Saturday, August 29, 2009

5th Annual GFIRST Conference Atlanta 8/23/09-8/28/09

I was very fortunate enough to attend the GFIRST conference here in Atlanta. My manager allowed me to attend for most of the week. I was really only able to go because it was local and it did not cost much to attend. The previous four GFIRST conferences were held in Orlando, but this year, it was in downtown Atlanta at the Omni Hotel which is next to the CNN Center. Most of the attendees either worked in the federal government in some capacity or for the vendors which sell products to the government and private sector. I had the pleasure of meeting some very interesting federal employees as well as those who work for large companies such as IBM ISS, McAfee, Symantec, and others.


TRAC Class

On Sunday and Monday (8/23-8/24) I took a class called TRAC to learn how to use IDS tools such as Wireshark, Splunk and SNORT. It was an Incident Response initiative. I had already known how to use SNORT, but was quite rusty. Our class was divided up into teams to compete in scenarios. A hypothetical situation is that you are in charge of solving the problem of a small business network that you are assigned to "fix". You have to figure out what is wrong with the small network. TRAC was taught by some fine, qualified individuals from Carnegie Mellon's CERT team. In particular, I enjoyed talking to Rob Floodeen, a very knowledgeable member of the CERT team. I met other great people as well, both on my team and elsewhere in the class. The first day was pretty comfortable for me, but the second day was much more challenging in reading the logs. CERT had VMware machines set up for these exercises; we would remote into them to diagnose the problems.

Tuesday through Friday at GFIRST, there were presentations by Federal Government representatives and private sector. I sought out the technical presentations, particularly on botnets and spam. Unfortunately due to work obligations, I could not attend all the presentations that I wanted to hear.

Highlights of Presentations
I made a few notes of highlights about each of the presentations I attended and will post them here as time permits (almost 90% done as of 8/29/09).

Tuesday 8/25/09


On Tuesday, I was able to stay most of the time and talk to some interesting people. Seth Geftic of RSA presented "Intelligence Report from the Online Criminal Underground: Latest Threats & Challenges".
This speech was geared toward the general audience, but mentioned some great highlights of recent cybercrime cases, such as the McColo shutdown of late 2008.

I attended some "CHIPS" presentations only in part due to time constraints. CHIPS basically covers cybercriminal prosecutions and legal cases involving the US Justice Department and FBI. The highlight was Howard Cox, who I have seen speak before. Mr. Cox, Assistant Deputy Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the US Department of Justice, is a dynamic speaker and makes legal cases very interesting. Mr. Cox highlighted some recent legal cases involving computer hard-drive searches and benchmark federal lawsuits relating to cyber-criminality. One thing I noticed about Mr. Cox, as a personal observation, is that those who work with him really seem to like him a lot.

I also went to a presentation by Phillip Porras of SRI International, "Botnet Hunter". Mr. Porras runs the website bothunter.net, and it is a treasure trove of information about botnets. I was only vaguely familiar with it before. Also, a similar website to mention is Shadowserver, which also tracks botnets. Shadowserver, in particular, was mentioned in passing on at least a few occasions. These guys really do great work behind the scenes and work closely with law enforcement for tracking purposes and the eventual capture of some of the criminals who are behind the very sophisticated botnets.


Wednesday 8/25/09

On Wednesday, August 25th, I enjoyed MANDIANT's Wendi Rafferty's presentation on "The State of the Hack - Combating the Advanced Persistent Threat". She covered some very relevant information; however, I missed part of this presentation due to time constraints to get some work done.

I also caught only part of CERT's Will Dormann's presentation on "ActiveX Vulnerability Mitigation with Dranzer". This was a very technical presentation about ActiveX vulnerabilities in web applications, in particular when using Internet Explorer. This definitely satisfied the geek side of me (learning more detail about malware code and registry edits).


Thursday 8/26/09

Unfortunately, Thursday, 8/26, was the last day I attended GFIRST, and I was only able to attend a few presentations, and those only in part. There were some great presentations I missed out on; maybe some other attendee can comment on my blog or let me know how some of the others I did not attend or mention here were.

I managed to catch most of Ashar Aziz of FireEye's presentation, "Examining the Nexus of Cyber Crime, Cyber Warfare and Stealth Malware", which was pretty technical in general, which I of course enjoyed. Mr. Aziz talked about various malware, and in particular he mentioned Zbot. Zbot was the most interesting mention regarding botnet activity. I then had to leave close to the end of his presentation.

Overall, I enjoyed the presentations. To get another view of the recent GFIRST conference, Andy Willingham, an infosec specialist in Atlanta, wrote about his view of the GFIRST conference in these recent blog entries. Andy noted that there was an apparent theme of FUD found throughout the conference. I also got to meet up with local infosec guru Martin Fisher, who is very fun to follow on Twitter as @armorguy. Martin was able to get a few of us who "twitter" at #GFIRST to meet on Tuesday. It was a great opportunity to network and meet some very interesting people, particularly the local infosec group we have in Atlanta.

I would also like to thank a few vendors who gave me nice amounts of swag as the booths were being closed down. A complete list of vendors that participated is here. A few mentions: IBM ISS, McAfee, Verisign, and ForeScout. ForeScout gave me generous helpings of reusable "green" friendly bags, thanks, guys!