During last decade the number of DDoS attacks has been significantly on the rise in terms not only of volume, but target industries as well. In the past, DDoS attacks might target gambling or government sites as an expression of resentment or anger. Moreover, DDoS attacks were not that easy to launch, and skills, tools and right equipment needed.

Nowadays though, with 200Gbps optical transceivers available, and prices for 10Gbps decreasing and all over the place, RAM and CPU/GPU more than ever and at approachable prices, D(D)oS attacks are on ones’ fingertips. Adding on top of the latter the availability of open source tools, tutorials on how to use them and the new legal web DDoS tools known as stress testers such attacks are easier than ever.

During this short presentation, the need for DDoS mitigation infrastructure will be stated by means of the recent “DDoS Survey” pointed at GÉANT APMs and relevant audience. In particular, it has been found that 30% of the respondents deal with attacks that can’t mitigate themselves. That is an early indicator for GÉANT that a mitigation infrastructure should be in place for future and more demanding situations.

The tools tested will be discussed, amongst the network design that used to facilitate these following a short demo.

TLP: Green

In October 2016 SURFcert & SURFnet organised a two-day cybersecurity exercise under the name OZON. 28 constituents participated in this exercise which had a challenging and realistic scenario for both technicians and board members. More than 200 individuals played two days with a near real life exercise, linking IT specialists, lawyers, communication experts, security and privacy officers, and the board of directors together. The exercise simulated a complicated, multi stage attack form a hacker group with strategic dilemmas for ICT management and board members, and tactical and technical dilemmas for the ICT departments.

In this presentation, we will discuss how we designed and prepared this exercise and do a brief walkthrough of the scenario, with both strategic and operational elements. We also will present the outcome of the exercise in terms of recommendations for both the way you can organise crisis exercises and for improving your crisis organisation, processes and tooling. As a conclusion we will discuss different kind of exercises and the benefit of each for organisations.

TLP: White

A short introduction to the CLAW Crisis Management Exercise with a short interactive session to gain input from TF-CSIRT to make sure the event will also speak to their needs.

TLP: White

There are several public sources (OSINT) on the Internet that can
provide information about vulnerabilities in computer systems. Commonly
used OSINT sources are Censys and Shodan.The reliability and accuracy of such sources go often beyond the information organizations have themselves. In addition, these sources are often designed to detect specific vulnerabilities and therefore are quite accurate. SURFnet in collaboration with GDI is collecting OSINT sources and visualizing them in an Elastic Stack environment. Constituent CERT/CSIRT teams will get access to a Kibana dashboard and therefore will be able to see relevant OSINT reports and be able to create their own queries on the data.

TLP: White

At the 49th TF-CSIRT meeting, members agreed to support the consolidated FIRST Traffic Light Protocol definitions.  This short session will invite members to vote on accepting the wording changes into the Trusted Introducer accreditation process.

At the 50th TF-CSIRT meeting, participants were involved in break-out discussion groups to review the current status of listed teams within the Trusted Introducer process and look at future proposals for how to manage listed teams. This presentation will give an update on that discussion and proposed next steps.

TLP: White

Backscatter traffic is a side effect of spoofed DDoS packets. The analysis of backscatter leads to knowledge about ongoing attacks and the targeted IP addresses. The gathered information may help to mitigate the attacks and could give additional insights.

TLP: Green

The CSIRT Code of Practice is one of the documents that Accredited TI teams are asked to support as part of the accreditation process.  This was last updated in 2005.  At the 48th TF-CSIRT Meeting in Riga, Don presented on some of the proposed updates.  This session will present on the most up-to-date changes. The latest draft is available for review

TLP: White

Pawel will give an introduction to CERT PKO BP – a newly listed TI Team.

TLP: White

CyberGreen: Improving Cyber Health Through Measurement and Mitigation: Yurie Ito

TLP: White

DLL hijacking vulnerability CVE-2016-4116 in Adobe Flash Player has been discovered during our analysis of an older public-available malware sample. This presentation describes our analysis of this vulnerability, responsible disclosure, additional research and identification of other similar flaws. Exploitation of this vulnerabilities in signed programs for bypassing the User Access Control (UAC) and DLL hijacking.  The presentation will also includes description and demonstration of two unresolved 0-day vulnerabilities in Microsoft Windows 7 and Google Chrome installer.

TLP: Green

The Common Vulnerabilities and Exposures (CVE) program uniquely identifies and names publicly-disclosed vulnerabilities in software and other codebases. CVE Numbering Authorities (CNAs) are an important part of the CVE program and are given the ability to identify and name CVE IDs in coordination with the MITRE CVE team. Participating as a CVE CNA allows organizations to have more control over their vulnerability management and disclosure processes while also ensuring a consistent level of service and a high quality of content within the CVE list. Becoming a CNA can be beneficial to vendors, coordination centers, and their customers, and it helps build a community of practice that continues to help improve the state of vulnerability management across many sectors. Join Daniel Adinolfi of the CVE program to learn about these benefits and how to participate.

TLP: White

This meeting will look at 2 issues:

• API and data requirements for the TI database to enable wider sharing and usage of TI data;
• Agreement on incident types used by teams.

During abuse handling project, CERT-Bund came up with the problem that some of the types used by IntelMQ seem to overlap. One example for rather unclear incident types would be “botnet drone” and “ransomware”. For reporting it may be preferable to group them as “malware infection”. As this topic interferes with other taxonomies I see the need for better agreement and would like to discuss this with a broader audience. Ideally the eCSIRT.net taxonomy should form an agreed basis.

This meeting will take place in room “Africa” on the ground floor of the World Forum, on the left-hand side of the World Forum Theatre.