Training (November 28, 2017) | Session | Speaker
---|---|---
08:00 – 09:00 | Training Registration - Introduction to Reverse Engineering | Uttang Dawda, Lead Threat Researcher, Salesforce
09:00 – 09:30 | Basics of Sandboxing (Networking, File Sharing) |
09:30 – 10:30 | Static analysis first steps (file, strings, packer, imports, imphash) |
10:30 – 11:00 | Analyzing first stage droppers (PowerShell, VBA macros) |
11:00 – 12:00 | Decompiling/Analyzing .NET binaries |
12:00 – 13:00 | |
13:00 – 13:30 | Intro to OllyDbg and x64dbg |
13:30 – 15:00 | Analyzing first executable malware |
15:00 – 16:00 | Identifying packers and unpacking |
16:00 – 17:00 | Anti-VM, anti-analysis and persistence tricks |
Technical Colloquium, Day 1 (November 29, 2017) | Session | Speaker
---|---|---
09:00 – 10:00 | |
10:00 – 10:10 | Opening Remarks | Frode Hommedal, Telenor CERT and Mona Elisabeth Østvang, Mnemonic
10:10 – 10:55 | Operationalizing the CSIRT Playbook | Logan Wilkins, Cisco
10:55 – 11:05 | Break |
11:05 – 11:30 | Turning on the lights in ICS networks | Rafael Maers, Mnemonic
11:30 – 11:35 | Break |
11:35 – 12:20 | Lazarus waterhole attack in the Nordic | Raymond Lund (Nordic Financial CERT), Per Morten Sandstad (Nordic Financial CERT)
12:20 – 13:10 | Lunch |
13:10 – 13:55 | Stream processing of security events | Henrik Johansen, Danish health care service
13:55 – 14:05 | Break |
14:05 – 14:35 | Carbon Black, global security monitoring | Henrik Strøm, Telenor CERT
14:35 – 14:45 | Break |
14:45 – 15:15 | From process whitelisting to how Nets got "Squiblydoo'd" | Hans Christoffer Gaardløs, Nets
Technical Colloquium, Day 2 (November 30, 2017) | Session | Speaker
---|---|---
09:00 – 09:30 | Registration & Coffee |
09:30 – 09:40 | Welcome | Frode Hommedal, Telenor CERT and Mona Elisabeth Østvang, Mnemonic
09:40 – 10:25 | Operation CLOUDHOPPER – An Australian Response | Ryan Janosevic, Senior Technical Advisor, CERT Australia and Chris Firman, Technical Advisor, CERT Australia
10:25 – 10:35 | Break |
10:35 – 11:20 | Inside an active APT incident response | Brian Candlish, Telstra
11:20 – 11:30 | Break |
11:30 – 12:00 | | Roger Schage Storløkken, DNB
12:00 – 13:00 | Lunch |
13:00 – 13:45 | Innovating towards a mature CTI practice | Richard Kerkdijk, TNO
13:45 – 13:55 | Break |
13:55 – 14:25 | Semi-Automated Cyber Threat Intelligence (ACT) | Martin Eian, Mnemonic
14:25 – 14:35 | Break |
14:35 – 15:05 | POISED PORPOISE: Incident case study | Jan Anders Myklatun, NorCERT
15:05 – 15:15 | Break |
15:15 – 15:45 | Outside the box: Training through surprise | Frode Hommedal and Mats Koteng, Telenor CERT
15:45 – 16:00 | Closing Remarks | Frode Hommedal, Telenor CERT
Henrik Strøm, Telenor CERT
While still at NTH, long before AV was declared dead, Henrik wrote his own anti-virus program. He then went on to build the Internet of Norway at Nextra and later Telenor. The natural progression was to try securing the infrastructure behind the Norwegian Internet backbone. After several years in various security positions within Telenor, this eventually led to him heading the newly formed Telenor CERT. One of the biggest challenges Henrik currently faces is helping Telenor establish global CERT/SOC operations for Telenor ASA, which owns 13 telcos internationally with more than 200 million customers.
November 29, 2017 14:05-14:35
Hans Christoffer Gaardløs, Nets
This is a story about how Nets CERT discovered and handled an incident which could potentially have led to catastrophe for Nets as a company.
Hans Christoffer Gaardløs is a Security Analyst in Nets CERT, working as incident handler, threat analyst and process architect (incident hunting, threat hunting, forensic investigation). Previously he was a malware analyst and heuristic detection specialist at Norman Antivirus.
November 29, 2017 14:45-15:15
Richard Kerkdijk, TNO
This presentation will address the position of CTI duties in an organizational context, the typical (im)maturity of present-day CTI practices and the need for automation in CTI operations. The latter will include some perspective on present-day automation solutions as well as mid- and long-term innovations through which CTI could be processed more effectively.
Richard Kerkdijk, MSc, is a Senior Security Consultant at TNO. He obtained his master's degree in applied physics in 1997 and has been an active player in cyber security ever since. His present role involves strategic advisory work, technical and non-technical security evaluations and coordination of cyber security research and innovation projects. Richard mostly conducts assignments for (CISOs of) telecoms providers (across Europe) and financial institutions (NL), but he has also done commissions for the Dutch National Cyber Security Center (NCSC), the Dutch Cyber Security Council and the Dutch MoD. In addition he acts as vice-chair of the ETIS Information Security WG, an industry body that facilitates collaboration among the CISOs of European telecoms providers. Richard has been involved in a variety of CTI-oriented research and advisory projects. Among other things, he led pan-European trials for automated cyber threat intelligence sharing among telecoms providers.
November 30, 2017 13:00-13:45
Raymond Lund (Nordic Financial CERT), Per Morten Sandstad (Nordic Financial CERT)
The presentation will detail the Lazarus waterhole campaign that became public in February 2017, specifically the Nordic targets and how we used the network around us to follow the attack and track the actor.
Raymond Lund, Incident Response Manager in Nordic Financial CERT – 12 years’ experience as member and manager of SIRT teams.
Per Morten Sandstad, Threat Intelligence Manager in Nordic Financial CERT - 16 years’ experience with security and incident handling.
November 29, 2017 11:35-12:20
Ryan Janosevic, Senior Technical Advisor, CERT Australia and Chris Firman, Technical Advisor, CERT Australia
Ryan is relatively new to the CERT, having joined only a few short months ago! However he spent the past five years working in Incident Response at the Australian Signals Directorate, leading the Australian Government’s operational responses to Advanced Persistent Threat actor intrusions on significant Australian networks. Drawing on his knowledge of incident response within Government, Ryan is now expanding his understanding of the real world, working closely with organisations within Industry on both detection and response operations to a broad range of cyber threats.
Chris is an experienced Incident Responder, and is well versed in the tools, tactics and procedures deployed by malicious cyber actors targeting Australian networks. He has sound technical knowledge, as well as a comprehensive understanding of what good incident response looks like. As a recovering YARA addict, Chris spends his down-time playing next-generation cyber buzzword bingo while preparing for the next hunt!
November 30, 2017 09:40-10:25
Logan Wilkins, Cisco
Effective security event analysis teams depend on efficient capture, storage and search capabilities across potentially massive data sets. At Cisco, we collect enormous amounts of data from scores of data sources, spanning billions of daily transactions. To reliably sift through this data in search of indicators of compromise we developed a "playbook" process in which we define specific searches (plays) and maintain those plays through a tuning lifecycle. As our playbook inventory grew, both in number of plays and in data sources, our analysts required a digitized capability to support play management, scheduling and execution.
In this presentation, we introduce the CSIRT Playbook Execution Platform, a specialized software framework which allows our Security Monitoring team to:
The presentation will detail the platform's development, usage and future plans. We intend to include a strong focus on metrics, demonstrating improved productivity and efficacy compared to our prior event analysis processes. We also provide baseline requirements for teams interested in setting up their own platform. Security monitoring and incident response teams, information security managers and security architects interested in how to put a playbook into operation should attend this session.
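To make the define / schedule / execute / tune cycle described in the abstract concrete, here is a small, self-contained illustration of a playbook engine. It is an added example written for this page, not Cisco's CSIRT Playbook Execution Platform or any code from the talk; the play structure, the `Play` fields, the two sample plays and the handful of proxy and endpoint events are all constructed here, as is the false-positive threshold used to pull a noisy play back into tuning.

```python
"""Toy playbook execution engine: plays as scheduled searches with a tuning record.

Constructed illustration of the define -> schedule -> execute -> tune cycle.
Not Cisco's platform: play format, event fields and sample events are invented.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed sample events: structured proxy and endpoint records, not real telemetry.
EVENTS: List[dict] = [
    {"ts": "2017-11-29T10:12:03", "src": "proxy", "host": "ws-14", "action": "GET",
     "dest": "updates.vendor.example", "bytes_out": 1200},
    {"ts": "2017-11-29T10:12:09", "src": "proxy", "host": "ws-22", "action": "POST",
     "dest": "198.51.100.23", "bytes_out": 52_428_800},
    {"ts": "2017-11-29T10:13:41", "src": "edr", "host": "ws-07", "action": "process_start",
     "image": r"C:\Users\carol\AppData\Local\Temp\setup_tmp.exe"},
    {"ts": "2017-11-29T10:14:02", "src": "edr", "host": "ws-31", "action": "process_start",
     "image": r"C:\Program Files\Vendor\vendor.exe"},
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Play:
    """One playbook entry: a named search plus what is needed to schedule and tune it."""
    name: str
    source: str                      # data source the play searches (proxy, edr, ...)
    query: Callable[[dict], bool]    # the search, expressed as a predicate over one event
    interval: timedelta              # how often the scheduler should re-run it
    owner: str                       # analyst responsible for tuning
    hits: int = 0                    # cumulative matches since the play was (re)tuned
    false_positives: int = 0         # analyst-confirmed false positives among those hits
    enabled: bool = True
    last_run: Optional[datetime] = None


def bulk_post_to_raw_ip(ev: dict) -> bool:
    """Proxy play: HTTP POST of 10 MiB or more straight to an IP address (no hostname)."""
    return (ev["src"] == "proxy" and ev["action"] == "POST"
            and IPV4.match(ev["dest"]) is not None
            and ev["bytes_out"] >= 10 * 1024 * 1024)


def process_from_temp(ev: dict) -> bool:
    """Endpoint play: a process image launched from a user's Temp directory."""
    return (ev["src"] == "edr" and ev["action"] == "process_start"
            and "\\appdata\\local\\temp\\" in ev["image"].lower())


PLAYBOOK: List[Play] = [
    Play("bulk-post-raw-ip", "proxy", bulk_post_to_raw_ip, timedelta(minutes=15), "alice"),
    Play("process-from-temp", "edr", process_from_temp, timedelta(hours=1), "bob"),
]


def due_plays(plays: List[Play], now: datetime) -> List[Play]:
    """Scheduling: enabled plays that have never run or whose interval has elapsed."""
    return [p for p in plays if p.enabled
            and (p.last_run is None or now - p.last_run >= p.interval)]


def execute(play: Play, events: List[dict], now: datetime) -> List[dict]:
    """Run one play over the events of its own data source and record the outcome."""
    matches = [ev for ev in events if ev["src"] == play.source and play.query(ev)]
    play.hits += len(matches)
    play.last_run = now
    return matches


def run_cycle(plays: List[Play], events: List[dict], now: datetime) -> Dict[str, List[dict]]:
    """One scheduler tick: execute every due play, return matches keyed by play name."""
    return {p.name: execute(p, events, now) for p in due_plays(plays, now)}


def record_feedback(play: Play, false_positives: int, max_fp_ratio: float = 0.5) -> bool:
    """Tuning lifecycle: analysts mark false positives; a noisy play is pulled for retuning.

    Returns the play's enabled state after the feedback is applied.
    """
    play.false_positives += false_positives
    if play.hits and play.false_positives / play.hits > max_fp_ratio:
        play.enabled = False
    return play.enabled


def precision(play: Play) -> float:
    """Metric for playbook review: share of a play's hits that were true positives."""
    return 0.0 if play.hits == 0 else (play.hits - play.false_positives) / play.hits


def demo() -> dict:
    """Run the whole scenario on a fresh copy of the playbook and return a summary."""
    plays = [Play(p.name, p.source, p.query, p.interval, p.owner) for p in PLAYBOOK]
    t0 = datetime(2017, 11, 29, 10, 15)
    first = run_cycle(plays, EVENTS, t0)
    temp_play = next(p for p in plays if p.name == "process-from-temp")
    still_enabled = record_feedback(temp_play, false_positives=1)  # its only hit was benign
    return {
        "hits": {name: [m["host"] for m in ms] for name, ms in first.items()},
        "due_after_1m": [p.name for p in due_plays(plays, t0 + timedelta(minutes=1))],
        "due_after_15m": [p.name for p in due_plays(plays, t0 + timedelta(minutes=15))],
        "temp_play_enabled": still_enabled,
        "temp_play_precision": precision(temp_play),
        "due_after_1h": [p.name for p in due_plays(plays, t0 + timedelta(hours=1))],
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping `hits`, `false_positives` and `last_run` on the play itself is that the same record drives all three concerns the abstract names: the scheduler reads `interval` and `last_run`, the executor updates `hits`, and the tuning step turns analyst feedback into a decision (here, disabling the play once more than half its hits are confirmed false positives) and a precision metric for the review.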
Logan Wilkins has over 25 years of software development and information security experience. He has worked in academic, research, and corporate settings, specializing in object-oriented distributed software architecture, data science, and information security. Logan currently manages Cisco's CSIRT Engineering Delivery team, which is responsible for Security Monitoring and Incident Response systems development and deployment.
November 29, 2017 10:10-10:55
Frode Hommedal and Mats Koteng, Telenor CERT
Frode Hommedal is a senior incident responder and CSIRT leader. He is currently head of incident response and security analytics at Telenor CERT, and part of the team that is establishing the global CERT/SOC capability of Telenor. He previously worked seven years for the Norwegian national CSIRT, NorCERT, and he has extensive experience with countering digital espionage. One of Frode's goals is to contribute to the infosec curriculum, hoping it will help more CSIRTs to find, face and fight the ever-growing number of advanced threats.
Mats Koteng is a former police investigator with experience in organized crime investigations, electronic evidence gathering and analysis. After 12 years within multiple branches of the police, he left NCIS Norway for Telenor CERT, where he works as team lead for Analysis and Incident Response.
November 30, 2017 15:15-15:45
Jan Anders Myklatun, NorCERT
This talk will present a case study from a recent compromise, with a focus on the tools used and the actions taken by the threat actor.
Jan Anders Myklatun has a background from the Norwegian military and is now a senior engineer at NorCERT. He currently works in the department for Technical Analysis. In his spare time, he likes to do EDB and take care of his dog.
November 30, 2017 14:35-15:05
Martin Eian, Mnemonic
Cyber-attacks are becoming more sophisticated and harder to detect, and existing technology to detect and prevent attacks is increasingly inefficient. The challenge for cybersecurity companies and their systems is to reveal the nature of attacks and stop them as early as possible. In 2016, mnemonic launched the research project "Semi-Automated Cyber Threat Intelligence (ACT)" to address these challenges. The project partners are UiO, NTNU, NSM, FinansCERT Norge and KraftCERT.
The ACT project develops a platform for cyber threat intelligence to uncover cyberattacks, cyber espionage and sabotage. The project researches new methods for data enrichment and data analysis to identify threat agents, their motives, resources and attack methodologies. In addition, the project develops new methods, work processes and mechanisms for creating and distributing threat intelligence and countermeasures, to stop ongoing and prevent future attacks. This talk will present the ACT project, current results, and lessons learned. The talk will also include a live demonstration of the platform prototype.
Dr. Martin Eian works as a Senior Security Analyst in mnemonic's Threat Intelligence group, and he is the Project Manager for the research projects "Semi-Automated Cyber Threat Intelligence (ACT)" and "Threat Ontologies for CyberSecurity Analytics (TOCSA)". He has more than 15 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. He holds a PhD in Telematics/Information Security from NTNU, and he has previously worked as an Adjunct Associate Professor at the Department of Telematics, NTNU.
November 30, 2017 13:55-14:25
Roger Schage Storløkken, DNB
Through security policies, standards and guidelines we have a set of principles and guides on how to secure our organisation, including how to do incident response. But is the ISO27000 stack of policies enough to respond to major incidents? Efficient handling of incidents requires clearly defined roles, responsibilities and the authority to make decisions and take actions. In this talk we will present our Incident Response Mandate, how it has matured over the last decade and how it complements our security policies.
Roger Schage Storløkken has been part of DNB's incident response team since 2015. Prior to that he has 10 years of experience as a consultant working with security monitoring and incident response.
November 30, 2017 11:30-12:00
Uttang Dawda, Lead Threat Researcher, Salesforce
Course level: Intermediate
Pre-requisites:
Course abstract: Introduction to Reverse Engineering will enable analysts, incident responders and researchers to quickly dissect various malicious artifacts (executables, documents, *script), triage their severity and extract indicators in a short amount of time. This workshop is designed for anyone who wants to start their journey into disassembling and debugging malicious binaries. Statically analyzing the artifacts helps in creating better detection and in understanding the severity of the attack.
In this workshop we will learn how to extract and analyze malware found at different stages of an attack. We will walk through various tools used for debugging and disassembling such as OllyDbg, IDA and x64dbg. We will also look at reversing malware written in various languages such as C, .NET, Java and AutoIt. The course will progress into identifying some advanced tricks used by malware for anti-VM detection and anti-analysis.
Topics Covered:
Please note - Lunch is not sponsored on this day. Meals are available at the Telenor cafeteria for the price of 50 NOK. There are also several shops on and around the Telenor campus. Coffee/tea and light snacks will be available throughout the day.
November 28, 2017 08:00-09:00
Rafael Maers, Mnemonic
Attacks on industrial control systems have potentially catastrophic consequences, and the threats towards such environments have escalated in recent years. One of the main challenges in securing these systems is their reliance on old network protocols that are unfamiliar, inherently insecure and have little to no support in modern security products. In this presentation, we discuss how we aim to solve this and other real-world challenges in general, and the development of an IEC104 decoder in particular.
Rafael Lukas Maers is a Security Analyst and Incident Responder at mnemonic. He specializes in network security and ICS/SCADA networks, and leads the development of mnemonic's purpose-built security appliance for industrial environments - the Argus ICS Defender.
November 29, 2017 11:05-11:30