Last week saw the annual conference of FIRST, the Forum for Incident Response and Security Teams, this time held in Seoul, South Korea. As usual this is a big event, with 670 attendees this year from over seventy nations, covering a very diverse range of companies and organisations.
The programme was as usual a busy one, with keynote sessions starting each day followed by a choice of breakout sessions (and a number of other meetings) running in parallel, at times resulting in a difficult decision as to which to attend.

Following a welcome reception on the Sunday evening, presentations began the following morning with a keynote from Professor Jong In Lim of Korea University, former Special Adviser to the President for National Security, discussing some of the security challenges faced at a national level, not least those coming from North Korea.
The next talk was a technical analysis of Java remote access trojans and how they operate. It was interesting, if concerning, to hear that they are not just limited to Windows but that some variants exist for Mac OS X, Linux, and Android. I followed this with one discussing the threats to corporate Exchange systems, of significantly greater concern than the standard user account compromises such as those we encounter on a near-daily basis.

Further talks on Monday included the mechanisms behind online advertising, and just how easy (and cheap) it is to present malicious adverts to thousands of vulnerable systems; then a talk on security notifications, in particular informing website owners of vulnerabilities on their sites, contacting them based on publicly available data. The day ended with a look at Cisco’s Malspider, a custom crawler for detecting website compromises. This is an open source tool and something that I feel warrants further investigation as a possible tool for us to use internally.
Several talks at the conference mentioned use of machine learning, particularly in terms of looking for suspicious activities in large volumes of data. At present, usage is not that extensive in threat detection but speakers predicted it becoming commonplace over the next 2-3 years.

Tuesday’s keynote was from Clay Lin of the World Bank entitled The Journey of Building a 24×7 Incident Response Operation, an interesting view of how to establish a security team on a far larger scale than we have ourselves. Next was the initial meeting of a new Malware Special Interest Group, discussing its aims and means of operation.
The afternoon’s talks included one on creating a database of malware threat intelligence through analysis of the masses of samples submitted to VirusTotal, and making this available through a Malware Information Sharing Platform (MISP). Another talk was on cyber-insurance and the value to be gained in at least considering it as part of a risk management strategy. This was followed by a series of brief “lightning” talks covering a diverse range of topics, and a vendor reception, an opportunity to keep up to date with some of the security products available, although many of them clearly come with a fairly hefty price tag.