Program Overview

•  BE

  A Walk through Logs Hell

  Xavier MertensXavier Mertens (Xavier Mertens Consulting, BE)

  Once upon a time, an ogre called “SIEM" was invented…
  
  Today, if your organization does not have a SIEM, you look like the "Little Tom Thumb” among your peers. During infosec meetups, many people like to brag about the power of the monster they deployed: “We can ingest 5K events per second!” or “We index 3TB a day!”. That looks indeed nice but does not impress me so much. Are you sure that you can still find the needle from a haystack? Being involved with such technologies and environments for a while, I had the opportunity to face many situations where the ogre SIEM was not able to return interesting data due to misconfigurations, topology changes, lack (or absence) of logs, wrong normalization and many more... Managing logs and events is not an easy job. This presentation will tell you some nightmare stories that you could also face in your organizations. And, of course, some ideas to prevent them.

  January 29, 2020 15:00-15:30

  Xavier-Mertens-January-29th-1500-1530.pdf

  MD5: 43bd18c586f72a682ec76b5434c247d5

  Format: application/pdf

  Last Update: January 13th, 2020

  Size: 5.95 Mb

•  EE

  An Inside View to Domain Typosquatting Operation

  Jüri Shamov-LiiverJüri Shamov-Liiver (Spectx, EE)

  This talk takes a look at four years of internal processing data retrieved from a typosquatting site. In total, ~37 GB of records reflecting redirection traffic gives a unique insider view to the whole operation: campaigns, visitors, traffic. What can we learn about the targeted sites, who visited them? Was the operation successful? Is it just about making easy money or is there a more sinister side to it? Let’s take a look at the data.

  January 30, 2020 14:00-14:30

  JA-ri-Shamov-Liiver-January-30th-1400-1430.pptx

  MD5: 8d7bcfa0767f53a07c83a18e2d18c000

  Format: application/vnd.openxmlformats-officedocument.presentationml.presentation

  Last Update: January 13th, 2020

  Size: 23.88 Mb

•  GB

  Creating the Human Firewall

  Michael FortuneMichael Fortune (British Telecom, GB)

  This talk will cover:

  • Insider threat (the behavioral risk) and what it really means for each of us personally.
  • Social engineering: why we are all prone to falling for it, the human syndrome, and effective measures to help protect ourselves and our businesses.
  • How we have created the personal engagement model to help make security personal and real to people.
  • Real, current social engineering examples and case studies we have done of how, through OSINT data mining, malicious social engineers can build a profile on targets; then, how they could use this information to launch attacks on both individuals and businesses; then, how we have taken this and used it in personal and real experience for our people.
  • Our learning journey and how we have adapted to ensure we are developing the effective people awareness models to win hearts and minds in creating a strong security and compliance culture across all our people.

  January 30, 2020 11:15-11:45

• CyberPeace Institute

  Stéphane DuguinStéphane Duguin (CyberPeace Institute)

  Stéphane Duguin is CEO of the CyberPeace Institute.

  The Cyber Peace Institute is an independent, non-governmental organization focused on peace in cyberspace. We aim to decrease the frequency, impact, and scale of cyber-attacks by sophisticated actors that have significant, direct harm on people. The CyberPeace Institute believes that civilians need to be brought back to the forefront in cybersecurity discussions and be empowered in understanding how their infrastructures are attacked. Through collective analysis of cyberattacks and capacity-building measures grounded in internationally accepted norms, the CyberPeace Institute is confident that positive changes will be made towards the protection of civilians and the overall stability in cyberspace.

  Stéphane Duguin will talk on closing the accountability gap: a proposal for an evidence-led accountability framework.

  January 29, 2020 14:15-14:45

  Cyberpeace-TF-CSIRT-meeting-FIRST-Regional-Symposium-Europe-004-.pdf

  MD5: 5b7dc908e34927a506b7f4ba8b46e9bd

  Format: application/pdf

  Last Update: March 26th, 2021

  Size: 230.42 Kb

  PUBLIC-Stephane-Duguin-CyberPeace.pptx

  MD5: 28c881b0729e47dff5010c65cf5ddf9c

  Format: application/vnd.openxmlformats-officedocument.presentationml.presentation

  Last Update: January 27th, 2020

  Size: 265.46 Kb

•  ES

  Disinformation 2.0

  Fabian Elias VroomFrancisco CarcañoFabian Elias Vroom (Ingeniería e Integración Avanzadas (INGENIA) S.A., ES), Francisco Carcaño (Ingeniería e Integración Avanzadas (INGENIA) S.A., ES)

  In 2022, more than half of the news we will consume on the network will be false. This was one of the technological predictions that Gartner made for 2018. Two years later, the disinformation scenario is not encouraging.
  
  

  In this paper, the main characteristics and psychology of disinformation campaigns will be addressed, to detect false news early. In turn, a series of recommendations and good practices for identification are collected.
  
  

  Several examples are presented (PizzaGate, Veles-Macedonia, WhatsApp-Metro Bank) and statistics, whose purpose is to focus on the magnitude of the problem and the effects and consequences that may result from a disinformation campaign, especially if it is carried out by state actors.
  
  

  Besides, different research techniques are presented to detect campaigns of this type. Through metadata analysis, ELA error analysis, SNA analysis or reverse image search, it is possible to discern between the veracity of an image that accompanies a particular publication or analyze a disinformation campaign through Social Networks. Use cases are presented (image of immigrant minors in cells blamed on the Trump Administration, creation of a network of bots on Twitter that massively shared content contrary to a particular Spanish political party, or the analysis of the conflict in eastern Ukraine, with the Russian disinformation campaign, through bots on Twitter, viral hashtags, fake news, etc.) where these techniques are applied. In turn, a series of resources (websites, applications or browser extensions) are presented, which make it easier for an average user to identify fake news.

  January 30, 2020 13:30-14:00

  PUBLIC-Fabian-Vroom-Francisco-Carcano-Disinformation_FIRST_Ingenia-final.pdf

  MD5: ed2365f5d0b5e355336757a0bd7fa442

  Format: application/pdf

  Last Update: January 31st, 2020

  Size: 3.55 Mb

•  US CH

  DNS: Prevention, Detection, Disruption and Defense

  Carlos Alvarez del PinoMichael HausdingCarlos Alvarez del Pino (ICANN, US), Michael Hausding (SWITCH, CH)

  The training on DNS: Prevention, Detection, Disruption and Defense offers a comprehensive introduction from a basic to an advanced level on how adversaries abuse and leverage the Domain Name System and domain registration services to carry out different types of attacks.

  Looking at both the technical aspect of the domain resolution process to the lifecycle of domain names, with a focus on the vulnerabilities in the processes and systems, participants in the training will gain an understanding on how they can prevent the malicious activity, detect and disrupt it, as well as defend their specific constituencies.

  The training consists of the following modules:

  1. DNS Basics and Ecosystem

     • How do domains resolve?
     • What are the components in the DNS?
     • How does a domain get registered?
     • Who is who in the domain ecosystem and why this matters?

  2. Phishing - Hands-on: Participants will learn which steps to take, with real-life examples, when addressing phishing cases against their constituencies:

     • Detect the phishing
     • Identify the relevant entities
     • Gather the evidence
     • Decide who to submit reports of abuse
     • Decide on information sharing

  3. Advanced DNS

     • Delegation
     • Relevant Resource Records
     • Authoritative vs. Recursive Resolvers
     • Exercise

  4. Sophisticated DNS attacks

     • Examples of sophisticated attacks
     • Possible countermeasures for detection, disruption, and defense
     • Techniques and good practices to prevent DNS threats
     • Table-top exercise based on 4 scenarios:
       1. Hijacking
       2. DNS amplification
       3. Random subdomain attack
       4. DNS as a covert channel for exfiltration

  January 31, 2020 09:00-10:30, January 31, 2020 10:45-12:30, January 31, 2020 13:30-15:00, January 31, 2020 15:15-17:00

•  LU

  Forensics Lessons II

  Michael HammMichael Hamm (CIRCL, LU)

  New lessons learned in a forensic lab based on real cases.

  January 29, 2020 15:30-16:00

  PUBLIC-Michael-Hamm-circl_dfir_lessons-Jan-29th.pdf

  MD5: 371a015fca694018fa7796016c91a563

  Format: application/pdf

  Last Update: January 30th, 2020

  Size: 531.95 Kb

• Futures WG Meeting (invite only)

  Meeting Location: Hotel Vincci Selección Posada del Patio 5*, Pasillo Santa Isabel s/n | 29005 Malaga

  January 28, 2020 13:00-15:00

•  US

  Global Trends/Regional Cooperation Panel

  (ENISA), (CERT/CC, US)

  This panel of experts will discuss global trends in the incident response community and how to help mitigate risk through regional and transnational cooperation and collaboration.

  Topics may include, but are not limited to: • Information Sharing • CSIRT outreach and regional projects • Best practices for enhancing CSIRT services • Collaboration with peer and mentor teams • Lessons learned from collaboration with other incident response teams

  January 30, 2020 16:20-16:55

•  BE

  Incident Response in the Cloud: Foggy with a Ray of Sunshine

  Jeroen VandeleurJeroen Vandeleur (NVISO, BE)

  Over the past few years, we have seen organizations move a part of, or even their entire infrastructure, to the cloud. With on-premise infrastructure, it used to be clear that the security needed to be taken care of by the organization itself. With cloud infrastructure, there is quite some confusion about who takes care of which security controls. This confusion has led to several painful incident response cases where we were called in only to discover we hardly had any data to work with. In general, we observe 3 common problems with incident response in the cloud:

  • Lack of knowledge about the different logging options within cloud environments. What is enabled by default and what is not?
  • Increased response times due to the lack of visibility and security knowledge about the cloud environments.
  • Lack of resources available to respond to the incidents, most organizations are not capable due to the limited amount of people and tools to respond timely.
    
    

  This presentation consists of three key parts highlighting incident response challenges in the cloud, but also how we can purposely use what cloud providers offer us to improve our security operations.
  
  

  The first section includes some key examples of what went wrong during incidents in cloud environments and lists some key challenges that we face as an incident response team to investigate security incidents in depth.
  
  

  A second section in the presentation describes the overview of critical logs that are required to do incident response. These logs and settings are mapped on the 2 main cloud providers; Amazon AWS and Microsoft Azure. This will allow you to understand which logs are there by default and which logs should be activated for incident response and forensic investigations.
  
  

  A third section will introduce automated response, by explaining a use case where a system gets infected, server-less code will be executed to protect other systems and enable advanced analytics on the compromised system. This example is based on Microsoft Azure Security Center and azure functions to enforce actions in case a specific alert is triggered.

  January 29, 2020 13:10-13:45

•  AT

  IntelMQ

  Aaron KaplanAaron Kaplan (CERT.at, AT)

  In 2014, several CERTs joined their resources to start an open source toolbox solution for automated incident handling with the goals of simplicity, adaptability, and extensibility. The outcome of their efforts is the IntelMQ software, which is subsequently being used by a great number of CERTs worldwide.

  This workshop will show you how the tool works and how you can implement your own workflows. After an introduction about the concepts and the architecture of the tool, we start with hands-on exercises in a virtual machine. The appliance with a pre-installed toolset is provided in advance.

  January 31, 2020 09:00-10:30, January 31, 2020 10:45-12:30

  PUBLIC-Aaron-Kaplan-IntelMQ-malaga-20200131.pdf

  MD5: ecea5b6df4e5e63e43c7afe2801e4b61

  Format: application/pdf

  Last Update: February 4th, 2020

  Size: 6.82 Mb

•  NL

  NCSC-NL Team Update

  Hielke BontiusHielke Bontius (NCSC-NL, NL)

  Hielke Bontius is responsible for incident response and technical research within the National Cyber Security Centre of The Netherlands (NCSC-NL). His team is primarily responsible for supporting organisations within Dutch central government and critical infrastructure in case of incidents as well as preventing incidents from happening by doing proactive technical research. Before starting working at NCSC-NL in 2011 as an information security specialist he worked for an international financial institution.

  January 30, 2020 16:00-16:20

•  CH

  Opening Remarks

  Dr. Serge DrozDr. Serge Droz (FIRST, CH)

  Serge Droz is the Vice President OS-CERT at Open Systems, one of the leading managed security service providers in Europe. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. Before joining Open Systems, he worked in academia in Switzerland and Canada, later as a Chief Security Officer of Paul Scherrer Institute, as well as in different security roles at SWITCH for more than 15 years. Serge is a member of the board of directors of FIRST. He also served for 2 years in the ENISA (European Union Agency for Network and Information Security) permanent stakeholder group. Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.

  January 30, 2020 09:30-10:30

•  LV

  Pastelyzer — the Paste Analyzer

  Jānis DžeriņšJānis Džeriņš (CERT.LV, LV)

  This presentation highlights a tool developed by CERT.LV in the framework of the CEF project "Improving Cyber Security Capacities in Latvia" named Pastelyzer. The purpose of the tool is to detect leaks of sensitive data (credentials, bank card numbers, etc.) in text documents, but it can also detect and automatically process encoded and/or compressed (e.g., base64, gzip) content. The tool can be used as a command-line utility, or a background service receiving documents from a feed or using HTTP requests.
  
  Currently (in January 2020), the tool is in the beta stage with the source code available. During the presentation, we will give a general overview of the tool, and a few example use cases as well as encourage other CSIRTs to start using Pastelyzer. We're already using Pastelyzer at CERT.LV and hope it will be useful for the wider TF-CSIRT/FIRST community.

  January 30, 2020 14:30-15:00

  PUBLIC-janis-dzerins.pdf

  MD5: 9e2ba0461d4fa50255521b23c275d3d6

  Format: application/pdf

  Last Update: January 30th, 2020

  Size: 527.2 Kb

•  US

  Routing Security: RPKI Usage and Consistency

  John KristoffJohn Kristoff (DePaul University, US)

  BGP, the Internet's routing subsystem that helps guide IP packets from a source to destination network, has recently seen the flourishing of a resource public key infrastructure (RPKI). The RPKI is populated with cryptographically signed Route Origination Authorization (ROA) objects, enabling the authentication of route announcements.
  
  How do these new route authentication mechanisms work? What are the current limitations and areas of ongoing work? How do you measure the deployment and utility of these security protections? What do the current measurements of RPKI usage and deployment tell us? These are some of the questions we attempt to answer in this short talk from a network architect and researcher in the field.

  January 30, 2020 15:30-16:00

•  GB CH

  Security Operation Centre Workshop

  David CrooksLiviu VâlsanDavid Crooks (EGI CSIRT, GB), Liviu Vâlsan (EGI CSIRT, CH)

  The information security threats currently faced by the research community are not only sophisticated but also in many instances highly profitable for the actors involved. Evidence suggests that targeted organisations take on average more than six months to detect a cyber attack; the more sophisticated the attack, the more likely it is that it will pass undetected for longer.
  
  

  One means by which to mount an appropriate response is through the use of a Security Operations Centre (SOC). A SOC can provide detailed traceability information along with the capability to quickly detect malicious activity. The core building blocks of such a SOC are an Intrusion Detection System and a mechanism to work with the threat intelligence, shared within a particular community, that is required for spotting potential cybersecurity threats. In this context, the Worldwide LHC Compute Grid (WLCG) Security Operations Centre Working Group has produced a reference design for a minimally viable Security Operations Centre, applicable at a range of scientific computing sites of varying sizes. The initial design developed by this group uses data sources including the Zeek IDS and netflow/sflow, as well as the MISP threat intelligence sharing platform, and the Elastic stack for data ingestion, storage and visualisation.
  
  

  We propose a workshop focusing on the tools and processes used in this design, as well as the MISP topology and access methods employed by the working group. The agenda for a half-day workshop would include:

  • design requirements
  • demonstration of Dockerised version of the initial model (PocketSOC)
  • choice of data sources and pipelines
  • MISP access methods
  • alerting methods
    
    

  A full-day workshop would include these elements with the addition of:

  • additional deployment discussion
  • data source tuning
  • extended discussion of enrichment techniques
    
    

  The audience for this workshop would be teams interested in deploying a SOC at their own facility, or those with an interest in the technology and techniques used. The design is in principle designed to be applicable to a wide range of organisations; these include sites with a few nodes, large scale organisations such as CERN (whose work in this area laid a foundation for the work of the group) with tens of thousands of nodes, and NRENs.

  January 31, 2020 13:30-15:00, January 31, 2020 15:15-17:00

  PUBLIC-David-Crooks-and-Liviu-Valsan.pdf

  MD5: a34f012630d116ceec8078cc2f254d62

  Format: application/pdf

  Last Update: February 5th, 2020

  Size: 7.56 Mb

•  ES

  SysMon Threat Hunting

  Roberto Amado GimenezRoberto Amado Gimenez (S2 Grupo, ES)

  Nowadays, a good “hunting” process of malicious artifacts is not complete without a review of the activity of the servers and the user’s equipment. This activity can be tracked and monitored by means of different tools, but Sysmon by Sysinternals is the one that has gained more popularity due to its power and versatility. The aim of this workshop is to teach the attendees how to “hunt” both for generic malware and for specimens belonging to APT groups by means of the correct use of tools and the generation of a series of hunts based on actual attacks. Its totally practical approach will have a twofold perspective; on the one hand, the attendees will be able to carry out attacks to a set of preconfigured virtual machines and see how Sysmon is able to register these attacks. Therefore, the students will not only receive training on the intrusion techniques but will also learn about the hunts that permit them to identify them. These will be grouped under the following techniques in the Sysmon logs: lateral movement, check-up, persistence, and exploitation.

  January 31, 2020 09:00-10:30, January 31, 2020 10:45-12:30, January 31, 2020 13:30-15:00, January 31, 2020 15:15-17:00

• Taxonomy Working Group Meeting (invite only)

  Meeting Location: Hotel Vincci Selección Posada del Patio 5*, Pasillo Santa Isabel s/n | 29005 Málaga

  January 28, 2020 15:00-17:00

• TF-CSIRT Steering Committee Meeting (closed)

  Meeting Location: Hotel Vincci Selección Posada del Patio 5*, Pasillo Santa Isabel s/n | 29005 Málaga

  January 28, 2020 09:00-12:00

•  NL

  The Shadowserver Foundation: Updates and Highlights From Recent Activities

  Piotr KijewskiPiotr Kijewski (Shadowserver, NL)

  The non-profit Shadowserver Foundation collects many types of large scale security data sets and provides free daily infection data to network owners for remediation purposes. It regularly works with national CSIRTs, ISPs/hosting companies and law enforcement agencies combating malware, botnets and cybercrime activities. This talk will give an overview of activities undertaken in 2019 and upcoming CSIRT relevant projects.

  January 30, 2020 11:00-11:15

•  DE

  Trusted Introducer: Technical Updates

  Jochen SchönfelderJochen Schönfelder (DFN-CERT, DE)

  As the last years saw a lot of internal work within the TI tooling, the upcoming months will be more focussed about new or replaced applications. This talk shall provide an overview about the upcoming tools and (technical) services TI will provide. .

  January 29, 2020 13:45-14:15

•  CZ

  Wait, ICS Doesn’t Stand for "Internet-Connected Systems"?

  Jan KoprivaJan Kopriva (ALEF, CZ)

  Although most of us are aware that not all Industrial Control Systems (ICS) are well-protected, it can be quite startling to actually take a look at how many of these systems are accessible on the Internet. A couple of months back, ALEF CSIRT started to monitor the number of internet-connected ICS devices, both on a global scale as well as in specific countries. In this presentation, we will go over the data we've gathered and we will take a look at a couple of the Industrial Control Systems which are/were out there.

  January 30, 2020 11:45-12:15

  Jan-Kopriva-January-30th-1145-1215-public-slides.pdf

  MD5: 6bfea1c9667b1d00d33c751ce8466f50

  Format: application/pdf

  Last Update: January 13th, 2020

  Size: 943.68 Kb