FIRST Security Symposium highlights need for better incident response

By on 14 Sep 2017

Categories: Community Events

Tags: , ,

Blog home

The recent Equifax and WannaCry attacks have highlighted within the network security community the need for an improved incident response. A goal of the FIRST organization is to provide a trusted forum for the community to share lessons they’ve learned in monitoring and responding to attacks, as well as discuss potential solutions to addressing the root cause of attacks.

The FIRST Regional Symposium for Asia Pacific, held from 9 to 11 September in Taichung, Taiwan, was one such forum. This event was hosted by APNIC as part of the APNIC 44 conference.

The event started with a two-day workshop on Network Forensics for Incident Responders, led by instructors from JPCERT/CC. In the workshop, participants learned best practices for analyzing network packet captures.

The plenary session took place on 11 September, with about 50 participants including speakers in attendance.

There was a lot of interesting content shared during the event, most of which was confidential as per the forum’s values and the need to establish trust among attendees. Below are some of the highlights that I can discuss:

Adnan Baykal, from the Global Cyber Alliance (GCA), shared GCA’s efforts in promoting Domain-based Message Authentication, Reporting and Conformance. DMARC helps email receivers determine if a message ‘aligns’ with what the receiver knows about the sender; if not, the system provides guidance on how to handle the ‘non-aligned’ messages.

Adnan also encouraged attendees to consider using GCA’s free DNS service, which can help prevent end-points from accessing domain names that are associated with malware or malicious content.

There were quite a number of presentations that shared lessons learnt from case studies or security incidents, including those by:

  • Yurii Khvyl (CSIS Security Group), who spoke about the evolution of banking trojans such as Dyreza, Ramnit, and Shylock.
  • Jeremy Chiu (CyCarrier), who spoke about some of the challenges faced when handling incidents. He stressed the need for the security community to change our approach to doing incident detection and response, including considering using artificial intelligence approaches.
  • Speakers from Team T5 Research — Ashley and Sung Thing Tsai — who also highlighted the shortcomings of the traditional incident response approach, by analyzing case studies of Advanced Persistent Threat (APT) attacks they had handled previously.
  • Lenart Bermejo (Trend Micro), who shared some insights on threat actors in the Middle East, including the actors’ targets and techniques.
  • Charming Lin (TWNCERT), who spoke about increasing concerns and TWNCERT’s work to address the security of IoT devices. Taking advantage of the work of providers such as Shodan, they were able to identify risks and worked with stakeholders such as network operators and relevant government agencies to mitigate these risks.

Threat Intelligence has been a popular term for a few years now. Franki Li (Dragon Advance Tech Consulting) investigated the origin of the term, what it means to different communities, and its relevance to incident response and incident investigation.

Finally, Edward Lewis (ICANN) reminded participants on the upcoming Key Signing Key (KSK) Rollover in October 2017.

Read KSK Rollover Q&A with ISC’s Eddy Winstead

Overall, attendees commented that the event provided a great platform for security response teams and analysts in the region to get together and share knowledge.

It was also a good example of the continuous collaboration between APNIC, FIRST, APCERT, and other stakeholders to improve network security together.

Visit for more information about FIRST events.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *