Conference Program

This is a working draft agenda. Agenda is subject to change.

June 11th (Sunday)

Pre-Conference
11:00 – 17:00

FIRST Hackathon - Flamingo A

18:30 – 19:00

Newbie Reception - Atlantic Garden

19:00 – 21:00

Ice Breaker Reception - Atlantic Garden

June 12th (Monday)

San Geronimo B: Management Track
San Geronimo A: Technical Track
San Geronimo C: Technical Track
Auditorium: Workshops
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote

Alex Stamos (Facebook)

10:45 – 11:15

Coffee Break

11:15 – 12:00
 US

Measuring Similarity Between Cyber Security Incident Reports

Samuel Perl, Zachary Kurtz (Software Engineering Institute, US)

 US

Beyond Matching: Applying Data Science Techniques to IOC-based Detection

Alex Pinto (Niddel, US)

 US

Navigating the High Seas of Ransomware

Prince Donyina (Cyber Defense Solutions, LLC, US); Tim Slaybaugh (Northrop Grumman Corporation, US)

 US

Windows Credentials, Attacks, and Mitigation Techniques

Chad Tilbury (SANS Institute, US)

11:15 – 12:45

12:00 – 12:45
 FR

Active Directory: How To Change a Weak Point Into a Leverage for Security Monitoring

Vincent Le Toux (Engie, FR)

 GB AT

IoCannon: Blasting Back on Attackers with Economics -or- How do we Improve the Power of IoCs?

Eireann Leverett (Concinnity Risks, GB); Marion Marschalek (Independent, AT)

 US CR

The Ransomware Odyssey: Their Relevance and Their Kryptonite

Kevin Figueroa (CNSI, US); Marco Figueroa, Ronald Eddings (Intel Corporation, US); Sue Ballestero (Intel, CR)

12:45 – 14:00

Lunch Break

14:00 – 14:45
 US

Building a High Performing Cyber Security Team on the Cheap

Christopher Payne (Target, US)

 NO

Threat Ontologies for Cyber Security Analytics

Siri Bromander (mnemonic as, University of Oslo, NO)

 US

Cyber Terrorist Activity: The New Way to Cause Chaos

Kyle Wilhoit (DomainTools, US)

 US

OSS Security: That’s Real Mature Of You!

Christine Gadsby (BlackBerry, US); Jake Kouns (Risk Based Security, US)

14:00 – 15:30

14:45 – 15:30
 CA

Building a Product Security Team – The Good, the Bad and the Ugly - Lessons from the Field

Peter Morin (Forcepoint, CA)

 FI

Best Practices for Building a Large Scale Sensor Network

Juhani Eronen (NCSC-FI / FICORA, FI)

 ES

Are West African Cybercriminals on Safari in your Network?

David Sancho (Trend Micro, ES)

15:30 – 16:00

Coffee Break

16:00 – 16:30
 PL

Trying to Know Your Own Backyard (A National CERT Perspective)

Paweł Pawliński (CERT Polska / NASK, PL)

 US GB

WatchEvaluateEnrichPunch (WEEP): A Poor Man’s Self-Defence Host Monitor.

Adrian Sanabria (451, US); Konrads Smelkovs (KPMG LLP, GB)

 JP

SDN Control System Based on Threat Level of Shared Information

Takuho Mitsunaga (The University of Tokyo, JPCERT/CC, JP)

FIRST Update: Financial & Business Review

FIRST Members Only

16:00 – 17:00

16:30 – 17:00
 CA

Digital Supply Chain: The Exposed Flank In 2017

Dave Lewis (Akamai Technologies, CA)

 LU

AIL Framework - Analysis Information Leak Framework

Alexandre Dulaunoy, Steve Clement (CIRCL - Computer Incident Response Center Luxembourg, LU)

 US

HIRT Locker 2.0 - Next Generation Hunting

Christopher Butera (US-CERT, US)

June 13th (Tuesday)

San Geronimo B: Management Track
San Geronimo A: Technical Track
San Geronimo C: Technical Track
Auditorium: Workshops
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote

Darren Bilby (Google)

10:45 – 11:15

Coffee Break

11:15 – 11:45
 US

Communicating Risk: A Comparative Approach to Vulnerability Remediation

Mark-David Mclaughlin (Cisco, US)

 DE

Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

Ben Stock, Christian Rossow (CISPA, DE)

 MY

A Practical Workflow for Automation and Orchestration of Threat Intelligent Information for Global Mitigation of Large-Scale Cyber Attacks: Case Study on Mirai Botnet Takedown in Malaysia

Megat Muazzam Abdul Mutalib, Sharifah Roziah Mohd Kassim (CyberSecurity Malaysia, MY)

 US

Narrative of Google’s Security and Privacy Efforts - Threats and Detection

Chris John Riley, Johan Berggren (GOOGLE, US)

11:15 – 12:45

11:45 – 12:15
 US

The Arrr in PSIRT

Beverly Finch (Lenovo, US)

 TW RU

Hunting for Threats in Academic Networks

Fyodor Yarochkin (TrendMicro, TW); Vladimir Kropotov (Trend Micro, RU)

 US

Panel Topic: Mirai: How Did We Do?

Merike Kaeo (Farsight Security, US)

11:45 – 12:45

12:15 – 12:45
 US

Beware! Krakens be Here: Safely Sailing the Oceans of Open Source

Christopher Robinson (Red Hat Inc, US)

 DE

Experiences and Lessons Learned from a Siemens-Wide Security Patch Management Service for Products

Manuel Ifland (Siemens AG, DE)

12:45 – 14:00

Lunch Break

14:00 – 14:45
 PL

How To Ruin Your Weekend (And Business) In Few Simple Steps

Przemek Jaroszewski (CERT Polska/NASK, PL)

 CH

Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

Tom Ueltschi (Swiss Post, CH)

 DE

Dismantling the Avalanche Botnet

Kaspar Clos, Thomas Hungenberg (CERT-Bund / BSI, DE)

Workshop (continued)

14:00 – 15:30

14:45 – 15:30
 BE

Handling an Incident in CERT-EU

Emilien Le Jamtel (CERT-EU, BE)

 US

Defensive Evasion: How APT Adversaries Bypass Security Controls

Phil Burdette (SecureWorks, US)

 FI

Disrupting IoT Worms in Finland (2016 Edition)

Markus Lintula (NCSC-FI / FICORA, FI)

15:30 – 16:00

Coffee Break

16:00 – 16:30
 US

These Aren't The IR Processes You're Looking For

Jake Kouns (Risk Based Security, US)

 CZ

Malicious Proxy Auto-Configs: Harvesting Credentials From Web Forms Made Easy

Jan Sirmer, Jaromir Horejsi (Avast Software, CZ)

 GB

IoPCoOCT – The Internet of Poorly Configured or Otherwise Compromised Things

Kevin O'Sullivan (BT Plc, GB)

 US

Narrative of Google’s Security and Privacy Efforts - Incident Management

Chris John Riley, Johan Berggren (GOOGLE, US)

16:00 – 17:30

16:30 – 17:00
 FI

From Bullet Journal to Lessons Learned: How to Manage Coordination and Cooperation Development in Ad-hoc Working Environment?

Jarna Hartikainen (NCSC-FI, FI)

 MY

Collaborative Information Sharing Model for Malware Threat Analysis

Aswami Ariffin, Zahri Yunos (CyberSecurity Malaysia, MY)

 US

Panel Topic Friend or Foe? Named Flaws, the Impact to Your Products and Your Customers

Christopher Robinson (Red Hat Inc, US); Lisa Bradley (NVIDIA, US)

16:30 – 17:30

17:00 – 17:30
 NL

Revising the TLP - Lessons Learned

Don Stikvoort (Open CSIRT Foundation, NL)

 DE

Countering Innovative Sandbox Evasion Techniques Used by Malware

Carsten Willems, Frederic Besler, Ralf Hund (VMRay, DE)

17:30 – 19:30

June 14th (Wednesday)

San Geronimo B: Management Track
San Geronimo A: Technical Track
San Geronimo C: Technical Track
Auditorium: Workshops
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote: Cybersecurity and the Age of Privateering

Florian Egloff (University of Oxford)

10:45 – 11:15

Coffee Break

11:15 – 12:00
 NL

Ozon: Running a Gap Bridging Cybercrisis Exercise

Remon Klein Tank (SURFcert, NL)

 AE

CSIRT Under Attack

Riccardo Tani (duSIRT, AE)

 US

THINKPWN: PSIRT Case Study of a Zero-Day

Amy Rose, Bill Jaeger (Lenovo, US)

Workshop (continued from previous day)

11:15 – 12:45

12:00 – 12:45
 US

Steel Sharpens Steel: Using Red Teams to Make Blue Teams Better

Christopher Payne (Target, US)

 DK

Hunting Down MazarBOT

Peter Kruse (CSIS Security Group, DK)

 US

The Budding World of Cloud Storage Abuse and Exploitation : A Technical Deep Dive

Aditya K Sood (BlueCoat, A Symantec Company, US)

12:45 – 14:00

Lunch Break

14:00 – 14:45
 US

Things That Make You Go HMM: Using a Simple Hunting Maturity Model to Establish and Improve your Threat Hunting Program

David J. Bianco (Target, US)

 IL

A Look into the Long Tale of Cyber Threats

Eyal Paz, Gadi Naveh (Check Point, IL)

 US

You’re Leaking: Incident Response in the World of DevOps

Jerry Dixon (Crowdstrike, US); Levi Gundert (Recorded Future, US)

 US

Managerial Strategies for Improving the Social Maturity of Cybersecurity Incident Response Teams and Multiteam Systems: A Workshop

Daniel Shore, Stephen Zaccaro (George Mason University, US)

14:00 – 15:30

14:45 – 15:30
 US

Building a Threat Hunting Framework for the Enterprise

Joseph Ten Eyck (Target Company, US)

 US

Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates

Christine Drake, Kevin Bocek (Venafi, US)

 NO

The Incident Responder and the Half Year APT

Dr. Martin Eian, Jon Røgeberg (mIRT/mnemonic AS, NO)

15:30 – 16:00

Coffee Break

16:00 – 17:00

Lightning Talks

 US

Panel Topic: Incident Response Providers: Casework Trends

Brian Klenke (Morphick, US); Eric Szatmary (SecureWorks, US); Robert Floodeen (PwC, US)

 US CA

Panel Topic: Issues Surrounding Internet of Things (IoT) Security Upgradability and Patching

Alan Friedman (National Telecommunications and Information Administration, US); John Banghart (Venable LLP, US); Kent Landfield (Intel Corporation, US); Vic Chung (SAP, CA)

17:00 – 22:00

June 15th (Thursday)

San Geronimo B: Management Track
San Geronimo A: Technical Track
San Geronimo C: Technical Track
Auditorium: Workshops
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote

TBD

10:45 – 11:15

Coffee Break

11:15 – 12:00
 NL PL

How to Become a Mature CSIRT in 3 Steps

Don Stikvoort (Open CSIRT Foundation, NL); Mirosław Maj (Open CSIRT Foundation, PL)

 BE US

Detecting Threats on a Massive Mac OS X Deployment

Fabio Nigi (Cisco Systems, BE); James Sheppard (Cisco Systems, US)

 FI

When Phone Networks Go Down - Who You Gonna Call?

Mikko Karikytö (Ericsson, FI)

 US

DNS is NOT Boring! Using DNS to Expose and Thwart Attacks

Rod Rasmussen (Infoblox, US)

11:15 – 12:45

12:00 – 12:45
 US

What Metrics Should a CSIRT Collect to Measure Success (Or What Questions Should We Be Asking and How Do We Get the Answers?)

Audrey Dorofee (Software Engineering Institute, CMU, US); Robin Ruefle (CERT Division, SEI, CMU, US)

 AU

Lean Gains - Small Team Effectiveness

Ben May (AEMO, AU)

 DE

You Don't Need a Better Car, You Need to Learn How to Drive: On the Importance of Cyber-Defense Line Automation.

Enrico Lovat, Florian Hartmann, Philipp Lowack (Siemens CERT, DE)

12:45 – 14:00

Lunch Break

14:00 – 14:45
 US

Medical Device Security: A Sucking Chest Wound That Needs Emergency Medicine

Denise Anderson (NH-ISAC, US)

 LU

Blackhole Networks - an Underestimated Source for Information Leaks

Alexandre Dulaunoy, Gerard Wagener (CIRCL, LU); Cynthia Wagner (RESTENA Foundation, LU)

 FR

TheHive: a Scalable, Open Source and Free Incident Response Platform

Saâd Kadhi (Banque de France, FR)

 US

The Art of the Jedi Mind Trick: Learning Effective Communication Skills

Jeff Man (Self-employed, US)

14:00 – 15:30

14:45 – 15:30
 GB NO

Embodied Vulnerabilities: Compromising Medical Implants

Eireann Leverett (Concinnity Risks, GB); Marie Moe (SINTEF, NO)

 HR

Improving Network Intrusion Detection with Traffic Denoise

Miroslav Stampar (Information Systems Security Bureau, HR)

 DE

Marvin: Automated Incident Handling at DFN-CERT

Christian Keil, Eugene Brin, Jan Kohlrausch (DFN-CERT, DE)

15:30 – 16:00

Coffee Break

16:00 – 18:00

FIRST Annual General Meeting

FIRST Members Only

June 16th (Friday)

San Geronimo B: Management Track
San Geronimo A: Technical Track
San Geronimo C: Technical Track
Auditorium: Workshops
09:30 – 09:45

Opening Remarks

Jeffrey Carpenter

09:45 – 10:45

Keynote

TBD

10:45 – 11:15

Coffee Break

11:15 – 11:45
 US

PyNetSim: A Modern INetSim Replacement

Jason Jones (Arbor Networks ASERT, US)

 BR

Rio 2016 Olympic CSIRT - Creation, Operation and Lessons Learned

Romulo Rocha (Former Rio2016 Committee, now Tempest Security Intelligence, BR)

 US

Deep Learning for Incident Response: Predicting and Visualizing Cyber Attacks Using Open Data, Social Media and GIS

Anne Connell (CERT, US)

 US

::1 The Official Home for IPv6 Attacks

Marco Figueroa, Ronald Eddings (Intel Corporation, US)

11:15 – 12:45

11:45 – 12:15
 JP

APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon -

Shusei Tomonaga (JPCERT/CC, JP)

 US

Inspect your Shorts and SOCs

Anthony Spina (ADP LLC, US)

 US

Improving Useful Data Extraction from Cybersecurity Incident Reports

Matthew Sisk (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US); Samuel Perl (Software Engineering Institute, US)

12:15 – 12:45
 LV

Non-Formal Learning Approaches for CSIRT Teams

Svetlana Amberga (CERT.LV, LV)

 US BR

Moving Like a Spook Through Walls or Being Just a Shadow for APT Detectors

Dmitry Bestuzhev (Kaspersky Lab, US); Fabio Assolini (Kaspersky Lab, BR)

 DE IT

Experiences in Threat Data Processing and Analysis Using Open Source Software

Morton Swimmer (Trend Micro, Inc, DE); Rainer Vosseler (Trend Micro, Inc., DE); Vincenzo Ciancaglini (Trend Micro, Inc., IT)

12:45 – 14:00

Closing Remarks

14:00 – 15:00

Lunch Break