Local Host
Malta Information Technology Agency
Platinum Sponsors
Microsoft
Gold Sponsor
ENISA
Network Sponsor
Cisco Systems

Do you have specific questions? Please send inquiries to
first-2012@first.org.

Direct line to conference office:
+1 312 646 1013

Direct mailing address to conference office:
FIRST Conference Office
219 W. Chicago Avenue, Suite 300
Chicago, Illinois 60654

Conference Program

Draft agenda as of 7 February 2012. Program is subject to change.


Saturday, 16 June 2012

TBD Education & Training Committee Meeting
TBD


Sunday, 17 June 2012

TBD Education & Training Committee Meeting
TBD
1400-2100 Registration
TBD
1500-1600 2012 Session Chairs Meeting
Wignacourt - Level 6 Conference Center
1830-1900 Newbie Reception w/ FIRST Steering Committee
Hilton Poolside Gazebo

FIRST Newbies (non-members) & First Time Attendees (members and non-members) are cordially invited to mix and mingle with each other and the FIRST Steering Committee. Beverages and appetizers will be served.
1900-2100 Ice Breaker Reception sponsored by MITA
Hilton Poolside Gazebo

All attendees are encouraged to attend this kick-off event.


Monday, 18 June 2012

0800-1600 Registration & Morning Coffee/Tea Service
TBD

*Breakfast at the Hilton Malta is included in the room rate for delegates staying at the hotel. If you are not staying at the Hilton Malta, please check with the hotel you are lodging with for details on breakfast. Breakfast is typically included in lodging at most European properties.
0900-0945
[UK] Conference Opening & Welcome
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
SVP, Citi, UK
0945-1045
[EU] Keynote Presentation
Grandmaster Suite - Level 6 Conference Center
Francisco García Morán
Director General, Directorate General Informatics (DIGIT), European Commission (EU)
1045-1115 Coffee & Networking Break
TBD
1100-1200
[MT] Plenary Session: MITA Introduction
Grandmaster Suite - Level 6 Conference Center
TBD
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
Breakout tracks: Deep Technical Dives (room TBD), Technical Foundations (room TBD), Policy & Management (room TBD)
1330-1415
[DE] Poison Ivy for Incident Responders

Poison Ivy sells itself as a remote administration tool. It has been used in a wide variety of attacks, from fake screen saver trojans for the masses to the highly targeted attacks against RSA (1) and the chemical industry (2).

The presentation will start with a brief introduction into Poison Ivy, its capabilities and configurable options. We will then have a closer look at the generated binary and learn how code and configuration data blocks are combined. We develop signatures that can help an incident responder to detect PoisonIvy in memory and to reconstruct its configuration without time-consuming reverse engineering.

Next, we will examine network activity, especially the session initialization handshake. A brief cryptanalysis will reveal a weakness that incident responders can leverage to identify PoisonIvy command and control servers and to mount a brute-force attack on the attacker's shared secret.

(1) Anatomy of an Attack
(2) Nitro Attacks Whitepaper

No special equipment required.

Andreas Schuster
Deutsche Telekom AG
[US] Who, What, Where and How: An Insider's View to Participating in the Security Community

Where do people in the security community go to share insight and collaborate? How do you become a part of the private, so-called "trusted" communities? What can you do to maximize security community relationships? We try to answer these sorts of questions by surveying the security community, including its collaborative successes and failures.

John Kristoff
Team Cymru, US
[BE] Leaving our island: a communication and business strategy for a National CSIRT

CERT.be is the Belgian National CSIRT and has asked the help of a bureau specialized in branding strategy development and marketing in order to better fulfill its wide-ranging tasks, which include treating and coordinating highly sensitive incidents, handling day-to-day abuse reports and creating awareness for the general Belgian public.

The result of this collaboration was a communication plan and strategy for CERT.be, including a tagline to be added to the CERT.be logo. It also turned out that a National CSIRT is a very “sexy” product to market due to the unique qualities of “the product”, and some very surprising results surfaced after applying techniques and tools normally used to brand and position products and/or big companies.

We will implement the findings starting from January 2012 and we would like to present our findings and the results of this approach. Our aim is to give more visibility to CERT.be at all the levels involved: law enforcement, political, the general public, ISPs and large companies and, last but not least, the press. CSIRTs are in fact all about communication, and using the press as a very strong ally in our fight against cybercrime and abuse should allow us to do our work more efficiently.

In this presentation I would like to present some of the very interesting conclusions of this collaboration; moreover, I should be able to give valuable feedback and lessons learned some six months into the implementation of this strategy.

Christian Van Heurck
CERT.be, BE
1415-1500
[RU] DQ: a cyber missile

The Duqu threat made a big noise in the media in autumn 2011. Although its impact was hard to estimate, everyone felt that something major was happening behind that name.

We, at Kaspersky Lab, spent a lot of time working on this threat as it seemed to have cutting edge malware technologies and unknown 0-days used in the attack.

The presentation is going to show some results of a Duqu workgroup and will explain what Duqu was, why people think it was similar to Stuxnet, how it was controlled, how long it had been used and what traces were erroneously left by the attackers on a set of compromised systems. Please expect only technical information about the threat, as we are not going to speculate on who may have developed and controlled it and for what reasons.

Also, we would like to share some of our experience (wins and fails) in international collaboration with CERTs, LE and private companies during the investigation.

Vitaliy Kamlyuk
Kaspersky Lab, RU
[ES] Virustotal.com Proper Usage

Virustotal is a free file scanning service that aggregates information from a number of antivirus engines plus several other tools. Made public in 2004, it has become a popular tool, but in some cases it is used incorrectly or some of the information generated is not well understood. This talk aims to explain how it works and proper ways of using it, using examples of how people and companies have used and misused it over the years.

Julio Canto
Hispasec Sistemas, ES
[JP] A study for CSIRTs strengthening: From a Viewpoint of Interactive Storytelling in an Organization

NTT-CERT and Meiji University collaborate to study "storytelling" in organizations. Storytelling influences the realities people have and gives rise to dynamic responses in the organization. Eventually, we expect that understanding “storytelling” can help us to build up and keep a good team under the high-pressure situations in which CSIRTs operate.

The purpose of this paper is to investigate the organizational side of security response in cases of Japanese CSIRTs.

As incidents usually occur in new forms and under new situations, responding to them is difficult. Therefore, when an incident occurs, members of the CSIRT assign a meaning to the effect of the incident. At this point, the members analyze the incident in the light of a recent incident through storytelling based on their current experiences and decide upon appropriate countermeasures. In this manner, the organization’s reality about security is constructed through “storytelling”.

Research on storytelling has developed in organization studies in recent years. Storytelling is shown in the context of management that is engineering organizational change. Moreover, it is especially shown in the context of the efforts that the leader makes to help his subordinates understand the ramifications of the changes that are to be introduced in the organization. However, this case shows that storytelling in an organization does not only imply downward communication flowing from the leader to the other members but also interactive storytelling that occurs between the members of the organization. Therefore, we will present alternative storytelling perspectives different from those of established studies. To make that difference clear, we first explain the established view stemming from past research on storytelling. Second, we show an alternative viewpoint to that adopted in existing storytelling research. To investigate the cases of Japanese CSIRTs, we do not focus on an established study that views storytelling as a leadership tool or a tool that effects organizational change, but on how various stories are formed within an organization and on the organization’s reality, which gives rise to various stories. Finally, we will show the importance of organizational perspectives on security response.

Ikuya Hayashi
NTT, JP
1500-1530 Coffee & Networking Break
TBD
1530-1600
[US] A forensic review of the TDSS bootkit

While there has been extensive reporting on TDSS malware, dubbed the ‘Indestructible’ botnet by Kaspersky, most reporting has focused on reverse engineering the various components of the Trojan. This presentation will instead concentrate on the forensic attributes of TDSS activity to assist the analyst in identifying its presence on an image or on the network. Topics covered will include an overview of the malware including analysis of the pagefile.sys, unallocated space, applicable live memory forensics techniques as well as malicious activity from affiliate programs. Emphasis will be placed on the recent TDL-4 variant.

Tim Slaybaugh
US-CERT, US
[ES] Securing the Internet Inter-Domain Routing System using Origin Validation and the RPKI

BGP prefix hijacking is a well-known weak spot in the Internet's global routing system. An attacker who is able to successfully hijack a route prefix could, for example, re-direct large amounts of traffic to his own systems, where he could perform packet sniffing or manipulation. A hijacked prefix could also allow a phisher to present authentic-looking URLs to his/her victims by redirecting traffic from the correct web server to his own compromised ones.

The ability to tweak the Internet's routing system to his/her own advantage could present an attacker with novel and very interesting tools to bypass current security mechanisms and entrenched user best-practices.

The main goal of the Resource Certification Public Key Infrastructure is to improve the general security and stability of the global routing system. The RPKI allows legitimate resource holders to create digital certificates and other cryptographic proofs of routing policy that can be verified up to a trust anchor. Validating routers can use these proofs in order to assign validity properties to BGP UPDATES, thus allowing router operators to apply policy decisions to routes according to the validity of said proofs.

This presentation starts with a description of the general guidelines for Internet number resources management followed by a high level description of the current system of Internet Registries and the global routing system and the security problems it currently presents.

Some security aspects of the routing system that require improvements will also be described. The Resource Public Key Infrastructure will also be described at a high level, showing how it will mitigate the risks associated with these aspects by allowing rightful owners to assert their usage rights over Internet resources.

Some well known and well publicized cases of route and traffic hijacking will be presented since they provide one of the main drivers behind RPKI.

Finally, the current state of the project, from both the IETF's and the RIRs' point of view, will be described, along with the currently planned project roadmap and some statistics gathered by the RIRs after one and a half years of production operation.

Since the RPKI is currently scheduled for a Jan 1 2011 production release by LACNIC and the other RIRs with the sole exception of ARIN, the presentation will also include results and experiences from the first 6 months of operation.

Carlos Martinez-Cagnazzo
LACNIC, ES
[FI] CSIRTs are to Product Security as Ferries are to Islands

This presentation is composed jointly by CERT-FI and Ericsson PSIRT under the conference theme "Security is not an island". The presentation outlines practical cases where a national CSIRT and a vendor can work effectively together to solve security problems with a potential to have a negative impact on third parties.

One often hears claims that cooperation between government authorities and commercial organizations cannot and does not work. The presenters argue that cooperation is not only possible but yields fruitful results. CERT-FI and Ericsson PSIRT have a long history of working together on a variety of product security cases and share information on a regular basis.

The presentation first gives a brief background on both organizations' approach to PPP and then proceeds to show practical examples of cases involving bilateral or multilateral cooperation. Lastly, the presentation summarizes the benefits of such cooperation in terms of lessons learned and shares some proven hints and tips for the audience on how to realize something similar in other countries.

What works in Finland, should work anywhere else. Or is Finland after all an island where we have been lucky enough to find ourselves stranded together?

Erka Koivunen
CERT-FI, FI
Anu Puhakainen
Ericsson, FI
1600-1630
[DK] Stepping into the Carberp crimekit and reshipping business

This presentation will provide technical insight into the crimekit and outfit known as Carberp.

In late 2010 Denmark was hit with a malvertising attack launched from a popular news website. Within a short time approx. 10,000 PCs were infected through a client-side drive-by attack.

Soon afterwards we got reports about luxury goods being bought in eCommerce stores around the country using stolen credit cards. The goods were being reshipped through a package mule network.

We decided to team up with a few of the reshippers and planted a GPS transponder in some of the packages. This took us from Denmark to Poland, into Ukraine and finally to Moscow.

This is the story told by the reshippers and CSIS and Danish National television driving to Poland and Ukraine to get insight into how this scam is established.

Peter Kruse
CSIS Security Group, DK
[FR] Phisherman's foes

Our team has fought phishing for nearly ten years. Thanks to our clients' and partners' data, and a recent not-for-profit public phishing reporting platform, www.phishing-initiative.com, we believe we now have a nearly complete vision of the phishing landscape in France. We indeed took action against more than 15,000 different attacks conducted in 2011. Our review of phishing attacks at the scale of a country such as France points out how specific local phishing trends can be compared to large-scale phishing trend analyses, and highlights the importance of specific (regional, linguistic, etc.) phishing reporting platforms to better assess these trends.

French companies have been targeted by a handful of groups of phishers originating mainly from one of France's historical colonies, Morocco. In recent years, banks have adopted more and more efficient countermeasures, whether on a global scale, i.e. phishing blacklists, or on a local scale, i.e. how the organisations defend themselves. We have thus observed various phishing techniques which recently (re-)surfaced, indicating that phishers are making efforts to delay detection and takedown of the fraudulent websites. These techniques include:
- blacklisting of antiphishing organizations,
- access restricted by geolocalisation,
- increase in email-attached phishing forms,
- theft of credit-card details through scam pages (fake surveys, fake e-commerce/e-service websites),
- text-free phishing pages and emails,
- real-time validation of phished credentials,
- etc.

Phishers have also shifted their targets as they have been intensifying their attacks against French non-banking entities with success. France is not the only country where phishers are testing new strategies, as some man-in-the-middle phishing websites have been spotted in other countries.

Our observations of these groups show that years of experience without being threatened by local law enforcement have unfortunately allowed these phishers to increase their skills and move to using banking malware or code obfuscation.

After presenting trends in the techniques used by the bad guys, we compare the use of reactive vs. proactive detection techniques, such as email reporting by victims vs. log monitoring, and show how strategic the latter are. It is our belief that, although already publicly documented, advanced log monitoring techniques are not well known in the cybercrime community. Also, given the variety and highly evolving trends of phishing attacks, a combination of phishing detection systems is shown to be more effective.

We provide data on phishing impacts, measured both directly from compromised websites and indirectly from log monitoring. Issues related to antiphishing are also discussed: takedown ROI, discrepancies in data exchange laws, connecting cases to reach the "prosecution threshold".

We finally focus on some promising phishing detection and mitigation techniques through domain-based email authentication or reputation protocols (i.e. DMARC ARFR feed, DNS RPZ, VBR) and the commercial initiatives trying to leverage them.

Jean-Michel Doan
Vincent Hinderer
LEXSI, FR
[US] Putting Adobe on the MAPP with Microsoft

In 2008 and 2009, the number of exploits targeting Adobe products grew considerably. In addition to working to secure the targeted applications, the Adobe Secure Software Engineering Team (ASSET) investigated how to leverage the broader security community to help protect customers with more effective layers of defense. Adobe proposed sending detailed technical information describing Adobe product vulnerabilities via the Microsoft Active Protections Program (MAPP) to protection providers. Two giant software companies, competing head-to-head in some areas, agreeing to cooperate and help secure their mutual customers? It sounded just crazy enough to work. Since the fall of 2010, Microsoft and Adobe have worked together to provide information describing vulnerabilities in Adobe products to MAPP participants. Today, 84 security firms from around the world are participating in MAPP, providing protections for hundreds of millions of customers. This talk will discuss how the Adobe/Microsoft collaboration came to be, how Adobe and Microsoft currently work together to provide vulnerability guidance, and how this effort has helped MAPP partners improve protections for customers globally.

David Lenoe
Adobe Systems, US
Maarten van Horenbeeck
Microsoft Corporation, US
1630-1700
[BR] Pinkslipbot: A deep look at how malicious code adapts and evolves

Pinkslipbot is a malware family originally created to steal personal and financial data from infected machines, and to provide complete control of the target machine through a back door. Initial versions of Pinkslipbot appeared around 2007, but only in recent years has the malware started to become more successful, due to improved spread methods and the fact that it started to target corporate networks. It was at this point that Pinkslipbot caught the attention of the media.

In this presentation, we will analyze the historical data about Pinkslipbot outbreaks and look at what has changed between each version — in order to understand the modus operandi of its authors and what we may expect in future variants. This data will include an in depth look at the modus operandi of the malware authors during the most recent outbreak, to show how the malicious code is changed and adapted to counter actions by the Antivirus industry.

We shall focus on specific features of Pinkslipbot that may be of use to both antivirus research as well as to enterprise and law enforcement entities trying to understand this threat.

Guilherme Venere
McAfee, BR
[US] Social Engineering: I Just Hacked You

Social engineering is starting to become a topic of great scrutiny. People are realizing that technology and policy are only providing a small portion of the risk mitigation they were promised.

For every dollar spent on technology, a simple phone call or email can circumvent millions of dollars in protective, proactive, and preventative controls. Worse, if done successfully, the company in question may not know it has been compromised.

This presentation will cover the basics of social engineering and extend into techniques you can use and how to defend against those techniques in your own environment.

Foundations:
What is Social Engineering
How or why does social engineering work?
Steps to social engineering
1) Recon
2) Preloading
3) Pretexting
4) Interactive (In Person/Over the phone)
5) Delayed interactive (Email)
6) Non interactive (drops/USB's/Phishing)
7) Execution
8) Cake (maybe it's a lie)

Individual skills:
NLP Eye Access Cues
Acting
Question Overloading
Eliciting confusion
Authority claiming
Identification of Authority
Pattern Interrupts
Physical Stressors (Micro Expressions / Subtle Expressions / Limbic Responses)
Logical Confusion
Rapport

Influence Techniques:
Sympathetic Exploits (empathy)
Hostile Exploits (anger / fear)
Obligation
Reciprocation
Liking
Concession
Consistency
Framing
Consensus
Value Systems
Prioritization
Scarcity

Psychology:
How the brain works
Time splitting
Left Brain / Right Brain
Short term behavior modification
Long term behavior modification

This could either be a 3-hour intense session or I could trim down some of the content to be more core-critical, depending on the needs of the conference.

William Tarkington
Independent Consultant, US
[PL] CERT coaching in (own) practice - case studies and roads into the future

Coaching means support in reaching specific goals and results. In CERT context, coaching of a new or relatively inexperienced team can be performed by a more experienced partner (another team or an individual) and it can extend from the stage of establishing a new team to reaching certain operational capabilities. While there is an increasing number of training programs available for CERT teams and their members, individual coaching seems to be unpopular, most likely due to the fact that it requires relatively high costs in money and resources. However, once the resources can be allocated, the “return on investment” should be unparalleled.

Between 2007 and 2009 CERT Polska ran a project with the Central and Eastern European Networking Association (www.ceenet.org), with the ambitious goal of building a network of operational CERTs in countries associated with that organization, particularly in the Caucasus and Silk Road regions, as well as some other countries of the former USSR and the Balkan States. The project involved coaching and mentorship which should result in new teams joining FIRST and becoming accredited by Trusted Introducer. The project was called CLOSER, and while it was not entirely successful, it yielded some success stories as well as valuable lessons learned.

The presentation will briefly cover the CLOSER project, its virtues and shortcomings, as well as stories of some of the coached CERTs from the perspective of two years after completion of the project. I will also discuss possible goals that can be achieved in similar projects, their metrics, and incentives for all involved parties.

Przemek Jaroszewski
CERT Polska/NASK
1730-2000 FIRST CFO Budget Presentation
Grandmaster Suite - Level 6 Conference Center

Not mandatory. FIRST members and non-members are welcome to sit in on this presentation.


Tuesday, 19 June 2012

0800-1600 Registration & Morning Coffee/Tea Service
Park Congress Prefunction, Ground Floor
0930-0945
[UK] Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
SVP, Citi, UK
0945-1045
[EU] Plenary: CERT-EU Presentation
Grandmaster Suite - Level 6 Conference Center
Freddie Dezeure
Team Leader, CERT-EU
1045-1115 Coffee & Networking Break
TBD
1115-1200
[NL] Plenary: The DigiNotar Crisis: from incident response to crisis coordination

In this presentation Aart Jochem will give behind-the-scenes insights into handling the DigiNotar incident, from hack to national crisis. What happened, how did this impact our operations and which lessons can be learned?

DigiNotar was an important certificate service provider for the Dutch governmental PKIOverheid. The report of a fraudulent certificate issued by DigiNotar came as a bombshell to GOVCERT.NL. The seriousness of the situation was clear immediately, though the real impact on Dutch society became apparent later that week. Aart will present the chain of events which led from the report from CERT Bund to the management takeover of DigiNotar by the government.

Grandmaster Suite - Level 6 Conference Center
Aart Jochem
Manager Security Team, GOVCERT.NL, NL
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
Breakout tracks: Deep Technical Dives (room TBD), Technical Foundations (room TBD), Policy & Management (room TBD)
1330-1400
[US] Advances in Passive DNS Replication

In 2005, Florian Weimer introduced the world to Passive DNS Replication at FIRST. In 2007, ISC took up the challenge of implementing a production system and scaling and improving upon it. ISC has written and published a technical paper about his advances in design and operation of the open-source sensor and collection infrastructure and has built a scalable database used by many in the operational security community. Eric will present the technology used in the project and discuss lessons learned.

Eric Ziegast
Internet Systems Consortium (ISC), US
[US] Injecting APT Response Into Your CSIRT Processes

Nearly all major organizations have established Computer Security Incident Response Teams (CSIRT) and incident response (IR) processes to respond to cyber security events that affect their infrastructure. In general, the phases of CSIRT response include detection, verification, containment, mitigation, recovery, and post-event analysis. The objective, typically, is to return to normal business operations as quickly as possible. What many enterprises may not have, however, is the capability to respond to and investigate Advanced Persistent Threats (APT).

APT attacks are sophisticated cyber attacks against a carefully selected target, or even an industry sector, in which attackers infiltrate the target with the objective of stealing intellectual property or other information. Upon successful infiltration, attackers will establish persistent access to the enterprise through elevating privileges and will move laterally throughout the company until they find the data they are after. These types of attacks are generally well-funded, and attackers are not likely to walk away from the target until their objective has been achieved.

Because of the differences in attack methodologies and targeted attacks, the response to these attacks requires a different approach. Legal and regulatory issues may force you to have different response processes, and because of the nature of the attack, having a better grasp on what happened, how it happened, and what was taken will be important questions to answer.

This paper looks at the types of things that might come up in the detection phase of IR that could represent APT. It introduces new phases (observation, eviction, and disclosure) and how each plays a role unique to APT response.

Jeff Boerio
Intel Corporation, US
[CH] Botnet Free Switzerland

Becoming a botnet-free country is an unachievable goal. Nevertheless, this headline was chosen to coordinate different national initiatives by Swiss ISPs, CERTs, the .ch registry and security researchers against malware.

The cooperation started in 2011 when we met to discuss measures against botnets and found out that most ISPs and the registry already support their customers when they are infected with malware or their website is abused for drive-by infections. Measures that are already in place include the notification of affected DSL-line subscribers and domain owners and supporting them with the removal of malware and/or drive-by code. But they go as far as turning off DSL lines or removing second-level domains from the DNS. We all agreed that a cooperation would be much more effective in removing malware and preventing new malware infections in Switzerland.

There are currently different activities, from informal meetings to discuss best practices to the discussion of an official anti-botnet initiative like the German anti-botnet initiative or the Japanese Cyber Clean Center. We don't know yet the formal way of cooperation, but we want to present the challenge and results of our cooperation as well as the individual measures we already have in place to prevent infections via drive-by on .ch websites and to remove malware from infected PCs in Switzerland.

Michael Hausding
SWITCH-CERT, CH
Philipp Rütsche
Swisscom, CH
1400-1430
[US] Anomaly Detection Through DNS Correlation

DNS, like security, is not an island and it respects no borders. It is a morass. The Domain Naming System is one of the critical core infrastructure protocols upon which the entire Internet depends, yet it is often ignored, particularly on the client side of the house. In recent years, we've seen cache poisoning attacks and resource amplification attacks. Operation Ghost Click involved redirecting DNS clients through DNSChanger malware. Much of this could have been detected through DNS monitoring. On the other hand, Operation Aurora was uncovered through datamining detailed DNS logs and DNS forensics has been mentioned in more than one study.

A lot can be gleaned from datamining DNS traffic alone, if the facilities have been set up for it in advance. Even more can be acquired by correlating DNS activity with other network activity or lack thereof. The challenge is in establishing and maintaining baselines against which anomalies stand out.

This talk will look at several areas where behavioral anomalies may be detected by monitoring DNS traffic and correlating it with expected behavior and against other expected network traffic. These anomalies can often unveil classes of malicious activities and intrusions before other techniques have a chance to catch them. This will also cover managing the baseline to improve the signal-to-noise ratio that inherently plagues anomaly detection methodologies.

Michael Warfield
IBM Corporation, US
[US] Combating APTs with NetFlow

From WikiLeaks to Anonymous and LulzSec, 2011 has been marked by an explosion of high-profile cyber attacks. This steady stream of directed attacks is expected to continue, if not increase, in 2012. Due to the extreme motivation behind today’s attacks, technologies that are designed to block them at the perimeter, or use signatures to detect malware, are no longer enough to protect corporate and government networks. Attendees will learn how leveraging NetFlow (and other flow data) can provide the end-to-end visibility and situational awareness required to protect them from the full spectrum of threats facing today’s enterprises. Having a complete picture of everything happening on the network makes it easier for IT administrators to investigate and mitigate anomalous behaviors that could signify APTs. By collecting and analyzing flow data inherent in their network infrastructure, organizations can seamlessly and cost-effectively create an always-on sensor grid for proactively detecting and thwarting advanced attacks that bypass external defenses.

Adam Powers
Lancope, Inc.
[US] Remediation of Malware at the Country Level: A Case Study [+]

In my talk at FIRST 2011, I detailed remediation efforts associated with takedowns of the Waledac and Rustock botnets. I talked about the partnership with ISPs that enabled this and the tactics being utilized to share data and tools to better target infected machines. I also raised a challenge... for a CERT to work towards the eradication of malware in their country. I had several CERTs approach me to discuss this type of work. In this talk, I will detail the work we have undertaken, the protocol by which we propose such work to be effective, as well as challenges and progress to date.

Jeff Williams
Microsoft Corporation, US
1430-1500
[US] Kick the SIEM to the curb - one CSIRT's journey in and out [+]

On startup of a new enterprise CSIRT, the advice given is often to purchase a very expensive SIEM solution. We will talk about our multi-year experience with SIEMs, what works (and doesn't), and tell the story of how we moved away from a SIEM solution.

Gavin Reid
David Schwartzburg

Cisco Systems, US
[US] Incident response in large complex business environments [+]

Incident response in a large environment hosting multiple businesses such as mail, retail, online advertising, digital media and news can be a complex and arduous task.

During this presentation the audience will be guided through the process that allows an incident response team to successfully deal with issues that cross all of these sometimes disparate business lines. The presenters will discuss the tools and processes used, and the role that open source intelligence and counter-intelligence play in a successful incident response process.

The presenters will also discuss two real incidents (one fraud case/one application security issue) during the presentation that will allow the audience to see the process, procedures and tools discussed in action during the incident response process.

Ramses Martinez
Ismail Guneydas

Yahoo!, US
[FR] Project MARS [+]

Will be updated soon.

Jean-Christophe Le Toquin
Microsoft Corporation, FR
1500-1530 Coffee & Networking Break
TBD
1530-1600
[BR] Cryptanalysis of malware encrypted output files [+]

The objective of this 45-minute presentation is to show how we decrypted and accessed the contents of the files generated by three different malware samples, specially designed to steal sensitive information from a very particular environment belonging to a client. The activities were performed based only on the encrypted files and the malware binaries, since we did not have access to the live systems and the specific hardware employed by them. Despite this restriction, we were able to shorten the amount of time spent on dynamic and static analysis, thanks to the strategy and cryptanalytic techniques that we employed.

This talk will cover the following topics: introduction; detection of weak cryptosystems; description and cryptanalysis of classic algorithms; review of block ciphers; review of DES and 3-DES; identification of the possible encryption mechanisms employed by the malware; deciding what to look for; confirmation of the algorithm used; searching the key within the malware code; searching the key within main memory; finding the key; decrypting the files; worst scenario.

Nelson Uto
CPqD, BR
[EU] Operation Black Tulip: Certificate authorities lose authority [+]

The DigiNotar attack calls into question the foundations of secure communications and the role of some important players in the security industry (the CAs).

This talk will discuss ENISA's (recently published) analysis of the DigiNotar case, and the issues with HTTPS at large. Topics include: the security of HTTPS (Blaze's Spy in the Middle), the relation with the existing security legislation for telcos (Article 13), whether and how to enforce incident reporting and minimum security measures for critical service providers, how to quickly shore up weaknesses and flaws in HTTPS, whether and how to overhaul the HTTPS scheme, who or what could be new trust anchors, et cetera.

This talk should provide for a discussion with the audience rather than present one particular proposal for solving the problems.

Marnix Dekker
ENISA, EU
[IT] DNS-CERT: vision and reality for delivering a secure and healthy naming service [+]

The Domain Name System (DNS) is recognized as one of the most critical services in the Internet infrastructure and today plays an important role in society and in the daily life of citizens. DNS is an interconnected and interdependent infrastructure. Any significant DNS disruption or malfunction seriously affects the correct functioning of all Internet components, including web applications, service-oriented systems, cloud infrastructures and distributed applications more generally. Several of the so-called Critical Infrastructures, such as energy grids and transportation systems, also rely on DNS services today. DNS security requires a trusted body for all parties involved to address security incidents; hence the need for a DNS-CERT. Such an idea was first presented by ICANN in 2010, in its "April 2010 DNS-CERT Operational Requirements & Collaboration Analysis". That report underlined the need for a DNS-CERT and identified 10 requirements such a structure should satisfy. However, after this initiative the theme of DNS-CERT seems to have been abandoned by the community, mainly because the current CERT model does not easily apply to the DNS ecosystem. In this speech, starting from the early results of the ICANN and DNS-OARC efforts in designing a DNS-CERT, taking into account the comments raised by the DNS community on this matter, and considering the peculiar, totally distributed and weakly regulated nature of the DNS, we propose a new distributed and hierarchical CERT model, tailored to the needs of the DNS community and based on coordination and cooperation capabilities, exercises and a close working relationship between all DNS actors.

Andrea Rigoni
Global Cyber Security Center, IT
1600-1630
[MY] Engineering National Cyber Drill Artifacts [+]

A cyber security drill is a simulation of a cyberspace attack on ICT infrastructure. In Malaysia, XMAYA is a national cyber security drill covering the critical national information infrastructure (CNII) sectors, conducted annually and running since 2008. The XMAYA cyber security drill uses a practical and hands-on concept for its artifacts. It is intended to evaluate the readiness of the CNII in handling a cyber attack. One of the many objectives of a cyber security drill is to create awareness among CNII personnel of the possibility of cyber attacks and the severity of their outcomes. Creating a scenario, and artifacts related to it, is therefore crucial. The scenario and artifacts need to closely represent a real attack environment. Many considerations have to be carefully evaluated when designing and engineering the scenario and the artifacts. In this presentation, the presenter will share his experiences and lessons learned in designing scenarios and artifacts for a national cyber security drill after four years of running it.

Mahmud Ab Rahman
CyberSecurity Malaysia (MyCERT), MY
[US] Engineering Solutions for Incident Investigations and Detection [+]

Security threats have grown from network annoyances to attacks on your sensitive infrastructure. Evidence indicates that security threats are growing more sophisticated and aimed at embedded deployment. This presentation will share Cisco CSIRT's evolving architecture for addressing sophisticated, embedded threats.

Topics will describe how CSIRT has evolved its network infrastructure over the past 10 years, and will give detailed architectural examples and guidance regarding their multi-petabyte global deployments of:
* Log/event collection of syslog, DNS, web proxy logs, ModSecurity logs
* NetFlow collection
* Host and user attribution techniques (using DHCP, NAT, VPN logs to identify users)

It will also include a description of how CSIRT Engineering is integrating the following solutions into their global deployment:
* Nascent APT detection using precursors
* Challenges and solutions for multiple filtered detection using SPANs and taps (IDS, DNS collection, web proxy, DLP)
* Data loss protection (DLP)
* Rapid operationalization of collaborative, commercial, and home-grown intelligence
* Pulling this all together in a free-form custom SIEM.
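Host and user attribution is the step that turns a bare IP address in an alert into a machine and a person, and the abstract's list of sources (DHCP, NAT, VPN) is exactly the chain that has to be walked. The Python below is an added example, not Cisco CSIRT's code: it indexes a constructed event stream in a made-up pipe-separated format, reverses a NAT translation to the inside socket, resolves a VPN pool address to a user, and resolves a DHCP address to the lease current at that instant, refusing to guess when the lease had already expired, because address reuse is the classic way attribution goes wrong.

```python
"""Host and user attribution from DHCP, NAT and VPN logs (added example, not
Cisco CSIRT's code). Given an address seen in an alert and the time it was
seen, walk back to the machine and person behind it."""
from datetime import datetime, timedelta

# Line format assumed for this example, one event per line, '|'-separated:
#   ts|DHCPACK|ip|mac|hostname|lease_seconds
#   ts|NAT|inside_ip|inside_port|outside_ip|outside_port|duration_seconds
#   ts|VPN_CONNECT|user|assigned_ip   /   ts|VPN_DISCONNECT|user|assigned_ip


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


class AttributionIndex:
    def __init__(self, lines):
        self.leases = []   # (start, end, ip, mac, hostname)
        self.nat = []      # (start, end, outside_ip, outside_port, inside_ip, inside_port)
        self.vpn = {}      # (user, ip) -> [start, end or None]
        for line in lines:
            f = line.strip().split("|")
            when, kind = ts(f[0]), f[1]
            if kind == "DHCPACK":
                self.leases.append((when, when + timedelta(seconds=int(f[5])), f[2], f[3], f[4]))
            elif kind == "NAT":
                self.nat.append((when, when + timedelta(seconds=int(f[6])),
                                 f[4], int(f[5]), f[2], int(f[3])))
            elif kind == "VPN_CONNECT":
                self.vpn[(f[2], f[3])] = [when, None]
            elif kind == "VPN_DISCONNECT" and (f[2], f[3]) in self.vpn:
                self.vpn[(f[2], f[3])][1] = when

    def inside_address(self, outside_ip, outside_port, when):
        """Reverse the NAT translation: which inside socket owned this outside tuple?"""
        for start, end, o_ip, o_port, i_ip, i_port in self.nat:
            if (o_ip, o_port) == (outside_ip, outside_port) and start <= when < end:
                return i_ip, i_port
        return None

    def who(self, ip, when):
        """Attribute an inside IP at a point in time. VPN pool addresses map to a
        user; DHCP addresses map to a MAC/hostname, but only while the lease that
        was current at `when` is still valid: addresses get reused."""
        for (user, vip), (start, end) in self.vpn.items():
            if vip == ip and start <= when and (end is None or when < end):
                return {"ip": ip, "source": "vpn", "user": user}
        prior = [l for l in self.leases if l[2] == ip and l[0] <= when]
        if not prior:
            return {"ip": ip, "source": None, "reason": "no lease or session on record"}
        start, end, _, mac, host = max(prior, key=lambda l: l[0])
        if when >= end:
            return {"ip": ip, "source": None,
                    "reason": f"lease to {host} expired at {end:%H:%M}; attribution unreliable"}
        return {"ip": ip, "source": "dhcp", "mac": mac, "hostname": host,
                "lease": (start, end)}


def attribute_external(index, outside_ip, outside_port, when):
    """Full chain for an alert that saw only the post-NAT address and port."""
    inside = index.inside_address(outside_ip, outside_port, when)
    if inside is None:
        return {"source": None, "reason": "no NAT translation covers this time"}
    result = index.who(inside[0], when)
    result["inside"] = inside
    return result


# Constructed sample log (not from any real device):
SAMPLE_LOG = """\
2012-06-18T09:00:00Z|DHCPACK|10.2.3.4|00:11:22:33:44:55|alice-laptop|3600
2012-06-18T09:31:02Z|NAT|10.2.3.4|51234|192.0.2.10|40001|120
2012-06-18T10:00:00Z|VPN_CONNECT|carol|10.9.0.5
2012-06-18T10:30:00Z|VPN_DISCONNECT|carol|10.9.0.5
2012-06-18T11:00:00Z|DHCPACK|10.2.3.4|66:77:88:99:aa:bb|bob-desktop|3600
""".splitlines()

if __name__ == "__main__":
    idx = AttributionIndex(SAMPLE_LOG)
    print(attribute_external(idx, "192.0.2.10", 40001, ts("2012-06-18T09:31:30Z")))
    print(idx.who("10.2.3.4", ts("2012-06-18T11:30:00Z")))
```

Note that the same address, 10.2.3.4, attributes to two different machines an hour apart, and to nobody in the gap between the two leases; an attribution pipeline that ignores lease expiry will confidently name the wrong owner. Clock skew between the NAT device, the DHCP server and the sensor is the other practical hazard, and is why the time window, not a single timestamp, is what gets joined.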

Martin Nystrom
Cisco Systems, US
[US] Cross-Organizational Incident Handling: An evolved process model for improved collaboration [+]

Most commonly adopted models for cybersecurity incident handling can trace their origins back to a model developed over 20 years ago, in a very different climate than the one incident response and security teams operate in today. That model focuses on a linear approach to identifying, containing and remediating incidents in your own local environment first, and sharing information with others after the fact.

Modern threats consistently cut across national, organizational and sector boundaries, requiring coordinated collaboration on the part of any network defense operation that hopes to be truly successful. Modern networks can also present "information overload" problems for watch standers, analysis teams and decision makers, presenting additional challenges for identification, escalation and follow-through whenever significant incidents arise.

US-CERT is developing a coordinated model for cybersecurity incident management to improve cooperative operations, shape the adoption of standards for incident data exchange, and streamline the flow of necessary information to the right participants at the right time throughout the cycles of identification and response. This is an opportunity for the FIRST community to learn about the progress of our efforts, provide feedback on the model and pursue avenues for future collaboration.

Thomas Millar
US-CERT, US
1630-1700
[ES] Journey into Android Malware [+]

Android on mobile smartphones is rapidly becoming the dominant platform, with thousands of daily activations, millions of users worldwide and dozens of devices to choose from, making it the perfect target for cybercriminals. Simple viruses started appearing in 2010, but it was in 2011 that infections skyrocketed, with new viruses appearing every month.

This talk presents the results of research on Android malware, focusing on infection vectors (the why and how) and case studies of real viruses, from simple ones that send SMS messages to sophisticated malware that makes use of botnets, exploits, encryption, covert channels and more. We will also cover the research methodology and tools of the trade so that others can perform their own research on the topic.

In short, a technical voyage into the Android malware chronicles.

Simon Roses
www.simonrose.com, ES
[QA] National Disinfection Case Study [+]

Every country is a special case when it comes to fighting malware and planning disinfection. In my presentation I will explain the procedures we are applying in Qatar to fight malware at the national level in cooperation with ISPs, and how we can use this system to contact the public everywhere, at home and in corporate and governmental entities, to disinfect their machines from malware. Furthermore, we will go through a demonstration of how to use this system for a major incident and of how we optimize our malware disinfection life cycle.

Mounir Kamal
QCERT, QA
[US] Sharing Crime Data Across International Frontiers [+]

Patrick Cain
APWG, US
1800-2000 Vendor Showcase
TBD

An evening to network with our conference sponsors, exhibitors and your peers (with beer and appetizers of course!)

 

Wednesday, 20 June 2012

0830-1600 Registration & Morning Coffee/Tea Service with Exhibits
TBD
0930-0945
[UK] Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
SVP, Citi, UK
0945-1045
[NATO] Keynote Presentation
Grandmaster Suite - Level 6 Conference Center
Suleyman Anil
Head, Cyber Defense, NATO
1045-1115 Coffee & Networking Break with Exhibits
TBD
1115-1200
[US] Evolution of white-hat versus botnet takedown interaction [+]

Eric Ziegast will present an evolution of white-hat versus botnet takedown interaction and how the working group model is forming to proactively work with law enforcement to go after criminal operators. He will discuss past failures, current failures, and recent successes.

Grandmaster Suite - Level 6 Conference Center
Eric Ziegast
SIE Programme Manager, Internet Systems Consortium, US
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
BREAKOUTS DEEP TECHNICAL DIVES

TBD
TECHNICAL FOUNDATIONS

TBD
POLICY & MANAGEMENT

TBD
1330-1415
[US] The Rise of the Machines: Targeted attacks and information warfare after Stuxnet [+]

"Machines have won the war and the human race is destined to become little more than house pets" - Steve Wozniak

Stuxnet was the first known malicious code to demonstrate how ICS systems can be controlled, and what can be done when you have the resources and the desire to attack a specific target, be it a nation state or a high-profile company. While the world was still recovering from this finding, Duqu came and showed that this type of activity has been happening for quite some time, not only focused on Stuxnet's targets but more widely spread as a general tool for cyber espionage and information warfare, blended with zero-day kernel vulnerabilities. In this presentation we'll look at the current state of targeted attacks, the characteristics behind Stuxnet and Duqu, and what we can learn from them to try to protect our companies from such attacks. We will also look at ICS (Industrial Control Systems) incidents and attacks, and point out certain danger zones of the past and the near future.

Peter Szor
McAfee, US
[NO] NorCERT incident handling of targeted attacks [+]

This presentation will cover some of the incidents NSM NorCERT has handled the last couple of years, where we have seen several sophisticated attacks from what appears to be advanced threat actors targeting Norwegian interests. We have chosen to go public about this to create awareness.

Most of the attacks start out as spear phishing e-mails sent to employees of the targeted company. Many of these come from spoofed company e-mail addresses, or seemingly from individuals working for the company or for a business partner. The threat actor behind the attacks often sends the e-mails through Yahoo, Hotmail or Gmail accounts, or from a compromised account within the organization.

The subject of the e-mails could be related to a company project or be of particular interest to the recipients. Some of these attacks have occurred when the companies are in the middle of buyouts or in a contract negotiation process.

The spear phishing e-mails often contain malicious attachments, such as .PDF, .XLS, .DOC, .WRI or .CHM files with exploits for software vulnerabilities. The e-mails could also contain a URL linking to such files, or to a web site containing exploits for the browser or browser add-ons.

NSM NorCERT has also seen low-tech social engineering attacks, where the e-mails just contain trojans within .ZIP or .RAR files, or often just a URL linking to such files. Either way, the end user is convinced to open these files and thereby compromises their system.

Once the malicious attachments or links have been executed successfully, new malware is downloaded to the compromised computer and the threat actors may be inside the network, setting up a stronger foothold.

The malware used in the attacks might go undetected by anti-virus engines for months. Many IPS/IDS and web proxies have no detection for the beaconing and backdoor traffic that these types of malware use.

Often these types of attacks are spotted by user awareness when receiving e-mail attachment or users complaining about suspicious behavior. System administrators may detect a compromise by anomalies such as the creation of new user accounts and privilege escalations. NSM NorCERT has detected several attacks in our nation-wide early warning system (VDI), which is a private-public partnership where member-organizations which are part of Norway’s critical infrastructure have installed VDI-specific IDS sensors.

Marie Moe
Eldar Lillevik

NorCERT, NO
[EU] Legal challenges to information sharing of national/governmental CERTs in Europe [+]

CERTs play an important role in helping to mitigate the impacts of cyber attacks and data provided by CERTs may also help industry and government to better understand threat patterns and attack trends, thereby improving the application of preventative measures and reducing the scope for future attacks. In order to mitigate the impact of cyber attacks, responses may require extensive cross-border coordination between CERTs, especially national/governmental CERTs, which are a particular type of CERT playing an important role at a national level in supporting such cross-border coordination. This coordination can include the sharing of certain types of data, in real time, concerning the source or destination of attacks (usually IP addresses) or log files of suspicious types of Internet traffic. Usually CERT cooperation and sharing takes place informally on the basis of trustful relationships.

Nonetheless, the complexity of the legal factors surrounding this cross-border collaboration can present issues and complicate the delicate balancing act that CERTs have to perform between their role in contributing to a better understanding of the state of cyber security and protecting the rights and obligations provided for by certain legal and regulatory frameworks.

In this presentation we will focus on the ENISA’s study into the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe. Some of the legal and regulatory factors identified in the study will be presented, such as definitions and criminal sanctions concerning different types of computer and network misuse, the European legal framework governing data protection and privacy, and mandate and competences of the CERTs.

We will also look at some of the existing initiatives to overcome the legal challenges, and at some of the recommendations proposed in the study to further improve the work of CERTs, such as identifying ways to support operational coordination between CERTs, disseminating Declared Level of Service templates, ensuring that EU-level legislation takes account of the scope of national/governmental CERTs, and articulating why CERTs need to process personal data.

Silvia Portesi
ENISA, EU
1415-1500
[US] Cyber Crime & APT Hands On [+]

This training is intended to educate attendees on current threats affecting most organizations. The hands-on training has participants build, deploy and operate current crimeware as well as deploy targeted attacks that leverage advanced persistent threat (APT) software in a safe and controlled environment. By seeing and operating the tools used by malicious actors, computer network defenders will have a greater understanding of the threats and can brainstorm on how to combat these subtle intrusions. The training can be attended by those without a great deal of experience in incident handling as well as by those with more experience; the content, in addition to the mix of attendees, will provide a great learning opportunity for all those involved.

Jeffrey Brown
Cory Mazzola
US-CERT, US
[US] Post-Intrusion Problems: Pivot, Persist and Property [+]

For years, post-intrusion forensics has been a poorly codified field. While significant research has gone into exploitation and network intrusion, it's traditionally been difficult to home in on the various motivations of attackers. Consequently, accurate prediction of post-intrusion activities has been problematic. The hacker as "mythical unicorn" has been difficult to track. The hacker as state-sponsored agent of espionage and cyberwar, however, is an entirely different beast.

We always thought we had a hacking problem. Only recently, however, have we started to divide our attackers into classes more useful than 'script kiddie' and 'hacker'. It has become glaringly obvious that the true distinctions lie in motivation. In the post-Aurora world, disclosure of intrusions has become increasingly commonplace. Recent high-profile intrusions have involved theft of CA certificates, key material, and the communications of dissidents and political figures. Rather than viewing these intrusions as 'hacking', they can more usefully be discussed as 'electronic espionage'.

We see post-intrusion forensics as counter-espionage anti-tradecraft. In order to perform a proper counter-espionage forensic examination, you must understand your adversary’s motivations & goals. By identifying goals, you can then identify the actions and targets required to achieve these goals, and focus your investigation on the collection and analysis of these artifacts. We identify and examine these artifacts at three stages of post-intrusion espionage: Pivoting (moving through the network), Persistence (maintaining access), and Property (destruction or theft) attacks. Adopting such a methodology will prove an enabler for not only increased forensic capability, but also in providing a foundation for aggressive defense.

Cory Altheide
Morgan Marquis-Boire

Google, US
[US] The Laws of Large Numbers and The Impact on IT Security [+]

World markets gyrate seemingly almost daily with 100 point swings barely worth a mention. Yet, as these high level indicators try to hint at the overall direction of the economy, a number of other data points can show a more detailed picture of where we're headed. From an IT Security perspective, much can be gleaned from this including the impact on vendors, budgets and of course, attackers. Peter Kuper's presentation distills the macro-economic data right down to how it impacts the IT security professional role as well as offer some perspectives on ways to engage successfully in the current environment.

Peter Kuper
In-Q-Tel, US
1500-1530 Coffee & Networking Break with Exhibits
TBD
1530-1700 Lightning Talks
Grandmaster Suite - Level 6 Conference Center
Sign-up sheets will be available at the registration desk. 5-minute rotations. No sales presentations.
1900-2400 Conference Banquet
Location & event details TBD

 

Thursday, 21 June 2012

0830-1530 Registration & Morning Coffee/Tea Service with Exhibits
TBD
0930-0945
[UK] Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
SVP, Citi, UK
0945-1045
[US] Plenary: Securing Social [+]

With over 800 million monthly active users communicating with friends and family, sharing and expressing themselves through online content, Facebook faces a significant set of security threats. In this talk, we'll focus on several threats against our infrastructure and discuss the defensive measures that we've developed to combat them.

Grandmaster Suite - Level 6 Conference Center
Chad Greene
CERT Manager, Facebook, US
1045-1115 Coffee & Networking Break with Exhibits
Park Congress Prefunction, Ground Floor
1115-1200
[PL] Plenary: Proactive Detection of Network Security Incidents - A Study [+]

The talk is going to cover a recently published ENISA report on the "Proactive Detection of Network Security Incidents". Proactive detection of incidents is the process of discovery of malicious activity in a CERT's constituency through internal monitoring tools or external services that publish information about detected incidents, before the affected constituents become aware of the problem. It can be viewed as a form of early warning service from the constituents' perspective. Effective proactive detection of network security incidents is one of the cornerstones of an efficient CERT service portfolio capability. It can greatly enhance a CERT's operations, improve its situational awareness and enable it to handle incidents more efficiently, thus strengthening the CERT's incident handling capability, which is one of the core services of national / governmental CERTs.

The study was largely community driven: it was based on a survey of 45 different CERTs and on input from a security expert group specifically formed for the study, supplemented by the research and knowledge of members of the CERT Polska team and ENISA. Results of the survey will be covered in the presentation.

Grandmaster Suite - Level 6 Conference Center
Piotr Kijewski
Head of CERT Polska, CERT Polska/NASK, PL
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
BREAKOUTS DEEP TECHNICAL DIVES

TBD
TECHNICAL FOUNDATIONS

TBD
POLICY & MANAGEMENT

TBD
1330-1415
[PL] Honey Spider Network 2.0: detecting client-side attacks the easy way [+]

Malicious web pages that use either drive-by downloads or social-engineering to exploit systems of unsuspecting users are presently one of the most serious threats in computer security. This presentation will introduce an open-source framework for detection of client-side attacks - Honey Spider Network 2.0. Version 1.0 was a unique combination of high-interaction client honeypot (Capture-HPC NG - see http://pl.honeynet.org) with a custom low-interaction honeypot, resulting in a system that is able to use different approaches for analysis of web pages. Building on the experience gathered from the previous version of the system, we completely redesigned the architecture, focusing on creating a flexible and scalable framework.

At the core of the solution is a high-performance engine that controls the flow of tasks being processed and distributes the workload using AMQP (Advanced Message Queuing Protocol). HSN 2.0 leverages the functionality of a multitude of services (plugins) for data acquisition and analysis. It is possible to create new ones in a straightforward way: they can be implemented in any language, our protocol is well documented and AMQP is a standardized transport layer. Existing honeypot, crawler or threat analysis solutions can be easily plugged in. All this allows the system to go beyond analyzing just URLs and also inspect files such as PDFs, Office documents, Flash, etc. Furthermore, the architecture is very fault tolerant, meaning that the failure of any single service does not leave the system unusable.

Building such an open and universal architecture is necessary if the security community is to keep up to date with the dynamically shifting threat environment. In our experience, this goal is only achievable through a collaboration of many experts, each contributing knowledge - and code - about certain types of exploits and threats.

Apart from the overview of the system's architecture, preliminary results of the system's performance in real-world scenarios will be discussed. A demonstration of the system detecting various threats through multiple plugins will be carried out.

Pawel Pawlinski
CERT Polska/NASK
[IS] From Zero to CERT in 60 Days [+]

With preliminary funding secured in early 2011, the Icelandic Post and Telecommunication Administration (PTA) was tasked with establishing a CERT team in Iceland. In this presentation we will reflect on the major challenges faced by the PTA team in the months leading up to the official launch of the Icelandic national CERT team (CERT-IS). The primary goal of the PTA is to have the team provide information and, if needed, assistance to its initial constituency members (the Icelandic telecommunication companies) when dealing with computer security incidents.

From the start, time and budgetary constraints imposed on the project played a significant role in how the PTA chose to approach the many challenges of creating a CERT team from scratch. With assistance from the Finnish national CERT team and Clarified Networks, CERT-IS launched the AbuseHelper framework for internal use in October 2011. This turned out to be a pivotal moment for the CERT-IS team, as it provided the team with fairly detailed insight into the current state of security incidents within its constituency networks as well as providing means for continuous situation awareness.

We will cover in detail the 60 days following the AbuseHelper framework implementation, with emphasis on some of the key issues that emerged and the lessons learned during that period. We will focus on a) location and evaluation of available sources for incident related data, b) control of the flow of data through automation and c) extending AbuseHelper in order to respond to specific requirements by the constituency.

With AbuseHelper serving as a central data aggregation store, in conjunction with the ability to extend its functionality, the CERT-IS team could focus more on adding value to the processing of incident data, rather than simply ensuring timely report-to-contact transactions. We will explore some of these value-adding processes as well as look towards the future and review the CERT-IS goals for the coming months.

Sindri Bjarnason
CERT-IS, IS
[US] DNS Filtering and Firewalls - Panacea for network protection or the cause of Internet Balkanization? [+]

DNS "firewalls" are a potent protective measure against botnets, spear phishing and APT attacks, preventing compromised computers on your networks from communicating with their C&Cs and drop zones. However, the same technology that can be used to protect enterprise and other organizations' networks is also in play at the nation-state level, where various policies and laws are leading to filtering of the Internet based on the DNS. As more nation-states look to legislate blocking at ISPs or even deeper, what implications does that have, especially for new attack vectors as people circumvent such measures? Also, how do you as a CERT or network security professional implement a "DNS firewall" for the networks you protect using the variety of resources out there, and then manage it properly? Great technology is almost always a two-edged sword, and using your DNS resolvers to dictate how your users see the world is one of the ultimate examples of this. This session will examine the pros, cons, and how-to's of the technology.
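The mechanics behind a "DNS firewall" are simple enough to show in full. The Python below is an added example, not the speaker's or Internet Identity's code and not the syntax of any particular resolver (BIND's response policy zones are the best-known production implementation of the same idea): a policy layer in front of a recursive resolver that can deny a name (NXDOMAIN), deny the record (NODATA), redirect the client into a walled garden, or exempt a name that an over-broad feed would otherwise block, and that can also act on the answer rather than the question, so that any name resolving into a known drop-zone netblock is refused. The rule names, the upstream answer table and the addresses are constructed for this example.

```python
"""A DNS "firewall": response policy applied at the recursive resolver
(added example, not the speaker's code and not BIND RPZ syntax)."""
import ipaddress

# Actions this example's policy can express (names are this example's own):
NXDOMAIN, NODATA, REDIRECT, PASSTHRU = "NXDOMAIN", "NODATA", "REDIRECT", "PASSTHRU"


class DnsFirewall:
    def __init__(self, upstream):
        self.upstream = upstream       # callable: qname -> list of IPv4 strings
        self.qname_rules = {}          # "host.example" or "*.example" -> (action, arg)
        self.ip_rules = []             # (network, action, arg): triggered by the ANSWER
        self.log = []                  # what was blocked, for whom: the part you keep

    def add_qname(self, pattern, action, arg=None):
        self.qname_rules[pattern.lower().rstrip(".")] = (action, arg)

    def add_ip(self, cidr, action, arg=None):
        self.ip_rules.append((ipaddress.ip_network(cidr), action, arg))

    def match_qname(self, qname):
        """Exact match first, then the closest enclosing wildcard. As in RPZ,
        '*.zone' does not cover the apex itself; list both to block a whole zone."""
        name = qname.lower().rstrip(".")
        if name in self.qname_rules:
            return name, self.qname_rules[name]
        labels = name.split(".")
        for i in range(1, len(labels)):
            pattern = "*." + ".".join(labels[i:])
            if pattern in self.qname_rules:
                return pattern, self.qname_rules[pattern]
        return None, None

    def match_answer(self, answers):
        for ip in answers:
            addr = ipaddress.ip_address(ip)
            for net, action, arg in self.ip_rules:
                if addr in net:
                    return str(net), (action, arg)
        return None, None

    def _apply(self, qname, client, rule, action, arg):
        self.log.append((client, qname, rule, action))
        if action == NXDOMAIN:
            return {"rcode": "NXDOMAIN", "answers": [], "policy": rule}
        if action == NODATA:
            return {"rcode": "NOERROR", "answers": [], "policy": rule}
        return {"rcode": "NOERROR", "answers": [arg], "policy": rule}   # REDIRECT

    def resolve(self, qname, client="127.0.0.1"):
        rule, hit = self.match_qname(qname)
        if hit and hit[0] == PASSTHRU:
            return {"rcode": "NOERROR", "answers": self.upstream(qname), "policy": None}
        if hit:
            return self._apply(qname, client, rule, *hit)
        answers = self.upstream(qname)
        rule, hit = self.match_answer(answers)
        if hit:
            return self._apply(qname, client, rule, *hit)
        return {"rcode": "NOERROR", "answers": answers, "policy": None}


def build_example_firewall():
    """Constructed policy and upstream answers for this example (documentation
    address ranges only; nothing here is a real threat indicator)."""
    upstream_table = {
        "www.example.com": ["192.0.2.80"],
        "cnc.badbot.example": ["198.51.100.77"],
        "dropzone.example": ["198.51.100.90"],
        "update.vendor.example": ["203.0.113.5"],
        "random.cdn.example": ["198.51.100.80"],
        "ads.tracker.example": ["203.0.113.99"],
    }
    fw = DnsFirewall(lambda qname: upstream_table.get(qname.lower().rstrip("."), []))
    fw.add_qname("badbot.example", NXDOMAIN)              # the apex ...
    fw.add_qname("*.badbot.example", NXDOMAIN)            # ... and every name below it
    fw.add_qname("dropzone.example", REDIRECT, "10.99.0.1")  # walled garden captures the victim
    fw.add_qname("ads.tracker.example", NODATA)
    fw.add_qname("*.vendor.example", NXDOMAIN)            # over-broad feed entry ...
    fw.add_qname("update.vendor.example", PASSTHRU)       # ... with a local exception
    fw.add_ip("198.51.100.64/27", NXDOMAIN)               # drop-zone netblock, whatever the name
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for name in ("www.example.com", "cnc.badbot.example", "dropzone.example",
                 "update.vendor.example", "random.cdn.example"):
        print(name, fw.resolve(name, "10.0.0.5"))
    print(fw.log)
```

Two management points fall out of the code: the exception list (PASSTHRU) is what keeps a third-party feed from breaking legitimate services, so it needs an owner and a review cycle like any other allow-list; and the log of policy hits is itself a detection feed, since every client that asks for a blocked C&C name has just told you it is infected.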

Rod Rasmussen
Internet Identity, US
1415-1500
[US] Overseeing the orchard - Hands-on tutorial [+]

Love it or hate it, Apple's iOS mobile platform has arrived in the enterprise, now exceeding even RIM's (BlackBerry) numbers. Often, the task of overseeing these systems' security falls on the IT Security team. So, what will you do?

This session looks at the major security pitfalls to avoid in iOS, and then surveys the various tools and techniques available to the IT Security teams. These include:

- Creating secure configuration profiles for iPhones and iPads with the Apple iPhone Configuration Utility.
- Managing fleets of iOS devices remotely using MDM products, including configuration profiles, X.509 certificates, and security policies.
- Overseeing in-house app repositories of enterprise-approved apps.
- Static and dynamic testing of apps for enterprise approval. Tools and techniques for testing are covered and demonstrated.

These are the practical issues that many IT Security teams will face in order to oversee iOS deployments, from small numbers of devices through thousands of distributed devices worldwide.

Kenneth van Wyk
KRvW Associates, LLC
Feasibility study of scenario based self training material for incident response

In this presentation, I present the concept of "scenario based self training material for incident response".

The research motivation is: "How can we provide a training resource for general users and newcomers that helps their understanding of incident response to both old types of incident (e.g. network worm infection) and new types (e.g. Advanced Persistent Threat)?"

The keywords for the solution are "self training" and "scenario based".

Many incidents disclose some snapshot information (e.g. privacy information disclosure, SQL injection, etc.), but we cannot acquire incident details such as the response scenario. In other words, in many cases we cannot publish our own incident details either.

Therefore, we propose the concept of "scenario based self training material for incident response", which makes a new incident scenario by selecting and combining parts from many facts.

We make a new incident scenario by selecting and combining parts from customized blocks. That scenario is a virtual story and is not fact, but it is based on fact.

Also, in "scenario based self training material for incident response", the scenario writer presents learning and discussion points. In this case, the focus is on building a Web site, confservA.

Masato Terada
Hitachi Incident Response Team, JP

Global and Regional CERT Collaboration to Reduce Cyber Conflict Risk Panel

This panel will explore the role of CERTs in growing global and regional efforts focused on reducing the outbreak of cyber conflict and the risks associated with it. The focus will be on how CERTs can play a role in agreements, both formal and informal, that improve crisis communication and build confidence between nations and other actors, in order to reduce the degree of escalation of cyber conflicts and to improve understanding of the likely behavior of the actors involved. The panel will build on recently published academic and policy writings on this topic as well as the engagement of the panelists in ongoing negotiations and operations in this area, including the US-China and US-Russian cyber bilateral discussions, the China-Japan-Korea Joint MOU on Collaboration on Cyber Security Incident Response, the APCERT efforts on cyber clean-up, the Nordic CERT framework for collaboration and the OIC cybersecurity collaboration efforts.

Greg Rattray
Delta Risk LLC, US
Yurie Ito
JPCERT/CC, JP
Haythem El Mir
CERT-TCC, TN
Karl Jahr
Norwegian Ministry of Foreign Affairs, NO
1500-1600 Open Exhibit Hour (for non-members)
TBD
1530-1730 Annual General Meeting (AGM)
Members Only. Must have a valid government issued photo ID for entry. No exceptions.
Coffee break will be served in room.


Friday, 22 June 2012

0830-1200 Registration & Morning Coffee/Tea Service with Exhibits
TBD
0930-0945
Opening Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
SVP, Citi, UK
0945-1045
Keynote Presentation
Grandmaster Suite - Level 6 Conference Center
Lance Spitzner
Director, SANS Securing the Human Program, SANS Institute, US
1045-1115 Coffee & Networking Break with Exhibits
TBD
1100-1200
Plenary: What we found about BCP on 3/11

In Japan, Business Continuity Planning (BCP) was said to be ready for any natural disaster. In the event of an issue at corporate headquarters, satellite offices, backup systems for critical information and disaster recovery plans were all considered ready to go. However, after the earthquake on 3/11, we realized that in fact BCP processes were not enough to deal with "REAL" disasters, because of not only power outages but also unexpected problems including human factors.

We interviewed enterprises in Japan, focusing on BCP that

(1) worked out well
(2) did not work out well

Based on our interview results, we will introduce what happened on 3/11 and what is needed for "REAL" BCP.

Grandmaster Suite - Level 6 Conference Center
Takuho Mitsunaga
Security Analyst, JPCERT/CC, JP
1200-1330 Lunch
Spinola Suite - Level 5 Conference Center
BREAKOUTS DEEP TECHNICAL DIVES

TBD
TECHNICAL FOUNDATIONS

TBD
POLICY & MANAGEMENT

TBD
1330-1415
AbuseHelper case studies: Gathering and sharing incident data among different communities

In recent years, Finland has topped the list of least infected countries in the world according to reports such as the Microsoft Security Intelligence Report (SIR). The goal of this presentation is to briefly introduce the approach we believe contributed to these results. In this approach the security community organizes itself to collaborate and protect citizens and the critical infrastructure from organized crime. This talk focuses on the experiences of CERT-FI in using AbuseHelper, an open source framework for handling incident data, within the Autoreporter and HAVARO projects. Autoreporter is a system for automatically reporting to Internet providers on masses of incidents reported by third parties. Information is gathered, elaborated, sanitized, and reported to the gathered contacts. The HAVARO project is a co-operation between CERT-FI and the Finnish National Emergency Supply Agency. HAVARO is a versatile network monitoring and early warning system for Finnish critical information infrastructure providers. The intelligence CERT-FI gathers on network abuse through its international contact network is put into operational use in the HAVARO system. HAVARO collects observations of possibly malicious activities based on IDS rules, flow data and traffic to known bad networks and systems. Full packet traces of suspected incidents are retained for investigation. Reports and alerts are sent to the system owners after investigation. We explain how the underlying AbuseHelper framework enables these systems to co-operate and allows CERT-FI to gain broad visibility into the security of Finnish networks. Finally, we present an outline of how the Finnish National Bureau of Investigation is using AbuseHelper to enable information sharing between the CERT and law enforcement communities in its Collabro project.

Jussi Eronen
CERT-FI, FI
Are Cyber Security Exercises Useful? The Malaysian Case Study

Cyber security exercises (cyber drills) are pretty common these days. CERTs/CSIRTs, at both the national and regional levels, have been observed organizing them regularly. In this respect, the Malaysia CERT has been coordinating the national cyber security exercises, known as X-Maya, since 2007. The exercises are hands-on in nature and carried out as part of the critical information protection program. While a lot can be said about the benefits of this activity, some question its effectiveness when it comes to dealing with real incidents. This presentation will give a technical overview of designing and executing X-Maya 4 in 2011. Most importantly, some reflections on the effectiveness of the exercise in the light of Anonymous #opsMalaysia in June 2011 will also be shared with the audience.

NSM NorCERT has also seen low-tech social engineering attacks, where the e-mails simply contain trojans within .ZIP or .RAR files. Often there may just be a URL link to such files. Either way, the end user is convinced to open these files, thereby compromising their system.

Once the malicious attachments or links have been executed successfully, new malware is downloaded to the compromised computer and the threat actors may be inside the network setting up a stronger foothold.

The malware used in the attacks may go undetected by anti-virus engines for months. Many IPS/IDS and web proxies do not have detections for the beaconing and backdoor traffic that these types of malware use.

Often these types of attacks are spotted through user awareness when receiving e-mail attachments, or by users complaining about suspicious behavior. System administrators may detect a compromise by anomalies such as the creation of new user accounts and privilege escalations. NSM NorCERT has detected several attacks in our nation-wide early warning system (VDI), which is a private-public partnership in which member organizations that are part of Norway's critical infrastructure have installed VDI-specific IDS sensors.

Adli Wahid
CyberSecurity Malaysia (MyCERT), MY
Visualizing cybercrime campaigns using TRIAGE analytics

TRIAGE is a software analysis framework recently developed by Symantec Research Labs to automate cyber intelligence tasks and reduce the time needed to get insights into organized cybercrime activities. One of the rationales for developing this analysis tool is to enable rapid triage analysis of large security data sets, and therefore help analysts quickly attribute various waves of Internet attacks to the same phenomenon, e.g., an attack campaign likely run by the same individuals.

The TRIAGE analytics components take advantage of multi-criteria decision analysis (MCDA) techniques to effectively cluster attacks that are likely due to the same root cause. More recently, we started developing interactive visualizations for the framework in the context of VIS-SENSE, a European research project that aims at developing visual analytics technologies specifically suited to network security analysis and attack attribution.

Initially developed during the WOMBAT Project (EU-FP7), TRIAGE has since been used to analyze the strategic behavior of criminals involved in various phenomena, such as rogue AV campaigns [1] and spam botnet operations [2]. Providing new or updated examples of applications, e.g., an analysis of the targeted attacks landscape in 2011, we will demonstrate how TRIAGE analytics can help security analysts quickly identify and understand attack phenomena, and how it can shed some light on cybercrime campaigns and the modus operandi of their authors.

[1] Marco Cova, Corrado Leita, Olivier Thonnard, Angelos D. Keromytis, and Marc Dacier. An Analysis of Rogue AV Campaigns. In Proc. of the 13th International Conference on Recent Advances in Intrusion Detection (RAID'10).
[2] Olivier Thonnard and Marc Dacier. A Strategic Analysis of Spam Botnets Operations. CEAS'11, Perth, WA, Australia, Sep 2011.

Olivier Thonnard
Symantec, FR
1415-1500
Sharing data's hard, here's how we did it

The REN-ISAC is a federation of diverse research and education institutions concerned with operational computer and network security. What slowly started out with some people, some hacked-up mailing lists, a wiki and some magic Perl glue to share intelligence quickly snowballed into a vast sea of data that no one could keep track of or use in their day-to-day operations.

Over the last few years we've invested most of our development time and effort into building tools that lower the barrier to entry for our community to share data intelligently. These tools have not only been developed with our own CSIRT constituencies in mind, but also based on feedback from the international CSIRT community.

This talk will focus on how our community went from a set of extremely raw tools to an automated end-to-end process for sharing data within a large heterogeneous community. First we'll detail how institutions currently share data directly into each other's IR process with little or no human interaction. We'll also discuss how we've enhanced various international standards that enable our constituency to further share data with law enforcement agencies as well as our trusted mitigation partners. Additionally, this talk will review the most common data-sharing hurdles when partnering with external organizations, and why most global data-sharing ventures have failed to scale in this space; this includes things like data parsers, information sharing agreements and data formats. Finally, we'll talk about how we plan to evolve this application into the big-data environment (hundreds of billions of things per day) over the next three years.

Attendees should walk away with a real life set of tools and lessons learned, both technical and strategic, that they can use to scale internal intelligence operations past their own borders.

Wes Young
REN-ISAC, US
From Participant to Planner - Surviving Cyber Exercise Armageddon

Cyber-based exercises are quickly becoming the de facto way to test systems and networks in preparation for the next cyber-based emergency. The concept of large-scale cyber-based emergencies has become a daily threat to those in the CERT profession, and to those whom we protect. In order to ensure that we are prepared to handle the worst-case scenario, industry has taken to planning and participating in numerous cyber-based exercises to support the ability to respond. However, bigger is not always better, and more is not always best. Having participated in and planned many cyber-based exercises over the past 5 years, I will provide an experienced overview that highlights the key areas and considerations essential to the development and deployment of well-rounded scenarios. Participants will leave the presentation with knowledge of lessons learned from the multiple cyber-based exercises that I have been involved with, including Cyber Storm II and Cyber Storm III, Olympic readiness exercises, and private sector and government collaboration exercises.

Robert Pitcher
Canadian Cyber Incident Response Centre, CA
How Visualization Makes it Possible

Handling huge amounts of data is difficult. Organizations have been deploying firewalls, SIEMs and log management systems, and still attacks occur and find their way into their networks. The events being handled are stored in databases, dealt with through a dashboard, etc. All of these cut off the analyst's direct access to the data. Visualization, when done properly, can not only help you understand the whole picture, but also help you find clues faster than any sort of pattern matching against known attacks. This talk will give examples of how visualization has been used successfully by several banks and governmental institutions to quickly find targeted attacks.

Sébastien Tricaud
Picviz Labs, FR
1500-1530 Coffee & Networking Break with Exhibits
TBD
1530-1600
Proposal for a new model for information sharing between CSIRTs

National and other active CSIRTs are facing huge amounts of incoming data from automated sources (e.g. Shadowserver, Team Cymru services, Clean MX, their own honeypot and sensor data, etc.) as well as from manual reporting. Processing all this valuable information in a timely manner poses a serious challenge, day after day, and can lead to frustration because valuable data, resources and time are being wasted; cross-reporting complications and multiple reports for the same incident amplify the whole problem. CSIRTs are trying to combat organized crime, but sometimes they feel like “unorganized superheroes”.

Partially automating the processing of automated sources with projects like AbuseHelper, Megatron or homebrew scripting can bring some relief, but unfortunately this won’t solve the cross-reporting and other issues.

A second issue is how to create a global view of the data. National CSIRTs have an “island-view” on what’s happening inside their country (or a partial one) but are barely aware of what is happening in the neighboring countries.

By interconnecting automation systems one can create a global overview. Each island can share with its peers whatever information is legally and politically allowed, in order to benefit from more worldwide intelligence to solve major incidents. There are some natural geopolitical archipelagoes, like the US, the EU, the Benelux, etc.

The goal of this presentation is to discuss the challenges and solutions for tackling the problems described above. Both legal and technical challenges will be covered, and we hope it will inspire the community to collaborate further in order to get rid of the CSIRT island-view while still respecting each CSIRT's constituency, autonomy and local legislation. This would help the superheroes get organized, enabling them to pose a much stronger opposition to organized Internet crime and abuse.

David Durvaux
Christian Van Heurck
CERT.be, BE
Oráculo Project - Applying lessons learned from bank fraud fighting to high tech crimes

The Tentáculos project is a successful project run by the Brazilian Federal Police Cybercrime Unit that uses police intelligence to map bank fraud criminal organizations and organize information received from federal banks. With this project the Federal Police were able to significantly reduce crimes against federal banks and reduce the amount of paperwork in bank fraud investigations by 90%.

This presentation will talk about the Tentáculos project, including how it works, its practical results, and its ongoing successor, the Oráculo project. The Oráculo project shares the same foundation as the previous one, but aims at building an intelligence database on high technology crimes instead of bank fraud. With the Oráculo database, the Federal Police will be able to map trends and other information in order to prevent, mitigate and fight high technology crimes.

Ivo Peixinho
Carlos Sobral
Brazilian Federal Police
SCADA Security: The fight to protect critical infrastructure

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides cyber incident response, analysis, and information sharing to address the cyber security threats and vulnerabilities unique to industrial control systems (ICS). Two key functions of ICS-CERT are incident response and ICS product vulnerability coordination.

ICS-CERT provides asset owners of US critical infrastructure onsite assistance and offsite analysis to support discovery, forensics analysis, and recovery efforts associated with cyber security incidents. ICS-CERT focuses on control environments within critical infrastructure. Onsite assistance consists of fly-away teams being made available to deploy onsite to review affected entities’ network architectures, collect applicable forensic data, assist with immediate mitigation efforts when appropriate, and work with the stakeholder to identify future defense strategies. Offsite services include providing analytical findings, including determination of origin and breadth and depth of compromise from data captured during the onsite deployment to the affected asset owner.

In 2011 ICS-CERT experienced a 753% increase in reported disclosures of vulnerabilities in industrial control system (ICS) products. Security researchers (white, gray, and black hats) across the globe are increasing their research into ICS products and the potential impact on critical infrastructure. Coordinated vulnerability disclosures of control system products are increasing rapidly, but so are the instances of unanticipated or full disclosures. The overall pace of ICS vulnerability disclosure is rising dramatically, and the interest in the security of the world’s industrial control systems continues to grow.

This presentation will discuss lessons learned from ICS-CERT incident response efforts, the daunting trends in the disclosure of ICS product vulnerabilities, who is disclosing new vulnerabilities, and the coordination process used by ICS-CERT. Current data and new events up to the day of the presentation will be included. Attendees will learn how to stay aware of new vulnerability announcements and how control system owners and operators can mitigate new control system vulnerabilities that can affect the security of critical infrastructure.

Kevin Hemsley
ICS-CERT, US
1600-1630
Closing Remarks
Grandmaster Suite - Level 6 Conference Center
Chris Gibson
Chair, FIRST.Org
SVP, Citi, UK