Conference Program

This is a working draft agenda and is subject to change.

Sunday, 16 June

08:00 – 10:00

Registration

14:00 – 20:00

Registration

18:30 – 21:00

Strathblane Hall & Atrium Foyer

Monday, 17 June

Rooms: Pentland Auditorium (Level 3); Sidlaw (Level 3); Fintry (Level 3); Workshop – Tinto (Level 0); Workshop – Kilsyth (Level 0); Other – Moorfoot (Level 0)
08:00 – 18:15

Registration

09:15 – 10:00

Welcome Remarks

Pentland Auditorium – Level 3

10:00 – 11:00
 GB

Keynote

Ken Munro (Pen Test Partners, GB)

11:00 – 11:45

Break

Lennox Suite – Level -2

11:45 – 12:45
 GB

Five Years of BGP Hijacking by Email Spammers

Richard Clayton (University of Cambridge, GB)

 US

Software Bill of Materials: Progress toward transparency of 3rd party code

Allan Friedman (NTIA / US Department of Commerce, US); Art Manion (CERT/CC, US)

 US

A Practical Model for Developing an Integrated IT/OT SOC and Monitoring

Christopher King, Umair Masud (Rockwell Automation, US)

 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

11:45 – 13:15

 LU

Malware Unpacking for Dummies

Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel)

12:45 – 13:15
 LU

BGP Ranking & IP-ASN History: making something useful out of old massive datasets

Raphael Vinot (CIRCL, LU)

 US

Advancements in Publishing Vulnerabilities and Security Advisories

Chandan Nandakumaraiah (Juniper Networks, US)

 DE

Fingerpointing False Positives: How to better integrate Continuous Improvement into Security Monitoring

Desiree Sacher (Finanz Informatik, DE)

13:15 – 14:30

Lunch

Lennox Suite – Level -2

14:30 – 15:30
 CN

Protect Enterprise Against Cryptojacking: Lessons From Tracing 8220 Miner Group

Bowen Pan, Haowen Bai, Lion Gu (360 Enterprise Security Group, CN)

 MY

Cyber Threats Incident Response Model for CNII Organizations

Aswami Ariffin, Megat Mutalib, Zahri Yunos (CyberSecurity Malaysia, MY)

 US

Real-World SOC Metrics

Carson Zimmerman (Microsoft, US); Christopher Crowley (Montance LLC, US)

 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

14:30 – 16:00

 LU

Malware Unpacking for Dummies

Paul Jung (Excellium Services, LU); Rémi Chipaux (Qintel)

15:30 – 16:00
 JP

Cryptocurrency Breaches and Financial Regulators in Japan

Natsuko Inui (Financial Services Information Sharing and Analysis Center, JP)

 GB

APT campaign against the Energy and ICS sector: notifying the sector at scale

Elle R (NCSC-UK, GB)

 AU

Re-Building a Scalable CSIRT

Josh Lemon (Salesforce, AU)

16:00 – 16:45

Break

Lennox Suite – Level -2

16:45 – 17:45
 BE

Swimming in the cryptonote pools

Emilien Le Jamtel (CERT-EU, BE)

 US

How to manage the tangled web of dependencies

Jessica Butler, Lisa Bradley (NVIDIA, US)

 US

Adversary Modeling and Emulation in Operational Technology Environments

Marie Collins, Otis Alexander (MITRE, US)

 LU

Training (1 day) - Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

16:45 – 18:15

 US

ICS Simulation and CTF

Jermaine Roebuck (HIRT, US); Jon Briney (DHS Hunt and Incident Response Team, US); Jonathan Homer (HIRT ICSG, US)

16:45 – 18:15

FIRST Update: Financial & Business Review

FIRST Members Only

17:45 – 18:15
 FR

Analyze & Detect WebAssembly Cryptominer

Patrick Ventuzelo (QuoScient, FR)

 FI

A tool for vulnerability management in a large company

Umair Bukhari (Ericsson, FI)

 GB

A Dragon In Wolf’s Clothing: When Stopping the APT Could be Easy

Keir P (NCSC-UK, GB)

Tuesday, 18 June

Rooms: Pentland Auditorium (Level 3); Sidlaw (Level 3); Fintry (Level 3); Workshop – Tinto (Level 0); Workshop – Kilsyth (Level 0); Other – Moorfoot (Level 0)
08:30 – 18:15

Registration

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 GB

Keynote: Who's Afraid of the Big Bad Smart Fridge: Governance Challenges of the Internet of Things

Leonie Tanczer (University College London, GB)

10:30 – 11:00

Industry Current Events

11:00 – 11:45

Break

Lennox Suite – Level -2

11:45 – 12:45
 US

Finding Dependencies Between Adversary Techniques

Andy Applebaum (The MITRE Corporation, US)

 JP RU

Attacks on Industrial and Manufacturing Networks

Bakuei Matsukawa (Trend Micro FTR Team, JP); Vladimir Kropotov (Trend Micro FTR Team, RU)

 US

CSIRT Schiltron: Training, Techniques, and Talent

James Sheppard, Jeff Bollinger (Cisco Systems, Inc., US)

 US

Vulnerability Response Capability Development for PSIRT Teams

Deana Shick, Laurie Tyzenhaus, Noelle Allon (CERT/CC, US)

11:45 – 13:15

 LU

Training (day 2): Extending and integrating MISP to fit your use case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

12:45 – 13:15
 TW

Improving the Efficiency of Dynamic Malware Analysis with Temporal Syscall Measure

Dr. Chih-Hung Lin (Taiwan Network Information Center (TWNIC), TW)

 AE GB

TRITON - the first documented attack on ICS safety systems

Daniel Caban (Mandiant (a FireEye Company), AE); Peter Barbour (Mandiant (a FireEye Company), GB)

 NL

Building a global maturity measurement and development process for national CSIRTs

Don Stikvoort (representing NCSC-NL, NL); Dr. Hanneke Duijnhoven (TNO, NL)

13:15 – 14:30

Lunch

Lennox Suite – Level -2

14:30 – 15:30
 GB

Magecart Activity and Actors - how thousands of e-commerce sites are being compromised

Terry Bishop (RiskIQ, GB)

 US

ATT&CKing the Castle

Chip Greene, Conrad Layne, David Bell (GE, US)

 NL US

What a Code of Ethics means for you and for FIRST

Jeroen van der Ham (NCSC-NL, NL); Tom Millar (Cybersecurity and Infrastructure Security Agency, US)

 US

Vulnerability Response Capability Development for PSIRT Teams

Deana Shick, Laurie Tyzenhaus, Noelle Allon (CERT/CC, US)

14:30 – 16:00

 LU

Training (day 2): Extending and integrating MISP to fit your use case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

14:30 – 16:00

Lightning Talks

15:30 – 16:00
 HU

The Evolution of GandCrab Ransomware

Tamas Boczan (VMRay, HU)

 DE

Applying Security Metrics for Quality Control and Situational Awareness

Eugene A Brin, Jan Kohlrausch (DFN-CERT, DE)

 EU

Building a common language to face future incidents

Rossella Mattioli (ENISA - European Union Agency for Network and Information Security, EU)

16:00 – 16:45

Break

Lennox Suite – Level -2

16:45 – 17:45
 US

Operationalizing Cyber Hunt

Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)

 GB PL

Obtaining a Global Picture of the IoT Attack and Malware Landscape

David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation, PL)

 US CZ

Collaborative Security – A Look at How Information Sharing and Incidents can lead to Mitigation, Best Practices and Resilience

Denise Anderson (H-ISAC, US); Eva Telecka (MSD, CZ)

 US

Vulnerability Response Capability Development for PSIRT Teams

Deana Shick, Laurie Tyzenhaus, Noelle Allon (CERT/CC, US)

16:45 – 18:15

 LU

Training (day 2): Extending and integrating MISP to fit your use case

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

17:45 – 18:15
 US

Optimized Playbook, Roll out! How an optimized playbook can reduce time-to-detect

Christopher Merida, Jason Kmack (Cisco Systems Inc, US)

 TW JP

Malware in IoT Devices: Detection and Family Classification Using ELF Opcode Features

Chia Wei Tien, Shang Wen Chen (Institute for Information Industry, TW); Chin Wei Tien (Institute for Information Industry, National Taiwan University, TW); Tao Ban (National Institute of Information and Communication Technology, JP)

 NL

Protect your Castle by ‘poldering’: create a network of cybersecurity clans

Gijs Peeters (National Cyber Security Centre the Netherlands (NCSC-NL), NL)

18:15 – 20:15

Vendor Showcase

Wednesday, 19 June

Rooms: Pentland Auditorium (Level 3); Sidlaw (Level 3); Fintry (Level 3); Workshop – Tinto (Level 0); Workshop – Kilsyth (Level 0)
08:30 – 16:00

Registration

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 GB

Keynote

Monica Whitty (University of Warwick, GB)

10:30 – 11:00

Industry Current Events

11:00 – 11:45

Break

Lennox Suite – Level -2

11:45 – 12:45
 US

Have fun storming the castle! Understanding Open Source security challenges in modern development

Christopher Robinson (RH-ISIRT – Red Hat Inc, US)

 US

Detecting Covert Communication Channels via DNS

Dhia Mahjoub (Cisco, US); Thomas Mathew (Umbrella (Cisco), US)

 ID

The Asian Games 2018 Cyber Security, A Lessons Learned

Andika Triwidada (Indonesia Computer Emergency Response Team (IDCERT), ID); Bisyron Wahyudi Masduki (Indonesia Security Incident Response Team on Internet Infrastructure (Id-SIRTI/CC), ID)

 JP

Blue-team vs. Red-team Tabletop Exercise to Train the Process of Attack Investigation

Yoshihiro Masuda (Fuji Xerox Co., Ltd., JP); Chiyuki Matsuda, Fumie Watanabe (DeNA Co., Ltd., JP); Yusuke Kon (Trend Micro Inc., JP); Keisuke Ito (NTT DATA INTELLILINK Corporation, JP); Hajime Ishizuka (NTT Security Japan KK, JP); Toshiaki Ohta (Yahoo Japan Corporation, JP)

11:45 – 13:15

 CA

Hunting Linux Malware for Fun and Flags

Marc-Etienne M.Léveillé (ESET, CA)

12:45 – 13:15
 US

What Information Security Can Learn from Design

Douglas Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US)

 US

Detecting DNS C&C and data exfiltration

Krassimir Tzvetanov (US)

 US

"Excuse me while I kiss this guy" - What you said isn't what they heard.

Matt Linton (Google, US)

13:15 – 14:30

Lunch

Lennox Suite – Level -2

14:30 – 15:30
 BE

Practical and affordable side-channel attacks

Francois Durvaux (Thales, BE)

 US

Defending The Castle With Intelligence: AIS Data Sharing with MISP

Marlon Taylor, Omar Cruz (National Cybersecurity & Communications Integration Center (NCCIC), US)

 US

The Past, Present, and Future of DNS Resolution

Paul Vixie (Farsight Security, Inc., US)

 US

Hands-on: Practical tabletop drills for CSIRTS

Kenneth Van Wyk (KRvW Associates, LLC, US)

14:30 – 16:30

 CA

Hunting Linux Malware for Fun and Flags

Marc-Etienne M.Léveillé (ESET, CA)

15:30 – 16:00
 US

Malicious Encrypted Document Analysis

Tyler Halfpop (Palo Alto Networks, US)

 DE

Threat Detection based on Deep Learning at Scale

Jan Pospisil, Karl Peter Fuchs (Siemens, DE)

 GB

Working at Scale - How to Kill Botnets Quickly and Efficiently

David Watson, Stewart Garrick (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation)

16:00 – 16:45

Break

Lennox Suite – Level -2

18:30 – 22:00

All Attendees Welcome

Thursday, 20 June

Rooms: Pentland Auditorium (Level 3); Sidlaw (Level 3); Fintry (Level 3); Workshop – Tinto (Level 0); Workshop – Kilsyth (Level 0)
08:30 – 16:00

Registration

09:15 – 09:30

Opening Remarks

Pentland Auditorium – Level 3

09:30 – 10:30
 US

Keynote

Merike Kaeo (Double Shot Security, US)

10:30 – 11:00

Industry Current Events

11:00 – 11:45

Break

Lennox Suite – Level -2

11:45 – 12:45
 GB

Seeing Clearly and Communicating Effectively to Address Event Overload

Thomas Fischer (FVT SecOps Consulting, GB)

 NL

TIDE -- proactive threat detection using active DNS measurements

Anna Sperotto, Olivier van der Toorn, Roland van Rijswijk-Deij (University of Twente, NL)

 US

Top Common Tabletop Exercise Failures

Michael Murray, Robert Lelewski (Secureworks, US)

 US

Cyber Threat Response Clinic

Hakan Nohre (Cisco Systems, US); Luc Billot, Tobias Mayer (Cisco Systems)

11:45 – 13:15

 JP

Fast Forensics against Malware Infection

Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP)

12:45 – 13:15
 US

Effective Victim Interview Techniques for Incident Responders

Alison Naylor (Red Hat, Inc., US)

 NL

My castle is your castle: when sharing CTI is – really - beneficial to all

Michael Meijerink (NCSC-NL, NL)

 US

Building a clan of security warriors

Kristen Pascale, Tania Ward (Dell, US)

13:15 – 14:30

Lunch

Lennox Suite – Level -2

14:30 – 15:30
 US

Hunting and Automation Using Open Source Tools

Brian Baskin, John Holowczak (Carbon Black, US)

 IT GB NL

Risk and Ransomware

Ankit Gangwal (University of Padua, IT); Eireann Leverett (Concinnity Risks, GB); Jurriaan Bremer (Hatching.io, NL)

 US

Adventures in Communication: When I Consume You and You Consume Them

Christopher Robinson (Red Hat, US); Kevin Ryan (NetApp, US); Lisa Bradley (NVIDIA, US)

 US

OPSEC for investigators and researchers

Krassimir Tzvetanov (US)

14:30 – 16:00

 JP

Fast Forensics against Malware Infection

Hiroshi Suzuki, Hisao Nashiwa (Internet Initiative Japan Inc., JP)

15:30 – 16:00
 BE

Where's Wally? Hands-on Threat Hunting in Elasticsearch using ee-outliers

Daan Raman (NVISO, BE)

 GB

We know where you live: Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale

Alexander Vetterl (University of Cambridge, GB)

 US

Attack the news cycle before it attacks you

Jerry Bryant (Microsoft, US)

16:00 – 16:45

Break

Lennox Suite – Level -2

16:45 – 19:00

Annual General Meeting (AGM)

FIRST Members Only

Friday, 21 June

Rooms: Pentland Auditorium (Level 3); Sidlaw (Level 3); Fintry (Level 3); Workshop – Menteith (Level -1); Workshop – Lowther (Level -1)
08:30 – 11:00

Registration

09:15 – 10:15
 SE

Hunting for Unknown Unknowns in Network Traffic

Erik Hjelmvik (Netresec, SE)

 GB

Saving the World with DGA DNS RPZ

David Watson (The Shadowserver Foundation, GB); Piotr Kijewski (The Shadowserver Foundation)

 FI

Three circles to improve health care cyber security - this is how we do it in Finland

Perttu Halonen (National Cyber Security Centre Finland, Finnish Communications Regulatory Authority, FI)

 FI

hACME: A social engineering workshop

Victor Sant'Anna (Nixu, FI)

09:15 – 10:45

 US

A Design Thinking Facilitation Workshop

Doug Wilson (Self, US); Nguyet Vuong (Civil / Consensys, US)

10:15 – 10:45
 JP

Threat Hunting with SysmonSearch - Sysmon Log Aggregation, Visualization and Investigation

Wataru Takahashi (Japan Computer Emergency Response Team Coordination Center, JP)

 JP

TBD: To Block connection to malicious host by using "DQB" and "Shutdowner"

Kunio Miyamoto (NTT DATA Corporation, JP)

 NL

Defending the Dutch Healthcare Sector

Frank Ritsema (Z-CERT, NL)

10:45 – 11:30

Break

Lennox Suite – Level -2

11:30 – 12:30
 GB

Keynote: Things That Go Bump in the Night: Detecting Problems in the Internet of Things

Miranda Mowbray (University of Bristol, GB)

12:30 – 13:10

Closing Remarks

13:15 – 14:30

Lunch

Lennox Suite – Level -2

14:00 – 16:00

National CSIRT Meeting

NCSIRT Members Only