Papers & Presentations

FIRST organizes and participates in many events each year, at which many papers and presentations are offered. Annual Conference presentations are available to the public 6 months later, while Technical Colloquia presentations and papers are restricted to members only.

FIRST Members may view all the Technical Colloquia presentations after signing in.

  • FIRST Training Prague

    January 27, 2016 — Prague, Czech Republic

    • Incident Coordination (Module 5)
    • Information Sources (Module 4)
  • Istanbul 2015 FIRST Technical Colloquium & TRANSITS Training

    October 26–27, 2015 — Istanbul, Turkey

    • Building blocks of a cyber resilience program
    • Cybercrime, cyber-espionage, information warfare and “cyber war”: the fil rouge which connects the dots
    • Incident Response and its role in protecting critical infrastructure
    • Panel: Building an effective National CERT team
    • Panel: Challenges of Cybercrime
  • 27th Annual FIRST Conference on Computer Security Incident Handling

    June 14–19, 2015 — Berlin, Germany

    • 3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience
    • A Cognitive Study to Discover How Expert Incident Responders Think
    • A Day in the Life of a Cyber Intelligence Professional
    • A Funny Thing Happened on the Way to OASIS: From Specifications to Standards
    • A Study on the Categorization of Webshell
    • Barriers and Pathways to Improving the Effectiveness of Cybersecurity Information Sharing Among the Public and Private Sectors
    • Behind the Scenes this Week at FIRST - Potsdam I
    • BetterCrypto.org Workshop and Hands-on Training
    • Bring Your Own Internet Of Things (BYO-IoT)
    • Building CERT Team and Responding Incidents in the Large Energy Company.
    • Building Community Playbooks for Malware Eradication
    • Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP
    • Case Study: Creating Situational Awareness in a Modern World.
    • Ce1sus: A Contribution to an Improved Cyber Threat Intelligence Handling
    • Collecting, Analyzing and Responding to Enterprise Scale DNS Events
    • Crisis Communication for Incident Response
    • CSIRT Info Sharing Workshop
    • CVSS v3 Hands-on Training
    • Cyber Security Challenges in the Financial Sector: Internal and External Threats
    • Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators
    • Defining and Measuring Capability Maturity for Security Monitoring Practices
    • Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale
    • DSMS: Automating Decision Support and Monitoring Workflow for Incident Response
    • Effective Team Leadership and Process Improvement For Network Security Operators
    • Enabling Innovation in Cyber Security
    • ENISA Threat Landscape: Current and Emerging Threat Assessment
    • Evaluating the Effectiveness of Fuzzy Hashing Techniques in Identifying Provenance of APT Binaries
    • Fact Tables - A Case Study in Reducing Reactive Intrusion Time-to-Know by 95%
    • Global Standards Unification - How EU NIS Platform, NIST and IETF Standards are Breaking Barriers for Information Sharing and Automated Action
    • Hands-on Network Forensics
    • Hands-on Pen Testing iOS Apps
    • I'm Sorry to Inform You...
    • Implementation of Machine Learning Methods for Improving Detection Accuracy on Intrusion Detection System (IDS)
    • Incident Response Programming with R
    • IPv6 Security Hands-on
    • Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites
    • Keynote Presentation: Collaborative Security - Reflections about Security and the Open Internet - Potsdam I
    • Machine Learning for Cyber Security Intelligence
    • Malware in Your Pipes: The State of SCADA Malware
    • Maximizing Value of your Threat Intelligence for Security Incident Response
    • Passive Detection and Reconnaissance Techniques to Find, Track and Attribute Vulnerable "Devices"
    • Prepare Your Cybersecurity Team for Swift Containment Post Incident
    • Protecting Privacy through Incident Response
    • Quality Over Quantity—Cutting Through Cyberthreat Intelligence Noise
    • Sector Based Cyber Security Drills - Lessons Learnt
    • Security Operations: Moving to a Narrative-Driven Model
    • Seven Years in MWS: Experiences of the Community Based Data Sharing for Anti-Malware Research in Japan
    • Sinfonier: Storm Builder for Security Intelligence
    • So You Want a Threat Intelligence* Function (*But Were Afraid to Ask)
    • Technology, Trust, and Connecting the Dots
    • The Daily Show Agenda
    • The Needle in the Haystack
    • Theory and Practice of Cyber Threat-Intelligence Management Using STIX and CybOX
    • Threat Information Sharing; Perspectives, Strategies, and Threat Scenarios
    • Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study
    • Validating and Improving Threat Intelligence Indicators
    • VRDX-SIG: Global Vulnerability Identification
    • When Business Process and Incident Response Collide: The Fine-Tuning of the IR Program
    • Working Towards the Tokyo 2020 Olympics - Situation in 2015
  • Amsterdam 2015 FIRST Technical Colloquium

    May 05–06, 2015 — Amsterdam, Netherlands

    • Hey! You! Get Off of My Cloud! Attacks Against Cloud Server Honeypots
    • Red + Blue = Purple (Taking security testing to the next level)
    • SSHCure: Flow-based Compromise Detection using NetFlow/IPFIX
  • Las Palmas 2015 FIRST/TF-CSIRT Technical Colloquium

    January 26–28, 2015 — Las Palmas de Gran Canaria, Spain

    • Actionable information for security incident response
    • Agile Security
    • Cyber-EXE Georgia Project
    • INTECO-CERT Team Update
    • Monoculture - Is it working?
    • Radically Open Security: Smashing the Stack for Fun and Non-profit
    • RTIR
  • 2014 FIRST Symposium, Tbilisi

    October 14–16, 2014 — Tbilisi, Georgia

    • CERT-GOV-GE
    • Defense of your Energy sector through good incident response
    • Presentation by the Ukrainian National CERT
    • Shadowserver Report Processing and Analysing System
    • Snake aka Uroburos - The Big Picture
  • FIRST TC - Incident Response in the Healthcare Sector

    August 18, 2014 — San Diego, United States

    • iOS Security for Incident Responders
    • Vulnerability Management
    • Welcome Remarks/FIRST Overview
  • 26th Annual FIRST Conference on Computer Security Incident Handling

    June 22–27, 2014 — Boston, United States

    • A Forensic Analysis of APT Lateral Movement in Windows Environment
    • A Survey of Vulnerability Markets
    • At the Speed of Data: Automating Threat Information to Improve Incident Response
    • Attacks Using Malicious Hangul Word Processor(HWP) Documents
    • Avoiding Information Overload: Automated Data Processing with n6
    • Back to the Roots - Incident Case Study
    • Bitcoin for the Incident Responder
    • Common Vulnerability Scoring System v3
    • Credential Honeytoken for Tracking Web-based Attack Cycle
    • Cyber Security for Board of Directors and Senior Management
    • Cyber Threats Targeting High Level Individuals: Is Your Organization Prepared?
    • Cyber-EXE Polska 2013. Cyber Exercises for Banking Sector - the CERT Role.
    • Developing Cybersecurity Risk Indicators - Metrics (panel)
    • Don’t Panic! Case studies of Incident Response from the Field
    • Enabling Cross-Organizational Threat Sharing through Dynamic, Flexible Transform
    • Enterprise Security Monitoring: Comprehensive Intel-Driven Detection
    • Everyday Cryptography
    • Exfiltration Framework (ExF)
    • First Step Guide for Building Cyber Threat Intelligence Team
    • Identifying the 'Root' Causes of Propagation in Submitted Incident Reports
    • Incident Response Coordination on a Global Scale: Your Assistance is Requested...
    • Investigator of Interest – Our Philosophy of Adaptive Incident Response to Turn the Tables During an Investigation
    • Looking Back at Three Years of Targeted Attacks: Lessons Learned on the Attackers’ Behaviors and Victims’ Profiles
    • Malware\Host Analysis for Level 1 Analysts
    • Managing Your Managed Security Service Provider: Improve Your Security Posture
    • Merovingio: Mislead the Malware
    • National-level Collaborative Multi-Lateral Defensive Framework based on Big Data Analytics Paradigm
    • Network Security Analytics Today
    • Open DNS Resolver Check Site
    • Open Source Software Environment Security Issues
    • Operational CyberThreat Intelligence: 3 Years of IOC Processing at EMC.
    • Our Turbine Got Hacked! - Performing Forensic Investigations of Industrial Control Systems
    • Pass-the-Hash: Gaining Root Access to Your Network
    • pBot botnets: An Overview
    • Playing Hide and Seek with Rootkits in OS X Memory
    • Preparing for the Inevitable Zeroday or What Makes Networks Defendable?
    • Processing Intelligence Feeds with Open Source Software
    • Protecting the Computer from Ring 0 – A New Concept in Improving Incident Response
    • Rogue Pharma in .CO: The 33DRUGS.CO Case
    • Scaling Threat Intelligence Practices with Automation
    • Securing National Segment of the Internet from Cyber-Threats. CERT-UA's Practical Approach
    • Security Operations, Engineering, and Intelligence Integration Through the Power of Graph(DB)!
    • The Art of Sinkholing
    • The Dutch Responsible Disclosure Policy
    • The MANTIS Framework: Cyber Threat Intelligence Management for CERTs
    • Transparency and Information Sharing in Digital Forensics
    • Two-tiered, Multi-team Assessment of CSIRTs
    • Understanding Cyber Security Incident Response Teams as Multiteam Systems
    • Use of Passive DNS Databases in Incident Response and Forensics
    • Using Anthropology to Study Security Incident Response
    • YARA: Advanced Topics
  • Amsterdam 2014 FIRST Technical Colloquium

    April 07–08, 2014 — Amsterdam, Netherlands

    • Beyond 400 Gbps: Abusing NTP and Other Protocols for DDoS
    • The Internet of Everything (Compromised)
  • FIRST Energy Symposium

    October 28–29, 2013 — Leesburg, Virginia, United States

    • (ISC)² Breakout - Half Day: Forensics
    • Changes in the Threat Landscape and the Potential Impacts to Incident Response Activities
    • iOS Security for Incident Responders
    • PACS-WG: Lessons Learned and Future Work in the Energy Sector
  • Amsterdam 2013 FIRST Technical Colloquium

    April 02–03, 2013 — Amsterdam, Netherlands

    • CVSS v3 Preview
    • Overview of Cuckoo Sandbox
    • Re-writing the CSIRT Playbook
  • 2012 FIRST Symposium, São Paulo

    March 27–30, 2012 — São Paulo, Brazil

    • CVSS
    • How to Communicate with your Government (Lessons from Japan)
    • Phishing and Trojan Banking cases affecting Brazil
    • Security incidents overview in Brazilian academic networks
    • The OWASP Top 10 Mobile Security Risks
  • 2010 FIRST Symposium, Hamburg

    January 25–27, 2010 — Hamburg, Germany

    • Building a CSIRT in an ITIL Driven Organization
    • CZ.NIC presentation
    • Delivering services in a user-focused way
    • Detecting and Analyzing Malicious PDF Files
    • DNS community efforts to enable Security Stability and Resiliency
    • GN3 Security Activities
    • Grid Security developments
    • Incident Response in a Collegiate University
    • Mass Malware Analysis: A Do-It-Yourself Kit
    • Security made in Luxembourg
    • Tales From the War Room
    • TRANSITS update
  • 2009 FIRST Symposium, Riga

    January 19–21, 2009 — Riga, Latvia

    • A Quantitative Cross Comparative Analysis of Tools for Anomaly Detection
    • Analyzing Malware with a dead Angle: PRG vs Torpig
    • Feasability Study of DoS attack with P2P System
    • Team Update - CERT-GE Presentation
    • Team Update - INTECO Presentation
    • Whitelist implementation for DNS servers
  • January 2008 FIRST Technical Colloquium

    January 28–31, 2008 — Prague, Czech Republic

    • An evening in the life of a hacker
    • Building a simple & effective Walled Garden
    • Enriching security toolbox in Solaris with Netcat
    • FIRST Update
    • London Action Plan
    • RADARE: Easing binary analysis for fun and profit
    • Teams Update/Work in progress session
  • January 2006 FIRST Technical Colloquium

    January 23–26, 2006 — Amsterdam, Netherlands

    • A civil rights' perspective on data retention
    • An overview of the German Honeynet Project
    • Compulsory Data Retention: Issues for CSIRTs
    • CSIRT interactions with law enforcement and intelligence services
    • ENISA update
    • IRT object
    • NoAH project
    • NREN server certificate service
    • Presentation about Sender Policy Framework
    • Reporting Security Vulnerabilities: Defining Best Practices For Industry and Third Party Co-Ordinators
    • Solaris 10 security design considerations
    • SURFnet IDS - A distributed intrusion detection system
    • TRANSITS courses
    • Update on e-coat forum
    • Update on EC funded projects - GN2/JRA2 progress report
    • Update on RTIR working group
    • Update on Vulnerability and Exploit Description and Exchange Format WG
    • US Operational Security Exercise
    • WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats
    • Zero-day work detection
  • October 2005 FIRST Technical Colloquium

    October 01–07, 2005 — Buenos Aires, Argentina

    • An evening with Kha0s
    • Cisco PSIRT - Incident Management
    • Common Vulnerabilities Score Systems
    • Digital crimes under different perspectives
    • FIRST: Global Incident Handling
    • Forensics Discovery
    • Fraud and Phishing Scam Response Arrangements in Brazil
    • Honeypots for Security Operations
    • ICMP Attacks Against TCP
    • Incident Response and Early Warning Initiatives in Brazil
    • Incident Response in Latin America
    • Information Security Attack Trends
    • Latin-American Forensic challenge V.2: Conclusion
    • Recent Activity in Phishing Malware
    • Recycling IPv4 exploit for IPv6
    • Regional Initiatives in Incident Response
    • Taxonomy of Mexican Online Banking 2005: Threats and Mitigation
    • The SANS Internet Storm Center (ISC): A Collaborative Information Security Community
    • Trends in Internet Attack Technology and the Role of Artifact
    • Work in Progress Session
  • February 2000 FIRST Technical Colloquium

    February 07, 2000 — Den Haag, Netherlands

    • Auditing Windows NT 4.0
    • CERTs in Europe
    • Lies, Damned Lies, and Statistics
    • Practical Tool for checking on Windows NT security
    • Telecommunications fraud: Organized approaches to fight it.
    • TIPSI - A Trusted Introducer for European