I’m just back from the 2018 edition of the FIRST TC (“Technical Colloquium”) organized in Amsterdam. This was the second edition for me. The format was the same: one day of workshops and two days of regular presentations. And always 100% free! During the quick introduction, Jeff Bollinger from Cisco, which hosted the event, gave some numbers about this edition: 28 countries represented, 91 organizations (mainly CERTs, SOCs, etc.) and 31 FIRST teams amongst them, 3 trainers, 14 speakers and 6 sponsors. Here is my quick review of the talks that I followed. Some of them were flagged as TLP:RED.
Alan Neville (Symantec) presented “The (makes me) Wannacry investigation”. He reviewed the infection which started in May 2017 but also explained that Symantec had already identified previous versions of the malware in February. Of course, Alan also covered the story of the famous kill-switch and gave good advice: create a sinkhole in your organization, set up a web server and capture all the traffic sent to it. You could detect interesting stuff!
Mathias Seitz (Switch) presented an updated version of his talk about DNS firewalling (“DNS RPZ intro and examples”). He re-explained how it works and why a DNS firewall can be a great security control that is not difficult to put in place. Don’t forget that you must have procedures and processes in place to support your users and handle the (always possible) false positives. FYI, here is a list of DNS RPZ providers active in 2018:
- Farsight Security
And organizations providing DFaaS (“DNS Firewall as a Service“) if you don’t run a resolver:
- Akamai AnswerX
- Cisco OpenDNS Umbrella
- Comodo Secure DNS
- Neustar Recursive DNS
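To make the RPZ mechanism concrete, here is an added example (my own, not from Mathias’ slides) of a minimal BIND 9 setup: a whitelist zone evaluated first, a policy zone with the three classic actions (NXDOMAIN, redirect to an internal sinkhole web server, drop) and logging of every rewrite. The file paths, domain names and the sinkhole address 10.0.0.250 are constructed for the example.

```conf
// --- named.conf (constructed example; adapt paths and addresses) ---
options {
    // Zones are evaluated in order: the whitelist comes first so that a
    // passthru rule there wins over any block rule in the main policy zone.
    response-policy {
        zone "rpz.whitelist";
        zone "rpz.local";
    };
};
zone "rpz.whitelist" { type master; file "/etc/bind/db.rpz.whitelist"; allow-query { none; }; };
zone "rpz.local"     { type master; file "/etc/bind/db.rpz.local";     allow-query { none; }; };

// Log every rewrite: this is the feed for the SOC and for the false-positive process.
logging {
    channel rpz_log { file "/var/log/named/rpz.log" versions 3 size 20m;
                      print-time yes; severity info; };
    category rpz { rpz_log; };
};

; --- /etc/bind/db.rpz.local (policy zone, constructed example) ---
$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 2018041801 3600 900 604800 300 )
@   IN NS  localhost.
; NXDOMAIN: the client is told the name does not exist
bad.example.com       CNAME .
*.bad.example.com     CNAME .
; Local data: send a C2 name (and its subdomains) to the internal sinkhole
; web server, which records every request the infected host still makes
c2.example.net        A     10.0.0.250
*.c2.example.net      A     10.0.0.250
; Drop: the resolver sends no answer at all
*.dropped.example     CNAME rpz-drop.

; --- /etc/bind/db.rpz.whitelist (checked first, constructed example) ---
$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 2018041801 3600 900 604800 300 )
@   IN NS  localhost.
; passthru: resolve normally even though *.bad.example.com is blocked above
cdn.bad.example.com   CNAME rpz-passthru.
```

Each rewrite lands in rpz.log with the client address and the matching rule, which is what you need both to raise an alert on the infected host and to justify adding a passthru entry when a user reports a false positive.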
Krassimir Tzvetanov (Fastly) presented “Investigator Opsec”. For me, it was one of the best presentations of this edition. Krassimir explained the mistakes that we all make when performing investigations or threat hunting. Those mistakes can help the attackers detect that they are being tracked or, worse, disclose some details about you! For example, the first advice was to not block the attacker too quickly because you teach them how to improve! Sandboxes must be hardened, and tools must be properly configured and used. Example: data enrichment may resolve domain names or contact IP addresses without your prior consent! Do we have to say something about services like VirusTotal? It was very constructive and opened my eyes… Yes, I’m making a lot of mistakes too!
Melanie Rieback (Radically Open Security) presented “Pentesting ChatOps”. Also a very interesting talk, where Melanie explained how she started a business based on freelancers and fully “virtual”. There is no physical office and all the communications between consultants, and also with customers, are performed through chat rooms! Event logs are sent to chat rooms too.
Abhishta (University of Twente) presented “Economic impact of DDoS attacks: How can we measure it?”. It started with a description of the DDoS business. It is very profitable, even more so with the huge number of vulnerable IoT devices that are easy to compromise. In 75% of cases, the cost of building a DDoS infrastructure is ~1% of the revenue! What’s the main impact of DDoS? Reputation! But it can quickly turn into money loss. Why? As a DDoS victim, the organization gets negative coverage in the media, demand for its stock decreases and then the stock price falls! Abhishta also explained how they use Google Alerts to get news about companies and correlate it with the DDoS reports.
(Cisco – Talos) presented “It’s a Trap”. He explained how spammers work today and how campaigns are organized. Then, he explained how to build an effective spam trap (tip: the choice of the domain names is critical to get as much spam as possible).
The last presentation for me was an update of a previous one by Tom Ueltschi (Swiss Post): “Advanced Incident Detection and Threat hunting with Sysmon & Splunk”. Tom explained again how he successfully deployed Sysmon with Splunk on all endpoints in his company and how he is able to detect a lot of malicious activity thanks to the power of Splunk.
The audience was mainly made up of incident handlers, so it was a good opportunity for me to extend my network and make new friends as well as discuss new projects and crazy ideas 😉