Conference Program

For additional pre- and post-conference programming, please check the Additional Programming page. Separate registrations apply.

This is a working draft agenda. Agenda is subject to change.

Sunday, 11 June

Pre-Conference
11:00 – 17:00

FIRST Hackathon - Flamingo A

14:00 – 19:00

Amazon & FIRST Security Jam Orientation - Tropical Ballroom

18:30 – 19:00

Newbie Reception - Atlantic Garden

19:00 – 21:00

Ice Breaker Reception - Atlantic Garden

Monday, 12 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote

Alex Stamos (Facebook)

10:45 – 11:15

Coffee Break

Red Team SIG Meeting

10:45 – 12:15

11:15 – 12:00
 US

Measuring Similarity Between Cyber Security Incident Reports

Samuel Perl (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US); Zachary Kurtz (Software Engineering Institute, US)

 US

Beyond Matching: Applying Data Science Techniques to IOC-based Detection

Alex Pinto (Niddel, US)

 US

Navigating the High Seas of Ransomware

Prince Donyina (Cyber Defense Solutions, LLC, US); Tim Slaybaugh (Northrop Grumman Corporation, US)

 US

Windows Credentials, Attacks, and Mitigation Techniques

Chad Tilbury (SANS Institute, US)

11:15 – 12:45

12:00 – 12:45
 FR

Active Directory: How To Change a Weak Point Into a Leverage for Security Monitoring

Vincent Le Toux (Engie, FR)

 GB AT

IoCannon: Blasting Back on Attackers with Economics -or- How do we Improve the Power of IoCs?

Eireann Leverett (Concinnity Risks and Privacy International, GB); Marion Marschalek (Independent, AT)

 US CR

The Ransomware Odyssey: Their Relevance and Their Kryptonite

Kevin Figueroa (CNSI, US); Marco Figueroa, Ronald Eddings (Intel, US); Sue Ballestero (Intel, CR)

12:45 – 14:00

Lunch Break

13:00 – 15:00

Ethics SIG Meeting

14:00 – 14:45
 US

Building a High Performing Cyber Security Team on the Cheap

Christopher Payne (Target, US)

 NO

Threat Ontologies for Cyber Security Analytics

Martin Eian (mIRT/mnemonic AS, NO)

 US

Cyber Terrorist Activity: The New Way to Cause Chaos

Kyle Wilhoit (DomainTools, US)

 US

OSS Security: That’s Real Mature Of You!

Christine Gadsby (BlackBerry, US); Jake Kouns (Risk Based Security, US)

14:00 – 15:30

14:45 – 15:30
 CA

Building a Product Security Team – The Good, the Bad and the Ugly - Lessons from the Field

Peter Morin (Forcepoint, CA)

 FI

Best Practices for Building a Large Scale Sensor Network

Juhani Eronen (NCSC-FI / FICORA, FI)

 ES

Are West African Cybercriminals on Safari in your Network?

David Sancho (Trend Micro, ES)

15:30 – 16:00

Coffee Break

16:00 – 16:30
 PL

Trying to Know Your Own Backyard (A National CERT Perspective)

Paweł Pawliński (CERT Polska / NASK, PL)

 US GB

WatchEvaluateEnrichPunch (WEEP): A Poor Man’s Self-Defence Host Monitor.

Adrian Sanabria (451, US); Konrads Smelkovs (KPMG LLP, GB)

 JP

SDN Control System Based on Threat Level of Shared Information

Takuho Mitsunaga (The University of Tokyo, JPCERT/CC, JP)

FIRST Update: Financial & Business Review

FIRST Members Only

16:00 – 17:00

16:30 – 17:00
 CA

Digital Supply Chain: The Exposed Flank In 2017

Dave Lewis (Akamai Technologies, CA)

 LU

AIL Framework - Analysis Information Leak Framework

Alexandre Dulaunoy, Steve Clement (CIRCL - Computer Incident Response Center Luxembourg, LU)

 US

HIRT Locker 2.0 - Next Generation Hunting

Christopher Butera (US-CERT, US)

Tuesday, 13 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote

Darren Bilby (Google)

10:45 – 11:15

Coffee Break

Malware Analysis SIG Meeting

10:45 – 12:45

11:15 – 11:45
 US

Communicating Risk: A Comparative Approach to Vulnerability Remediation

Mark-David Mclaughlin (Cisco, US)

 TW RU

Hunting for Threats in Academic Networks

Fyodor Yarochkin (TrendMicro, TW); Vladimir Kropotov (Trend Micro, RU)

 MY

A Practical Workflow for Automation and Orchestration of Threat Intelligent Information for Global Mitigation of Large-Scale Cyber Attacks: Case Study on Mirai Botnet Takedown in Malaysia

Megat Muazzam Abdul Mutalib, Sharifah Roziah Mohd Kassim (CyberSecurity Malaysia, MY)

 US

TBA

Fatima Rivera (Google, US)

11:15 – 12:00

11:45 – 12:15
 US

The Arrr in PSIRT

Beverly Finch (Lenovo, US)

 DE

Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

Ben Stock, Christian Rossow (CISPA, DE)

 MY US

Panel Topic: Mirai: How Did We Do?

Megat Muazzam Bin Abdul Mutalib (MyCERT, MY); Merike Kaeo (Farsight Security, US)

11:45 – 12:45

12:15 – 12:45
 TW RU

Web as ongoing threat vector: case studies from Europe and Asia Pacific

Fyodor Yarochkin (TrendMicro, TW); Vladimir Kropotov (Trend Micro, RU)

 DE

Experiences and Lessons Learned from a Siemens-Wide Security Patch Management Service for Products

Manuel Ifland (Siemens AG, DE)

 CH

Trust Nothing: Google's Approach to Enterprise Security in Forensic Context

Jan Monsch (Google, CH)

12:15 – 13:00

12:45 – 14:00

Lunch Break

14:00 – 14:45
 PL

How To Ruin Your Weekend (And Business) In Few Simple Steps

Przemek Jaroszewski (CERT Polska/NASK, PL)

 CH

Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

Tom Ueltschi (Swiss Post, CH)

 DE

Dismantling the Avalanche Botnet

Kaspar Clos (CERT-Bund / BSI, DE)

 CH

TBD

Jan Monsch (Google, CH)

VRDX SIG Meeting

14:00 – 15:30

14:45 – 15:30
 BE

Handling an Incident in CERT-EU

Emilien Le Jamtel (CERT-EU, BE)

 US

Defensive Evasion: How APT Adversaries Bypass Security Controls

Phil Burdette (SecureWorks, US)

 FI

Disrupting IoT Worms in Finland (2016 Edition)

Markus Lintula (NCSC-FI / FICORA, FI)

 US

Remediation Ballet: Choreographing Your Team To Victory

Matt Linton (Google, US)

15:30 – 16:00

Coffee Break

16:00 – 16:30
 US

These Aren't The IR Processes You're Looking For

Jake Kouns (Risk Based Security, US)

 CZ

Malicious Proxy Auto-Configs: Harvesting Credentials From Web Forms Made Easy

Jan Sirmer, Jaromir Horejsi (Avast Software, CZ)

 GB

Hajime & the Mainline DHT

Kevin O'Sullivan (BT Plc, GB)

 CH

Finding An Intruder in a 10TB Haystack: The Benefits of Similarity Searching

Thomas Dullien (Google, CH)

16:00 – 16:45

Education Summit on PSIRT/CSIRT Services Framework

16:00 – 17:00

16:30 – 17:00
 FI

From Bullet Journal to Lessons Learned: How to Manage Coordination and Cooperation Development in Ad-hoc Working Environment?

Jarna Hartikainen (NCSC-FI, FI)

 MY

Collaborative Information Sharing Model for Malware Threat Analysis

Aswami Ariffin, Zahri Yunos (CyberSecurity Malaysia, MY)

 US

Panel Topic: Friend or Foe? Named Flaws, the Impact to Your Products and Your Customers

Amy Rose, Beverly Finch (Lenovo, US); Art Manion (CERT Coordination Center (CERT/CC), US); Lisa Bradley (NVIDIA, US)

16:30 – 17:30

17:00 – 17:30
 NL

Revising the TLP - Lessons Learned

Don Stikvoort (S-CURE bv, NL)

 DE

Countering Innovative Sandbox Evasion Techniques Used by Malware

Carsten Willems, Frederic Besler, Ralf Hund (VMRay, DE)

Q/A with speakers

17:30 – 19:30

Wednesday, 14 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote: Cybersecurity and the Age of Privateering

Florian Egloff (University of Oxford)

10:45 – 11:15

Coffee Break

11:15 – 12:00
 NL

Ozon: Running a Gap Bridging Cybercrisis Exercise

Remon Klein Tank (SURFcert, NL)

 AE

CSIRT Under Attack

Riccardo Tani (Si Cyber Consult, AE)

 US

THINKPWN: PSIRT Case Study of a Zero-Day

Amy Rose (Lenovo, US)

Q/A Roundtable with Google's Security and Privacy team

11:15 – 12:45

Metrics SIG Meeting (meeting ends 13:15)

11:15 – 12:45

12:00 – 12:45
 US

Steel Sharpens Steel: Using Red Teams to Make Blue Teams Better

Christopher Payne (Target, US)

 DK

Hunting Down MazarBOT

Peter Kruse (CSIS Security Group, DK)

 US

The Budding World of Cloud Storage Abuse and Exploitation: A Technical Deep Dive

Aditya K Sood (BlueCoat, A Symantec Company, US)

12:45 – 14:00

Lunch Break

Vendor SIG Meeting

12:45 – 14:15

14:00 – 14:45
 US

Things That Make You Go HMM: Using a Simple Hunting Maturity Model to Establish and Improve your Threat Hunting Program

David J. Bianco (Target, US)

 IL

A Look into the Long Tale of Cyber Threats

Eyal Paz, Gadi Naveh (Check Point, IL)

 US

You’re Leaking: Incident Response in the World of DevOps

Jerry Dixon (Crowdstrike, US); Levi Gundert (Recorded Future, US)

 US

Managerial Strategies for Improving the Social Maturity of Cybersecurity Incident Response Teams and Multiteam Systems: A Workshop

Daniel Shore, Stephen Zaccaro (George Mason University, US)

14:00 – 15:30

14:45 – 15:30
 US

Building a Threat Hunting Framework for the Enterprise

Joseph Ten Eyck (Target Company, US)

 US

Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates

Christine Drake, Kevin Bocek (Venafi, US)

 NO

The Incident Responder and the Half Year APT

Dr. Martin Eian, Jon Røgeberg (mIRT/mnemonic AS, NO)

Vulnerability Coordination SIG Meeting

14:45 – 16:15

15:30 – 16:00

Coffee Break

16:00 – 17:00

Lightning Talks

 US

Panel Topic: Incident Response Providers: Casework Trends

Brian Klenke (Morphick, US); Eric Szatmary (SecureWorks, US); Robert Floodeen (PwC, US)

 US CA

Panel Topic: Issues Surrounding Internet of Things (IoT) Security Upgradability and Patching

Alan Friedman (National Telecommunications and Information Administration, US); John Banghart (Venable LLP, US); Kent Landfield (McAfee, US); Vic Chung (SAP, CA)

19:00 – 22:00

Thursday, 15 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B-C-D
Other Meetings
09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote

David Willems (NCSC-NL)

10:45 – 11:15

Coffee Break

11:15 – 12:00
 NL PL

How to Become a Mature CSIRT in 3 Steps

Don Stikvoort (S-CURE bv, NL); Mirosław Maj (Open CSIRT Foundation, PL)

 CA

Canaries in a Coal Mine…

Peter Morin (Forcepoint, CA)

 FI

When Phone Networks Go Down - Who You Gonna Call?

Mikko Karikytö (Ericsson, FI)

 US

DNS is NOT Boring! Using DNS to Expose and Thwart Attacks

Rod Rasmussen (Infoblox, US)

11:15 – 12:45

Intro to CVSS

12:00 – 12:45
 US

What Metrics Should a CSIRT Collect to Measure Success (Or What Questions Should We Be Asking and How Do We Get the Answers?)

Robin Ruefle (CERT Division, SEI, CMU, US)

 AU

Lean Gains - Small Team Effectiveness

Ben May (AEMO, AU)

 DE

You Don't Need a Better Car, You Need to Learn How to Drive: On the Importance of Cyber-Defense Line Automation.

Enrico Lovat, Florian Hartmann, Philipp Lowack (Siemens CERT, DE)

CVSS General meeting (open meeting)

12:45 – 14:00

Lunch Break

13:00 – 14:00

CVSS SIG (closed meeting)

14:00 – 14:45
 US

Medical Device Security: A Sucking Chest Wound That Needs Emergency Medicine

Denise Anderson (NH-ISAC, US)

 LU

Blackhole Networks - an Underestimated Source for Information Leaks

Alexandre Dulaunoy, Gerard Wagener (CIRCL, LU); Cynthia Wagner (RESTENA Foundation, LU)

 FR

TheHive: a Scalable, Open Source and Free Incident Response Platform

Saâd Kadhi (Banque de France, FR)

 US

The Art of the Jedi Mind Trick: Learning Effective Communication Skills

Jeff Man (Cybrary.it, US)

14:00 – 15:30

14:45 – 15:30
 GB NO

Embodied Vulnerabilities: Compromising Medical Implants

Eireann Leverett (Concinnity Risks and Privacy International, GB); Marie Moe (SINTEF, NO)

 HR

Improving Network Intrusion Detection with Traffic Denoise

Miroslav Stampar (Information Systems Security Bureau, HR)

 DE

Marvin: Automated Incident Handling at DFN-CERT

Christian Keil, Eugene Brin, Jan Kohlrausch (DFN-CERT, DE)

15:30 – 16:00

Coffee Break

16:00 – 18:00

FIRST Annual General Meeting

FIRST Members Only

Friday, 16 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
09:30 – 09:45

Opening Remarks

Jeffrey Carpenter

09:45 – 10:45
 US

Keynote: Post-Quantum Cryptography

Brian Lamacchia (Microsoft Research, US)

10:45 – 11:15

Coffee Break

Trainer Training

10:45 – 17:45

11:15 – 11:45
 US

PyNetSim: A Modern INetSim Replacement

Jason Jones (Arbor Networks ASERT, US)

 BR

Rio 2016 Olympic CSIRT - creation, operation and lessons learned

Romulo Rocha (Former Rio2016 Committee and now Tempest Security Intelligence, BR)

 US

Deep Learning for Incident Response: Predicting and Visualizing Cyber Attacks Using Open Data, Social Media and GIS

Anne Connell (CERT, US)

 US

::1 The Official Home for IPv6 Attacks

Marco Figueroa, Ronald Eddings (Intel, US)

11:15 – 12:45

11:45 – 12:15
 JP

APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon -

Shusei Tomonaga (JPCERT/CC, JP)

 BR

Implementing a country-wide sensor infrastructure for proactive detection of malicious activity.

Edilson Lima, Rildo Souza (RNP, BR)

 US

Improving Useful Data Extraction from Cybersecurity Incident Reports

Matthew Sisk, Samuel Perl (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US)

12:15 – 12:45
 LV

Non-Formal Learning Approaches for CSIRT Teams

Svetlana Amberga (CERT.LV, LV)

 US BR

Moving Like a Spook Through Walls or Being Just a Shadow for APT Detectors

Dmitry Bestuzhev (Kaspersky Lab, US); Fabio Assolini (Kaspersky Lab, BR)

 DE IT

Experiences in Threat Data Processing and Analysis Using Open Source Software

Morton Swimmer (Trend Micro, Inc, DE); Rainer Vosseler (Trend Micro, Inc., DE); Vincenzo Ciancaglini (Trend Micro, Inc., IT)

12:45 – 14:00

Closing Remarks

14:00 – 15:00

Lunch Break