Wednesday’s keynote was from Philipp Amann of the European Cybercrime Centre, examining the subject of cybercrime. The boundaries between the “real” and online worlds are rapidly disappearing. Indeed, plenty of “traditional” crime is now online: for instance, drug sales are common on the “dark” internet through services such as Silk Road, and this may even reduce “traditional” crime, for instance by removing the need to operate on street corners.
Law enforcement must adapt to these changes and challenges, and cope with the ever-increasing volume of communications. Increasingly, to be successful law enforcement agencies need to work as part of international collaborations. A balance must be struck between protecting the privacy of citizens and being able to conduct the investigations necessary to protect those same citizens, but of course where the right balance lies is the subject of considerable debate.
Next was a talk on “passive SSL”, the use of passively collected information to monitor for vulnerabilities: existing public data sources are used to track X.509 certificates and look for possible weaknesses, an area that has been of particular concern over the past year or so following vulnerabilities such as POODLE.
If there were an award for the best presentation title of the conference, it would surely have to go to that entitled “How We Saved the Death Star and Impressed Darth Vader”, given by two members of Cisco’s CSIRT. From a security perspective, a popular movie could be described in terms of Princess Leia stealing data, evading monitoring systems and exfiltrating data to unauthorised parties, who consider themselves “rebels”. The stolen data reveal a major vulnerability, exploitation of which leads to a disastrous compromise. Naturally Lord Vader calls for a new security team, and wants to see results. So how does a security team demonstrate its effectiveness? What metrics are called for in order to demonstrate how team members are performing, which alerting systems are providing the most useful results, and where should resources be best deployed?
Many of this year’s talks have considered the subject of threat intelligence, and I attended two during the afternoon. The first used statistical techniques to assess the effectiveness of different sources of threat information. Many sources are available, both free and paid services, but which are the good ones? It’s vital to look at the rates of false positives and false negatives in a statistically sound manner. Don’t consider just the amount of information in the feed, but also how many new entries are being added, and whether old ones are removed promptly or left to go “stale”. Recognise also that, even if one were able to combine all available sources of intelligence, the result would still be far from comprehensive.
The other looked at how to ensure that threat intelligence feeds are turned into useful alerts. Testing that simple threat indicators can be used reliably to detect malicious behaviour is fairly straightforward. Testing that they won’t generate false positives is a much harder problem – you cannot test against absolutely every circumstance that might arise, so repeat the tests every time the environment changes, and adjust rules and retest in response to feedback. Good intelligence requires associated metadata to represent the level of confidence that something bad is going on, and the criticality – just how bad is it? Prioritise use of the intelligence that is most effective at finding the things which matter the most to you.
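As an added example (my own, not code from either talk), the measures the two threat-intelligence talks described can be put into a few Python functions: churn between two snapshots of a feed, the fraction of entries that have gone stale, false-positive and false-negative rates against labelled observations, and a confidence-times-criticality ranking for alerting. Every indicator value, label, day number and threshold below is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    value: str          # constructed sample domain or address
    confidence: float   # feed's confidence (0..1) that the indicator is malicious
    criticality: int    # impact of a true hit (1 = nuisance .. 5 = critical)
    last_seen_day: int  # day number on which the source last saw it active

# Two daily snapshots of one constructed feed, as sets of indicator values.
SNAPSHOT_DAY1 = {"bad1.example", "bad2.example", "old.example", "10.0.0.1"}
SNAPSHOT_DAY2 = {"bad1.example", "bad2.example", "old.example", "new.example"}

def feed_churn(old, new):
    """How many entries were added, removed and retained between snapshots."""
    return {"added": len(new - old), "removed": len(old - new),
            "retained": len(old & new)}

def stale_fraction(indicators, today, max_age_days=30):
    """Share of entries the source has not seen active within max_age_days."""
    if not indicators:
        return 0.0
    stale = [i for i in indicators if today - i.last_seen_day > max_age_days]
    return len(stale) / len(indicators)

def error_rates(feed_values, observed, malicious):
    """False-positive and false-negative rates against labelled observations:
    `observed` is every value seen in traffic, `malicious` the subset confirmed
    bad by investigation (so a feed hit on a benign value is a false positive)."""
    benign = observed - malicious
    fp = len(benign & feed_values)
    fn = len(malicious - feed_values)
    return {"fpr": fp / len(benign) if benign else 0.0,
            "fnr": fn / len(malicious) if malicious else 0.0}

def prioritise(indicators, min_score=2.0):
    """Rank by confidence * criticality and drop weak entries, so alerts fire
    first on the things that matter most."""
    scored = [(i.confidence * i.criticality, i) for i in indicators]
    return [i for s, i in sorted(scored, key=lambda t: -t[0]) if s >= min_score]

FEED = [  # constructed feed contents with their metadata
    Indicator("bad1.example", 0.9, 5, last_seen_day=99),
    Indicator("bad2.example", 0.6, 2, last_seen_day=95),
    Indicator("old.example", 0.8, 4, last_seen_day=40),   # stale entry
    Indicator("new.example", 0.3, 3, last_seen_day=100),
]
```

Calling `feed_churn(SNAPSHOT_DAY1, SNAPSHOT_DAY2)`, `stale_fraction(FEED, today=100)` and `prioritise(FEED)` shows one entry added and one removed, a quarter of the feed stale, and only the two high-confidence, high-impact indicators surviving the ranking threshold.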
The final session was another series of lightning talks. Topics covered included “cyber insurance”, data visualisations and information exchange. However, for me the most interesting one was by Alexander Talos-Zens of the University of Vienna. He described a useful analogy of password security to aid user understanding, thinking in terms of an evil knight trying to gain access to a castle and his techniques for doing so, for instance by overhearing a farmer on legitimate business providing the correct password when challenged, the equivalent of eavesdropping on an unencrypted session.
The conference banquet this year took us to the Postbahnhof, a former railway station for mail trains on the opposite side of the city, close to the longest surviving stretch of the Berlin Wall. We travelled there on the city’s excellent S-Bahn network; a drinks reception was followed by an excellent sit-down dinner, and then by live musical entertainment, prompting many of the attendees to take to the dance floor. A most enjoyable evening.