure comes into play. SSHCure is a flow-based Intrusion Detection System (IDS) and the first network-based IDS that is able to detect whether an attack has resulted in a compromise. By analyzing the aggregated network data received from edge routers, it analyzes the SSH behavior of all hosts in a network. Successful deployments—in networks ranging from Web hosting companies and campus networks up to nation-wide backbone networks—have shown that SSHCure is capable of analyzing SSH traffic in real-time and can therefore be deployed in any network with flow export enabled. The latest version of SSHCure features a completely overhauled compromise detection algorithm, together with a brand-new GUI that aids security teams in their day-to-day work.


    Slides: application/pdf, 6.68 Mb, last update May 7th, 2015, MD5: e7d146c88a26f37ea4d23d69383e54f7

    May 6th, 2015 14:30 – 15:30

    (Cisco HQ)

  • The internet, a fun place of interconnected devices

    Yonathan KLIJNSMA (FOX-IT)

    The internet is a place where billions of devices are interconnected. These devices are the ones you connect to when you visit a website, when you chat to your friend on the other side of the planet, or it's your remotely accessible power meter at home. These devices all talk some sort of known (or unknown) protocol to each other. Because these devices are connected to the internet, anyone can visit them.
    May 5th, 2015 15:00 – 15:30

    (Cisco HQ)

Social Reception

On Wednesday there will be a Social Hour for TC attendees from 4:30-5:30pm, sponsored by Lancope.
