OpenDNS Security Labs is pleased to announce the S4 Incident Responder and Researcher Conference being held at our HQ on September 18th, 2014 in beautiful San Francisco, California. S4 is a free one-day conference for in-the-trenches Incident Responders and Security Researchers. The conference includes training on some of the most useful open source tools and services presented by some of the top experts in the industry, followed by talks in the evening and networking at night.

S4 Incident Responder and Researcher Conference Details

Who: Incident Responders, Security Researchers, Security Analysts
What: S4 (San Francisco Security Series): Incident Responder and Researcher Conference
When: September 18, 2014 (registration starts at 8:30 AM. First training at 9:00AM)
Where: OpenDNS HQ, 135 Bluxome St., San Francisco, CA 94107


Price: Free
Food and Drinks: Provided

Registration Link:

Confirmed Training (2 hours each)

Confirmed Speakers (20 – 30 minutes each)

Threat intelligence for Incident Responders – by Sam LilesCyberforensics Laboratory at Purdue


Abstract: To be sure the first step in any threat intelligence process is “know thyself”.

If you can’t write down on a whiteboard 10 adversarial actors to your enterprise you are not thinking deep enough. For each adversary you should be able to pinpoint targets. Model the primary channels of access and then look for sideways access. Examples of sideways access include things like shipping or order fulfillment systems that check credit card approval status. Oh yeah that system! Once again your #DFIR team can be a great addition to the gaining of evidence (not probative but still important).

At some companies they maintain a threat briefing for general counsel and their board of directors. At an unnamed company I looked their very technically astute report on current threats to the enterprise. I asked them what was the cause of their three biggest unexpected outages. In two cases it was weather. Yet their report didn’t even mention weather going out to any level of planning. A focus on the bits and bytes misses lighting and floods.

Modeling adversary access attempts to the organization takes some skill. You will never do this perfectly. It is difficult to get people to understand that an adversary does not have to work within your rules, procedures, or capabilities. That freedom allows them to analyze and evaluate how to work outside our organizational structure and use enterprise risk to their advantage. This kind of analysis does not come in a threat feed. It is not a list of IPs and most assuredly it isn’t something you should be sending outside of your organization.

Measuring the IQ of your Threat Intelligence Feeds – by Alex PintoMLSec Project


Abstract: Threat Intelligence feeds are now being touted as the saving grace for SIEM and log management deployments, and as a way to supercharge incident detection and even response practices. We have heard similar promises before as an industry, so it is only fair to try to investigate. Since the actual number of breaches and attacks worldwide is unknown, it is impossible to measure how good threat intelligence feeds really are, right? Enter a new scientific breakthrough developed over the last 300 years: statistics!

This presentation will consist of a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide. Are they a statistical good measure of the population of “”bad stuff”” happening out there? Is there even such a thing? How tuned to your specific threat surface are those feeds anyway? Regardless, can we actually make good use of them even if the threats they describe have no overlap with the actual incidents you have been seeing in your environment?

We will provide an open-source tool for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with current OSINT network feed and easily extensible for private or commercial feeds. All the statistical code written and research data used (from the open-source feeds) will be made available in the spirit of reproducible research. The tool itself will be able to be used by attendees to perform the same type of tests on their own data.

Join Alex on a journey through the actual real-world usability of threat intelligence to find out which mix of open source and private feeds are right for your organization.

Building Your Own DFIR Sidekick – by Scott J Roberts, GitHub


Abstract: Even though Decepticons, Cylons, and Johnny 5 may eventually control the world with humanity destroyed or as their pets but we can still get a lot of use out of them until then. Hubot is an open source multi-service chat bot built for finding cat pictures and deploying servers as a part of GitHub’s ChatOps workflow.

ChatOps is meant to enable rapid response, automation, collaboration, and use of cutting edge techniques in operations, but can also help with incident response, reverse engineering, OSINT, and other computer network defense tasks. For this we created Hubot Variable Threat Response. Hubot VTR to let us automate & collaborate on security operations. You’ll learn how to use Hubot for devops and security, how to build your own commands with CoffeeScript or Python, and basically how to build your own personal robot for fighting bad guys.

And finding cat pictures. Man is he good at cat pictures.

FastResponder: New Open Source weapon to detect and understand a large scale compromise – by Sébastien LarinierGuillaume Arcas, and Olivier Zheng, Sekoia


Abstract: With the huge size of new hard drives, memories and cloud computing, it is now impossible to make traditional forensic computer by computer to collect evidences and design a compromission plan. With APT and large attacks like EK, many computers are infected during a campaign. We decided to develop a collector which dumps just enough information to be able to detect signs of compromission and identify the infected computers on all kind of networks.

We started from the SANS institute poster of the FOR 408 “Windows forensic” which details the the main artifacts needed to be collected and we also added some more that we found relevant in the use cases of #FastForensic.

FastResponder has been developed in Python and is composed of multiple modules. A collection profile has been configured using CLI or a configuration file is used to enable the acquisition of a chosen module only, which enable to use fewer memory and time. A specific artifact can also be collected to search for a specific attack using your own threat intelligence with yara rules or specific md5 file. All evidences are recorded in UTF-8 CSV files. The files can be processed in logstash/Kibana/ElasticSearch or Splunk to make supertimeline and define query to quickly find out if computers are infected or compromised.

Please reserve soon as space is limited. Again, the registration link can be found here:

We look forward to seeing you!

This post is categorized in: