Program Overview

• Tuesday, 15 September

• Wednesday, 16 September

• Behind CERT-RO's Annual Report on Cyber Incidents

  Catalin PATRASCU (CERT-RO)

  One mandatory task for national CERT/CSIRT organizations, including CERT-RO, is to act as a national point of contact for collecting cyber incidents reports. This reports, whether they are directly reported by organization and individuals within national constituency or collected from external feeds or own detection capabilities, can be used to obtain a cyber security overview (visualization) of the cyber space monitored. This overview help the authorities to take the proper measures/actions to keep the national cyber space more safe and secure. Catalin Patrascu is a cyber security expert with more then 8 years of experience and holds the position of Chief of Information Security and Monitoring Office at CERT-RO since 2012, position in which he coordinated the incident handling process, cyber exercises and technical projects implemented by CERT-RO.

  September 15, 2015 13:30-14:30

• Case Studies in Fighting Cybercrime

  Pitor KIJEWSKI (CERT-Polska / NASK)

  The talk will cover various cybercrime operations analyzed by CERT Polska in the last 1-2 years. These primarily involved various forms of malware and botnets that used Polish network properties for C&C purposes or that were specifically targeting Polish users. Many of these include banking trojans (such as VMZeus/Gozi2/Kronos), specifically webinject malware. We will show how these evolve and use more and more sophisticated social engineering techniques to fool users into losing their money. We will also cover other cases as well that did not involve malware, but that employ similar social engineering tricks - such as mass hackings of home routers for financial gain. We will explore some cases unique to the Polish scene, including the rise of Banatrix (a relatively simple malware that is surprisingly effective in stealing money by substituting bank account numbers when these are rendered by the browser) and its friends. We will present specific case studies on how our team counters these threats and on how effective these cybercrime campaigns really are. Piotr Kijewski is the Head of CERT Polska, which is a part of NASK. Previously for many years he was in charge of multiple projects and security research in the CERT Polska team. His interests include threat detection, malware analysis, botnets and honeypots. Piotr has engaged in many different innovative network security projects, both at the national and international level (including EU FP7, NATO and ENISA projects). Piotr also orchestrated and coordinated the takedown of multiple botnets. Author of a couple of dozen publications and articles on network security, as well as frequent speaker and panelist at conferences both in Poland and abroad (including FIRST, NATO Cyber Defense Workshop, Honeynet Project Workshop, Microsoft Digital Crimes Consortium, Microsoft Security Research Alliance Summit, APWG eCrime etc.). In 2011, Piotr set up the Polish Chapter of the Honeynet Project. He holds an MSc degree in Telecommunications from the Warsaw University of Technology.

  September 15, 2015 11:30-12:30

• How to Make IOC Search Campaigns Easier

  Matthieu GARIN (CERT-Solucom), Vincent NGUYEN (CERT-Solucom)

  In order to fulfill a growing need for IOC search campaigns, CERT-Solucom released CERTitude, an open-source IOC network scanning tool. Indeed, more and more companies are being requested by national cyber-security agencies to perform "IOC search" on their Information System. Moreover, during incident response missions, there is a frequent need for CERT-Solucom analysts to find the scope of compromise. However, most solutions on the market use previously deployed agent and/or send IOC on the IS network: the attacker becomes aware of the search method. CERTitude is an agentless tool with the ability to "hide" itself from the attacker with the use of encryption protocols. Despite a lot of conditions from OS compatibility to performance impacts, various Windows' IOC can be processed by CERTitude such as registry data, files, processes, services, prefetch data, network connections… We will be pleased to share with you the challenges faced and solutions that we've adopted. At last, but not least, a demo of CERTitude will be performed and the new development roadmap revealed. Matthieu GARIN is manager within Solucom's Security & Risk Management Practice. For the last 10 years, he has been leading security transformation projects for Solucom's clients. He is in charge of the cybersecurity activities, and more particularly of the CERT-Solucom's strategy : guidelines definition, new tools development, business development... Vincent NGUYEN is the technical leader of CERT-Solucom. He is in charge of the CERT-Solucom's technical projects and, in incident response cases, is leader of analysis teams. More particularly, he is in charge of the development of the CERTitude tool which is presented during the talk.

  September 15, 2015 16:00-17:00

• Incidents Solved by CERT.GOV.GE

  David TSKITISHVILI (CERT-GOV-GE)

  This presentation will cover cyber attacks which occurred in Georgian cyberspace and how ERT-GOV.GE responded to those incidents. The first will be Georbot (c. 2011) which was one of the biggest cyber incidents ever to happen in Georgia. The second will cover a more current incident (c. 2015) called SSDP, a DDoS attacks whose main target was the financial services market. David Tskitishvili works as a CERT specialist in governmental CERT of Georgia which is part of Data Exchange Agency if the Ministry of Justice of Georgia. In early ages he worked in immunotherapy and chemotherapy clinic Medula as system administrator, afterward he started to work in Wireless based ISP in which his major duty was system administration and for minor he took over Cyber Security field from that points he started his road to CERT-GOV-GE's team. Mr. Tskitishvili has experience in conducting trainings in the field of information security. He has SANS and Transit Certificates.

  September 15, 2015 14:30-15:30

• Lessons Learned From Three APT Victims

  Don SMITH (Dell SecureWorks)

  The “A” in APT often stands for “Advanced,” however, in these case studies the “A” in APT probably should stand for “Adequate.” In this presentation, Don will describe three organization’s experience with “APT” actors, looking at techniques deployed for intrusion, persistence, lateral expansion and exfiltration. In parallel, the presentation will consider where changes to the detective or preventative control frameworks could have prevented the attackers from achieving their objectives. Don Smith is a leading information security expert and a recognized subject-matter expert in areas as diverse as state-sponsored APT attacks and identity and access management. Don has worked in IT security for 21 years and joined Dell SecureWorks in 2005. Don leads the Dell SecureWorks Counter Threat Unit Security Research team in EMEA. Prior to Dell SecureWorks, Don was responsible for security architecture and operations for a multi-billion dollar enterprise and took a lead role in successfully integrating 14 acquisitions.

  September 16, 2015 11:30-12:30

• Operational & Collaborative Approach to Incident Response

  Calvin DICKINSON (Amgen)

  This presentation will discuss how operations teams interact with specialist Subject Matter Experts (SMEs) and bring together the necessary skills at the right time to respond to security incidents. Calvin Dickinson is the Director – Security Operations and Business Resilience for Biotechnology firm Amgen. Calvin has over 30 years’ experience in the security sector with the last 10 years actively involved in incident and crisis management. Calvin has held senior positions in Corporate and information security with Nationwide Building Society, Electronic Arts and more recently Amgen. He also served with the Royal Air Force Police for 13 years before becoming a Regional lead with Securitas UK. Calvin has built, developed and led two Cyber Security operations Centers with responsibility for recruiting specialist Information Security specialist and dedicated incident handlers and has been at the forefront of tackling the latest Cyber trends impacting the industry. Calvin holds a MSc in Security and Risk Management from Leicester University.

  September 16, 2015 09:30-10:30

• Ransomware: Evolution & Countermeasures

  Jose ALEMÁN (S21Sec), David CONDE (s21Sec)

  Ransomware, cryptolocker, and cryptowall are common words in the day-to-day routine of a malware analyst. Companies are facing this type of Trojans on a daily basis. In this presentation, we are going to look at the origin of this ransomware malware-type: it exists before Internet appeared as a network of networks, we will also look at the new scenarios where this type of malware is being more and more present such as mobile devices. We will also look at infection vectors, together with the use of cryptography as a type of art. Is it worth paying? Can I consider my environment is protected with the security solution? What can I do to secure my organization? We will be reviewing and developing all these questions so that companies can cope with one of the main threats in the ever-changing malware world. Jose Alemán is the Business Development Manager for ACSS and Ecrime at Spanish Infosec consultancy S21Sec. He has been working as a Service Delivery Manager for more than 4 years, leading Security Services and working on Projects for International customers all over the globe, providing critical incident response, proactive solutions, intel requests, etc. Mr. Alemán is passionate about Security, a problem solver and always keeping an eye for detail. I'm involved in the current scene, participating in CONs, and sharing my own vision over day-to-day incidents.

  September 16, 2015 10:30-11:30

• Seven Rules of Fight Club

  Jon RAMSEY (Dell SecureWorks)

  Over the years, Dell SecureWorks has amassed a significant amount of knowledge and methodology when it comes to handling cyber attacks. In this presentation, CTO Jon Ramsey distills seven of the most pertinent “rules” that have come out of these experiences and uses real world examples to illustrate whey each has played an imprint part on how Dell SecureWorks approaches indecent response. Join us for an entertaining and informative presentation. Jon Ramsey is the Chief Technology Officer at Dell SecureWorks in Atlanta, GA and a Dell Fellow. Ramsey has 25 years of hands-on experience at every level: system administrator, software engineer, analyst, security penetration specialist and senior engineer. Prior to joining Dell SecureWorks, Ramsey worked for the Computer Emergency Response Team (CERT), Siemens, and the University of Pittsburgh. Ramsey earned a Master's degree in software engineering from Carnegie Mellon University and a Bachelor of Science in computer science from the University of Pittsburgh.

  September 15, 2015 10:30-11:30

• Theory & Practice of Cyber Threat-Intelligence Using STIX and CybOX

  Thomas SCHRECK (Siemens)

  Based on Siemens CERT's experiences with developing and operating the Open Source MANTIS Cyber-Threat Intelligence Framework, this talks will provide and overview of central issues with cyber-threat intelligence management using STIX and CybOX: • Finding correlations — With more and more data sources based on STIX and CybOX becoming available, finding correlations in the supplied data becomes essential. We will present work in progress on finding correlations. • Information tagging — Because the same basic observation (e.g. an IP address) may give rise to many distinct CybOX observables, information tagging on the object level is insufficient for many use-cases. We will present on MANTIS's approach towards information tagging: by tagging atomic facts rather than objects a single tagging action applies to all relevant objects. • Managing actionable threat intelligence — In theory, it should be easy to manage and extract actionable threat intelligence from STIX/CybOX data for use in detection and prevention systems. In practice, this proves surprisingly hard. We will present on our approach towards this problem. Thomas Schreck is a Senior Engineer at Siemens CERT and the head of the Incident Response Team. He is the Team Representative of Siemens in FIRST, TF-CSIRT, and other organizations. Since 2015 he serves on the Board of Directors of FIRST.Org.

  September 16, 2015 13:30-14:30

• Bucharest 2015 FIRST TC
  • Program Overview
  • Hotel Information
  • Travel Information