35th Annual FIRST Conference | Empowering Communities
BoFs & Scheduled Side Meetings
Schedule is subject to change. Please be sure to refer to the conference mobile app during conference week for the latest and most accurate times.
Mansfield | 2nd Floor
Sherbrooke | 2nd Floor
Diese | 3rd Floor
St. Denis | 2nd Floor
Monday, June 5th
Time | Mansfield 2nd Floor |
---|---|
11:15 – 12:15 | BoF \| USB Malware, the Old but New; Nicklas Keijser (Truesec CSIRT, SE); TLP:CLEAR |
14:45 – 15:45 | BoF \| What Comes After TLP?; Tom Millar (CISA, US); TLP:CLEAR |
Tuesday, June 6th
Time | Mansfield 2nd Floor |
---|---|
09:30 – 10:30 | BoF \| How to Create a Secure Programming Culture Among Engineering Teams; Dr. Pedram Hayati; TLP:CLEAR |
11:20 – 12:20 | BoF \| Law Enforcement-CSIRT Cooperation Special Interest Group Proposal; Pei Ling Lee (INTERPOL, SG); TLP:CLEAR |
Wednesday, June 7th
Mansfield 2nd Floor | Sherbrooke 2nd Floor | Diese 3rd Floor | |
---|---|---|---|
11:15 – 12:15 | SIM3 Auditors Meeting | ||
12:00 – 12:35 | BoF \| LLMs and Cyber; Aaron Kaplan (European Commission, AT); TLP:CLEAR | ||
12:35 – 14:00 | FIRSTCON24 Lunch and Learn: Volunteering for the Program Committee TLP:CLEAR | ||
13:00 – 14:00 | FIRST Membership Committee Meeting |
Thursday, June 8th
Mansfield 2nd Floor | St. Denis 2nd Floor | |
---|---|---|
08:00 – 09:00 | GFCE Working Group Meeting (closed) | |
09:30 – 10:30 | BoF \| NETSEC: Basics & Discussing LoA; Carlos Friacas (RCTS CERT, PT); TLP:CLEAR |
- TLP:CLEAR
BoF | How to Create a Secure Programming Culture Among Engineering Teams
Dr. Pedram Hayati
Getting security into the code is at the core of the 4Cs of security (Code, Container, Cloud and Cluster). There is a vast number of security vulnerabilities that can only be fixed in the code. Building usable software is far from making the software secure. Therefore, we need active involvement from software engineers to build a secure program from the ground up. This is a two-way presentation where we cover:
- The hard problems in getting developers to write secure programs
- Wrong approaches (e.g. tool-driven, top-down) that will not make the shift toward secure programming
- Teaching developers how to exploit vulnerabilities vs. teaching them how best to fix them
- Approaches that can organically engage developers in secure programming
- Discussion
June 6, 2023 09:30-10:30
- TLP:CLEAR
BoF | LLMs and Cyber
Aaron Kaplan (European Commission, AT)
This is a first-time get-together (BoF) for all practitioners working with Large Language Models (LLMs), Deep Learning and IT Security. While the end of 2022 showed great advances in generative AI, the early months of 2023 demonstrated that the open source community massively picked up on this trend and started to engage in creating open source, off-line (on-prem) LLMs [1]. This is especially practical if you need to keep incident data or CTI feeds private and not send them to a public API such as GPT4. But are we on par with ChatGPT yet? Experiences, lessons learned etc.
This BoF tries to bring together people exploring LLMs for CTI and, more generally, for incident response, detection and prevention. What works for you? What did not work?
The BoF will have a short demo presentation on running your own LLM locally, followed by a round of sharing of experiences and deciding on the next steps of the BoF (how to continue this discussion).
[1] https://www.semianalysis.com/p/google-we-have-no-moat-and-neither
Aaron Kaplan: Aaron worked at the national CERT of Austria between 2008 and 2020; he has a background in maths and computer science. Since 2020 he has worked for EC-DIGIT-CSIRC, the IT security team of the European Commission. He is the co-founder of intelmq.org, a tool for automating the typical tasks of IT security teams. Aaron is a regular speaker at IT security conferences such as FIRST, hack.lu, Blackhat and CCC. He also had the honor of serving as a FIRST board director between 2014 and 2018, where he initiated multiple infrastructure projects such as misp.first.org. He believes in using automation, open source and machine learning to improve the lives of DFIR folks. In fact, he believes that without those tools, we won't be fast enough to keep up with attackers.
June 7, 2023 12:00-12:35
- TLP:CLEAR
BoF | USB Malware, the Old but New
Nicklas Keijser (Truesec CSIRT, SE)
I work at Truesec as a Threat Research Analyst, where my role is to reverse engineer malware that we find in our SOC and in our incident response engagements. Before joining Truesec I worked at the national CSIRT, CERT-SE, as a CSIRT Officer.
Over the last year we have seen an increase in malware distributed by USB; at Truesec we now have +100 cases of Raspberry Robin and a few cases of PlugX that utilize USB as the payload carrier but can also exfiltrate data that is air-gapped. In this presentation I would like to show the findings we have made and share insights, but also to discuss with other practitioners what they have discovered and how we can help each other in detecting and stopping malware distributed by USB drives.
June 5, 2023 11:15-12:15
- TLP:CLEAR
BoF | What Comes After TLP?
Tom Millar (CISA, US)
This BoF Session will provide attendees with an opportunity to discuss the issues raised in the "UMQ? What Comes After TLP" presentation to be delivered by Tom Millar (CISA) on Monday of the conference. The goal is to discover whether attendees are interested in establishing a new SIG (or augmenting an existing SIG) to advance information sharing beyond the limitations of TLP, IEP, etc.
June 5, 2023 14:45-15:45