The recent Equifax breach and the WannaCry outbreak have highlighted, within the network security community, the need for improved incident response. A goal of the FIRST organization is to provide a trusted forum in which the community can share lessons learned in monitoring and responding to attacks, as well as discuss potential solutions that address the root causes of attacks.
The event started with a two-day workshop on Network Forensics for Incident Responders, led by instructors from JPCERT/CC. In the workshop, participants learned best practices for analyzing network packet captures.
The plenary session took place on 11 September, with about 50 participants including speakers in attendance.
There was a lot of interesting content shared during the event, most of which was confidential as per the forum’s values and the need to establish trust among attendees. Below are some of the highlights that I can discuss:
Adnan Baykal, from the Global Cyber Alliance (GCA), shared GCA’s efforts in promoting Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC lets a domain owner publish a DNS policy that tells email receivers what to do with messages that claim to be from that domain but do not ‘align’: that is, messages for which neither SPF nor DKIM authenticated a domain matching the one in the message’s From header. The policy states whether such non-aligned messages should be monitored, quarantined or rejected, and where to send reports about them back to the domain owner.
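As an added illustration of the alignment check described above (example code written for this post, not GCA’s or FIRST’s software), the following Python parses a DMARC TXT record and applies the alignment rule to SPF and DKIM results that are assumed to have already been computed. The record, domains and verdicts are constructed sample input; the organizational-domain function is deliberately simplified to the last two DNS labels, whereas a real receiver must consult the Public Suffix List.

```python
"""Minimal DMARC alignment and policy evaluation (added example).

Assumptions, labelled here and in the comments: SPF and DKIM verdicts are
supplied by the caller rather than computed; the organizational domain is
approximated by the last two DNS labels instead of the Public Suffix List;
the 'pct' and 'sp' tags are ignored.
"""


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary.

    Alignment tags missing from the record default to relaxed ('r'),
    which is the default RFC 7489 specifies.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    # SIMPLIFICATION (assumption): last two labels. Production receivers use
    # the Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record: dict, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str):
    """Return (disposition, reason).

    A message passes DMARC if at least one of SPF or DKIM both produced a
    'pass' AND the domain it authenticated is aligned with the From-header
    domain. Otherwise the record's 'p' policy (none/quarantine/reject) applies.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok and dkim_ok:
        return "pass", "spf+dkim aligned"
    if spf_ok:
        return "pass", "spf aligned"
    if dkim_ok:
        return "pass", "dkim aligned"
    return record["p"], "no aligned, authenticated identifier"


# Constructed sample record: strict DKIM alignment, relaxed SPF alignment.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    # Legitimate bounce subdomain: relaxed SPF alignment accepts it.
    print(evaluate_dmarc(rec, "example.org", "pass", "bounce.example.org", "none", ""))
    # Spoofed From with a valid SPF for the attacker's own domain: not aligned.
    print(evaluate_dmarc(rec, "example.org", "pass", "attacker.net", "none", ""))
    # DKIM signed by a subdomain, but adkim=s demands an exact match.
    print(evaluate_dmarc(rec, "example.org", "fail", "attacker.net", "pass", "mail.example.org"))
```

The second and third cases are the ones DMARC exists for: a valid SPF or DKIM result on its own proves nothing about the From header the recipient sees, and only the alignment step ties the authenticated domain to it.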
Adnan also encouraged attendees to consider using GCA’s free DNS resolver service, which refuses to resolve domain names that are known to be associated with malware or malicious content, helping to keep end-points from reaching them.
There were quite a number of presentations that shared lessons learnt from case studies or security incidents, including those by:
- Yurii Khvyl (CSIS Security Group), who spoke about the evolution of banking trojans such as Dyreza, Ramnit, and Shylock.
- Jeremy Chiu (CyCarrier), who spoke about some of the challenges faced when handling incidents. He stressed the need for the security community to change its approach to incident detection and response, including considering artificial intelligence approaches.
- Speakers from Team T5 Research — Ashley and Sung Thing Tsai — who also highlighted the shortcomings of the traditional incident response approach, by analyzing case studies of Advanced Persistent Threat (APT) attacks they had handled previously.
- Lenart Bermejo (Trend Micro), who shared some insights on threat actors in the Middle East, including the actors’ targets and techniques.
- Charming Lin (TWNCERT), who spoke about growing concerns over the security of IoT devices and TWNCERT’s work to address them. Using data from services such as Shodan, they identified at-risk devices and worked with stakeholders such as network operators and relevant government agencies to mitigate those risks.
Threat Intelligence has been a popular term for a few years now. Simply put, it is knowledge that helps you identify security threats and make informed decisions. Franki Li (Dragon Advance Tech Consulting) investigated the origin of the term, what it means to different communities, and its relevance to incident response and incident investigation.
Finally, Edward Lewis (ICANN) reminded participants of the upcoming DNSSEC root zone Key Signing Key (KSK) rollover, scheduled for October 2017.
Overall, attendees commented that the event provided a great platform for security response teams and analysts in the region to get together and share knowledge.
It was also a good example of the continuous collaboration between APNIC, FIRST, APCERT, and other stakeholders to improve network security together.
Visit FIRST.org for more information about FIRST events.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.