Thursday opened with a keynote from Olaf Kolkman of the Internet Society, looking at how to maintain an open but secure internet through effective collaboration. The open nature of the internet has meant that individuals and organisations have been at liberty to innovate, but that same openness that allowed Tim Berners-Lee to develop the web has allowed the bad guys to invent malware. He stressed that “if you are on the internet, you have a responsibility towards it”. Likewise manufacturers and vendors of internet-connected equipment have a similar responsibility to ensure that their products. CSIRTs have a role to play not just in responding to incidents but in promoting industry best practice within their communities, for instance mutually agreed norms for routing security (MANRS).
Next was our good friend Andrew Cormack of Jisc on “Protecting Privacy through Incident Response”. Security teams will inevitably be working with data which has the potential to breach users’ privacy, but should only do so lawfully and in a minimally-intrusive manner, proportionate to the threats they are trying to address. Simple measures can reduce the invasiveness of routine work, such as ensuring that access logs are kept separate from login records, only bringing the two together at the point where a person clearly needs to be identified – for example at the point at which a system has been confirmed to be infected with malware and its owner or user needs to be traced and informed.

One presentation described a study of how incident responders think, working with four experts on a small selection of incident scenarios and studying their decision-making processes. It was interesting that the experts responded to some of the scenarios in quite different ways, although it was noted that there was more commonality when the incident report was more structured, something that might be improved if those reporting incidents are encouraged to do so in a more structured manner.
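The separation of access logs from login records that Cormack describes, as an added sketch that is not part of his talk or this post: routine triage runs on the access log alone and yields addresses, and the join to a login record happens only for one address at one moment, against a confirmed incident reference, leaving an audit entry behind. The sample data, field names and the incident-reference check are constructed assumptions.

```python
from datetime import datetime

# Constructed access log: what an address did, but not who it belongs to.
ACCESS_LOG = [
    {"ts": "2015-06-18T09:15:02", "ip": "10.20.30.41", "dst": "c2.example.invalid"},
    {"ts": "2015-06-18T09:17:40", "ip": "10.20.30.42", "dst": "www.example.ac.uk"},
    {"ts": "2015-06-18T09:18:11", "ip": "10.20.30.41", "dst": "www.example.ac.uk"},
]

# Constructed login records, held separately: who had which address and when.
LOGIN_RECORDS = [
    {"ip": "10.20.30.41", "user": "user0123",
     "from": "2015-06-18T08:55:00", "to": "2015-06-18T12:00:00"},
    {"ip": "10.20.30.41", "user": "user0456",
     "from": "2015-06-18T12:00:00", "to": "2015-06-18T18:00:00"},
    {"ip": "10.20.30.42", "user": "user0789",
     "from": "2015-06-18T09:00:00", "to": "2015-06-18T17:00:00"},
]


def detect_suspect_addresses(access_log, bad_hosts):
    """Routine triage on access records alone: returns addresses, never people."""
    return sorted({e["ip"] for e in access_log if e["dst"] in bad_hosts})


def identify_user(ip, at, incident_id, audit, login_records=LOGIN_RECORDS):
    """Join the two datasets for one address at one moment.

    Only permitted against a confirmed incident reference (an assumed control),
    and every lookup is appended to `audit` so the intrusion is accountable.
    Returns the single matching user, or None if the mapping is ambiguous.
    """
    if not incident_id:
        raise PermissionError("identification needs a confirmed incident reference")
    t = datetime.fromisoformat(at)
    matches = [
        r["user"] for r in login_records
        if r["ip"] == ip
        and datetime.fromisoformat(r["from"]) <= t < datetime.fromisoformat(r["to"])
    ]
    audit.append({"incident": incident_id, "ip": ip, "at": at, "hits": len(matches)})
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    audit = []
    for ip in detect_suspect_addresses(ACCESS_LOG, {"c2.example.invalid"}):
        print(ip, "->", identify_user(ip, "2015-06-18T09:15:02", "INC-0001", audit))
    print("audit entries:", len(audit))
```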
Jeremy Sparks of the US Air Force gave an interesting talk entitled “Effective Team Leadership and Process Improvement For Network Security Operators”. This looked at taking established techniques used on military missions and applying them to security incident response, with well-defined phases of detailed planning, brief, execute and debrief. The importance of effective debriefing must not be underestimated, and no team member should be afraid to speak up, even if their superior made a mistake.
The talks ended earlier than usual to make way for the annual ritual that is the FIRST AGM, limited to team representatives, their proxies and invited guests only. A vital component is the steering committee elections, which were hotly contested this year. Much of the meeting was spent reviewing the many activities of FIRST and the plans for the future.
The final morning began with Chema Alonso of Telefonica/Eleven Paths looking at the evolution of cybercrime towards the world of mobile applications. Most mobile malware is for the Android platform, where unfortunately Google Play are struggling to tackle the problem on their app store; as an iOS user it came as something of an eye-opener as to just how bad the problem can be. Often several apps will purport to do the same thing but it is hard for less savvy users to identify which are legitimate. Sadly it takes time for the rogue applications to be noticed and to receive negative reviews or be removed as a result of antivirus detections. The speaker examined the possibilities of using profiling techniques to identify likely malicious applications.
It was then time for the final breakout sessions, where I attended talks by two national CERTs, firstly Id-SIRTII (Indonesia) on the use of machine learning in improving the accuracy of intrusion detection signatures. This was followed by JPCERT/CC (Japan) on “ChkDeface”, a tool they have written for the identification of defaced websites, capturing contents and taking screenshots in a “safe” environment but with a single request, aware that behaviour may change if they attempt a reload. We are all too familiar with the problem of defaced websites, and if the tool is made public we would certainly be interested in making use of it.
The conference was then wrapped up for another year, with the all-important prize draw, farewell speeches, good wishes for safe journeys home, and the hope of seeing us again at next year’s conference, which will be in South Korea.
As usual it has been a very enjoyable conference, with numerous excellent talks, whether strategic, deeply technical or taking the operational management perspective. It’s also been a great opportunity to meet with teams from all over the world and spanning many different industries. We look forward to attending further FIRST events, whether annual conferences or smaller regional events, in the future.