Cold Incident Response 2018

by Frode Hommedal, Telenor CERT & SOC Monday, November 5th, 2018

Last week 15 trainers and speakers and over 200 members of the incident response and security community came together for three days of learning and inspiration at the Norwegian community conference FIRST TC Oslo: Cold Incident Response.

Now that it's all over and we've concluded that it all went very well, it's time for a short recap for the history books, and for those of you who missed it – or should I say missed out.

Day 1: Threat intel workshop

Wednesday was dedicated to a workshop hosted by Martin Eian, Fredrik Borg and Geir Skjøtskift from mnemonic. The workshop was on ACT, a really exciting project on threat intelligence consumption and graph-oriented analysis that mnemonic is pouring quite a lot of research and development into – and that they graciously have decided to open source.

Day 1

Around 50 people attended the workshop, that was fully signed within days of the announcement. The feedback was clear: ACT is awesome and immediately useful. So, if you haven't tested it yet you should check it out on Github. If you work with making sense of threat indicators from various sources, including PDF reports, you will not regret it.

Day 2: Security monitoring

Thursday was the first conference day, and dedicated to topics related to security monitoring. Eleanor Saitta delivered an inspiring talk titled Towards Security Engineering, where she pointed out that we're not really doing security engineering – though we really should. Then Siri Bromander from mnemonic talked us through threat ontologies for cybersecurity, before Rossella Mattioli went through the ENISA catalogue for CSIRTs. After lunch we got an update from the national CSIRT of Norway (NorCERT) on their next generation national sensor grid, before Lars Arne Sand from DNB IRT shared some very interesting insight into security monitoring in AWS. For many, this talk was a real eye-opener.

We ended the day with Joakim von Brandis, who explained the stream processing part of mnemonic's data processing platform Argus, that he's been the main architect and developer of for 15 years.

Day 2

Conference dinner

Thursday afternoon we shipped – much to our surprise – more than 90 people off to dinner and drinks at Vippa at the harbor of downtown Oslo. This was almost double the attendance of any dinner we've hosted before, which was cool. People really seemed to like it at Vippa, with all its different food stalls, and there were lots of interesting discussions going on throughout the evening.

The staff had to throw in the towel pretty early, but we know for a fact this didn't apply to everyone. This was a FIRST conference after all. That someone will insist on delivering 24/7 operations is to be expected...

Day 3: Incident response

Friday was dedicated to topics related to incident response, and a lot of the talks circled around APT. We started out with Steven Adair, founder of Volexity and international man of mystery and APT, who gave us an update on an APT operation dubbed Ocean Lotus. Next out was Raymond Lund from Nordic Financial CERT, who gave an account of how they work with threat intelligence. And right before lunch Matias Bevilacqua from Mandiant followed up with a technical walk-through of techniques used by the threat group referred to as Platinum.

Day 3

After lunch Jason Smart from PwC UK talked us through a good handful of different threat actors from different regions, before Karl Bernhard Gudmundsen from Sykehuspartner gave a very interesting account of an incident that had previously been mentioned in the news. This was probably the most anticipated talk of the whole conference, and it was very well received.

The final talk of the day and the conference was my colleague Lars Erik Bråtveit and myself giving the audience our account of a big, open world, APT incident response exercise Telenor CERT hosted in May – that many of the organizations and people in the audience actually attended.

And then it was over, and we could all go home and enjoy a much needed weekend!

FIRST

For those of you who don't know FIRST, it's an almost 30-year-old organization for incident response and security teams, created to help coordinate the response teams being formed after the first internet worms in the late 80s. Today over 400 teams are members of FIRST, and over 800 security professionals attended its 30th annual conference in Kuala Lumpur, Malaysia, last June.

In addition to the annual conference, FIRST organizes regional symposiums, and will also support teams that want to arrange smaller community conferences called TCs – or technical colloquiums. The conference in Oslo is a community driven TC, and a big one as such.

Since we started we have set new records of attendees almost yearly. An important reason for that is the Norwegian FIRST community. This, I'm happy to report, is being noticed. These are the words of the chairman of the board of FIRST, Thomas Schreck:

For years the Norwegian CSIRT community has organized a very successful TC in Oslo. This is only one example of how strong the community within FIRST is. 

The Norwegian FIRST community

Out of the over 400 teams, only a little more than ten are Norwegian. Despite this, the Norwegian FIRST community is vibrant. Unlike most FIRST teams, we meet up regularly to discuss operational matters and share experiences.

Apparently this doesn't happen very often. A while ago I talked about this with long-time FIRST contributor and former chairman of the board, Maarten van Horenbeeck. He had the following comment:

To the best of my knowledge the Norwegian FIRST community is the only one that actually meets regularly like this – under the FIRST umbrella – to work together and share information and experiences. 

This makes me pretty proud to be part of the Norwegian FIRST community. And of course, one way we work together is to make our yearly TC happen.

But even if it is a community effort, someone must always take the lead and organize. Luckily there is no lack of willing participants. Right now Telenor and mnemonic are doing the heavy lifting, supported by KraftCERT and Nordic Financial CERT. We foot the bill and do all the practical stuff. The other teams take turns pitching in talks and support in other ways.

The result is our yearly TC, which has turned into a great little conference – if you ask us.

Conference identity

One thing we think has been important in making it a success is that we have decided to stick pretty closely to our identity as an incident response conference. We want everything going on at the conference to be as useful as possible for responders. This is the rationale behind having a security monitoring day and an incident response day.

We are also very clear on the fact that we are a community conference: by the community, for the community. A lot of people who come to our TC already know each other. This is good for trust and sharing, which contributes to the quality of the talks and the discussions during breaks.

Identity

The breaks are actually also part of our identity. We have lots of them. We start late, we finish early, and there are never less than 10 minutes between talks, often longer.

This might seem odd, but it's the people that are important, so we want them to be able to mingle and talk. The real value comes from meeting people and engaging with them. And the feedback is clear: people agree and really like it.

Next year

This year's conference is over, but there will be another one next year. We already booked the venue for week 42 next year: Tuesday 15th to Thursday 17th of October.

If you have ideas for talks, please let us know. If you want to come, please monitor the FIRST mailing list and website, because this year the conference filled up really fast. We were fully booked already in mid September.

And with the official conference shot taken, it's time to say thank you to everyone who organized, everyone who contributed and everyone who attended.

See you again next year!

Crew

On behalf of the conference crew.

-Frode

P.S. My fellow – and totally amazing – crew members are: