Call for Speakers

The Call for Speakers submission is now closed.

Fighting Pirates and Privateers

Since the late 80s, incident response and security teams have been fighting all kinds of IT based crime and misconduct. Attacks and incidents, social engineering, phishing, malware and many of the objectives of the actors involved were designated "criminal" by most jurisdictions – if not all. While attributing such acts to particular individuals has always been a real world problem with its own challenges, it has become much more difficult today.

With the rise of terrorism and the increased interest in cyber "defense" by nation states, other groups have joined in what can look like a world-wide conflict zone, formerly known as the Internet. Though practitioners and politicians may be reluctant to call it that, it is obvious that civil infrastructure has at least dual use and that attacks, probes or "intelligence activities" are going on continuously. Specialized security companies link those with nation states on a regular basis.

Many of us started to adopt the term "nation state capability" to politely refer to such attackers – and it seems highly unlikely that no national agencies are involved. Because many of these activities are in their actions and results the same as those perpetrated by "ordinary" cyber criminals, it is reasonable to assume that many such activities would still be considered illegal in various jurisdictions. Depending on your own perspective and situation, your view may vary.

Therefore, the day to day work of incident response and security teams worldwide is no longer only about incidents caused by the usual suspects such as the typical script kiddie, disgruntled employee or organized (cyber) criminal, but we now also need to deal with intelligence agencies and military forces, and groups funded, protected or sponsored by nation states.

This is much like the situation of old on the seas, when various navies, pirates and privateers fought for their own or third party interests – a time in history well known in Puerto Rico. The motivation to utilize privateers for those battles was not too different from what it is today – plausible deniability, an agile and motivated workforce, scaling up without fixed cost, and a short time to market. It should not be surprising if some states still support active recruitment of privateers to protect national interests.

About FIRST Conference

From June 11-16, 2017, the Forum of Incident Response and Security Teams (FIRST) will be holding their Annual Conference in San Juan, Puerto Rico. FIRST brings together a wide variety of security and incident response professionals from public, private and academic sectors around the world to exchange information, build trust relationships and co-operate on issues of mutual interest.

The conference will offer the opportunity for information security experts and managers to engage in meaningful conversation and learn from one another about relevant technical and managerial topics and ideas. We intend to have three major tracks running in parallel, covering various subjects which are explained in detail below.

Novice members of incident response and security teams are always welcome and are strongly invited to become part of our worldwide community. Perspectives from all experience levels are valuable in the security and incident response fields, and new members often bring new solutions to the problems we all face.

Contributions We Are Looking For

FIRST Conferences are known for presentations and tutorials/workshops taught by leading researchers or practitioners in the operations of incident response, product security or other security teams. Presentations are great opportunities for practitioners who do not have the time to write a full paper as usually expected at other conferences. What we are looking for are leading-edge research, challenging discoveries, working solutions and established best practices already adopted by more than a single team. We also invite fresh ideas and challenges presented to the global community for discussion and consideration. Such presentations might be scary or optimistic about the current state of practice; what we look for are perspectives that should have an impact on the work of CSIRTs, PSIRTs, SOCs, or other security teams. We also invite original contributions as research papers, tutorials/workshops, panels, demonstrations, or posters!

We regard the audience as experts from the field, either technical or managerial. Therefore, introductory presentations on routine topics such as how cryptography or intrusion detection systems work, the need for a CSIRT for a particular constituency, or the basic plans necessary to establish a new team are probably not appropriate. This can be considered a given, and the dissemination of such basic topics is not the objective of a FIRST conference. However, as explained above, new attacks on cryptography, new IDS evasion techniques or the need for a new type of incident response team not heard of before would be considered.

Submitted proposals will undergo an initial triage (yes, indeed ;) process to filter out sales pitches and to confirm whether there is enough information available. Please take into account that five or even nine lines of text might not relay the concept or idea you have in your head or discussed in your peer group to others. In such cases we will request more information about the content of the submission before continuing our review process.

We will ensure that each selected proposal is relevant to our audience and will assess the overall value for our audience through an international Program Committee. This is composed of experts and practitioners from the field, representing a diverse set of teams and organizations across six continents.

Topics of Interest

The following list is not exhaustive, but indicates the wide range of topics that are considered of interest to the global audience:

The above is simply a list of suggestions to get potential presenters thinking. We welcome new, original ideas from people in research, academia, industry, government, and law enforcement, or from service providers and vendors who are interested in sharing their results, knowledge, and experience. Submitters are strongly encouraged to demonstrate the applicability of their work to practical issues.

We do not allow presentations with the aim of gaining the audience's interest in any commercial application, solution or product. In other words, NO MARKETING PRESENTATIONS.


The language of the Annual Conference is English. Submissions with fewer than 10 lines (not counting biographical or other meta-information) will be disregarded automatically. In such cases, you will get a chance to re-submit within 14 days. We will ask for more concrete and informative text enabling the members of the Program Committee to really understand the topic and the views on it that you would like to raise or present at the conference. Only then will the submission be considered for further review!

A submission should typically answer the following questions:

All materials (PDF only) and proposals must be submitted through the EasyChair site at:

The Call for Speakers submission is now closed.

Submissions received after the deadlines (see "Important Dates" below) may not be considered. Contact the Program Committee Chair for cases of exceptions.

We invite the following types of submissions:

Presentations by practitioners or researchers may be either 20 minutes (with 5 minutes of questions) or 30 minutes (with 10 minutes of questions). The Program Committee may decide to structure Q&A sessions differently in the final conference program, such as having multiple presentations followed by a combined Q&A session at the end.

Tutorials or workshops may be either 90 minutes or 180 minutes (with one break after 90 min). These are distinct from training sessions, as the training offerings during the Annual Conference are separated from the main program and are organized by the FIRST Educational Committee.

Panel submissions should include an estimate of how long the submitters believe they will need for a successful, lively and interactive panel. Further discussion after the selection process will give both the submitters and the Program Committee a chance to select the best time slot.

Demonstrations and posters will be presented as "lightning talks" and should not require more than 10 minutes each.

Speaker Privileges

Speakers with 40-60+ minute presentations (including Q&A) will receive a complimentary conference admission (1 per presentation). Speakers for 20-30 minute presentations will receive their choice of a complimentary 1-day pass, or a discounted rate of $1200 USD for a full registration pass (1 per presentation).

Important Dates

Please note that all deadlines are firm:

FIRST requires a non-exclusive copyright license for all materials delivered at the Conference.

Where employer, client or government authorization is needed, it is the responsibility of the author(s) to obtain that authorization prior to submitting the final materials.

Accepted submissions will be published in the Conference Proceedings with associated speaker biographies and head shots (if applicable), for which the same usage rights are required by FIRST.

Materials will be distributed on the FIRST websites. The Proceedings are provided free of charge to Conference attendees. After the Conference, materials will be published to the "Members Only" area of the FIRST website.

FIRST welcomes media to attend the Conference and report on activities. If your presentation is sensitive in nature and requires special handling, please discuss this with the Program Committee Chair before submission of the final materials.

Point Of Contact

Questions about submission topics or sensitivity issues can be sent via email to the chair of the Program Committee:

Please do not ask questions regarding acceptance or review status; such emails will not be answered and will be silently ignored.

Sincerely, on behalf of FIRST and the Program Committee,

Prof. Dr. Klaus-Peter Kossakowski