FIRST Chiang Mai: Tapping into a wealth of resources and experience

23 Oct 2019

Categories: Events Tech matters


In 2016, we began hosting FIRST Technical Colloquiums (or TCs for short) at APNIC and APRICOT conferences. 

The collaboration has been important, as it has allowed APNIC to increase awareness and understanding of network security in the APNIC community by tapping into a wealth of resources and experience of the FIRST and APCERT communities, especially in terms of building trust, information sharing, and experience in dealing with security breaches. At the same time, it has introduced different security stakeholders to the APNIC community. 

FIRST-TC Auckland was the first TC held at an APRICOT conference

Since the FIRST TC event in Auckland (APRICOT 2016) we have organized TCs in eight cities in the Asia Pacific region: Mumbai (India), Colombo (Sri Lanka), Ho Chi Minh City (Viet Nam), Taichung (Taiwan), Kathmandu (Nepal), Noumea (New Caledonia), Daejeon (South Korea) and most recently in Chiang Mai (Thailand).

The relationship between FIRST and APNIC has strengthened considerably since that first event back in 2016. At APNIC 48, the TC was no longer a co-located event, but a fully integrated track in the main APNIC 48 program.

What was presented at APNIC 48 Chiang Mai 

At APNIC 48, we had 12 presenters speaking on a diverse range of topics during the APNIC-FIRST Security track. 

One of the best-received talks was by Kenneth Teo of Alsid, on securing Microsoft’s Active Directory (AD). He detailed how AD is an important piece of infrastructure in many enterprises, which naturally makes it an attractive target. Kenneth walked through some scenarios of how ADs are compromised before sharing a list of things system administrators can do to make AD more secure.

Collaboration is an easy word to mention but it requires persistence and patience to get it to work. Kitisak Jirawannakul from TB-CERT (Thailand Banking Sector CERT) spoke about how the security community within the Banking and Finance sector in Thailand got together a few years ago and worked on a couple of initiatives to improve security, together.

There were a few interesting projects mentioned by Kitisak including training, sharing of security awareness materials and desktop exercises. The establishment of TB-CERT — which later became a member of FIRST — was a success story for their community, and there are certainly some lessons that we can all learn from their experience. 

Read: Industry based CERT provides members confidence to share 

There are many considerations when organizing a conference, one of which is securing a conference’s network — an increasingly important but sometimes under-resourced task. Kiran and Kailash from Cisco CSIRT shared some of the challenges they’ve experienced with assisting conferences with their network security, including recent events. Personally, it was both an entertaining and educational talk with some tips on detection and protection of endpoints (attendees).

We had two talks from national CERTs. The first was by Joy Chan and Chih-Hung Lin from TWNIC and TWCERT who shared outcomes from their work on anonymizing datasets so that it was possible to share sensitive information with relevant parties. Setthawhut Saennam from ThaiCERT shared some interesting observations about a technique used by adversaries called LOL (Living off the Land). For this technique, adversaries use legitimately installed or built-in programs to achieve their goals, evading detection and bypassing security mechanisms; nothing to ‘lol’ about here for security practitioners.

As always, the program included presentations from industry-based researchers and security personnel, who shared their unique insights. Vicky Ray talked about Palo Alto’s Unit42 work on active APT (Advanced Persistent Threat) actors in the last decade. This work is certainly useful for those in the field trying to understand the motivations and capabilities of these actors. Additionally, the talk was a good reminder that security is affected by geopolitical tensions and economic reasons.

On the enterprise side of things, Pasan Rawana Lamahewa spoke about why organizations should have a bug bounty program. He also shared some of his experiences helping organizations to improve their security and explained how those who are interested can get started with Bugcrowd and HackerOne.

Speaking of continuous improvement, Jordi Aguila Vila shared how La Caixa Bank has expanded its risk management program to include red-teaming. The highlight of his presentation was a video showing red-teaming activities – it’s pretty awesome! 

We also had presentations from APNIC, GEANT and ICANN. For the last two years, APNIC has been supporting GEANT with CSIRT training for the Research and Education Network (REN) communities, including an event at APNIC 48. It was great to have Sigita Jurkynaite (GEANT) give an update on those activities and GEANT’s other initiatives.

Edward Lewis from ICANN gave a thorough overview of DNS abuse and misuse. This is probably not new to the community, but what I liked about his presentation was how he discussed the benefits of several means of mitigation, the roles of stakeholders such as CSIRTs and the public safety community, and initiatives that ICANN is implementing, including supporting the DNS Abuse (Mitigation) SIG at FIRST.

Thanks for reading until the end! I am very aware that I am not able to do justice to, or report on, all the good things that were shared and presented. The good news is that we have the slides on the conference website and you can also see the recordings of most of the sessions on our YouTube channel.

We look forward to continuing the FIRST-TCs in 2020 — if you’re planning on attending APRICOT 2020, the FIRST community will see you soon in Melbourne. 
