Last updated: 
4 days 7 hours ago
Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

FIRST Conference 22/06/2014 - 27/06/2014

Wednesday, July 9, 2014 - 12:30

Janet CSIRT are a member of a global non-profit organisation called the Forum of Incident Response and Security Teams, or FIRST. There are a number of FIRST member events throughout the year including an annual conference.
The annual conference is a 5-day conference open to both member and non-member teams in an effort to share knowledge and grow as a community. This year, the conference was held at the Park Plaza Hotel in Boston, Massachusetts with the highest attendence rate to date of around 750 attendees. This was my first FIRST conference and I'd like to share some details of my experience highlighting why going to the conference is worthwhile.

Although the conference itself started on the Monday, it all kicks off on the evening of the Sunday with a welcome reception where you are encouraged to meet attendees and "network" with the helping hand of alcohol and light snacks. It is also tradition during this reception that Masato Terada starts his mission in meeting all attendees and carrying out what he refers to as a "sticker injection" attack. Those compromised by this attack will carry their conference pass graffitied in hello kitty stickers, whilst those without stickers simply remain vulnerable to exploitation (whether they know it or not!). The all important infection stats are then read out in the closing remarks of the conference.

The opening keynote was presented by Kieran Ramsey and Kevin Swindon of the FBI Boston Division. This presentation gave an overview on incident response following the Boston Marathon Bombings, the amount of data they had collected and their challenges in processing this data. The sheer amount of information sent to the FBI through various forms of media including emails, photos taken on cameras and CCTV footage from nearby businesses required a task force that spanned the entire country and required the input from various agencies. This was a great example of how team work is a key part of effective incident response.
A session later in the day by Steve Zaccaro of George Mason University reinforced the need for team work by discussing approaches to multiteam working and how communication between multiple teams can positively impact incident response.

One of the main themes running throughout the conference was information gathering and sharing, in particular the importance of actionable data. I attended a number of sessions on this topic including the n6 tool created by CERT.pl, processing multiple data formats by the US Department of Energy, integrating IFAS by CSIRT Foundry and CERT.at and a more forensics-focused data sharing presentation by Johan Berggren of Google. With the many feeds of data available, these systems are becoming more critical for incident response teams in order to assist in detection and prevention of security incidents. A key point was that this data is only useful if it is actionable. As well as complete log data, this also requires your system be able to take in multiple formats and then output to multiple formats making it accessible for your customers. The team at the DoE particularly highlighted this importance with examples of their Flexible Transform approach. Janet CSIRT are currently looking into the way in which we process our data and how we can best do that to the benefit of our customers so keep your eyes peeled for further announcements over the coming months.

I'll quickly note some of the more technical sessions that I went to which were of particular interest. Most of the presentations can be found at http://www.first.org/conference/2014/program.

 - Paul Vixie's talk on passive DNS.
 - Tim Slaybaugh and his talk on pass-the-hash. This included a number of example tools used to extract and replay password hashes on Windows systems with some notes on some security measures in place in Windows 8.1.
 - CERT.pl and their efforts in sinkholing.
 - Konrads Smelkovs from KPMG discussing making networks defendable against zeroday attacks.
 - First line malware analysis with Garrett Schubert of EMC Corporation.
 - John Kristoff of Team Cymru with a talk on Everyday Cryptography.
 - Holly Stewart from the Microsoft Malware Protection Center (MMPC) talking about eradicating malware and coordinated efforts with other CERTs, ISPs and ecommerce companies.

Other keynote speakers included Eugene Spafford and Bruce Schneier who discussed the current state of security and touched on how attacks are becoming more sophisticated and the importance of building security from the ground up. Eugene commented that if we do not change our short term thinking and start thinking long term with security then we are deemed to fail, whilst Bruce noted that with more companies using cloud-based services and BOYD devices, we are losing control of our infrastructure.

From my experience the conference is an ideal opportunity to learn about security topics, and to network with other teams, hopefully making some contacts along the way. As well as learning about different tools that are available, it allows you to think about the way your team does incident response and the way in which you interact with your customers;
 - Are we using the best tools available to make us as productive as possible?
 - Are we providing a useful service to our customers? Are there other services that we *could* provide to our customers that we currently aren't?
 - What could we do more of to benefit our community and/or the security community at large?

It's also interesting to meet others who are responsible for similar constituents to discuss what each team does, the challenges they encounter and how they overcome those challenges where possible. I was approached by different companies who recognised the Janet name and wanted to discuss how we use certain tools and our information sharing practices. It's these interactions that can prove very beneficial and often only occur at industry conferences such as FIRST.

The 2015 annual conference is in Berlin from 14-19 June and I would urge those who have found my post informative to look in to attending. There are other technical conferences such as Blackhat and BSides which are useful, but very few branch out in to incident response and other topics that we deal with on a day-to-day basis like FIRST does. For more information on FIRST, please go to www.first.org.