35th Annual FIRST Conference | Empowering Communities

BoFs & Scheduled Side Meetings

Schedule is subject to change. Please be sure to refer to the conference mobile app during conference week for the latest and most accurate times.

Monday, June 5th

Mansfield (2nd Floor) | St. Denis (2nd Floor)
11:15 – 12:15
 SE

BoF | USB Malware, the Old but New

Nicklas Keijser (Truesec CSIRT, SE)

TLP:CLEAR
14:45 – 15:45
 US

BoF | What Comes After TLP?

Tom Millar (CISA, US)

TLP:CLEAR

Tuesday, June 6th

Mansfield (2nd Floor) | Place du Canada (2nd Floor)
09:30 – 10:30

BoF | How to Create a Secure Programming Culture Among Engineering Teams

Dr. Pedram Hayati

TLP:CLEAR
11:20 – 12:20
 SG

BoF | Law Enforcement-CSIRT Cooperation Special Interest Group Proposal

Pei Ling Lee (INTERPOL, SG)

TLP:CLEAR
13:00 – 14:00

FIRST Membership Committee Meeting

18:15 – 19:15
 BE

BoF | Standards

Trey Darley (Accenture, BE)

TLP:CLEAR

Wednesday, June 7th

Mansfield (2nd Floor) | Sherbrooke (2nd Floor) | Diese (3rd Floor)
11:15 – 12:15

SIM3 Auditors Meeting

12:00 – 12:35
 AT

BoF | LLMs and Cyber

Aaron Kaplan (European Commission, AT)

TLP:CLEAR
12:35 – 14:00

FIRSTCON24 Lunch and Learn: Volunteering for the Program Committee

TLP:CLEAR
15:30 – 16:30
 US GB

BoF | Vulnerability Measurement and Prediction

Art Manion (ANALYGENCE Labs, US); Éireann Leverett (Concinnity Risks, GB)

Thursday, June 8th

Mansfield (2nd Floor)
08:00 – 09:30

GFCE Working Group Meeting

09:30 – 10:30
 PT

BoF | NETSEC: Basics & Discussing LoA

Carlos Friacas (RCTS CERT, PT)

TLP:CLEAR
17:00 – 18:00
 BE

CTF Debrief with David

David Durvaux (European Commission, BE)

TLP:CLEAR
  • TLP:CLEAR

    BoF | How to Create a Secure Programming Culture Among Engineering Teams

    Getting security into the code is at the core of the 4Cs of security (Code, Container, Cloud and Cluster). There are a vast number of security vulnerabilities that can only be fixed in the code. Building usable software is far from making the software secure. Therefore, we need active involvement from software engineers to build secure programs from the ground up. This is a two-way presentation where we cover:

    • The hard problems in getting developers to write secure programs
    • Wrong approaches (e.g. tool-driven, top-down) that will not make the shift toward secure programming
    • Teaching developers how to exploit a vulnerability vs. teaching them how best to fix it
    • Approaches that can organically engage developers into secure programming
    • Discussion

    June 6, 2023 09:30-10:30

  •  SG TLP:CLEAR

    BoF | Law Enforcement-CSIRT Cooperation Special Interest Group Proposal

    Following discussions during and after #FIRSTCON22, INTERPOL has formulated a proposal to create a Special Interest Group (SIG) to discuss issues relating to cybercrime law enforcement with the FIRST community. The proposed Law Enforcement-CSIRT Cooperation SIG aims to enable contact and exchange of experience and best practices between FIRST members within law enforcement and CERTs / CSIRTs, and to foster better mutual understanding on work relating to the prevention and disruption of cybercrime and other cyber threats.

    This BOF talk aims to solicit further comments and inputs regarding the drafted SIG Proposal Checklist which will be submitted to the FIRST Secretariat and onward to the FIRST Board of Directors. Current proposed main areas for engagement and discussion within the SIG include:

    • Fostering better understanding of the law enforcement component of disruption and investigation
    • Threat assessment and notification processes within private entities and non-law enforcement public entities (CERTs / CSIRTs)
    • Current / best practices for collaboration and exchange between law enforcement agencies and CERTs / CSIRTs, and for engagement / activation of their respective capacities before the commencement of operational planning and disruption investigations (e.g. threshold for activation, process and legal regulation of such engagement)
    • Modalities for collaboration and coordination of joint disruption operations between law enforcement and CERTs / CSIRTs
    • Understanding modi operandi of threat actors and how CERTs / CSIRTs and law enforcement can better align efforts to disrupt these actors

    June 6, 2023 11:20-12:20

  •  AT TLP:CLEAR

    BoF | LLMs and Cyber

    This is a first-time get-together (BoF) for all practitioners working with Large Language Models (LLMs), Deep Learning and IT Security. While the end of 2022 showed great advances in generative AI, the early months of 2023 demonstrated that the open source community massively picked up on this trend and started to engage in creating open source, off-line (on-prem) LLMs [1]. This is especially practical if you need to keep incident data or CTI feeds private and not send them to a public API such as GPT4. But are we on par with ChatGPT yet? Experiences, lessons learned etc.

    This BoF tries to bring together people exploring LLMs for CTI and more generally for incident response, detection and prevention. What works for you? What did not work?

    The BoF will have a short demo presentation on running your own LLM locally, followed by a round of sharing of experiences and deciding on the next steps of the BoF (how to continue this discussion).

    [1] https://www.semianalysis.com/p/google-we-have-no-moat-and-neither

    Aaron Kaplan: Aaron worked at the national CERT of Austria between 2008 and 2020. He has a background in maths and computer science. Since 2020 he has worked for EC-DIGIT-CSIRC, the IT security team of the European Commission. He is the co-founder of intelmq.org, a tool for automating the typical tasks of IT security teams. Aaron is a regular speaker at IT security conferences such as FIRST, hack.lu, Blackhat, CCC. He also had the honor to serve on the FIRST Board of Directors between 2014 and 2018, where he initiated multiple infrastructure projects such as misp.first.org. He believes in using automation, open source and machine learning for improving the lives of DFIR folks. In fact, he believes that without those tools, we won't be fast enough to keep up with attackers.

    June 7, 2023 12:00-12:35

  •  PT TLP:CLEAR

    BoF | NETSEC: Basics & Discussing LoA

    Carlos was born in Lisbon (Portugal), and graduated in Computer Science at the University of Lisbon in 1999. He was a Systems Engineer at the University of Lisbon from 1996 to 2000, with a short spell at FCCN, working for the Portuguese Schools' Network Team and ccTLD .PT. Back at FCCN during 2000, he managed the Portuguese Internet Exchange (Gigapix) for 15 years. In late 2015 he moved into cybersecurity, taking a leadership role at RCTS CERT, the Portuguese R&E Network's Computer Emergency Response Team. From 2016 to 2018 he was the Chairman of the Portuguese CSIRT Network's General Assembly (redecsirt.pt).

    The initial part will cover how IP address blocks are distributed, and the "market dynamics" in recent years triggered by scarcity. The Internet has evolved and global routing can no longer rely on "confidence". Current practice still allows the use of LoAs (Letters of Authorization), which can be easily forged. Tools already in place, such as RPKI and ROV, enable any person to check the holdership of any given IP address space block at any time, and are the perfect solution for dropping the use of LoAs. This presentation intends to discuss a path to change the current status quo, and thus enable a more secure routing plane for the Internet.

    June 8, 2023 09:30-10:30

  •  BE TLP:CLEAR

    BoF | Standards

    If you're interested in helping define the future of FIRST's standards development work, come join us Tuesday after the lightning talks where we'll be collaboratively outlining the basis for the to-be FIRST Standards Committee.

    Questions we'd like you to help us answer:

    • What is the relevancy of standards development work in 2023? What roles can and should FIRST play?
    • Are there external standards bodies (SDOs) we should be working with but where we don't have an existing partnership?
    • Are there draft standards relevant to our work as cyber defenders which we should be tracking and commenting on?
    • How should we begin to approach the problem of standardising ML models?

    June 6, 2023 18:15-19:15

  •  SE TLP:CLEAR

    BoF | USB Malware, the Old but New

    I work at Truesec as a Threat Research Analyst, where my role is to reverse engineer malware that we find in our SOC and in our incident response engagements. Before joining Truesec I worked at the national CSIRT, CERT-SE, as a CSIRT Officer.

    Over the last year we have seen an increase in malware distributed by USB. At Truesec we now have +100 cases of Raspberry Robin and a few cases of PlugX that utilize USB as the payload carrier but can also exfiltrate data that is air-gapped. In this presentation I would like to show the findings we have made and share insights, but also to discuss with other practitioners what they have discovered and how we can help each other in detecting and stopping malware distributed by USB drives.

    June 5, 2023 11:15-12:15

  •  US GB

    BoF | Vulnerability Measurement and Prediction

    Do you count vulnerabilities? Characterize or measure them in some way? Predict the occurrence or distributions of new vulnerabilities? Predict characteristics of new vulnerabilities? Why? What are your use cases? Do you work with acronyms like CVE, GSD, CVSS, SSVC, EPSS, CWE? If any of the above are true, you might be interested in this BoF.

    CFP submission page: https://easychair.org/my/conference?conf=v4ctc

    Art Manion is the Deputy Director of ANALYGENCE Labs where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has led and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

    Éireann Leverett is the co-author of Solving Cyber Risk, and a cyber risk entrepreneur. His career has taken him from hardhats and steel toed boots in industrial control systems to the implications for critical national infrastructure in policy. He works regularly with the international CERT community at FIRST.org, and writes papers when he finds the time. His proudest achievement is co-authoring a paper which has inspired legislation in the EU. He loves nature, travel, and reading when he gets away from computers.

    June 7, 2023 15:30-16:30

  •  US TLP:CLEAR

    BoF | What Comes After TLP?

    This BoF Session will provide attendees with an opportunity to discuss the issues raised in the "UMQ? What Comes After TLP" presentation to be delivered by Tom Millar (CISA) on Monday of the conference. The goal is to discover whether attendees are interested in establishing a new SIG (or augmenting an existing SIG) to advance information sharing beyond the limitations of TLP, IEP, etc.

    June 5, 2023 14:45-15:45