Borderless Cooperation, Seamless Action
- Towards a Cleaner, Greener Cyber Space -
24-27 October 2016
Royal Park Hotel, Tokyo, Japan


24 - 26 October 2016: Closed sessions for APCERT members and invited guests
 Closed session materials for APCERT members and invited guests
27 October 2016: Open Conference for general public (Pre-registration required)
 Open Conference materials for all participants
*Please note that the program is still in development and is subject to change.

Closed sessions

Monday, 24 October 2016 Event Venue: Royal Park Hotel
8:00 Registration Open
9:00 – 12:00 Working Group Meetings Harumi B (2F)
12:15 – 17:30 Lunch and APCERT Team Building
18:00 – 20:00 Welcome Cocktail Shinonome (2F)
Tuesday, 25 October 2016 Event Venue: Royal Park Hotel
8:30 Registration Open
9:00 – 11:00 TSUBAME Workshop
(by Invitation only)
Harumi B (2F)
11:15 – 13:15 CyberGreen Workshop Harumi B (2F)
13:15 – 14:30 Lunch Shinonome (2F)
14:30 – 17:00 Steering Committee Meeting Harumi B (2F)
Wednesday, 26 October 2016 Event Venue: Royal Park Hotel
8:30 Registration Open
9:00 – 12:10 Closed Conference Harumi B (2F)
12:10 – 13:30 Lunch Ruri (4F)
13:30 – 17:30 Annual General Meeting Harumi (2F)
19:00 – 21:00 Gala Dinner Shinonome (2F)

APCERT Open Conference

Thursday, 27 October 2016 Open Conference Venue: Harumi (2F), Royal Park Hotel
Time Session Speakers
9:00 Registration Open
9:30 – 9:40 APCERT Chair Welcome Remarks APCERT Chair
9:40 – 9:45 Opening Speech 1 National center of Incident readiness and Strategy for Cyber Security (NISC)
9:45 – 9:50 Opening Speech 2 Ministry of Economy, Trade and Industry (METI)
9:50 – 10:20 IoT Threat and IoT Botnet Kai Chi Chang (TWNCERT)
10:20 – 10:50 Protecting CNII against Malware Threats: A Coherent Response through Cooperation Amongst OIC Countries Noraini Abdul Rahman (MyCERT)
10:50 – 11:05 Morning Break
11:05 – 11:20 Sponsor speech:
CSIRT as a part of Risk Management:
Haruhito Kitano
(Deloitte Tohmatsu Risk Services Co., Ltd.)
11:20 – 11:50 APT Campaign Targets Japanese Critical Infrastructure Yoshihiro Ishikawa (LAC)
11:50 – 13:30 Lunch (APCERT Members, Invited Guests and Sponsors only) Ruri (4F)
13:30 – 14:00 Ransomware Tracking and AP Region Footprint Arnold S Yoon (SecureWorks)
14:00 – 14:30 Who’s That Knocking on My Back Door: A Jboss Case Ryan Pentney David Liebenberg (CISCO)
14:30 – 14:45 Sponsor speech:
Cybersecurity Trends - How to strengthen your cyber capabilities -
Naoshi Matsushita
(NRI SecureTechnologies, Ltd.)
14:45 – 15:15 Sophisticated Financial Fraud Malware (Mobile) in Korea Inseung Yang (KrCERT/CC)
15:15 – 15:30 Afternoon Break
15:30 – 15:50 Collaborative Research for Development of CSIRTs in Vietnam Nguyen Trong Duong (VNCERT)
15:50 – 16:10 Best Practices and Common Missteps in Responding to Major Incidents Christopher Butera (US-CERT)
16:10 – 16:30 Engaging the ISPs in Effective National Network Abuse Handling Juha Haaga (Synopsys)
16:30 – 16:50 Panel Discussion Moderator: Koichiro Komiyama (JPCERT/CC)
16:50 – 17:00 Wrap up & Closing Kazumasa Utashiro (JPCERT/CC)

Speaker Information and Presentation Abstract

Kai Chi Chang
Section Head, Network Security Data, Taiwan National Computer Emergency Response Team (TWNCERT)

K.C. is the Section Head of Network Security Data at TWNCERT, he leads team to research NIDS, Honeynet and tracing Botnet technology. His job is to combat Botnet spread and wants to shorten the time of the hackers control bots. And also to develop honeypots and sandbox to collect and analyze more cyber threat.

As we know, we are already facing IoT threat and under IoT attacks. However, there are only a few discussions on, how to analyze this kind of cyber threat and malwares. There are 2 phase introduction and real case in this talk.

Introduction phase, will introduce IoT threat which captured by TWNCERT Honeynet. According to that. could proof, we are under IoT attack. And I will introduce how to analyze and trace IoT botnet. Even malware which has different kind of CPU architecture.

Real case phase, will introduce a real IoT botnet trace case in Taiwan. Until now, we found that at least 71,148 IP have been compromised. Some of them are IoT devices (DVR, Web Camera, Router WiFi Disk, Set-top box) and others are ICS devices (Heat pump and ICS data acquisition server) in the world. Those result are based on our analysis and detection technology.

TWNCERT can discover some IoT threat in an early stage. This could help IT manager or security experts to analysis and determine IDS rules. We hope this research can prevent IoT threat and enhance IoT Security in the near future.

Protecting CNII against Malware Threats: A Coherent Response through Cooperation Amongst OIC Countries
Noraini Abdul Rahman
Head of International Engagement Department, International & Government Engagement Division, CyberSecurity Malaysia (MyCERT)

Noraini is currently the Head of the International Engagement Department of CyberSecurity Malaysia, an agency under the Ministry of Science, Technology & Innovation of Malaysia. She is responsible to plan and administer strategic alliances and engagement with foreign entities especially with regards to the APCERT and OIC-CERT collaboration. She is also leading some international collaborative initiatives such as the OIC-CERT Malware Research and Coordination Center.

Noraini has been with CyberSecurity Malaysia since June 2008 and has a Master of Science in Information Management System from the Mara University of Technology and Bachelor of Science in Electrical Engineering from University of South Alabama, Mobile, USA.

In a threat landscape that evolves rapidly and unpredictably, we recognize that many organizations need to protect their entire ICT environment against both external and internal threats. Cyber criminals use various approaches to compromise their targets such as through sophisticated mix of phishing, social engineering and malware, to name a few.

Critical National Information Infrastructure (CNII) is crucial for a nation because the disruption of systems and communication networks could significantly affect the nation’s economic, political, strategic and socio-economic activities. Successful cyber attacks on CNII organizations can have serious and cascading effects on others, resulting in potentially catastrophic damage and disruption. For many organizations, CSIRT/CERT is responsible to respond to cyber security incidents in order to minimize the effects of cyber attacks.

In view of this, CSIRTs/CERTs around the world should collaborate in responding to incidents in a timely and coherent manner. One possible approach is having a collaborative initiative in malware research. CyberSecurity Malaysia has introduced the Malware Research and Coordination Facility initiative as a collaborative effort amongst the Organization of Islamic Cooperation (OIC) member countries in mitigating malware threats.

In this paper, a case study on collaborative malware research initiative amongst the OIC member countries will be presented. The case study presented in this paper highlight an overview of malware threat landscape for participating OIC members countries based on primary data and specific malware threat analysis from the Malware Research and Coordination Facility project.

Such analysis provides early detection of malware; whereby appropriate measures can be taken by the CNII organizations to react against malware threats. In addition, the trend landscape report will be produced, which provides useful information to the relevant stakeholders in protecting their economies against the detrimental effect of malware intrusion and attacks.

APT Campaign targets Japanese Critical Infrastructure
Yoshihiro Ishikawa
Researcher, IT Professional, LAC

Having worked at LAC for 11 yrs, Mr. Ishikawa is now one of the top leading cyber security experts who specialises in malware analysis and threat analysis.

<Work History>
2005/4 – (LAC)
- Penetration Testing for Web Apps.
- Vulnerability Research and Vulnerability Information Sharing
- Network Forensics
- Malware Analysis, Threat Analyst ( current )

- Research Report on Advanced Persistent Threats in Japan
publications assistant in December 2014
- Member of Nippon CSIRT Team JSOC

APT Malware called "Daserf" has targeted to Japanese critical infrastructure since early this year and it's continuing.
Based on our research, this presentation describes and advocates the followings;
- Characteristics of Daserf
- Special features of Daserf
- Impact
- How it has damaged to Japanese critical infrastructure
- ASEAN environment
As a conclusion, it stress out the "Importance of Information Sharing among trusted people", namely ASEAN members.

Ransomware tracking and AP region footprint
Arnold S Yoon
Information Security Research Consultant, Counter Threat Unit (CTU), SecureWorks

Arnold S. Yoon is a senior researcher of Counter Threat Unit, SecureWorks. Mr. Yoon is responsible for researching and providing actionable intelligence on major security breaches and security threats that each industrial sector or organization is targeted. By providing intelligence on security threats, the deliverable assists on identifying security threats, vulnerability and incident response activity of the possibly impacted organizations. Mr. Yoon is involved in many international organizations throughout his career that helps to coordinate with local and international partners in the industry. He is especially focusing on developing an intelligence network in Asia Pacific region to expand the current focus of his organization.

Before joining the current position, Mr. Yoon mostly served in public sector, which is based in both S. Korea and U.S.A. that helps to bridge and coordinate various approaches and efforts in the regions. Mr. Yoon had served as a Security Officer in S. Korean Navy, Ministry of National Defense, and a Coordination Manager of KrCERT/CC, KISC, Korea Information Security Agency. He also had been a member of technical staff of CERT Coordination Center, SEI, Carnegie Mellon University for supporting the international coordination program in Department of Homeland Security and a Cyber Security Operations team lead for NETL, U.S. Department of Energy.

SecureWorks has been tracking ransomware activities and multiple variants. The presentation will talk about the ransomware malicious activity in common but also differentiate the features for understand the trend on how it evolved.

Another aspect of the presentation is understanding the timeline of ransomware activity in geographical perspective. The timeline analysis will help the audience to understand not only the trend of adversaries' approach but also the importance of coordination and information sharing.

The presentation will also demonstrate how the shared indicators can help security teams to defend against the commodity threat - ransomware.

Who's That Knocking on My Back Door: A JBoss Case Study
Ryan Pentney and David Liebenberg
Research Engineers, Talos, Cisco

David M. Liebenberg is the principal China analyst for Cisco Talos. His research interests include DDoS as a service in China, Chinese hacker forums and chat rooms, as well as PRC military reform.

Before joining Cisco, David worked as a research analyst at CNA, a federally funded research center in the Washington DC area. He conducted detailed research on politics, international relations, and defense in East Asia, using Mandarin-language sources, and produced written analysis for U.S. government clients. Before that, he worked at the Council on Foreign Relations in the Asia Studies department, where he wrote comprehensive economic, political, and security analyses on China and translated Mandarin articles, essays, microblogs, press releases etc.

David holds an M.A. in East Asian studies from Columbia University and a B.A. in international studies from Kenyon College. He has also studied Mandarin Chinese at the Middlebury Summer Language Program, the CET Chinese language program at Zhejiang Technical University, and the Inter-University Program at Tsinghua University.

"Ryan Pentney is the technical lead for Cisco Talos's hunting team, a self-contained threat discovery, analysis, response, and reporting body that works to investigate and identify threat actor campaigns and generate actionable intelligence. He specializes in malware analysis, reverse engineering and attack research.

He has been a security researcher with Cisco Talos for nearly eight years. His cumulative contributions have included authoring detection content for Snort IDS and Clam AV, developing for the Clam AV and Razorback open-source projects, and working on the vulnerability development team, where he was responsible for 0-day and binary patch diff analysis, crash triage, and various reverse engineering efforts."

This presentation will cover how Cisco Talos addressed the widespread exploitation of several vulnerabilities in the JBoss application server. JBoss had vulnerabilities discovered in 2007 that allowed attackers to bypass authentication and gain administrative access via direct requests. Not long ago, a tool called jexboss was released which scans for and exploits vulnerable JBoss servers. Shortly thereafter, we observed a spike in compromised servers infected with ransomware called SamSam. Attackers appeared to be using jexboss to gain a foothold in vulnerable networks. While investigating Samsam ransomware, Talos learned about a delay in the time between a server was compromised and the encryption phase of the ransomware. We then developed a tool to conduct an internet-wide scan to identify compromised JBoss servers. This provided insight into the nature and scale of the JBoss threat as well as the tools and techniques employed by the threat actor throughout various stages of the attack.

This presentation will use JBoss as one example of the way in which a threat intelligence organization can respond to these types of threats. We will outline the anatomy of the attack, with a focus on insertion mechanism and lateral movement. In addition, we will review our approaches to intelligence gathering, scanning, detection, and response.

Sophisticated Financial Fraud Malware (Mobile) in Korea
Inseung Yang
Deputy General Researcher, Analysis Team, KrCERT/CC, KISA

Analysis Team at KrCERT/CC, KISA (6 years)
Mobile malware analyst

Lately, I have spoken at 2015 FIRST Conference in Berlin
- Recent Trends of Android Malicious Apps: Detection And Incident Response in South Korea

According to Kaspersky's report, The volume of new mobile malware targeting users of android devices tripled in last year.
In Korea, in particular, hackers have distributed sophisticated and complexity financial fraud malware through various distribution means, such as SMS phishing, compromised web server.

This presentation will describe recent case study and compare to specific similarities between financial fraud mobile malware and pc malware Pharming through same compromised web server. We focus on various protection techniques for obstructing analysis of malware such as obfuscation, packing, anti-debugging. We also find out that bad guys could easily change new command and control (C2) servers via SMS, blog sites.

We will discuss the activities of KrCERT/CC in response to these sophisticated financial fraud malware.

Collaborative research for development of CSIRTs in Vietnam
Nguyen Trong Duong
Director General, VNCERT, Ministry of Information and Communications

Mr. Nguyen Trong Duong is the Director General of Vietnam Computer Emergency Response Team (VNCERT) of Ministry of Information and Communications of Vietnam (MIC). He is also the Deputy Chief of the Office of the National Steering Committee of Information and Communications (NSC-ICT), Government of Vietnam.
VNCERT is a Government’s agency who has its main functions to coordinate all information security organizations to response to cyber security incidents in the whole Vietnam; to monitor network; to release watch and warning alerts to community; to play main role in government network system protection in Vietnam. VNCERT also provide big contribution in regulating and making policies, strategies, master plans, projects to promote the use and development of information security in Vietnam. VNCERT is the contact point of Vietnam in cybersecurity international cooperation. As the leader of VNCERT, Mr. Duong has been leading a network of incident response teams to protect the most critical information systems in Vietnam.
Mr. Duong graduated in Hanoi, Vietnam as an Engineer in Signals Control; Received Graduate Diploma in Communication Systems in Melbourne, Australia; Achieved Master of Engineering Science in Telecommunication Engineering also in Melbourne, Australia.
Mr Duong joins Ministry of Post and Telematics (former name of Ministry of Information and Communications of Vietnam) as a policy maker in the Department of IT Industry since 2003. His former job is in FPT Corporation, the biggest Vietnam ICT Corporation, as the Manager of the Government Projects (2000-2003). Before that he worked in a Member Company of the General Corporation of Electronic and Information Technology of Vietnam, as an Electronic Design Engineer (1991-1994); Manager of the Electronic Factory (1994-1996); Director of Technical and Productivity Department (1995-1999).

As Vietnamese economy develops rapidly, fast-growing private companies in Vietnam face threats from cyber-attacks such as DDOS attack and falsification of websites. Once these companies suffered from security incidents, they cause an enormous impact on national security and economy in Vietnam.
In Vietnam, building CSIRT is unfamiliar to private companies, and these companies have to respond by all themselves to the incidents when cyber security incidents occur. As cyber-attacks are rapidly developed, collaborative action by various companies and government is required in order to prevent and protect to the attacks. Especially the protection of government institutions and critical infrastructures such as communications companies is an urgent issue in Vietnam.
Efficient and effective establishment of CSIRTs in private companies requires appropriate tools and support from experienced professionals.

Financially supported by APT grant, VNCERT started promotion activities to raise awareness of needs for building CSIRTs in Vietnamese private companies with support from Japanese leading institutions and companies in cyber-security (JPCERT/CC, NCA, NTT-CERT and NTT EAST-CIRT).

This research project has three phases.

Phase 1: Sharing the experiences and knowledge with Japanese experts

We have in-depth discussions with Japanese professionals such as JPCERT/CC. One-month training at NTT-CERT provides us substantial experience in a leading CSIRT in Japan and show us how it works.

Phase 2: Localizing Japanese “CSIRTs starter kit” in Vietnam

By interviewing with major Vietnamese company, we translate and upgrade “CSIRTs starter kit” to fit their needs.

Phase 3: Introducing Vietnamese “CSIRTs starter kit” to Vietnamese private companies

We introduce Vietnamese “CSIRTs starter kit” at the presentation meeting for Vietnamese private companies to understand needs to build their own CSIRTs.

In this presentation we would like to introduce the activities and results of the project in each phase.

Best Practices and Common Missteps in Responding to Major Incidents
Christopher Butera
Chief of Incident Response, United States Computer Emergency Readiness Team (US-CERT)

Mr. Christopher Butera serves as Chief of Incident Response for US-CERT. In this role, he has led response efforts to many large-scale data breaches in
both the private sector and federal government, several of which you may have read about in the news. His focus is on discovering and analyzing new forensic
artifacts and finding new security controls to prevent APT intrusions and create or enhance opportunities for early detection and containment.
Mr. Butera is a graduate of the University of Notre Dame and has a Master of Science Degree in Computer Science from the University of Chicago. He holds CISSP, GSEC, and GCED certifications.

Responding to over a dozen major incidents every year, US-CERT has observed significant similarities in breaches and intrusions across a range of different institutions. US-CERT also provides a comprehensive set of services as part of our incident response activities, leading to enhanced understanding of how breaches occur, what can be done to minimize the impact, and what works (and what doesn't) in crisis communications. Several of our incident response engagements have taken over two months to close out, providing a wealth of experience to share with the CSIRT community as we deal with ever more frequent and severe intrusions into our constituent and customer networks.
This presentation will discuss incident response trends from US-CERT's perspective as well as best practices prior to, during, and after response to major incidents.
Common missteps, lessons learned and our top five preventative measures for organizations to take will also be described in detail, with a focus on recent experiences dealing with Bulk PII compromises.

Engaging the ISPs in effective national network abuse handling
Juha Haaga
Product Manager, Software Integrity Group, Synopsys

Juha Haaga is currently a Product Manager for Synopsys SIG, responsible for the threat intelligence platform unit. He has spent the last five years exploring different methods of helping national CSIRT teams to deal with the deluge of network abuse information that they must handle on the daily basis. With a background in software engineering, he’s currently interested in how to raise the capability level of emerging and established CSIRTs most efficiently, and how to engage the ISPs in managing national scale network abuse.

The long-term effectiveness of a CSIRT operating on a national level is, to a large extent, determined by the team's ability to increase the responsiveness of Internet Service Providers (ISPs) within its constituency.

The dependency is in part due to the ISPs role as the primary source for public connectivity. While national CSIRTs recognise ISPs as being key stakeholders, finding viable methods to increase their responsiveness to information provided by CSIRTs has proven elusive.

From the perspective of CSIRTs, it may seem like the ISPs do not have strong motivators to react on the information provided. However, we have identified several applicable motivators that they may not have considered. Likewise, for the ISPs, they may not have the necessary infrastructure nor processes to react to the information at the volumes that a modern CSIRT can throw at them. Being overwhelmed leads to the ISP ignoring most of what is provided for them.

In this talk, we will examine this challenge from the perspectives of both the national CSIRT and the ISP, based on practical experiences from several different countries, and examine some of the both failed and successful approaches.