The Twelfth Forum of Incident Response and Security Teams

June 25-30, 2000 Chicago, USA 

Review by Cristina Serban, AT&T Labs


The 12th FIRST (Forum of Incident Response and Security Teams) International Conference was held June 25-30 in Chicago, IL. [If you are not familiar with FIRST, it is the international organization of CERTs, or Computer Emergency Response Teams, including teams from literally all over the world, representing universities, industry, defense organizations or even whole countries. A lot more info at if you are interested.] 

The 2000 conference had two full days of tutorials, followed by three days of paper and panel presentations, with the FIRST annual general meeting in between. Among tutorials, we had "Internet Cryptography" by Bruce Schneier and "Intrusion Detection and Network Forensics" by Marcus Ranum - both high-level overviews of the respective fields, along with "Firewalls: What am I seeing?" by NetworkICE's Robert Graham for the technical-detail minded participants. [I believe some of the information presented in the latter is still available from if you are into firewalls or sniffing business.] 

The conference had keynote addresses from Bruce Schneier, Joseph D'Angelo (Citigroup), and Scott Charney (formerly DoJ, now PricewaterhouseCoopers). Consensus: Risk management, not threat avoidance; What is secure today won't be tomorrow; Theft of info, DoS and extortion are growing significantly. Another important change noted is in staff composition: Current staff has many consultants and temps with the *same* access as full-time employees; Former staff do not have all access rights removed when they leave. These, coupled with high turnover, make security a lot harder to manage. Among the topics discussed in papers and panels:

-- Using a Protocol Tunnel to Defeat a Firewall (BT Labs): Context of applications is rarely considered by commercial firewalls, allowing for attacks through protocol tunneling (encapsulating a protocol within another protocol that firewalls would let pass). The bad news: tools are already available; httptunnel is one in wide use. Only one compromised host behind the firewall is needed; a client/server setup then tunnels *any* protocol over HTTP. Solutions proposed: Maintaining domains similar to CMW at the host level, IPSec segmentation at the network level (separate stacks, one per sensitivity level). Implementation: firmware on a special networking card acting as a "bump in the wire."
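The application-context check that the BT Labs talk says commercial firewalls skip, as an added example (not code from the talk or the conference): a port-based rule passes anything on TCP/80, while this Python check parses the client's bytes as HTTP and flags sessions whose framing or body betray another protocol. The banner list and sample sessions are constructed for illustration.

```python
import re

# Request line a real HTTP/1.x client sends; a port-based rule never looks this far.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
# Opening bytes of protocols tunnelling tools wrap in HTTP (constructed list: SSH, SMTP/FTP, TLS).
FOREIGN_BANNERS = {b"SSH-": "ssh", b"220 ": "smtp/ftp", b"\x16\x03": "tls"}

def parse_request(payload: bytes):
    """Split an HTTP request into (method, headers, body); ValueError if not HTTP."""
    m = REQUEST_LINE.match(payload)
    if not m:
        raise ValueError("request line does not parse as HTTP/1.x")
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block never terminated")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), headers, body

def classify_http_session(payload: bytes) -> str:
    """Return 'ok', or the reason this port-80 session does not behave like HTTP."""
    try:
        method, headers, body = parse_request(payload)
    except ValueError as exc:
        return f"not-http: {exc}"
    if method in (b"GET", b"HEAD") and body:
        return "suspicious: GET/HEAD request carrying a body"
    declared = headers.get(b"content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        return "suspicious: Content-Length does not match body"
    for banner, proto in FOREIGN_BANNERS.items():
        if body.startswith(banner):
            return f"suspicious: {proto} banner inside HTTP body"
    return "ok"

# Constructed sample sessions: an ordinary request, a tunnelled one, and raw non-HTTP.
SAMPLES = {
    "plain-get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh-in-post": (b"POST /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Length: 21\r\n\r\nSSH-2.0-OpenSSH_2.1\r\n"),
    "raw-ssh-on-80": b"SSH-2.0-OpenSSH_2.1\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} {classify_http_session(payload)}")
```

The second sample is exactly what a port filter cannot see: syntactically valid HTTP on TCP/80 whose body is another protocol's handshake.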

-- Honeynets (Sun): The idea: build a mirrored environment of your production and use it to test and develop security technologies and procedures, exploit vulnerabilities, track hackers, gather and log data, etc. The purpose is to have these systems probed, attacked, and compromised, while gathering information in real time (analysis later). [This is a nice extension of the honey pot concept, but who can afford a *full* mirrored environment in real life?]

-- Intrusion Detection Technology Today and Tomorrow (AT&T Labs): Lessons learned from years of IDS work include: Most IDS products are still rapidly evolving (commercial IDS are still maturing, security companies are re-structuring); Too many false positives make operators ignore alerts or re-configure thresholds (at the risk of missing important alarms); While ID (Intrusion Detection) is addressed to different extents, IR (Intrusion Response) is not. Data correlation is necessary both within IDS products and across products, and an expert-system approach to ID could be the right way to go.

-- We did hear about "defense/security in depth" A LOT during this conference; it is becoming a mainstream concept. There were also a lot of lively discussions during the sessions and outside, several BOFs, plus many exchanges of real-life experiences and information.

Chicago was sunny (not windy), and the local organizers from Northwestern University did a great job. Overall, it was an excellent conference for all those involved in incident response security work.