Conference Program

For additional pre and post conference programming, please check the Additional Programming page. Separate registrations apply.

This is a working draft agenda. Agenda is subject to change.

Sunday, 11 June

Pre-Conference
08:00 – 10:00

Registration

11:00 – 17:00

FIRST Hackathon - Flamingo A

14:00 – 19:00

FIRST & Amazon Security Jam Orientation - Tropical Ballroom

18:30 – 19:00

Newbie Reception - Atlantic Garden

19:00 – 21:00

Ice Breaker Reception - Atlantic Garden

Monday, 12 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
08:00 – 17:00

Registration

09:00 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote

Alex Stamos (Facebook)

10:45 – 11:15

Coffee Break

Red Team SIG Meeting

10:45 – 12:15

11:15 – 12:00
 US

Measuring Similarity Between Cyber Security Incident Reports

Samuel Perl, Zachary Kurtz (Software Engineering Institute, US)

 US

Beyond Matching: Applying Data Science Techniques to IOC-based Detection

Alex Pinto (Niddel, US)

 AE

CSIRT Under Attack

Riccardo Tani (Si Cyber Consult, AE)

 US

Windows Credentials, Attacks, and Mitigation Techniques

Chad Tilbury (SANS Institute, US)

11:15 – 12:45

12:00 – 12:45
 FR

Active Directory : How To Change a Weak Point Into a Leverage for Security Monitoring

Vincent Le Toux (Engie, FR)

 GB AT

IoCannon: Blasting Back on Attackers with Economics -or- How do we Improve the Power of IoCs?

Eireann Leverett (Concinnity Risks, GB); Marion Marschalek (Independant, AT)

 US CR

The Ransomware Odyssey: Their Relevance and Their Kryptonite

Marco Figueroa, Ronald Eddings (Intel Corporation, US); Sue Ballestero (Intel, CR)

12:45 – 14:00

Lunch Break

Ethics SIG Meeting

12:45 – 15:00

14:00 – 14:45
 US

Building a High Performing Cyber Security Team on the Cheap

Christopher Payne (Target, US)

 NO

Threat Ontologies for Cyber Security Analytics

Dr. Martin Eian (mIRT/mnemonic AS, NO)

 US

Cyber Terrorist Activity: The New Way to Cause Chaos

Kyle Wilhoit (DomainTools, US)

 US

OSS Security: That’s Real Mature Of You!

Christine Gadsby (BlackBerry, US); Jake Kouns (Risk Based Security, US)

14:00 – 15:30

14:45 – 15:30
 CA

Building a Product Security Team – The Good, the Bad and the Ugly - Lessons from the Field

Peter Morin (Forcepoint, CA)

 FI

Best Practices for Building a Large Scale Sensor Network

Juhani Eronen (NCSC-FI / FICORA, FI)

 ES

Are West African Cybercriminals on Safari in your Network?

David Sancho (Trend Micro, ES)

15:30 – 16:00

Coffee Break

16:00 – 16:30
 PL

Trying to Know Your Own Backyard (A National CERT Perspective)

Paweł Pawliński (CERT Polska / NASK, PL)

 US GB

WatchEvaluateEnrichPunch (WEEP): A Poor Man’s Self-Defence Host Monitor.

Adrian Sanabria (Savage Security, US); Konrads Smelkovs (KPMG LLP, GB)

 JP

SDN Control System Based on Threat Level of Shared Information

Takuho Mitsunaga (The University of Tokyo, JPCERT/CC, JP)

FIRST Update: Financial & Business Review

FIRST Members Only

16:00 – 17:00

Information Exchange Policy SIG Meeting

16:00 – 17:00

16:30 – 17:00
 GB

Digital Supply Chain: The Exposed Flank In 2017

Martin McKeay (Information Security Industry, GB)

 LU

AIL Framework - Analysis Information Leak Framework

Alexandre Dulaunoy, Steve Clement (CIRCL - Computer Incident Response Center Luxembourg, LU)

 US

HIRT Locker 2.0 - Next Generation Hunting

Christopher Butera (US-CERT, US)

Tuesday, 13 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
08:30 – 17:30

Registration

09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote: A Decade of Lessons in Incident Response

Darren Bilby (Google)

10:45 – 11:15

Coffee Break

Malware Analysis SIG Meeting

10:45 – 12:45

11:15 – 11:45
 US

Communicating Risk: A Comparative Approach to Vulnerability Remediation

Mark-David Mclaughlin (Cisco, US)

 TW RU

Hunting for Threats in Academic Networks

Fyodor Yarochkin (Trend Micro, TW); Vladimir Kropotov (Trend Micro, RU)

 MY

A Practical Workflow for Automation and Orchestration of Threat Intelligent Information for Global Mitigation of Large-Scale Cyber Attacks: Case Study on Mirai Botnet Takedown in Malaysia

Megat Muazzam Abdul Mutalib (CyberSecurity Malaysia, MY)

 US

Change is the Only Constant: The Progression of Detection and Response at Google

Fatima Rivera (Google, US)

11:15 – 12:00

11:45 – 12:15
 US

The Arrr in PSIRT

Beverly Finch (Lenovo, US)

 DE

Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

Ben Stock, Christian Rossow (CISPA, DE)

 US MY CN

Panel Topic: Mirai: How Did We Do?

Chris Baker (Dyn, US); Megat Muazzam Bin Abdul Mutalib (MyCERT, MY); Merike Kaeo (Farsight Security, US); Yiming Gong (Qihoo 360, CN)

11:45 – 12:45

12:15 – 12:45
 TW RU

Web as ongoing threat vector: case studies from Europe and Asia Pacific

Fyodor Yarochkin (Trend Micro, TW); Vladimir Kropotov (Trend Micro, RU)

 DE

Experiences and Lessons Learned from a Siemens-Wide Security Patch Management Service for Products

Manuel Ifland (Siemens AG, DE)

 CH

Trust Nothing: Google's Approach to Enterprise Security in Forensic Context

Jan Monsch (Google, CH)

12:45 – 14:00

Lunch Break

14:00 – 14:45
 US

Things That Make You Go HMM: Using a Simple Hunting Maturity Model to Establish and Improve your Threat Hunting Program

David J. Bianco (Target, US)

 CH

Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

Tom Ueltschi (Swiss Post, CH)

 DE

Dismantling the Avalanche Botnet

Kaspar Clos (CERT-Bund / BSI, DE)

 US

TBD

Andy Bohm (Google, US)

VRDX SIG Meeting

14:00 – 15:30

14:45 – 15:30
 US

Building a Threat Hunting Framework for the Enterprise

Joseph Ten Eyck (Target Company, US)

 US

Defensive Evasion: How APT Adversaries Bypass Security Controls

Aaron Shelmire (SecureWorks, US)

 FI

Disrupting IoT Worms in Finland (2016 Edition)

Markus Lintula (NCSC-FI / FICORA, FI)

 US

Remediation Ballet: Choreographing Your Team To Victory

Matt Linton (Google, US)

15:30 – 16:00

Coffee Break

16:00 – 16:30
 US

These Aren't The IR Processes You're Looking For

Jake Kouns (Risk Based Security, US)

 CZ

Malicious Proxy Auto-Configs: Harvesting Credentials From Web Forms Made Easy

Jan Sirmer, Jaromir Horejsi (Avast Software, CZ)

 GB

Hajime & the Mainline DHT

Kevin O'Sullivan (BT Plc, GB)

 CH

Finding An Intruder in a 10TB Haystack: The Benefits of Similarity Searching

Thomas Dullien (Google, CH)

16:00 – 16:45

Information Sharing SIG Meeting

16:00 – 17:00

16:30 – 17:00
 FI

From Bullet Journal to Lessons Learned: How to Manage Coordination and Cooperation Development in Ad-hoc Working Environment?

Jarna Hartikainen (NCSC-FI, FI)

 MY

Collaborative Information Sharing Model for Malware Threat Analysis

Aswami Ariffin (CyberSecurity Malaysia, MY)

 US

Panel Topic Friend or Foe? Named Flaws, the Impact to Your Products and Your Customers

Amy Rose, Beverly Finch (Lenovo, US); Art Manion (CERT Coordination Center (CERT/CC), US); Lisa Bradley (NVIDIA, US)

16:30 – 17:30

17:00 – 17:30
 NL

Revising the TLP - Lessons Learned

Don Stikvoort (Open CSIRT Foundation, NL)

 DE

Countering Innovative Sandbox Evasion Techniques Used by Malware

Carsten Willems, Frederic Besler (VMRay, DE)

Q/A with speakers

17:30 – 19:30

Wednesday, 14 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
08:00 – 09:15

Passive DNS Exchange SIG Meeting

08:30 – 17:00

Registration

09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45

Keynote: Cybersecurity and the Age of Privateering

Florian Egloff (University of Oxford)

10:45 – 11:15

Coffee Break

11:15 – 12:00
 NL

Ozon: Running a Gap Bridging Cybercrisis Exercise

Remon Klein Tank (SURFcert, NL)

 US

Update on PSIRT/CSIRT Services Framework

Peter Allor (IBM, US)

11:15 – 12:45

 US

THINKPWN: PSIRT Case Study of a Zero-Day

Amy Rose (Lenovo, US)

Q/A Roundtable with Google's Security and Privacy team

11:15 – 12:45

Metrics SIG Meeting (meeting ends 13:15)

11:15 – 12:45

12:00 – 12:45
 US

Steel Sharpens Steel: Using Red Teams to Make Blue Teams Better

Christopher Payne (Target, US)

 US

The Budding World of Cloud Storage Abuse and Exploitation : A Technical Deep Dive

Aditya K Sood (BlueCoat, A Symantec Company, US)

12:45 – 14:00

Lunch Break

Vendor SIG Meeting

12:45 – 14:15

14:00 – 14:45
 PL

How To Ruin Your Weekend (And Business) In Few Simple Steps

Przemek Jaroszewski (CERT Polska/NASK, PL)

 IL

A Look into the Long Tale of Cyber Threats

Eyal Paz, Gadi Naveh (Check Point, IL)

 US

You’re Leaking: Incident Response in the World of DevOps

Jerry Dixon (Crowdstrike, US); Levi Gundert (Recorded Future, US)

 US

Managerial Strategies for Improving the Social Maturity of Cybersecurity Incident Response Teams and Multiteam Systems: A Workshop

Daniel Shore, Stephen Zaccaro (George Mason University, US)

14:00 – 15:30

14:45 – 15:30
 BE

Handling an Incident in CERT-EU

Emilien Le Jamtel (CERT-EU, BE)

 US

Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates

Kevin Bocek (Venafi, US)

 NO

The Incident Responder and the Half Year APT

Dr. Martin Eian, Jon Røgeberg (mIRT/mnemonic AS, NO)

Vulnerability Coordination SIG Meeting

14:45 – 16:15

15:30 – 16:00

Coffee Break

16:00 – 17:00

Lightning Talks

 US

Panel Topic: Incident Response Providers: Casework Trends

Brian Klenke (Morphick, US); Eric Szatmary (SecureWorks, US); Robert Floodeen (PwC, US)

 US CA

Panel Topic: Issues Surrounding Internet of Things (IoT) Security Upgradibility and Patching

Allan Friedman (National Telecommunications and Information Administration, US); John Banghart (Venable LLP, US); Kent Landfield (McAfee, US); Vic Chung (SAP, CA)

Wannacry: Lessons Learned

19:00 – 22:00

Thursday, 15 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B-C-D
Other Meetings
08:30 – 17:00

Registration

09:30 – 09:45

Opening Remarks

Klaus-Peter Kossakowski

09:45 – 10:45
 NL

Keynote: 18 Years Old, it's Time to Become Mature

Martijn de Hamer (NCSC-NL, NL)

10:45 – 11:15

Coffee Break

11:15 – 12:00
 NL PL

How to Become a Mature CSIRT in 3 Steps

Don Stikvoort (Open CSIRT Foundation, NL); Mirosław Maj (Open CSIRT Foundation, PL)

 CA

Canaries in a Coal Mine…

Peter Morin (Forcepoint, CA)

 FI

When Phone Networks Go Down - Who You Gonna Call?

Mikko Karikytö (Ericsson, FI)

 US

DNS is NOT Boring! Using DNS to Expose and Thwart Attacks

Rod Rasmussen (Infoblox, US)

11:15 – 12:45

Intro to CVSS

12:00 – 12:45
 US

What Metrics Should a CSIRT Collect to Measure Success (Or What Questions Should We Be Asking and How Do We Get the Answers?)

Robin Ruefle (CERT Division, SEI, CMU, US)

 AU

Lean Gains - Small Team Effectiveness

Ben May (AEMO, AU)

 DE

You Don't Need a Better Car, You Need to Learn How to Drive: On the Importance of Cyber-Defense Line Automation.

Enrico Lovat, Florian Hartmann, Philipp Lowack (Siemens CERT, DE)

CVSS General meeting (open meeting)

12:45 – 14:00

Lunch Break

CVSS SIG (closed meeting)

14:00 – 14:45
 US

Medical Device Security: A Sucking Chest Wound That Needs Emergency Medicine

Denise Anderson (NH-ISAC, US)

 LU

Blackhole Networks - an Underestimated Source for Information Leaks

Alexandre Dulaunoy (CIRCL, LU)

 FR

TheHive: a Scalable, Open Source and Free Incident Response Platform

Saâd Kadhi (Banque de France, FR)

 US

The Art of the Jedi Mind Trick: Learning Effective Communication Skills

Jeff Man (Cybrary.it, US)

14:00 – 15:30

14:45 – 15:30
 GB NO

Embodied Vulnerabilities: Compromising Medical Implants

Eireann Leverett (Concinnity Risks, GB); Marie Moe (SINTEF, NO)

 HR

Improving Network Intrusion Detection with Traffic Denoise

Miroslav Stampar (Information Systems Security Bureau, HR)

 DE

Marvin: Automated Incident Handling at DFN-CERT

Eugene Brin, Jan Kohlrausch (DFN-CERT, DE)

15:30 – 16:00

Coffee Break

16:00 – 18:00

FIRST Annual General Meeting

FIRST Members Only

Friday, 16 June

San Geronimo B
Management Track
San Geronimo A
Technical Track
San Geronimo C
Technical Track
Auditorium
Team Insights
Flamingo A-B
Other Meetings
09:00 – 11:00

Registration

09:30 – 09:45

Opening Remarks

Jeffrey Carpenter

09:45 – 10:45
 US

Keynote: Post-Quantum Cryptography

Brian Lamacchia (Microsoft Research, US)

10:45 – 11:15

Coffee Break

Trainer Training

10:45 – 17:45

11:15 – 11:45
 US

PyNetSim: A Modern INetSim Replacement

Jason Jones (Arbor Networks ASERT, US)

 BR

Rio 2016 Olympic CSIRT - Creation, Operation and Lessons Learned

Romulo Rocha (Former Rio2016 Commitee and now Tempest Security Intelligence, BR)

 US

Deep Learning for Incident Response: Predicting and Visualizing Cyber Attacks Using Open Data, Social Media and GIS

Anne Connell (CERT, US)

 US

::1 The Official Home for IPv6 Attacks

Josh Porter (McAfee, US); Marco Figueroa, Ronald Eddings (Intel Corporation, US)

11:15 – 12:45

11:45 – 12:15
 JP

APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon -

Shusei Tomonaga (JPCERT/CC, JP)

 BR

Implementing a Country-wide Sensor Infrastructure for Proactive Detection of Malicious Activity

Edilson Lima, Rildo Souza (RNP, BR)

 US

Improving Useful Data Extraction from Cybersecurity Incident Reports

Matthew Sisk (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US); Samuel Perl (Software Engineering Institute, US)

12:15 – 12:45
 LV

Non-Formal Learning Approaches for CSIRT Teams

Svetlana Amberga (CERT.LV, LV)

 US BR

Moving Like a Spook Through Walls or Being Just a Shadow for APT Detectors

Dmitry Bestuzhev (Kaspersky Lab, US); Fabio Assolini (Kaspersky Lab, BR)

 DE

Experiences in Threat Data Processing and Analysis Using Open Source Software

Morton Swimmer (Trend Micro, Inc, DE)

12:45 – 14:00

Closing Remarks

14:00 – 15:00

Lunch Break

National CSIRT meeting (invitation only)

14:00 – 18:00

18:00 – 19:30

National CSIRT Reception (invitation only)

Saturday, 17 June

Other Meetings
08:00 – 17:00

National CSIRT meeting (invitation only)