FIRST annual conference 2019

As Hacknowledge is a member of the FIRST community, between the 16th and 21st of June I had the pleasure of taking part in the Annual FIRST Conference. The event was a very interesting experience from both a technical and a networking perspective.

The content of the talks and workshops was very diverse, covering topics from the methodologies, techniques and tools used by CSIRT and PSIRT teams, through research in the cybersecurity and networking fields, to discussions of how to communicate efficiently in a CSIRT team.

Security of IoT devices

smart == insecure?

The topic that was underlined repeatedly during the conference was the security of IoT devices. There were three keynote speeches on that topic, and all of them reached a similar conclusion: it is still one of the biggest challenges, from both a technical and a legal perspective.

Two technical talks (one of them here) presented countless examples of IoT gadgets that usually improve our lives a tiny bit while often introducing serious vulnerabilities into our networks. They also showed that the safety measures provided by IoT, like child or car trackers, in the end made the people and things we wanted to protect more vulnerable and actually exposed to potential attackers.

The most important conclusion of the talks took the form of advice: be critical when choosing IoT devices, check the source of the hardware carefully, and assess whether those devices are worth the risk of introducing vulnerabilities into our lives. In addition, it was pointed out that the increased usage of IoT devices should be accompanied by education of people of all backgrounds.

The last point was also supported by a less technical keynote talk. Here, however, the speaker tried to shift responsibility from users towards governments and vendors. To support that shift, IoT devices were compared to other everyday products like food, where the government ensures that those products will not harm a potential buyer. For the time being, most governments do not mandate any level of security, but advise and encourage it by introducing labelling and certifications. The last aspect mentioned by the speaker was liability, which is still not well defined in the world of IoT/smart devices.

Abusing networking protocols

One extremely interesting talk presented the evolution of using and detecting BGP hijacking for spam distribution. However, due to the confidentiality policy, I am not allowed to share the content with a public audience.

On the other hand, there is an interesting exchange of emails at NANOG which illustrates the current status of BGP hijacking.

The other very interesting presentation concerned the DNS protocol. The speaker presented the whole history of the protocol, from pre-DNS times when hosts.txt was used up to now, with the extended features of DNS. Those extended features were also the focus of the talk. Bringing DNS into the era of Reverse DNS and resolving names based on location to shorten paths also brought a downside: monitoring and selling data to the advertising industry.

In order to mitigate that side effect, there has been work on encrypting DNS traffic that led to solutions such as DNSCrypt, DNS over TLS (DoT) and DNS over HTTPS (DoH). The first solution was not broadly adopted, but the other two are currently being deployed. DoT provides a new transport protocol for DNS and uses port 853 instead of 53. However, it can easily be blocked by Internet providers. On the other hand, DoH, while also providing a new transport protocol, uses port 443, which cannot be blocked as easily by ISPs without impacting other traffic. The downside is that while it provides little increase in privacy (by monitoring the connection initiated after the request, it is not difficult to tell what the query was about), it introduces obstacles for security services like parental control or monitoring by security teams. So, it may force widespread interception of HTTPS, causing in the end a decrease in privacy instead of an increase.

The full presentation can be found here.
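As an added example (not from the talk or the original post), the script below classifies constructed flow records by the transports described above: plain DNS on port 53, DoT on port 853, and DoH on 443, which is only recognisable with a list of resolver names (a constructed list here). It also illustrates the caveat about the connection initiated after the query: what a monitoring team still sees after a DoH flow.

```python
from collections import Counter

# Constructed sample flow records (not real traffic): "time src dst dport proto sni".
# sni is "-" when there is no TLS handshake or the server name was not observed.
FLOWS = """\
1.0 10.0.0.5 10.0.0.1 53 udp -
1.2 10.0.0.5 192.0.2.10 443 tcp shop.example
2.0 10.0.0.5 198.51.100.2 853 tcp dot.resolver.example
2.3 10.0.0.5 192.0.2.20 443 tcp news.example
3.0 10.0.0.5 203.0.113.7 443 tcp doh.resolver.example
3.4 10.0.0.5 192.0.2.30 443 tcp mail.example
4.0 10.0.0.6 203.0.113.7 443 tcp doh.resolver.example
"""

# Constructed list of server names the monitoring team knows to be DoH endpoints.
# Without such a list, DoH is indistinguishable from ordinary HTTPS on port 443.
KNOWN_DOH_SNI = {"doh.resolver.example"}

def parse(text):
    """Turn the whitespace-separated records into (time, src, dst, dport, proto, sni) tuples."""
    flows = []
    for line in text.splitlines():
        t, src, dst, dport, proto, sni = line.split()
        flows.append((float(t), src, dst, int(dport), proto, sni))
    return flows

def classify(flow):
    """Label a flow as dns, dot, doh or other. DoT is obvious from port 853;
    DoH is only detectable by matching the SNI against the known resolver list."""
    _, _, _, dport, proto, sni = flow
    if dport == 53:
        return "dns"
    if dport == 853 and proto == "tcp":
        return "dot"
    if dport == 443 and sni in KNOWN_DOH_SNI:
        return "doh"
    return "other"

def summarize(flows):
    """Count flows per category, e.g. to see how much resolution bypasses the local resolver."""
    return Counter(classify(f) for f in flows)

def next_connection_after_doh(flows, window=1.0):
    """For each DoH flow, return (host, sni) of the next ordinary connection from the same
    host within `window` seconds: the query itself is encrypted, but the destination it led
    to is still visible to anyone observing the network."""
    pairs = []
    for i, f in enumerate(flows):
        if classify(f) != "doh":
            continue
        for g in flows[i + 1:]:
            if g[1] == f[1] and classify(g) == "other" and g[0] - f[0] <= window:
                pairs.append((f[1], g[5]))
                break
    return pairs
```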

Communicating efficiently in CSIRT team

Although most of the effort of security teams is focused on technical aspects, tools and skills, efficient communication is also critical for handling incidents. That topic was brought up by one of the presentations, which provided useful, real-life advice.

One of the most important points of the talk concerned phrasing the message. It was pointed out that when information is missing, people have a tendency to fill in the gaps, and an AD outage note without a sufficient level of detail may be turned by gossip into an announcement of a successful attack and company compromise. Such fake information may harm the company, so it is important to provide all necessary details to avoid such gossip.

In addition, it is important to keep the people working on the incident response informed of the reasons for certain actions. It was pointed out by the speaker that people get stressed if they do not know the motivation behind the tasks they are assigned.

On the other hand, it is essential to remember the principle that only necessary details should be shared and that the distributed message should be tailored to suit the audience, even internally (e.g. management vs engineers).

Another useful tip was to take time when communicating, even when facing a serious incident. It was pointed out that an extra few minutes spent reviewing an urgent message usually costs much less than fixing the damage caused by sending a rushed one.

To ensure there is time for communication and for driving the incident response in general, the speaker advised leaders to delegate as many tasks as they can, to avoid becoming a bottleneck for the whole process.

Last but not least, the talk touched upon the preparation phase: having OPSEC rules and a clear division of roles between people and teams in place, in order to avoid chaos in the face of a serious incident.

Conclusions

I consider the conference to have been a great experience. I attended more talks than mentioned above, but some of the content was confidential and dedicated only to members of the community.

Due to several parallel tracks (3 tracks of talks and 2 tracks of workshops), it was unfortunately impossible to see all the interesting presentations.

The event was a great networking hub, gathering almost 1100 security professionals (a record number of participants) from around the world, building together the great community that FIRST is.

The program of the conference, with some of the publicly available presentations, can be found here.
