Two members of OxCERT attended the annual conference of FIRST (Forum of Incident Response and Security Teams). This year it was held in the Hilton Hotel in St. Julian’s, Malta. Situated in the heart of the beautiful Portomaso waterfront in fashionable St. Julian’s, just fifteen minutes from the UNESCO World Heritage City of Valletta.
On the day prior to the conference start, OxCERT attended a meeting of educational and research networks, the Academic CSIRT Meeting, hosted by TERENA. The aim of this second Academic CSIRT meeting (the first being during the 2011 conference) was to discuss issues affecting CSIRTs whose constituencies include National Research and Education Networks, Universities, research institutions and/or other related organisations. Andrea Kropacova from Czech Republic’s National Research and Education Network (NREN) gave a few inspiring presentations including ‘Academic Security Policies’ and ‘Trends in security incidents’ which stimulated constructive and ongoing discussions among the audience. Two sources of security incident information (Shadow Server, TeamCymru) of five that she frequently mentioned in her talk (the others being UCEprotect, DSheild, NASK Polska) have also been widely used by our team and gives us a chance to learn about other sources. Also a team from Brazil which connects 15 countries of Latin-America attracted quite some interest. They work on malicious activity monitoring, incident handling and providing assistance to CSIRTS.
On the first full day of the conference, we enjoyed two plenary talks ‘IT Security @ European Commission’ and ‘DigiNotar Crisis’ given by Francisco García Morán and Aart Jochem respectively. Discussion over coffee break revealed the significance of actual incidents as being critical support to policy making especially for EC, but also for any organisation working to put IS policies in place. As traditional, the conference split into separate tracks in the afternoons. One talk was about how to examine network activity of PoisonIvy and to detect their command and control servers, which should prove very useful for our own monitoring.
The second session of Tuesday morning was given by Jean-Christophe Le Toquin from Microsoft. His main message is that security teams should go nationally and be cross-disciplinary – to quote: “find a hammer and break your own silo!”. Of the ‘TECHNICAL FOUNDATIONS’ track in the afternoon, Christopher Smithee from Lancope, Inc. talked about detecting advanced persistence threats (APT) using netflow, which requires different approaches that traditional means, mainly monitoring the interactions of your own internal systems to spot compromises.
In the evening of Wednesday, we moved by coach to the magnificent Mdina (the old capital of Malta) for the conference banquet. After a drink reception on the top of this 2700-yr old town, we started the lovely dinner with live music. A big chat with our friends from Warwick and Janet certainly brightened up the night.
On Thursday we enjoyed a talk by a representative (Chad Greene) from Facebook who convinced the audience that Facebook had been compromised, however the compromise was in fact only a test of Facebook’s incident handling procedures. Something of a smaller scale would certainly be a useful exercise to test a CERTs readiness.
During a networking break with CERT Polska we learned of many useful detection techniques they employ, particularily on peer2peer ZeuS malware and found they also host an IT Security conference.
A hardware vendor showed off a sophisticated Portable Malware Lab, which uses their proprietary virtualization to run the malware lab Operating System alongside a fully functional Windows or Ubuntu OS, each having a dedicated processor for their own use. A very useful product but with a $15K price tag, likely out of reach for many CERT teams.
The final day of the conference began with Lance Spitzner from the SANS Institute, US exploring ‘The Past, Present and Future of Surviving the World of Security’. The focus of the talk was one of educating users and communicating effectively, and encouraged phishing assessments on organization staff as an educational tool.
In all, it has been a great conference which shall keep inspiring and motivating greater advancement in IT security throughout the world. We look forward to attending 2013 FIRST.