Overview
The 54th TF-CSIRT meeting took place from 24th – 25th May 2018 in Warsaw, Poland, kindly hosted by CERT-OPL and CERT.PL. Slides are included in the programme below, subject to permission from the authors.
Venue
Wednesday
NASK Research and Academic Computer Network (Kolska 12, 01-045 Warsaw)
Thursday & Friday
Orange (CERT-OPL) Conference Centre (Aleje Jerozolimskie 160, Warsaw).
Accommodation
Please find a list of recommended hotels here.
Registration
Registration is now closed. Unfortunately the capacity for the 54th TF-CSIRT meeting has been reached. Please contact Nicole Harris or Sigita Jurkynaite to be added to the waiting list.
Please register separately for:
- TRANSITS Train the Trainer: 10:00 – 17:00, Wednesday 23rd May 2018. (Venue: NASK, Kolska 12, Warsaw)
- Taxonomy Meeting: 15:30 – 17:00, Wednesday 23rd May 2018. (Venue: NASK, Kolska 12, Warsaw)
Programme
Wednesday 23rd May 2018
(Venue: NASK, Kolska 12, Warsaw)
TIME | EVENT |
---|---|
09:00 – 15:00 | TF-CSIRT Steering Committee – Invitation only |
10:00 – 17:00 | TRANSITS Train the Trainer – registration |
15:30 – 17:00 | Taxonomy Meeting – registration |
18:00 | Social event at Pub Lolek (informal, self-paid) |
Thursday 24th May 2018
(Venue: Orange CERT-OPL Conference Centre, Aleje Jerozolimskie 160, Warsaw)
TIME | SPEAKER | SUBJECT |
---|---|---|
09:00 – 12:00 | Various | TF-CSIRT Closed Meeting – Invitation only for accredited and certified teams and TI Associates |
12:00 – 13:00 | LUNCH | LUNCH |
13:00 – 13:10 | Baiba Kaskina, TF-CSIRT SC | Welcome |
13:10 – 13:40 | TF-CSIRT / TI Team | TF-CSIRT Steering Committee Update: A brief update from the TF-CSIRT Steering Committee, reviewing SC membership, certifications, GDPR, WHOIS and other topics. Trusted Introducer Update: An update from the Trusted Introducer team on team statistics, efforts to clean up the TI Directory, and technical changes. |
13:40 – 14:00 | Panos Chatziadam, FORTH-CERT | FORTH-CERT Update: In this presentation, Panos will give an update on the FORTH-CERT team and some of the projects they have been involved in recently. TLP:WHITE |
14:00 – 14:30 | Antoine Neuenschwander, SWITCH | Web Cryptominers in the .CH Zone: Blockchain is hip. Not only do crypto valley startups have high hopes of making groundbreaking innovations; cyber criminals also see high potential for profit in cryptocurrencies. Since autumn 2017, ransomware has seemingly left the field to cryptominers. Instead of extorting Bitcoins from users, the malware runs silently in the background and parasitises the system's resources for cryptomining. With the advent of altcoins specifically designed for mining on general-purpose CPUs, and corresponding JavaScript implementations (e.g. coinhive.com), web cryptominers are now proliferating. The SWITCH foundation, as operator of the .CH registry, is required by the Ordinance on Internet Domains (OID) to block domain names being used for the distribution of harmful software. In this session, Antoine will present how web cryptominers affect the .CH zone and how SWITCH deals with such cases. Elements of this presentation were TLP:GREEN; the slides made available are TLP:WHITE. |
14:30 – 14:45 | Bilgehan Turan, EATM-CERT | The Different Usages of Splunk: In this presentation, Bilgehan will present on the following areas: TLP:WHITE |
14:45 – 15:00 | Edvard Rejthar, CSIRT.cz | CSV-Parsing Tool: Convey. CSIRT.CZ uses OTRS (Open-source Ticket Request System) to handle reported incidents. Distributing the relevant information took a lot of time, notably because our partners send their reports in various CSV formats. The presentation will introduce the functionality of Convey, an open-source application that we developed to parse and handle any CSV file. It might help you to perform filtering operations if the file is too large for your spreadsheet processor, split the contents into smaller files by a column value to be sent automatically to various e-mail addresses, batch-pull WHOIS information, or change the CSV dialect for whatever reason. TLP:GREEN |
15:00 – 15:30 | BREAK | BREAK |
15:30 – 16:00 | Torsten Juul-Jensen, TDC SOC CERT | The Incident Responder's Toolkit: Torsten will give a walkthrough of the TDC SOC CERT kit (called the "jumpbag"), which they prepared in their CSIRT and use at the incident scene. This will be a hardware-focused presentation with small stories of how and why the different pieces were selected. |
16:00 – 16:15 | Wojciech Świeboda, CERT OPL | Sality Botnet Peer-to-Peer Traffic: Sality is a malware family comprising a polymorphic file infector and a P2P component, used primarily as a malware distribution platform. In this talk Wojciech will briefly discuss Sality's P2P traffic patterns, as well as the structure and coverage of the underlying botnets. TLP:WHITE |
16:15 – 16:45 | Kevin Meynell, Internet Society | Routing Security Initiative (MANRS): MANRS attempts to address some of the trust-based issues of BGP by encouraging network operators to commit to four actions: filtering, anti-spoofing, coordination and address prefix validation. The Internet Society has developed, and continues to develop, resources to support this (including a monitoring/warning system). TLP:WHITE |
16:45 – End | Baiba Kaskina, TF-CSIRT SC | End of Day Comments |
19:00 | SOCIAL EVENT | Participants are warmly invited to join us at Level 27 for evening entertainment. |
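The Convey talk above describes the everyday CSV chores of an abuse desk: filtering rows, splitting a report by a column value so each chunk can go to a different recipient, and converting the CSV dialect. The following is an added example of those operations, written for this page and not Convey's own code; it uses only the Python standard library, and the sample report, its column names and the contact addresses are constructed for the example.

```python
"""Filter, split and re-dialect an abuse report CSV.

Added illustration of the CSV handling the Convey talk describes; this is
not Convey's code. Sample data and column names below are constructed.
"""
import csv
import io
from typing import Dict, List

# Constructed sample: a partner report in a semicolon-delimited dialect.
# The abuse_contact column decides which recipient each row is sent to.
SAMPLE_REPORT = """ip;timestamp;category;abuse_contact
192.0.2.10;2018-05-20T10:00:00Z;malware;abuse@example.net
198.51.100.7;2018-05-20T10:05:00Z;scanner;abuse@example.org
192.0.2.11;2018-05-20T10:07:00Z;malware;abuse@example.net
203.0.113.5;2018-05-20T10:09:00Z;phishing;abuse@example.com
"""


def read_rows(text: str) -> List[Dict[str, str]]:
    """Parse CSV text of unknown dialect into a list of row dicts.

    csv.Sniffer is given the first few lines only, so large files do not
    need to be read twice; it picks the delimiter from ';', ',' or tab.
    """
    sample = "\n".join(text.splitlines()[:10])
    dialect = csv.Sniffer().sniff(sample, delimiters=";,\t")
    return list(csv.DictReader(io.StringIO(text), dialect=dialect))


def filter_rows(rows: List[Dict[str, str]], column: str, value: str) -> List[Dict[str, str]]:
    """Keep only rows whose `column` equals `value` (a spreadsheet-style filter)."""
    return [row for row in rows if row.get(column) == value]


def split_by_column(rows: List[Dict[str, str]], column: str,
                    output_dialect: str = "excel") -> Dict[str, str]:
    """Group rows by the value in `column` and render each group as CSV.

    Returns {column value: CSV text}. The output is written in the requested
    dialect ("excel" = comma-separated), so a semicolon report from a partner
    goes out as plain comma-separated files regardless of how it arrived.
    """
    groups: Dict[str, List[Dict[str, str]]] = {}
    for row in rows:
        groups.setdefault(row[column], []).append(row)

    outputs: Dict[str, str] = {}
    for key, group in groups.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(group[0].keys()),
                                dialect=output_dialect, lineterminator="\n")
        writer.writeheader()
        writer.writerows(group)
        outputs[key] = buf.getvalue()
    return outputs


if __name__ == "__main__":
    rows = read_rows(SAMPLE_REPORT)
    for contact, chunk in split_by_column(rows, "abuse_contact").items():
        # In a real workflow each chunk would be attached to a mail to `contact`.
        print(f"--- to {contact} ---\n{chunk}")
```

The per-recipient chunks are returned as strings rather than written to disk, so the same function can feed a mailer, a ticket system attachment or a file writer; the dialect conversion happens on output, which is where the recipient's tooling matters.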
Friday 25th May 2018
(Venue: Orange CERT-OPL Conference Centre, Aleje Jerozolimskie 160, Warsaw)
TIME | SPEAKER | SUBJECT |
---|---|---|
09:00 – 09:10 | Baiba Kaskina, TF-CSIRT SC | Welcome |
09:10 – 09:40 | Varis Teivans, CERT.LV | Building an Efficient Backdoor Distribution System: This talk will provide some insight into techniques used by cyber criminals to build an efficient backdoor distribution system, so that the dirty job is actually done by other hackers/script kiddies who become minions without their consent (backdoored backdoors). A story of how the investigation of one compromised website led to ~400 unique victims with webshells, notifying the victims and fixing at least one small part of the Internet. The presenter will also describe how some of these simple techniques have been observed in numerous incidents involving "code reuse" or what seems to be legitimate open-source code. TLP:WHITE |
09:40 – 10:00 | Javier Berciano, INCIBE | Fraudulent Stores: .es Case Study. A recent report on Online Business Models Infringing Intellectual Property Rights from the European Union Intellectual Property Office (EUIPO) identifies a pattern of specific abuse of the domain name system (DNS) taking place on several country code top-level domains (ccTLDs). One of the identified countries was Spain and our ccTLD, .es. Based on this report and an increasing number of reports from Spanish end customers, we decided to start an internal investigation so as to be able to detect such domains as soon as they are registered, involving domain name registrars and the .es ccTLD registry, the relationship with end customers, and information about the real impact. We would like to share our experience and information on this topic: how we are detecting these domains, the management process involving the ccTLD registry and domain name registrars, and the impact on Spanish end customers. TLP:WHITE |
10:00 – 10:30 | BREAK | BREAK |
10:30 – 10:50 | SISSDEN Consortium Presentation: Piotr Kijewski, Shadowserver | The SISSDEN Honeypot Sensor Network This talk will cover the framework developed under SISSDEN to facilitate the rapid large scale deployment of honeypot sensors. It will describe the status of the currently deployed honeypot sensor network under the EU H2020 SISSDEN project, introduce the management platform, the data collection and storage methods. It will also give an overview of how data collected with honeypots is shared with the CSIRT community and how the CSIRT community can help in this process. TLP:WHITE |
10:50 – 11:05 | SISSDEN Consortium Presentation: Johannes Krupp, Saarland University | Honeypot-based Monitoring of Amplification DDoS Attacks: In recent years, amplification DDoS attacks have gained popularity and become a serious threat to Internet participants, with reported attack bandwidths exceeding hundreds of Gigabit/s. However, beyond anecdotal evidence, little is known about the global amplification DDoS threat landscape. We present AmpPot, a novel honeypot that makes it possible to monitor such attacks in real time, and our findings from a globally deployed sensor network. TLP:WHITE |
11:05 – 11:25 | SISSDEN Consortium Presentation: Piotr Bazydło, NASK | Observations of Malicious Activities in a Darknet – from DoS Detection to Botnet Fingerprinting: A darknet (network telescope) is an unused IP address space in which we should typically observe no network traffic. However, a lot of packets can be spotted in the darknet, and these fall into three main categories: (1) misconfiguration of network devices/applications, (2) scanning activities, (3) backscatter from DoS attacks. This presentation gives general statistics for NASK's darknet traffic and case studies from observations of DoS attacks, massive scanning activities, and scanning activities connected with vulnerability disclosures or exploit publications. Moreover, the presentation describes the idea behind the Packet Generation Algorithm (PGA) analyzer, which detects signatures in network packets, thus making it possible to fingerprint specific botnets and tools in network traffic. TLP:GREEN |
11:25 – 11:45 | SISSDEN Consortium Presentation: Paweł Srokosz, CERT.PL / NASK | mtracker – Our Approach to Tracking Botnets: At CERT.PL, we focus a lot on studying and analyzing the inner workings of various botnets in order to learn more about how they operate. We found that the best strategy for getting information out of a botnet is tricking it into sending all the interesting information to us. In this talk, we will describe our latest project, which does exactly that: mtracker. We want to share our insights from a year of tracking, compare our approach with black-box solutions, discuss the main emerging challenges and consider possible solutions. Although we will not focus on specific malware protocols, we will mention them in passing. TLP:WHITE |
11:45 – 12:00 | SISSDEN Consortium Presentation: Arturo Campos, CyberDefcon | Striking the Right Balance Between Legal Data Protection and Remediating Cyber Threats: Projects that collect attack data using honeypots and analyse it face legal challenges in how to store and share such information within and outside the security communities. The presentation will focus on these legal challenges and on how it is possible to design a data sharing process that can technically and legally accommodate the new legal requirements in Europe, namely the GDPR. TLP:AMBER |
12:00 – 13:00 | Lightning Talks | 10 five-minute presentations, including: Andrew Cormack – GDPR Quotable Quotes; Andrew Cormack – GDPR DPIA for SOC/CSIRT |