Another APRICOT has been and gone, and once again we were able to connect with our friends and colleagues in the security space, contribute to security discussions, sign a memorandum of understanding (MoU), as well as continue with tradition and run another FIRST-TC event – FIRST-TC Daejeon — this time as a conference track!
Below is as brief a summary as I could write from a jam-packed week.
Cooperating to mitigate cyber threats session
During APRICOT 2019, APNIC hosted a session to discuss the cyber threat landscape, the need for strong security and skilled security personnel, what operators are doing — or not doing — to secure networks and routing, and why cooperation is needed to defend Internet infrastructure.
Jeeyoung Hong from KrCERT/CC (KISA) talked about the role her organization plays in educating and helping their constituents (both public and enterprises) in mitigating cyber threats. She also shared the top seven threats they faced today.
I also had the opportunity to highlight some of our own efforts, including the APNIC Community Honeynet Project, that was done through cooperation with other organizations.
The session concluded with the announcement of two MoUs that APNIC had signed with APCERT and CERT Tonga. Both APCERT and CERT Tonga have played instrumental roles in enabling us to reach out to the Asia Pacific Community in the last couple of years; this step will help to ensure continuity, and solidifies our relationships.
#APRICOT2019 Cooperating To Contain Security Threats culminated in MoUs being exchanged between APNIC and @apcert and APNIC and Tonga CERT pic.twitter.com/H0Otm5TrSo
— APNIC (@apnic) February 26, 2019
FIRST-TC Daejeon
In a nutshell, the TC was ‘intense’ with 10 talks from 15 presenters (5 female and 10 male). Luckily, I received support from my APNIC colleagues Jamie Gillespie and Klée Aiken to help with chairing the sessions.
It is worth mentioning that for the first time at an APRICOT conference, we were able to stream the session live (with permission of the presenters of course) so others could participate remotely. I highly recommend that folks watch the presentations, download the slides, and reach out to the presenters to discuss of topics of interest further — there were a lot of good insights and words of wisdom that I will not be able to mention in this short post.
Malware everywhere (still)
There were a few good lessons learned from real incidents shared by Malaysia Computer Emergency Response Team (MyCERT) and JPCERT/CC. Security duo Farah and Nurul talked about a mobile malware incident affecting MyCERT’s constituency and reflected on their experience integrating ‘threat intelligence’ with their incident response process.
Read: Threat intelligence sharing, awareness keys to cybersafety in Malaysia
On a similar note, Shoko Nakai also talked about a mobile malware campaign known as FakeSpy in Japan. She gave a nice overview of how the infection works, touching on the infrastructure and techniques used by attackers. Most importantly, she highlighted current challenges in coordinating with stakeholders that JPCERT/CC needed to work with such as mobile operators, ISPs and domain registrars, and victims.
From these two presentations, I can see that more work is required to help operators deal with malware related abuses. Which was why I was happy to listen to the updates from Severin Walker about M3AAWG activities – the three M’s here refers to messaging, mobile and malware. One activity that got my attention was the workshop for abuse desks at ISPs and service platforms operators.
Furthermore, M3AAWG is keen to increase participation in the Asia Pacific region and has been making some progress with the establishment of Japan Anti-Abuse Working Group (JPAAWG), which was held in November last year. We also had the pleasure of getting an update from Shuji Sakuraba on the JPAAWG 1st General Meeting.
Supply chain security
Inseung Yang (KrCERT/CC) highlighted a few case studies where attackers achieve their goals by targeting software companies and developers. This is one of those situations where you can say ‘my security depends on your security’.
How can we be sure that entities who make software we use daily — commercial or otherwise — have not been compromised? Do they have the capabilities to detect malicious activities in their infrastructure and react quickly to them? Obviously, security must exist in many areas — not just the software development process but also the infrastructure for working, building codes, and issuing patches.
Philip Paeps (FreeBSD Foundation) also touched on this issue but from the experience of a developer of a popular UNIX-like operating system. Philip, who also did a tutorial on ZFS at APRICOT 2019, shared a lot of insights on the challenges of managing an OS ecosystem that has a large code base (kernel, userland, third-party components and ports/packages) with the help of a community of volunteers.
When it comes to security there is an expectation on the provisioning of timely fixes. However, behind the scenes there are a lot of tasks that security officers must consider, including issuing advisories, responding to vendor inquiries, coordinating vulnerability disclosures, auditing code, and continuous monitoring of anything that may affect the security of a FreeBSD system. That is certainly a lot of work and I truly appreciate the hard work and passion of the FreeBSD community; please consider supporting the FreeBSD Foundation too.
Security initiatives that benefit everyone
One thing I really like about the security community is the spirit of taking the initiative to fix or tackle specific problems. In addition to the M3AAWG (mentioned above), our partners ICANN and ISOC also gave updates about their current work and invited the community to collaborate.
David Huberman shared ICANN’s effort to help the community identify DNS abuse activities. Domain Abuse Activity Reporting System (DAAR) is a system for reporting on domain name registration and abuse (read: spam, bots, phishing and so forth) data across TLD registries and registrars. Take a look at a sample report for January 2019.
I remembered having Andrei Robachevsky (ISOC) at our security track at APRICOT 2015 in Fukuoka where he promoted the newly launched (at the time) MANRS. He came back to: enlighten us on risks related to (the lack of) routing security; update us on the progress of MANRS activities; and encourage the CSIRT community to lend more support in this space. MANRS now not only has more supporters (network operators, IXPs) but the project now offers practical hands-on labs and many other resources available for free on their website.
Read: MANRS — Measuring routing (in)security
Doing security
We also had a couple of presentations that fit in the ‘this is how we do security in our day job’ category.
Suman Saha (Amber IT Ltd) and Allan Watanabe (Pipeline Security) demonstrated how they configure and operate DNS RPZ in real life. I also learned they decided to do a joint presentation in Daejeon after Allan saw Suman’s presentation on using DNS to block malicious activities at our TC in Kathmandu (APRICOT 2018) last year!
Jordi Aguila Vila and Alba Barreiro Manero (La Caixa Bank) shared their ‘red team’ experience at La Caixa Bank. It was interesting to understand how the team works and, more importantly, how this proactive approach helps to improve the overall security posture of the organization.
Another presenter from the financial sector was Keisuke Kamata (FS-ISAC Japan) who showed us how the banking security community in Japan collaborated to organize CyberQuest — a mix of ‘cyber range and tabletop’ exercise. For the record, Keisuke had written about this in the past for the APNIC Blog and I had the opportunity to observe the event held in 2017. But I am still impressed to learn about the amount of work put in by volunteers to plan, create, run and do the exercise as part of a community effort among competing enterprises.
Security is hard but we keep on trying
Many will probably agree that addressing security is hard. However, based on what I saw and heard at the FIRST-TC Daejeon and APRICOT 2019 last month, there are many efforts that are trying to break down the problem into smaller more manageable pieces. Yes, we might be a bit overwhelmed with the number of breaches reported on the daily basis but seeing different communities within the security community trying to reach out to one another makes me optimistic and wanting to be part of the story. So yeah, we’ll keep on trying!
By the way, we are already thinking about our FIRST-TC track at APNIC 48 in Chiang Mai, Thailand (10-12 September). If you are interested in sharing your efforts, please don’t hesitate to let us know!
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.