Conference Program

This is a working draft agenda. Agenda is subject to change.

Sunday, June 16th

08:00 – 09:00

Registration for Sunday FIRST Training ONLY

Strathblane Hall & Atrium Foyer

10:00 – 12:00

Registration

Strathblane Hall & Atrium Foyer

13:00 – 17:00

AWS Security Jam

Lammermuir | Level -2

14:00 – 20:00

Registration

Strathblane Hall & Atrium Foyer

15:00 – 16:00

Session Chair Meeting (closed meeting)

Harris 1 | Level 1

18:30 – 21:00

Strathblane Hall & Atrium Foyer

Monday, June 17th

Pentland Auditorium
Level 3
Sidlaw
Level 3
Fintry
Level 3
Workshop – Tinto
Level 0
Workshop – Kilsyth
Level 0
Other – Moorfoot
Level 0
SIG Meetings – Menteith
Level -1
08:00 – 18:15

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 10:00

Welcome Remarks

Pentland Auditorium – Level 3

10:00 – 11:00
 GB

Keynote: Backdoors in Back Doors

Ken Munro (Pen Test Partners LLP, GB)

11:00 – 11:45

Networking Break

Lennox / Moffat / Lammermuir – Level -2

11:45 – 12:45
 GB

Five Years of BGP Hijacking by Email Spammers

Richard Clayton (University of Cambridge, GB)

TLP:AMBER
 US

Software Bill of Materials: Progress toward transparency of 3rd party code

Allan Friedman (NTIA / US Department of Commerce, US); Art Manion (vu.ls – CERT/CC, US)

TLP:CLEAR
 US

A Practical Model for Developing an Integrated IT/OT SOC and Monitoring

Christopher King, Umair Masud (Rockwell Automation, US)

TLP:CLEAR
 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

TLP:CLEAR

11:45 – 13:15

 LU

Malware Unpacking for Dummies

Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel)

TLP:CLEAR

11:45 – 13:15

PSIRT SIG Meeting

11:45-13:15

12:45 – 13:15
 LU

BGP Ranking & IP-ASN History: Making Something Useful Out of Old Massive Datasets

Raphael Vinot (CIRCL, LU)

TLP:CLEAR
 US

Advancements in Publishing Vulnerabilities and Security Advisories.

Chandan Nandakumaraiah (Juniper Networks, US)

TLP:CLEAR
 DE

Fingerpointing False Positives: How to Better Integrate Continuous Improvement into Security Monitoring

Desiree Sacher (Finanz Informatik, DE)

TLP:CLEAR
13:15 – 14:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

Cyber Threat Intelligence SIG Meeting

13:45-15:15

14:30 – 15:30
 CN

Protect Enterprise Against Cryptojacking: Lessons From Tracing 8220 Miner Group

Lion Gu (360 Enterprise Security Group, CN)

TLP:CLEAR
 MY

Cyber Threats Incident Response Model for CNII Organizations

Aswami Ariffin, Megat Mutalib (CyberSecurity Malaysia, MY)

TLP:CLEAR
 US

Real-World SOC Metrics

Carson Zimmerman (Microsoft, US)

TLP:CLEAR
 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

TLP:CLEAR

14:30 – 16:00

 LU

Malware Unpacking for Dummies

Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel)

TLP:CLEAR

14:30 – 16:00

15:30 – 16:00
 JP

Cryptocurrency Breaches and Financial Regulators in Japan

Natsuko Inui (Financial Services Information Sharing and Analysis Center, JP)

TLP:GREEN
 GB

Being the Third Party - The Challenges and Successes of Notifying Victim Organisations at National Scale

Harry W (NCSC-UK, GB)

TLP:GREEN
 AU

Re-Building a Scalable CSIRT

Josh Lemon (Salesforce, AU)

TLP:CLEAR

Capture the Flag SIG Meeting

15:30-16:30

16:00 – 16:45

Networking Break

Lennox / Moffat / Lammermuir – Level -2

CVSS SIG Meeting

16:30-18:00

16:45 – 17:45

Swimming in the Cryptonote Pools

Emilien Le Jamtel (CERT-EU)

TLP:CLEAR
 US

How to Manage the Tangled Web of Dependencies

Jessica Butler, Lisa Bradley (NVIDIA, US)

TLP:CLEAR
 US

Adversary Modeling and Emulation in Operational Technology Environments

Marie Collins, Otis Alexander (MITRE, US)

TLP:CLEAR
 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

TLP:CLEAR

16:45 – 18:15

 US

ICS Simulation and CTF

Jermaine Roebuck (HIRT, US)

TLP:CLEAR

16:45 – 18:15

FIRST Update: Financial & Business Review

FIRST Members Only

17:45 – 18:15
 FR

Analyze & Detect WebAssembly Cryptominer

Patrick Ventuzelo (QuoScient, FR)

TLP:CLEAR
 FI

A Tool for Vulnerability Management in a Large Company

Umair Bukhari (Ericsson, FI)

TLP:CLEAR
 GB

A Dragon In Wolf’s Clothing: When Stopping the APT Could be Easy

Keir P (NCSC-UK, GB)

TLP:GREEN
19:15 – 22:15

Contini George Street | 103 George Street, Edinburgh

Tuesday, June 18th

Pentland Auditorium
Level 3
Sidlaw
Level 3
Fintry
Level 3
Workshop – Tinto
Level 0
Workshop – Kilsyth
Level 0
SIG Meetings – Menteith
Level -1
08:30 – 17:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 GB

Keynote: Who's Afraid of the Big Bad Smart Fridge: Governance Challenges of the Internet of Things

Leonie Tanczer (University College London, GB)

10:30 – 11:00

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

11:00 – 12:00
 US

Finding Dependencies Between Adversary Techniques

Andy Applebaum (The MITRE Corporation, US)

TLP:CLEAR
 JP DE

Attacks on Industrial and Manufacturing Networks

Bakuei Matsukawa (Trend Micro FTR Team, JP); Vladimir Kropotov (Trend Micro FTR Team, DE)

TLP:CLEAR
 US

CSIRT Schiltron: Training, Techniques, and Talent

James Sheppard, Jeff Bollinger (Cisco Systems, Inc., US)

TLP:CLEAR
 US

Vulnerability Response Capability Development for PSIRT Teams

Art Manion (vu.ls – CERT/CC, US); Deana Shick, Madison Oliver (CERT/CC, US)

TLP:CLEAR

11:00 – 12:30

 LU

Training (day 2): Extending and Integrating MISP to Fit Your Use Case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

TLP:CLEAR

11:00 – 12:30

Academic Security SIG Meeting

11:00-14:30

12:00 – 12:30
 TW

Improving the Efficiency of Dynamic Malware Analysis with Temporal Syscall Measure

Dr. Chih-Hung Lin (Taiwan Network Information Center (TWNIC), TW)

TLP:GREEN
 AE GB

TRITON - The First Documented Attack on ICS Safety Systems

Daniel Caban (Mandiant (a FireEye Company), AE); Peter Barbour (Mandiant (a FireEye Company), GB)

TLP:CLEAR
 NL

Building a Global Maturity Measurement and Development Process for National CSIRTs

Don Stikvoort (representing NCSC-NL, NL); Dr. Hanneke Duijnhoven (TNO, NL)

TLP:CLEAR
12:30 – 13:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

13:30 – 14:30
 GB

Magecart Activity and Actors - How Thousands of e-Commerce Sites are Being Compromised

Terry Bishop (RiskIQ, GB)

TLP:CLEAR
 US

ATT&CKing the Castle

Chip Greene, Conrad Layne (GE, US)

TLP:GREEN
 NL

What a Code of Ethics Means for You and for FIRST

Jeroen van der Ham (NCSC-NL, NL); Shawn Richardson (Palo Alto Networks)

TLP:CLEAR
 US

Vulnerability Response Capability Development for PSIRT Teams

Art Manion (vu.ls – CERT/CC, US); Deana Shick, Madison Oliver (CERT/CC, US)

TLP:CLEAR

13:30 – 15:00

 LU

Training (day 2): Extending and Integrating MISP to Fit Your Use Case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

TLP:CLEAR

13:30 – 15:00

14:30 – 15:00
 HU

The Evolution of GandCrab Ransomware

Tamas Boczan (VMRay, HU)

TLP:CLEAR
 DE

Applying Security Metrics for Quality Control and Situational Awareness

Jan Kohlrausch (DFN-CERT, DE)

TLP:CLEAR
 EU

Building a Common Language to Face Future Incidents

Rossella Mattioli (ENISA - European Union Agency for Network and Information Security, EU)

TLP:CLEAR

Cyber Insurance SIG Meeting

14:30-16:00

15:00 – 15:30

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

15:30 – 16:30
 US

Operationalizing Cyber Hunt

Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)

TLP:CLEAR
 GB PL

Obtaining a Global Picture of the IoT Attack and Malware Landscape

David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadserver Foundation, PL)

TLP:CLEAR
 US CZ

Collaborative Security – A Look at How Information Sharing and Incidents can lead to Mitigation, Best Practices and Resilience

Denise Anderson (H-ISAC, US); Eva Telecka (MSD, CZ)

TLP:AMBER
 US

Vulnerability Response Capability Development for PSIRT Teams

Art Manion (vu.ls – CERT/CC, US); Deana Shick, Madison Oliver (CERT/CC, US)

TLP:CLEAR

15:30 – 17:00

 LU

Training (day 2): Extending and Integrating MISP to Fit Your Use Case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

TLP:CLEAR

15:30 – 17:00

Ethics SIG Meeting

16:00-17:00

16:30 – 17:00
 US

Optimized Playbook, Roll out! How an Optimized Playbook can Reduce Time-to-Detect

Christopher Merida, Jason Kmack (Cisco Systems Inc, US)

TLP:CLEAR
 TW JP

Malware in IoT Devices: Detection and Family Classification Using ELF Opcode Features

Chin Wei Tien (Institute for Information Industry, National Taiwan University, TW); Shang Wen Chen (Institute for Information Industry, TW); Tao Ban (National Institute of Information and Communication Technology, JP)

TLP:CLEAR
 NL

Protect your Castle by ‘Poldering’: Create a Network of Cybersecurity Clans

Gijs Peeters (National Cyber Security Centre the Netherlands (NCSC-NL), NL)

TLP:GREEN
17:00 – 19:00

Vendor Showcase

Lennox / Moffat / Lammermuir – Level -2

Wednesday, June 19th

Pentland Auditorium
Level 3
Sidlaw
Level 3
Fintry
Level 3
Workshop – Tinto
Level 0
Workshop – Kilsyth
Level 0
SIG Meetings – Menteith
Level -1
08:30 – 16:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 AU

Keynote: Developing a Conceptual Model for Insider Threat

Monica Whitty (University of Melbourne, AU)

10:30 – 11:00

After ShadowHammer - Maintaining Trust in Auto-Updates

Panel Discussion

11:00 – 11:45

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

11:45 – 12:45
 US

Information Convergence for Efficient Product Security Incident Management

Chandan Nandakumaraiah (Palo Alto Networks, US)

TLP:CLEAR
 US

Detecting Covert Communication Channels via DNS

Dhia Mahjoub (Cisco, US); Thomas Mathew (Umbrella (Cisco), US)

TLP:GREEN
 ID

The Asian Games 2018 Cyber Security, A Lessons Learned

Andika Triwidada (Indonesia Computer Emergency Response Team (IDCERT), ID); Bisyron Wahyudi Masduki (Indonesia Security Incident Response Team on Internet Infrastructure (Id-SIRTI/CC), ID)

TLP:CLEAR
 JP

Blue-team vs. Red-team Tabletop Exercise to Train the Process of Attack Investigation

Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP); Chiyuki Matsuda, Fumie Watanabe (DeNA Co., Ltd., JP); Yusuke Kon (Trend Micro Inc., JP); Keisuke Ito (NTT DATA INTELLILINK Corporation, JP); Hajime Ishizuka (NTT Security Japan KK, JP); Toshiaki Ohta (Yahoo Japan Corporation, JP)

TLP:CLEAR

11:45 – 13:15

 CA

Hunting Linux Malware for Fun and Flags

Marc-Etienne M.Léveillé (ESET, CA)

TLP:CLEAR

11:45 – 13:15

Metrics SIG Meeting

11:45-13:15

12:45 – 13:15
 US

What Information Security Can Learn from Design

Douglas Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US)

TLP:CLEAR
 US

How a Severity 2.2 Issue can Cost us so Much

Lisa Bradley (NVIDIA , US)

TLP:AMBER
 US

"Excuse me While I Kiss this Guy" - What You Said isn't What they Heard.

Matt Linton (Google, US)

TLP:CLEAR
13:15 – 14:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

Vulnerability Coordination SIG Meeting

13:45-15:30

14:30 – 15:30
 BE

Practical and Affordable Side-Channel Attacks

Francois Durvaux (Thales, BE)

TLP:CLEAR
 FI

Distributed Model for Targeted Threat Intelligence - Cyber Defence Cells

Juha Haaga (Artic Security, FI)

TLP:CLEAR

The Past, Present, and Future of DNS Resolution

Paul Vixie (Farsight Security, Inc.)

TLP:CLEAR
 US

Hands-on: Practical tabletop drills for CSIRTS

Kenneth van Wyk (KRvW Associates, LLC, US)

TLP:CLEAR

14:30 – 16:30

 CA

Hunting Linux Malware for Fun and Flags

Marc-Etienne M.Léveillé (ESET, CA)

TLP:CLEAR

14:30 – 16:00

15:30 – 16:00
 US

Malicious Encrypted Document Analysis

Tyler Halfpop (Palo Alto Networks, US)

TLP:CLEAR
 DE

Threat Detection based on Deep Learning at Scale

Jan Pospisil, Karl Peter Fuchs (Siemens, DE)

TLP:CLEAR
 GB

Working at Scale - How to Kill Botnets Quickly and Efficiently

David Watson, Stewart Garrick (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation)

TLP:AMBER
16:00 – 17:00

Lightning Talks

Pentland Auditorium – Level 3

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

Big Data SIG Meeting

16:00-17:00

17:00 – 18:30

VRDX SIG Meeting

17:00-18:30

18:30 – 22:00

Cromdale Hall - Level -2

Thursday, June 20th

Pentland Auditorium
Level 3
Sidlaw
Level 3
Fintry
Level 3
Workshop – Tinto
Level 0
Workshop – Kilsyth
Level 0
Workshop – Lowther
Level -1
SIG Meetings – Menteith
Level -1
08:30 – 16:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 US

Keynote: Waking Up The Guards - Renewed Vigilance Is Needed To Regain Trust In Fundamental Building Blocks

Merike Kaeo (Double Shot Security, US)

10:30 – 11:00

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

11:00 – 12:00
 GB

Seeing Clearly and Communicating Effectively to Address Event Overload

Thomas Fischer (FVT SecOps Consulting, GB)

TLP:CLEAR
 NL

TIDE -- Proactive Threat Detection Using Active DNS Measurements

Olivier van der Toorn (University of Twente, NL)

TLP:CLEAR
 US

Top Common Tabletop Exercise Failures

Michael Murray, Robert Lelewski (Secureworks, US)

TLP:CLEAR
 US

Cyber Threat Response Clinic

Hakan Nohre (Cisco Systems, US)

TLP:CLEAR

11:00 – 12:30

 JP

Fast Forensics against Malware Infection

Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP)

TLP:AMBER

11:00 – 12:30

Red Team SIG Meeting

11:00-14:30

Traffic Light Protocol SIG Meeting

11:00-12:00

12:00 – 12:30
 US

Effective Victim Interview Techniques for Incident Responders

Alison Naylor (Red Hat, Inc., US)

TLP:CLEAR
 PL

CSIRT in the Era of Information Operations. Should we be Involved?

Mirosław Maj (Cybersecurity Foundation, Open CSIRT Foundation, ComCERT.PL, PL)

TLP:CLEAR
 US

Building a Clan of Security Warriors

Kristen Pascale, Tania Ward (Dell, US)

TLP:GREEN

Passive DNS SIG Meeting

12:00-13:00

12:30 – 13:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

13:30 – 14:30
 US

Hunting and Automation Using Open Source Tools

Brian Baskin, John Holowczak (Carbon Black, US)

TLP:CLEAR
 GB

Risk and Ransomware

Eireann Leverett (Concinnity Risks, GB)

TLP:GREEN
 US

Incident Response: Make it a Family Affair

Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)

TLP:CLEAR
 US

OPSEC for Investigators and Researchers

Krassimir Tzvetanov (Purdue University, US)

TLP:AMBER

13:30 – 15:00

 JP

Fast Forensics against Malware Infection

Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP)

TLP:AMBER

13:30 – 15:00

Industrial Control Systems SIG Meeting

13:30-14:30

14:30 – 15:00
 BE

Where's Wally? Hands-on Threat Hunting in Elasticsearch using ee-outliers

Daan Raman (NVISO, BE)

TLP:CLEAR
 GB

We Know Where You Live: Systematically Fingerprinting Low- and Medium-Interaction Honeypots at Internet Scale

Alexander Vetterl (University of Cambridge, GB)

TLP:CLEAR
 US

Attack the News Cycle Before it Attacks You

Jerry Bryant (Intel, US)

TLP:CLEAR
15:00 – 15:30

AGM Registration

Outside of Pentland Auditorium - Level 3

Networking Break with Exhibits (for non-members)

Lennox Suite / Moffat / Lammermuir – Level -2

15:30 – 18:00

Annual General Meeting (AGM) - Members Only

Pentland Auditorium - Level 3

Friday, June 21st

Pentland Auditorium
Level 3
Sidlaw
Level 3
Fintry
Level 3
Workshop – Lowther
Level -1
SIG Meetings – Menteith
Level -1
08:30 – 11:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 12:00

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 10:15
 SE

Hunting for Unknown Unknowns in Network Traffic

Erik Hjelmvik (Netresec, SE)

TLP:CLEAR
 GB

Saving the World with DGA DNS RPZ

David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation)

TLP:GREEN
 FI

Three Circles to Improve Health Care Cyber Security - This is How We do it in Finland

Perttu Halonen (National Cyber Security Centre Finland, Finnish Communications Regulatory Authority, FI)

TLP:CLEAR
 US

A Design Thinking Facilitation Workshop

Doug Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US)

TLP:CLEAR

09:15 – 10:45

 FI

hACME: A Social Engineering Workshop

Victor Sant'Anna (Nixu, FI)

TLP:CLEAR

09:15 – 10:45

10:15 – 10:45
 JP

Threat Hunting with SysmonSearch - Sysmon Log Aggregation, Visualization and Investigation

Wataru Takahashi (Japan Computer Emergency Response Team Coordination Center, JP)

TLP:CLEAR
 JP

TBD: To Block Connection to Malicious Host by Using “DQB” and "Shutdowner"

Kunio Miyamoto (NTT DATA Corporation, JP)

TLP:CLEAR
 NL

Defending the Dutch Healthcare Sector

Jasper Hupkens (Z-CERT, NL)

TLP:GREEN
10:45 – 11:30

Networking Break

Lennox / Moffat / Lammermuir – Level -2

11:30 – 12:30
 GB

Keynote: Things That Go Bump in the Night: Detecting Problems in the Internet of Things

Miranda Mowbray (University of Bristol, GB)

12:30 – 13:15

Closing Remarks & Raffle Drawing

13:15 – 14:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

14:00 – 18:00

National CSIRT Meeting

NCSIRT Members Only