Conference Program

This is a working draft agenda. Agenda is subject to change.

Sunday, 16 June

08:00 – 09:00

Registration for Sunday FIRST Training ONLY

Strathblane Hall & Atrium Foyer

10:00 – 12:00

Registration

Strathblane Hall & Atrium Foyer

13:00 – 17:00

AWS Security Jam

Lammermuir | Level -2

14:00 – 20:00

Registration

Strathblane Hall & Atrium Foyer

15:00 – 16:00

Session Chair Meeting (closed meeting)

Harris 1 | Level 1

18:30 – 21:00

Strathblane Hall & Atrium Foyer

Monday, 17 June

Pentland Auditorium | Level 3
Sidlaw | Level 3
Fintry | Level 3
Workshop – Tinto | Level 0
Workshop – Kilsyth | Level 0
Other – Moorfoot | Level 0
SIG Meetings – Menteith | Level -1

08:00 – 18:15

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 10:00

Welcome Remarks

Pentland Auditorium – Level 3

10:00 – 11:00
 GB

Keynote: Backdoors in Back Doors

Ken Munro (Pen Test Partners LLP, GB)

11:00 – 11:45

Networking Break

Lennox / Moffat / Lammermuir – Level -2

11:45 – 12:45
 GB

Five Years of BGP Hijacking by Email Spammers

Richard Clayton (University of Cambridge, GB)

 US

Software Bill of Materials: Progress toward transparency of 3rd party code

Allan Friedman (NTIA / US Department of Commerce, US); Art Manion (CERT/CC, US)

 US

A Practical Model for Developing an Integrated IT/OT SOC and Monitoring

Christopher King, Umair Masud (Rockwell Automation, US)

 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

11:45 – 13:15

 LU

Malware Unpacking for Dummies

Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel)

11:45 – 13:15

PSIRT SIG Meeting

11:45-13:15

12:45 – 13:15
 LU

BGP Ranking & IP-ASN History: Making Something Useful Out of Old Massive Datasets

Raphael Vinot (CIRCL, LU)

 US

Advancements in Publishing Vulnerabilities and Security Advisories.

Chandan Nandakumaraiah (Juniper Networks, US)

 DE

Fingerpointing False Positives: How to Better Integrate Continuous Improvement into Security Monitoring

Desiree Sacher (Finanz Informatik, DE)

13:15 – 14:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

Cyber Threat Intelligence SIG Meeting

13:45-15:15

14:30 – 15:30
 CN

Protect Enterprise Against Cryptojacking: Lessons From Tracing 8220 Miner Group

Lion Gu (360 Enterprise Security Group, CN)

 MY

Cyber Threats Incident Response Model for CNII Organizations

Aswami Ariffin, Megat Mutalib (CyberSecurity Malaysia, MY)

 US

Real-World SOC Metrics

Carson Zimmerman (Microsoft, US)

 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

14:30 – 16:00

 LU

Malware Unpacking for Dummies

Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel)

14:30 – 16:00

15:30 – 16:00
 JP

Cryptocurrency Breaches and Financial Regulators in Japan

Natsuko Inui (Financial Services Information Sharing and Analysis Center, JP)

 GB

Being the Third Party - The Challenges and Successes of Notifying Victim Organisations at National Scale

Harry W (NCSC-UK, GB)

 AU

Re-Building a Scalable CSIRT

Josh Lemon (Salesforce, AU)

Capture the Flag SIG Meeting

15:30-16:30

16:00 – 16:45

Networking Break

Lennox / Moffat / Lammermuir – Level -2

CVSS SIG Meeting

16:30-18:00

16:45 – 17:45
 BE

Swimming in the Cryptonote Pools

Emilien Le Jamtel (CERT-EU, BE)

 US

How to Manage the Tangled Web of Dependencies

Jessica Butler, Lisa Bradley (NVIDIA, US)

 US

Adversary Modeling and Emulation in Operational Technology Environments

Marie Collins, Otis Alexander (MITRE, US)

 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

16:45 – 18:15

 US

ICS Simulation and CTF

Jermaine Roebuck (HIRT, US)

16:45 – 18:15

FIRST Update: Financial & Business Review

FIRST Members Only

17:45 – 18:15
 FR

Analyze & Detect WebAssembly Cryptominer

Patrick Ventuzelo (QuoScient, FR)

 FI

A Tool for Vulnerability Management in a Large Company

Umair Bukhari (Ericsson, FI)

 GB

A Dragon In Wolf’s Clothing: When Stopping the APT Could be Easy

Keir P (NCSC-UK, GB)

19:15 – 22:15

Contini George Street | 103 George Street, Edinburgh

Tuesday, 18 June

Pentland Auditorium | Level 3
Sidlaw | Level 3
Fintry | Level 3
Workshop – Tinto | Level 0
Workshop – Kilsyth | Level 0
SIG Meetings – Menteith | Level -1

08:30 – 17:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 GB

Keynote: Who's Afraid of the Big Bad Smart Fridge: Governance Challenges of the Internet of Things

Leonie Tanczer (University College London, GB)

10:30 – 11:00

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

11:00 – 12:00
 US

Finding Dependencies Between Adversary Techniques

Andy Applebaum (The MITRE Corporation, US)

 JP RU

Attacks on Industrial and Manufacturing Networks

Bakuei Matsukawa (Trend Micro FTR Team, JP); Vladimir Kropotov (Trend Micro FTR Team, RU)

 US

CSIRT Schiltron: Training, Techniques, and Talent

James Sheppard, Jeff Bollinger (Cisco Systems, Inc., US)

 US

Vulnerability Response Capability Development for PSIRT Teams

Art Manion, Deana Shick, Madison Oliver (CERT/CC, US)

11:00 – 12:30

 LU

Training (day 2): Extending and Integrating MISP to Fit Your Use Case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

11:00 – 12:30

Academic Security SIG Meeting

11:00-14:30

12:00 – 12:30
 TW

Improving the Efficiency of Dynamic Malware Analysis with Temporal Syscall Measure

Dr. Chih-Hung Lin (Taiwan Network Information Center (TWNIC), TW)

 AE GB

TRITON - The First Documented Attack on ICS Safety Systems

Daniel Caban (Mandiant (a FireEye Company), AE); Peter Barbour (Mandiant (a FireEye Company), GB)

 NL

Building a Global Maturity Measurement and Development Process for National CSIRTs

Don Stikvoort (representing NCSC-NL, NL); Dr. Hanneke Duijnhoven (TNO, NL)

12:30 – 13:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

13:30 – 14:30
 GB

Magecart Activity and Actors - How Thousands of e-Commerce Sites are Being Compromised

Terry Bishop (RiskIQ, GB)

 US

ATT&CKing the Castle

Chip Greene, Conrad Layne (GE, US)

 NL

What a Code of Ethics Means for You and for FIRST

Jeroen van der Ham (NCSC-NL, NL); Shawn Richardson (Palo Alto Networks)

 US

Vulnerability Response Capability Development for PSIRT Teams

Art Manion, Deana Shick, Madison Oliver (CERT/CC, US)

13:30 – 15:00

 LU

Training (day 2): Extending and Integrating MISP to Fit Your Use Case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

13:30 – 15:00

14:30 – 15:00
 HU

The Evolution of GandCrab Ransomware

Tamas Boczan (VMRay, HU)

 DE

Applying Security Metrics for Quality Control and Situational Awareness

Jan Kohlrausch (DFN-CERT, DE)

 EU

Building a Common Language to Face Future Incidents

Rossella Mattioli (ENISA - European Union Agency for Network and Information Security, EU)

Cyber Insurance SIG Meeting

14:30-16:00

15:00 – 15:30

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

15:30 – 16:30
 US

Operationalizing Cyber Hunt

Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)

 GB PL

Obtaining a Global Picture of the IoT Attack and Malware Landscape

David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation, PL)

 US CZ

Collaborative Security – A Look at How Information Sharing and Incidents can lead to Mitigation, Best Practices and Resilience

Denise Anderson (H-ISAC, US); Eva Telecka (MSD, CZ)

 US

Vulnerability Response Capability Development for PSIRT Teams

Art Manion, Deana Shick, Madison Oliver (CERT/CC, US)

15:30 – 17:00

 LU

Training (day 2): Extending and Integrating MISP to Fit Your Use Case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

15:30 – 17:00

Ethics SIG Meeting

16:00-17:00

16:30 – 17:00
 US

Optimized Playbook, Roll out! How an Optimized Playbook can Reduce Time-to-Detect

Christopher Merida, Jason Kmack (Cisco Systems Inc, US)

 TW JP

Malware in IoT Devices: Detection and Family Classification Using ELF Opcode Features

Chin Wei Tien (Institute for Information Industry, National Taiwan University, TW); Shang Wen Chen (Institute for Information Industry, TW); Tao Ban (National Institute of Information and Communication Technology, JP)

 NL

Protect your Castle by ‘Poldering’: Create a Network of Cybersecurity Clans

Gijs Peeters (National Cyber Security Centre the Netherlands (NCSC-NL), NL)

17:00 – 19:00

Vendor Showcase

Lennox / Moffat / Lammermuir – Level -2

Wednesday, 19 June

Pentland Auditorium | Level 3
Sidlaw | Level 3
Fintry | Level 3
Workshop – Tinto | Level 0
Workshop – Kilsyth | Level 0
SIG Meetings – Menteith | Level -1

08:30 – 16:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 AU

Keynote: Developing a Conceptual Model for Insider Threat

Monica Whitty (University of Melbourne, AU)

10:30 – 11:00

After ShadowHammer - Maintaining Trust in Auto-Updates

Panel Discussion

11:00 – 11:45

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

11:45 – 12:45
 US

Information Convergence for Efficient Product Security Incident Management

Chandan Nandakumaraiah (Juniper Networks/ICASI, US)

 US

Detecting Covert Communication Channels via DNS

Dhia Mahjoub (Cisco, US); Thomas Mathew (Umbrella (Cisco), US)

 ID

The Asian Games 2018 Cyber Security, A Lessons Learned

Andika Triwidada (Indonesia Computer Emergency Response Team (IDCERT), ID); Bisyron Wahyudi Masduki (Indonesia Security Incident Response Team on Internet Infrastructure (Id-SIRTI/CC), ID)

 JP

Blue-team vs. Red-team Tabletop Exercise to Train the Process of Attack Investigation

Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP); Chiyuki Matsuda, Fumie Watanabe (DeNA Co., Ltd., JP); Yusuke Kon (Trend Micro Inc., JP); Keisuke Ito (NTT DATA INTELLILINK Corporation, JP); Hajime Ishizuka (NTT Security Japan KK, JP); Toshiaki Ohta (Yahoo Japan Corporation, JP)

11:45 – 13:15

 CA

Hunting Linux Malware for Fun and Flags

Marc-Etienne M.Léveillé (ESET, CA)

11:45 – 13:15

Metrics SIG Meeting

11:45-13:15

12:45 – 13:15
 US

What Information Security Can Learn from Design

Douglas Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US)

 US

How a Severity 2.2 Issue can Cost us so Much

Lisa Bradley (NVIDIA, US)

 US

"Excuse me While I Kiss this Guy" - What You Said isn't What they Heard.

Matt Linton (Google, US)

13:15 – 14:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

Vulnerability Coordination SIG Meeting

13:45-15:30

14:30 – 15:30
 BE

Practical and Affordable Side-Channel Attacks

Francois Durvaux (Thales, BE)

 FI

Distributed Model for Targeted Threat Intelligence - Cyber Defence Cells

Juha Haaga (Arctic Security, FI)

 US

The Past, Present, and Future of DNS Resolution

Paul Vixie (Farsight Security, Inc., US)

 US

Hands-on: Practical tabletop drills for CSIRTS

Kenneth van Wyk (KRvW Associates, LLC, US)

14:30 – 16:30

 CA

Hunting Linux Malware for Fun and Flags

Marc-Etienne M.Léveillé (ESET, CA)

14:30 – 16:00

15:30 – 16:00
 US

Malicious Encrypted Document Analysis

Tyler Halfpop (Palo Alto Networks, US)

 DE

Threat Detection based on Deep Learning at Scale

Jan Pospisil, Karl Peter Fuchs (Siemens, DE)

 GB

Working at Scale - How to Kill Botnets Quickly and Efficiently

David Watson, Stewart Garrick (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation)

16:00 – 17:00

Lightning Talks

Pentland Auditorium – Level 3

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

Big Data SIG Meeting

16:00-17:00

17:00 – 18:30

VRDX SIG Meeting

17:00-18:30

18:30 – 22:00

Cromdale Hall - Level -2

Thursday, 20 June

Pentland Auditorium | Level 3
Sidlaw | Level 3
Fintry | Level 3
Workshop – Tinto | Level 0
Workshop – Kilsyth | Level 0
Workshop – Lowther | Level -1
SIG Meetings – Menteith | Level -1

08:30 – 16:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 17:30

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 US

Keynote: Waking Up The Guards - Renewed Vigilance Is Needed To Regain Trust In Fundamental Building Blocks

Merike Kaeo (Double Shot Security, US)

10:30 – 11:00

Networking Break with Exhibits

Lennox / Moffat / Lammermuir – Level -2

11:00 – 12:00
 GB

Seeing Clearly and Communicating Effectively to Address Event Overload

Thomas Fischer (FVT SecOps Consulting, GB)

 NL

TIDE -- Proactive Threat Detection Using Active DNS Measurements

Olivier van der Toorn (University of Twente, NL)

 US

Top Common Tabletop Exercise Failures

Michael Murray, Robert Lelewski (Secureworks, US)

 US

Cyber Threat Response Clinic

Hakan Nohre (Cisco Systems, US)

11:00 – 12:30

 JP

Fast Forensics against Malware Infection

Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP)

11:00 – 12:30

Red Team SIG Meeting

11:00-14:30

Traffic Light Protocol SIG Meeting

11:00-12:00

12:00 – 12:30
 US

Effective Victim Interview Techniques for Incident Responders

Alison Naylor (Red Hat, Inc., US)

 PL

CSIRT in the Era of Information Operations. Should we be Involved?

Mirosław Maj (Cybersecurity Foundation, Open CSIRT Foundation, ComCERT.PL, PL)

 US

Building a Clan of Security Warriors

Kristen Pascale, Tania Ward (Dell, US)

Passive DNS SIG Meeting

12:00-13:00

12:30 – 13:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

13:30 – 14:30
 US

Hunting and Automation Using Open Source Tools

Brian Baskin, John Holowczak (Carbon Black, US)

 GB

Risk and Ransomware

Eireann Leverett (Concinnity Risks, GB)

 US

Incident Response: Make it a Family Affair

Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)

 US

OPSEC for Investigators and Researchers

Krassimir Tzvetanov (US)

13:30 – 15:00

 JP

Fast Forensics against Malware Infection

Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP)

13:30 – 15:00

Industrial Control Systems SIG Meeting

13:30-14:30

14:30 – 15:00
 BE

Where's Wally? Hands-on Threat Hunting in Elasticsearch using ee-outliers

Daan Raman (NVISO, BE)

 GB

We Know Where You Live: Systematically Fingerprinting Low- and Medium-Interaction Honeypots at Internet Scale

Alexander Vetterl (University of Cambridge, GB)

 US

Attack the News Cycle Before it Attacks You

Jerry Bryant (Intel, US)

15:00 – 15:30

AGM Registration

Outside of Pentland Auditorium - Level 3

Networking Break with Exhibits (for non-members)

Lennox Suite / Moffat / Lammermuir – Level -2

15:30 – 18:00

Annual General Meeting (AGM) - Members Only

Pentland Auditorium - Level 3

Friday, 21 June

Pentland Auditorium | Level 3
Sidlaw | Level 3
Fintry | Level 3
Workshop – Lowther | Level -1
SIG Meetings – Menteith | Level -1

08:30 – 11:00

Registration

Strathblane Hall & Atrium Foyer

09:00 – 12:00

Security Lounge: FIRST CTF HQ & AWS Jam HQ

Café 5 | Level 1

09:15 – 10:15
 SE

Hunting for Unknown Unknowns in Network Traffic

Erik Hjelmvik (Netresec, SE)

 GB

Saving the World with DGA DNS RPZ

David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation)

 FI

Three Circles to Improve Health Care Cyber Security - This is How We do it in Finland

Perttu Halonen (National Cyber Security Centre Finland, Finnish Communications Regulatory Authority, FI)

 US

A Design Thinking Facilitation Workshop

Doug Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US)

09:15 – 10:45

 FI

hACME: A Social Engineering Workshop

Victor Sant'Anna (Nixu, FI)

09:15 – 10:45

10:15 – 10:45
 JP

Threat Hunting with SysmonSearch - Sysmon Log Aggregation, Visualization and Investigation

Wataru Takahashi (Japan Computer Emergency Response Team Coordination Center, JP)

 JP

TBD: To Block Connection to Malicious Host by Using “DQB” and "Shutdowner"

Kunio Miyamoto (NTT DATA Corporation, JP)

 NL

Defending the Dutch Healthcare Sector

Jasper Hupkens (Z-CERT, NL)

10:45 – 11:30

Networking Break

Lennox / Moffat / Lammermuir – Level -2

11:30 – 12:30
 GB

Keynote: Things That Go Bump in the Night: Detecting Problems in the Internet of Things

Miranda Mowbray (University of Bristol, GB)

12:30 – 13:15

Closing Remarks & Raffle Drawing

13:15 – 14:30

Lunch

Lennox Suite / Moffat / Lammermuir – Level -2

14:00 – 18:00

National CSIRT Meeting

NCSIRT Members Only