Speaker Biographies

To view a biography, click 'Read Bio'; to view an abstract, click 'Abstract'. Presentations will be made available in early June prior to the conference. In keeping with green initiatives, FIRST does not print hard copies of presentations.

Aarelaid, Hillar
Head of CERT-EE, CERT-EE
Read Bio
Hillar Aarelaid is the Head of the Estonian National Computer Emergency Response Team (CERT-EE). His main activities are to develop strategies, maintain international cooperation with Interpol, ENISA and other relevant institutions, and lead CERT-EE's working team of four information security experts. He is also behind the software development of CERT-EE's IT tools. Mr Aarelaid has previously held senior positions such as Estonian Data Commissioner (Head of the Estonian Data Protection Inspectorate) and Chief Information Security Officer at the Estonian Police.

Mr. Hillar Aarelaid graduated from Paikuse Police School in 1991 as a police officer and from the Police College of the Estonian Public Service Academy in 1996, with a B.A. thesis on "Information Systems for Police". He also has working experience as a serving police officer and as an IT lecturer.
CERT-EE and CERT-FI: AbuseHelper framework for community-wide, automated abuse handling. Abstract
With a total of seven generations of automated abuse handling behind them, CERT-EE and CERT-FI are now looking into bringing the tools and workflows into community-wide use. We call for multilateral collaboration by sharing the lessons learned and offering a starting point. Through public/private collaboration we have bootstrapped an open framework, which we have experimented with together. In this framework we have documented the available information feeds, use cases, processes, workflows, architectures, terminology and the context of abuse fighting. We have identified the different interest groups and how we could provide them with process building blocks and supporting software, such as the AbuseHelper toolkit. We believe we are now ready to demonstrate effective trusted sharing in action. In this presentation we explain the lessons learned and how the current generation manages them. Together with you we will also take a step towards the future, considering how the integration of abuse data with network monitoring and audit findings could provide much-needed information for the management of infrastructure risks.


(This presentation can be linked to 'CERT-FI Autoreporter and the automated abuse handling concept')


Ab Rahman, Mahmud
Manager, Emergency Readiness, CyberSecurity Malaysia (MyCERT)
Read Bio
Mahmud Ab Rahman is the Manager, Emergency Readiness for MyCERT, CyberSecurity Malaysia. He holds a Master's degree in Computer Science (2006) from the National University of Malaysia, where he also obtained his Bachelor's degree in Computer Science.

Mahmud has been involved in the computer security field for over four years. His areas of focus and interest are network security, honeynets, botnet monitoring and malware analysis. He also takes part in penetration-testing exercises and provides solutions for any vulnerabilities detected. He is also recognized for delivering numerous training courses for organizations, on topics ranging from introductory to advanced security.
Portable Destructive File (PDF) Attacks And Analysis Abstract
The increased prevalence of malicious Portable Document Format (PDF) files has generated interest in techniques for analysing such documents. We have observed many attacks that try to abuse PDF vulnerabilities by hosting malicious PDF files on the Internet. The modus operandi involves luring people into opening malicious PDF files through social engineering: emails are sent either with a link to the PDF file or with the malicious PDF attached directly, to trap the victim into opening it.

In this presentation we will share how to analyse malicious PDF files that abuse JavaScript for exploitation, as well as using it to carry the attacker's payload. What you learn here will help you analyse malicious PDF files on your own using freely available tools.
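As an added example for this abstract (not code from the presenter or from any tool named on this page), the script below does the first triage pass an analyst makes on a suspicious PDF with nothing but the standard library: it counts the trigger and action keywords a JavaScript-based PDF needs (/OpenAction, /AA, /JavaScript, /JS, /Launch), undoes the #xx name escaping attackers use to hide those names from a naive grep, inflates FlateDecode streams because the script body is almost always compressed, and looks inside the inflated text for the Acrobat JavaScript calls and heap-spray constructs that exploit scripts lean on. The sample PDF is constructed inline for the demonstration; the keyword lists are the author's choice, not a definitive signature set.

```python
"""Triage a suspicious PDF: count trigger/action keywords, undo #xx name
escaping (/J#61vaScript -> /JavaScript) and look inside FlateDecode streams
where the script body usually hides.  Added example for this page, not code
from the presenter or from any tool named here.  The sample PDF is constructed."""
import re
import zlib
from collections import Counter

# Keywords a malicious PDF typically needs: a trigger (/OpenAction, /AA), an
# action type (/JavaScript, /JS, /Launch) or a carrier (/EmbeddedFile, /ObjStm).
SUSPICIOUS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/ObjStm")
# Acrobat JavaScript APIs and constructs frequently seen in exploit scripts
# (heap-spray helpers and often-abused functions); author's selection.
JS_INDICATORS = (b"unescape(", b"eval(", b"String.fromCharCode", b"util.printf",
                 b"Collab.", b"media.newPlayer", b"getAnnots", b"app.")

NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")          # a PDF name token
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")            # #xx escape inside a name
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data: bytes) -> bytes:
    """Rewrite #xx escapes inside name tokens so obfuscated names match."""
    def fix(m):
        return HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_RE.sub(fix, data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed body of every stream that inflates as zlib.
    Streams that are not Flate-encoded (or are corrupt) are skipped.  Raw
    bytes are inflated before any name rewriting so compressed data is intact."""
    blobs = []
    for m in STREAM_RE.finditer(data):
        try:
            blobs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return blobs


def triage(pdf: bytes) -> dict:
    """Count keywords in the raw file and in every inflated stream, then give
    a coarse verdict: a trigger plus JavaScript, or any /Launch, is suspicious."""
    keywords, js_api = Counter(), Counter()
    for blob in [pdf] + inflate_streams(pdf):
        text = unescape_names(blob)
        for kw in SUSPICIOUS:
            # lookahead stops /JS from matching the start of a longer name
            keywords[kw.decode()] += len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", text))
        for api in JS_INDICATORS:
            js_api[api.decode()] += text.count(api)
    has_trigger = keywords["/OpenAction"] + keywords["/AA"] > 0
    has_js = keywords["/JavaScript"] + keywords["/JS"] > 0
    verdict = "suspicious" if (has_trigger and has_js) or keywords["/Launch"] else "no-action-found"
    return {"keywords": dict(keywords), "js_api": dict(js_api), "verdict": verdict}


def build_sample() -> bytes:
    """Constructed sample: /OpenAction fires a hex-escaped /J#61vaScript action
    whose script (a heap-spray loop) sits in a FlateDecode stream."""
    script = (b"var s = unescape('%u9090%u9090'); "
              b"while (s.length < 0x40000) s += s; "
              b"util.printf('%45000f', 0);")
    body = zlib.compress(script)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    report = triage(build_sample())
    print(report["verdict"], report["keywords"], report["js_api"])
```

Run against a real sample, a non-zero /OpenAction or /AA count next to /JavaScript or /JS is the cue to extract the inflated stream and deobfuscate the script by hand; a file full of /ObjStm with no visible actions deserves the same treatment, since the action dictionaries may themselves be inside the object streams.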


Adair, Steven
Security Researcher, Shadowserver Foundation
Read Bio
Steven Adair is a security researcher with The Shadowserver Foundation and a Principal Architect at eTouch Systems. At Shadowserver Steven analyzes malware, tracks botnets, and deals with cyber attacks of all kinds, with an emphasis on those linked to cyber espionage. Steven also blogs on the Shadowserver website (www.shadowserver.org) about various malware incidents, 0-day vulnerabilities, politically motivated DDoS attacks, and more. In his day job, he supports the Cyber Threat operations of a large customer, providing insight, analysis, and defense in many of the same arenas. Steven has recently started graduate school, seeking a Master's in Information Security and Assurance, and, if he is not inexplicably dumped soon, he will tie the knot with his beautiful fiancée in October of this year.
Targeted Intrusions & Cyber Espionage - Wake Up! Abstract
Competitive data, research information and intellectual property are being stolen every day from across the globe. Most of the targets have no idea it is occurring and are not prepared to deal with the threat. It's not just Government agencies and the Defense industry that are the targets: Fortune 500 companies, small research firms, lobbyist groups, human rights organizations and many more are victimized daily. We will look into how the attacks are perpetrated and talk about why a paradigm shift is necessary in how we look at security. It's time to wake up.

General details:

The presentation will detail various attack methodologies, such as targeted attacks via e-mail carrying PDF, DOC, PPT, XLS and other files. It will discuss various levels of attack sophistication. We will dive into some of the recent 0-day vulnerabilities that we disclosed, such as the JBIG2Decode issue and the most recent, CVE-2009-4324, which is currently unpatched. I have data that has been pulled from cyber espionage groups and from victims; I will probably present some of this data scrubbed, or give examples that are very similar.


Aitel, Dave
CEO, Immunity
Read Bio
Dave Aitel is a computer security professional. He joined the NSA as a research scientist aged 18 where he worked for six years before being employed as a consultant at @stake for three years. In 2002 he founded a software security company, Immunity, where he is now the CTO.

Aitel co-authored several books:

* The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks. ISBN 978-0849308888
* The Shellcoder's Handbook. ISBN 978-0764544682
* Beginning Python. ISBN 978-0764596544

He is also well known for writing several security tools:
* CANVAS, an automated exploitation system
* SPIKE, a block-based fuzzer
* SPIKE Proxy, a man-in-the-middle web application assessment tool
* Unmask, a tool to do statistical analysis on text to determine authorship
Why Attackers Win Abstract
Incident response happens when your secure development lifecycle fails. At Immunity, my job is to directly attack the overall process of SDLC of large companies in a measurable, concrete way. This talk sheds light on lessons learned, metrics, and growing trends in the attack space.


Algeier, Scott
Executive Director, Information Technology - Information Sharing and Analysis Center
Read Bio
Scott Algeier is a recognized homeland security thought leader, the Executive Director of the Information Technology - Information Sharing and Analysis Center (IT-ISAC), and owner of the homeland security consulting company Conrad, Inc. As the IT-ISAC Executive Director, Scott is responsible for the daily management of the IT-ISAC, formulating policies and procedures to coordinate security and incident response activities between industry and government, and ensuring members receive value from their membership. He is the IT-ISAC's principal spokesperson, representing the organization to the public, federal agencies and Congress. Scott also serves as the Industry Chair of the Risk Assessment Committee, comprised of industry and government subject matter experts, that developed the Baseline IT Sector Risk Assessment.
Critical Functions: A Functions Based Approach to IT Sector Risk Assessment Abstract
Each day corporations and government agencies defend against countless attacks. But how do we identify threats that are larger than individual networks and affect the infrastructure as a whole? This dynamic panel, comprised of those who developed the IT Sector Baseline Risk Assessment, will present its findings; the assessment evaluated risk to six "Critical Functions" maintained by the IT Sector. The panel will describe the unique "functions based" methodology, detail how the results of the assessment are being used to develop protective programs, prioritize R&D and produce outcome-based metrics, and explain how the Risk Assessment can add value to individual corporations and agencies.


Amit, Iftach
Managing Partner, Security & Innovation
Read Bio
With more than 10 years of experience in the information security industry, Iftach Ian Amit brings a mixture of software development, OS, network and Web security expertise as a Managing Partner of the top-tier security consulting and research firm Security & Innovation. Prior to Security & Innovation, Ian was the Director of Security Research for the Content Security Business Unit at Aladdin Knowledge Systems, where he created the AIRC (Attack Intelligence Research Center). Prior to joining Aladdin, Amit was Director of Security Research at a global Internet security company, leading its security research while positioning it as a leader in the Web security market. Amit has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, developing new techniques for attack interception, and as a director at Datavantage responsible for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application and UNIX worldwide. Amit holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzliya.
Cyber[Crime|War] - Drawing the hidden links Abstract
CyberWar has been a controversial topic in the past few years. Some say the mere term is an error. CyberCrime, on the other hand, has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organized crime's best sources of income.
In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organizations when carrying out attacks on the opposition.
We will discuss the connections to standard (kinetic) warfare and how modern campaigns use cybersecurity to their advantage and as an integral part of the campaign.


Asher, Adrian
CISO, Skype
Read Bio
High-level background: financial services (investment banks, market data, hedge funds, etc.), online gaming, and transport (BAA, BA). He has worked across a multitude of industries and promoted security heavily in industry and non-industry forums.
Security in a peer to peer world Abstract
How does Skype protect not just its good customers, but also protect against its bad customers?

In the peer-to-peer world many new issues come to light, for instance SPAM, perceptions and misconceptions of P2P, and trust in "the cloud". How does Skype manage these and other issues?

Where do we see peer-to-peer communications technology taking us, and what responsibility comes with a 20-million-strong cloud?


Banghart, John
Program Manager, NIST
Read Bio
John Banghart has over 15 years of experience in the IT security industry. Prior to joining NIST, he worked at a number of organizations providing system and network operations support. As a Director at the Center for Internet Security (CIS), he spent several years working with industry partners to develop security guidance targeted at a wide range of operating systems, applications, and network appliances. He is currently a Program Manager at the National Institute of Standards and Technology (NIST) Computer Security Division, where he runs the Security Content Automation Protocol (SCAP) Validation program and the Event Management Automation Protocol (EMAP) program.
The Event Management Automation Protocol (EMAP) Abstract
The Event Management Automation Protocol (EMAP) is a comprehensive framework to facilitate the processing of a variety of computer-generated events in a standardized fashion. EMAP is comprised of two major elements. The first is a suite of specifications, also known as the protocol, which represents the event data model, syntax, transports, and interactions. The second is the content, which adds context and meaning (taxonomy and classifications) surrounding events, and the system configurations that are recommended to capture certain events. EMAP also provides the means by which event data can be categorized and filtered to pinpoint desired information.

This presentation will address the current state of EMAP, its use cases, details of the specifications, planned work, and illustrative examples of EMAP data and interactions.


Bejtlich, Richard
Director of Incident Response, General Electric
Read Bio
Richard Bejtlich is Director of Incident Response for General Electric, and serves as Principal Technologist for GE's Global Infrastructure Services division. Prior to GE, Richard operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his blog (taosecurity.blogspot.com) and TechTarget.com, and teaches for Black Hat.
Building a Fortune 5 CIRT Under Fire Abstract
In 2007, the CISO of General Electric decided to invest in a dedicated program to detect and respond to intrusions, as a centralized, formal function within GE. Since then, GE has built a Computer Incident Response Team (CIRT) by hiring analysts, deploying dozens of sensors across the planet, aggregating billions of log records, and institutionalizing its detection and response processes. At the same time, GE has continued to face the sorts of information security challenges found in many global organizations. In this presentation, GE's Director of Incident Response (Richard Bejtlich) will describe his experience building and leading GE-CIRT. Richard will describe how lessons learned at a Fortune 5 company can apply to any organization, from the smallest start-up to the largest multinational. Richard will pay special attention to the role of Defensible Enterprise Architecture, Network Security Monitoring, team building and operations, preparing and applying for FIRST membership, and justifying resources through metrics and communication with leadership.


Bettini, Anthony
Senior Research Manager, McAfee
Read Bio
Anthony Bettini is part of the McAfee Labs senior management team. His professional security experience comes from working for companies like McAfee, Foundstone, Guardent, Bindview, and independent contracting. He specializes in software security and vulnerability detection. Anthony has spoken publicly for NIST in Washington, DC, the Computer Anti-Virus Research Organization (CARO) in Europe, and most recently at RSA Europe 2009. Anthony has published new vulnerabilities found in Microsoft Windows, ISS Scanner, PGP, Symantec ESM, and other popular applications. In addition to contributing to a handful of security books, Anthony was also the technical editor for Hacking Exposed 5th edition. Anthony’s most recent public speaking engagement was at RSA Europe 2009 in London and covered security risks in social networking applications (titled: You should be careful who you, and your friends, link with).
Locale-specific threats: Security challenges due to globalization Abstract
Responding to threats in the enterprise is a challenging problem. But when the enterprise goes global and perpetually expands its reach, the challenges take on a new dimension. The impact of globalization on IT security is rarely discussed at the threat level, but on the ground it is an all too real problem. Pieces of this may be well understood problems, such as adhering to local regulations and technical standards in a given country or region of the world. Other pieces, however, may not be so clear, such as software that is prevalent in only one particular country being subject to targeted attacks and 0-day vulnerabilities. In this talk we will go over real-world examples of locale-specific impacts on traditional IT security challenges, particularly in the realms of vulnerabilities, 0-days, compliance, threat monitoring and prioritization, and the role various global CERT organizations play.


Billeter, David
Vice President, Information Security, InterContinental Hotels Group
Read Bio
David Billeter is the Vice President and is the global lead of Information Security for InterContinental Hotels, with over 4000 hotels around the world and a new hotel opening every day. A pioneer of digital signatures, Mr. Billeter was recognized by the Governor of the State of Utah in 1997 for his efforts to promote PKI technology.
Case study in the use of System Whitelisting Abstract
Companies have been working for years to implement anti-virus across their enterprise and working toward regular updates of signature files. However, recent attacks have shown the deficiencies of this approach. Whitelisting effectively takes a "snapshot" of a clean system and prevents any activity that is not authorized. However, whitelisting across a complex environment is daunting. This presentation will present a case study of whitelisting by reviewing the steps being undertaken by InterContinental Hotels to implement this technology globally.
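To make the "snapshot of a clean system" concrete, here is an added example (not the whitelisting product or process used by InterContinental Hotels) of the core of a hash-based application allowlist: a manifest of SHA-256 digests taken from a known-clean install, and a default-deny decision for anything not in it or changed since. The demo constructs a throwaway install tree in a temporary directory and walks through the three cases that make whitelisting operationally hard: a dropped binary, a legitimate patch that changes an approved file's digest, and the re-baselining step, which must be done per approved change rather than by re-snapshotting a possibly-compromised host.

```python
"""Application whitelisting in miniature: snapshot a clean install into a
manifest of SHA-256 digests, then allow a binary to run only if it is known
and unmodified.  Added example for this page, not the product used by the
presenter's organisation.  The install tree is constructed in a temp dir."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Walk a known-clean tree and record one digest per relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def decide(root: str, rel_path: str, manifest: dict) -> str:
    """Default deny: a path absent from the snapshot is DENY-UNKNOWN; a known
    path whose digest changed is DENY-MODIFIED, which is what both a trojaned
    binary and a legitimate patch look like until the baseline is updated."""
    full = os.path.join(root, rel_path)
    if not os.path.isfile(full):
        return "DENY-MISSING"
    expected = manifest.get(rel_path)
    if expected is None:
        return "DENY-UNKNOWN"
    return "ALLOW" if sha256_file(full) == expected else "DENY-MODIFIED"


def write(root: str, rel_path: str, data: bytes) -> None:
    with open(os.path.join(root, rel_path), "wb") as f:
        f.write(data)


def demo() -> dict:
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    write(root, "bin/app.exe", b"MZ clean build 1.0")          # constructed
    manifest = snapshot(root)
    results = {"clean": decide(root, "bin/app.exe", manifest)}

    # A dropper writes a new binary: never seen at snapshot time.
    write(root, "bin/svch0st.exe", b"MZ dropped payload")
    results["dropped"] = decide(root, "bin/svch0st.exe", manifest)

    # The approved binary is replaced in place (vendor patch or trojan).
    write(root, "bin/app.exe", b"MZ clean build 1.1")
    results["patched"] = decide(root, "bin/app.exe", manifest)

    # Change control approves the patch: update only that entry.  Re-running
    # snapshot() on the live host would also bless svch0st.exe.
    manifest["bin/app.exe"] = sha256_file(os.path.join(root, "bin/app.exe"))
    results["rebaselined"] = decide(root, "bin/app.exe", manifest)
    results["dropped_after_rebaseline"] = decide(root, "bin/svch0st.exe", manifest)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} {v}")
```

The "patched" case is the one that makes a global rollout daunting: every legitimate update lands as a denial until the manifest is updated, so the allowlist only works when it is wired into the change-control and patch-deployment process rather than bolted on afterwards.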


Birkás, Bence
International Relations, CERT-Hungary
Read Bio
Bence Birkas is the international relations manager for CERT-Hungary. Since 2006 he has been employed by the Theodore Puskas Foundation, working for CERT-Hungary, where the focus of his work is liaising with international counterparts in the field of incident response and CIIP, as well as keeping contact with Hungarian partners by coordinating the work of national information sharing groups. CERT-Hungary runs several EC and national projects, and Mr. Birkas is responsible for the management of these projects. His previous work included assistance in setting up and operating the Hungarian Current Research Information System until the end of 2005.
FISHA - A Framework for Information Sharing and Alerting in Europe Abstract
FISHA (Framework for Information Sharing and Alerting) is a collaboration between NASK/CERT Polska, CERT-Hungary and the University of Gelsenkirchen to build a common European information and alerting system within the framework of the EU EPCIP programme, based on the findings of ENISA's EISAS study. The project addresses the issue of improving security awareness amongst home users and SMEs through the creation of a European information sharing and alerting system. The focus on home users and SMEs stems from the fact that these groups play a critical role in the security of the Internet as a whole, and as such of the European critical information infrastructure. At the same time both groups remain an easy target of attacks, due to low awareness of security issues and the lack of the technical skills required to handle them properly. There is therefore a need for a channel that can be used to reach these groups and supply them with timely best-practice information, alerts and warnings phrased in an easy-to-understand, non-technical way. While a number of national initiatives with a similar goal exist, these initiatives do not cooperate as actively in this field as they could. There is therefore much to be gained by pooling their resources and building upon existing information exchange initiatives, developed in particular in the CERT community. Previous studies in the watch and warning field have shown that experts from different countries hold many different views and interpretations as to what really should be done at a European level. These differing views have hindered past Europe-wide efforts, with relevant stakeholders firmly opposing the creation of a large centralized structure.
The presentation will introduce our vision of the framework for information sharing and alerting, which we plan will act as a meta-information broker for various stakeholders (including CERTs), and explain the rationale behind the choices made, both technical (including a description of the proposed P2P network) and organizational. Our vision takes into account not just our own ideas or ideas inspired from previous work, but comments from experts (particularly from CERTs) that have taken part in our first FISHA workshop organized in October 2009 in Rotterdam.


Boerio, Jeff
Sr. Information Security Specialist, Intel Corporation
Read Bio
Jeff is a 16-year veteran of Intel Corporation, currently working in their Threat Management team, the operational arm of the information security group. He is responsible for investigating imminent threats to the environment, including malware outbreaks and inside attacks as well as considering longer-term emerging threats in the enterprise. Inside the company, he has been part of project teams to organize security conferences. For FIRST, he has participated on the program committee for the 2009 and 2010 Annual FIRST Conferences, and spoke at the 2008 conference in Vancouver.
Getting Ahead of Malware Abstract
To minimize the threat posed by malicious software, or malware, making its way into the enterprise, Intel IT has established a process that actively seeks to identify and take action against the malware before it reaches Intel’s user base. This process focuses on real-time monitoring and interpretation of security events on the network and taking immediate action against any identified threats. The paper describes the process of detecting and addressing new malicious code threats in a global enterprise environment. Since implementing our security event monitor and detection processes, we have seen a 40 percent decrease in the number of formal incident response events.


Casey, Timothy
Senior Information Security Analyst, Intel Corp.
Read Bio
Timothy Casey, CISSP, IAM, is a senior Information Security Analyst for Intel’s Information Security & Risk Management group, with 25 years of experience in many information security fields. Originally a systems designer, before coming to Intel he was a key architect in many government and commercial security systems. At Intel, Timothy now designs and implements technologies like Intel’s Security Wargaming capability for advanced information risk management capabilities.
Know Thy Enemy: Cataloguing Agents of Threat for Improved Risk Assessments Abstract
When risk managers assess threats to information assets, they have to understand the potential human threat agents: the categories of people who can harm those information assets. Historically, however, this has been challenging. A key problem is the lack of industry standards or reference definitions of agents. Assessors often have different concepts of even the most common agents, and interpret a seemingly simple term such as “spy” very differently, making it difficult to share information or apply it consistently.

As a result, risk management projects often experience threat creep: threat definitions are repeatedly re-negotiated as the project progresses, causing many delays. Even if a team agrees on the definitions, information about threats is often fragmented and sensationalized, making it difficult to understand the real threat and how to prioritize it. Additionally, some agents attract considerable publicity, resulting in the most-publicized agents appearing as the biggest threat and receiving a disproportionately large amount of limited mitigation resources.

A cross-organizational team of senior Intel information security specialists decided to create a standardized set of threat agent archetypes, with the goal of improving the accuracy and efficiency of risk assessments. Unable to find a suitable set already in use, they developed their own Threat Agent Library of 23 agent archetypes, each uniquely defined. The library includes both the “usual suspects” and characters that are easily overlooked if not explicitly listed.

The standardized threat agent approach was only recently deployed internally but is already making an impact. It was incorporated into Intel’s main business security and acquisitions risk assessment tools, where it has dramatically streamlined the process. A key manufacturing group reported a 60% improvement in total threat assessment time, reducing the negotiation period from months to days. The agent archetypes also enable focused data collection and accurate threat ranking, allowing Intel IT architecture and mitigation groups to better prioritize resources. Externally, the US DHS has incorporated the library as a cornerstone methodology of its IT Sector Baseline Risk Assessment.

This presentation will describe these elements in further detail, so that the audience can understand the problem we addressed, basics of the library itself and where to access it, and how to apply the concepts to common risk assessment situations.


Casper, Bryan
Senior Security Analyst, Microsoft
Read Bio
Bryan Casper, GCIA, CISSP, is a senior security analyst for Microsoft Online Service’s Security Incident Management team. His broad experience includes expertise in network traffic analysis and server forensics. Prior to his ten years at Microsoft, Bryan served in the US Air Force as a security analyst/engineer.
Incident Response in Virtual Environments: Challenges in the Cloud Abstract

Incident response in large production environments is challenging enough. Add layers of virtualization, a constantly dynamic state, as well as a broad external customer base and the challenges deepen exponentially.

This presentation aims to provide recommendations and guidance based on experience and information gathered while conducting incident response in such environments including large virtualized caching networks and cloud-based services. Logging, tooling, forensic methods, and egress-based network security monitoring are amongst the topics to be discussed. This presentation also intends to allow active discussion with participants to share their experiences.



Cochran, Jerry
Principal Security Strategist, Trustworthy Computing, Microsoft Corporation
Read Bio

Jerry Cochran is a Principal Security Strategist with Microsoft's Trustworthy Computing group, where he leads the Global Security Strategy Team and is focused on corporate strategic initiatives, critical infrastructure protection, and cyber security R&D projects. He works in these areas representing Microsoft internationally and with key U.S. government agencies such as the Department of Defense, the Department of Homeland Security, and the Intelligence community. Jerry also represents Microsoft on various projects and committees with industry and government. Jerry currently represents Microsoft in IT Sector Coordinating Council activities, where he has been a key contributor to the development of the IT Sector risk management approach. Jerry is also the Microsoft board member and Treasurer for the Information Technology-Information Sharing and Analysis Center (IT-ISAC).


Jerry has spent over 26 years as a reservist with the U.S. Air Force and Air National Guard where he holds the rank of Chief Master Sergeant (E9). Over his military career he has held various positions in electronics systems maintenance, computer systems operations and squadron leadership. For the last 10 years he has been assigned as the Chief Enlisted Advisor to the 262nd Network Warfare Squadron that is part of the U.S. 24th Air Force and the Air National Guard.

Critical Functions: A Functions Based Approach to IT Sector Risk Assessment Abstract
Each day corporations and government agencies defend against countless attacks. But how do we identify threats that are larger than individual networks and affect the infrastructure as a whole? This dynamic panel, comprised of those who developed the IT Sector Baseline Risk Assessment, will present its findings; the assessment evaluated risk to six "Critical Functions" maintained by the IT Sector. The panel will describe the unique "functions based" methodology, detail how the results of the assessment are being used to develop protective programs, prioritize R&D and produce outcome-based metrics, and explain how the Risk Assessment can add value to individual corporations and agencies.


Dandurand, Luc
Senior Scientist, Information Assurance and Service Control Team, NATO C3 Agency
Read Bio
Mr Luc Dandurand joined the NATO C3 Agency on 5 January 2009 as a Senior Scientist in the Information Assurance and Service Control Team.

Mr Dandurand received his Bachelor of Engineering degree in Engineering Physics in 1993 from the Royal Military College (RMC) of Canada and his Masters of Engineering degree in Computer Engineering in 1999, also from RMC. He has over 9 years of operational experience in Cyber Defence.

As a Signals Officer in the Canadian Forces (CF), Mr. Dandurand held various scientific and technical positions. He was an Intelligence Analyst for ground-based radars and STANOC equipment in the Directorate of Scientific and Technical Intelligence at National Defence Headquarters. He then led the Canadian Forces Information Operations Group’s Network Vulnerability Analysis Team during its expansion, supervising vulnerability assessments of military operational networks in Canada and in theatre. Finally, he founded the Canadian Forces Information Operation Group Red Team, responsible for conducting controlled computer network attacks against military networks in order to assess their security and the network managers’ ability to react, contain and recover from such attacks.

In 2003 he left the CF and joined the Communications Security Establishment (CSE) as an engineer on the expanded Joint Red Team, now operated jointly by the CF and CSE. In 2005 he was tasked to lead the CyberLab, a team of scientists and engineers who prototype novel solutions to difficult Cyber Defence problems. His major project in CyberLab was to lead the development of an intrusion detection system capable of detecting sophisticated attacks. He was also tasked for a period of seven months to assist in the development of the legal framework and policies that support the Cyber Defence activities of the CSE.
Specifications for a Collaboration & Exchange Infrastructure for Cyber Defence Data Abstract
Given the complexity of modern Communication and Information Systems (CIS) and the speed at which cyber attacks can progress, the need for automated Cyber Defence processes is clear. Such automation ranges from correlating data from different sources, so as to provide more meaningful information to computer security incident response team (CSIRT) analysts, to taking immediate defensive action in a network without human intervention. To provide the intended results, automated processes require standardized and accurate data. This Cyber Defence data can be broken down into two categories: the operational data that describes the organisation's CIS being protected, and reference data that describes common knowledge not specific to that organisation, such as lists of vulnerabilities and software products. The presentation presents a solution for improving the management of Cyber Defence reference data to adequately support automated Cyber Defence processes.


Dobrotka, Dave
Team Cymru
Dragon Research Group Security Distro Abstract
The DRG Distro is a minimized Linux distribution designed to operate as part of a distributed Internet-based security research network. The Distro, or "pod", is Slax-derived and comes with a useful set of utilities that provide the pod "runner" an easy way to develop awareness of local network security conditions. When integrated into the pod network, this tool also provides a broad view of malicious activity gleaned from other networked pods. The ultimate goal is to combine local pod network activity with DRG insight, analysis and tools to provide actionable intelligence to the Internet security community. For more information see http://drg.team-cymru.org/


Eronen, Juhani
Information Security Analyst, CERT-EE
Juhani Eronen is an Information Security Analyst at CERT-FI, where his responsibilities include vulnerability co-ordination, automation of the handling of security incidents and information assurance. Formerly, he worked for OUSPG researching protocol vulnerabilities and dependencies of the critical information infrastructure, among other things. He is a postgraduate student at the Oulu University Secure Programming Group, OUSPG.
CERT-EE and CERT-FI: AbuseHelper framework for community-wide, automated abuse handling. Abstract
With a total of 7 generations of automated abuse handling, CERT-EE and CERT-FI are now looking into bringing the tools and workflows for community-wide use. We call for multilateral collaboration, by sharing the lessons-learned and offering a starting point. With public/private collaboration we have bootstrapped an open framework, which we have experimented on together. In this framework we have documented the available feeds of information, use cases, processes, workflows, architectures, terminology, and the context of abuse fighting. We have identified different interest groups and how we could provide them with process building blocks and supporting software, such as the AbuseHelper toolkit. We believe that we are now ready to demonstrate effective trusted sharing in action. In this presentation we explain the lessons learned and how the current generation manages them. Together with you we will also take a step towards the future, considering how the integration of abuse data with network monitoring and audit findings could serve to provide much-needed information for the management of infrastructure risks.


(This presentation can be linked to 'CERT-FI Autoreporter and the automated abuse handling concept')


Hay, Andrew
Information Security Analyst, University of Lethbridge
Andrew Hay is a security professional who writes and speaks on privacy, forensics, incident handling, and network security management. As a full-time professional in the field, Andrew speaks to the power of having a well thought out information security program as the first step to any security product purchase. He has authored three books on network security management and in 2008 was honored with the title of “Security Thought Leader” by the SANS Institute. Andrew maintains a topical security blog at www.andrewhay.ca and can be engaged on Twitter via http://twitter.com/andrewsmhay.
Empty Pocket Forensics Abstract
The perception that forensic investigation and response tools are too costly to be purchased by most organizations is a myth. Many organizations are forced to decide if the costs associated with forensic analysis exercises overshadow the risk of turning a blind eye. However, without knowing the details of how a breach or malware infection occurred, there is no way of knowing how to prevent it from happening again. This presentation will show that the costs of undertaking forensic investigations, using freely available tools, can easily find a place in the smallest of budgets.


Heilman, Marshall
Director, MANDIANT
Marshall Heilman is a Manager at Mandiant with over eleven years' experience in computer and information security. His particular areas of expertise include enterprise-wide incident response investigations, secure network design and architecture, penetration testing, and strategic corporate security development. Marshall has extensive experience working with the Federal government, the defense industrial base, the financial and telecommunications industries and Fortune 500 companies. He has spoken at multiple security conferences, including OWASP, ISSA, and ISACA.

Prior to joining Mandiant, Marshall was a member of the United States Marine Corps. Most recently he was the Information Assurance Officer at Marine Corps Forces Pacific Command Headquarters, Camp Smith, Hawaii. Marshall received his Master of Business Administration from ASU and his Bachelor of Science in Computer and Information Science from UMUC. He holds the CISSP security certification and a current Top Secret government security clearance.
Got Spies in Your Wires? Abstract
"Spies in the Wires" is a term used to refer to an entity's ability to surreptitiously gather data from a remote victim organization through the Internet, an activity often associated with foreign governments. In most instances the victim organization does not even realize it has been penetrated. Once the victim organization has been notified of the breach, the daunting task of cleaning up the breach, notifying the appropriate parties, and dealing with the ramifications of data loss begins.

The talk will begin with a discussion of some of the more serious intelligence gathering threats faced by government, DIB, and contracting organizations today, followed by real world case studies to better demonstrate some of the threats. After a discussion of the threats, the talk will discuss various tools and techniques to combat major facets of each threat: Initial Exploitation, Lateral Infection, Persistence, Attacker Visibility, and Damages. Each facet will be discussed in detail and analyzed from the perspective of an attacker, an incident responder, and a security architect. This in-depth breakdown of each facet will ensure that the intricacies of each threat are understood before combative tools and techniques are discussed.

The tools and techniques discussed during this talk to combat “Spies in the Wires” were derived from countless hours of being on the frontlines at many unique organizations dealing with these threats. This talk approaches security from an operational “what works” standpoint and not from a theoretical, or best practices, standpoint.


Helmbrecht, Udo
Executive Director, ENISA
Born in Castrop-Rauxel in 1955, Udo Helmbrecht completed high school in 1974. He then served for two years in the German Federal Armed Forces. From 1976 to 1981, Helmbrecht studied Physics, Mathematics and Computer Science at the Ruhr University in Bochum. Having received his Diploma in Physics, he then went on to obtain a Doctorate in Theoretical Physics in 1984.

Between 1981 and 1983, Helmbrecht worked as a research assistant for the Institute of Theoretical Physics at the Ruhr University. For the following two years, he ran the Software Development Department of the Bergische University in Wuppertal.

Moving to Messerschmitt-Bölkow-Blohm GmbH (MBB) in Munich, the predecessor of today's EADS, in 1985 Helmbrecht began his career as a systems analyst, working on a German-Chinese project. He advanced to project leader one year later. Over this period, he successfully completed a two-year executive management training programme for high potentials. Between 1988 and 1989, he was personal assistant to the Head of the Military Aircraft Division.

In 1990, Helmbrecht was assigned the position of Head of the Technical Data Systems Department and between 1992 and 1995 he functioned as Information Technology Programme Manager, assuming responsibility for the programme and project management of information technology in the military aircraft product group.

In 1995, Helmbrecht was appointed CIO of the Bayerische Versorgungskammer, a public insurance institution for pensions. As Director and Division Manager of Information Processing, he was responsible for data processing, information technology and security, application development, as well as data centre and network infrastructure. Here, he succeeded in introducing several entrepreneurial operating methods.

Since March 2003, Udo Helmbrecht has served as President of the Federal Office for Information Security (BSI) in Bonn. He has successfully developed the agency's central service provision for information security within the German Federal Government. In addition, he has spearheaded the cooperation between BSI and the IT security industry, as well as raised public awareness of information security issues.

In April 2009, Dr Helmbrecht was appointed Executive Director of ENISA by its Management Board, following a presentation to the European Parliament's ITRE committee; he assumed the position on 16th October.
ENISA's Community Based Defense and Education Abstract
Keynote presentation


Hoff, Christofer
Director, Cloud and Virtualization Solutions, Cisco
Chris Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management with a passion for virtualization and all things Cloud. Hoff is currently Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems. Prior to Cisco, he was Unisys Corporation's Systems & Technology Division's Chief Security Architect. Additionally, he served as Crossbeam Systems' chief security strategist; was the Chief Information Security Officer for a $25 billion financial services company; and was founder/Chief Technology Officer of a national security consultancy.
Cloudifornication - Indiscriminate Information Intercourse Involving Internet Infrastructure Abstract
What was in is now out.

This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity at which our data centers are being re-perimeterized and quite literally turned inside out thanks to cloud computing and virtualization.

One of the really scary things that is happening with the massive convergence of virtualization and cloud computing is its effect on security models and the information they are designed to protect. Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services (and by whom, and using whose infrastructure) yields significant concerns related to security, privacy, compliance, and survivability.

Further, the "stacked turtle" problem becomes incredibly scary as the notion of nested clouds becomes reality: cloud SaaS providers depending on cloud IaaS providers which rely on cloud network providers. It's a house of, well, turtles.

We will show multiple cascading levels of failure associated with relying on cloud-on-cloud infrastructure and services, including exposing flawed assumptions and untested theories as they relate to security, privacy, and confidentiality in the cloud, with some unique attack vectors.


Jaroszewski, Przemek
CERT Polska / NASK
Przemek Jaroszewski has been a member of CERT Polska since 2001. Since 2007 he has led the core incident response team within CERT Polska. His main interests in the IT security area are dealing with UCE, keeping up with current trends and statistics, and being an evangelist for safe online behaviour. As a programmer, he develops and integrates tools supporting the team's work. Przemek is an active member of international CERT forums. In 2008 he was elected a member of the Trusted Introducer Review Board, reviewing work done within the accreditation model for European CERTs. Since 2005 he has actively promoted cooperation of Polish ISPs in the area of incident response in the ABUSE-FORUM initiative.
Cooperation and self-regulation of Polish ISPs in combating online crime Abstract
Over the past few years botnets and malware controllers have evolved into very sophisticated environments. Using bulletproof hosting, fast flux and other techniques they have become more and more sustainable. Going after infected machines is like playing a whack-a-mole game, and the fact that malware is hiding deep in the system and staying below users' radar does not help at all. At the same time e-crime has become a serious and organized business. Threats like DDoS and phishing are common, result in huge losses, and their mitigation requires prompt action, something that law enforcement is not very good at. Do we have to lose this fight? Not if the ISPs start to act. Limiting users' access to harmful parts of the net can effectively cut communication between drones and controllers. It can also help to combat phishing and drive-by downloads. The presentation will discuss self-regulation of ISPs in Poland, joint cooperation based on trust, technologies involving BGP and DNS blackholing, legal challenges, and the role of lawmakers and law enforcement.


Kamluk, Vitaly
Director of Research Center EEMEA, Global Research & Analysis Team, Kaspersky Lab
Vitaly joined Kaspersky Lab in 2005, and specializes in research focusing on corporate network protection, malware behaviour, and developing protection methods and tools. He has acted as an expert witness in IT forensic cases, and is based in Moscow. He has been in his current position since June 2008.

Vitaly has also worked as a virus analyst and developer, and participated in developing systems and components for internal use in the company’s Virus Lab. Before he joined Kaspersky Lab, he studied at Belarus State University, and worked as a programmer at an R&D company.
Botnet Industry Abstract
Currently unavailable.


Kaplan, L. Aaron
Security Analyst, CERT.at
L. Aaron Kaplan works at CERT.at, the national CERT of Austria. He is also a regular speaker at conferences such as CCC. He studied mathematics and computer science in Vienna.

L. Aaron Kaplan fell in love with the command shell and has been a user and programmer since 4.3BSD-Lite / FreeBSD 1.0.
Visualization for IT-Security Abstract
This talk will present visualization techniques for IT-security events and incidents.

Conficker demonstrated that sinkholing botnets and logging relevant IT-security events on a massive scale is a powerful weapon for mitigation and remediation. However, these data collections naturally grow quickly to sizes too large to understand or handle. Visualization can prove to be an invaluable tool for the IT security handler to gain insight into the dimensions of a problem, as well as for management and even politicians.

Therefore this presentation will show, based on a concrete example, how we can extract understandable information out of a multitude of data sources. The concrete example will deal with DNS, DNScap and NFSen / NFDump visualizations. Since DNS is a hidden treasure box for IT security, and since DNS requests can hint at many problems (misconfigurations as well as abuse), visualizing DNS is in our opinion a promising fresh approach.

Finally, a list of practical tools will be presented which participants can use in their own organizations and thus improve their own incident handling.


Kenttälä, Jani
CTO, Clarified Networks
CERT-EE and CERT-FI: AbuseHelper framework for community-wide, automated abuse handling. Abstract
With a total of 7 generations of automated abuse handling, CERT-EE and CERT-FI are now looking into bringing the tools and workflows for community-wide use. We call for multilateral collaboration, by sharing the lessons-learned and offering a starting point. With public/private collaboration we have bootstrapped an open framework, which we have experimented on together. In this framework we have documented the available feeds of information, use cases, processes, workflows, architectures, terminology, and the context of abuse fighting. We have identified different interest groups and how we could provide them with process building blocks and supporting software, such as the AbuseHelper toolkit. We believe that we are now ready to demonstrate effective trusted sharing in action. In this presentation we explain the lessons learned and how the current generation manages them. Together with you we will also take a step towards the future, considering how the integration of abuse data with network monitoring and audit findings could serve to provide much-needed information for the management of infrastructure risks.


(This presentation can be linked to 'CERT-FI Autoreporter and the automated abuse handling concept')


Kijewski, Piotr
IT Security Specialist, NASK/CERT Polska
Piotr Kijewski has worked for NASK since 2002 as an IT Security Specialist in the CERT Polska team. His main interests in the computer and network security field include intrusion detection, honeypots and network forensics. He heads a group of people from various teams at NASK that is responsible for the development of novel solutions in the area of network and threat monitoring. This includes work on projects such as ARAKIS (http://www.arakis.pl), a network early warning system that consists of over 50 sensors (which include a honeypot capability) across Polish networks, and the HoneySpider Network, a joint effort with GOVCERT.NL and SURFnet to develop a complete client honeypot system. He has spoken at various international conferences and workshops (FIRST Annual Conference, NATO Cyber Defense, ENISA events, GOVCERT.NL symposium, TF-CSIRT meetings etc.). Piotr Kijewski is the leader of the NASK team involved in the EU FP7 WOMBAT (Worldwide Observatory of Malicious Behaviour and Attack Threats) project. He has also taken part in other European projects such as eCSIRT.net, SPOTSPAM and ENISA studies (including membership in the EISAS WG). Previously he worked for nearly 10 years as a network administrator at the Warsaw University of Technology and as a network security consultant for many companies in Poland. He holds an MSc degree in Telecommunications from the Warsaw University of Technology.
WOMBAT API: handling incidents by querying a world-wide network of advanced honeypots Abstract
Our presentation will describe the WOMBAT API, an API developed by the WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats) project consortium that allows different organizations to give access to their security-related datasets in a simple but consistent manner. Unlike most standards, the WOMBAT API places only a few general requirements on an entity wishing to implement the API. It enables users to explore and compare datasets from different organizations through a powerful interactive command line level interface, without knowledge of underlying database architecture. The HoneySpider Network (a hybrid client honeypot solution) dataset is described in detail, with examples of usage. Other datasets that are WAPI-enabled are also introduced. This is followed by an example scenario which shows how a real-life incident can be handled by using information from a diverse group of datasets, from the moment that a security breach is detected, initial assessment of the compromise, up to identification of possible infection vectors, IPs, URLs and malware responsible. We believe that the WOMBAT API has the potential to become a powerful tool and be a catalyst enabling CERTs and security researchers to share security related data in a much more open and effective manner than has been possible up till now.

FISHA - A Framework for Information Sharing and Alerting in Europe Abstract
FISHA (Framework for Information Sharing and Alerting) is a collaboration between NASK/CERT Polska, CERT-Hungary and the University of Gelsenkirchen to build a common European information and alerting system within the framework of the EU EPCIP programme, based on the findings of the EISAS study of ENISA. The project addresses the issue of improving security awareness amongst home users and SMEs through the creation of a European information sharing and alerting system. The focus on home users and SMEs stems from the fact that these groups play a critical role in the security of the Internet as a whole, and as such, of the European critical information infrastructure. At the same time both groups remain an easy target of attacks, due to low awareness of security issues and the lack of the technical skills required to handle them in a proper manner. There is therefore a need for a channel that can be used to reach these groups and supply them with timely best practice information, alerts and warnings phrased in an easy to understand, non-technical way. While a number of national initiatives with a similar goal exist, these initiatives do not cooperate as actively in this field as they could. There is therefore much to be gained by pooling their resources and building upon existing information exchange initiatives, developed in particular in the CERT community. Previous studies in the watch and warning field have shown that experts from different countries hold many different views and interpretations as to what really should be done at a European level. These differing views have hindered past Europe-wide efforts, with relevant stakeholders firmly opposing the creation of a large centralized structure.
The presentation will introduce our vision of the framework for information sharing and alerting, which we plan will act as a meta-information broker for various stakeholders (including CERTs), and explain the rationale behind the choices made, both technical (including a description of the proposed P2P network) and organizational. Our vision takes into account not just our own ideas or ideas inspired from previous work, but comments from experts (particularly from CERTs) that have taken part in our first FISHA workshop organized in October 2009 in Rotterdam.

R&D projects launched in response to the dynamic evolution of Internet security threats - CERT view Abstract
Wherever they are, CERTs (Computer Emergency Response Teams) as security incident handlers have hands-on experience with the latest attack techniques on the Internet. This is the result of direct contact with their constituency and other CERT teams, which often serve as the first line of support when faced with new threats. The dynamic development of threats remains a never ending challenge not just for them, but for the entire security industry. Research and development projects that are launched in response to analyzing threats often have a problem keeping up and developing adequate tools that can be applied in practice. Nevertheless, creating new platforms that can facilitate detection and improve situational awareness is critical in order to stop these threats.
We will present technical issues concerning national and international research and development projects conducted by the CERT Polska team, operating within NASK structures. We will also present how these projects support the operational activity of CERT, which determines the requirements for new tools and research, namely projects having practical application in e.g. threat monitoring, correlation, early warning, malware analysis or effective transfer of information to the proper recipients. A few examples of building synergy between projects being implemented will be described. We believe that the most valuable part of our work is a very effective approach to the relationship between the practical needs of the operational work of a CERT team and the outcomes of security projects and systems development within such a team. We are convinced that this relationship should be very strong and we try to ensure it in our technical work. Thus the technical projects undertake the most important and the most novel topics related to ICT security. We believe that a major idea of our work is the positioning of different projects in a way that enables them to work together, creating a synergy that results in solutions to today's security problems of the Internet. In each of the presented projects, we come up with novel algorithms that enable the achievement of specific project goals.


Kozakiewicz, Adam
Head of the Network and Information Security Methods Team, NASK/CERT Polska
Adam Kozakiewicz is assistant professor and head of the Network and Information Security Methods Team in the NASK Research Division. He received his PhD in 2008 from WUT. A. Kozakiewicz was involved in the WOMBAT and FISHA projects, as well as several non-EU funded projects, most notably Arakis (NASK's early warning system) and HoneySpider Network (a client honeypot developed by NASK, GOVCERT.NL and SurfNet). His interests include network security, self-similar models of network traffic and optimization methods. A. Kozakiewicz is also a part-time assistant professor at Warsaw University of Technology.
WOMBAT API: handling incidents by querying a world-wide network of advanced honeypots Abstract
Our presentation will describe the WOMBAT API, an API developed by the WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats) project consortium that allows different organizations to give access to their security-related datasets in a simple but consistent manner. Unlike most standards, the WOMBAT API places only a few general requirements on an entity wishing to implement the API. It enables users to explore and compare datasets from different organizations through a powerful interactive command line level interface, without knowledge of underlying database architecture. The HoneySpider Network (a hybrid client honeypot solution) dataset is described in detail, with examples of usage. Other datasets that are WAPI-enabled are also introduced. This is followed by an example scenario which shows how a real-life incident can be handled by using information from a diverse group of datasets, from the moment that a security breach is detected, initial assessment of the compromise, up to identification of possible infection vectors, IPs, URLs and malware responsible. We believe that the WOMBAT API has the potential to become a powerful tool and be a catalyst enabling CERTs and security researchers to share security related data in a much more open and effective manner than has been possible up till now.


Kristoff, John
Researcher, Team Cymru
John Kristoff is a researcher with Team Cymru, an Internet security research organization based in Chicago specializing in the "who" and the "why" of Internet crime.
13 Things to Consider Before DNSSEC Abstract
The domain name system (DNS), a key component upon which much of Internet communication relies, has undergone intense scrutiny and analysis in the past few years. DNSSEC, a suite of extensions that helps address some potential problems, has been gaining steam and is set to see a significant increase in deployment beginning this year. Yet there are at least 13 things that organizations who rely on DNS, which is to say everyone, should consider with or without DNSSEC, but ideally before embarking on their own DNSSEC roll-out.

In this session, we will highlight 13 of the most important questions an organization should be asking about its own usage of DNS. While DNSSEC is an important technology, none of the answers require DNSSEC. The answers cover the things a proper DNS implementation should have even before DNSSEC. How well do you fare?

The 13 topic areas include:

* Authoritative name server RRset size
* Geographic and network diversity of DNS servers
* Parent and child delegation consistency
* Open Resolvers
* Answer spoofing protection
* Domain name registration protection
* Co-mingled services on DNS servers
* DNS server administrative processes
* DNS server physical resource limitations
* TCP and DNS
* Monitoring and auditing
* Time synchronization
* IETF RFC 2870


La Pilla, Michael
iDefense Malicious Code Operations Team Engineer, NetCentrics
Mike leads the iDefense Malicious Code Operations Group (Malcode), responsible for the active collection of open-source intelligence, and for the reporting and analysis of new and prevalent malicious code. Mike also develops and maintains projects for the iDefense malicious code lab. Mike's expertise lies in the area of malicious code that targets financial institutions and their customers. Prior to joining iDefense, Mike worked as a contractor in the Web hosting sector while pursuing a BS in Computer Engineering from Virginia Tech.
Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools Abstract
CIRT organizations are expected to handle any type of incident thoroughly but quickly. In a past life as a pure researcher I made many assumptions about what could and couldn't be done in a CIRT. This talk is about how I integrated everything I learned in my previous world into a CIRT environment. Targeted attack discovery and response will be high on the discussion list. Specifically, this talk will focus on standing up tools to automate high volumes of incidents and to discover unknown intrusions. During the talk I will include discussions of many tools, both open source and custom made, that can be replicated for use in other CIRTs. I will maintain the talk's focus on no-cost tools and techniques that can be implemented by anyone, anywhere in the world, without any budget.


Larsen, Jason
Researcher, Idaho National Laboratory (DOE)
Jason Larsen is a cyber security researcher at the Idaho National Laboratory. He specializes in the technical details of testing and exploiting industrial control systems. He has a wide range of publications across control systems including SCADA, AMI, Wireless Sensor Networks, and good old-fashioned software exploitation. He is a sought-after speaker both in the United States and internationally.
That Pesky Critical Infrastructure Abstract
Very little incident data surrounding cyber attacks on control systems is public, and the little that is public is mostly uninformative. This presentation will focus on the public research available on hacking control systems. It will take a technical look at the new exploits and techniques being applied and what their consequences are. For example, a number of recent exploits have been published that allow the attacker to recover the encryption keys used in ZigBee meshes. What does that actually mean for the critical infrastructure?

The presentation will examine hardware hacking techniques and secure key storage as they apply to the new generation of wireless devices entering the market. It will also try to take a crystal-ball approach to security for the vendor solutions that attach iPhone and Windows Mobile devices to control systems, which are due to come out later this year.

The presentation will focus on technical security measures and will largely ignore policy and best practices. It will attempt to be high level enough to be accessible to most audiences.


Lindner, Felix 'FX'
Head of Recurity Labs, Recurity Labs
Felix "FX" Lindner runs Recurity Labs. FX has over 10 years' experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer science, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments. FX is well known in the computer security community and has presented his and Phenoelit's security research at Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics have included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds the title of State-Certified Technical Assistant for Informatics and Information Technology and is a Certified Information Systems Security Professional.
Your Other Network
Permission management and patch management are difficult challenges in larger corporate environments. Many organizations have nevertheless successfully implemented processes and tools to cope with the constant stream of software updates for desktop and server systems, with the goal of maintaining a secure and reliable corporate infrastructure. For historical, technical and practical reasons, however, most networks are still designed around the perimeter security paradigm, considering the inside to be protected and the outside to be potentially malicious. Within these networks, traffic interception, manipulation or Denial of Service attacks are considered unlikely. Embedded devices are the core of the networks as well as the edges of the daily workflow. From routing and switching equipment to printers, copiers, desktop phones and embedded mass storage solutions, they handle at least as much critical data as the well-managed servers do. But neither security processes nor network designs currently take these devices into account. The presentation will highlight some of the fundamental problems when dealing with embedded device security in an enterprise environment, the gap in software quality, security response and patch options between the embedded and the server world, and how attacks can leverage the low visibility of that Other Network to easily circumvent all the security measures put in place.


Maj, Miroslaw
Head of CERT Polska Team, NASK/CERT Polska
Miroslaw Maj has been employed at the Research and Academic Computer Network (NASK) since 1995. From 1996 to 1999 he was a member of the NASK Security Team. Since 1996 he has been a member of the CERT Polska team, and since 2001 he has been its head. Miroslaw Maj is an organizer of and lecturer at security conferences in Poland. He is the author of papers on security statistics and other subjects in the security area. He is involved in international cooperation between CSIRT teams as well as in formal European projects related to security issues (standards, statistics, fighting illegal content, building security awareness and establishing new CSIRT teams). He participates in activities at the national level with the goal of protecting critical ICT infrastructure.

Miroslaw Maj has successfully completed the Carnegie Mellon University training course "Managing Computer Security Incident Response Teams". He has also completed PRINCE2 methodology training.

Since 2004 Miroslaw Maj has held the position of Polish Liaison Officer for ENISA. For the last two years he has been a member of the ENISA Working Group on CERT Cooperation and Support. He is also a co-author of documents prepared for ENISA about CERT cooperation and CERT exercises.
R&D projects launched in response to the dynamic evolution of Internet security threats - CERT view
Wherever they are, CERTs (Computer Emergency Response Teams), as security incident handlers, have hands-on experience with the latest attack techniques on the Internet. This is the result of direct contact with their constituency and other CERT teams, which often serve as the first line of support when faced with new threats. The dynamic development of threats remains a never-ending challenge not just for them but for the entire security industry. Research and development projects that are launched in response to analyzing threats often have a problem keeping up and developing adequate tools that can be applied in practice. Nevertheless, creating new platforms that can facilitate detection and improve situational awareness is critical in order to stop these threats.
We will present technical issues concerning national and international research and development projects conducted by the CERT Polska team, operating within NASK structures. We will also present how these projects support the operational activity of the CERT, which determines the requirements for new tools and research, namely projects having practical application in, e.g., threat monitoring, correlation, early warning, malware analysis or the effective transfer of information to the proper recipients. A few examples of building synergy between the projects being implemented will be described. We believe that the most valuable part of our work is a very effective approach to the relationship between the practical needs of the operational work of a CERT team and the outcomes of security projects and systems development within such a team. We are convinced that such a relationship should be very strong, and we try to ensure it in our technical work. Thus the technical projects take up the most important and most novel topics related to ICT security. We believe that a major idea of our work is positioning the different projects in a way that enables them to work together, creating a synergy that results in a solution to today's security problems of the Internet. In each of the presented projects, we come up with novel algorithms that enable the achievement of specific project goals.


Mancini, Steve
Senior Information Security Specialist, Intel Corp.
Steve Mancini has been with Intel since he graduated from Purdue. He has been involved with several Intel security initiatives, including the formation of the Security Operations Center, co-authoring Intel’s risk assessment process, the creation of RAPIER, Intel’s first-generation incident response tool, which Intel released as open source, and enterprise-scale threat modeling.
Know Thy Enemy: Cataloguing Agents of Threat for Improved Risk Assessments
When risk managers assess threats to information assets, they have to understand the potential human threat agents: the categories of people who can harm those information assets. Historically, however, this has been challenging. A key problem is the lack of industry standards or reference definitions of agents. Assessors often have different concepts of even the most common agents, and interpret a seemingly simple term such as “spy” very differently, making it difficult to share information or apply it consistently.

As a result, risk management projects often experience threat creep: threat definitions are repeatedly re-negotiated as the project progresses, causing many delays. Even if a team agrees on the definitions, information about threats is often fragmented and sensationalized, making it difficult to understand the real threat and how to prioritize it. Additionally, some agents attract considerable publicity, resulting in the most-publicized agents appearing as the biggest threat and receiving a disproportionately large amount of limited mitigation resources.

A cross-organizational team of senior Intel information security specialists decided to create a standardized set of threat agent archetypes, with the goal of improving the accuracy and efficiency of risk assessments. Unable to find a suitable set already in use, they developed their own Threat Agent Library of 23 agent archetypes, each uniquely defined. The library includes both the “usual suspects” and characters that are easily overlooked if not explicitly listed.

The standardized threat agent approach was only recently deployed internally but is already making an impact. It was incorporated into Intel’s main business security and acquisitions risk assessment tools, where it has dramatically streamlined the process. A key manufacturing group reported a 60% improvement in total threat assessment time, reducing the negotiation period from months to days. The agent archetypes also enable focused data collection and accurate threat ranking, allowing Intel IT architecture and mitigation groups to better prioritize resources. Externally, the US DHS has incorporated the library as a cornerstone methodology of its IT Sector Baseline Risk Assessment.

This presentation will describe these elements in further detail, so that the audience can understand the problem we addressed, basics of the library itself and where to access it, and how to apply the concepts to common risk assessment situations.


Martinez, Ramses
Director of Information Security, Verisign
Ramses Martinez is the Director of Information Security for VeriSign.

In this capacity Mr. Martinez leads the team that is responsible for all aspects of information security of the global DNS, PKI and SSL infrastructure operated by VeriSign. For the last fifteen years Mr. Martinez has worked with a number of US and international entities creating security programs and developing solutions to protect enterprise IT infrastructure.

Mr. Martinez is an active member of a number of international industry organizations, including the Anti-Phishing Working Group, the Botnet Task Force and FIRST. Mr. Martinez holds an MS in Computer Science from Nova Southeastern University.
Incident Response to Social Engineering Attacks
In today’s enterprise environment an incident responder must not only be a technical expert but also possess a good understanding of the legal, economic and human aspects of dealing with a security incident. This increase in complexity has resulted in incident response becoming one of the most challenging disciplines in the field of information security. During this presentation three real-life incident cases will be discussed: a social engineering attack, a targeted phishing email and a DDoS attack. In each of these cases the dependencies between an information security team and the legal, financial, HR and executive teams will be analyzed. The processes, tools and roles used by each of the groups involved will be discussed in detail, as well as the impact that geography and culture have on the incident handling process. Lessons learned and containment, mitigation and recovery strategies will also be shared with the audience during this presentation.


Martinez-Cagnazzo, Carlos
Security Engineer, CSIRT-Antel
Carlos Martinez-Cagnazzo is an Electrical Engineer from Uruguay with more than 10 years of experience in the Telecommunications market. He started working in Operations and Management of IP networks and gradually transitioned to Computer Security. Since 2005 he has been working exclusively in the field of computer security for CSIRT-ANTEL, the computer security incident response team of ANTEL (the largest telecom operator in Uruguay).

Since 2007 Carlos has been the chair of the Network Security mailing list and Network Security Forum; both hosted by LACNIC.

Carlos also teaches classes on Computer Security and Computer Networking for both the Computer Science Institute of UDELAR (Universidad de la Republica) and Universidad de Montevideo, both important and recognized Universities in Uruguay.

His current research interests include honeypots, honeynets, security in IPv6, and secure, automated security information sharing across administrative boundaries.
FACTOIDS: An open architecture for secure, efficient and dynamic data exchange among CSIRTs
Computer Security Incident Response Teams (CSIRTs) are service organizations: highly specialized task forces that handle security incidents at either the coordination or the operational level. Malicious Internet activities recognize no boundaries; therefore, in order to be able to carry out their tasks as efficiently as possible, CSIRTs must establish relationships of trust that will allow them to share information.

In order to be acceptable, this information sharing must also comply with the information security policies of each security team’s parent organization and, in order to be as effective as possible, it must be capable of being automated.

The problem opens various research avenues, including but not limited to: (a) streamlining trust relationship establishment; (b) automatic sanitization according to a stored, machine-executable information security policy; (c) efficient access to event repositories through remotely-callable APIs and (d) efficient storage of large volumes of security-related event data.

This paper contains an introduction to this information exchange scenario among CSIRTs and then analyzes some relevant tools and architectures found in the literature with the aim of preparing an analysis of the requirements and proposing a high-level architecture for the automatic exchange of information among CSIRTs through administrative domains such that it complies with each organization’s information security policies.


McRee, Russ
Team Leader, Sr. Security Analyst, Microsoft
Russ McRee, GPEN, GCIH, GCFA, CISSP, is a senior security analyst / researcher and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. Russ conducts constant vulnerability and malware research, wrestling with the challenges of Web application security and new ways to interpret malicious network traffic. Currently team leader for Microsoft Online Service’s Security Incident Management team, Russ is a frequent speaker at industry events, including DEFCON, RSA, FIRST and RAID. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, SysAdmin, Linux Magazine, and OWASP.

Russ was listed as the 8th ranked vulnerability discoverer of 2008 by IBM ISS.

Incident Response in Virtual Environments: Challenges in the Cloud

Incident response in large production environments is challenging enough. Add layers of virtualization, a constantly dynamic state, as well as a broad external customer base and the challenges deepen exponentially.

This presentation aims to provide recommendations and guidance based on experience and information gathered while conducting incident response in such environments including large virtualized caching networks and cloud-based services. Logging, tooling, forensic methods, and egress-based network security monitoring are amongst the topics to be discussed. This presentation also intends to allow active discussion with participants to share their experiences.



Milletary, Jason
Technical Director for Malware Analysis, SecureWorks
Jason Milletary is the Technical Director for Malware Analysis in SecureWorks' Counter Threat Unit (CTU). He has over 10 years of experience in Information Security, encompassing operations and research. In addition, Jason has six years of hands-on malware analysis experience supporting tactical and strategic goals. Jason is a seasoned speaker on topics related to malicious code, having spoken at numerous events worldwide. He is a recognized and well-respected subject matter expert on malware threats against the financial sector and e-commerce systems.
Understanding and Combating Man-in-the-Browser Attacks
Over the past few years, we have seen an evolution of malware that integrates itself into the functionality of the victim’s web browser, in what is commonly called a “Man-In-The-Browser” (MITB) attack. The ultimate goal of malware with this capability is to take advantage of the trust boundary between the user and the application to perform sophisticated information theft attacks. Traditionally, these attacks were largely focused against the financial sector. However, we have seen indications of these types of attacks affecting more diverse targets. In this presentation, we will review several malware families that utilize MITB capabilities and discuss strategies for recognizing and mitigating these threats from the point of view of a targeted organization.


Nawa, Toshio
Senior Analyst, CDI-CIRT
Analysis on How CSIRTs are Organized in Japanese Large Companies
Computer Security Incident Response Teams (CSIRTs) can be set up within organizations in a variety of ways depending on their constituencies and the nature of the services that the teams provide. Yet according to the classic textbook approach, it is preferable to set up CSIRTs directly below the management level in the organization and endow the teams with the authority they need to carry out their responsibilities. Indeed, this arrangement may be the optimum solution for many American companies. However, the way Japanese companies are organized and governed, particularly large Japanese corporations, is very different from the U.S., so setting up CSIRTs in the classic textbook manner is not only very difficult but may not even be appropriate. In light of these cross-cultural differences, a number of large Japanese firms have established and are now operating CSIRTs that are tailored to their own unique organizational and governance requirements, and performance results for these teams are now starting to become available. This paper describes (1) the results of a survey of some successful implementations of CSIRTs in large Japanese firms, (2) analyses of the reasons why these implementations have succeeded, and (3) suggestions about how CSIRTs can be set up to meet the unique organizational requirements of large Japanese firms. The organizational principles uncovered here are not confined to big Japanese companies, but are expected to be useful in setting up CSIRTs in other countries where companies are organized similarly to those in Japan.


Ollmann, Günter
VP Research, Damballa
Gunter Ollmann serves as Vice President of Research at Damballa and is a known veteran in the security space. Prior to joining Damballa, Ollmann held several strategic positions at IBM Internet Security Systems (IBM ISS), the most recent being Chief Security Strategist. In this role he was responsible for predicting the evolution of future threats and helping guide IBM's overall security research and protection strategy, as well as being the key IBM spokesperson on evolving threats and mitigation techniques. He also held the role of Director of X-Force, and was formerly head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006). Prior to joining ISS, Ollmann was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. Ollmann has been a contributor to multiple leading international IT and security-focused magazines and journals, and has authored, developed and delivered a number of highly technical courses on Web application security. He is a well-known industry speaker worldwide and is often invited to present at international security conferences. Ollmann is also highly regarded in the press as an expert source on security threats and is frequently quoted by the international media.
The Opt-in Social Protesting Botnet
For the last few years social networking services have grown in breadth, scope and popularity. Their ability to attract huge groups of like-minded individuals from around the world and coordinate global protest actions and cyber attacks has also not gone unnoticed. 2009 saw many instances where new social networking groups appeared overnight, attracting tens of thousands of members to a specific cause, and served as centralized command and control for coordinated attacks. In several public instances participants willingly installed classic botnet agents on their systems to take more active and damaging roles in the attacks. We’ve already seen some of the tools and baby steps in taking protesting online, but what will it look like when things really start to get serious? What happens when you embrace social networking sites to further your cause and harness hundreds of thousands of compatriots, arm them with new-generation cyber-warfare tools, and launch coordinated attacks? How has online protesting jumped from classic Web denial of service or mail flooding into social jihad botnets that embrace other channels such as blogosphere disinformation and telephony services? Next-generation tools are already being created. The reasons for taking up cyber-arms are increasingly prevalent. How should you deal with attacks that may be targeted at your organization by your own customers? What are the implications of being a facilitator when your own employees take up cyber-arms and join a social jihad?


Peixinho, Ivo
Forensics Expert, Brazilian Federal Police
Ivo de Carvalho Peixinho has a BS degree in Computer Science from Universidade Federal da Bahia, with a post-graduate qualification in Distributed Systems. He is also a BS7799 certified auditor. Ivo has more than 12 years of experience in network security, and has worked the last four years on security research and incident handling. He currently works as a Forensics Expert at the Brazilian Federal Police Department, and also coordinates the Federal Police incident handling team.
Phishing Malware vs Brazilian Banks: What each side is doing to raise the bar
Brazilian banks are constantly changing their websites and adding new security measures to try to contain the tsunami of new phishing malware that arrives every day on the net. Recently some banks started taking radical approaches, like accepting transactions only from pre-registered computers and using out-of-band mechanisms like SMS messages. This presentation shows the latest advances in security regarding Brazilian online banking, trends and the latest types of malware found in the wild. There will be some demonstrations of the latest malware that target the latest security measures of the online banking sites.

The talk will also present the latest moves of the Police and Justice to put the criminals behind bars, and the impact of these new security measures on the end user. Since this presentation will cover the latest developments, the final material will be given only at the conference.


Piccolini, Jacomo
Academic Coordinator, Dragon Research Group - Team Cymru
Jacomo Dimmit Boca Piccolini holds an engineering degree in Industrial Engineering from Universidade Federal de Sao Carlos (UFSCar), with two post-graduate degrees, one from the Computer Science Institute and the other from the Economics Institute of Universidade de Campinas (Unicamp). He is a GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Forensics Analyst (GCFA), working as the security training coordinator at the Brazilian Research and Academic Network Educational Team (ESR/RNP). With 12+ years of experience in the security field, he is the current hands-on coordinator for the FIRST Technical Colloquium.
Dragon Research Group Security Distro
The DRG Distro is a minimized Linux distribution designed to operate as part of a distributed Internet-based security research network. The Distro, or "pod", is Slax-derived and comes with a useful set of utilities that provides the pod "runner" with an easy way to develop awareness of local network security conditions. When integrated into the pod network, this tool also provides a broad view of malicious activity gleaned from other networked pods. The ultimate goal is to combine local pod network activity with DRG insight, analysis and tools to provide actionable intelligence to the Internet security community. For more information see http://drg.team-cymru.org/


Pillion, Martin
Senior Software Engineer, HBGary, Inc.
Martin Pillion is a Senior Software Engineer for HBGary, Inc. in Sacramento, California. At HBGary, his responsibilities include designing and developing the HBGary Responder COTS software reverse engineering tools, reverse engineering software for security vulnerabilities, and designing and developing Windows NT/2000/XP device drivers. Mr. Pillion also serves as an Instructor for HBGary training classes. Prior to joining HBGary, Mr. Pillion served as a Senior Software Engineer at RABA Technologies.
Fingerprinting Malware Developers
Over the last decade, the Malware Industry has grown at a phenomenal rate. The volume of unique Malware, the sophistication of Malware techniques, and the number of participants in the overall Malware environment have all reached a critical mass – they have surpassed the ability of the Security Industry to provide comprehensive protection. The Security Industry is changing, adapting, and growing in an effort to catch up to the Malware Industry. In my presentation, "Fingerprinting Malware Developers," I will discuss how to fingerprint, and potentially identify, the developers behind each piece of Malware.

Fingerprinting Malware has emerged as a significant concern in today’s security environment. Forensic Investigators, Security Consultants, Software Vendors, Network Administrators, and CISOs all want to determine who is behind the attacks on their victims, clients, customers, products, and networks. They want to utilize this information for a variety of purposes: to prosecute the attackers, identify related attacks, and secure against future attacks.

This presentation will outline a number of methods, and some myths, related to the more general field of fingerprinting software developers. Methods covered include instruction usage, analysis of code patterns, debug information, language attribution, linked third-party libraries, embedded product keys, compiler and linker information, compiler signatures, machine signatures, and globally unique identifiers. These methods are then applied to the more specific context of Malware, and the success or failure of each method will be discussed. Finally, I will discuss some of the reasons that fingerprinting Malware developers can be a difficult problem to solve.


Pohlmann, Norbert
Professor, Computer Science, University of Applied Sciences Gelsenkirchen
Norbert Pohlmann is Professor in the Computer Science Department for distributed systems and information security and director of the Institute for Internet Security at the University of Applied Sciences Gelsenkirchen. From 1988 until 1999 he was managing director of the IT security system house KryptoKom in Aachen. After its merger with Utimaco Safeware AG, he was a member of the Utimaco Safeware management board until 2003. In addition, he is chairman of the board of the TeleTrusT association and a member of the Permanent Stakeholders' Group of ENISA. Norbert Pohlmann is one of the initiators of "Information Security Solutions Europe" (ISSE) and the chairman of the ISSE conference program committee.
FISHA - A Framework for Information Sharing and Alerting in Europe
FISHA (Framework for Information Sharing and Alerting) is a collaboration between NASK/CERT Polska, CERT-Hungary and the University of Gelsenkirchen to build a common European information and alerting system within the framework of the EU EPCIP programme, based on the findings of the EISAS study of ENISA. The project addresses the issue of improving security awareness amongst home users and SMEs through the creation of a European information sharing and alerting system. The focus on home users and SMEs stems from the fact that these groups play a critical role in the security of the Internet as a whole and, as such, of the European critical information infrastructure. At the same time both groups remain an easy target of attacks, due to low awareness of security issues and the lack of the technical skills required to handle them in a proper manner. There is therefore a need for a channel that can be used to reach these groups and supply them with timely best practice information, alerts and warnings phrased in an easy to understand, non-technical way. While a number of national initiatives with a similar goal exist, these initiatives do not cooperate as actively in this field as they could. There is therefore much to be gained by pooling their resources and building upon existing information exchange initiatives, developed in particular in the CERT community. Previous studies in the watch and warning field have shown that there are a lot of different views and interpretations by experts from different countries as to what really should be done at a European level. These differing views have hindered past Europe-wide efforts, with relevant stakeholders firmly opposing the creation of a large centralized structure.
The presentation will introduce our vision of the framework for information sharing and alerting, which we intend to act as a meta-information broker for various stakeholders (including CERTs), and explain the rationale behind the choices made, both technical (including a description of the proposed P2P network) and organizational. Our vision takes into account not just our own ideas or ideas inspired by previous work, but comments from experts (particularly from CERTs) that have taken part in our first FISHA workshop, organized in October 2009 in Rotterdam.


Puhakainen, Anu
PSIRT Manager, Ericsson
How the change to an all-IP world impacts attack scenarios and how CERT teams can be prepared
The ongoing network transformation impacts the business environment of all the actors in communications. While many more millions of people get access to services improving their daily lives, the whole networked community is exposed to the security threats that a global communication system entails.

The session starts with a discussion about how the change to all-IP networking and the convergence of fixed and mobile communications create new possibilities for attackers. Ensuring security while maintaining appropriate privacy has been challenging in communication networks in the past. In the coming years, it will be even more of a challenge due to the changes that are taking place. The session continues with how network convergence, the opening up of networks and security de-perimeterization lead to the emergence of serious threats that were previously inapplicable. Both networks and end-users will be targeted with traffic that serves purposes other than what the communications solutions were designed for. CERT teams need skills, tools and collaboration to understand and adapt to a continuously changing security environment, while equipment vendors must provide proper security in their products, solutions and services.

The session will cover how evolving networks place strict demands on distributed protection mechanisms and the relevance of possible countermeasures like event sensoring, traffic separation, traffic protection and node protection in increasingly untrusted telecommunication network environments.


Reitinger, Phil
Deputy Secretary of the NPPD & Director of the NCSC, The Department of Homeland Security
Phil Reitinger is the Deputy Secretary of the National Protection and Programs Directorate (NPPD) and Director of the National Cyber Security Center (NCSC) at the United States Department of Homeland Security. Reitinger leads the Department’s integrated efforts to reduce risks across physical and cyber infrastructures and to help secure federal networks and systems by collecting, analyzing, integrating and sharing information among interagency partners.

Prior to his nomination, Reitinger was an executive with Microsoft with the title of Chief Trustworthy Infrastructure Strategist, or CTIS. Prior to joining Microsoft, Reitinger was the Executive Director for the Department of Defense Cyber Crime Center.
DHS Community Based Defense Programs
Keynote


Rossman, Hart
VP/CTO Cyber Security Solutions, SAIC
Hart Rossman is VP/CTO for Cyber Security Solutions at SAIC. He is a Senior Research Fellow with the Supply Chain Management Center at the University of Maryland, IANS faculty, FIRST team rep, and an advisor to the Corporate Executive Programme. He is on the Editorial Board of, and co-author of the “Insecure IT” column for, IEEE "IT Professional" magazine, and co-authored NIST SP 800-64rev2. He holds the CISSP and CSSLP certifications and received his MBA from the University of Maryland's R.H. Smith School of Business.
Cyber Supply Chain Assurance: Incident Response in the global IT supply chain
Our paper, “Building A Cyber Supply Chain Assurance Reference Model”, marked the culmination of a seven-month research project which sought to fuse together the fields of cybersecurity and supply chain risk management by applying proven supply chain practices to this evolving cyber domain. This presentation will take a cross-functional risk perspective of Cyber Supply Chain Assurance, referencing cutting-edge models, tools, and practices extending the initial findings in this paper. The audience will learn, through case study and example, threat vectors, details of known incidents, and best practices for creating resilient cyber supply chains. Of particular focus will be the role of the incident response and security teams as actors in the cyber supply chain. We will explore tools and tactics that might be used, including technical and contractual means to influence response capability throughout the cyber supply chain. The cyber supply chain encompasses the information and communications technology components, products, services, and integrated systems created and transported by the global supply chain.

This presentation is the result of a collaboration between SAIC and the Supply Chain Management Center (SCMS) of the Robert H. Smith School of Business, University of Maryland (UMD) at College Park. Our research assessed the dynamics, risks, and management challenges and opportunities of the cyber supply chain in its role as a critical public system/private infrastructure.

Among the research team's key findings are:
- A fully integrated cyber supply chain requires the coordination of what researchers describe as "defense in depth," the process of securing/hardening core systems and their constituent parts during the build and deploy phases of the lifecycle; and "defense in breadth," the process of securing the global web of actors who use and maintain a system including customers, system integrators and suppliers.
- There is a lack of visibility and coherence across the cyber supply chain which prevents effective orchestration and synchronization.
- There is a clear need for structured incentives and relationship drivers which facilitate management of shared risk.
- Lack of communication between the cyber and physical supply chain domains is constraining advancement. Most organizations mistakenly view themselves as the terminus in the cyber supply chain and do not recognize the need for accountability within all internal function areas, as well as among all suppliers, customers and partners.
- Information security operations is not sufficiently aligned with the supply chain risk management function to be capable of performing joint operations during an incident.

The central challenge is that global cyber supply chains today are as fragmented as physical supply chains were 15 years ago. Since the release of our paper we have been diligently conducting on-site case studies with several government and commercial organizations to better understand the application of the model.

In this session we will introduce our model and present one industry and one government case study covering a cross-functional executive perspective of its application paying particular attention to the challenges an incident response team faces in aligning the CERT/CIRC function with conventional supply chain risk management.

This talk could be extended into a tutorial if desired. I have attached the executive summary for the paper to this submission. The full paper is available at: http://www.saic.com/news/resources/Cyber_Supply_Chain.pdf


Rounsavall, Robert
Director, Secure Information Services, Terremark
Robert Rounsavall joined Terremark Worldwide, Inc. in January 2007 as part of the Secure Information Services group. Currently serving as the Director of Product Development, Mr. Rounsavall is responsible for reviewing, testing and implementing emerging security products and technologies. He is currently focused on cloud computing and virtualization security, specifically on Terremark's UCS-based cloud platform. In his previous role he was responsible for designing the security architecture and building out the Security Operations Center for Terremark's colocation, hosting, and cloud customers. He also built and deployed the first Portable Security Operations Center, also known as SOC In A Box, which allows for full visibility into extremely large enterprise networks. Prior to Terremark, Mr. Rounsavall was a product manager for a Security Information Event Management firm in South Florida and a Navy Cryptologic Technician Chief Petty Officer.
Forensics considerations in next generation cloud environments Abstract
Cloud computing is a buzzword that has many meanings and ramifications. Platforms are getting faster and faster, and forensics is becoming more challenging as memory sizes increase into the hundreds of gigabytes on a single server, networks all run at 10 Gbps, and servers are almost directly connected to multi-terabyte and even petabyte storage area networks. The three main things you need to do effective IR are network traffic, physical memory, and access to disk. If you have an incident response team and walk into one of these environments, how can you obtain those three items to begin analysis? This talk looks at the new Cisco UCS platform, which has been getting a lot of attention from very large organizations and service providers, from an IR perspective. It shows some of the challenges that you will face on these platforms, how you can overcome them, and how you can acquire that type of evidence if you find yourself as an incident responder walking into this type of environment.


Schuster, Andreas
Senior Computer Forensic Examiner, Deutsche Telekom AG
Andreas Schuster has been a Senior Computer Forensic Examiner with the security department of Deutsche Telekom AG since December 2003. Previously he led a commercial computer incident response team and had worked in the Internet business for about seven years.
Andreas has authored and contributed to several memory analysis tools. For his research he was awarded the DFRWS 2006 best paper award and the German IT-Security Award 2008.
Forensic Analysis of an unknown File System Abstract
In order to analyze file systems, incident responders and computer forensic examiners commonly rely on a couple of well-known tools, like EnCase, X-Ways Forensic, and FTK. But what do you do if your tools fail to parse a file system correctly? This course will instruct attendees how to get an examination started even under those circumstances and how to improvise their own tools. Sample disk images for this course were obtained from live systems that could be found in an arbitrary office environment.


Silicki, Krzysztof
Technical Director, NASK
Krzysztof Silicki graduated from Warsaw University of Technology, Department of Fine Mechanics. After graduation, he worked in the Institute of Electron Technology. He joined NASK at the very beginning of the company's establishment (in 1993). Since February 2000 he has held the post of Technical Director.
He established and actively manages the CERT NASK team ("CERT Polska" since December 2000), the first such team in Poland. He also created and was the main co-ordinator of the "SECURE" conference, which has been held by NASK since 1997.
Silicki is a well-known creator in the IT environment and the chief editor (since 1999) of the monthly IT magazine NETforum. He is the author of many publications devoted to the problem of securing networks and has issued many expert opinions on network security and confidentiality mechanisms, authorisation technologies and principles for proceeding in the event of a breach of network security.

Since 2004 Krzysztof Silicki has held the position of Polish representative on the ENISA Management Board.
R&D projects launched in response to the dynamic evolution of Internet security threats - CERT view Abstract
Wherever they are, CERTs (Computer Emergency Response Teams), as security incident handlers, have hands-on experience with the latest attack techniques on the Internet. This is the result of direct contact with their constituency and other CERT teams, which often serve as the first line of support when faced with new threats. The dynamic development of threats remains a never-ending challenge not just for them, but for the entire security industry. Research and development projects that are launched in response to analyzing threats often have a problem keeping up and developing adequate tools that can be applied in practice. Nevertheless, creating new platforms that can facilitate detection and improve situational awareness is critical in order to stop these threats.
We will present technical issues concerning national and international research and development projects conducted by the CERT Polska team, operating within NASK structures. We will also present how these projects support the operational activity of CERT, which determines the requirement for new tools and research – namely for projects having practical application in, e.g., threat monitoring, correlation, early warning, malware analysis or effective transfer of information to proper recipients. A few examples of building synergy between projects being implemented will be described. We believe that the most valuable part of our work is a very effective approach to the relationship between the practical needs of the operational work of a CERT team and the outcomes of security projects and systems development within such a team. We are convinced that such a relationship should be very strong, and we try to ensure it in our technical work. Thus the technical projects undertake the most important and the most novel topics related to ICT security. We believe that a major idea of our work is the positioning of different projects in a way that enables them to work together, creating a synergy that results in a solution to today's security problems of the Internet. In each of the presented projects, we come up with novel algorithms that enable the achievement of specific project goals.


Stewart, Joe
Director of Malware Research, SecureWorks
Joe Stewart is Director of Malware Research with the SecureWorks Counter Threat Unit. As a leading expert on malware and Internet threats, he is a frequent commentator on security issues for leading media outlets such as The New York Times, MSNBC, Washington Post, USA Today and others. Joe has presented his security research at many conferences such as RSA, Black Hat, DEFCON, ShmooCon, RECON, Netsec and others.
BlackEnergy 2 Revealed Abstract
BlackEnergy is a popular DDoS trojan written by "Cr4sh", a member of the Russian hacking group "Hell Knights". Recently a major new version of the trojan, in extremely limited circulation, was identified in the wild by the presenter of this talk. This new rewrite of the trojan expands BlackEnergy's capabilities from a simple DDoS trojan to a stealthy modular platform for DDoS, spam and banking fraud.


Stone, Adrian
MSRC, Microsoft
The Common Vulnerability Reporting Framework (CVRF) Abstract
In recent years, the computer security collective has made significant progress in categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) dictionary (http://cve.mitre.org) and the Common Vulnerability Scoring System (CVSS) (http://nvd.nist.gov/cvss.cfm). However, one major gap in vulnerability standardization remains: there is no common framework for reporting and sharing vulnerability documentation among multiple organizations.

Current methods of vulnerability reporting, such as embedding security metric and vulnerability data inside response reports, are vendor-specific, non-standard, and non-cooperative. Additionally, because each producer of vulnerability reports employs a unique document structure that does not facilitate automated processing, users must manually parse individual vulnerability reports to find information that is germane to their environments.

In an effort to solve these problems, The Internet Consortium for Advancement of Security on the Internet (ICASI) has initiated the Common Vulnerability Reporting Framework (CVRF) project. CVRF will standardize vulnerability reporting in the form of an XML framework. Once CVRF is available, discoverers, vendors, users and coordinators of security response efforts worldwide will be able to use it to share critical vulnerability-related information, speeding information dissemination, exchange, and incident resolution. Producers of vulnerability reports will benefit from faster reporting, and end users will gain the ability to find relevant information more quickly and easily.


Suba, Ferenc
Chairman, CERT-Hungary
FISHA - A Framework for Information Sharing and Alerting in Europe Abstract
The FISHA (Framework for Information Sharing and Alerting) is a collaboration between NASK/CERT Polska, CERT-Hungary and the University of Gelsenkirchen to build a common European information and alerting system within the framework of the EU EPCIP programme, based on the findings of the EISAS study of ENISA. The project addresses the issue of improving security awareness amongst home users and SMEs through the creation of a European information sharing and alerting system. The focus on home users and SMEs stems from the fact that these groups play a critical role in the security of the Internet as a whole, and as such, the European critical information infrastructure. At the same time both groups remain an easy target of attacks, due to low awareness of security issues and the lack of the technical skills required to handle them in a proper manner. There is therefore a need for a channel that can be used to reach these groups and supply them with timely best practice information, alerts and warnings phrased in an easy to understand, non-technical way. While a number of national initiatives with a similar goal exist, these initiatives do not cooperate as actively in this field as they could. There is therefore much to be gained by pooling their resources and building upon existing information exchange initiatives, developed in particular in the CERT community. Previous studies in the watch and warning field have shown that there are a lot of different views and interpretations by experts from different countries as to what really should be done at a European level. These differing views have hindered past Europe-wide efforts, with relevant stakeholders firmly opposing the creation of a large centralized structure.
The presentation will introduce our vision of the framework for information sharing and alerting, which we plan will act as a meta-information broker for various stakeholders (including CERTs), and explain the rationale behind the choices made, both technical (including a description of the proposed P2P network) and organizational. Our vision takes into account not just our own ideas or ideas inspired from previous work, but comments from experts (particularly from CERTs) that have taken part in our first FISHA workshop organized in October 2009 in Rotterdam.


Trzeciak, Randall
Senior Member of the Technical Staff, CERT / Software Engineering Institute / Carnegie Mellon University
Randy Trzeciak is currently a senior member of the technical staff at CERT. He leads the insider threat team, a team focusing on insider threat research, threat analysis and modeling, assessments, and training. Randy has over 19 years' experience in software engineering; database design, development, and maintenance; project management; and information security. He is also an adjunct professor at Carnegie Mellon's Heinz College, School of Information Systems and Management. Randy holds an MS in Management from the University of Maryland, and a BS in Management Information Systems and a BA in Business Administration from Geneva College.
Understanding the Insider Threat: Lessons Learned from Actual Insider Cyber Crimes Abstract
Cyber crimes committed by malicious insiders continue to represent one of the most significant threats to networked systems and data. It is important to consider the insider threat perspective when developing policies and procedures for responding to cyber security events.

Since 2001 CERT’s insider threat team has built an extensive library and comprehensive database containing hundreds of actual cases of insider cyber crimes. This presentation will focus on three primary types of insider cyber crimes: IT sabotage, theft of intellectual property (e.g. trade secrets), and employee fraud. For each type of crime, a “crime profile” will be presented which describes who committed the crimes, their motivation, organizational issues surrounding the incidents, methods of carrying out the attacks, impacts, and precursors that could have served as indicators to the organization in preventing the incident or detecting it earlier. Insight will be provided regarding the technical means and methods used by malicious insiders including where to gather data on insider activity for event reconstruction. We will convey the "big picture" of the insider threat problem - the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time. Each crime profile will describe the patterns evident in the crimes so that attendees can recognize these patterns in their own organizations, and implement effective countermeasures to mitigate the threat.

Attendees will leave with an understanding of the scope of the insider threat problem, patterns to watch for that could signify increased risk, and proactive measures that they can put into place for prevention and detection of insider threats. Actual cases will be presented throughout the presentation to provide concrete examples and lessons learned.

THIS IS A SIMILAR PRESENTATION TO THE ONE OFFERED BY DAWN CAPPELLI, GEORGIA KILLCRECE, AND GREG LONGO AT THE FIRST TECHNICAL COLLOQUIUM IN HAMBURG GERMANY (JANUARY 2010).


Van Wyk, Kenneth
President and Principal Consultant, KRvW Associates, LLC
(Note, session is co-authored by Scott McIntyre. Primary presenter, however, will be Ken--if accepted.)

Ken is a CERT® Certified Computer Security Incident Handler, as well as an internationally recognized information security expert and author of the popular O'Reilly and Associates books, Incident Response and Secure Coding: Principles and Practices, as well as a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.

Ken has previously held senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-CERT incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.

Ken has previously served as the Chairman and as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He currently sits on their Steering Committee and Board of Directors. He holds a mechanical engineering degree from Lehigh University and is a frequent speaker at technical conferences, including FIRST, S3, CSI, ISF, and others.
A Day in the Life of a Web Application Abstract
Today's web-based software applications have grown substantially in importance over those of just a few years ago. As a result, the impact of security failures has increased commensurately, often with potentially large-scale financial impact to the enterprise. Yet security failures occur in oftentimes spectacular ways.

A common failing occurs in how enterprise software interacts with security infrastructures, from enterprise event logging through intrusion detection and prevention systems. These security facilities frequently go untouched by application developers, leaving security staff to seek bolt-on solutions to application-layer security issues.

In this session, a common web application user interface component known as a servlet is examined and enhanced, to build a web app example that is not only secure against attack, but able to stand up to the rigors of a modern enterprise computing environment. The starting point, a simple, highly vulnerable servlet, is examined and discussed as a case study, with particular attention paid to some of today's most prevalent web-based attacks like SQL injection and cross-site scripting. First, security features are added to the servlet to provide defense against these most common attacks (e.g., OWASP Top-10 2010). Next, enterprise event logging is added, with the use cases of the CSIRT specifically in mind. Finally, the servlet is enhanced to provide the ability to take evasive actions when attacks are detected, based on policies set by the CSIRT and/or CISO staff.

By highlighting these building blocks in source code case studies, we clearly illustrate the urgent need for close collaboration among the CSIRT, software development, and business staff.


White, Matt
Manager, Information Security Investigations, Intel
Risk Intelligence: Business Intelligence meets Information Security Abstract
In 2009, Intel Corporation used a novel business intelligence approach to address needs in the protection of its intellectual property. A team inside Intel developed a flexible architecture that uses business intelligence to implement risk models, determine actual likelihood and impact, and measure risk reduction. As the solution grows, it is part of an end-to-end process to protect intellectual property in the company. This talk covers the hardest problems to solve, and the solutions Intel found. Learn how business intelligence concepts were benchmarked against risk concepts like likelihood and impact. Detailed, working code will be shared on how to implement risk models that detect intellectual property misappropriation.

