Thursday morning began with a keynote from Prof Kilnam Chon of KAIST, entitled The Other Billion, considering the demands and challenges posed by the internet users expected to come online over the next few years, mostly in Africa and Asia. The speaker noted that FIRST currently has membership from around seventy nations and called upon us to look to double this as soon as we can. FIRST is working on this through its Fellowship Programme and through the running of smaller-scale regional meetings specifically targeting developing nations.

A presentation followed on security metrics, with the message that one should always be thinking of novel metrics, explore the data, then see whether they are useful. Many good examples were presented, generally based on data readily available from Shodan. My favourite was a table of “universities needing toner”, determined from querying unfirewalled printers on their networks. Perhaps thankfully for us, this only looked at US universities!
Later talks included one on a detailed analysis of a banking trojan (Vawtrak, also known as Neverquest) and another on Limon Sandbox, a toolkit for examining Linux malware. It combines static, dynamic and memory analysis, and is definitely worthy of further investigation.
The day concluded with the annual ritual of the AGM, including the all-important elections to the Board of Directors, hotly contested this year with the final place on the Board being a tie and having to be determined by a coin toss. Another important vote was to amend the quorum for future AGMs – with the expansion of the organisation, it has been increasingly difficult to ensure that the required number of team representatives (or their proxies) are in attendance.
Friday’s keynote was from Christopher Clark of Palo Alto Networks, looking at lessons learned from building a global security response team. While their team is on a vastly different scale to ours, it was interesting to see the similarities. In particular, while staff will have their own specialisations, they are nevertheless expected to have skills across a range of different areas, and all will have a balance of response and research as part of their role. There was also a culture of automation; as a rule of thumb, any task performed three or more times should be considered for automation. Past talks from companies such as Google have encouraged a similar philosophy.

Next up was internet pioneer Paul Vixie on DIY threat intelligence, in particular leveraging DNS Response Policy Zones. This is something we are using ourselves, but there is scope to take it much further. Some suggestions were hypothetical but might be appropriate for some sites, for instance blocking entire top-level domains by default when they are widely abused (typically because they are very cheap or even free to use). He also considered reputation-based filtering by domain registrar, and even floated the possibility of a “default deny” approach to DNS – probably a little too drastic for our environment!
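To make the RPZ ideas above concrete, here is an added example (not code from the talk or from OxCERT) that models how a resolver evaluates RPZ QNAME triggers against a policy zone. It covers only the QNAME trigger type and the four common actions (NXDOMAIN, NODATA, passthru, drop); the zone contents, the blocked TLDs and the apex name rpz.example.org are all constructed for illustration, and modelling the “default deny” as a bare `*` catch-all trigger with more specific passthru entries is an assumption about how one would express it rather than anything the talk prescribed. The point it demonstrates is precedence: the most specific matching trigger wins, which is what lets an allow-list entry punch a hole through a TLD-wide or default block, and a wildcard `*.tld` does not cover the bare TLD or names listed exactly without their own `*.` entry.

```python
"""Minimal model of DNS Response Policy Zone (RPZ) QNAME-trigger evaluation.

Added example for reasoning about RPZ policies offline; not the talk's code.
Only QNAME triggers are modelled. Actions follow RPZ convention:
    CNAME .              -> NXDOMAIN
    CNAME *.             -> NODATA
    CNAME rpz-passthru.  -> resolve normally
    CNAME rpz-drop.      -> drop the query silently
Owner names are relative to the (assumed) policy zone apex rpz.example.org.
"""
from __future__ import annotations

RPZ_APEX = "rpz.example.org"  # assumed policy zone name

# Constructed zone 1: block abused TLDs, with an allow-listed exception.
TLD_BLOCK_ZONE = """\
*.tk            CNAME .              ; NXDOMAIN everything under an abused TLD (illustrative choice)
*.work          CNAME .
good.tk         CNAME rpz-passthru.  ; one legitimate name under the blocked TLD
*.good.tk       CNAME rpz-passthru.  ; ...and its subdomains (an exact entry alone does not cover them)
c2.bad.work     CNAME rpz-drop.      ; drop rather than answer NXDOMAIN
"""

# Constructed zone 2: "default deny" - the same, plus a catch-all and an allow-list.
DEFAULT_DENY_ZONE = TLD_BLOCK_ZONE + """\
*               CNAME .              ; catch-all: anything not matched more specifically is NXDOMAIN
ox.ac.uk        CNAME rpz-passthru.
*.ox.ac.uk      CNAME rpz-passthru.
"""

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def parse_rpz(zone_text: str) -> dict[str, str]:
    """Parse 'owner CNAME target' lines into {trigger: action}.

    '*' alone is the catch-all trigger; '*.name' matches any name strictly below name.
    """
    policy: dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() != "CNAME":
            raise ValueError(f"only CNAME actions are modelled: {line!r}")
        policy[owner.lower().rstrip(".")] = ACTIONS[target]
    return policy


def evaluate(qname: str, policy: dict[str, str]) -> str | None:
    """Return the policy action for qname, or None if no trigger matches.

    Precedence: an exact trigger beats any wildcard; among wildcards the
    longest (most specific) wins; the bare '*' applies only as a last resort.
    """
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # *.parent for each proper parent, longest first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return policy.get("*")                   # catch-all, if the zone has one


if __name__ == "__main__":
    for label, zone in (("TLD block", TLD_BLOCK_ZONE), ("default deny", DEFAULT_DENY_ZONE)):
        pol = parse_rpz(zone)
        print(f"--- {label} ({len(pol)} triggers) ---")
        for q in ("www.example.tk", "tk", "good.tk", "mail.good.tk",
                  "c2.bad.work", "x.c2.bad.work", "www.example.com", "www.ox.ac.uk"):
            print(f"{q:20s} -> {evaluate(q, pol)}")
```

Run as-is, the TLD-block zone returns NXDOMAIN for www.example.tk but None (normal resolution) for the bare name tk and for www.example.com, PASSTHRU for good.tk and mail.good.tk, DROP for c2.bad.work, and NXDOMAIN for x.c2.bad.work because the exact drop entry does not extend to subdomains. The default-deny zone turns every unlisted name, including tk and www.example.com, into NXDOMAIN while still passing www.ox.ac.uk through. In BIND the real zone would be loaded under `response-policy { zone "rpz.example.org"; };`, and a resolver applies the same longest-match rule across the triggers in a zone.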
The final talk was on using Windows event logs to track the movement of so-called “advanced persistent threats” (APTs) – essentially, looking for unusual activity such as unauthorised use of domain administrator accounts.
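As an added illustration of the kind of check that talk describes (this is not the speaker’s code or a tool the talk named), the following runs a small detection pass over Windows Security log events: 4624 (account logon) and 4672 (special privileges assigned to new logon). It flags a domain administrator account logging on interactively to a host that is not a privileged access workstation or domain controller, the same account receiving admin privileges on such a host, and an admin account fanning out over network logons to several ordinary hosts in a short window. The account names, host names, privileged-host set and every event record below are constructed for the example; in a real deployment the events would be pulled with Get-WinEvent or from a SIEM rather than an inline list.

```python
"""Detection pass over Windows Security events for misuse of domain admin accounts.

Added example, not from the talk. Events are dicts using the EventData field
names of the Security log; all records, accounts and hosts are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

ts = datetime.fromisoformat

# Constructed policy: privileged accounts and the only hosts they should log on to.
DOMAIN_ADMINS = {"CORP\\da-alice", "CORP\\da-bob"}
ADMIN_HOSTS = {"PAW01", "PAW02", "DC01", "DC02"}     # PAWs and domain controllers

INTERACTIVE_TYPES = {2, 10, 11}   # 4624 LogonType: console, RDP, cached interactive
NETWORK_TYPE = 3                  # 4624 LogonType: network (SMB, WMI, remote admin tools)

# Constructed sample events (only the fields the rules need).
EVENTS = [
    # legitimate: admin RDPs to a domain controller from a PAW
    {"EventID": 4624, "TimeCreated": ts("2015-06-18T09:00:00"), "Computer": "DC01",
     "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 10,
     "IpAddress": "10.0.0.11", "WorkstationName": "PAW01"},
    # suspicious: admin account RDPs into an ordinary workstation from another workstation
    {"EventID": 4624, "TimeCreated": ts("2015-06-18T09:05:00"), "Computer": "WS-FIN-07",
     "TargetDomainName": "CORP", "TargetUserName": "da-bob", "LogonType": 10,
     "IpAddress": "10.0.5.23", "WorkstationName": "WS-HR-02"},
    # the same misuse as seen from 4672 on the target host
    {"EventID": 4672, "TimeCreated": ts("2015-06-18T09:05:01"), "Computer": "WS-FIN-07",
     "SubjectDomainName": "CORP", "SubjectUserName": "da-bob"},
    # suspicious: the account then fans out over network logons to five workstations
    *[{"EventID": 4624, "TimeCreated": ts(f"2015-06-18T09:{10 + i:02d}:00"),
       "Computer": f"WS-ENG-{i:02d}", "TargetDomainName": "CORP",
       "TargetUserName": "da-bob", "LogonType": 3,
       "IpAddress": "10.0.5.23", "WorkstationName": "WS-HR-02"} for i in range(5)],
    # benign: an ordinary user at their own console
    {"EventID": 4624, "TimeCreated": ts("2015-06-18T09:30:00"), "Computer": "WS-FIN-07",
     "TargetDomainName": "CORP", "TargetUserName": "carol", "LogonType": 2,
     "IpAddress": "-", "WorkstationName": "WS-FIN-07"},
]


def account(ev: dict, prefix: str) -> str:
    """DOMAIN\\user from Target* (4624) or Subject* (4672) fields."""
    return f"{ev[prefix + 'DomainName']}\\{ev[prefix + 'UserName']}"


def detect(events, domain_admins=DOMAIN_ADMINS, admin_hosts=ADMIN_HOSTS,
           fanout_threshold=4, window=timedelta(minutes=30)) -> list[dict]:
    """Return alerts, in time order, for privileged-account activity off the admin hosts."""
    alerts: list[dict] = []
    network_logons: dict[str, list] = defaultdict(list)   # account -> [(time, host)]
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        host = ev["Computer"].upper()
        if ev["EventID"] == 4624:
            acct = account(ev, "Target")
            if acct not in domain_admins or host in admin_hosts:
                continue
            if ev["LogonType"] in INTERACTIVE_TYPES:
                # credentials (and often a reusable token) now sit on a non-admin host
                alerts.append({"rule": "admin_interactive_on_nonadmin_host", "account": acct,
                               "host": host, "source": ev["WorkstationName"],
                               "time": ev["TimeCreated"]})
            elif ev["LogonType"] == NETWORK_TYPE:
                network_logons[acct].append((ev["TimeCreated"], host))
                recent = {h for t, h in network_logons[acct] if ev["TimeCreated"] - t <= window}
                if len(recent) == fanout_threshold:   # fire once, when the threshold is crossed
                    alerts.append({"rule": "admin_network_fanout", "account": acct,
                                   "host": host, "source": ev["IpAddress"],
                                   "time": ev["TimeCreated"], "hosts": sorted(recent)})
        elif ev["EventID"] == 4672:
            acct = account(ev, "Subject")
            if acct in domain_admins and host not in admin_hosts:
                alerts.append({"rule": "special_privileges_on_nonadmin_host", "account": acct,
                               "host": host, "source": None, "time": ev["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["time"].isoformat(), a["rule"], a["account"], a["host"], a.get("hosts", ""))
```

On the constructed sample this produces three alerts, all for CORP\da-bob: the interactive logon to WS-FIN-07, the matching 4672 on that host, and one fan-out alert when the fourth distinct workstation is reached over network logons within the window. The 4672 rule is restricted to the domain admin set on purpose: local administrators generate 4672 on their own machines constantly, so alerting on every occurrence off the admin hosts would be far too noisy.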
Formal proceedings drew to a close at lunchtime, with the draw for sponsors’ prizes, thanks and closing remarks. Some delegates stayed on for various associated meetings or training in the afternoon and over the weekend, while others relaxed, started out for home, or else took some time to explore the city before doing so. (As indeed I did myself, not least to take some of the photos for these blog posts.)
Once again, a superb conference, packed with interesting presentations, information on useful tools and approaches, and, just as importantly, the value gained through informal conversations with other delegates over the course of the week. Next year’s conference will be another long-haul trip but in a different direction, namely to Puerto Rico, and we hope that once again OxCERT can be represented.