FIRST is offering training courses on Sunday, 16 June. Training courses require an additional registration form (free of charge) and are open to any registered conference attendee.
Individuals may register for ONE training course. Exception: participants can register for BOTH Train the Trainer sessions.
The courses below listed as Train the Trainer are sessions for people wishing to teach the FIRST DDoS Mitigation Fundamentals and the IPv6 Security training courses at a future engagement on behalf of FIRST. The sessions will be taught by Krassimir Tzvetanov and Frank Herberg, respectively, the original authors of the material. (Prospective trainers may choose to take both the course and then the Train the Trainers sessions if desired).
The trainings are open to qualified members of the FIRST community. By signing up for this training, you commit to volunteer in the FIRST training activities as outlined in our Trainers documentation.
Please submit your request to register for the training(s) or any questions about the trainer program by 15 May to first-sec@first.org. We will review your request and respond as soon as possible.
Pre-requisites for Train the Trainer DDoS session:
To attend this session, basic networking and systems know-how is required, and possibly some experience as a trainer is required.
As a benchmark, we expect people to be familiar with materials covered in any of the following certifications:
Pre-requisites for Train the Trainer IPv6 Security session:
Participants of this module are required to have a solid understanding of networking fundamentals – in particular, a solid understanding of IPv4 and a good understanding of IPv6.
You should be familiar with the materials covered in Chapters 2,3,5 and 6 of the NIST Guidelines for the Secure Deployment of IPv6.
Lowther | Level -1
Menteith | Level -1
Kilsyth | Level 0
Tinto | Level 0
Moorfoot | Level 0
Pentland | Level 3
| Lowther Level -1 | Menteith Level -1 | Kilsyth Level 0 | Tinto Level 0 | Moorfoot Level 0 | Pentland Level 3 | |
|---|---|---|---|---|---|---|
| 09:00 – 10:30 | CH IPv6 Security (Half-Day, Morning) Frank Herberg (SWITCH-CERT, CH) | US Train the Trainer: DDoS Mitigation (Half-Day, Morning) Krassimir Tzvetanov (Purdue University, US) | LU Forensics Challenge Workshop (Full-Day) Michael Hamm (CIRCL, LU) | SIM3 for CSIRT Maturity Assessment (Full-Day) Olivier Caleff, Miroslaw Maj, Don Stikvoort (OpenCSIRT Foundation) | NO ACT Threat Intelligence Platform (Full-Day) Dr. Martin Eian (mnemonic, NO) | US You Found A Malware, Now What? (Full-Day) Uttang Dawda (US) |
| 10:30 – 10:45 | Break | |||||
| 10:45 – 13:00 | CH IPv6 Security (Half-Day, Morning) Frank Herberg (SWITCH-CERT, CH) | US Train the Trainer: DDoS Mitigation (Half-Day, Morning) Krassimir Tzvetanov (Purdue University, US) | LU Forensics Challenge Workshop (Full-Day) Michael Hamm (CIRCL, LU) | SIM3 for CSIRT Maturity Assessment (Full-Day) Olivier Caleff, Miroslaw Maj, Don Stikvoort (OpenCSIRT Foundation) | NO ACT Threat Intelligence Platform (Full-Day) Dr. Martin Eian (mnemonic, NO) | US You Found A Malware, Now What? (Full-Day) Uttang Dawda (US) |
| 13:00 – 14:00 | Lunch Break -- Lunch Not Provided | |||||
| 14:00 – 15:30 | CH Train the Trainer: IPv6 Security (Half-Day, Afternoon) Frank Herberg (SWITCH-CERT, CH) | US DDoS Mitigation (Half-Day, Afternoon) Krassimir Tzvetanov (Purdue University, US) | LU Forensics Challenge Workshop (Full-Day) Michael Hamm (CIRCL, LU) | SIM3 for CSIRT Maturity Assessment (Full-Day) Olivier Caleff, Miroslaw Maj, Don Stikvoort (OpenCSIRT Foundation) | NO ACT Threat Intelligence Platform (Full-Day) Dr. Martin Eian (mnemonic, NO) | US You Found A Malware, Now What? (Full-Day) Uttang Dawda (US) |
| 15:30 – 15:45 | Break | |||||
| 15:45 – 18:00 | CH Train the Trainer: IPv6 Security (Half-Day, Afternoon) Frank Herberg (SWITCH-CERT, CH) | US DDoS Mitigation (Half-Day, Afternoon) Krassimir Tzvetanov (Purdue University, US) | LU Forensics Challenge Workshop (Full-Day) Michael Hamm (CIRCL, LU) | SIM3 for CSIRT Maturity Assessment (Full-Day) Olivier Caleff, Miroslaw Maj, Don Stikvoort (OpenCSIRT Foundation) | NO ACT Threat Intelligence Platform (Full-Day) Dr. Martin Eian (mnemonic, NO) | US You Found A Malware, Now What? (Full-Day) Uttang Dawda (US) |
Dr. Martin EianDr. Martin Eian (mnemonic, NO)
Course Level: Beginner – Intermediate
Intended Audience: Threat analysts/researchers/hunters, SOC analysts, Incident responders
Pre-requisites: Laptop with Linux VM
Hardware requirements Standard laptop, Virtual Machine sufficient. Participants do not need a virtual machine to participate in the ACT training. Everything is set up in AWS, so only an Internet connection is needed. Advanced participants that want to use the API and create workers for the platform will need a Python environment; any vanilla Linux distro (either VM or installed as the laptop OS) should be more than enough.
Abstract: ACT: The Open Threat Intelligence Platform
The ACT platform is an open source, scalable graph database with support for granular access control and workflow management. ACT enables advanced threat enrichment, threat analysis, visualization, process automation, information sharing, and powerful graph analytics. Its modular design and APIs facilitate implementing new workers for enrichment, analysis, information sharing, and countermeasures.
Key takeaways for the ACT training participants:
The ACT platform source code is available on Github, ISC license (BSD compatible): https://github.com/mnemonic-no
A read-only platform instance pre-loaded with OSINT is available on AWS: https://act-eu1.mnemonic.no https://act-eu1.mnemonic.no/examples/
Topics:
June 16, 2019 09:00-10:30, June 16, 2019 10:45-13:00, June 16, 2019 14:00-15:30, June 16, 2019 15:45-18:00
2019-06-16-ACT-FIRST-Training.pdf
MD5: 3502c6587e9eb1c730a459c844b720ce
Format: application/pdf
Last Update: August 22nd, 2019
Size: 3.84 Mb
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
Krassimir Tzvetanov is a security engineer at Fastly, a high performance CDN designed to accelerate content delivery as well as serve as a shield against DDoS attacks.
In the past he worked for hardware vendors like Cisco and A10 focusing on threat research, DDoS mitigation features, product security and best security software development practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc. where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo! Krassimir worked at Google, Inc. as an SRE for two mission critical systems, the ads database supporting all incoming revenue from ads and the global authentication system which served all of the company applications.
Krassimir has established a couple of Threat Intelligence programs at past employers in the past and has been actively involved in the security community facilitating information exchange in large groups.
Currently Krassimir is a co-chair and co-founder of the FIRST CTI SIG.
Before retiring, he was a department lead for DefCon, and an organizer of the premier BayArea security event BayThreat. In the past he was also an organizer of DC650 - a local BayArea security meetup.
Krassimir holds a Bachelors in Electrical Engineering (Communications) and Masters in Digital Forensics and Investigations.
In this class, the attendees will go over the basics of Denial of Service. It starts with coverage of the different parts of the stack that can be attacked and transitions into a discussion about the currently popular types of DDoS: reflection attacks, SYN flood, Sloworis, etc.
While it covers different attack types, it supplements the attack descriptions with detailed technical explanation of the specific operating system components like sockets, buffers, etc.
The class is interlaced with a number of exercises allowing the attendees to manually configure different mitigations.
In general, the workshop focuses on the technologies and not on particular vendor implementation. The test platform is vendor agnostic and uses a Linux VM to illustrate the attacks and mitigations.
Hardware and Software Requirements:
June 16, 2019 14:00-15:30, June 16, 2019 15:45-18:00
Michael HammMichael Hamm (CIRCL, LU)
Michael Hamm has worked for more than 10 years as Ingenieur-Security in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center “Henry Tudor” in Luxembourg. Since 2010, Michael has worked as an operator and analyst at CIRCL – Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.
Course Level: Beginner - Intermediate
Intended Audience: Security/SOC analysts, CSIRT/CERT team members, forensics investigators.
Pre-requisites: Forensic Workstation: Linux (Kali, DEFT, SANS SIFT).
Hardware Requirements: Standard Laptop, Virtual Machine sufficient. The participant should show up with any kind of (Virtual) Forensics Workstation they usually prefer to work with. If the participant is quite new in forensics but knows Linux, either 'Kali Linux' or 'SANS SIFT Workstation' as virtual PC is a good choice.
Abstract: In this course you will solve some small size challenges to train your skills in forensics with open source tools.
Topics:
June 16, 2019 09:00-10:30, June 16, 2019 14:00-15:30, June 16, 2019 15:45-18:00, June 16, 2019 10:45-13:00
Frank Herberg (SWITCH-CERT, CH)
After completing his studies in engineering, Frank Herberg worked on IT infrastructure and security projects for a number of technology consulting firms. In 2012, he joined SWITCH-CERT, where one of his specialties is IPv6 security. In the past years, he conducted divers IPv6 security trainings and hands-on workshops for the security community. Frank is Head of SWITCH-CERT for its Commercial Sectors.
Course Level: Intermediate
Intended Audience: Security/SOC analysts, CSIRT/CERT team members, IT-Security responsible persons.
Pre-requisites: Intermediate or good IPv4 knowledge.
Hardware requirements: None.
Abstract: The Training will give an overview of the security aspects of the 'new' Internet Protocol IPv6. Participants will learn the differences to IPv4-related to security. The training also covers a deep dive into selected protocol details and their accompanied attacks including demonstrations. The participants will get recommendations on the mitigation of IPv6-related attacks and how to strategically approach IPv6 Security in an organization. Last but not least, an overview of useful IPv6 Security Resources and Tools will be provided.
Topics:
June 16, 2019 09:00-10:30, June 16, 2019 10:45-13:00
Olivier Caleff (OpenCSIRT Foundation), Miroslaw Maj (OpenCSIRT Foundation), Don Stikvoort (OpenCSIRT Foundation)
Olivier CALEFF, FIRST liaison. Olivier Caleff is currently in charge of Cyber Resilience at SANOFI, a global healthcare leader with more than 100.000 employees in 100 countries, and providing healthcare solutions in more than 170 countries. Prior to SANOFI, he managed for 5 years the international relationships for ANSSI’s CERT-FR – the French governmental and national CSIRT – liaising with partners, other CSIRTs and institutional bodies. He has been involved in incident handling and an increasing number of CSIRT-related organizations (FIRST, TF-CSIRT, CSIRTs Network, InterCERT-FR) since 1996. He helped set up some CSIRTs in France, and performed half a dozen FIRST site visits to assess the maturity of the teams CSIRT. He also contributed to various publications, including ENISA documents related to CSIRT maturity, Cloud security and forensics, and security training. He has been delivering various TRANSITS and FIRST security training since 2014, and is an advocate of SIM3, and is a OpenCSIRT’s Certified SIM3 Auditor. For almost 30 years, he has been teaching network and security at engineering schools, universities, and Master of Sciences in French and English.
Miroslaw MAJ, Cybersecurity Foundation, Open CSIRT Foundation, ComCERT.PL. More than 20 years of experience in ICT security. Founder and president of the Cybersecurity Foundation, CEO of the ComCERT company, a former leader of CERT Polska team. In 2017-2018 he was the advisor to the Minister of National Defense of Poland on planning cyberdefense capabilities and building organizational structures as well as establishing international cooperation on the field of cyberdefense. Initiator of Polish Civic Cyberdefence organization. Co-founder of Open CSIRT Foundation - the stewardship organization for SIM3 model. European Network Information Security Agency expert and co-author of many ENISA publications including CERT exercises and paper on improvement CSIRT maturity. He organized 9 editions of cyber exercises in a few countries for most essential sectors (e.g. energy, banking). Speaker on many international conferences including FIRST conferences. He is also the originator organiser Security Case Study conference.
Don STIKVOORT, Open CSIRT Foundation, FIRST liaison. Don Stikvoort, The Netherlands Executive Coach & Master Trainer MSc (summa cum laude) in Physics Internet & Internet Security pioneer, advisor and trainer. Don Stikvoort is partner and co-founder of the companies “S-CURE” and “AVALON Coaching & NLP”. Don has worked in the security area for over 25 years. In 1988 he joined the Dutch national research network. In that capacity he was among the pioneers who created the European Internet, RIPE, the European cooperation of CERTs (TF-CSIRT) and the NL domain registry from 1989 onward. Many CERTs were created with his help and guidance, among which the Dutch national CSIRT, now called NCSC-NL, and teams for universities, major hospitals and multinationals like Philips. Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3, a maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 has now been taken under the wings of the not-for-profit "Open CSIRT Foundation" (OCF) that aims at improving the state of cyber security worldwide, while safeguarding personal freedom, privacy and democracy. Don was one of the founders in 2016 and now the OCF’s Chairman. Don was deeply involved in the IETF and RIPE in the past, and since 1992 he is on the forefront of the global incident response community, and as such a member of FIRST and TF-CSIRT. Together with Dr. Klaus-Peter Kossakowski he initiated and fostered the closer cooperation of European CERTs ever since 1993. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. Don was chairman of the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. Don authored and taught several training modules for the CSIRT community, some of which are being used worldwide today. Starting in 1999, Don was certified in NLP, Time Line Therapy®, Hypnotherapy and Coaching, and started AVALON as a result. AVALON’s portfolio is life & executive coaching, and workshops and intensive training courses in NLP and other “human arts” areas, leading to internationally recognized certifications.
Course Level: All levels (beginners to experts).
Intended Audience:
Pre-requisites: Knowledge about a CSIRT missions, organisation and activities.
Hardware requirements: A computer with: a Web browser or an Excel compatible spreadsheet tool, and a PDF reader.
Abstract:
Topics:
June 16, 2019 09:00-10:30, June 16, 2019 10:45-13:00, June 16, 2019 14:00-15:30, June 16, 2019 15:45-18:00
Krassimir TzvetanovKrassimir Tzvetanov (Purdue University, US)
Krassimir Tzvetanov is a security engineer at Fastly, a high performance CDN designed to accelerate content delivery as well as serve as a shield against DDoS attacks.
In the past he worked for hardware vendors like Cisco and A10 focusing on threat research, DDoS mitigation features, product security and best security software development practices. Before joining Cisco, Krassimir was Dedicated Paranoid (security) at Yahoo!, Inc. where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo! Krassimir worked at Google, Inc. as an SRE for two mission critical systems, the ads database supporting all incoming revenue from ads and the global authentication system which served all of the company applications.
Krassimir has established a couple of Threat Intelligence programs at past employers in the past and has been actively involved in the security community facilitating information exchange in large groups.
Currently Krassimir is a co-chair and co-founder of the FIRST CTI SIG.
Before retiring, he was a department lead for DefCon, and an organizer of the premier BayArea security event BayThreat. In the past he was also an organizer of DC650 - a local BayArea security meetup.
Krassimir holds a Bachelors in Electrical Engineering (Communications) and Masters in Digital Forensics and Investigations.
This module is designed for qualified and approved by FIRST instructors who intend and are committed to teach the DDoS Mitigation Fundamentals class.
Pre-requisites:
June 16, 2019 09:00-10:30, June 16, 2019 10:45-13:00
Frank Herberg (SWITCH-CERT, CH)
After completing his studies in engineering, Frank Herberg worked on IT infrastructure and security projects for a number of technology consulting firms. In 2012, he joined SWITCH-CERT, where one of his specialties is IPv6 security. In the past years, he conducted divers IPv6 security trainings and hands-on workshops for the security community. Frank is Head of SWITCH-CERT for its Commercial Sectors.
Pre-requisites: Participants of this module are required to have a solid understanding of networking fundamentals – in particular, a solid understanding of IPv4 and a good understanding of IPv6. You should be familiar with the materials covered in Chapters 2,3,5 and 6 of the NIST Guidelines for the Secure Deployment of IPv6.
Hardware requirements: None.
Abstract: The Trainer the Trainer session will provide an overview of the different sections of the SWITCH IPv6 Security Training. The aim is to enable FIRST trainers to give the course. The aim of the course is to provide IT & Security staff as well as CERT members with an appropiate level of knowledge about the manifold security aspects of the Internet Protocol Version 6. Moreover students will learn, how to setup a test lab for IPv6 and how to make use of attack tool kits.
Topics:
June 16, 2019 14:00-15:30, June 16, 2019 15:45-18:00
Uttang DawdaUttang Dawda (US)
Uttang Dawda is a leading Threat Intelligence Researcher and Trainer who specializes in identifying cyber threats and reverse engineering malicious software. Uttang is most well known for creating Decryptolocker - an anti-ransomware tool, saving hundreds of thousands of victims, including the FBI and Law Enforcement Agencies globally, from losing their data to ransomware attacks. His tool disrupted millions of dollars of ransom transactions to criminals.
Uttang also specializes in multi-day threat intelligence and reverse engineering trainings and security consulting.
Course Level: Intermediate
Intended Audience: SOC Analysts, Incident Responders, CSIRT/CERT members, aspiring Malware Analysts
Pre-requisites: Network Security, Windows API, x86 Assembly and Programming knowledge a plus
Hardware Requirements: Laptop with Virtualbox/VmWare/Parallels installed
Abstract: Win32:Malware-gen! VirusTotal's frustrating unhelpful response when you are battling hordes of malware infections. In a race against time and a zombie war bigger than Game of Thrones, this workshop will help you understand the enemy and protect your marshmallow castle. Quickly identify the malware and reverse engineer their guts with free tools.
Topics:
June 16, 2019 14:00-15:30, June 16, 2019 15:45-18:00, June 16, 2019 09:00-10:30, June 16, 2019 10:45-13:00
The Global Forum on Cyber Expertise is a global forum on cyber capacity building. This is a meeting of the Taskforce on Cyber Incident Management within the GFCE, which focuses on: (1) collecting incident management capacity building good practices and publishing them, (2) being a broker between GFCE members on capacity building requests, and (3) develop a global capacity measurement standard under leadership of Don Stikvoort, with consulting support from TNO, the Dutch government research organization and ENISA.
This meeting will take place on Sunday, 16 June in the Sidlaw room from 9am-3pm and participation is by invitation only. Inquiries should be directed to maarten@first.org and nynke.stegink@thegfce.org.
| Date/Time | Location |
|---|---|
| Sunday 16th, 09:00 – 15:00 | Sidlaw |
Join us for an afternoon of fun challenges with an IR twist. We will provide the beat and the incident response scenarios where you can learn new skills and practice current ones against a set of simulated security incidents. Can you identify what caused the blues? What would you do differently? How can you architect multiple AWS services to prevent it from happening again? How do you automate the incident response? Take part in our jam to find out!
As the challenges develop, you will take the initial infrastructure, and challenge by challenge, improve it into a resilient and secure deployment. Use your knowledge of AWS services and information security to perform incident response in the cloud and forensic analysis to find out whodunit! We will have a number of experienced AWS experts in the room that will be available to discuss ideas, provide guidance and in general help your team get through any roadblocks that pop up. New to AWS? New to security? Come and join us! Our activities are structured to accommodate AWS users of all levels. We have AWS experts, plus guided exercises, that will ramp up your security knowledge. We will form team on the spot and provide challenges for you to tackle. Just bring your laptop to score the points by solving and get some cool prizes!
| Date/Time | Location |
|---|---|
| Sunday 16th, 13:00 – 17:00 | Lammermuir, Level -2 |
Bird of a Feather Sessions, activities primarily focus on meetings which take place at the conference based on the interest of a number of members. They are not necessarily intended to lead to year round work.
BoF sessions are scheduled to take place during before conference sessions begin (8-9am) or following the final session of the day. We will have an up-to-date-schedule and bulletin board near the registration desk onsite. Attendees are welcome to request a BoF in advance by emailing first-sec@first.org and please include:
BoFs are informal or interactive discussions (not conference presentations) and marketing/product presentations are strictly prohibited. BoFs are assigned on a first come, first served basis and room assignment space is limited. A Schedule of BoFs will be posted once confirmed.
Get your PGP Key signed and sign other keys to increase trust!
| Date/Time | Location |
|---|---|
| Wednesday, June 19th 10:45 – 11:15 | PStrathblane Hall |
| Thursday, June 20th | At AGM in the back of the room |
Alexander Jaeger (FIRST)
PGP is one of the foundations of the security community, and to rely on PGP there needs to be trust in the PGP keys. The trust is made by signatures and validation of identity. FIRST facilitates this community effort by hosting PGP Key signing events.
We will have at least two PGP Key signing events – listen to the opening remarks or a remark at registration desk for changes in regards time/date.
In the past we did not sign team keys and we do not plan to change that.
For those who haven’t participated in the past years it will go like to following:
Hint: Please do not upload your key an hour before the key signing, as I might be printing out the keyring a few hours earlier.
Link: http://biglumber.com/x/web?keyring=4284
14th Annual Technical Meeting for CSIRTs with National Responsibility
Is your organization responsible for protecting the security of nations, economies, and critical infrastructures? If so, attend NatCSIRT 2019 to discuss with your peers the unique challenges you face every day. You will drive discussions that focus on current issues, tools, and methods relevant to the National CSIRT community. This year's meeting is co-located with the 31st Annual FIRST Conference in Edinburgh. This meeting is by invitation only and more details can be found at http://www.cert.org/natcsirt/.