35th Annual FIRST Conference | Empowering Communities
Conference Program
The agenda is subject to change. Agenda times are given in Montreal, Canada local time (UTC -4). All pre-conference and conference activities, including FIRST-hosted social activities, will take place on the premises at the Fairmont The Queen Elizabeth Hotel.
About TLP Designations
If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees at https://www.first.org/conference/2023/registration-terms.
Meetings notated with "invite-only" or "invitation only" are private meetings.
Sunday Training Activities
Sunday pre-conference training activities are limited opportunities for interested delegates. A separate registration is required. Due to popularity, there is a registration fee to hold training seats. Admission is first-come, first-served, with priority given to FIRST members. Please visit the Register Now page for fee details and access to the registration form: https://www.first.org/conference/2023/registration-options.
Sessions Available to Virtual Participants
TLP:CLEAR sessions from Plenary talks, Breakout 1, Breakout 2, and Breakout 3 will be available to our virtual ticket participants via the conference mobile/desktop app. Workshops will NOT be streamed or recorded.
Registration Hours & Location
Registration will be located on the Mezzanine Level of the Fairmont The Queen Elizabeth Hotel. You can access the Mezzanine Level from the main lobby escalators. Hours are as follows:
- Sunday, June 4 - Training Participants Only | 07:00-09:00
- Sunday, June 4 - All Conference Participants | 11:00-20:00
- Monday, June 5 | 07:00-16:00
- Tuesday, June 6 | 08:00-16:00
- Wednesday, June 7 | 08:00-15:00 (please pick up any guest badges for the social event by 15:00)
- Thursday, June 8 | 08:30-16:00
- Friday, June 9 | 08:00-13:00
If you have any questions regarding the agenda, please contact the event office via email at events@first.org.
Sunday, June 4th
Time | Training Room 1 (Av. Laurier) | Training Room 2 (Av. Duluth) | Training Room 4 (Av. Viger) | Training Room 5 (St. Catherine) | Training Room 6 (Sherbrooke) | Training Room 7 (Notre Dame) |
---|---|---|---|---|---|---|
09:00 – 10:30 | US Tier 1 to C-Suite: Communicating a Breach using Threat-Informed Defense (Full Day) Mike Cunningham, Mark Haase, Jon Baker (MITRE Engenuity, US) | LT CSIRT/SOC Manager Improvement Training (Full Day) Vilius Benetis (NRD Cyber Security, LT) | CH MANRS and Routing Security (Full Day) Massimiliano Stucchi (ISOC, CH) | US DNS: Prevention, Detection, Disruption and Defense (Half Day) Carlos Alvarez (ICANN, US) | NL FR Measuring and Improving Your Team's Maturity Using SIM3 Miroslaw Maj (Open CSIRT Foundation, NL); Olivier Caleff (ERIUM, FR) | US How to Build, Drive and Thrive a Bug Bounty Program (Half Day) Kathleen Noble (N/A, US) |
10:30 – 11:00 | Coffee Break | |||||
11:00 – 12:30 | US Tier 1 to C-Suite: Communicating a Breach using Threat-Informed Defense (Full Day) Mike Cunningham, Mark Haase, Jon Baker (MITRE Engenuity, US) | LT CSIRT/SOC Manager Improvement Training (Full Day) Vilius Benetis (NRD Cyber Security, LT) | CH MANRS and Routing Security (Full Day) Massimiliano Stucchi (ISOC, CH) | US DNS: Prevention, Detection, Disruption and Defense (Half Day) Carlos Alvarez (ICANN, US) | NL FR Measuring and Improving Your Team's Maturity Using SIM3 Miroslaw Maj (Open CSIRT Foundation, NL); Olivier Caleff (ERIUM, FR) | US How to Build, Drive and Thrive a Bug Bounty Program (Half Day) Kathleen Noble (N/A, US) |
12:30 – 13:30 | Break (No Lunch Provided) | |||||
13:30 – 15:00 | US Tier 1 to C-Suite: Communicating a Breach using Threat-Informed Defense (Full Day) Mike Cunningham, Mark Haase, Jon Baker (MITRE Engenuity, US) | LT CSIRT/SOC Manager Improvement Training (Full Day) Vilius Benetis (NRD Cyber Security, LT) | CH MANRS and Routing Security (Full Day) Massimiliano Stucchi (ISOC, CH) | US 13:00 Start Time: OPSEC for Investors and Security Researchers (Half Day) Krassimir Tzvetanov (Purdue University, US) | DE NL SIM3 for Experienced Teams and Membership Sponsors Klaus-Peter Kossakowski (DFN-CERT Services GmbH, DE); Miroslaw Maj (Open CSIRT Foundation, NL) | |
15:00 – 15:30 | Coffee Break | |||||
15:30 – 17:00 | US Tier 1 to C-Suite: Communicating a Breach using Threat-Informed Defense (Full Day) Mike Cunningham, Mark Haase, Jon Baker (MITRE Engenuity, US) | LT CSIRT/SOC Manager Improvement Training (Full Day) Vilius Benetis (NRD Cyber Security, LT) | CH MANRS and Routing Security (Full Day) Massimiliano Stucchi (ISOC, CH) | US 13:00 Start Time: OPSEC for Investors and Security Researchers (Half Day) Krassimir Tzvetanov (Purdue University, US) | DE NL SIM3 for Experienced Teams and Membership Sponsors Klaus-Peter Kossakowski (DFN-CERT Services GmbH, DE); Miroslaw Maj (Open CSIRT Foundation, NL) | |
17:00 – 18:00 | Welcome to FIRST! Newbie Session in Place du Canada TLP:CLEAR | |||||
18:00 – 20:00 | Welcome Reception Sponsored by Adobe (Located on Lobby Level) TLP:CLEAR | |||||
Monday, June 5th
Time | Plenary/Breakout 1 (Place du Canada) | Breakout 2 (Av. Laurier) | Breakout 3 (Av. Viger) | WS1 (Av. Duluth) | WS2 (Av. Van-Horne) | SIG Room 1 (Notre Dame) | SIG Room 2 (St. Catherine) |
---|---|---|---|---|---|---|---|
07:30 – 09:00 | Continental Breakfast and Welcome Coffee | ||||||
09:00 – 09:30 | Opening Remarks and Welcome Address TLP:CLEAR | ||||||
09:30 – 10:30 | Lesley Carhart (Dragos Inc) TLP:CLEAR | ||||||
10:30 – 11:15 | Coffee Break | ||||||
11:15 – 11:50 | US Sliding Down the Slippery Analogy Slope and Landing in Clarity Leigh Metcalf (CERT, US); Eugene Spafford (Purdue University, US) TLP:CLEAR | NL Dissect: the Solution to Large-Scale Incident Response (and Why APTs Hate Us) Erik Schamper, Willem Zeeman (Fox-IT, NL) TLP:CLEAR | NL SPooFd: How to Spoof Mails, Even with Full SPF and DMARC Protection Koen van Hove (NLnet Labs / University of Twente / Dutch Institute for Vulnerability Disclosure, NL) TLP:AMBER | LU Building Your Own Workflows in MISP: Tutorial and Hands-On (Full Day) Sami Mokaddem (CIRCL, LU); Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU) TLP:CLEAR 11:15 – 12:35 | US DE CSAF Writing Bootcamp (Full Day) Justin Murphy (CISA, US); Thomas Schmidt (BSI, DE) TLP:CLEAR 11:15 – 12:35 | ||
11:30 – 12:30 | VRDX SIG | Red Team SIG | |||||
12:00 – 12:35 | US Why Are Our Researchers Observing Doorbells Sending Spam? Matthew Stith (Spamhaus, US) TLP:AMBER | NO NL SOCCRATES: Automated Security Decision Support for SOCs and CSIRTs Martin Eian (mnemonic, NO); Frank Fransen (TNO, NL) TLP:CLEAR | GB Incident Command and "The Cloud" - 72 Hours of IR and Ticking Robert Floodeen (New Anderton, GB); Rebecca Taylor (Secureworks, GB) TLP:CLEAR | ||||
12:35 – 14:00 | Lunch | ||||||
14:00 – 14:35 | US Tom Millar (CISA, US) TLP:CLEAR | US Three Simple and Effective Cybersecurity Exercises John Hollenberger (Fortinet, US) TLP:CLEAR | FR AnoMark - Anomaly Detection in Command Lines with Markov Chains Alexandre Junius (ANSSI (National Cybersecurity Agency of France), FR) TLP:CLEAR | LU Building Your Own Workflows in MISP: Tutorial and Hands-On (Full Day) Sami Mokaddem (CIRCL, LU); Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU) TLP:CLEAR 14:00 – 15:20 | US DE CSAF Writing Bootcamp (Full Day) Justin Murphy (CISA, US); Thomas Schmidt (BSI, DE) TLP:CLEAR 14:00 – 15:20 | ||
14:15 – 15:15 | Vulnerability Coordination SIG | ||||||
14:45 – 15:20 | US An Introduction to EPSS, The Exploit Prediction Scoring System Jay Jacobs (Cyentia, US); Sasha Romanosky (RAND Corporation, US) TLP:CLEAR | CH Stephan Berger (InfoGuard AG, CH) TLP:CLEAR | JP IOC-DREAM - IOC Distribution in Restricted Environment and Automating response based on MISP Yifan Wang, Fukusuke Takahashi, Kunio Miyamoto (NTT Data Corporation, JP) TLP:CLEAR | ||||
15:20 – 15:50 | Coffee Break | Building Your Own Workflows in MISP: Tutorial and Hands-On (Full Day) TLP:CLEAR | CSAF Writing Bootcamp (Full Day) TLP:CLEAR | ||||
16:00 – 17:15 | Annual General Meeting (AGM) and FIRST Update / Q&A TLP:CLEAR | ||||||
17:30 – 19:30 | Sponsor Showcase Reception Sponsored by Bitdefender TLP:CLEAR |
Tuesday, June 6th
Time | Plenary/Breakout 1 (Place du Canada) | Breakout 2 (Av. Laurier) | Breakout 3 (Av. Viger) | WS1 (Av. Duluth) | WS2 (Av. Van-Horne) | SIG Room 1 (Notre Dame) | SIG Room 2 (St. Catherine) |
---|---|---|---|---|---|---|---|
08:00 – 09:30 | Continental Breakfast and Welcome Coffee | ||||||
09:00 – 10:00 | Metrics SIG | ||||||
09:30 – 10:05 | US Open Season: Hunting More Intelligently Justin Hopple, Karthik Yetukuri (VMware, US) TLP:AMBER | US Knocking Out Post-Exploitation Kits Matt Bromiley (LimaCharlie, US) TLP:CLEAR | US Cyber Operations: The New Face of Incident Response (Virtual) Shawn Richardson, Amy Rose (NVIDIA, US) TLP:GREEN | BR GB Team Cymru Community Services Workshop Jacomo Piccolini (Team Cymru, BR); Scott Fisher (Team Cymru, GB) TLP:CLEAR 09:30 – 10:50 | US NL Communication Skills for Incident Response (Full Day) Jeff Carpenter (Secureworks, US); Don Stikvoort (Open CSIRT Foundation, NL) TLP:CLEAR 09:30 – 10:50 | ||
10:15 – 10:50 | SIG Updates: Multi-Stakeholder Ransomware, CVSS, Cyber Insurance, DNS Abuse, EPSS TLP:CLEAR | TLP:CLEAR | SIG Updates: TLP, Malware Analysis, CTI, WoF, Red Team, Ethics TLP:CLEAR | ||||
10:50 – 11:20 | Coffee Break | ||||||
11:20 – 11:55 | LU Typosquatting Finder - An Open Source Solution to Find Typosquatted Domains David Cruciani, Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU) TLP:CLEAR | US DE Universal (Software) Product Identity: Solving a Hard Problem Twice Over Art Manion (US); Thomas Proell (Siemens ProductCERT, DE); Thomas Schmidt (BSI, DE) TLP:CLEAR 11:20 – 12:40 | CA A Case by Case Basis: Lessons Learned from Flexible Incident Response by Design Rebecca Henfrey (Canadian Centre for Cyber Security, CA) TLP:AMBER | US A Deep Dive into Predicting Vulnerability Exploitation with EPSS Jay Jacobs (Cyentia, US); Sasha Romanosky (RAND Corporation, US) TLP:CLEAR 11:20 – 12:40 | US NL Communication Skills for Incident Response (Full Day) Jeff Carpenter (Secureworks, US); Don Stikvoort (Open CSIRT Foundation, NL) TLP:CLEAR 11:20 – 12:40 | ||
12:00 – 12:45 | PSIRT SIG (CLOSED MEETING) | Automation SIG | |||||
12:05 – 12:40 | US The Internet DDoS Threat Landscape John Kristoff (NETSCOUT, US) TLP:CLEAR | GB Objectifying Your Incident Management to Lift the Fog of IR Robert Floodeen (New Anderton, GB) TLP:CLEAR | |||||
12:40 – 14:00 | Lunch | ||||||
14:00 – 14:35 | BR Lessons Learned from Interrupting a Double Extortion Attack - An Incident Responder Perspective Raimir Holanda, Antonio Horta, Renato Marinho (Morphus Labs, BR) TLP:GREEN | FR CTI-Powered Hunting and Response Emilien Le Jamtel (CERT-EU, FR) TLP:CLEAR | FI Extra-Ordinary Vulnerability Coordination - A Method to the Madness Umair Bukhari (Ericsson PSIRT, FI) TLP:AMBER | AU Enterprise Cloud Threat Hunting and Attack Investigation (Half Day) Josh Lemon (Uptycs and SANS Institute, AU) TLP:AMBER 14:00 – 15:20 | US NL Communication Skills for Incident Response (Full Day) Jeff Carpenter (Secureworks, US); Don Stikvoort (Open CSIRT Foundation, NL) TLP:CLEAR 14:00 – 15:20 | ||
14:15 – 15:15 | EPSS SIG | DNS Abuse SIG | |||||
14:45 – 15:20 | DE I Opened Pandora's Box and It Was Full of Obfuscation Geri Revay (Fortinet, DE) TLP:CLEAR | IT Using CTI to Prevent Banking Frauds: Case Study Gozi Malware Giuseppe Morici, Grazia Leonetti (Intesasanpaolo Bank S.p.A., IT) TLP:AMBER | US Intel as Code - Building a Threat Informed Security Organization Christopher King, Matt Lange (Northwestern Mutual, US) TLP:CLEAR | ||||
15:20 – 15:50 | Coffee Break | ||||||
15:50 – 16:25 | IL Five Easy Ways to Spoof Contributor/Package Reputation Tzachi "Zack" Zorenshtain (checkmarx, IL) TLP:CLEAR | US A Chess Tournament - Chinese and Russian Underground Ecosystems Oxana Parsons (LookingGlass Cyber Solutions, US) TLP:GREEN | GB No One Likes to be Excluded: What Is the Role of War Exclusions in Cyber Insurance? Éireann Leverett (Concinnity Risks, GB); Rick Welsh (Waratah.io, GB) TLP:CLEAR 15:50 – 17:10 | AU Enterprise Cloud Threat Hunting and Attack Investigation (Half Day) Josh Lemon (Uptycs and SANS Institute, AU) TLP:AMBER 15:50 – 17:10 | US NL Communication Skills for Incident Response (Full Day) Jeff Carpenter (Secureworks, US); Don Stikvoort (Open CSIRT Foundation, NL) TLP:CLEAR 15:50 – 17:10 | CTI SIG Meeting 15:50 – 16:50 | Women of FIRST SIG 15:50 – 16:50 |
16:35 – 17:10 | CZ Abusing Electron-Based Applications in Targeted Attacks Jaromir Horejsi (Trend Micro, CZ) TLP:CLEAR | BE John Deprez (CCB/CERT.be, BE) TLP:AMBER | |||||
17:15 – 18:15 | TLP:CLEAR | ||||||
18:15 – 19:15 | BoF: Standards BoF in Place du Canada TLP:CLEAR | ||||||
Wednesday, June 7th
Time | Plenary/Breakout 1 (Place du Canada) | Breakout 2 (Av. Laurier) | Breakout 3 (Av. Viger) | WS1 (Av. Duluth) | WS2 (Av. Van-Horne) | SIG Room 1 (Notre Dame) | SIG Room 2 (St. Catherine) |
---|---|---|---|---|---|---|---|
07:30 – 09:00 | Continental Breakfast and Welcome Coffee | ||||||
09:00 – 09:30 | FIRST Hall of Fame Remarks & Mid-week Updates TLP:CLEAR | ||||||
09:30 – 10:30 | CA US Keynote: Why Gender Diversity is Better Security Allison Pytlak (Stimson Center, CA); Dr. Nina Kollars (Department of Defense, US) TLP:CLEAR | ||||||
10:30 – 11:15 | Coffee Break | ||||||
11:15 – 11:50 | GB US IE GH CH The Female Conversation – Empowering Women in IR and CI Rebecca Taylor (Secureworks, GB); Tracy Bills (CERT® Division of the Software Engineering Institute (SEI), US); Emer O'Neill (VMware, IE); Audrey Mnisi (Ghana Association of Banks; FIRST.org Board Member; Vice President for Women in Cybersecurity Wes, GH); Khushali Dalal (Juniper, US); Amanda Capobianco (Richemont International SA, CH) TLP:CLEAR 11:15 – 12:35 | HK Safeguarding IoT Devices in Digital Age - Building IoT Test Lab Frank Chow (HKCERT, HK) TLP:CLEAR | JP Yoshihiro Ishikawa, Takuma Matsumoto (LAC Co., Ltd, JP) TLP:GREEN | LU AIL Project Training - Monitoring Information Leaks (Full Day) Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU); Sami Mokaddem (CIRCL, LU) TLP:CLEAR 11:15 – 12:35 | DE US The CSAF Writer Guild - Advancing Your Experience (Full Day) Thomas Schmidt (BSI, DE); Justin Murphy (CISA, US) TLP:CLEAR 11:15 – 12:35 | ||
11:30 – 12:30 | Cyber Insurance SIG | SecLounge SIG | |||||
12:00 – 12:35 | NL Assessing e-Government DNS Resilience Jeroen van der Ham (NCSC-NL & UTwente, NL) TLP:CLEAR | US How to Save Your SOC from Stagnation Carson Zimmerman (Microsoft, US) TLP:CLEAR | |||||
12:35 – 14:00 | Lunch | ||||||
14:00 – 14:35 | US The PowerPuff Girls of Information Sharing - Joining Forces To Protect The Universe! Denise Anderson (Health-ISAC, US); Faye Francy (Automotive ISAC, US); Suzie Squier (Retail and Hospitality ISAC (RH-ISAC), US); Bridgette Walsh (Financial Services ISAC (FS-ISAC), US); Marina Krenz (Research and Education Networks ISAC (REN-ISAC)) TLP:CLEAR 14:00 – 15:20 | TW Prioritize Your Enterprise Critical Risk - Start at Active Directory Mars Cheng, Dexter Chen (TXOne Networks, TW) TLP:GREEN | JP Can We Tell the Threat Actor from Their ATT&CK TIDs? Ryusuke Masuoka, Toshitaka Satomi, Koji Yamada (Fujitsu System Integration Laboratories Limited, JP) TLP:CLEAR | LU AIL Project Training - Monitoring Information Leaks (Full Day) Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU); Sami Mokaddem (CIRCL, LU) TLP:CLEAR 14:00 – 15:20 | DE US The CSAF Writer Guild - Advancing Your Experience (Full Day) Thomas Schmidt (BSI, DE); Justin Murphy (CISA, US) TLP:CLEAR 14:00 – 15:20 | ||
14:15 – 15:15 | ICS SIG | ||||||
14:45 – 15:20 | US "Compromising the Keys to the Kingdom" - Exfiltrating Data to Own and Operate the Exploited Systems Aditya K Sood (F5, US) TLP:CLEAR | KR Info-Stealer: Most Bang for the Buck Malware in 2022 Jiho Kim (S2W Inc., KR) TLP:CLEAR | |||||
15:20 – 15:30 | AIL Project Training - Monitoring Information Leaks (Full Day) TLP:CLEAR | The CSAF Writer Guild - Advancing Your Experience (Full Day) TLP:CLEAR | |||||
15:30 – 16:00 | NL Q&A After Hours: Dissect: the Solution to Large-Scale Incident Response (and Why APTs Hate Us) Willem Zeeman, Erik Schamper (Fox-IT, NL) TLP:CLEAR | ||||||
19:00 – 22:00 | Social Event TLP:CLEAR |
Thursday, June 8th
Time | Plenary/Breakout 1 (Place du Canada) | Breakout 2 (Av. Laurier) | Breakout 3 (Av. Viger) | WS1 (Av. Duluth) | WS2 (Av. Van-Horne) | SIG Room 1 (Notre Dame) | SIG Room 2 (St. Catherine) |
---|---|---|---|---|---|---|---|
08:00 – 09:30 | Continental Breakfast and Welcome Coffee | ||||||
09:15 – 10:15 | Malware Analysis SIG | Information Sharing SIG | |||||
09:30 – 10:05 | CH Mistakes Happen, Either Learn From Them Or Rinse And Repeat! Gregor Wegberg (Oneconsult International CSIRT, CH) TLP:CLEAR | LT Continuous Threat Intelligence Improvements Leonardas Marozas (CUJO AI, LT) TLP:CLEAR | ES Improving CSIRTs' Procedures Through Standards Guillem Gordillo Garcia (Ackcent Cybersecurity, ES) TLP:CLEAR | AU What Part of JMP RSP Don't You Understand (Half Day) Vishal Thakur (Huntress, AU) TLP:CLEAR 09:30 – 10:50 | CA Supercharge Your Malware Analysis Workflow with Assemblyline (Full Day) Steve Garon, Kevin Hardy-Cooper, Ryan Samaroo, Gabriel Desmarais, Marc-Olivier Guilbault (Canadian Center for Cyber Security, CA) TLP:CLEAR 09:30 – 10:50 | ||
10:15 – 10:50 | LU Pain and Suffering; Implementing CTI Successfully in a SOC Paul Jung (Excellium Services, LU) TLP:CLEAR | US What's Running on My Hosts? Process Identification Through Network Traffic Monitoring Adam Weller (Cisco, US) TLP:CLEAR | FR Another Pint of Crisis Exercises? Vincent Le Toux (VINCI, FR) TLP:RED | ||||
10:50 – 11:20 | Coffee Break | ||||||
11:20 – 11:55 | KR KILLNET: Quantity Over Quality Sojun Ryu (S2W Inc., KR) TLP:GREEN | US From Trust Groups to Action Communities: Changing the Sharing Game Tom Millar (CISA, US); James Shank (SpyCloud, US) TLP:AMBER | JP Creating the Coordinator Rules Tomo Ito (JPCERT Coordination Center (JPCERT/CC), JP) TLP:CLEAR | AU What Part of JMP RSP Don't You Understand (Half Day) Vishal Thakur (Huntress, AU) TLP:CLEAR 11:20 – 12:40 | CA Supercharge Your Malware Analysis Workflow with Assemblyline (Full Day) Steve Garon, Kevin Hardy-Cooper, Ryan Samaroo (Canadian Center for Cyber Security, CA); Gabriel Desmarais, Marc-Olivier Guilbault (Canadian Center for Cyber Security) TLP:CLEAR 11:20 – 12:40 | ||
12:05 – 12:40 | IE Responding to Lapsus$ Style Smshing Attack, or How to Out an Actor! Thomas Fischer (Riot Games, IE) TLP:GREEN | CA Collective Defense Intelligence: A Model for Empowering the Open Cybersecurity Ecosystem Jason Keirstead (IBM Security, CA) TLP:CLEAR | GB Before the Storm: Preincident Response with an Emerging Threats Team at the Bank of England Eloise Hindes (Bank of England, GB) TLP:GREEN | ||||
12:40 – 14:00 | Lunch | ||||||
14:00 – 14:35 | US Authentication Proxy Attacks: Detection, Response and Hunting Christopher King (Northwestern Mutual, US) TLP:CLEAR | BE AT FR Using Apple Sysdiagnose for Forensics and Integrity Check David Durvaux (European Commission, BE); Aaron Kaplan (European Commission, AT); Emilien Le Jamtel (CERT-EU, FR) TLP:CLEAR | US Joint Cyber Defense Collaborative (JCDC) Joint Planning and Coordinated Action Mitchell Freddura (CISA Joint Cyber Defense Collaborative, US) TLP:AMBER | ES Modern Threat Hunting (Half Day) Vicente Diaz (VirusTotal, ES) TLP:CLEAR 14:00 – 15:20 | CA Supercharge Your Malware Analysis Workflow with Assemblyline (Full Day) Steve Garon, Kevin Hardy-Cooper, Ryan Samaroo (Canadian Center for Cyber Security, CA); Gabriel Desmarais, Marc-Olivier Guilbault (Canadian Center for Cyber Security) TLP:CLEAR 14:00 – 15:20 | ||
14:15 – 15:15 | CVSS SIG | ||||||
14:45 – 15:20 | US GB NL Preserving Confidentiality When Hunting With Friends Gabriel Bassett (Liberty Mutual, US); Paolo Di Prodi (Priam Cyber AI ltd, GB); Hugo Ideler, Toon Segers (Roseman Labs, NL) TLP:CLEAR | JP Masato Terada (Information-technology Promotion Agency, JP) TLP:CLEAR | SK Everyone Should Care About National Cyber Security Strategy Matej Šalmík (National Cyber Security Centre SK-CERT, SK) TLP:CLEAR | ||||
15:20 – 15:50 | Coffee Break | ||||||
15:50 – 16:25 | AU Building a New Cybersecurity Alert Priority Matrix Josh Lemon (Uptycs and SANS Institute, AU) TLP:CLEAR | CH Case Solved: Catching Evil on the Fly! Sandro Bachmann, Andreas Klaus (InfoGuard AG, CH) TLP:GREEN | MW LT Operationalization of Malawi CERT- Lessons Learnt and Challenges Christopher Banda (MACRA, MW); Vilius Benetis (NRD Cyber Security, LT) TLP:CLEAR | ES Modern Threat Hunting (Half Day) Vicente Diaz (VirusTotal, ES) TLP:CLEAR 15:50 – 17:10 | CA Supercharge Your Malware Analysis Workflow with Assemblyline (Full Day) Steve Garon, Kevin Hardy-Cooper, Ryan Samaroo (Canadian Center for Cyber Security, CA); Gabriel Desmarais, Marc-Olivier Guilbault (Canadian Center for Cyber Security) TLP:CLEAR 15:50 – 17:10 | ||
16:35 – 17:10 | DE Busy Bees - The Transformation of BumbleBee Patrick Staubmann (VMRay GmbH, DE) TLP:CLEAR | US Automating Cloud Forensics Lab Provisioning Tim Ip (Adobe, US) TLP:CLEAR | FR Dorothée Fermon, Léna Elemento (CERT-FR (ANSSI), FR) TLP:AMBER | ||||
17:00 – 18:00 | BE David Durvaux (European Commission, BE) | ||||||
17:15 – 18:15 | TLP:CLEAR |
Friday, June 9th
Time | Plenary/Breakout 1 (Place du Canada) | Breakout 2 (Av. Laurier) | Breakout 3 (Av. Viger) | WS1 (Av. Duluth) | WS2 (Av. Van-Horne) | SIG Room 1 (Notre Dame) |
---|---|---|---|---|---|---|
07:30 – 09:00 | Continental Breakfast and Welcome Coffee | |||||
09:00 – 09:35 | US Till There Was Unix: Defending ESXi Against Ransomware Attacks Lindsay Kaye (Recorded Future, US) TLP:CLEAR | LT ISO 27035 Practical Value for CSIRTs and SOCs Vilius Benetis (NRD Cyber Security, LT) TLP:CLEAR | BR Enhancing Security Resilience by Visibility and Protection Gap Analysis Raimir Holanda, Antonio Horta, Renato Marinho (Morphus Labs, BR) TLP:AMBER | NL Building an Integrated Threat Landscape (Full Day) Robin Staa, Bart van den Berg (NCSC-NL, NL) TLP:CLEAR 09:00 – 10:20 | JP Manabu Niseki, Simon Vestin (LINE Corporation, JP) TLP:GREEN 09:00 – 10:20 | NETSEC SIG 09:00 – 10:00 |
09:45 – 10:20 | SE Cracking the Chaos Ransomware Family Alexander Andersson (Truesec, SE) TLP:CLEAR | US The 4 Pillars of Cyber Security Laurie Tyzenhaus (SEI CERT, US) TLP:CLEAR | AU Getting a Handle on Source Code Leaks and Intellectual Property Exposure Robert Byrne (Ericsson, AU) TLP:AMBER | |||
10:20 – 10:30 | Coffee Break | |||||
10:30 – 11:05 | GB US Éireann Leverett (Concinnity Risks, GB); Scott Small (TidalCyber, US) TLP:CLEAR | NL Incident Response: A Christmas Carol Erik de Jong (Securify, NL); Francisco Dominguez (Hunt & Hackett, NL) TLP:CLEAR | JP Cyber Hygiene Hunting : Security Effectiveness Validation for Valid Security Posture Tomohisa Ishikawa (Tokio Marine Holdings, JP) TLP:CLEAR | NL Building an Integrated Threat Landscape (Full Day) Robin Staa, Bart van den Berg (NCSC-NL, NL) TLP:CLEAR 10:30 – 11:50 | JP Manabu Niseki, Simon Vestin (LINE Corporation, JP) TLP:GREEN 10:30 – 11:50 | |
11:15 – 11:50 | SE Hasain Alshakarti, David Lilja (TRUESEC, SE) TLP:AMBER | CA IE Small But Mighty - The Crucial Role a PSIRT Plays in Customer Trust, Adoption and Renewal Kevin Hagopian (VMware, CA); Emer O'Neill (VMware, IE) TLP:AMBER | FR Emilien Le Jamtel (CERT-EU, FR) TLP:CLEAR | |||
12:00 – 13:00 | Chris Lynam (RCMP) TLP:CLEAR | |||||
13:00 – 13:30 | Closing Remarks TLP:CLEAR | |||||
13:30 – 14:30 | Closing Lunch |
- US
13:00 Start Time: OPSEC for Investors and Security Researchers (Half Day)
Krassimir Tzvetanov (Purdue University, US)
For the past three years Krassimir Tzvetanov has been a graduate student at Purdue University focusing on threat intelligence, operational security and influence operations in the cyber domain. Before that, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research. Previously he worked for companies like Cisco and A10, focusing on threat research and information exchange, DDoS mitigation and product security. Before that, Krassimir held several operational (SRE) and security positions at companies like Google, Yahoo! and Cisco. Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He also co-founded and ran the BayThreat security conference, and has volunteered in different roles at DefCon, ShmooCon, and DC650. Krassimir holds a Bachelor's in Electrical Engineering (Communications), a Master's in Digital Forensics and Investigations, and a Master's in Homeland Security.
Whether performing an in-depth investigation or merely quick research, the investigator (or researcher) and the investigation itself are exposed to certain risks.
This workshop focuses on security and safety issues pertaining to online research and investigations. It covers different areas of the investigative process and how tools and particular techniques can leak information detrimental to the case or the investigator.
Furthermore, it goes deeper into how investigators and blue teams can be profiled and targeted. These can be direct attacks against their computer or supporting infrastructure, against their person, or against the investigation itself, which in turn may be as subtle as steering it in the wrong direction or making the evidence inadmissible in court.
More specifically, the workshop covers different browser and infrastructure fingerprinting techniques, browser hooking, instant messaging programs, and email security and tracking.
Alongside the dangers, this workshop provides a series of countermeasures and mitigations that can help investigators increase their level of safety and security and decrease their digital footprint.
In addition, the workshop introduces containerization and how it can be used to segment and streamline the process.
Requirements: Students must bring VMware Player or VirtualBox. (Note: the latter does not perform as well.)
June 4, 2023 13:30-15:00
- CA TLP:AMBER
A Case by Case Basis: Lessons Learned from Flexible Incident Response by Design
Rebecca Henfrey (Canadian Centre for Cyber Security, CA)
Rebecca is a senior operational coordinator for the Government of Canada, specializing in coordinating multi-agency responses to significant cyber security incidents and vulnerabilities. Rebecca is a subject matter expert in the development of incident response plans and operational playbooks. Rebecca leverages her background in defence and international security studies to inform her work in building emergency response plans that prioritize agility and flexibility.
What happens when a cyber security incident or related operation does not clearly fit within your organization's existing incident response frameworks? Developing dynamic operational response plans that enable flexibility in incident response is necessary to enable teams to respond to the unknown. This talk will examine three case studies of recent and prominent Canadian cyber security incidents and operations. It will provide an overview of lessons learned from each of the three operations and propose how CSIRTs can enhance their current incident response plans to incorporate standards that promote the flexibility required to respond to novel and unique cyber security events.
June 6, 2023 11:20-11:55
- US TLP:GREEN
A Chess Tournament - Chinese and Russian Underground Ecosystems
Oxana Parsons (LookingGlass Cyber Solutions, US)
Oxana Parsons is a Senior Cyber Intelligence Analyst at LookingGlass Cyber Solutions. She leverages her knowledge of Russian and Ukrainian languages and cultures to conduct research into the Eastern European and Russian-speaking cybercrime world. Her other areas of focus include tracking threat actor behaviors, TTPs, and toolkits to develop actionable intelligence products that provide valuable insights for decision makers.
Both Chinese- and Russian-speaking actors continue to pose threats to organizations globally. It is critical for cybersecurity specialists to be prepared against these threat actors by understanding underground ecosystems and seeing how they evolve through a clear lens. This presentation will explain China's tightly controlled internet environment and highlight how Chinese actors operate under the central government's frequent crackdowns. It will take a deeper look at individual threat actors to pivot on unique TTPs, including their choices of products, communication platforms, and payment methods. It will also examine how the TTPs and operational methods of Chinese-speaking threat actors compare to those used by Russian-speaking threat actors. Additionally, it will analyze existing campaigns to gauge how threat groups and law enforcement continue to evolve under Beijing's low tolerance of cybercrime, and how this compares to Russia, which is often seen as a "safe haven" for cybercriminals. The information and data analysis included in this presentation will help cybersecurity specialists predict future trends and protect their organizations against threats originating from both China and Russia.
June 6, 2023 15:50-16:25
- US TLP:CLEAR
A Deep Dive into Predicting Vulnerability Exploitation with EPSS
Jay Jacobs (Cyentia, US), Sasha Romanosky (RAND Corporation, US)
Jay Jacobs is a Co-founder and Chief Data Scientist at Cyentia Institute, a research firm dedicated to advancing the state of information security knowledge and practice through data-driven research. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of "Data-Driven Security", a book covering data analysis and visualizations for information security professionals.
Sasha Romanosky, PhD, researches topics on the economics of security and privacy, cyber crime, cyber insurance, and national security. He is a Senior Policy Researcher at the RAND Corporation, a faculty member of the Pardee RAND Graduate School, and an affiliated faculty member in the Program on Economics & Privacy at the Antonin Scalia Law School, George Mason University. Sasha was a security professional for over 10 years in the financial and e-commerce industries, and is one of the original authors of the Common Vulnerability Scoring System (CVSS) and co-creator of the Exploit Probability Scoring System (EPSS), an emerging standard for estimating the probability of a vulnerability being exploited in the wild. Sasha is a former Cyber Policy Advisor in the Office of the Secretary of Defense for Policy (OSDP) at the Pentagon, where he oversaw the Defense Department's Vulnerability Equities Process (VEP), the Vulnerability Disclosure Program (VDP), and other cyber policy matters. Sasha is also an appointed member of DHS's Data Privacy and Integrity Advisory Committee (DPIAC), where he advises the Secretary of Homeland Security and DHS's Chief Privacy Officer on policy, operational, and technology issues.
This session will take a critical, data-driven approach to vulnerability management. We will present and discuss our research concerning metrics and statistics for vulnerability prevalence, exploitation and remediation within enterprises. We will look at how to leverage exploit prediction data using EPSS. We will cover some modeling fundamentals and focus on the importance of, and the approach to, measuring the performance of EPSS. The result is a functional and reliable approach to forecasting the likelihood that a vulnerability will be exploited in the next 30 days. Finally, we will look at where EPSS fits into an overall risk-based approach to vulnerability management.
June 6, 2023 11:20-12:40
- CZ TLP:CLEAR
Abusing Electron-Based Applications in Targeted Attacks
Jaromir Horejsi (Trend Micro, CZ)
Jaromir Horejsi is a Senior Threat Researcher for Trend Micro Research. He specializes in tracking and reverse-engineering threats such as APTs, DDoS botnets, banking Trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.
The first part of the presentation will look at the Electron framework and discuss possible infection vectors: Chromium vulnerabilities, or trojanizing Electron applications by replacing or patching the app.asar archive (which contains the application sources). The second part will follow with analyses of several real-life scenarios involving Electron-based applications: (1) the Iron Tiger threat actor abusing a secure chat application; (2) a threat actor abusing a chat-based customer engagement platform; (3) the Water Labbu threat actor abusing a live chat application. The last part will discuss the targets of these campaigns, as well as the connections to previous campaigns operated by the same threat actors.
June 6, 2023 16:35-17:10
FIRSTCON23-TLP-CLEAR-Horejsi-Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf
MD5: 530304fb880db3dbab8e5bae01bdfa58
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.74 Mb
- LU TLP:CLEAR
AIL Project Training - Monitoring Information Leaks (Full Day)
Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU), Sami Mokaddem (CIRCL, LU)
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team, where he develops and maintains the software as well as its related tools.
AIL Project is an open source framework composed of different modules to collect, crawl, dig into and analyse unstructured data. AIL includes an extensible Python-based framework for the analysis of unstructured information collected via an advanced crawler manager, from different feeders (such as Twitter, Discord and Telegram stream providers) or from custom feeders. AIL supports active crawling of Tor hidden services along with crawling of protected websites and forums using pre-recorded session cookies. The workshop will be an opportunity to understand how AIL works and how it can be used and integrated into existing CSIRTs or SOCs.
June 7, 2023 11:15-12:35
- US TLP:CLEAR
An Introduction to EPSS, The Exploit Prediction Scoring System
Jay Jacobs (Cyentia, US), Sasha Romanosky (RAND Corporation, US)
Jay Jacobs is a Co-founder and Chief Data Scientist at Cyentia Institute, a research firm dedicated to advancing the state of information security knowledge and practice through data-driven research. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of "Data-Driven Security", a book covering data analysis and visualizations for information security professionals.
Sasha Romanosky, PhD, researches topics on the economics of security and privacy, cyber crime, cyber insurance, and national security. He is a Senior Policy Researcher at the RAND Corporation, a faculty member of the Pardee RAND Graduate School, and an affiliated faculty in the Program on Economics & Privacy at the Antonin Scalia Law School, George Mason University. Sasha was a security professional for over 10 years in the financial and e-commerce industries, and is one of the original authors of the Common Vulnerability Scoring System (CVSS), and co-creator of the Exploit Probability Scoring System (EPSS), an emerging standard for estimating the probability of a vulnerability being exploited in the wild. Sasha is a former Cyber Policy Advisor in the Office of the Secretary of Defense for Policy (OSDP) at the Pentagon, where he oversaw the Defense Department's Vulnerability Equities Process (VEP), the Vulnerability Disclosure Program (VDP), and other cyber policy matters. Sasha is also an appointed member of DHS's Data Privacy and Integrity Committee (DPIAC), where he advises the Secretary of Homeland Security and DHS's Chief Privacy Officer on policy, operational, and technology issues.
The Exploit Prediction Scoring System (EPSS) is an emerging standard that estimates the probability that a vulnerability will be exploited. Since our creation in April 2020, we have grown to over 150 members from around the world, with tens of thousands of daily downloads of our probability scores and API calls. In addition, we have improved and refined the model, and augmented the data feeds with even more data partners. In this presentation, Sasha Romanosky and Jay Jacobs - the original authors and co-chairs of the EPSS SIG - will discuss the evolution of EPSS, some initial findings from our data analysis, and future directions. No prior knowledge or experience with EPSS is required for this talk.
June 5, 2023 14:45-15:20
FIRSTCON23-TLP-CLEAR-Romanosky-and-Jacobs-An-Introduction-to-EPSS.pdf
MD5: d6ded003cd604531f925ed858ef03e01
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.68 Mb
- FR TLP:CLEAR
AnoMark - Anomaly Detection in Command Lines with Markov Chains
Alexandre Junius (ANSSI (National Cybersecurity Agency of France), FR)
Alexandre Junius is a Master's graduate of ENSAE's Statistical Engineering programme and of Sciences Po's Public Policy (Security and Defence speciality) programme. He is currently working as Data Scientist in the Detection team of the National Cybersecurity Agency of France.
AnoMark is a machine learning algorithm that uses NLP (Natural Language Processing) methods to analyze the command lines recorded at each process creation in the event logs of an information system. Based on a decomposition into n-grams (from the letters composing the command line), AnoMark trains a statistical model based on a Markov chain. This model then calculates a likelihood score for new command lines and extracts the ones that are most abnormal relative to past activity. The application of this algorithm has already resulted in the detection of malicious behavior in process creation event logs on several occasions. This gives reason to be optimistic about the use of automated anomaly detection methods in cybersecurity, in addition to the usual methods for detecting known behavior. The project is now open source on the National Cybersecurity Agency of France's GitHub and can be integrated into any modern SIEM. As an example, a Splunk custom command implementation is provided in the repository.
June 5, 2023 14:00-14:35
FIRSTCON23-TLP-CLEAR-Junius-AnoMark-Anomaly-Detection-in-Command-Lines.pdf
MD5: 513037ac6dc4443d91c698f163315ab1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.99 Mb
- FR TLP:RED
Another Pint of Crisis Exercises?
Vincent Le Toux (VINCI, FR)
Vincent Le Toux is head of the VINCI-CERT and also the author of Ping Castle, an Active Directory security tool. He has also made many open source contributions, such as to mimikatz, OpenPGP, OpenSC, the GIDS applet, etc. Finally, he has already given presentations at security events, mainly BlackHat, FIRST and BlueHat.
Everyone is doing crisis exercises, but mostly once per year at HQ level and organized by external consultants. How will the entities that compose your constituency react in a real crisis? You don't want to hear the answer. With decentralized entities, the VINCI group faces regular cyber attacks that are handled locally. Because those entities don't participate in the annual crisis exercises, crisis management is chaotic, with a lot of delay and loss of forensic artifacts. We ran 15 technical crisis exercises and 15 management crisis exercises (after 15 red team exercises), and here is what we have learned:
- The reaction of the entities and which blind spots we should anticipate
- What the attention points are in terms of vulnerabilities or templates to build
- How to reduce the cost of these tests through economies of scale
June 8, 2023 10:15-10:50
- NL TLP:CLEAR
Assessing e-Government DNS Resilience
Jeroen van der Ham (NCSC-NL & UTwente, NL)
Jeroen van der Ham is a senior researcher at NCSC-NL and Associate Professor at Twente University. He has contributed to numerous FIRST working groups, including co-chairing the Ethics WG. Jeroen has published on many cybersecurity topics, including anonymization, DNS security, and vulnerability information. His research interests include the ethics of cybersecurity and the professionalization of incident response.
Electronic government (e-gov) enables citizens and residents to digitally interact with their government via the Internet. Underpinning these services is the Internet's Domain Name System (DNS), which maps e-gov domain names to Internet addresses. Structuring DNS with multiple levels of redundancy that can withstand stress events such as denial-of-service (DoS) attacks is a challenging task. While the operator community has established best practices to this end, adopting them all involves expert knowledge and resources. In this work, we obtain and study a list of e-gov domain names used by four countries (the Netherlands, Sweden, Switzerland, and the United States) and measure the DNS structuring of these domains. We show the adoption of best practices and inter-country differences such as the use of anycast, and provide recommendations to improve DNS service robustness.
June 7, 2023 12:00-12:35
FIRSTCON23-TLP-CLEAR-Van-Der-Ham-Assessing-eGov-t-DNS.pdf
MD5: 0f83d736fae4cacaa7dd89035744a6d7
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.4 Mb
- US TLP:CLEAR
Authentication Proxy Attacks: Detection, Response and Hunting
Christopher King (Northwestern Mutual, US)
Chris King is Sr. Director of Northwestern Mutual's Cyber Threat Operations organization. In this role, he leads teams of talented security engineers operationalizing intelligence, building threat simulations, and hunting for ghosts in the machine. Much to the chagrin of his team, Chris gets his hands dirty and consistently dives into interesting incidents and threat data, looking for patterns to exploit. In prior roles, he led security operations and DevOps teams at Rockwell Automation and spent a large portion of his career working at CERT/CC engaged in vulnerability research and promoting coordinated vulnerability disclosure.
Over five years ago, Evilginx was released, demonstrating the ease of stealing authentication session tokens from MFA-enabled logon processes with a simple reverse proxy. Despite being a well-known technique, few of these attacks were seen in widespread use among cybercrime threat actors until recently. The advent of EvilProxy and similar platforms has now given attackers the ability to compromise targets with strong authentication without resorting to burdensome SIM swapping or noisy push fatigue attacks. With rapid adoption of phish-resistant MFA outside government-aligned sectors, organizations need to know how to detect and respond to these attacks. In this talk, we will provide an in-depth look at the tactics, tools and procedures (TTPs) used by threat actors to effect account takeover of MFA-enabled accounts. We'll demonstrate how the ingenuity of this attack has a fatal flaw at its core, allowing us to hunt, detect, mitigate and block this type of attack.
June 8, 2023 14:00-14:35
- US TLP:CLEAR
Automating Cloud Forensics Lab Provisioning
Tim Ip (Adobe, US)
Tim has worked for 10+ years in InfoSec across the education, pharmaceutical and software industries. Currently he is working as a Security Engineer at Adobe focusing on DFIR and Purple Teaming. Prior to Adobe, he served as Security Architect for the University of San Francisco and Senior Consultant at Deloitte. He has expertise in Security Automation, Data Analytics and Offensive Security. He enjoys wielding everything from soldering irons to assembly language in cyber security competitions, hackathons and CTFs. Outside of work, he leads the monitoring team for the Global Collegiate Penetration Testing Competition (CPTC). He is a current holder of the CISSP, CISM, OSEE and GXPN certifications.
Gathering relevant artifacts and performing a forensic investigation following a cybersecurity incident is a challenge for any organization. However, for larger companies that have a presence across multiple sites and countries, the challenge is far more complex. Not only is there a higher volume of incidents to respond to and investigate, but there are regional regulations and compliance restrictions that limit where and how data and other artifacts can be shared or transmitted. Our project (Forensics VM) leverages Infrastructure as Code (IaC) to automate cloud forensics lab provisioning. The project enables us to dynamically deploy the lab in different geographic regions across different cloud service providers such as AWS, Azure and GCP. We will discuss how this project streamlines and simplifies our forensics process, as well as how it resolves different issues arising from regulations and compliance restrictions.
June 8, 2023 16:35-17:10
FIRSTCON23-TLP-CLEAR-Ip-Automating-Cloud-Forensics-Lab-Provisioning.pdf
MD5: c2e0e1e1b3d454a6e6216a4b749d7566
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.73 Mb
- GB TLP:GREEN
Before the Storm: Preincident Response with an Emerging Threats Team at the Bank of England
Eloise Hindes (Bank of England, GB)
Coming to Cyber Security after five years as a communications consultant and four years as the Chief of Staff for Technology, Ellie Hindes now heads the first Emerging Cyber Threats team within the Bank of England. A non-traditional route into the Cyber Security industry has given Ellie a perspective that places organisational concerns and good comms at the heart of her work. She's a firm believer that if the business doesn't care what you're doing, or can't understand it, you'll never have the impact you want. As the UK's Central Bank, the Bank of England oversees the safety and soundness of the British financial sector and operates critical national infrastructure including the Real Time Gross Settlement Service, which settles over £750 billion a day. Working closely with national organisations including the National Cyber Security Centre, and other Central Banks worldwide, their Cyber Security Division has been internationally recognised for its innovative approach.
How do you harness the pace and focus of incident response before the lightning strikes? At the Bank of England we've created a team to bridge the gap between longer-term strategic change and live incident response. Our new Emerging Threat function is a small agile team of experienced cyber generalists able to provide swarm capacity for the topics and issues which haven't yet caused an incident, but which evidence tells us might do soon. Using many of the techniques of incident management, they coordinate swift changes of controls in response to changing intelligence, observed trends and new vulnerabilities. Using our response to the Russian invasion of Ukraine as a case study, this presentation will explain the team's form, function, benefits, and relationship with our wider Cyber Security Division.
June 8, 2023 12:05-12:40
- TLP:CLEAR
BoF | Standards BoF in Place du Canada
If you're interested in helping define the future of FIRST's standards development work, come join us Tuesday after the lightning talks where we'll be collaboratively outlining the basis for the to-be FIRST Standards Committee.
Questions we'd like you to help us answer:
- What is the relevancy of standards development work in 2023? What roles can and should FIRST play?
- Are there external standards bodies (SDOs) we should be working with but where we don't have an existing partnership?
- Are there draft standards relevant to our work as cyber defenders which we should be tracking and commenting on?
- How should we begin to approach the problem of standardising ML models?
June 6, 2023 18:15-19:15
- AU TLP:CLEAR
Building a New Cybersecurity Alert Priority Matrix
Josh Lemon (Uptycs and SANS Institute, AU)
Josh Lemon is the Director of Uptycs' global managed detection and response team, helping to secure some of the largest international brands from cyberattacks. Josh is also an independent digital forensics and incident response expert. He assists government and commercial clients with sophisticated compromises, maturing their cyber defence and response programs and threat hunting for malicious adversaries. He is also a co-author of the SANS Institute "Enterprise Cloud Forensics" (FOR509) and "DFIR NetWars" courses and teaches the "Advanced Incident Response and Threat Hunting" (FOR508) and "Advanced Network Forensics" (FOR572) courses. Josh has two decades of experience in the incident response and digital forensics industry. He previously worked as Managing Director for Ankura, where he led Ankura's APAC digital forensics and incident response practice, and as Director at Salesforce.com in their international Salesforce Security Response Centre (SSRC), where he headed up the team responsible for looking at new cutting-edge ways to approach incident response at scale. He has also held the role of CSIRT Manager for the Commonwealth Bank of Australia and was a Managing Consultant for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, including overseeing large and complex incident response and offensive security engagements.
There is a common tug-of-war between SOC staff, detection engineers and CSIRT/DFIR professionals when determining how important or severe an alert or detection is. Detection engineers are continually pushed to find new and creative ways of catching threat actors, whereas SOC and CSIRT staff are on the receiving end of triaging alerts and actioning them. Increasing your number of detections may seem sensible from a metrics perspective, however, it directly increases alert fatigue on SOC staff. How do we strike a balance between ensuring we have creative detections and not flooding our SOC and CSIRT staff with alerts that provide little value to preventing a threat actor from freely moving around an organization's network?
This talk will look at a new way of prioritizing and classifying alerts from the perspective of defending an organization and speeding up the response to threat actors. If we take a different approach to assessing how useful detections are, we can help a SOC to prevent a threat actor from achieving their Actions on Objectives. With this new approach, we can also provide better guidance to detection engineers on alerts that are more likely to catch threat actors and not catch the admin team running an update script.
June 8, 2023 15:50-16:25
- NL TLP:CLEAR
Building an Integrated Threat Landscape (Full Day)
Robin Staa (NCSC-NL, NL), Bart van den Berg (NCSC-NL, NL)
Robin Staa is a Cyber Threat Intelligence Analyst at the National Cyber Security Centre of the Netherlands (NCSC-NL). She holds an international master's degree in Security, Intelligence, and Strategic Studies, awarded by the University of Glasgow, Dublin City University, and Charles University. In her role at the National Cyber Security Centre (NCSC-NL), she gives organizations within a variety of vital sectors and the central government guidance and direction to protect their operations and essential information. As she strongly believes that collaboration and joint efforts are key to addressing the ever-evolving cybersecurity landscape, Robin’s work is anchored in promoting information sharing and cooperation among organizations.
Bart van den Berg is a Senior Cyber Threat Intelligence analyst at the National Cyber Security Centre of the Netherlands (NCSC-NL). He supports organizations in vital sectors and the central government to boost their digital resilience. Bart is an expert in analyzing tactical and strategic international security threats and trends, and holds extensive experience in training professionals within various security domains. Bart is a former Fellow of the Clingendael Institute, a leading think tank on international affairs. As a commissioned officer in the Royal Netherlands Army, Bart was deployed in 2018 with NATO to Lithuania to increase the defense and deterrence posture of the alliance.
Why build a threat landscape alone if you can share insights about mutual threats with peers?
At the NCSC-NL, we stimulate and facilitate the development of threat landscapes across industries and sectors, both private and public. Through our method, organizations share insights about the threats they face and how to manage them.
In this workshop, we will:
- Introduce the NCSC-NL organization-transcending risk management methodology and NCSC-NL's approach to public-private cooperation;
- Demonstrate how we design threat scenarios by linking the knowledge of participants through structured dialogue;
- Provide participants with tools, processes, and the knowledge to identify the most significant threats to their environment;
- Enable participants to translate these threats into scenarios and identify indicators to monitor developments within the threat landscape.
This method, broadly used by the NCSC-NL, enables organizations to generate further insights on shared threats at the strategic, tactical, and operational/technical level. Through this, the presented methodology supports organizations in establishing effective risk-based decision-making and increasing the overall resilience within a sector or supply chain. Join us at the workshop and build an integrated threat landscape together!
June 9, 2023 09:00-10:20
- LU TLP:CLEAR
Building Your Own Workflows in MISP: Tutorial and Hands-On (Full Day)
Sami Mokaddem (CIRCL, LU), Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU)
Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team, where he develops and maintains the software as well as its related tools.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
MISP has been a widely used open source CTI platform for the past decade, with a long list of tools that allow users to customise the data models and contextualisation of the platform, yet true customisation of the actual workflows and processes had to be done externally using custom scripts. With the introduction of MISP workflows, this has changed. The workshop aims to walk the audience through some of the potential ideas of how one could adapt the tool to their own CSIRT's or SOC's workflows by using some hands-on examples during the session.
June 5, 2023 11:15-12:35
- DE TLP:CLEAR
Busy Bees - The Transformation of BumbleBee
Patrick Staubmann (VMRay GmbH, DE)
Patrick Staubmann joined VMRay as a threat researcher back in 2019. As part of the Threat Analysis team, he continuously researches the threat landscape and conducts in-depth analyses of malware samples. To further improve the company's product, he also extends its detection capabilities in the form of behaviour-based rules, YARA rules, and configuration extractors. He is especially interested in reverse engineering, low-level system security and exploitation.
In early 2022, a new malicious loader named BumbleBee was discovered. Multiple cyber attacks have been identified that use BumbleBee to deliver well-known malware families to harm systems. While analyzing different BumbleBee samples, we identified many structural changes and improvements implemented since its first sighting. These changes are a strong indicator that the family is still under heavy development, and we expect more changes in the future. This makes the family an interesting and important object of research. To protect itself against detection and manual as well as automated analysis, BumbleBee uses various techniques to detect sandboxes and analysis environments. Most of this logic is taken from an open-source sandbox detection project. This talk shares our insights and thoughts collected over the past months while analyzing and tracking this malware family.
June 8, 2023 16:35-17:10
FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx
MD5: ac9f1663f5ee92a9d3608cedfee88911
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 6.16 Mb
- JP TLP:CLEAR
Can We Tell the Threat Actor from Their ATT&CK TIDs?
Ryusuke Masuoka (Fujitsu System Integration Laboratories Limited, JP), Toshitaka Satomi (Fujitsu System Integration Laboratories Limited, JP), Koji Yamada (Fujitsu System Integration Laboratories Limited, JP)
Dr. Ryusuke Masuoka is a Global Fujitsu Distinguished Engineer and a research principal at Fujitsu System Integration Laboratories Limited, working on Cyber Security. He also works part-time as a Chief Cybersecurity Advisor for Japan Ministry of Defense. Over 30 years, he has conducted research in neural networks, simulated annealing, agent system, pervasive/ubiquitous computing, Semantic Web, bioinformatics, Trusted Computing, Software/Security Validation, Cloud Computing, Smart Grid, the Internet of Things, Cyber Security Policy, and Cyber Security. He also led numerous standardization activities and collaborations with universities, national and private research institutes, and startups. He is an ACM senior member and an IEEE senior member. (For more detail, check http://masuoka.net/Ryusuke/cv/)
Toshitaka Satomi is a researcher with Fujitsu System Integration Laboratories LTD (FSI). He joined Fujitsu PC Systems in 1997 after graduating from the Tokyo Institute of Technology. He worked on the development of an F-BASIC compiler and insurance business systems. After that, he became interested in cybersecurity research and he developed various cybersecurity PoC systems. Since he moved to FSI in 2017, he has been conducting research on Cyber Threat Intelligence (CTI) and has developed a Cyber Threat Intelligence Platform, "S-TIP", which is now available as OSS. He is also the initial developer of "ATT&CK Powered Suit", a Google Chrome Extension which puts the MITRE ATT&CK knowledge base at your fingertips.
Koji Yamada is a cybersecurity research manager at Fujitsu System Integration Laboratories LTD (FSI). He has been engaged in FJC-CERT activities for over two years. He has also been engaged in cyber threat intelligence and cyber deception technologies. He is a Certified Information Systems Security Professional (CISSP) and has previously spoken at conferences including Black Hat USA, Arsenal, CodeBlue, and FIRSTCON21.
We examined the research question of "Can we tell the threat actor from their ATT&CK TIDs?" We started to see ATT&CK Technique IDentifiers (TIDs) in more and more tools and CTI reports. With the holistic view of threat actors provided by ATT&CK, we came up with the idea of applying TF-IDF to Groups as documents and TIDs as terms to determine the similarity of the set of ATT&CK TIDs to a particular Group. Our initial answer to the question is "Not a Complete Yes, but Very Promising", based on the evaluation results. We also found a way to utilize Decision Trees for threat hunting purposes in an Analysis of Competing Hypotheses (ACH) context. As a conclusion, observed TIDs in a cyber attack should help you make better informed attribution decisions. This capability makes your cyber defenses more proactive and focused by knowing your adversaries.
June 7, 2023 14:00-14:35
FIRSTCON23-Attribution-from-TIDs-v20230607.pdf
MD5: b0586552c36f1c4a9c8910d082acf4bb
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.81 Mb
- CH TLP:GREEN
Case Solved: Catching Evil on the Fly!
Sandro Bachmann (InfoGuard AG, CH), Andreas Klaus (InfoGuard AG, CH)
Sandro Bachmann is a Senior Cyber Security Analyst at InfoGuard CSIRT, where he is on the front line of cyber attacks every day. In return, he shares his security knowledge with students in the classroom.
Andreas Klaus is a senior security analyst working in the CSIRT of InfoGuard. With more than 10 years of experience as a System Engineer and an in-depth specialization in IT security, he is well prepared for the daily firefighting challenges. In his free time he is a passionate CTF player and always willing to exchange his knowledge.
During initial triage, Incident Responders gather as much information as possible to be able to categorize the current threat situation properly. To speed up this process, and to support better decisions, we built an infrastructure that allows a quick triage and reveals the endpoints you need to focus on. In this talk we would like to share our experience of processing forensic artifacts in a data analytics platform to enrich and visualize the necessary information, based on current Threat Intelligence. This approach works for incident response cases and compromise assessments from one host up to thousands.
June 8, 2023 15:50-16:25
- FR TLP:AMBER
CERT-FR’s Incident Processing Chain: From Low-Level Alerts to Cybersecurity Crisis, How the French Governmental and National CSIRT Handles Cyberattacks
Dorothée Fermon (CERT-FR (ANSSI), FR), Léna Elemento (CERT-FR (ANSSI), FR)
After a Law degree specialized in defense and both national and European security, Dorothée Fermon joined the French Military Academy of Saint-Cyr. As a French Army commanding officer, she has been working in the field of network and information security for more than 15 years. Following a master's degree in computer forensics, she joined CERT-FR in 2019 and has been the head of its Incident Response unit for almost 3 years.
Léna Elemento joined CERT-FR's Incident Response unit in 2018, after a Master's degree in International Relations at Sciences Po, paired with a degree in mathematics applied to cryptography at the University of Paris. She has worked there as an analyst in the situational awareness and operational activities regulation team, which she now manages.
CERT-FR's engagement on a specific incident depends on the nature of its victim, the criticality of its impacts and the threat it poses to the French nation. Handling more than 3000 cybersecurity events each year, CERT-FR has therefore adapted to respond efficiently to each of them. Thanks to an incident processing chain involving 5 different stages of treatment (from simple alert to national crisis) coupled with 3 modes of engagement, CERT-FR now benefits from both technical and management expertise tailored to every situation. Illustrated by recent and tangible cases, this presentation will tackle the life cycle of a cybersecurity event at CERT-FR. It will highlight the different missions and components that are essential to ensure efficient and high-quality support to ANSSI's constituents, who face ever-growing cyber threats.
June 8, 2023 16:35-17:10
- CA TLP:CLEAR
Collective Defense Intelligence: A Model for Empowering the Open Cybersecurity Ecosystem
Jason Keirstead (IBM Security, CA)
Jason Keirstead is an IBM Distinguished Engineer and CTO of Threat Management in IBM Security. His role includes the complete threat life cycle, from Threat Insight, through Prevention, Detection, Response and Recovery and encompasses XForce Threat Management products, and the QRadar XDR product suite including SIEM, SOAR, and Reaqta EDR. Jason also sits on the OASIS Board of Directors and serves as a co-chair of the Open Cybersecurity Alliance project governing board.
We are at a turning point in the cybersecurity market. Products will soon no longer be measured solely on how many security use cases they can fulfill, or how many attacks their black-box AI can detect or prevent. They will additionally be measured on how easily and robustly they allow users to consume the outputs of the open cybersecurity ecosystem, and how easily they allow analysts to contribute back to it. In order to enable and accelerate this change, the cybersecurity community needs a common collaboration model for defense, that builds upon what already exists in the community for collaboration on threat intelligence, and enhances it to allow for highly agile defense intelligence creation and deployment.
June 8, 2023 12:05-12:40
FIRSTCON23-TLPCLEAR-Keirstead-Collective-Defense-Intelligence.pdf
MD5: 59469ab8ce67dc667a37d0f03dc5d11c
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.93 Mb
- US NL TLP:CLEAR
Communication Skills for Incident Response (Full Day)
Jeff Carpenter (Secureworks, US), Don Stikvoort (Open CSIRT Foundation, NL)
Jeffrey Carpenter has dedicated more than 30 years to improving the state of information security in roles such as analyst, product security officer, information security officer and leader. In 1995, Jeffrey joined the CERT® Coordination Center, located at Carnegie Mellon University's Software Engineering Institute, as an incident response analyst. He became the incident response team leader in 1998 and technical manager in 2000. Jeffrey managed more than 50 technical individuals who conducted applied research and operational analysis with a focus on incidents, software vulnerabilities, network monitoring, malicious code, vulnerability discovery, and secure coding. Jeffrey currently is the Secureworks Senior Director of Incident Response Consulting and Threat Intelligence. The Incident Response Consulting Practice, with over 100 consultants, analysts and researchers, provides rapid containment and eradication of threats, minimizing the duration and impact of a security breach for Secureworks' customers, as well as helping customers effectively prepare for an incident. The practice performs more than 1500 engagements per year. The Threat Intelligence group is part of the Counter Threat Unit™ (CTU) and delivers threat intelligence services to customers.
Don Stikvoort was born in 1961, and did his MSc in physics. From 1988 onwards he was one of Europe's Internet and cyber security pioneers. He led the 2nd European CSIRT until 1998, started the cooperation of European CSIRTs in 1993, and was the founding father of NCSC-NL, the Dutch national team. Co-author of the CSIRT Handbook, and creator of the SIM3 CSIRT maturity model. FIRST hall-of-fame member.
Don is an NLP master trainer & practitioner, and has been giving train-the-trainer trainings especially for FIRST and TF-CSIRT. Additionally, Don does life/work coaching and therapy.
This workshop is designed to enhance the communication skills of incident response and security analysts, so they can confidently and competently relay key messages to business stakeholders during a cyber crisis. No prior experience or qualifications are needed, as it will provide attendees with advice and recommended best practice, as well as the opportunity to practice communications in a safe environment. Ultimately, the session will immediately enable and equip incident responders with the tools to proactively and consciously develop their own effective communication capability.
Attendees of this workshop should please download the following materials:
https://onedrive.live.com/?authkey=%21AAGXkSnV22XWYv4&id=A1E5DDD23CE78CFE%21512&cid=A1E5DDD23CE78CFE
June 6, 2023 09:30-10:50
FIRSTCON23-TLP-CLEAR-Carpenter-Workshop-Communication-Skills-for-Incident-Response.pdf
MD5: 2b083cf541b404054753180ff7ec993c
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.49 Mb
- US TLP:CLEAR
"Compromising the Keys to the Kingdom" - Exfiltrating Data to Own and Operate the Exploited Systems
Aditya K Sood (F5, US)
Aditya K Sood, Ph.D., is a senior director of threat research and security strategy at the Office of the CTO at F5. Dr. Sood manages the Advanced Threat Research Center of Excellence (ATRCoE). With the experience of more than 15 years in the field of security, Dr. Sood focuses on a wide spectrum of cybersecurity and next-generation technologies. Dr. Sood obtained his Ph.D. from Michigan State University in computer sciences. He also authored Targeted Cyberattacks and Empirical Cloud Security books. Dr. Sood is also a frequent speaker at global cybersecurity conferences and contributes regularly to industry and academic leading journals and magazines. Website: https://adityaksood.com Company: https://www.f5.com
Cyberattacks are evolving at an exponential rate. The adversaries (attackers, cybercriminals, nation-state actors) are focused on stealing, exfiltrating, and destroying data. The question is, "Why?" The answer is simple: "Data holds the keys to the kingdom!" In this session, we will present the current state of advanced threats and how "controlling data" has become the breeding ground for cyberattacks. A number of data exfiltration case studies will be discussed, covering nation-state cyber warfare and targeted cyber attacks, including broad-based attacks.
June 7, 2023 14:45-15:20
FIRSTCON23-TLPCLEAR-Sood-Compromising-the-Keys-to-the-Kingdom.pdf
MD5: 195442fe06acf027d8915af6fc556119
Format: application/pdf
Last Update: June 7th, 2024
Size: 24.72 Mb
- LT TLP:CLEAR
Continuous Threat Intelligence Improvements
Leonardas Marozas (CUJO AI, LT)
Leonardas Marozas is a researcher and cyber security research manager at CUJO AI and a lecturer at Vilnius technical university. Of his 15+ years working in cyber security, the last 6 were spent with a focus on threat intelligence and IoT security.
What began as a need to cover the gaps identified in the threat intelligence solutions of the time, with the data already at hand, made it obvious that one of the biggest challenges is contextualizing the data for the specific area of operation. We explore the usefulness of ML, but only on a certain subset of the data, show how global threat intelligence offerings are far less efficient than regional ones, and provide an overview of the challenges and missteps made throughout the journey of building a threat intelligence platform suitable to protect globally distributed NSPs' customers.
June 8, 2023 09:30-10:05
FIRSTCON23-TLP-CLEAR-Marozas-Continuous-Threat-Intelligence-Improvements.pdf
MD5: 77319fafe41b67fde14763d1351ad28d
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.88 Mb
- SE TLP:CLEAR
Cracking the Chaos Ransomware Family
Alexander Andersson (Truesec, SE)
Alexander is a Principal Forensic Consultant at Truesec, where he focuses on incident response, threat intelligence, and security research. Alexander spends most of his time providing incident response to companies that have suffered from a cyber attack. He has responded to several hundred complex incidents, including nation state-backed attacks and ransomware against global organizations. Alexander also performs offensive and forensic research, and is responsible for developing Truesec's forensic tooling.
In the last few years, many organizations have suffered from ransomware attacks. Recovering from a ransomware attack usually requires backups, but in some cases there are other ways. In this session, Alexander will tell the story behind his team's latest research, which is now published by Europol on NoMoreRansom. The research breaks an entire family of ransomware variants and allows victims to restore encrypted data without obtaining the private keys.
June 9, 2023 09:45-10:20
- JP TLP:CLEAR
Creating the Coordinator Rules
Tomo Ito (JPCERT Coordination Center (JPCERT/CC), JP)
Working as a vulnerability coordinator at JPCERT/CC for 7 years, Tomo currently leads the Global CVD project of the organization, which aims to contribute to the global CVD ecosystem stability through collaborations with the stakeholders from different parts of the world.
As the world is becoming more and more interdependent, the importance of Coordinated Vulnerability Disclosure (CVD) activities is increasing rapidly. Today, multiple organizations, such as national CERTs, governments, bug bounty services, etc. are working as CVD coordinators. In each case, the coordinator aims for the best outcome, which could be described as reducing the risks to the relevant stakeholders. While the diversity between the coordinators is to be respected, too much difference between them can cause confusion among CVD stakeholders such as vendor PSIRTs and researchers: a stakeholder may not be able to know what and how much to expect from a coordinator, or a coordinator may not act as expected in communication or information distribution timing, etc. To avoid such confusion and decrease the number of unsuccessful CVD cases, JPCERT/CC is suggesting and working to create rules/guidelines for CVD coordinators. In this presentation, the basic ideas of the coordinator rules and their progress will be explained to the audience.
June 8, 2023 11:20-11:55
FIRSTCON23-TLP-CLEAR-Ito-CoordinatorRules.pdf
MD5: 126020f3ec4dd303ee1e744204933931
Format: application/pdf
Last Update: June 7th, 2024
Size: 957.75 Kb
- US DE TLP:CLEAR
CSAF Writing Bootcamp (Full Day)
Justin Murphy (CISA, US), Thomas Schmidt (BSI, DE)
Justin Murphy is a Vulnerability Disclosure Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. He also assists Dr. Allan Friedman in coordinating the global, multi-stakeholder community-led efforts around software bill of materials (SBOM), and other Technology Assurance related projects at CISA. Justin is a former high school mathematics teacher turned cybersecurity professional and has a M.Sc. in Computer Science from Tennessee Technological University, and a B.Sc. degree in Statistics from the University of Tennessee (Knoxville).
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories on both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITON/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
The Common Security Advisory Framework (CSAF) became an OASIS standard in 2022. CISA and BSI announced that CSAF will be a core pillar of better vulnerability management. But how does one create those machine-readable security advisories? Where should I start and what tools are out there? The bootcamp gets you started with CSAF. It starts with a short intro to the standard and the available open source tools. Then, several hands-on exercises explore the security advisory and VEX profiles in CSAF.
June 5, 2023 11:15-12:35
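As an added example for the VEX profile mentioned in the bootcamp description (not material from the bootcamp or from the OASIS tooling), the code below builds a minimal CSAF 2.0 document with document.category "csaf_vex" as a Python dict and runs three consistency checks that mirror rules in the standard: every product_id referenced in a product_status must be defined in the product_tree, one product must not appear in two contradicting status groups for the same vulnerability, and a product listed as known_not_affected needs a machine-readable justification (a flag or an impact threat). The vendor, product name, product_id, tracking ID and publisher namespace are constructed; before publishing, run the JSON through the official validator or an editor such as Secvisogram, which enforces the full set of mandatory tests.

```python
"""Build a minimal CSAF 2.0 document in the VEX profile and run three consistency checks."""
import json
from copy import deepcopy

# CSAF groups product_status categories; one product may not appear in two different groups
# for the same vulnerability (the "contradicting product status" rule).
STATUS_GROUPS = {
    "affected": {"first_affected", "known_affected", "last_affected"},
    "not_affected": {"known_not_affected"},
    "fixed": {"first_fixed", "fixed"},
    "under_investigation": {"under_investigation"},
}

def build_vex(tracking_id, vendor, product_id, product_name, cve, status,
              justification="vulnerable_code_not_present", date="2023-06-05T00:00:00Z"):
    """Return a minimal csaf_vex document as a dict (json.dumps() it to publish). All values are constructed."""
    doc = {
        "document": {
            "category": "csaf_vex",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": vendor,
                          "namespace": "https://psirt.example.invalid"},  # hypothetical namespace
            "title": f"{vendor} VEX statement for {cve} in {product_name}",
            "notes": [{"category": "summary", "text": f"Status of {product_name} regarding {cve}."}],
            "tracking": {
                "id": tracking_id, "status": "final", "version": "1",
                "initial_release_date": date, "current_release_date": date,
                "revision_history": [{"date": date, "number": "1", "summary": "Initial release"}],
            },
        },
        "product_tree": {"full_product_names": [{"name": product_name, "product_id": product_id}]},
        "vulnerabilities": [{
            "cve": cve,
            "notes": [{"category": "description", "text": f"Assessment of {cve}."}],
            "product_status": {status: [product_id]},
        }],
    }
    if status == "known_not_affected":
        # VEX wants a machine-readable reason for "not affected": a flag label or a threat of category impact
        doc["vulnerabilities"][0]["flags"] = [{"label": justification, "product_ids": [product_id]}]
    return doc

def defined_product_ids(doc):
    """Collect every product_id defined in the product_tree (full_product_names and nested branches)."""
    tree = doc.get("product_tree", {})
    ids = {p["product_id"] for p in tree.get("full_product_names", [])}
    def walk(branches):
        for b in branches:
            if "product" in b:
                ids.add(b["product"]["product_id"])
            walk(b.get("branches", []))
    walk(tree.get("branches", []))
    return ids

def check(doc):
    """Return a list of problem strings; an empty list means all three checks passed."""
    problems, known = [], defined_product_ids(doc)
    for i, vuln in enumerate(doc.get("vulnerabilities", [])):
        status_map = vuln.get("product_status", {})
        group_of = {}  # product_id -> status group first seen in
        for status, pids in status_map.items():
            group = next((g for g, members in STATUS_GROUPS.items() if status in members), status)
            for pid in pids:
                if pid not in known:
                    problems.append(f"vulnerabilities[{i}]: {pid} ({status}) is not defined in product_tree")
                if group_of.setdefault(pid, group) != group:
                    problems.append(f"vulnerabilities[{i}]: {pid} has contradicting status groups "
                                    f"{group_of[pid]} and {group}")
        if doc["document"].get("category") == "csaf_vex":
            justified = {p for f in vuln.get("flags", []) for p in f.get("product_ids", [])}
            justified |= {p for t in vuln.get("threats", []) if t.get("category") == "impact"
                          for p in t.get("product_ids", [])}
            for pid in status_map.get("known_not_affected", []):
                if pid not in justified:
                    problems.append(f"vulnerabilities[{i}]: {pid} is known_not_affected without a flag "
                                    "or impact statement")
    return problems

def broken_copy(doc):
    """Deliberately damage a document to show what check() reports."""
    bad = deepcopy(doc)
    vuln = bad["vulnerabilities"][0]
    vuln["product_status"]["known_affected"] = ["CSAFPID-9999"]          # product never defined
    vuln["product_status"]["known_affected"] += vuln["product_status"]["known_not_affected"]  # contradiction
    vuln.pop("flags", None)                                             # justification removed
    return bad

if __name__ == "__main__":
    good = build_vex("ACME-VEX-2023-0001", "ACME", "CSAFPID-0001", "ACME Widget 2.0",
                     "CVE-2021-44228", "known_not_affected")
    print(json.dumps(good, indent=2))
    print(check(good))               # []
    print(check(broken_copy(good)))  # three problems
```

The point of the damaged copy is that all three defects are syntactically valid JSON: a schema check alone would accept them, which is why the standard's consistency tests, and tooling that runs them, matter before an advisory is published.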
- LT
CSIRT/SOC Manager Improvement Training (Full Day)
Vilius Benetis (NRD Cyber Security, LT)
Dr. Vilius Benetis is from NRD CIRT (@NRD Cyber Security), where he leads a team of experts to establish and modernise cybersecurity incident response teams (CSIRT/SOCs) for sectors, governments and organisations in Africa, Asia, Europe and Latin America. He is an active contributor and speaker on cybersecurity incident response, and contributes to the development of CSIRT methodologies for ENISA, FIRST.org and ITU. He is an industry professor in Cybersecurity at Kaunas Technology University.
A CSIRT/SOC's success often depends a lot on how well it is managed by the management team. This training is one of very few trainings available specifically targeting CSIRT/SOC managers, to inspire, motivate, upskill, and foster friendships with other CSIRT/SOC managers. The training is for current and future senior and mid-level managers of CSIRTs and SOCs. The objective of the training is to spend a full day reflecting and collectively working on CSIRT/SOC managers' daily questions and concerns, including KPIs, annual report writing, clarity improvement in mandate and strategy, and the manager's time planning and allocation. Time will be dedicated to building relations between managers, discussing and supporting each other.
June 4, 2023 09:00-10:30
- BE
CTF Debrief with David
David Durvaux (European Commission, BE)
David leads EC DIGIT CSIRC and has been active in the incident response field for more than a decade. He has worked on many IT security incidents, especially on their computer forensics aspects. David has presented twice at the FIRST conference and at other conferences.
June 8, 2023 17:00-18:00
- FR TLP:CLEAR
CTI-Powered Hunting and Response
Emilien Le Jamtel (CERT-EU, FR)
Emilien Le Jamtel has been a cyber security expert for 15 years. After building his technical skills in offensive security, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to the Digital Forensics and Incident Response team. Since 2021, Emilien has been leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff. Emilien is a regular speaker at IT security conferences such as FIRST, hack.lu, Botconf or NorthSec.
Sharing is caring! This formula is catchy and mostly true in our line of business. But today, when running a threat intelligence program and using it to fuel the work of your SOC, incident response team and threat hunters, the volume and the noise may have unplanned consequences such as a high rate of false positives, lack of contextual information and, more generally, alert fatigue. In this talk, we will present the importance of a structured threat intelligence database and how to leverage it to prioritize threat hunting and incident response activities.
June 6, 2023 14:00-14:35
- JP TLP:CLEAR
Cyber Hygiene Hunting: Security Effectiveness Validation for Valid Security Posture
Tomohisa Ishikawa (Tokio Marine Holdings, JP)
Tomohisa is a seasoned cyber security engineer and a global security manager working for a global insurance company. He has engaged in various security projects/operations including global security strategy, security architecture, threat intelligence analysis, and DFIR. His previous experience includes red team and security training. He holds a Doctor of Engineering, CISSP, CSSLP, CISA, CISM, CDPSE, CFE, PMP etc. In addition, he has many contributions as a speaker, national IT exam committee member in Japan, translator, and author. He has spoken at various conferences such as SANSFIRE 2011 & 2012, DEFCON 24 SE Village and Japanese domestic conferences. He has also written a book on threat intelligence in Japanese and published 4 translated DFIR books with O'Reilly Japan.
Cyber hygiene is a basic strategy, but applying it without exception is difficult, and cyber hygiene failures allow intrusion by threat actors. In this presentation, I will present the "Cyber Hygiene Hunting" concept to identify failures of cyber hygiene. I will explain the concept of Cyber Hygiene Hunting and related concepts such as CM&CI (Continuous Monitoring & Continuous Improvement), EoC (Enabler of Compromise), and the Pyramid of Hygiene, and compare how this "Cyber Hygiene Hunting" concept is similar to and different from "threat hunting", "vulnerability assessment" and/or "penetration test". Then, I will explain numerous examples of identifying cyber hygiene failures such as Active Directory checks, security control validation, and compromise assessment. Finally, I will explain that these activities are beneficial not only for KPIs and actionable improvement for senior leadership, security heads, and global cybersecurity governance, but also for security due diligence processes in M&A or strategic partnerships.
June 9, 2023 10:30-11:05
FIRSTCON23-TLPCLEAR-Ishikawa-Cyber-Hygiene-Hunting.pdf
MD5: b2de6b1b62db1adc144495492d8f4f42
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.34 Mb
- US TLP:GREEN
Cyber Operations: The New Face of Incident Response (Virtual)
Shawn Richardson (NVIDIA, US), Amy Rose (NVIDIA, US)
Shawn Richardson is senior manager of Cyber Operations at NVIDIA. Over her 20+ year career, she has held a variety of roles in product security incident response, privacy, and security assurance at companies like Microsoft, Palo Alto Networks, and Amazon. She is an active participant in FIRST and Bug Bounty Community of Interest. Shawn resides in Seattle, WA with her husband and 2 cats (and yes, she really likes the rain).
Amy Rose is the Manager of the PSIRT team at NVIDIA. She has worked in Product Security Incident Response as well as various other security roles for multiple companies, has an interest in improving processes to make life easier, and has over 75 patents. Amy lives in Chapel Hill, North Carolina with her family.
As software shifts to cloud services, Incident Response Teams need to shift as well. Faster response and fix times are vital to protect customers. Cross-team incidents that blur the boundaries of what is traditionally PSIRT's versus CSIRT's focus are becoming the norm. To address this, NVIDIA has created a new Cyber Operations organization. How can your company create a similar program to scale your security teams to better adjust to these changes? What traditional strengths from each side of the house can be brought to new cyber operations centers and where can you borrow from other teams? How can you enhance cross-team collaboration? We will discuss these challenges, lessons learned, and benefits of this new organizational focus at NVIDIA.
June 6, 2023 09:30-10:05
- NL TLP:CLEAR
Dissect: the Solution to Large-Scale Incident Response (and Why APTs Hate Us)
Erik Schamper (Fox-IT, NL), Willem Zeeman (Fox-IT, NL)
Erik is a security researcher at Fox-IT working on various topics, ranging from threat intelligence to working on complex incident response engagements. He is one of the key authors of Fox-IT's enterprise investigation framework, Dissect. He helped shape the tooling and methods of how Fox-IT approaches enterprise investigations today.
Willem started his career (2000) as a system engineer and studied technical informatics. 2007-2017, he worked in both operational and organisational roles at an MSP. Since 2017 and currently in the role of Principal CIRT Consultant he's enjoying his passion for security and the usage of tools like Dissect.
Fox-IT made it possible to investigate many systems in a short amount of time, without compromising on quality or capabilities. We developed Dissect, an enterprise investigation framework that we have now open-sourced. With Dissect, you can go from an intake call to patient zero in a matter of hours, even in infrastructures with thousands of systems, no matter the operating systems. It also takes away concerns about how to access investigation data, so you can now focus on performing analysis, developing complex analysis plugins, and performing research. Dissect conveniently supports the analyst, from the moment of acquisition to normalization and processing. Behind the easy-to-use analyst tooling is a deep and extensive Python framework powering it all. The Dissect API enables technical analysts to easily get access to the lowest level of traces. This allows analysis and research of artefacts that were previously unnoticed or hard to get to, especially at scale. Because no adversary, no matter how high-end or widespread, should be beyond your reach. Dissect works for us in incident response and traditional digital forensics of computer systems, but it's flexible enough to incorporate forensics of just about any type of device. We can already investigate routers and firewalls; what else can you think of? Attendees will learn what Dissect is, get to know its capabilities, and how to use the Dissect framework to their advantage!
June 5, 2023 11:15-11:50
FIRSTCON23-TLPCLEAR-Schamper-and-Zeeman-DISSECT.pdf
MD5: dc29c23ce8e3afe210b2a783e4242164
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.41 Mb
- US
DNS: Prevention, Detection, Disruption and Defense (Half Day)
Carlos Alvarez (ICANN, US)
Carlos Alvarez del Pino leads ICANN's engagement with the trust and public safety communities (civil/criminal law enforcement, national cyber security centers, consumer protection, incident response teams, threat intelligence, operational security). His portfolio includes trust-groups, national/defense/police response teams, and organizations like the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), the Forum of Incident Response and Security Teams (FIRST), the National Cyber Forensics and Training Alliance (NCFTA), the Global Cyber Alliance or the Cyber Defence Alliance, among others. Carlos is an attorney graduated from the Universidad de los Andes in Bogota. He holds a Master of Laws degree from the University of Southern California Gould School of Law, and has studies on networking with TCP/IP from UCLA.
The training on DNS: Prevention, Detection, Disruption and Defense offers a comprehensive introduction from a basic to an advanced level on how adversaries abuse and leverage the Domain Name System and domain registration services to carry out different types of attacks.
Looking at both the technical aspects of the domain resolution process and the lifecycle of domain names, with a focus on the vulnerabilities in the processes and systems, participants in the training will gain an understanding of how they can prevent malicious activity, detect and disrupt it, as well as defend their specific constituencies.
The training consists of the following modules:
- DNS Basics and Ecosystem
- How do domains resolve?
- What are the components in the DNS?
- How does a domain get registered?
- Who is who in the domain ecosystem and why this matters?
- Phishing - Hands-on: Participants will learn which steps to take, with real-life examples, when addressing phishing cases against their constituencies:
- Detect the phishing
- Identify the relevant entities
- Gather the evidence
- Decide who to submit reports of abuse
- Decide on information sharing
- Advanced DNS
- Delegation
- Relevant Resource Records
- Authoritative vs. Recursive Resolvers
- Exercise
- Sophisticated DNS attacks
- Examples of sophisticated attacks
- Possible countermeasures for detection, disruption, and defense
- Techniques and good practices to prevent DNS threats
- Table-top exercise based on 4 scenarios:
- Hijacking
- DNS amplification
- Random subdomain attack
- DNS as a covert channel for exfiltration
June 4, 2023 09:00-10:30
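As an added example tied to the last two table-top scenarios (random subdomain attack and DNS as a covert channel for exfiltration), and not part of the training materials: a small Python pass over resolver query logs that flags a zone receiving many distinct, never-repeated subdomain labels, and a client sending long, high-entropy labels in data-carrying record types to a single zone. The log lines are constructed, the thresholds are starting points to tune against your own baseline, and the zone split is a naive "last two labels" rule where production code would use the Public Suffix List.

```python
"""Flag random-subdomain floods and DNS-tunnelling style exfiltration in resolver query logs."""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): one query per line as "client qname qtype".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a8f3k2.victim-zone.test A
10.0.0.7 zq91mm.victim-zone.test A
10.0.0.7 p0o9i8.victim-zone.test A
10.0.0.7 lkj3h4.victim-zone.test A
10.0.0.7 mn4b5v.victim-zone.test A
10.0.0.7 qw7e8r.victim-zone.test A
10.0.0.9 4d6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b.c2.exfil.test TXT
10.0.0.9 1f2e3d4c5b6a79880716253443526170.c2.exfil.test TXT
10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.c2.exfil.test TXT
10.0.0.9 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2.exfil.test TXT
"""

def shannon_entropy(label):
    """Bits per character; hex- or base32-encoded payload labels score far above dictionary words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_zone(qname, zone_labels=2):
    """Naive split into (prefix, zone) on the last two labels; real code should use the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    zone = ".".join(parts[-zone_labels:])
    prefix = ".".join(parts[:-zone_labels])
    return prefix, zone

def analyze(log_text, flood_threshold=5, entropy_threshold=3.5, min_label_len=24, exfil_threshold=3):
    """Return findings as (kind, subject, count) tuples."""
    per_zone_prefixes = defaultdict(set)   # zone -> distinct prefixes seen under it
    exfil_hits = defaultdict(int)          # (client, zone) -> queries that look like encoded payload
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        prefix, zone = split_zone(qname)
        if not prefix:
            continue
        per_zone_prefixes[zone].add(prefix)
        leftmost = prefix.split(".")[0]
        # Covert channel heuristic: a long, high-entropy leftmost label in a record type that carries data
        if (len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= entropy_threshold
                and qtype in {"TXT", "NULL", "CNAME"}):
            exfil_hits[(client, zone)] += 1
    findings = []
    for zone, prefixes in per_zone_prefixes.items():
        # A random subdomain (water torture) attack shows up as many distinct, never-repeated labels per zone
        if len(prefixes) >= flood_threshold:
            findings.append(("random_subdomain_flood", zone, len(prefixes)))
    for (client, zone), n in exfil_hits.items():
        if n >= exfil_threshold:
            findings.append(("possible_dns_exfil", f"{client} -> {zone}", n))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Two caveats when moving this to real logs: in a random subdomain attack the client addresses are usually spoofed or spread across a botnet, so the per-zone count of distinct labels is the signal rather than any one client, and CDNs and some security products legitimately emit high-entropy labels, so the exfiltration rule needs an allow-list of known zones before it is put on an alerting path.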
- BR TLP:AMBER
Enhancing Security Resilience by Visibility and Protection Gap Analysis
Raimir Holanda (Morphus Labs, BR), Antonio Horta (Morphus Labs, BR), Renato Marinho (Morphus Labs, BR)
Renato Marinho is Chief Research Officer at Morphus Labs and Incident Handler at SANS Internet Storm Center. Master and PhD candidate in Applied Informatics, he teaches Computer Forensics and Malware Analysis in post-graduate courses. He is also a speaker, having presented at SANSFIRE 2018/2019, RSA Conference 2018/2019, SANS Blue Team Summit 2018, Botconf 2017/2018, SANS Data Breach Chicago 2017, Ignite Cybersecurity Conference 2017/2018, BSides Delaware 2016, BSides Vienna 2016, WSKS Portugal 2013, Brazilian National CSIRTs Forum 2015/2017/2018/2020/2022 and GTER/GTS 2014. Professional certifications: GCFA, CISSP, CRISC, PMP and LPIC2.
This work presents the most common gaps in visibility and protection missed by the multiple cyber security layers of companies in Brazil and Chile, based on the outcome of real incidents and cyber exercises. The results are mapped to the MITRE ATT&CK® knowledge base, evidencing tactics and techniques with low visibility rates and a critical path representing the kill chain of the most invisible and unprotected attack path. The outcomes of this work are assembled in a report named Cyber Threat Resilience Report (CTR2), created by Morphus Labs to provide both a baseline and guidance to companies that are creating or reviewing their detection strategy. Unlike other reports, which focus on stats of cyber threats and their intents, CTR2 is unique in examining the opposite side: where the defense layers failed to identify malicious behaviors accomplished by cyber threats. An additional expected contribution of this work is to inspire other entities to conduct similar studies to create a broader result, including inputs from other countries.
June 9, 2023 09:00-09:35
- AU TLP:AMBER
Enterprise Cloud Threat Hunting and Attack Investigation (Half Day)
Josh Lemon (Uptycs and SANS Institute, AU)
Josh Lemon is the Director of Uptycs' global managed detection and response team, helping to secure some of the largest international brands from cyberattacks. Josh is also an independent digital forensics and incident response expert. He assists government and commercial clients with sophisticated compromises, maturing their cyber defence and response programs and threat hunting for malicious adversaries. He is also a co-author for the SANS Institute "Enterprise Cloud Forensics" (FOR509) and "DFIR NetWars" courses and teaches the "Advanced Incident Response and Threat Hunting" (FOR508) and the "Advanced Network Forensics" (FOR572) courses. Josh has two decades of experience in the incident response and digital forensic industry. He previously worked as Managing Director for Ankura, where he led Ankura's APAC digital forensics and incident response practice, and as a Director at Salesforce.com in their international Salesforce Security Response Centre (SSRC), where he headed up the team responsible for looking at new cutting-edge ways to approach incident response at scale. He has also held the role of CSIRT Manager for the Commonwealth Bank of Australia and was a Managing Consultant for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, including overseeing large and complex incident response and offensive security engagements.
The world is changing and so is the data we need to conduct our investigations. Cloud platforms change how data is stored and accessed. They remove an investigator's ability to put their hands directly on the data. Many investigators are trying to force old methods for on-premise examination onto cloud-hosted platforms. Rather than resisting change, threat hunters and investigators must learn to embrace the new opportunities presented to them in the form of new cloud-based evidence sources. This workshop will give attendees an insight into the rapidly changing world of enterprise cloud environments by uncovering the new evidence sources that only exist in the Cloud and contemporary techniques for conducting threat hunting and investigations. This workshop aims to advance the knowledge of security and incident response professionals when it comes to approaching cloud-based platforms. While several commercial vendors offer capabilities to collect evidence from cloud platforms, this workshop will focus on how teams can acquire evidence and data without requiring proprietary information or software. For this workshop, in-depth exercises are included throughout to provide hands-on experience for attendees to practice the knowledge presented in the workshop.
June 6, 2023 14:00-15:20
- SK TLP:CLEAR
Everyone Should Care About National Cyber Security Strategy
Matej Šalmík (National Cyber Security Centre SK-CERT, SK)
As head of Training, Awareness, Cooperation and Support Centre at National Cyber Security Centre SK-CERT under National Security Authority, Matej is responsible for a broad range of activities at strategic and decision making level including development of legislation and other high level documents. His hobbies include risk management on sectoral and national levels and maturity assessment of CSIRTs.
A hidden resource to boost your organization's success may be something you never imagined: a national cyber security strategy. If done by bureaucrats, it is a boring piece of paper that collects dust. At the same time, aligning your organization's interests with the national strategy can help you out. And who is better equipped to define the really important strategic goals than the CSIRT teams who are on the front line of incident response and crisis management? We will present lessons learned while building the national cyber security strategy of Slovakia: how we engaged with the community, and how you can take part in developing your own country's strategy.
June 8, 2023 14:45-15:20
FIRSTCON23-TLPCLEAR-Salmik-Everyone-Should-Care-about-National-Cyber-Security-Strategy.pdf
MD5: 569697620cba17a1796e0bfcf7f0a978
Format: application/pdf
Last Update: June 7th, 2024
Size: 547.29 Kb
- FI | TLP:AMBER
Extra-Ordinary Vulnerability Coordination - A Method to the Madness
Umair Bukhari (Ericsson PSIRT, FI)
I am a cyber security enthusiast with a passion to bring a positive change to the information security & privacy landscape. As Head of the Ericsson Product Security Incident Response Team (PSIRT) I am responsible for vulnerability management and incident response operations as well as situational awareness for Ericsson's product portfolio. I am an active member of the global security community and believe in solving problems through collaboration.
The Log4Shell vulnerability is still fresh in the minds of PSIRTs, CERTs, technical staff and leadership teams alike all across the globe. With the dependence on open-source and third-party components prevalent in present-day software development practices, the clock is ticking before the next vulnerability of similar impact and scale hits us all. This talk presents Ericsson PSIRT's journey to be better prepared the next time an extra-ordinary vulnerability surfaces. Responding to an extra-ordinary vulnerability requires significant additional actions, coordination and damage control compared to the usual vulnerability management process. At Ericsson PSIRT we have established a framework for extra-ordinary vulnerability coordination (EVC) that takes into account all the necessary actions, parallel work streams and communication needs required to efficiently handle such an event under time and resource pressure. The framework also presents a working structure and organizational hierarchy to run a successful EVC. This talk will also provide guidance on how to implement and anchor the proposed EVC process in the organization to ensure the necessary preparedness.
June 6, 2023 14:00-14:35
- IL | TLP:CLEAR
Five Easy Ways to Spoof Contributor/Package Reputation
Tzachi "Zack" Zorenshtain (Checkmarx, IL)
Tzachi Zorenshtain is the Head of SCS, Checkmarx. Prior to Checkmarx, Tzachi was the Co-Founder and CEO of Dustico, a SaaS-based solution that detects malicious attacks and backdoors in open-source software supply chains, which was acquired by Checkmarx in August 2021. Tzachi is armed with more than a decade's worth of experience in cyber-security, specializing in building advanced malware research systems. Prior to Dustico, Tzachi's tenure at Palo Alto Networks, Symantec and McAfee deepened his passion towards contributing to the developer and cybersecurity space and saw him building custom security architectures and hunting for advanced Cyber-attack groups.
Contributor/Package reputation is the main criterion used by developers when choosing which open-source package to integrate into their application. The widespread use of open source sparked a new wave of attackers looking for ways to spoof Contributor/Package reputation. In this talk, we will share some of the TTPs we have seen and researched that can easily be used to fool developers into choosing malicious packages; we will do a live demo of some of those techniques and share some best practices to detect and avoid them.
June 6, 2023 15:50-16:25
- US | TLP:AMBER
From Trust Groups to Action Communities: Changing the Sharing Game
Tom Millar (CISA, US), James Shank (SpyCloud, US)
Tom Millar has served in CISA for 15 years, working to strengthen the agency's information sharing capabilities, increasing the level of public, private and international partner engagement, and supporting initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
James Shank joined SpyCloud in 2023 after a long tenure at Team Cymru. James keeps community and mission at the center of all his efforts. He is involved in and coordinates several community-oriented efforts to combat online threats, and recently was part of a collaborative effort to take down Emotet. He works with community members to find innovative solutions to thorny issues that are hard to solve by individual operators. Lately, he has been thinking about the weaknesses in traditional authentication methods, finding new tools and techniques that are of value to information security professionals worldwide, and decentralized public disclosure of information as a way to pave the road for methods to validate user intention.
At the dawn of information security as we know it today, technically capable and altruistic individuals began to form “trust groups” of varying degrees of openness – some more like FIRST (which is relatively very open!) to others whose names we dare not speak. These trust groups have served incredibly important roles in helping defenders collaborate in the fight against cyber threats of all kinds for decades. In this presentation, we will discuss the formation and evolution of what we call “action communities” – an alternative to “trust groups” where the primary question of membership is not necessarily “can I trust you” but “can you help us accomplish a task” – and transparency and ease of communication is a primary goal.
June 8, 2023 11:20-11:55
- AU | TLP:AMBER
Getting a Handle on Source Code Leaks and Intellectual Property Exposure
Robert Byrne (Ericsson, AU)
Robert is a principal security specialist hosted in a global competence center for security within the Ericsson CTO office. Bringing 16 years of experience in telecommunication engineering and information security, Robert holds cross functional roles, spending his time performing vulnerability assessments and incident response activities that touch Ericsson's product and services portfolio. Robert holds a double degree in Engineering and Computer science and is Offensive Security OSCP and (ISC)2 CISSP certified.
With the increased popularity of GitHub and other open-source collaboration platforms, enterprises face heightened risks of employees uploading intellectual property and other sensitive material into the public domain. Distinguishing between approved open-source activities and potential information breaches or other intellectual property violations can prove challenging for large enterprises with a significant number of software developers. A holistic approach is warranted that includes detection capabilities, well-defined policies, and routine awareness.
In this talk we demonstrate tooling and techniques that can help uncover employees' use of source code platforms, with a particular focus on the GitHub platform.
A novel technique to identify corporate employees' use of this platform is shared, along with a tool that the audience can take away and immediately incorporate into their suite of detection capabilities.
June 9, 2023 09:45-10:20
- US
How to Build, Drive and Thrive a Bug Bounty Program (Half Day)
Kathleen Noble (N/A, US)
Katie serves as a CVE Program Board, Bug Bounty Community of Interest Board, and Hacking Policy Council member. She is a passionate defensive cybersecurity community activist; she is regularly involved in community-driven projects and is most happy when she is able to effect positive progress in cyber defense. In her day job Katie Noble serves as a Director of PSIRT, Bug Bounty, and the Security Working Artifacts Team at a Fortune 50 technology company. Prior to joining the private sector, Katie spent over 15 years in the US Government, most recently as the Section Chief of Vulnerability Management and Coordination at the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). Her team is credited with the coordination and public disclosure of 20,000+ cybersecurity vulnerabilities within a two-year period. During her government tenure, in roles spanning Intelligence Analyst for the National Intelligence Community to Senior Policy Advisor for White House-led National Security Council cyber programs, Katie's work directly impacted decision making for government agencies in the United States, United Kingdom, Canada, and Australia.
This training will be broken into three levels, followed by a final ask-me-anything session where we can bring in experts who have run Bug Bounty programs for many years to give their advice on your questions.
- Build: Focus on the fundamentals of setting up a Bug Bounty program, evaluation of third-party Bug Bounty platform providers, and things to expect as your Bug Bounty program grows.
- Drive: How to interact with researchers/hackers when things go both well and badly, the psychology and motivations of researchers/hackers, and how to build and improve process.
- Thrive: You have a running Bug Bounty program; useful advice on how to accelerate your program, including ways to keep researchers/hackers motivated during budget cuts and times of austerity.
June 4, 2023 09:00-10:30
- US | TLP:CLEAR
How to Save Your SOC from Stagnation
Carson Zimmerman (Microsoft, US)
Carson Zimmerman has been working in and around security operations centers (SOCs) and CSIRTs for over 20 years. In his current role at Ardalyst, Carson helps clients transform uncertainty into understanding in their digital landscape. In his previous role at Microsoft, Carson led the investigations team responsible for defending the M365 platform and ecosystem. His experiences as a SOC analyst, engineer, architect, and manager led Carson to author Ten Strategies of a World-Class Cybersecurity Operations Center and to co-author its second edition, Eleven Strategies…, which may be downloaded for free at mitre.org/11Strategies.
Your SOC is overwhelmed. Your analysts feel powerless. Your response lead just rage quit. You must do something. In this presentation, Carson Zimmerman will show the audience how to instill a culture of empowerment into the SOC. He will present seven key processes that SOCs of any size or age can implement to build engagement and improvement at a grassroots level.
June 7, 2023 12:00-12:35
FIRSTCON23-TLPCLEAR-Zimmerman-How-to-Save-Your-SOC-from-Stagnation.pdf
MD5: fc8bc87730231fdf7b8062c0b8c2760b
Format: application/pdf
Last Update: June 7th, 2024
Size: 798.73 Kb
- DE | TLP:CLEAR
I Opened Pandora's Box and It Was Full of Obfuscation
Geri Revay (Fortinet, DE)
Geri has more than 13 years of experience in cybersecurity. He started on this path when he specialized in network and information security during his M.Sc. in computer engineering. Since then, he has worked as a QA engineer for a security vendor, then moved to penetration testing, first as an external consultant and then as an internal consultant at Siemens. He is a hacker at heart and a consultant by trade. He has worked on both IT and OT systems. In recent years, he has focused on security research in binary analysis and reverse engineering, which led him to Fortinet. At FortiGuard Labs, he currently does malware analysis and reverse engineering related research.
In Greek mythology, opening the infamous Pandora's box introduced terrible things to the world. The same can be said about today's ransomware, and the Pandora ransomware that took on the name is no exception. It steals data from the victim's network, encrypts the victim's files, and unleashes the stolen data if the victim opts not to pay. The sample contains multiple layers of obfuscation and anti-reverse-engineering techniques, among others: string encoding with 14 different decoding functions, call address obfuscation with opaque predicates, control-flow flattening with a twist, and so on. The Greek myth says hope was left in the box. In this presentation, we will discuss the hope reverse engineers have to save their souls. First, we will discuss what these obfuscation methods mean and how they can generally be bypassed. Then we will build the necessary tooling using IDAPython and emulation to turn the disassembly in IDA Pro into a format that does not cause a heart attack and allows the analyst to understand what is happening in the malware.
June 6, 2023 14:45-15:20
FIRSTCON23-TLPCLEAR-Revay-I-Opened-Pandoras-Box.pdf
MD5: 121ec8f8a2299e514ce491f6d0ad48fb
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.68 Mb
- ES | TLP:CLEAR
Improving CSIRTs' Procedures Through Standards
Guillem Gordillo Garcia (Ackcent Cybersecurity, ES)
CERT Manager at Ackcent Cybersecurity. Highly involved with the SOC after working for two years as the SOC Manager. Close to 7 years in the Cybersecurity field and always hungry for more knowledge!
As defenders, we need a common language among incident responders so that we can keep improving and sharing. By using standards to map the IR team's actions, we give analysts guidelines and also provide a base for improving the way we share. By implementing those standards we improve our communication with stakeholders and improve their ability to understand the value we provide. Using those models or frameworks helps us better measure the company's risk and use our internal resources more efficiently when deciding which risks to mitigate. In this presentation we will talk about the implementation of standards in a real case and discuss the difficulties found during that process.
June 8, 2023 09:30-10:05
- GB | TLP:CLEAR
Incident Command and "The Cloud" - 72 Hours of IR and Ticking
Robert Floodeen (New Anderton, GB), Rebecca Taylor (Secureworks, GB)
Rob Floodeen is a Partner at New Anderton Advisory Services. He leads cybersecurity readiness services. Rob has worked across federal, defense, and commercial operations. Highlights from his cybersecurity career include Pentagon IR team lead, member of CERT/CC, manager of a DoD agency CERT, Technical Advisor to the Director of the SEI managing the FFRDC contract, proactive services lead for PwC, and EMEA director of incident response services at Dell Secureworks. Rob has engaged in the security community through FIRST as the Program Chair, Membership Chair, and Education & Training Chair. He was the editor for ISO 27035:2016 Incident Management and has delivered dozens of DFIR technical and academic courses as an Adjunct Professor at Carnegie Mellon University and as a Visiting Scientist at the Software Engineering Institute, CMU. He holds a BS and MS in computer science and an MBA.
Rebecca Taylor joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, supporting Incident Response as Incident Command Knowledge Manager, and then moving into Secureworks' first Threat Intelligence Knowledge Manager role in 2022. Rebecca is primarily focused on the implementation of knowledge management processes and procedures for the Counter Threat Unit, the ingestion and management of Secureworks Threat Intelligence knowledge, and its associated quality, storage and maintenance. Rebecca continues to study and mature her depth of cybersecurity knowledge, with a longer-term ambition of becoming a Threat Intelligence researcher.
The shift of many organisations to the Cloud has instigated a change in the Incident Response activities prioritised and executed in the first days of a major cybersecurity crisis. Incident Responders must be prepared for this shift and be ready to tackle the investigative, detective, remediation and stakeholder management tasks associated with attacks against Cloud environments. This presentation will compare and contrast the on-prem, hybrid, and cloud-native organizational response activities that need to occur in the first three days of a major incident. We will spotlight the Knowledge Management activities which can be utilised to increase Incident Response productivity in relation to Cloud-based attacks, including demonstrations of tools and techniques which can be implemented.
June 5, 2023 12:00-12:35
FIRSTCON23-TLP-CLEAR-Floodeen-Taylor-IR-in-the-Cloud-Presentation.pdf
MD5: 6d271efef18d8a7a266c08ec964318a7
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.45 Mb
- NL | TLP:CLEAR
Incident Response: A Christmas Carol
Erik de Jong (Securify, NL), Francisco Dominguez (Hunt & Hackett, NL)
With 25 years of experience in the field of information security, both in the government and on the commercial side, Erik has seen his fair share of rightful optimism, misguided solutions, baby steps forward (fist pump!) and embarrassing train wrecks. From being the lead author and project manager of the first National Cyber Security Assessment for the Netherlands (CSBN) to being involved in a number of high-profile incidents (not as the cause, mind you), he's pretty much traveled the kill chain. Yet in the face of all this, he has managed to stay positive and reject cynicism. After 10 years at Fox-IT and NCC Group, he is now with Securify, no less confused, but still a frequent speaker at conferences, and he loves to keep his bio short and to the point so that we can just get on with it.
Bouncing between technical deep dives and board room chatter, Francisco Dominguez has been involved with security (nowadays Cybersecurity) for the last 20 years and has kept track of some of it on his personal blog. Hacking and breaking different environments by combining technical knowledge with an understanding of the surrounding process has always been his main passion. For example, he was involved in the investigation of the software and processes used to support the Dutch national elections. Unfortunately, those pesky commercial NDAs don't allow the naming of other fun jobs that involved social engineering people, jumping airgaps or fences, or listening to hard disks to know if they are encrypted. For most of his offensive career he worked at Fox-IT and Securify; nowadays he is viewing security from the defense side while working at Hunt & Hackett.
The incident response and adjacent communities are fighting ransomware, espionage and other types of threats, rolling out new features and naming more threat actors than ever before! In other words, they are growing, booming and being a general force for good in the world! Are they though? Wipe that smug smile off your face, because what the world really needs is transparency, actual insights into how effective your "soLuTions" are, and services and products that don't hide behind disclaimers that absolve you of all responsibility and deflect to users or the government. While incident response is quite often a saviour in the darkest hour of need, there are many improvements that can be made. Communities: expect visits from the ghosts of the future. How about some self-reflection instead of pushing more technology and silver bullets? You may have only one chance left to change your ways.
June 9, 2023 10:30-11:05
- KR | TLP:CLEAR
Info-Stealer: Most Bang for the Buck Malware in 2022
Jiho Kim (S2W Inc., KR)
Jiho Kim is enrolled in the Bachelor of Cyber Security program at Ajou University. She graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Research Institute (KITRI) in 2021. Recently, Jiho has been focusing on cybercrime groups that have been active on the DDW at TALON, S2W.
In the past few years, cases of targeting individuals and using stolen credentials as an initial access vector into corporate internal networks have been steadily increasing, and info-stealer malware is firmly establishing its position at the center of this trend. In particular, as MaaS-type malware increases, stealer operators are starting to operate malware more systematically, and the attackers who purchase and distribute stealers also tend to move from individuals to organized groups. As the stealer market expands, the damage suffered by individuals and companies is increasing day by day. In fact, there were more than 5 million stolen logs as of December 2022 on Russian Market, one of the large markets selling stealer logs, and a bulletin board exclusively for trading stealer logs was created on the Breached forum. The Lapsus$ group, which leaked credentials of famous companies around the world, also used RedLine stealer as an initial access vector. As such, the stealer is exerting great influence as an information-stealing tool for various attack groups. In the field of cybercrime, stealers respond sensitively to changing trends, quickly adjust distribution routes and the items they collect, and actively use social engineering techniques to deceive general users. Traffer teams provide the traffic necessary for the distribution of stealer malware, such as phishing sites and redirection infrastructure, as a service on hacking forums. We have been monitoring various stealer operators and several Traffer teams involved in actual distribution for a long time within the DDW, tracking the changing attack techniques and distribution methods of stealers. Based on this, I would like to explain the changes in the methods used to distribute stealers, how the stolen credentials are used in actual attacks, and how the attacker's information can be identified through the stealer log. I hope that this presentation will be helpful in catching the petty thieves trying to steal access keys.
June 7, 2023 14:45-15:20
FIRSTCON23-TLPCLEAR-Kim-Info-Stealer-Most-Bang-for-the-Buck-Malware.pdf
MD5: 908ae92bf2783e50cb19b860fd87870e
Format: application/pdf
Last Update: June 7th, 2024
Size: 14.57 Mb
- US | TLP:CLEAR
Intel as Code - Building a Threat Informed Security Organization
Christopher King (Northwestern Mutual, US), Matt Lange (Northwestern Mutual, US)
Chris King is Sr. Director of Northwestern Mutual's Cyber Threat Operations organization. In this role, he leads teams of talented security engineers operationalizing intelligence, building threat simulations, and hunting for ghosts in the machine. Much to the chagrin of his team, Chris gets his hands dirty and consistently dives into interesting incidents and threat data, looking for patterns to exploit. In prior roles, he led security operations and DevOps teams at Rockwell Automation and spent a large portion of his career working at CERT/CC engaged in vulnerability research and promoting coordinated vulnerability disclosure.
Matt Lange has been an Incident Responder, Digital Forensic Analyst, Penetration Tester, Red Teamer, and Purple Teamer for over a decade. Currently he manages a team of Pen Testers and Red Teamers and leads the Purple Team at Northwestern Mutual.
The rapid pace of attacker evolution after defenses change (i.e., Office macro protections) requires an ever-faster response cycle by all teams, blue and red. How do we get faster? How can we identify, prioritize, and respond to an emerging threat (and technique) before it becomes widespread? We show a use of a common declarative language, "Threat Intel as Code", that, combined with a mix of closed- and open-source tooling, is used to rapidly respond to a potential threat. Intelligence drives the entire process, prioritizing work for Red Team, Hunting, and Detection Engineering.
June 6, 2023 14:45-15:20
- JP | TLP:CLEAR
IOC-DREAM - IOC Distribution in Restricted Environment and Automating response based on MISP
Yifan Wang (NTT Data Corporation, JP), Fukusuke Takahashi (NTT Data Corporation, JP), Kunio Miyamoto (NTT Data Corporation, JP)
Yifan Wang joined NTTDATA-CERT in 2017. She has been working on IR, OSINT and SOAR for 6 years and promoting effective threat intelligence sharing via MISP among multiple overseas organizations. Since 2023, she has been working on talent development for MDR.
Fukusuke Takahashi joined NTTDATA-CERT in 2018. He has been working on IR, OSINT, and SOAR for 5 years. In recent years, he has been promoting effective threat intelligence sharing via MISP among multiple organizations. Fukusuke is also one of the developers of the Hayabusa project, a fast forensic tool.
Dr. Miyamoto has been a member of NTTDATA-CERT since 2010 and works as an incident responder and researcher on preventing incidents and reducing damage. He started to research and deploy MISP in NTTDATA-CERT in 2018. He received a Ph.D. in Informatics (Institute of Information Security, Yokohama, Japan) in 2011, and he registered as a Professional Engineer Japan (Information Engineering) in 2014.
Across the world, CSIRT teams collect cyber threat intelligence, enrich the indicators of compromise based on their investigation and apply them to security products as soon as possible for early prevention of attacks. However, action and decision-making at the human level cause a delay in response. The time-lag issue also remains in large organizations such as international corporations. To address these issues, we improved our workflow through automation, manage the indicators of compromise as machine-readable data, and share threat intelligence with overseas group companies in near real time by implementing the Malware Information Sharing Platform (MISP) and integrating MISP instances. Furthermore, we could automate response by calling security tools' APIs from MISP with simple scripts. In this presentation, we will present our automated workflow implemented with MISP and MISP's integration with other tools and security products. Knowledge obtained from the MISP integration and cases of real threat response will also be described.
June 5, 2023 14:45-15:20
FIRSTCON23-TLP-CLEAR-Wang-Takahashi-Miyamoto-IOC-DREAM.pdf
MD5: 176dede1db1a3f524a8a892a800110b5
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.06 Mb
- LT | TLP:CLEAR
ISO 27035 Practical Value for CSIRTs and SOCs
Vilius Benetis (NRD Cyber Security, LT)
Dr. Vilius Benetis is from NRD CIRT (@NRD Cyber Security), where he leads a team of experts to establish and modernise cybersecurity incident response teams (CSIRTs/SOCs) for sectors, governments and organisations in Africa, Asia, Europe and Latin America. He is an active contributor and speaker on cybersecurity incident response, and contributes to the development of CSIRT methodologies for ENISA, FIRST.org and ITU. He is an industry professor in Cybersecurity at Kaunas University of Technology.
ISO 27035 is a recently updated international standard on "Information security incident management". In the meantime, more methodologies and standards on information security incident response have been released, such as the FIRST.org CSIRT Services Framework, the RSIT taxonomy, and others. The presentation will introduce ISO 27035 and its practical and applicable value to all FIRST.org members, whether for establishment, improvement, or daily operations. The standard will be viewed in the light of other frameworks including NIST 800-61r2:2012, ENISA's "Good Practice Guide for Incident Management" (2010), and the FIRST.org frameworks.
June 9, 2023 09:00-09:35
FIRSTCON23-TLPCLEAR-Benetis-ISO-27035-practical-value-for-CSIRTs-and-SOCs.pdf
MD5: 6df66afa84c6d2ec9fa385285f216532
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.06 Mb
- US | TLP:AMBER
Joint Cyber Defense Collaborative (JCDC) Joint Planning and Coordinated Action
Mitchell Freddura (CISA Joint Cyber Defense Collaborative, US)
Mitchell Freddura is a cyber operational planner with the Cybersecurity and Infrastructure Security Agency (CISA) Joint Cyber Defense Collaborative (JCDC). In this capacity, Mitch leads the development of joint cyber defense plans with JCDC's federal interagency, state and local, and private sector partners. In 2022, Mitch was the lead planner for the JCDC's midterm election security efforts, which included the development of a free cybersecurity toolkit for state and local election officials. Currently, Mitch is leading JCDC's open source software (OSS) planning initiative, which seeks to enhance the security and cyber resilience of OSS components used in operational technologies. Mitch joined CISA from the private sector and is a graduate of the University of Delaware and American University.
CISA's Joint Cyber Defense Collaborative (JCDC) unites cyber defenders from the federal government and private industry to defend U.S. critical infrastructure against cyber threats. During this presentation, JCDC will provide a look into its first years of operation as well as a perspective leveraging real-world experiences that ultimately led to the development of the Enhanced Posturing and Operational Collaboration (EPOC) Framework.
June 8, 2023 14:00-14:35
- TLP:CLEAR
Keynote: Cybercrime and Law Enforcement Evolutions and Improving Integration Within Cyber Incident Response
Chris Lynam (RCMP)
The continuous evolution of the cyber domain brings with it an equally shifting balance of opportunity and challenge. As technology increasingly enables efficiencies within our society's systems, processes, controls and aspects of everyday life, a corresponding dependency also develops. This cyber dependency results in a matching vulnerability within society – a vulnerability that cybercriminals aim to exploit. On the historical spectrum of criminal activity, cyber-based criminality remains a relatively recent development and has brought with it new global challenges to which the law enforcement community has had to adjust. As the cybercriminal continues to evolve, so does the cyber security community that aims to lessen vulnerability alongside law enforcement partners who aim to reduce cyber-criminality. However, Canadian law enforcement continues to play a secondary or, at times, non-existent role in cyber incident response. There remains an uncertainty when it comes to understanding how law enforcement investigations are conducted specifically in the context of cybercrime, and a resulting hesitancy to engage and integrate efforts with police. Cyber victims may be unwilling to report cybercrime occurrences to law enforcement for fear of reputational damage and public exposure. In many cases, victims may simply be unaware of how to engage law enforcement, the value of including law enforcement, and the ways in which parallel law enforcement activities could be integrated into other, core incident response mechanisms. Canadian and international law enforcement successes in this space include arrests, charges and prosecutions, but also extend to other measures to dismantle the cybercrime business model, such as lawfully taking down cybercriminal infrastructure and assets, tracing the criminal use of cryptocurrencies, and combatting further victimization through prevention, outreach and information sharing. Mr. Lynam will provide a brief background on the evolution of law enforcement's role in cybercrime and the evolving dynamics domestically and internationally that are continuing to shape how law enforcement engages partners in efforts to respond to and, in the end, reduce cybercrime. Specific attention on the relationship to critical infrastructure owner/operator organizations and how cyber incident management is currently configured will then lead to a discussion of where law enforcement investigation currently resides in the spectrum and explore opportunities for future value-added integration of effort.
June 9, 2023 12:00-13:00
FIRSTCON23-TLPCLEAR-Chris-Lynam-FIRST-Deck-June-2023-FINAL-v2.pdf
MD5: 8a8899876b3e41ad0ad792c2b984baf7
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.86 Mb
- TLP:CLEAR
Keynote: How Did We Get Here? The History and Future of Cyberattacks against Industrial Control Networks
Lesley Carhart (Dragos Inc)
Lesley Carhart is the Director of Incident Response for North America at the industrial cybersecurity company Dragos, Inc., leading response to and proactively hunting for threats in customers’ ICS environments. Prior to joining Dragos, Lesley was the incident response team lead at Motorola Solutions. Following four years as a Principal Incident Responder for Dragos, Lesley now manages a team of incident response and digital forensics professionals across North America who perform investigations of commodity, targeted, and insider threat cases in industrial networks. Lesley is also a certified instructor and curriculum developer for Dragos’ incident response and threat hunting courses. Lesley is honored to be retired from the United States Air Force Reserves, and to have received recognition such as “DEF CON Hacker of the Year”, “SANS Difference Maker”, and “Power Player” from SC Magazine. You may find Lesley organizing resumé and interview clinics at several cybersecurity conferences, lecturing, and blogging and tweeting prolifically about cybersecurity. When not working, Lesley enjoys being a youth martial arts instructor.
There are a lot of misconceptions about cyberattacks against critical infrastructure systems. To cybersecurity professionals, their security condition and the attacks they appear vulnerable to can be baffling. Lesley will walk the audience through the intriguing history of the digital control devices which supply our power, water, gas, and manufacturing services (among others), how they grew into the systems they are today, and how attacks against them have developed. The talk will culminate in a discussion about what happens next, and the real condition of those systems and their cybersecurity today.
June 5, 2023 09:30-10:30
FIRSTCON23-TLP-CLEAR-Carhart-How-Did-We-Get-Here.pdf
MD5: 1ce87a5bb6b1229f260f29de7b311cac
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.84 Mb
- CA US TLP:CLEAR
Keynote: Why Gender Diversity is Better Security
Allison Pytlak (Stimson Center, CA), Dr. Nina Kollars (Department of Defense, US)
Allison Pytlak is the Program Lead of the Cyber Program at the Stimson Center. Her work in this area has examined inter-state cyber operations and international governance structures with a focus on United Nations (UN) processes and frameworks. In this context Pytlak has leveraged her significant experience in multilateral arms control and disarmament policy to identify opportunities to effectively advance law and norms for the prevention of cyber harm.
In her prior role with the Women’s International League for Peace and Freedom (WILPF), Pytlak monitored and reported on the UN’s working group on state behavior in cyber space and played an important role as a liaison and advocate for civil society participation. She has researched, published, and provided numerous trainings about the gendered and human rights-based dimensions of cyber security and diplomacy.
Prior to joining Stimson, Pytlak managed WILPF’s disarmament program, where she contributed to its monitoring and analysis of UN disarmament processes, including on cyber security, and advanced feminist perspectives on international security topics through research and advocacy. Pytlak has worked within international civil society disarmament networks for more than 15 years, including as former staff of the Control Arms Coalition and on the governance body of the International Campaign to Abolish Nuclear Weapons, recipient of the 2017 Nobel Peace Prize.
She holds an Honours B.A. in International Relations from the University of Toronto and an M.A., also in International Relations, from the City University of New York, where her graduate research focused on inter-state cyber conflict. Pytlak is a listed expert with the Forum on the Arms Trade, a 2018 UN Women Metro-NY “Champion of Change” and co-host of the podcast series “Think & Resist”.
Dr. Kollars is currently serving as Special Advisor to the Under Secretary of Defense for Research and Engineering Hon. Heidi Shyu. Kollars provides guidance regarding emerging and critical technologies for the Department of Defense. Prior to assuming that role she was an Associate Professor in the Cyber and Innovation Policy Institute at the United States Naval War College, and was a contributor to the Cyberspace Solarium Commission. Kollars identifies as a hacker, and is perhaps most well-known for her DefCon talk on internet fraud. She also is the director of the Maritime ICS Village at DefCon. She holds an MA from George Washington University, and a PhD in Political Science from The Ohio State University. She publishes regularly in policy and academic journals on military innovation and cyberspace. Nina is also an executive bourbon steward.
Join us as our keynote speakers discuss why and in what ways diversity creates better cybersecurity. From the technical tactical to the social; from the keyboard to the boardroom; and from the Department of Defense to the United Nations, gender diversity in cybersecurity matters. The speakers will share their perspectives on the risks that biases and inequalities create, and the advantages that diversity provides to security.
June 7, 2023 09:30-10:30
- KR TLP:GREEN
KILLNET: Quantity Over Quality
Sojun Ryu (S2W Inc., KR)
Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun worked at KrCERT/CC for seven years, analyzing malware and responding to incidents, and is one of the authors of "Operation Bookcodes" published by KrCERT/CC in 2020. Recently, Sojun has been focusing on threat intelligence by expanding to DDW and cybercrime as well as APT at TALON, S2W.
Killnet is a pro-Russian hacktivist group known for carrying out DDoS attacks against government agencies and private businesses in several countries during the Russian invasion of Ukraine in 2022. The group has been active on Telegram since its creation in January 2022, at which time it sold DDoS and stresser tools. In February, Killnet expressed support for Russia and officially declared war on Anonymous, which was attacking Russia for launching the war. Since then, they have become one of the most active cyber mercenary groups born of the Russian-Ukrainian proxy cyber war.
Their main purpose is to disrupt access to critical infrastructure, websites, and government services in NATO countries through DDoS attacks. KillNet openly recruits users on its Telegram "We are KillNet" channel to take part in DDoS attack operations, and there are at least 6 teams inside the group. It uses open source-based DDoS attack tools that require no special skills, but it has succeeded in causing service failures because a large number of users participate at the same time.
Together with Goorm, a cloud IDE service provider located in Korea, we identified malicious users who abused the cloud IDE service to carry out DDoS attacks. Among the users identified were a significant number who appeared to be members of KillNet. We worked with Goorm to obtain a detailed analysis of their main attack tools, access methods, and more. We hope that the tools, features, and strategies we have learned about from KillNet members will help you respond.
June 8, 2023 11:20-11:55
- US TLP:CLEAR
Knocking Out Post-Exploitation Kits
Matt Bromiley (LimaCharlie, US)
Lead Solutions Engineer/Developer Relations at LimaCharlie. I have presented at multiple conferences, teach at BlackHat, and am a SANS instructor.
Post-exploitation kits have become the tools of choice for adversaries. We all know the names: Cobalt Strike, Nighthawk, Brute Ratel, Sliver, etc. Used by red teamers, ransomware attackers, and state-nexus actors alike, post-exploitation kits allow these actors to exploit, move laterally, and compromise accounts and systems, all via relatively stealthy techniques. However, these kits are not as stealthy as many think. They have telltale signs that, if caught, can stop an adversary in their tracks. In this workshop, we're going to uncover ways to detect these popular kits, using deep technical analysis of both host- and network-based artifacts. Using what we know about their behavior, we'll analyze how to:
- Detect process manipulation
- Uncover privilege escalation and account abuse
- Find lateral movement between systems via host artifacts and network traffic.
Despite their popularity, the tactics and techniques used by these kits are not exclusive to them. By analyzing commonalities between them, we'll learn how high-fidelity detections can find all sorts of adversary activity. Attendees in this workshop will gain the experience they need to effectively detect the use of these kits within their environment. Furthermore, our analysis takeaways will also include preventative countermeasures, allowing teams to take this knowledge back to their environments immediately.
June 6, 2023 09:30-10:05
- BR TLP:GREEN
Lessons Learned from Interrupting a Double Extortion Attack - An Incident Responder Perspective
Raimir Holanda (Morphus Labs, BR), Antonio Horta (Morphus Labs, BR), Renato Marinho (Morphus Labs, BR)
Renato Marinho is Chief Research Officer at Morphus Labs and Incident Handler at SANS Internet Storm Center. Master and PhD candidate in Applied Informatics, he teaches Computer Forensics and Malware Analysis in post-graduate courses. He is also a speaker, having presented at SANSFIRE 2018/2019, RSA Conference 2018/2019, SANS Blue Team Summit 2018, Botconf 2017/2018, SANS Data Breach Chicago 2017, Ignite Cybersecurity Conference 2017/2018, BSides Delaware 2016, BSides Vienna 2016, WSKS Portugal 2013, the Brazilian National CSIRTs Forum 2015/2017/2018/2020/2022 and GTER/GTS 2014. Professional certifications: GCFA, CISSP, CRISC, PMP and LPIC2.
From the input vector to the data exfiltration, this presentation details the path taken by the double extortion attacker on the network in the search for the most sensitive data while trying to circumvent the protections. Along this path, I will focus on the detection and defense opportunities missed by the defense team and how we act to reverse data exfiltration and break the chain of attack. The lessons learned include technical implementations that could have given visibility to malicious steps and the decision processes on how to act when the possibility to revert the data exfiltrated was presented to the war room.
June 6, 2023 14:00-14:35
- JP TLP:GREEN
Let's Go Door with KCP
Yoshihiro Ishikawa (LAC Co., Ltd, JP), Takuma Matsumoto (LAC Co., Ltd, JP)
Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC, where he has engaged in malware analysis and cyber threat intelligence, especially on Advanced Persistent Threat (APT) attacks. Based on the results of his research, he has presented at several security conferences such as AVAR, Botconf, HITCON, VB and the FIRST Annual Conference.
Takuma Matsumoto is an analyst at LAC, analyzing malware and collecting threat intelligence. He has more than 7 years of experience in the security domain. Prior to working as a malware analyst, he was involved in monitoring SIEM, creating detection rules, and developing a log analysis support system. He enjoys analyzing malware and writing tools for research, which led him to his current job. He has been a speaker at Japan Security Analyst Conference 2021 and VB2022.
We have observed the use of new APT malware by an unknown China-based APT actor in several incidents in Japan in 2022. This malware uses the KCP protocol for backdoor communication; we call it "gokcpdoor", as it is written in Golang and built for multiple operating system platforms.
KCP is a communication protocol that maximizes bandwidth for reliable, low-latency communication. The protocol was designed by "skywind3000" and its source code is publicly available.*1 Recently, it has been reported that China-based APT actors are using the KCP protocol in malware such as Keyplug, Crosswalk, FunnySwitch, PseudoManuscrypt and Pangolin8RAT. However, there are few reports of this protocol being used in actual attack activity, and it is not in common use. Therefore, we think gokcpdoor is an interesting piece of malware that uses the KCP protocol for C2 communication.
In this presentation, we introduce the analysis results for the new malware gokcpdoor (PE and ELF) and then propose a method to detect and respond to its activity for future prevention. Further, we will demonstrate gokcpdoor's operation to the audience, using an emulated gokcpdoor controller that we created by reverse engineering the malware's KCP-based communication. Additionally, we have made a probable attribution of the APT actor from some incident response cases, and we will introduce our findings.
*1 https://github.com/skywind3000/kcp/blob/master/README.en.md
June 7, 2023 11:15-11:50
- TLP:CLEAR
Lightning Talks
All are welcome to participate! To submit a talk, find the Lightning Talk flip chart near registration (on the Mezzanine level) and enter your talk on-site. Talks will go in order received. No pre-signup.
June 6, 2023 17:15-18:15
- CH
MANRS and Routing Security (Full Day)
Massimiliano Stucchi (ISOC, CH)
Massimiliano (Max) joined the Internet Society in 2019 and is currently working on the MANRS routing security initiative. He previously worked as a trainer and IPv6 Programme Manager at the RIPE NCC, and before that was the founder and technical director of a small Internet Service Provider and Wireless Internet Service Provider in Northern Italy.
This is a full-day tutorial about MANRS and Routing Security, which is supposed to complement the work being done by the Routing Security SIG. The requirements for participating are to have basic knowledge about routing, and to bring a laptop for the exercises, which require a browser.
The layout of the tutorial is as follows:
- BGP Refresher
- Introduction to Routing Security
- Introduction to MANRS
- The Internet Routing Registry
- Create your IRR Entries in the local IRR
- Setting up filters based on the IRR
- Create filters for your upstream and your customer(s)
- Anti Spoofing
- Set up ACLs for your customers
- PeeringDB
- Demo on PeeringDB
- Introduction to RPKI
- Creating ROAs
- Demo: Creating ROAs in the local RIR
- Setting up a delegated CA
- Publishing RPKI objects in parent
- RPKI Relying Parties
- Setting up ROV
- Setup and configure routinator, fort
- Configure your router to perform ROV on your upstreams
- Configure your router to perform ROV on your customer sessions
- BGPSec
- ASPA and Friends
- Tips, Tricks and closing remarks
June 4, 2023 09:00-10:30
- NL FR
Measuring and Improving Your Team's Maturity Using SIM3
Miroslaw Maj (Open CSIRT Foundation, NL), Olivier Caleff (ERIUM, FR)
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) has over 20 years of experience in ICT security. Co-founder of the Open CSIRT Foundation, the stewardship organisation for the SIM3 model and co-provider of the Trusted Introducer service for CSIRTs, including processing of formal CSIRT certifications. Lecturer of cybersecurity courses at a few universities.
Founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, a former leader of the CERT Polska team. The member of the Digital In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities, building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 he was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.
European Network and Information Security Agency expert and co-author of many ENISA publications, including CERT exercises and papers on improving CSIRT maturity. He organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for the most essential sectors (e.g. energy, banking, telecommunication). Speaker at many international conferences, including the FIRST conferences. He is also the originator and organiser of the Security Case Study conference, one of the largest cybersecurity events in Poland.
This session is aimed at both starting and experienced teams, who do not have much experience yet with using SIM3 to assess their team's maturity levels. SIM3 is introduced and explained in short, including FIRST's adoption of SIM3 for the membership process. The goal of SIM3 is to help you improve your team's maturity, and set goals and timelines for doing so.
June 4, 2023 09:00-10:30
- CH TLP:CLEAR
Mistakes Happen, Either Learn From Them Or Rinse And Repeat!
Gregor Wegberg (Oneconsult International CSIRT, CH)
After his IT apprenticeship with a focus on software development, Gregor Wegberg studied at the Swiss Federal Institute of Technology (ETH) in Zurich, Switzerland. During his studies, he specialized in information security. After completing his master's degree in computer science (MSc ETH CS), he joined Oneconsult in January 2017 as a penetration tester and security consultant. Since February 2020 he has been Head of Digital Forensics & Incident Response and leads the OCINT-CSIRT. At the same time, he teaches Incident Response at the University of Applied Sciences OST and likes to share his experience in lectures, workshops and trainings.
When you look at our community, it often seems so flawless. Everyone is just easily detecting, analyzing, and resolving incidents. Yet we know this is not our reality, and it is absolutely essential to our success that we learn from mistakes and continuously improve.
This talk will give you an insight into mishaps, misguided ventures and plain old mistakes from our CSIRT's everyday incident response and digital forensics life. We will also delve into the valuable lessons our team has learned from these events. This will hopefully stop your team from falling into the same traps. It's time we all started to talk openly and actively about our struggles, mistakes and what we have learned!
June 8, 2023 09:30-10:05
FIRSTCON23-TLPCLEAR-Wegberg-Mistakes-Happen-Either-Learn-From-Them-Or-Rinse-And-Repeat.pdf
MD5: 6d42b79f90f9de53f420cfd4d6524aa7
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.67 Mb
- ES TLP:CLEAR
Modern Threat Hunting (Half Day)
Vicente Diaz (VirusTotal, ES)
Vicente is a specialist in Threat Intelligence and Threat Hunting. He works on the VirusTotal team at Google as Threat Intelligence Strategist. He holds a degree in Computer Science and an MSc in Artificial Intelligence. He was e-crime manager at S21sec for 5 years and deputy director for the EU in Kaspersky's Global Research and Analysis Team for almost 10 years, where he was co-creator of and responsible for the APT Intelligence Reporting service.
Threat Hunting is one of the most popular techniques used by security analysts for all kinds of investigations. It is both science and, to some degree, inspiration. However, in recent years the security industry has developed new tools and techniques that can dramatically improve the effectiveness and efficiency of our Threat Hunting. In particular, similarity and automatic YARA generation are key when dealing with large amounts of data. In this workshop, we will go through the process of Threat Hunting and showcase how to leverage new techniques available to analysts to step our research up to the next level.
June 8, 2023 14:00-15:20
- JP TLP:CLEAR
MyJVN Product Dictionary Challenge for Collaboration with Vulnerability Database and Asset Management
Masato Terada (Information-technology Promotion Agency, JP)
Dr. Masato Terada is the Technology and Coordination Designer for the Hitachi Incident Response Team (HIRT), the leader in vulnerability handling and vulnerability databases. He launched a research site, the predecessor of JVN: Japan Vulnerability Notes (http://jvn.jp/), in 2002 and launched MyJVN, a security automation platform for the JVN vulnerability database, in 2008, and is currently developing functional extensions of MyJVN. He has also worked as a visiting researcher at the Information-technology Promotion Agency (IPA) (ipa.go.jp) and as a senior advisor at JPCERT Coordination Center (jpcert.or.jp).
As cyber-attacks become more sophisticated, the threats to information systems are becoming more serious. To prevent damage from cyber-attacks, it is necessary to respond quickly to the vulnerabilities that are disclosed. This paper describes the JVN Product Dictionary, which supports collaboration between the vulnerability database and asset management in order to construct an environment that enables rapid response to cyber-attacks. JVN is a public vulnerability database run by IPA and JPCERT/CC in Japan. The JVN Product Dictionary is configured as a product dictionary for associating product identifiers, based on correspondence to the Software Bill of Materials (SBOM).
June 8, 2023 14:45-15:20
FIRSTCON23-TLP-CLEAR-Terada-MyJVN-Product-Dictionary-Challenge.pdf
MD5: 80ed32af264f10ac317a6ebfd5a65c23
Format: application/pdf
Last Update: June 7th, 2024
Size: 463.74 Kb
- CH TLP:CLEAR
N-IOC's to Rule Them All
Stephan Berger (InfoGuard AG, CH)
Stephan Berger has worked in security for over ten years, for the last two years at the Swiss security company InfoGuard, where he leads the Incident Response Team. He is an active twitterer (@malmoeb) and regularly presents for InfoGuard or at the CH-Certs meetings, where various Swiss security teams come together. He holds a Bachelor's in Computer Science and a Master's in Engineering, as well as various SANS certifications and the OSCP.
The Swiss GovCERT published monthly statistics on the most common malware families in Switzerland. Much of the published analysis on these malware families focused on reverse engineering the malware rather than on the forensic artifacts that a successful infection leaves on a host.
In our research, we examined the top malware families from a forensic perspective to find commonalities in infection, data collection, and network transmission. Using the data obtained from our research, we were able to identify targeted IOCs (Indicators of Compromise) that apply across all of these malware families (for example, run keys, executables in the AppData folder, specific event logs). This abstraction or generalization across malware families allows SOC analysts, incident responders, and threat hunters to search for malicious behavior on the network more precisely and quickly without focusing on just one malware family.
June 5, 2023 14:45-15:20
FIRSTCON23-TLP-CLEAR-Berger-N-IOCs-To-Rule-Them-All.pdf
MD5: 754c9bf9d404781755c98e14fd749001
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.3 Mb
- GB TLP:CLEAR
No One Likes to be Excluded: What Is the Role of War Exclusions in Cyber Insurance?
Éireann Leverett (Concinnity Risks, GB), Rick Welsh (Waratah.io, GB)
Éireann Leverett is the co-author of Solving Cyber Risk, and a cyber risk entrepreneur. His career has taken him from hardhats and steel toed boots in industrial control systems to the implications for critical national infrastructure in policy. He works regularly with the international CERT community at FIRST.org, and writes papers when he finds the time. His proudest achievement is co-authoring a paper which has inspired legislation in the EU. He loves nature, travel, and reading when he gets away from computers.
Rick Welsh has 20 years of experience in cyber insurance.
The recent settlements of Merck and Mondelez with their cyber insurers have set precedents. However, they're hard to decode. Lloyd's of London has said they want cyber exclusions written into all policies, and that may have very important ramifications to all incident responders. We invite a mixture of cyber re/insurance professionals and incident responders to a public discussion of these decisions and their implications.
June 6, 2023 15:50-17:10
FIRSTCON23-TLP-CLEAR-Leverett-Welsh-NoOneLikesToBeExcluded.pdf
MD5: 56d1b5d8c5f1582eef582f59e94bcb87
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.85 Mb
- GB TLP:CLEAR
Objectifying Your Incident Management to Lift the Fog of IR
Robert Floodeen (New Anderton, GB)
Rob Floodeen is a Partner at New Anderton Advisory Services. He leads cybersecurity readiness services. Rob has worked across federal, defense, and commercial operations. Highlights from his cybersecurity career include Pentagon IR team lead, member of CERT/CC, manager of a DoD agency CERT, Technical Advisor to the Director of the SEI managing the FFRDC contract, proactive services lead for PwC, and EMEA director of incident response services at Dell Secureworks. Rob has engaged in the security community through FIRST as the Program Chair, Membership Chair, and Education & Training Chair. He was the editor for ISO 27035:2016 Incident Management and has delivered dozens of DFIR technical and academic courses as an Adjunct Professor at Carnegie Mellon University and as a Visiting Scientist at the Software Engineering Institute, CMU. He holds a BS and MS in computer science and an MBA.
IR requires elusive facts to support rapid decisions that resemble a risk-based game of Jenga. This session will introduce key decision points during IR and provide a methodology to ensure that resource allocations, supporting information for decision-making, and effort management are well communicated and effective, by using objectives, workstreams, confidence, and levels of effort.
June 6, 2023 12:05-12:40
FIRSTCON23-TLP-CLEAR-Floodeen-Objectifying-Your-Incident-Management-to-Lift-the-Fog-of-IR.pdf
MD5: bc0ba9c14d77e8b6b7d5f5f938eb0104
Format: application/pdf
Last Update: June 7th, 2024
Size: 1 Mb
- US TLP:AMBER
Open Season: Hunting More Intelligently
Justin Hopple (VMware, US), Karthik Yetukuri (VMware, US)
Justin Hopple has over 18 years of experience in various roles within networking and information security. After 10 years in the US Army, Justin joined VMware to set up a dedicated threat intelligence program. Currently, Justin is the Threat Intelligence Program Lead for VMware's Security Intelligence & Response Team, where he continues to mature the program, oversees daily operations and interfaces with internal and external stakeholders.
Karthik leads a globally distributed team of Security experts focused on DFIR, Incident Management, Threat Intelligence, Threat Hunting, Threat Detection and Insider Threats. He holds a Bachelor’s Degree in Electronics and Communication Engineering, a Master’s Degree in Information Systems Security & Project Management and various other security related certifications.
There have been numerous articles and presentations over the years emphasizing the importance of leveraging threat intelligence and conducting threat hunts. Some even mention that threat intelligence should help drive hunts, but have limited details on how to mature and scale a repeatable intelligence-driven process. This presentation will cover how we've implemented threat intel driven hunts and how they've enabled us to move towards a more proactive posture. The session will include examples of how to start prioritizing hunts, in a quantifiable way, based on information collected during daily threat intel operations, and how to take that process to the next level by using qualifiers that are unique to your environment. This talk will benefit those looking to mature existing threat intelligence and/or threat hunting programs. Attendees should have a general understanding of basic threat intelligence and threat hunting concepts, as these will not be covered.
June 6, 2023 09:30-10:05
- MW LT TLP:CLEAR
Operationalization of Malawi CERT- Lessons Learnt and Challenges
Christopher Banda (MACRA, MW), Vilius Benetis (NRD Cyber Security, LT)
Mr. Christopher Ganizani Banda is the head of the Computer Emergency Response Team (CERT) and works under the Malawi Communications Regulatory Authority (MACRA). He has been at the center of developing and coordinating cyber security issues in Malawi, such as developing the National Cyber Security Strategy, facilitating the design, establishment, and management of the National CERT, and initiating various cyber security activities. He has been involved in various national and international cybersecurity policy forums such as ITU, COMESA, SADC, etc. He was the Vice Rapporteur for ITU-D Study Group 2 Question 3/2 (Securing information and communication networks: best practices for developing a culture of cyber security) for the study period 2014-2017. Formerly focused on ICT development, he was responsible for facilitating ICT development in Malawi through policy and planning; licensing telecommunications networks; implementing ICT development projects; and research and development.
He holds MSc and BSc Degrees in ICT, an MSc Degree, a Certified Network Defender (CND), and a Certified Ethical Hacker (CEH). He has over fourteen years of technical experience in the ICT sector. The last five years have focused on cyber security.
Dr. Vilius Benetis is from NRD CIRT (@NRD Cyber Security), where he leads a team of experts to establish and modernise cybersecurity incident response teams (CSIRTs/SOCs) for sectors, governments and organisations in Africa, Asia, Europe and Latin America. He is an active contributor and speaker on cybersecurity incident response, and contributes to the development of CSIRT methodologies for ENISA, FIRST.org and the ITU. He is an industry professor in cybersecurity at Kaunas University of Technology.
National Computer Emergency Response Teams (CERTs) or national Computer Security Incident Response Teams (CSIRTs) are tasked with developing the capacity to manage cybersecurity incidents for a specific nation, industry, or organization. They also serve as the focal point for coordinating and supporting the response to cybersecurity incidents while performing the barest minimum of incident handling tasks. Around 2018 Malawi started the journey of establishing the National CERT, which serves as the country's hub for national coordination of cybersecurity incidents. Of late, MWCERT has been getting a lot of enquiries on the process of establishing a National CERT.
June 8, 2023 15:50-16:25
FIRSTCON23-TLP-CLEAR-Banda-and-Benetis-Operationalization-of-Malawi.pdf
MD5: 99e396f8caaa7dfd6303b38149431836
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.74 Mb
- LU TLP:CLEAR
Pain and Suffering; Implementing CTI Successfully in a SOC
Paul Jung (Excellium Services, LU)
Paul Jung has long been a security enthusiast. He has worked in the security field in Luxembourg for more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experience that enable him to perform multiple roles, from offensive security audits to security incident handling. From 2008 to 2014, prior to joining Excellium Services, Paul was Senior Security Architect in the Managed Network Security department of the European Commission. In this previous position, Paul was responsible for leading the technical aspects of security projects. Since 2014, Paul has worked at Excellium Services as a senior security consultant. He leads the Excellium Services CSIRT (CERT-XLM). Within this position, Paul leads the response team involved in incident handling and intrusion response. He provides security awareness and recommendations to Excellium Services customers. Paul is often a speaker at local events or security conferences such as the FIRST Conference, Virus Bulletin, Botconf or Hack.lu. He has also written a few articles in MISC magazine (French) about DDoS, botnets and incident response. His mother tongue is French, and he speaks English.
Excellium Services is a company of Thales which performs security monitoring (SOC) for its end customers. In plain terms, it means that we currently monitor 79 SIEMs (Security Information & Event Management). When it comes to detection, threat intelligence looks important. It is, for anybody willing to improve their detection capacity. It looks to be a key advantage when accurately used. However, it is very challenging to use threat intelligence to perform detection without sinking in a sea of false positives. My team, CERT-XLM, is maintaining and curating the threat intelligence data for implementation in our customers' SIEMs. What we propose to the audience is to explain the issues (and disappointments) that we have faced during these last years to put in place an efficient and actionable IOC system.
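The abstract's problem, indicators that drown a SIEM in false positives, is usually addressed before the feed reaches the SIEM. The following is an added example, not CERT-XLM's or Excellium's code: a small curation pass that drops allowlisted and stale indicators and low-confidence entries, keeps the reason each one was dropped for review, and matches what survives against proxy log lines. The feed, allowlist, thresholds and log lines are all constructed for the example.

```python
"""Curating a threat-intel feed before it is deployed as SIEM detection content.

Added example (not CERT-XLM code). Feed, allowlist, thresholds and log lines
are constructed; the drop rules are illustrative, not the speaker's process.
"""
from datetime import date

# Constructed indicator feed: (type, value, first_seen, confidence 0-100)
FEED = [
    ("domain", "update-cdn-check.example", date(2023, 5, 20), 80),
    ("domain", "google.com", date(2023, 5, 1), 90),       # a false positive waiting to happen
    ("ipv4", "8.8.8.8", date(2023, 5, 1), 70),             # shared public resolver
    ("domain", "old-c2.example", date(2022, 1, 10), 95),   # high confidence, but stale
    ("sha256", "a" * 64, date(2023, 5, 30), 60),           # below the confidence floor
]

# Constructed allowlist: values that never produce a useful alert on their own.
ALLOW_DOMAINS = {"google.com", "microsoft.com"}
ALLOW_IPS = {"8.8.8.8", "1.1.1.1"}

TODAY = date(2023, 6, 1)     # constructed "now" so the example is reproducible
MAX_AGE_DAYS = 180           # assumption: infrastructure IOCs older than this are rarely live
MIN_CONFIDENCE = 65          # assumption: feed-specific floor


def curate(feed, today=TODAY, max_age_days=MAX_AGE_DAYS, min_confidence=MIN_CONFIDENCE):
    """Return (kept, dropped): indicators worth deploying, and a reason for each one dropped."""
    kept, dropped = [], {}
    for ioc_type, value, first_seen, confidence in feed:
        if ioc_type == "domain" and value in ALLOW_DOMAINS:
            dropped[value] = "allowlisted domain"
        elif ioc_type == "ipv4" and value in ALLOW_IPS:
            dropped[value] = "allowlisted ip"
        elif (today - first_seen).days > max_age_days:
            dropped[value] = "stale"
        elif confidence < min_confidence:
            dropped[value] = "low confidence"
        else:
            kept.append((ioc_type, value))
    return kept, dropped


# Constructed proxy log lines: "<timestamp> <client> <destination host> <status>"
PROXY_LOG = """\
2023-06-01T10:00:01 10.0.0.5 google.com 200
2023-06-01T10:00:02 10.0.0.7 update-cdn-check.example 200
2023-06-01T10:00:03 10.0.0.9 old-c2.example 200
"""


def match_logs(kept, log_text):
    """Match curated domain indicators against proxy log lines; return (client, destination) hits."""
    domains = {value for ioc_type, value in kept if ioc_type == "domain"}
    hits = []
    for line in log_text.splitlines():
        _timestamp, client, destination, _status = line.split()
        if destination in domains:
            hits.append((client, destination))
    return hits


if __name__ == "__main__":
    kept, dropped = curate(FEED)
    print("deploy:", kept)
    print("dropped:", dropped)
    print("hits:", match_logs(kept, PROXY_LOG))
```

With these constructed inputs only update-cdn-check.example is deployed, and the one hit is from 10.0.0.7. The visit to old-c2.example is deliberately missed: aging trades recall for precision, which is why the drop reasons are returned rather than discarded, so an analyst can re-admit an indicator that a new sighting shows is still live.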
June 8, 2023 10:15-10:50
- US GB NL TLP:CLEAR
Preserving Confidentiality When Hunting With Friends
Gabriel Bassett (Liberty Mutual, US), Paolo Di Prodi (Priam Cyber AI ltd, GB), Hugo Ideler (Roseman Labs, NL), Toon Segers (Roseman Labs, NL)
Gabriel is the lead data scientist and a contributing author on the Data Breach Investigations Report team at Verizon Enterprise Solutions specializing in data science and graph theory applications to cyber security including VERIS and Attack Flow. He supports several information security data science conferences, is game architect for the Pros vs Joes Capture the Flag series and has previously held cyber security risk management, testing, intelligence, architect, and program management positions at the Missile Defense Agency and Hospital Corporation of America.
Paolo is the founder of Priam Cyber AI, a startup developing a native incident response platform for SOC teams. He was previously a data scientist for companies including Fortinet, Microsoft and Context IS. He worked on the Cyber Threat Alliance consortium and contributed to MITRE Engenuity projects including TRAM, Sightings and Attack Flow. He maintains an open source project called TypeDB CTI that is soon to become an OASIS-compliant library for STIX sources/sinks. He is also a contributor to the EPSS SIG in FIRST.org. He holds a PhD in multi-agent machine learning and a degree in software engineering.
Hugo Ideler is currently the head of Engineering at Roseman Labs, a start-up specializing in Multi-Party Computation. Hugo is a former senior manager at Deloitte's Incident Response practice and has 10 years of experience in responding to breaches and threat hunting in complex client environments. Hugo is also the lead engineer delivering the NCSC's SecureNed platform.
Toon Segers is co-founder and COO at Roseman Labs, the company developing privacy-preserving collaboration software that is used at the Dutch National Cyber Security Center. Toon is a PhD candidate in applied cryptography at TU Eindhoven, focusing on Secure Multi-Party Computation. Prior to this, he was a Partner at Deloitte, responsible for its Cyber Risk practice in the Netherlands. Toon worked at the Boston Consulting Group for 10 years, holds an MBA from Columbia University, and an MSc in Applied Math.
What if data sharing could be better? What if we could cooperatively perform threat hunting across multiple organizations in near-real time, with each team adding the pieces of the puzzle they observe? This talk is focused on the tools needed to do that. We'll cover data formats that improve shareability, and tools that improve sharing them while protecting privacy. Come find out what Multi-Party Computation (MPC) and Differential Privacy (DP) are and how you can put them to use without a PhD in applied mathematics. Others like the National Cyber Security Centre (NCSC) in the Netherlands are already using this approach, and you can too!
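The simplest building block behind the MPC the abstract mentions is additive secret sharing, shown here as an added example that is not Roseman Labs' or the NCSC's software. Each organisation splits its private number (say, how many hosts it saw beaconing to one indicator) into random shares, hands one share to each participant, and nobody ever sees another organisation's count; yet the participants can reconstruct the sum. The parties and counts are constructed; differential privacy is not shown.

```python
"""Joint count over private per-organisation values with additive secret sharing.

Added example, not code from the talk. Arithmetic is modulo a prime so that any
n-1 shares are uniformly random and reveal nothing about the shared value.
"""
import secrets

PRIME = (1 << 61) - 1   # Mersenne prime; all shares and sums live in this field


def share(value, n_parties):
    """Split value into n_parties additive shares whose sum is value mod PRIME."""
    if not 0 <= value < PRIME:
        raise ValueError("value must be a non-negative field element")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)   # last share fixes the sum
    return shares


def reconstruct(shares):
    """Recover a shared value (or a sum of shared values) from all of its shares."""
    return sum(shares) % PRIME


def joint_count(private_counts):
    """Sum the counts of several organisations without any of them disclosing its own.

    Party i shares its count and sends share j to party j. Each party adds up the
    shares it received, producing one share of the total; those partial sums are
    then combined. No party ever holds more than one share of any other's count.
    """
    n = len(private_counts)
    received = [[] for _ in range(n)]            # received[j]: the shares party j holds
    for count in private_counts:
        for j, s in enumerate(share(count, n)):
            received[j].append(s)
    partial_sums = [sum(r) % PRIME for r in received]   # each is a share of the total
    return reconstruct(partial_sums)


if __name__ == "__main__":
    # Constructed: three organisations' private sighting counts for one indicator.
    print("joint sightings:", joint_count([3, 0, 7]))
```

The output, 10, is all that leaves the protocol; the organisation that saw nothing is not exposed as a non-victim, and the one that saw seven is not exposed as the most affected. Real deployments replace the trusted loop above with network messages between parties and add authentication, but the arithmetic is exactly this.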
June 8, 2023 14:45-15:20
FIRSTCON23-TLPCLEAR-Basset-Idler-Preserving-Confidentiality-when-Hunting-with-Friends.pdf
MD5: f2f65f537cae23631ea16f157e8bc792
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.14 Mb
- TW TLP:GREEN
Prioritize Your Enterprise Critical Risk - Start at Active Directory
Mars Cheng (TXOne Networks, TW), Dexter Chen (TXOne Networks, TW)
Mars Cheng (@marscheng_) is a manager of TXOne Networks PSIRT and threat research team, responsible for coordinating product security and threat research, and is the executive director of Association of Hackers in Taiwan. Mars blends a background and experience in both ICS/SCADA and enterprise cybersecurity systems. Mars has directly contributed to more than ten CVE-IDs, and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Cheng was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Mars is a frequent speaker and trainer at several international cyber security conferences such as Black Hat USA/Europe/Middle East and Africa, RSA Conference, DEFCON, CODE BLUE, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, and CLOUDSEC. Mars was general coordinator of HITCON (Hacks in Taiwan Conference) PEACE 2022, HITCON 2021 and vice general coordinator of HITCON 2020.
Dexter Chen is a threat researcher at TXOne Networks with a primary focus on penetration testing, red teaming, and Active Directory security. He used to be a red teamer at Trend Micro specializing in lateral movement and operational security. He was the instructor of several trainings, including HITCON training, the Cybersecurity Center of Excellence (CCoE), and the Ministry of National Defense. Dexter is a cybersecurity enthusiast who likes playing labs, researching vulnerabilities, and exploring various attack techniques, and he currently holds the OSCP and OSWE.
From our study, there is a gap between the offensive and defensive sides which makes Active Directory an easy target for attackers. To begin with, defenders are not sufficiently informed about Active Directory attacks. With insufficient information about Active Directory attacks, defenders lack the visibility of potential threats in the environment needed to implement defenses such as alerts to uncover an intrusion. Secondly, there are more challenges to securing Active Directory even if the defender has visibility of the threats. With large numbers of assets and corresponding attack vectors, it is challenging for defenders to prioritize the threats to address. Without prioritization, it is impossible to efficiently reduce the risk in the shortest time possible. Thus, after investing resources to address security issues, the outcome cannot be certain with high confidence without a comprehensive risk assessment. To solve these challenges for defenders, we started by inventorying all the attack vectors for Active Directory to provide visibility of potential threats. We also proposed a risk model to practically calculate the risk of attack vectors for prioritization. Based on the risks of the attack vectors, we can then quantify the attack paths for overall evaluation. After a deep dive into our risk model, we will present how the attack vectors and attack paths can be applied to the model for risk quantification, with a strategy to reduce the overall risk in an effective and comprehensive way.
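The abstract describes scoring attack vectors and then quantifying attack paths from them; the following is an added example of that shape of analysis, not the speakers' risk model or TXOne code. It enumerates every path from low-privilege users to Domain Admins in a constructed toy domain (BloodHound-style relationships), scores each path as the product of assumed per-relationship likelihoods, and ranks edges by the path risk that runs through them, so the first fix is the one that removes the most risk.

```python
"""Prioritising Active Directory attack paths by the risk that passes through each edge.

Added example; not the speakers' model. The domain is a constructed toy and the
WEIGHT values are illustrative assumptions, not measured likelihoods.
"""
from collections import defaultdict

# Constructed edges: (source principal, relationship, target principal)
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("Helpdesk", "AdminTo", "WS02"),
    ("WS01", "HasSession", "svc_backup"),
    ("WS02", "HasSession", "svc_backup"),
    ("carol", "GenericAll", "svc_backup"),
    ("svc_backup", "GenericAll", "Domain Admins"),
]

# Assumed likelihood that an attacker holding the source can traverse the edge.
WEIGHT = {"MemberOf": 1.0, "AdminTo": 0.9, "HasSession": 0.6, "GenericAll": 0.8}

LOW_PRIV_USERS = ["alice", "bob", "carol"]   # constructed starting points
TARGET = "Domain Admins"


def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def attack_paths(edges, start, target):
    """All simple paths from start to target, each as a list of (src, rel, dst) edges."""
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for rel, nxt in graph[node]:
            if nxt not in visited:           # simple paths only: no revisiting a principal
                visited.add(nxt)
                path.append((node, rel, nxt))
                walk(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    walk(start, {start}, [])
    return paths


def path_risk(path):
    """Product of the edge likelihoods along one path."""
    risk = 1.0
    for _, rel, _ in path:
        risk *= WEIGHT[rel]
    return risk


def prioritise(edges, starts, target):
    """Return (total path risk, edges ranked by the path risk passing through them).

    The top-ranked edge is the choke point: fixing it removes the most risk.
    """
    per_edge = defaultdict(float)
    total = 0.0
    for start in starts:
        for path in attack_paths(edges, start, target):
            risk = path_risk(path)
            total += risk
            for edge in path:
                per_edge[edge] += risk
    ranked = sorted(per_edge.items(), key=lambda item: item[1], reverse=True)
    return total, ranked


def risk_after_fixing(edges, edge, starts, target):
    """Residual total risk once one edge (an ACL, a local admin grant, a session) is removed."""
    return prioritise([e for e in edges if e != edge], starts, target)[0]


if __name__ == "__main__":
    total, ranked = prioritise(EDGES, LOW_PRIV_USERS, TARGET)
    print(f"total path risk: {total:.3f}")
    for edge, score in ranked[:3]:
        print(f"{score:.3f}  {edge}")
```

On the constructed domain every path funnels through svc_backup's GenericAll over Domain Admins, so that single ACL carries all of the risk and removing it leaves none, while fixing one of the Helpdesk local-admin grants only cuts the two paths that cross it. Real inventories have many more relationship types and cycles; the simple-path enumeration above is exponential in the worst case, which is why tools for production-size graphs bound path length or reason on the graph directly.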
June 7, 2023 14:00-14:35
- NL TLP:CLEAR
Q&A After Hours | Dissect: the Solution to Large-Scale Incident Response (and Why APTs Hate Us)
Willem Zeeman (Fox-IT, NL), Erik Schamper (Fox-IT, NL)
Willem started his career in 2000 as a system engineer and studied technical informatics. From 2007 to 2017, he worked in both operational and organisational roles at an MSP. Since 2017, and currently in the role of Principal CIRT Consultant, he has been enjoying his passion for security and the use of tools like Dissect.
Erik is a security researcher at Fox-IT working on various topics, ranging from threat intelligence to working on complex incident response engagements. He is one of the key authors of Fox-IT's enterprise investigation framework, Dissect. He helped shape the tooling and methods of how Fox-IT approaches enterprise investigations today.
June 7, 2023 15:30-16:00
FIRSTCON23-TLPCLEAR-Schamper-and-Zeeman-DISSECT.pdf
MD5: dc29c23ce8e3afe210b2a783e4242164
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.41 Mb
- GB US TLP:CLEAR
Ransomware Zugzwang
Éireann Leverett (Concinnity Risks, GB), Scott Small (TidalCyber, US)
Éireann Leverett is the co-author of Solving Cyber Risk, and a cyber risk entrepreneur. His career has taken him from hardhats and steel toed boots in industrial control systems to the implications for critical national infrastructure in policy. He works regularly with the international CERT community at FIRST.org, and writes papers when he finds the time. His proudest achievement is co-authoring a paper which has inspired legislation in the EU. He loves nature, travel, and reading when he gets away from computers.
Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He is currently Director of Cyber Threat Intelligence at Tidal Cyber. Scott’s prior roles involved advising enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed & trained large & small audiences, presented original content at major security conferences & other industry events, and actively contributed to the professional community & open source security projects.
Ransomware threat actors use drastically different techniques, and target different groups. That might seem hard to keep up with when organising your defenses, but in fact it's an advantage: you get to deprioritise groups that don't target organisations like yours, and you get to focus on a handful of ATT&CK techniques that are relevant. In turn this means you only need a small number of defenses, and we list them for you in this presentation. We also know some of you want to prevent, while others want to detect and respond, so we build two profiles of defenses, depending on your strategy. We end with a message of hope about how the age of ransomware will come to pass.
June 9, 2023 10:30-11:05
FIRSTCON23-TLP-CLEAR-Leverett-and-Small-Ransomware-Zugzwang-Final.pdf
MD5: bd1ade815eeca3f6ea50d71a5e6fcfc9
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.55 Mb
- IE TLP:GREEN
Responding to Lapsus$ Style Smshing Attack, or How to Out an Actor!
Thomas Fischer (Riot Games, IE)
Thomas has over 35 years of experience in the IT industry, ranging from software development to infrastructure & network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. While currently focused on SecOps at a gaming company, Thomas continues as a security advocate and threat researcher focused on understanding data protection activities against malicious parties and continuous improvement in the incident response process. Thomas is also an active participant in the InfoSec community, not only as a member but also as a director of Security BSides London, and regularly shares at events like SANS DFIR EMEA, DeepSec, Shmoocon, ISSA, and various BSides events.
It's Memorial Day weekend 2022; users start reporting strange texts asking them to connect or lose their VPN access. We triggered our response process and things got serious after 2 users informed us they had clicked on the link. 5 days later they came back, but this time we were more prepared. Working with our logs, Slack and our game data, we were able to identify exactly what the actor targeted and that they were players of our games. We also realized that de-authorization of a user doesn't necessarily do what we thought it should in an SSO environment. Attribution can be hard, but by using our data and working with other gaming companies, we were able to identify a key actor. But this is the story of how we forced the actor to out themselves. In this talk, we will build a timeline of the attack and our response. We will also review some lessons learnt.
June 8, 2023 12:05-12:40
- HK TLP:CLEAR
Safeguarding IoT Devices in Digital Age - Building IoT Test Lab
Frank Chow (HKCERT, HK)
Frank Chow is the Head of Cyber Security and HKCERT, Hong Kong Productivity Council. Frank oversees HKCERT operations and leads a team to deliver a wide range of cybersecurity consulting services for Hong Kong industries. He has over 20 years of experience in the financial and service provider industries, spanning cybersecurity, technology risk management, IT governance, and business continuity. Prior to joining HKPC and HKCERT, Frank held management roles in cybersecurity and information risk at various financial institutions, such as Ping An OneConnect Bank, Livi Bank, Manulife, and Fubon Bank. Frank was awarded the Hong Kong Cyber Security Professionals Awards, (ISC)2 Asia Pacific Information Security Leadership Awards and BCI Asia Business Continuity Awards in recognition of his commitment to the cybersecurity and business continuity industries. Frank was invited to serve on various advisory panels of local and global organizations, such as the Education Bureau, HKIRC, and (ISC)2. Besides, he has held leading roles serving the professional community in the Professional Information Security Association, Cloud Security Alliance Hong Kong and Macau Chapter, (ISC)2 Hong Kong Chapter, Information Security and Forensics Society, and Project Management Institute Hong Kong Chapter.
IoT security has become a necessary subject of study for manufacturers and organizations. The consequences of attacks have also had a substantial operational impact on critical infrastructure and smart city environments. The IoT Test Lab is an innovative platform that will impact various industries around the globe. The IoT Test Lab can help manufacturers and organizations identify vulnerabilities and provides information for vulnerability prioritization. The focus of the IoT Test Lab is to sniff IoT communication and perform vulnerability scanning in an enclosed platform. This talk will help participants learn how to build an IoT Test Lab and a labelling scheme.
June 7, 2023 11:15-11:50
FIRSTCON23-TLP-CLEAR-Chow-Safeguarding-IoT-Devices-in-Digital.pdf
MD5: d4d4d170cfba974383d76ac340d71847
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.36 Mb
- TLP:CLEAR
SIG Updates: Multi-Stakeholder Ransomware, CVSS, Cyber Insurance, DNS Abuse, EPSS
CVSS SIG; DNS Abuse SIG; EPSS SIG; Multi-Stakeholder Ransomware SIG; Cyber Insurance SIG;
June 6, 2023 10:15-10:50
FIRSTCON23-TLP-CLEAR-SIG-Updates-CVSS-SIG-slides-Dave-Dugal.pdf
MD5: fd2686a70616c4673fffb0ac1b93bdf3
Format: application/pdf
Last Update: June 7th, 2024
Size: 196.84 Kb
FIRSTCON23-TLP-CLEAR-SIG-Updates-Cyber-Insurance-SIG-slides-Michael-Spr.pdf
MD5: b9ec38dbc08c3e5f6ac3d28428a7a3b5
Format: application/pdf
Last Update: June 7th, 2024
Size: 312.44 Kb
FIRSTCON23-TLP-CLEAR-SIG-Updates-DNS-SIG-slides-Jono-Spring.pdf
MD5: 1b2227cf7cea7e764cd61ae57a4a6489
Format: application/pdf
Last Update: June 7th, 2024
Size: 457.69 Kb
FIRSTCON23-TLP-CLEAR-SIG-Updates-EPSS-SIG-slides-JayJacobs.pdf
MD5: 9650a2fc345a5eafdc2e06918a53a7bd
Format: application/pdf
Last Update: June 7th, 2024
Size: 137.5 Kb
- TLP:CLEAR
SIG Updates: SecLounge, Automation, NETSEC, CSIRT, CSIRT Metrics, Vulnerability Coordination, IEP, VRDX
Group 2: SecLounge SIG; Automation SIG; NETSEC SIG; CSIRT Frameworks SIG; CSIRT Metrics SIG; Vulnerability Coordination SIG; IEP SIG; VRDX SIG
June 6, 2023 10:15-10:50
FIRSTCON23-TLP-CLEAR-SIG-Updates-Automation-SIG-Aaron-Kaplan.pdf
MD5: 6a3fe07ef847a6b38675783e7b708d19
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.74 Mb
FIRSTCON23-TLP-CLEAR-SIG-Updates-CSIRT-Frameworks-SIG-Klaus-Peter.pdf
MD5: 3d190185b10bbdd114199a05c4b7db09
Format: application/pdf
Last Update: June 7th, 2024
Size: 217.32 Kb
FIRSTCON23-TLP-CLEAR-SIG-Updates-NETSEC-SIG-John-Kristoff.pdf
MD5: 6b0616514bf04920ab625a93a774343e
Format: application/pdf
Last Update: June 7th, 2024
Size: 553.56 Kb
FIRSTCON23-TLP-CLEAR-SIG-Updates-VRDX-Vul-Coord-SIGs-Art-Manion.pdf
MD5: 950ef1b2f5d7515131f762c9f56d3e95
Format: application/pdf
Last Update: June 7th, 2024
Size: 31.2 Kb
- TLP:CLEAR
SIG Updates: TLP, Malware Analysis, CTI, WoF, Red Team, Ethics
Group 3: Malware Analysis SIG; CTI SIG; Red Team SIG; TLP SIG; Ethics SIG; WoF SIG;
June 6, 2023 10:15-10:50
FIRSTCON23-TLP-CLEAR-SIG-Updates-CTI-SIG-slides-Krassi-Tzvetanov.pdf
MD5: a4c71ea314574c3bc7123251ee0e1ded
Format: application/pdf
Last Update: June 7th, 2024
Size: 249.89 Kb
FIRSTCON23-TLP-CLEAR-SIG-Updates-Malware-SIG-slides-James-Potter.pdf
MD5: 68282364838faf56c67518b53eb15c4f
Format: application/pdf
Last Update: June 7th, 2024
Size: 190.18 Kb
- DE NL
SIM3 for Experienced Teams and Membership Sponsors
Klaus-Peter Kossakowski (DFN-CERT Services GmbH, DE), Miroslaw Maj (Open CSIRT Foundation, NL)
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.
Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) has over 20 years of experience in ICT security. He is co-founder of the Open CSIRT Foundation, the stewardship organisation for the SIM3 model and co-provider of the Trusted Introducer service for CSIRTs, including the processing of formal CSIRT certifications, and a lecturer of cybersecurity courses at a few universities. He is founder and president of the Cybersecurity Foundation, vice-president of the ComCERT company, and a former leader of the CERT Polska team. In 2017-2018 he was adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities, building organisational structures and establishing international cooperation in the field of cyberdefence. In March 2021 he was appointed a member of the Digitalization Council at the Ministry of Digital Affairs. He is a European Network and Information Security Agency (ENISA) expert and co-author of many ENISA publications, including CERT exercises and papers on improving CSIRT maturity. He has organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for the most essential sectors (e.g. energy, banking, telecommunications). He is a speaker at many international conferences, including the FIRST conferences, and is also the originator and organiser of the Security Case Study conference, one of the largest cybersecurity events in Poland.
This session is aimed at more experienced teams, who may also act as FIRST membership sponsors. How to use SIM3 to become more mature is discussed, and also how SIM3 works as part of the membership process. Emphasis is on the sponsor perspective.
June 4, 2023 13:30-15:00
- BE TLP:AMBER
Simple Deception 101
John Deprez (CCB/CERT.be, BE)
John has worked in IT for more than 30 years, 20+ of them in different fields of cybersecurity. After his Master's in Computer Science he started his career implementing networks and computer systems for a multinational non-profit organisation. With the advent of the Internet he switched to a telecom provider, where he practiced a plethora of cybersecurity tasks: antivirus, SIEM and intrusion detection, firewall operation, pentesting, security governance, vulnerability assessment, DFIR.
John currently holds the position of Technical Research Team Lead at CERT.BE, the CSIRT of the Belgian Centre for Cybersecurity, where he started in 2017 as Senior Analyst and DFIR Team Lead.
Nowadays attackers mostly use "normal" tools (LOLBINs) to investigate and move through hacked networks. This makes them more difficult to detect early using traditional means. Most defenses can be bypassed (antivirus, firewalls, DLP, whitelisting, SIEM, IDS/IPS, NAC). The usage of deceptive techniques (as a surplus, not a replacement) makes it easier to detect "strangers" on your network. There are different types of deception, which will be discussed. These methods can even be used if the detection capabilities are sub-par. We will discuss how deception can be implemented easily and incrementally.
June 6, 2023 16:35-17:10
- US TLP:CLEAR
Sliding Down the Slippery Analogy Slope and Landing in Clarity
Leigh Metcalf (CERT, US), Eugene Spafford (Purdue University, US)
Leigh Metcalf is a Senior Network Security Research Analyst at the Carnegie Mellon University Software Engineering Institute's cybersecurity (CERT) division. CERT is composed of a diverse group of researchers, software engineers, and security analysts who are developing cutting-edge information and training to improve the practice of cybersecurity. Before joining CERT, she spent more than 10 years in industry working as a systems engineer, architect, developer, and security specialist. Dr. Metcalf has presented research at numerous conferences. She is the co-author (with William Casey) of the book Cybersecurity and Applied Mathematics (Syngress, 2016) as well as the co-author (with Jonathan Spring) of the book Using Science in Cybersecurity (World Scientific, 2021). She is also the Co-Editor-in-Chief (with Arun Lakhotia) of the ACM journal Digital Threats: Research and Practice (DTRAP).
Eugene H. Spafford is one of the most senior academics in the field of cybersecurity. During his 0-plus years in computing--including 35 years as a faculty member at Purdue University, where he founded CERIAS, the Center for Education and Research in Information Assurance and Security--Spaf (as he is widely known) has worked on issues in privacy, public policy, law enforcement, intelligence, software engineering, education, social networks, operating systems, and cybersecurity. He has developed fundamental technologies in intrusion detection, incident response, firewalls, integrity management, and forensic investigation.
Dr. Spafford is a Fellow of the American Academy of Arts and Sciences (AAA&S), the American Association for the Advancement of Science (AAAS), the ACM, the IEEE, and (ISC)2; a Distinguished Fellow of the ISSA; and a member of the Cyber Security Hall of Fame--the only person to ever hold all these distinctions. In 2012, he was named as one of Purdue's inaugural Morrill Professors--the university's highest award for the combination of scholarship, teaching, and service. In 2016, he received the State of Indiana's highest civilian honor by being named a Sagamore of the Wabash.
More information may be found at https://ceri.as/spaf-bio.
Working in incident response often involves working with people outside the technical realm. As a result, we may avoid providing a technical description by substituting an analogy: The Internet is a series of tubes. Your cybersecurity is like an immune system. Your network is a castle. We look for the needle in the haystack to find the attack. Users are the weakest link. Viruses, Trojan Horses, and worms - oh my! Analogies have some value based on ground truth, but how they are interpreted often mangles the underlying technical concept. In some cases, it can even make understanding the actual problem harder than it should be. For example, physical firewalls are supposed to keep the fire out, yet cyber firewalls are supposed to let some things pass. This talk will discuss some commonly used analogies and explain the difficulties that can arise from relying too heavily on them. It will also address how best to create analogies that will be useful and facilitate more precise communication.
June 5, 2023 11:15-11:50
- CA IE TLP:AMBER
Small But Mighty - The Crucial Role a PSIRT Plays in Customer Trust, Adoption and Renewal
Kevin Hagopian (VMware, CA), Emer O'Neill (VMware, IE)
Kevin Hagopian is a Security Response Program Manager within the VMware Security Response Center (VSRC). Kevin has been a part of VMware for the past 12 years in Global Support (GS) most recently as a Solution Architect within Support Escalations. In the last year he has joined VMware Security Response Center to contribute in coordinating product security, analysis, remediation and disclosure of security issues reported in a wide array of VMware branded products. Kevin recently acquired his membership within ISC2 and received his CISSP with plans to focus on Advanced Threat Analysis and Digital Forensics.
Emer has over 20 years of technology experience and has worked in VMware since 2007. Her current role is Director of the VMware Security Response Center, where she leads a global team of technical program managers and security engineers to ensure the company is responding to external security reports, influencing stakeholders across the business, and advocating for VMware customers. Emer is passionate about security, joining the security incident response team with limited experience, she has built her reputation through seeking out mentors and immersing herself in the field.
In this presentation we will discuss the critical role a PSIRT plays in customer trust, adoption and renewal, along with protecting the company brand. Follow along as we highlight the evolution of a PSIRT in a software company, and how we have adapted our processes and policies as we deliver both on-premises and SaaS offerings. As cloud workloads continue to grow, we will outline how we have evolved in communicating security issues and implementing mitigations and IOCs. We will share insight into the partnerships a PSIRT has with other business units and the importance of readying your support and sales organization for upcoming security disclosures. We will elaborate on how our program has matured over time, and share insight into some of the automation tools developed to bolster our function and improve our time to response. Along with these insights we will outline how the PSIRT has enhanced our SDL program and improved the security posture of our offerings.
June 9, 2023 11:15-11:50
- NO NL TLP:CLEAR
SOCCRATES: Automated Security Decision Support for SOCs and CSIRTs
Martin Eian (mnemonic, NO), Frank Fransen (TNO, NL)
Dr. Martin Eian is a Researcher at mnemonic. He has more than 20 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. Martin was mnemonic's participant contact for the H2020 project SOCCRATES (https://www.soccrates.eu).
Frank Fransen received a MSc in Information Technology at the Technical University of Eindhoven in 1995. He is currently employed as a Senior Scientist in the Cyber Security & Robustness group of TNO. His work at TNO involves consultancy, and acquisition and execution of research projects on emerging security technologies, security of mobile networks (3G, 4G and 5G), automation of security operations, Cyber Threat Intelligence, and cyber security of smart energy grids. Frank was the technical coordinator of the H2020 project SOCCRATES (https://www.soccrates.eu).
You detect a malware infection on a laptop in the engineering department. You discover a new vulnerable server in your DMZ. You detect a change in one of your firewall rules. What is the business impact of these events? What is the potential business impact of an attacker exploiting them to compromise other assets? What is the best course of action to contain or prevent such an attacker?
The SOCCRATES security decision support platform [1] for SOCs and CSIRTs provides answers to questions like these.
The SOCCRATES project researched, designed, developed, deployed and demonstrated the prototype SOCCRATES platform from 2019 to 2022. The platform provides the following capabilities:
- A machine-readable model of the ICT infrastructure
- Automated security reasoning (Attack Simulation & Real-time Business Impact Assessment)
- Automated generation, assessment and execution of response actions
This session will:
- Introduce the SOCCRATES project
- Describe the capabilities above in detail
- Present our lessons learned and recommendations for decision support for SOCs and CSIRTs
[1] https://www.soccrates.eu
June 5, 2023 12:00-12:35
FIRSTCON23-TLPCLEAR-Fransen-Eian-SOCCRATES.pdf
MD5: 3edec6bb2626f9e81e9485efea4617df
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.48 Mb
- NL | TLP:AMBER
SPooFd: How to Spoof Mails, Even with Full SPF and DMARC Protection
Koen van Hove (NLnet Labs / University of Twente / Dutch Institute for Vulnerability Disclosure, NL)
Koen van Hove is a software and research engineer at NLnet Labs and a researcher at the University of Twente on the topic of network security. His most notable contributions are to the DDoS Clearing House and RPKI Relying Party Resiliency Platform. He is also a researcher level 2 at the Dutch Institute for Vulnerability Disclosure (DIVD), active within the Internet Engineering Task Force (IETF) and RIPE community.
Email is widely used for communication within an organisation and between organisations. Standards such as SPF and DMARC were created to reduce the number of phishing emails appearing to stem from legitimate domains. We describe a novel method of (ab)using the information in an SPF record by using the fact that many third-party hosting providers do not adequately check whether their customers hold the domain name they send email from, allowing us to make SPF and DMARC appear as a "pass" even though the domain holder did not authorise us to send email on behalf of them. We identified a significant number of high-profile domains across Europe, including local, federal and national government institutions and banks, where we were able to successfully send email on behalf of them. Solving these issues has proven to be difficult due to large differences in how institutions handled our disclosures.
June 5, 2023 11:15-11:50
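The exposure the abstract describes can be audited from the SPF record itself, before any mail is sent. The script below is an added example, not the speaker's tooling or code from this page: it expands a domain's SPF `include:` chain against a constructed, in-memory set of TXT records (the domain names, address ranges and the list of "shared" providers are all invented for the illustration), evaluates whether a given sender IP would pass, and reports which authorised networks are inherited from multi-tenant providers. Any other tenant of those providers who can set the envelope sender to the victim domain obtains an aligned SPF pass, and therefore a DMARC pass, without holding the domain. The `a`, `mx`, `exists`, `ptr` and `redirect=` mechanisms are deliberately left out.

```python
"""Audit an SPF record for shared-infrastructure exposure.

Added example, not part of the FIRSTCON23 programme or the speaker's tooling.
It uses a constructed, in-memory DNS zone instead of live lookups so it runs
offline; the hostnames, IP ranges and "shared provider" list are assumptions
made up for the illustration.
"""
import ipaddress

# Constructed TXT records standing in for DNS.  Real code would query DNS
# (e.g. with dnspython); every name and prefix here is invented.
FAKE_DNS_TXT = {
    "example.gov": ("v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example "
                    "include:spf.newsletter.example -all"),
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "spf.newsletter.example": "v=spf1 include:relay.newsletter.example ~all",
    "relay.newsletter.example": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 ~all",
}

# Assumed includes that belong to multi-tenant senders which let any customer
# choose an arbitrary envelope sender.  In practice this list is the *output*
# of an audit like the talk's, not something known up front.
SHARED_PROVIDERS = {"spf.newsletter.example", "relay.newsletter.example"}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def lookup_spf(name, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record for `name`, or None if there is none."""
    rec = dns.get(name)
    if rec and rec.lower().startswith("v=spf1"):
        return rec
    return None


def expand_spf(domain, dns=FAKE_DNS_TXT, _lookups=None, _seen=None):
    """Recursively expand include: mechanisms.

    Returns a list of (network, origin) tuples where `origin` is the domain
    whose record contributed the network.  Stops at the RFC lookup limit and
    on include loops.
    """
    _lookups = _lookups if _lookups is not None else [0]
    _seen = _seen if _seen is not None else set()
    if domain in _seen:
        return []
    _seen.add(domain)
    record = lookup_spf(domain, dns)
    if record is None:
        return []
    networks = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")  # qualifier is irrelevant for this audit
        if mech.startswith("ip4:") or mech.startswith("ip6:"):
            networks.append((ipaddress.ip_network(mech[4:], strict=False), domain))
        elif mech.startswith("include:"):
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                break  # a real evaluator would return permerror here
            networks.extend(expand_spf(mech[8:], dns, _lookups, _seen))
        # a, mx, exists, ptr and redirect= are omitted in this illustration
    return networks


def spf_passes(domain, sender_ip, dns=FAKE_DNS_TXT):
    """True if `sender_ip` is authorised by `domain`'s expanded SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net, _ in expand_spf(domain, dns))


def shared_exposure(domain, dns=FAKE_DNS_TXT, shared=SHARED_PROVIDERS):
    """Networks that yield SPF=pass but are inherited from a shared provider.

    A tenant of those providers who sets the envelope sender to `domain`
    gets an aligned SPF pass and hence a DMARC pass without holding the
    domain: the exposure described in the talk.
    """
    return sorted(
        (str(net), origin)
        for net, origin in expand_spf(domain, dns)
        if origin in shared
    )


if __name__ == "__main__":
    print("192.0.2.77 passes:", spf_passes("example.gov", "192.0.2.77"))
    for net, origin in shared_exposure("example.gov"):
        print(f"{net} authorised via shared provider {origin}")
```

The fix on the domain-holder side is to drop or narrow the shared include (many providers publish per-customer `include:` names or dedicated IP pools); on the provider side it is to verify domain ownership before accepting a customer's envelope sender.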
- CA | TLP:CLEAR
Supercharge Your Malware Analysis Workflow with Assemblyline (Full Day)
Steve Garon (Canadian Center for Cyber Security, CA), Kevin Hardy-Cooper (Canadian Center for Cyber Security, CA), Ryan Samaroo (Canadian Center for Cyber Security, CA), Gabriel Desmarais (Canadian Center for Cyber Security, CA), Marc-Olivier Guilbault (Canadian Center for Cyber Security, CA)
Steve is the Team Leader for the Assemblyline project at the Canadian Center for Cyber Security (CCCS). He has been at CCCS for 16 years and began as an analyst working on malware reverse engineering. His wish to speed up triaging malware detection led to Assemblyline, which he has worked on since 2010.
Kevin is the dynamic analysis expert for the Assemblyline project at the Canadian Center for Cyber Security (CCCS). Kevin has been at CCCS for 3 years and is one of CAPE sandbox’s maintainers and top contributors. Kevin can be found spending his time improving JavaScript and PowerShell script detection in Assemblyline, as well as getting as many IOCs out of malware as possible (which coincidentally is also the bane of his existence).
Ryan is the infrastructure expert for the Assemblyline project at the Canadian Center for Cyber Security (CCCS). He has been at CCCS for 2 years, where he spends time deploying and maintaining multiple Assemblyline instances and working on the core components of Assemblyline. He can also be found responding to the community’s questions and suggestions and working towards improving Assemblyline to benefit the cyber community.
Gabriel has been at the Canadian Center for Cyber Security (CCCS) for 10 years and is now working to find the most interesting samples to bring up to the team. Anything from absurdly obfuscated scripts to the strangest file format is going to be of interest. He is always looking into incorporating cutting edge techniques into existing modules or writing new modules.
Marc-Olivier is a new member of the Assemblyline team at the Canadian Center for Cyber Security (CCCS). His primary focus is improving the monitoring agent behind the CAPE sandbox project (known as Capemon) and discontinuing usage of Cuckoo sandbox in Assemblyline.
Malware analysis and incident response are very time-consuming processes, which is why automating as many tasks as possible can be a game changer. This is where Assemblyline comes into play. This workshop will showcase CCCS' open-source automated malware analysis and triaging system by giving a quick overview of what it is and what it's used for. We will then show the participants how to perform malware analysis using Assemblyline by looking at results of known malware inside it. After that, we will dig deep into the multiple facets of its user interface like searching, alerting, etc. Then the participants will start their hands-on experience with Assemblyline by using its Python client to write scripts that will access the different APIs and finally create a custom service to add functionalities to the system. Participants will work on a system deployed for the event and will be shown how they can deploy one themselves.
For workshop pre-requisites and instruction, see the following link: https://github.com/CybercentreCanada/assemblyline-training-first2023
June 8, 2023 09:30-10:50
FIRSTCON23-TLPCLEAR-Garon-Hardy-Cooper-Samaroo-Desmarai-Supercharge-Your-Malware-Analysi
MD5: d41d8cd98f00b204e9800998ecf8427e
Format: directory
Last Update: June 7th, 2024
Size: 4 Kb
- JP | TLP:GREEN
Surviving the Hurt Locker: or How I Learned to Stop Worrying and Love the Bom (Workshop version) (Full Day)
Manabu Niseki (LINE Corporation, JP), Simon Vestin (LINE Corporation, JP)
A Botconf, HITCON, OBTS and JSAC speaker. A V3 climber forever.
A security engineer and novice conference speaker. Likes to swim along the shores close to his home.
SBOM, Software Bill of Materials, is a new concept in securing the software supply chain. With it, providing transparency for software consumers is possible, making vulnerable components hiding deep down in dependency hell visible. There is an abundance of tools for generating SBOMs, but the majority are based on static lock files. Lock files are not necessarily present on servers after software is deployed, making tracking incomplete without knowing exactly the source of all deployed software. Lock files are also not mandatory in all programming languages, making static lock file based SBOM for certain software doomed. To tackle this issue, SBOM collection also needs to some extent be done at runtime. In this workshop, the difference between static and runtime SBOM collection will be explained through some hands-on challenges. In addition, SBOM based vulnerability detection with the OSV, Open Source Vulnerability, database will be demonstrated.
June 9, 2023 09:00-10:20
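The distinction the abstract draws between static and runtime SBOM collection, and the OSV-based matching it mentions, can be shown in a few lines. The following is an added illustration, not the workshop's material or code from the page: the runtime half inventories the Python distributions actually importable in the running interpreter via `importlib.metadata`, which is what is left on a server after deployment when no lock file is, and the matching half applies OSV-style `introduced`/`fixed` range events to that inventory. The advisories, package names and versions are constructed stand-ins shaped like OSV records, not real vulnerabilities.

```python
"""Runtime SBOM collection and OSV-style vulnerability matching.

Added example; not the workshop's material.  The runtime half reads the
packages present in the running interpreter (importlib.metadata), which is
what survives deployment when lock files do not.  The vulnerability data is a
constructed stand-in shaped like an OSV record; the package names, versions
and advisory identifiers are invented for the illustration.
"""
from importlib import metadata


def runtime_sbom():
    """Enumerate installed Python distributions from the running environment.

    Each component is (ecosystem, name, version), the triple OSV keys on.
    Nothing here depends on a requirements.txt or lock file being present.
    """
    components = []
    for dist in metadata.distributions():
        try:
            name = dist.metadata.get("Name")
            version = dist.version
        except Exception:  # unreadable .dist-info; skip rather than abort
            continue
        if name and version:
            components.append(("PyPI", name.lower(), version))
    return sorted(set(components))


def version_key(v):
    """Crude numeric version tuple, padded so '1.2' == '1.2.0' compare equal.

    Adequate for release segments like 2.3.1; pre-release tags are ignored.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


# Constructed advisories in OSV shape (id, affected[].package, affected[].ranges).
CONSTRUCTED_OSV = [
    {
        "id": "OSV-EXAMPLE-0001",  # invented identifier, not a real advisory
        "summary": "constructed example: fixed in examplehttp 2.3.1",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "examplehttp"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.3.1"}]}],
        }],
    },
    {
        "id": "OSV-EXAMPLE-0002",
        "summary": "constructed example: unfixed issue in exampleyaml 5.x",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "exampleyaml"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "5.0"}]}],
        }],
    },
]


def is_affected(version, ranges):
    """Apply OSV range events: affected if introduced <= v < fixed.

    An 'introduced' with no later 'fixed' means the issue is still open.
    The 'last_affected' event type is not handled in this illustration.
    """
    v = version_key(version)
    for rng in ranges:
        introduced = None
        for event in rng["events"]:
            if "introduced" in event:
                introduced = version_key(event["introduced"])
            elif "fixed" in event:
                if introduced is not None and introduced <= v < version_key(event["fixed"]):
                    return True
                introduced = None
        if introduced is not None and introduced <= v:
            return True
    return False


def match_sbom(sbom, advisories=CONSTRUCTED_OSV):
    """Return (name, version, advisory id) for every vulnerable component."""
    findings = []
    for ecosystem, name, version in sbom:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"] == ecosystem and pkg["name"].lower() == name
                        and is_affected(version, aff.get("ranges", []))):
                    findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for finding in match_sbom(runtime_sbom()):
        print(*finding)
```

Against a live OSV database the same triples are posted to its batch query API and the returned ranges fed to `is_affected`; the point of the example is that the inventory comes from the running process, not from a file that may never have been deployed.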
- SE | TLP:AMBER
Tales From the Dark Side
Hasain Alshakarti (TRUESEC, SE), David Lilja (TRUESEC, SE)
Hasain, also known as "the Wolf", is an industry-leading cyber security expert with more than 20 years of experience. He has extensive and deep expertise from numerous design projects, security audits, advanced implementation projects, incident response, threat hunting and penetration testing. He helps customers understand and build solutions to protect, detect and respond to cyber threats for enterprises, government agencies, banks, military organizations among others. Hasain is a sought-after advisor, speaker and a popular instructor. For his many achievements over the years, Hasain has been awarded recognition as "Sweden's leading IT security expert" and Microsoft MVP in Enterprise Security and Cloud & Datacenter.
David is a Threat Analyst with a broad background in IT spanning more than 20 years. He has worked as a developer in the e-commerce business as well as the car industry and the medical industry. He has worked in a start-up and built a Payment Service Provider from the ground up and was the first to put physical PCI DSS approved payment terminals in retail shops in Sweden. Before joining TRUESEC he was the CSIRT team leader at a global retail company. He now helps customers to protect, detect and respond to attacks together with Hasain in a wide range of areas; government agencies, banks, and more. David is an appreciated speaker and is also a weekly podcast host with about 400 episodes under his belt.
How are the Threat Actors gaining ground and persistence in an environment today? How sophisticated are they? Real-world cyberattacks will be uncovered and explained in detail.
June 9, 2023 11:15-11:50
- BR, GB | TLP:CLEAR
Team Cymru Community Services Workshop
Jacomo Piccolini (Team Cymru, BR), Scott Fisher (Team Cymru, GB)
Jacomo Piccolini joined Team Cymru in 2012 as part of the Outreach Team and is based in Brazil. Prior to working at Team Cymru, he worked at the Brazilian Research and Academic Network, at their Academic CSIRT, and acted as the Academic Coordinator for the Educational School's security and IT governance curriculum. With 21 years of field experience, Jacomo holds a degree in Engineering and a post-graduate degree in Computer Science and Business Administration. Jacomo is known globally due to his long time involvement in FIRST (The Forum for Incident Response and Security Teams). He is a Liaison Member of FIRST and the team representative for Team Cymru. Jacomo is also Team Cymru representative at OIC-CERT. Previously Jacomo coordinated hands-on activities for FIRST and is now contributing on the Membership Committee. Jacomo is also known for his work and contributions within several security communities and trust-based groups, serving as an advisor, doing pro bono work and as an elected board member. Jacomo is responsible for Team Cymru's Community Services, including the CSIRT Assistance Program (CAP) and the Data Sharing Partnerships. When possible he returns to education, teaching network forensics and CSIRT security courses, at the post-graduate level, as an invited professor. When not working to make our networks safer places, Jacomo spends time doing his other great love, photography.
This workshop will review the various Team Cymru Community Service programs that are available at no cost. The TC Community Services provide no-cost Threat Intel, DDoS Mitigation, Transaction Fraud Prevention, and more. Attendees will learn how each service works, how to subscribe to the services and how to configure and implement the service in their network.
June 6, 2023 09:30-10:50
- US | TLP:CLEAR
The 4 Pillars of Cyber Security
Laurie Tyzenhaus (SEI CERT, US)
Laurie has worked at the Software Engineering Institute (SEI) on the CERT team for almost 10 years. She joined the Vulnerability Coordination and Analysis Team in 2017. Laurie presented at FIRST in 2018 on the evolution of Coordinated Vulnerability Disclosure from a 'hub and spoke model' to a 'shared bus model' which was later implemented in VINCE. Today Laurie is focused on National and International Standards, working to guide standards which can support implementable cybersecurity policy and procedures. Prior to joining the SEI Laurie was at the Department of Energy (DOE) as a member of the Intelligence and Counterintelligence Team for 12 years, working as a Technical Analyst.
These 4 standards and related policies should be implemented on a global basis. Companies of different sizes can leverage their acquisition process of a product, service, or combination and request information on how the supplier has implemented the four pillars. The four pillars are:
- Coordinated vulnerability disclosure (CVD)
- Supply chain transparency/Software Bill of Materials (SBoM)
- Secure software updates
- End of security support/end of product life
June 9, 2023 09:45-10:20
FIRSTCON23-TLPCLEAR-Tyzenhaus-The-4-Pillars-of-Cyber-Security.pdf
MD5: b1cac25ec8d93bee7e23ecec6cbad438
Format: application/pdf
Last Update: June 7th, 2024
Size: 752.53 Kb
- DE, US | TLP:CLEAR
The CSAF Writer Guild - Advancing Your Experience (Full Day)
Thomas Schmidt (BSI, DE), Justin Murphy (CISA, US)
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITON/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
Justin Murphy is a Vulnerability Disclosure Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. He also assists Dr. Allan Friedman in coordinating the global, multi-stakeholder community-led efforts around software bill of materials (SBOM), and other Technology Assurance related projects at CISA. Justin is a former high school mathematics teacher turned cybersecurity professional and has a M.Sc. in Computer Science from Tennessee Technological University, and a B.Sc. degree in Statistics from the University of Tennessee (Knoxville).
The Common Security Advisory Framework (CSAF) became an OASIS standard in 2022. CISA and BSI announced that machine-processable security advisories in CSAF will be a core pillar of better vulnerability management. Once you have the basics, writing CSAF documents is easy. However, to write good and actionable CSAF documents a little more knowledge is needed. The participants will learn in several hands-on exercises how to create complex and meaningful structures in the product tree. This includes the handling of hotfixes, hardware/firmware/software combinations, and internal components. It will also cover all profiles specified in the standard.
June 7, 2023 11:15-12:35
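Two of the product-tree situations the abstract names, a hotfix and a firmware-on-hardware combination, are modelled below as an added illustration that is not workshop material or code from the page. The vendor, product names, versions and advisory identifier are invented; the field names follow the OASIS CSAF 2.0 JSON schema as understood by the editor (a `product_version` branch per version including the hotfix, and an `installed_on` relationship that gives the firmware/hardware pair its own `product_id` so it can be listed in `product_status`). A real document should still be run through a CSAF schema validator; the check here only catches `product_id`s that are referenced but never defined, which is the most common hand-authoring mistake.

```python
"""Build a small CSAF 2.0 advisory whose product tree models a hotfix and a
hardware/firmware combination, then check the product_id cross-references.

Added illustration, not material from the CSAF Writer Guild workshop.  The
vendor, products, versions and advisory identifier are invented; the field
names follow the OASIS CSAF 2.0 schema as the editor understands it, and a
real document should still be run through a schema validator.
"""
import json


def version_branch(name, product_id):
    """A product_version leaf of the product tree."""
    return {"category": "product_version", "name": name,
            "product": {"name": name, "product_id": product_id}}


def build_advisory():
    firmware_versions = [
        version_branch("1.2", "CSAFPID-0001"),
        version_branch("1.3", "CSAFPID-0002"),
        # A hotfix gets its own version node so it can be listed as fixed
        # while the base version stays known_affected.
        version_branch("1.2 Hotfix 1", "CSAFPID-0003"),
    ]
    product_tree = {
        "branches": [{
            "category": "vendor", "name": "Example Vendor",
            "branches": [
                {"category": "product_name", "name": "ExampleFirmware",
                 "branches": firmware_versions},
                {"category": "product_name", "name": "ExampleController",
                 "branches": [version_branch("Hardware rev. A", "CSAFPID-0010")]},
            ],
        }],
        # Firmware installed on the controller is a distinct product with its
        # own product_id; the vulnerability then references the combination.
        "relationships": [
            {"category": "installed_on",
             "product_reference": "CSAFPID-0001",
             "relates_to_product_reference": "CSAFPID-0010",
             "full_product_name": {
                 "name": "ExampleFirmware 1.2 on ExampleController Hardware rev. A",
                 "product_id": "CSAFPID-0101"}},
            {"category": "installed_on",
             "product_reference": "CSAFPID-0003",
             "relates_to_product_reference": "CSAFPID-0010",
             "full_product_name": {
                 "name": "ExampleFirmware 1.2 Hotfix 1 on ExampleController Hardware rev. A",
                 "product_id": "CSAFPID-0103"}},
        ],
    }
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": "Example Vendor",
                          "namespace": "https://psirt.example"},
            "title": "Example advisory (constructed)",
            "tracking": {
                "id": "EXAMPLE-2023-0001", "status": "final", "version": "1",
                "initial_release_date": "2023-06-07T00:00:00Z",
                "current_release_date": "2023-06-07T00:00:00Z",
                "revision_history": [{"date": "2023-06-07T00:00:00Z",
                                      "number": "1", "summary": "Initial release"}]},
        },
        "product_tree": product_tree,
        "vulnerabilities": [{
            "title": "Constructed example issue",
            "product_status": {"known_affected": ["CSAFPID-0101"],
                               "fixed": ["CSAFPID-0103"]},
        }],
    }


def collect_product_ids(tree):
    """Every product_id defined in branches or by a relationship."""
    ids = set()

    def walk(branches):
        for b in branches:
            if "product" in b:
                ids.add(b["product"]["product_id"])
            walk(b.get("branches", []))

    walk(tree.get("branches", []))
    for rel in tree.get("relationships", []):
        ids.add(rel["full_product_name"]["product_id"])
    return ids


def dangling_references(doc):
    """product_ids used in product_status or relationships but never defined."""
    defined = collect_product_ids(doc["product_tree"])
    referenced = set()
    for rel in doc["product_tree"].get("relationships", []):
        referenced.update((rel["product_reference"], rel["relates_to_product_reference"]))
    for vuln in doc.get("vulnerabilities", []):
        for ids in vuln.get("product_status", {}).values():
            referenced.update(ids)
    return sorted(referenced - defined)


if __name__ == "__main__":
    print(json.dumps(build_advisory(), indent=2))
```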
- GB, US, IE, GH, CH | TLP:CLEAR
The Female Conversation – Empowering Women in IR and CI
Rebecca Taylor (Secureworks, GB), Tracy Bills (CERT® Division of the Software Engineering Institute (SEI), US), Emer O'Neill (VMware, IE), Audrey Mnisi (Ghana Association of Banks; FIRST.org Board Member; Vice President for Women in Cybersecurity Wes, GH), Khushali Dalal (Juniper, US), Amanda Capobianco (Richemont International SA, CH)
Rebecca Taylor joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, supporting Incident Response as Incident Command Knowledge Manager, and then moving into Secureworks' first Threat Intelligence Knowledge Manager role in 2022. Rebecca is primarily focused on the implementation of knowledge management processes and procedures for the Counter Threat Unit, the ingestion and management of Secureworks Threat Intelligence knowledge, and its associated quality, storage and maintenance. Rebecca continues to study and mature her cybersecurity depth of knowledge, with a longer-term ambition of becoming a Threat Intelligence researcher.
Amanda first joined Richemont International SA in 2019 with a degree in Comp Sci. and Cybersecurity, and an internship opportunity which allowed her to explore various Incident Response and Threat Hunting activities. 3.5 years later, Amanda is leading Richemont CSIRT’s Cyber Threat Intelligence team and is responsible for tactical, operational, and strategic intelligence operations within the Group. Through her work, she aims to advance Richemont’s understanding of its adversaries while contributing to a proactive, threat driven defense against the evolving tradecraft of attackers.
Audrey Mnisi is an experienced Information Security Professional with 23 years of experience, Audrey is currently the Chief Information Security and Risk Officer, at the Ghana Association of Banks, FIRST.org Board Member and Vice President for Women in Cybersecurity West Africa Affiliate, a cyber sisterhood, to recruit, retain, mentor, and advance women in cybersecurity. She played a significant role in the drafting of Ghana Cyber Security Legislation, ACT 1038 and reviewing Ghana National Cyber Security Strategy, establishing Ghana National CERT and in 2019 she led Ghana’s National CERT to join FIRST. Audrey is passionate about protecting Children online and is a co-founder of Future Jewels, an NGO which advocates for child online safety.
Emer has over 20 years of technology experience and has worked in VMware since 2007. Her current role is Director of the VMware Security Response Center, where she leads a global team of technical program managers and security engineers to ensure the company is responding to external security reports, influencing stakeholders across the business, and advocating for VMware customers. Emer is passionate about security, joining the security incident response team with limited experience, she has built her reputation through seeking out mentors and immersing herself in the field.
Khushali was born and raised in a small town of India- Ahmedabad, Gujarat. She has a bachelor’s in electrical and Telecommunication Engineering from India and a master’s in cyber security from University of Maryland College Park. Khushali joined Juniper Networks in 2019, where she began her journey as an Associate Sales Engineer supporting and implementing Juniper lab in Verizon’s infrastructure. In 2021, she moved into the Verizon channel team as a Partner Sales Engineer for Verizon’s Managed WLAN solutions. And in this role, she established an early-in-career program to support and build relationship between the Juniper and Verizon sales community. In her current role, she is a Product Security Incident Manager where she is responsible for the receipt, confirmation, verification, management, validation, and resolution of reports of potential product security vulnerabilities in products manufactured and sold by Juniper Networks.
Tracy is a Sr. Cybersecurity Operations Researcher at the CERT® Division of the Software Engineering Institute (SEI). Tracy has worked extensively to assist both public and private organizations to develop, implement, and refine their incident response, security operations, and threat intelligence processes. Currently, her focus is on helping countries build their national-level incident management capabilities and capacity.
According to a recent ISC2 workforce study, around 24% of the cybersecurity workforce is female. Yet despite the need for more diverse representation being a prominent conversation topic across the industry, there is still little focus on how it is actually achieved and the actions all individuals can take to support this initiative. Join Rebecca Taylor's panel "The Female Conversation" and gain a higher understanding of what your organisation can do to better empower female talent in your Incident Response teams. From recruitment to team dynamics, to reasonable adjustments and to bridging the gender pay gap, this panel will address these hard-hitting topics and equip you with top tips to take back to improve the hiring, retention and progression of the females leading your Incident Response efforts.
June 7, 2023 11:15-12:35
FIRSTCON23-TLP-CLEAR-Taylor-The-Female-Conversation.pdf
MD5: f196e3b397113f98e490c9d30478aedf
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.82 Mb
- US | TLP:CLEAR
The Internet DDoS Threat Landscape
John Kristoff (NETSCOUT, US)
John is a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT). He is a PhD candidate in Computer Science at the University of Illinois Chicago studying under the tutelage of Chris Kanich. John is also adjunct faculty in the College of Computing and Digital Media at DePaul University. He currently serves as a research fellow at ICANN and sits on the NANOG program committee. He is also a founder and operator of the non-profit Dataplane.org.
In this presentation, we will discuss global and regional trends in DDoS attacks over the past year. This will include details of new DDoS vectors, observed attack volumes and prevalence, targeted verticals, notable attack campaigns, and other information relevant to network operators, incident responders, and targeted endpoints.
June 6, 2023 12:05-12:40
FIRSTCON23-TLP-CLEAR-Kristoff-The-Internet-DDoS-Threat-Landscape.pdf
MD5: 0ea8b3b3e97963122c880f5457d62364
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.71 Mb
- US | TLP:CLEAR
The PowerPuff Girls of Information Sharing - Joining Forces To Protect The Universe!
Denise Anderson (Health-ISAC, US), Faye Francy (Automotive ISAC, US), Suzie Squier (Retail and Hospitality ISAC (RH-ISAC), US), Bridgette Walsh (Financial Services ISAC (FS-ISAC), US), Marina Krenz (Research and Education Networks ISAC (REN-ISAC))
Denise Anderson, MBA, is President and CEO of the Health Information Sharing and Analysis Center (Health-ISAC), a global, non-profit organization dedicated to providing a trusted forum for timely and valuable situational awareness so that health sector companies can make informed, risk-based decisions about the physical and cyber threats they face. Prior to Health ISAC, she was Vice President of Financial Services-ISAC where for almost nine years she helped the ISAC grow and achieve its successful status in the information sharing community. She has over thirty years of executive level leadership in the private sector. Denise currently serves as Chair of the National Council of ISACs, sits on the Board of Directors for the Global Resilience Federation (GRF) and is on the Executive Committee of the Cyber Working Group for the Health and Public Health Sector Coordinating Council. In addition, she participates in numerous industry and advisory groups and initiatives and has spoken at events all over the globe. Denise was certified as an EMT (B), and Firefighter I/II and Instructor I/II in the state of Virginia for twenty years and was an Adjunct Instructor at the Fire and Rescue Academy in Fairfax County, Virginia for ten years. She is a graduate of the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Security.
Executive Director Automotive ISAC. Ms. Francy serves the global automotive industry by providing strategic leadership and vision to foster collaboration for mitigating the risks of a cyber-attack. The Auto-ISAC was established in 2015 with the goal of developing a more resilient global automotive industry through member collaboration and sharing of timely cyber threat information. As the Executive Director, Faye is actively engaged with private-sector stakeholders, partners, and government agencies to facilitate information sharing to help strengthen the industry's capability and capacity to detect, prevent, respond to, and mitigate disruptions related to the connected vehicle and supporting infrastructure. The Auto-ISAC is a non-profit organization operating in Washington, D.C. Previously Ms. Francy stood up and led the Aviation-ISAC while working at the Boeing Company. She held numerous leadership positions before retiring from Boeing, including Cyber ONE Leader, Director Enterprise Technologies, Director of Research in Phantom Works, and Director for Air Traffic Management. Ms. Francy has a bachelor's degree in chemistry and mathematics and Master of Science in Forensic Chemistry.
Suzie Squier is the president of the Retail & Hospitality ISAC (RH-ISAC). Reporting directly to the board of directors, Squier is responsible for management of the organization, continuing to develop and expand the capabilities of the ISAC by incorporating important benchmark data with its annual CISO Benchmark Report and request for information summaries. Squier has been connected to the ISAC since its inception, overseeing a growth of more than 139% over five years. Prior to joining the RH-ISAC, Squier was executive vice president of member services for the Retail Industry Leaders Association and worked in various membership organizations before that. She is a graduate of the University of Maryland.
Bridgette Walsh is Senior Director, Strategic Partnerships at Financial Services ISAC (FS-ISAC) and also serves as Executive Director of the Financial Services Sector Coordinating Council (FSSCC), a 70+ member organization representing global financial trade associations, financial utilities and other critical financial firms. Before she joined FS-ISAC, she was Chief, Partnerships and Engagement, Office of Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security and also held a number of other roles within the organization.
What do an Engineer, Firefighter/EMT-Mountain Climber, Grandmother of five, and Mother of wonder-twins all have in common? By day they are the superhero leaders of thriving Information Sharing and Analysis Centers (ISACs). In this dynamic panel session, moderated by Krysten Stevens, Technical Director of Research and Education (REN) ISAC; Denise Anderson, President and CEO of Health ISAC, Faye Francy, Executive Director of Automotive-ISAC, Suzie Squier, President of Retail and Hospitality (RH) ISAC and Bridgette Walsh, Senior Director Strategic Partnerships of Financial Services (FS) ISAC will share their journeys as accomplished female leaders of successful organizations and how they have paved the way to advance the resilience and security of critical infrastructure across the globe. They will talk about the challenges, opportunities and rewards of leading ISACs through specific examples, actual incidents, and lessons learned. This panel of experts will provide a view of the information sharing landscape and the role it will play in the future, describe how they collaborate with partners and each other and also impart strategies and tips for developing fruitful information sharing networks.
June 7, 2023 14:00-15:20
- US | TLP:CLEAR
Three Simple and Effective Cybersecurity Exercises
John Hollenberger (Fortinet, US)
John Hollenberger is a cybersecurity consultant with over fifteen years of experience in web- and host-based vulnerability assessments, incident response, digital forensics collection, PCI compliance, and Data Loss Prevention with a primary focus on proactive incident response consulting services. In his current position, John is a Senior Security Consultant of Proactive Services, where he develops and facilitates tabletop exercises, and reviews and creates Incident Response Plans and related documentation for large corporations, small businesses, and non-profit organizations, and conducts a variety of security assessments. John currently holds the following degrees and certifications: BA, CISSP, CISA, CISM, CRISC, GCIH, GWAPT, and Security+.
The genesis of many cybersecurity exercises begins with a simple request: An executive approaches a manager and says, "We need a tabletop. Get it done." This request may stir up angst as some planning is required and, to some, may be a new experience. But what do you do when you simply don't have the luxury of ample time to plan for a cybersecurity exercise? How do you conduct a cybersecurity exercise that is simple yet effective and worth the participants' valuable time? This presentation will present three simple cybersecurity exercise ideas that may be conducted with minimal planning, are applicable to most organizations and will deliver value by identifying potential deficiencies or confirming the efficacy of existing processes.
June 5, 2023 14:00-14:35
FIRSTCON23-TLP-CLEAR-Hollenberger-Three-Simple-and-Effective-Cybersecurity-Exercises.pdf
MD5: de722f039c1d6e73e9ba40b2c8382944
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.79 Mb
- US
Tier 1 to C-Suite: Communicating a Breach using Threat-Informed Defense (Full Day)
Mike Cunningham (MITRE Engenuity, US), Mark Haase (MITRE Engenuity, US), Jon Baker (MITRE Engenuity, US)
Mike Cunningham is an accomplished R&D Program Manager at MITRE Engenuity's Center for Threat-Informed Defense. He continuously strives to advance the state of the art and the state of practice in threat-informed defense through cutting-edge research and innovation. Prior to joining MITRE, Mike honed his skills as an Interactive On-Net Operator with the NSA's elite Tailored Access Operations team. Outside the office, Mike cherishes quality time with his wife, three daughters, and their dog, Sunny. A multifaceted individual, he also relishes playing music, maintaining his fitness, and soaking up the San Diego sunshine.
Mark Haase is the Chief Engineer for the Center for Threat-Informed Defense, where he oversees technical strategy and execution across all Center research projects. Mark previously worked at Microsoft on the Office 365 cloud for USGOV customers. Prior to that, he participated on DARPA research programs focused on law enforcement capabilities for digital crimes and the dark web. Mark is currently pursuing a master's degree at the UC Berkeley School of Information. He lives in the greater Washington, DC area with his wife and two kids, and in his free time he enjoys biking and cooking.
As the General Manager for the Center for Threat-Informed Defense, Jon Baker is responsible for the Center’s strategy and its outcomes as he convenes the global cybersecurity community to advance the state of the art and the practice in threat-informed defense. Jon co-founded the Center as a privately funded research and development organization where he partners with sophisticated cybersecurity teams to systematically advance the global understanding of adversary tradecraft and apply that knowledge to improve the community’s ability to defend against those threats.
A breach in a network typically involves communicating varying levels of technical information to many stakeholders. It can be difficult to curate the information needed for each stakeholder. A SOC analyst requires vastly different information from a CISO, and vice versa. Not knowing how to effectively communicate the details of a breach can lead to a delayed, or ineffective, response. This workshop will teach defenders how to create high-fidelity communications across teams by using open-source tools centered around a threat-informed defense. Attendees will be able to execute adversary activity, catalogue the activity, and then plot and visualize the activity on an interactive graph. At the end of this session, attendees will have the tools and knowledge necessary to effectively communicate critical information to all stakeholders.
June 4, 2023 09:00-10:30
- US TLP:CLEAR
Till There Was Unix: Defending ESXi Against Ransomware Attacks
Lindsay Kaye (Recorded Future, US)
Lindsay Kaye is Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance (ARMOR) at Recorded Future. Her primary focus is the creation of actionable intelligence: providing endpoint and network detections that can be used to detect threats. Lindsay's passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
Over the past 18 months, ransomware targeting ESXi has become substantially more popular, with several high-profile groups such as ALPHV, BlackBasta, Hive, and LockBit developing their own lockers. The shift towards ESXi stems from the virtualization of entire organizations' infrastructure, with minimal defensive capabilities available. As a result, this provides more incentive for a threat actor looking to extort the organization into paying the ransom. Our talk will provide a technical discussion and overview of the specific TTPs ransomware operators employ to target ESXi systems prior to dropping ransomware. We will also discuss techniques we can use to detect and defend against them, including endpoint and network detection opportunities, and what gaps exist therein. We will also provide a technical overview of the newest ESXi lockers that are available, and some of the similarities and differences between them that make it possible to track them. Finally, this talk will cover what the future of ransomware could look like, including other opportunities for extortion and additional technologies to exploit that we see in the cybercriminal threat landscape.
June 9, 2023 09:00-09:35
- LU TLP:CLEAR
Typosquatting Finder - An Open Source Solution to Find Typosquatted Domains
David Cruciani (CIRCL - Computer Incident Response Center Luxembourg, LU), Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU)
David Cruciani is a security researcher at CIRCL. He leads the development of various open source software projects in threat intelligence and digital forensics.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.
There are a lot of tools to identify typosquatting, like dnstwist or urlcrazy, but none of those tools gives the possibility to generate variations using all possible algorithms. We decided to create a library to gather all the possible variations for a domain name. But what better than a user-friendly interface to give everybody the possibility to use this tool? So a website has been created too. In this session, the website will be presented with all its functionality and all the algorithms implemented in the library at this point in time. Our library is open source, the user-friendly interface is also open source, an online version is available to the public, and there is a MISP integration. You have no more excuse not to take care of potential typosquatting domains targeting your organisation.
June 6, 2023 11:20-11:55
- US TLP:CLEAR
UMQ? What Comes After TLP
Tom Millar (CISA, US)
Tom Millar has served in CISA for 15 years, working to strengthen the agency's information sharing capabilities, increasing the level of public, private and international partner engagement, and supporting initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master's of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
Many of us and our teammates have used the Traffic Light Protocol (TLP) to indicate how we wish our information to be shared with others in the community for many years, or over a decade in a few cases. In this presentation, we will discuss the fundamental limitations of TLP, how some communities are trying to overcome them, and ideas for how to improve the state of information sharing between teams around the world. There are major challenges ahead; this talk is intended as a call to action for the FIRST community to begin working together on developing and adopting more advanced solutions for information sharing, not only between humans but between machines as well.
June 5, 2023 14:00-14:35
- US DE TLP:CLEAR
Universal (Software) Product Identity: Solving a Hard Problem Twice Over
Art Manion (Art Manion, US), Thomas Proell (Siemens ProductCERT, DE), Thomas Schmidt (BSI, DE)
Art Manion is the Deputy Director of ANALYGENCE Labs, where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has led and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Thomas Proell has been working for Siemens in product security for 15 years. After five years of penetration testing he changed sides and is leading the incident handling and vulnerability response team for Siemens ProductCERT.
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories on both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITON/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase the security of ICS and the broader ecosystem, BSI responsibilities cover many areas, including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his master's in IT-Security at Ruhr-University Bochum (Germany), which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
The year is 2023. Vulnerability disclosure and management are still based on a haphazard foundation of independent software identification systems. We identify software products, systems, and components by name. We also use versions, dates, file hashes, and other identifiers. Unfortunately, we all have slightly (or very) different ideas about the names. And versions. Possibly the dates too. It's harder to disagree about file hashes, but not impossible. We've solved identification for some things. VIN for cars, ISBN for books, UUID, DNS, and DOI for the internet. We've solved software identification for isolated partitions. Package managers, ports, operating system updates, development and build tools, software composition analysis, containers, software services: All of these systems define and manage identification and dependency. But for the most part, these systems don't interoperate. This "hard problem" of universal identification has gained importance with the growing adoption of Software Bills of Materials (SBOM) and related supply chain concepts. So how do we sort out when we are talking about the software, or different software, or how software components are related? This panel will present and discuss nothing less than a global-scale unique product identification (UPID) solution. Or two solutions.
June 6, 2023 11:20-12:40
FIRSTCON23-TLPCLEAR-Schmidt-Manion-Universal-Software-Product-Indentity.pdf
MD5: 3cc058589d01280b54dc544ddd6488f0
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.38 Mb
- BE AT FR TLP:CLEAR
Using Apple Sysdiagnose for Forensics and Integrity Check
David Durvaux (European Commission, BE), Aaron Kaplan (European Commission, AT), Emilien Le Jamtel (CERT-EU, FR)
David leads EC DIGIT CSIRC and has been active in the incident response field for more than a decade. He has worked on many IT security incidents, especially on their computer forensics aspects. David has presented twice at the FIRST conference and at other conferences.
Aaron worked at the national CERT of Austria between 2008 and 2020; he has a background in maths and computer science. Since 2020 he has worked for EC-DIGIT-CSIRC, the IT security team of the European Commission. He is the co-founder of intelmq.org, a tool for automating the typical tasks of IT security teams. Aaron is a regular speaker at IT security conferences such as FIRST, hack.lu, Blackhat, and CCC. He also had the honor of serving as a FIRST board director between 2014 and 2018, where he initiated multiple infrastructure projects such as misp.first.org. He believes in using automation, open source and machine learning to improve the lives of DFIR folks. In fact, he believes that without those tools, we won't be fast enough to keep up with attackers.
Emilien Le Jamtel has been a cyber security expert for 15 years. After building his technical skills in offensive security, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to the Digital Forensics and Incident Response team. Since 2021, Emilien has been leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff. Emilien is a regular speaker at IT security conferences such as FIRST, hack.lu, Botconf or NorthSec.
The talk will demonstrate how to use Sysdiagnose for forensic purposes on Apple devices. Sysdiagnose is a tool which was originally intended for other purposes. This approach was used successfully to detect the infamous Pegasus spyware on iOS devices. The presenters will share with the audience hands-on experiences, and share what works and what does not work with this approach.
June 8, 2023 14:00-14:35
FIRSTCON23-TLPCLEAR-Durvaux-Using-Apple-Sysdiagnose-for-Forensics-and-Integrity-Check.pdf
MD5: e4ff105c6806c2d8189238e227e45706
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.69 Mb
- IT TLP:AMBER
Using CTI to Prevent Banking Frauds: Case Study Gozi Malware
Giuseppe Morici (Intesasanpaolo Bank S.p.A., IT), Grazia Leonetti (Intesasanpaolo Bank S.p.A., IT)
Giuseppe is the Global Head of Cyber Threat Intelligence at Intesa Sanpaolo Bank, an experienced manager with a technical background in offensive and defensive security. He started his career in cybersecurity in 2010, focused on offensive and network security; he joined an international consulting firm in 2018 and, since 2019, has been responsible for Cyber Threat Intelligence at the first Italian bank, Intesa Sanpaolo S.p.A.
Grazia is a criminologist and intelligence analyst particularly interested in all kinds of threats. In the past she has worked in collaboration with the Italian Army, focused on CBRNe threats, and in several rehabs for addicts and alcoholics. She has been working in cyber security since 2016, with a focus on security architecture, awareness and cyber security culture and, from 2020, in cyber threat intelligence.
As banking trojans pose one of the biggest challenges to banking institutions, we seek to illustrate the case study conducted by tracking GOZI malware distribution across the Italian and European territory. The malicious software has persistently targeted European banks' clientele, leveraging mule accounts and web injects to successfully make fraudulent transactions. We have been monitoring the malware's evolution as it has sought to introduce new methodologies to perpetrate fraudulent campaigns against our customers, discovering the usage of mule accounts and web injects, which are typically leveraged to hijack the session created by the unknowing customer when creating a wire transfer. By analyzing both indicators of compromise, and thus triaging the malicious infrastructure, coupled with ad hoc banking rules, we have been able to reduce GOZI's impact on our clientele by bringing down the number of malicious transactions to zero within certain months.
June 6, 2023 14:45-15:20
- TLP:CLEAR
Welcome Reception Sponsored by Adobe | Located on Lobby Level
All attendees welcome! Come and kick-off the week with this networking event. Visit with our various meet and greet tables that will include: participating Special Interest Groups, SEI CERT/CC, and FIRST Membership. Beverages and light appetizers will be provided. Registration will be open during the reception.
June 4, 2023 18:00-20:00
- TLP:CLEAR
Welcome to FIRST! Newbie Session in Place du Canada
Are you new to FIRST, new to the conference, or interested in membership? Join this useful informational session to help you navigate and make the most of your week's participation.
June 4, 2023 17:00-18:00
- AU TLP:CLEAR
What Part of JMP RSP Don't You Understand (Half Day)
Vishal Thakur (Huntress, AU)
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specializing in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. He has presented his research at international conferences (BlackHat, FIRST, SANS DFIR Summit) and has also run training/workshops at BlackHat and FIRST Conference. Vishal is currently working as Manager, Threat Operations Center at Huntress. In past roles, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Centre with advanced threat analysis and developing DFIR tools and has been a part of the Incident Response team at the Commonwealth Bank of Australia.
Assembly language is one of the building blocks of all applications that we analyse in the field of malware analysis today. This workshop starts off with the basics of assembly language and goes into the details of how to write and subsequently read assembly code and make sense of it all. Attendees will get to write simple applications and then analyse them in this hands-on, fully practical workshop. We finish off by analysing real-world malware by looking at its assembly code and interpreting it into actionable information.
Please make sure your setup meets the following requirements (before the workshop starts):
- Virtual Machine: Windows 10 or above
- RAM: 8GB or above
- IDA Pro (Free version)
- x64dbg
June 8, 2023 09:30-10:50
- US TLP:CLEAR
What's Running on My Hosts? Process Identification Through Network Traffic Monitoring
Adam Weller (Cisco, US)
Adam Weller currently works as a Senior Technical Leader in Cisco's CSIRT. Since starting at Cisco in 2015, he has participated in internet research, projects aimed at improving the analysis of encrypted network traffic, and threat intelligence. He seeks to scale automated analysis using metadata.
We developed a new software package for network visibility, which is able to detect many interesting applications like malware, Tor, and outdated software, by fingerprinting TLS and other protocols. Network visibility continues to be an essential component of network defense because of technology trends that impede end-host visibility: consumerization (BYOD), virtualization, cloud, and IoT. At the same time, the rise of TLS is changing how fingerprinting must be done. Exact-match TLS fingerprints are used in several software packages through the JA3 library. While exact-match analysis is useful, we found that the use of additional metadata about the destination significantly improved the accuracy of process identification. We show how this technique is generalizable to other protocols. Our packet capture and analysis system processes enterprise network traffic at 40 Gbps using modern server hardware. In this presentation, we describe our open source software package, our results in applying it to real-world traffic, and our suggestions for applications to your network.
June 8, 2023 10:15-10:50
- US TLP:AMBER
Why Are Our Researchers Observing Doorbells Sending Spam?
Matthew Stith (Spamhaus, US)
Matt is a seasoned anti-abuse advocate with over a decade of experience in email, cloud hosting, and general internet abuse. The internet community is where Matt's passion lies. By coming together and sharing lessons learned, Matt believes that this community has the power and means to combat abuse on the internet. As Industry Liaison for Spamhaus, Matt gets to put his experience into practice; working alongside a multitude of companies and organizations to drive forward Spamhaus' mission of making the internet a safer place for everyone. Additionally, Matt is an active participant at M3AAWG having served two terms on its Board of Directors and authoring the Hosting Committee's best common practices.
Spamhaus researchers are observing a considerable uptick in the number of residential and small business users, and even hospitals, unknowingly spewing out spam. The reason? Well, as the saying goes, there's no such thing as a free lunch, or in this case, a free app! Users are downloading what they consider "free apps" from third-party sites to any device connected to the internet, from smartphones to doorbells. However, buried within the terms and conditions is the fact that a proxy is included in the application. This proxy provides third parties, namely miscreants, access to the application, the proxy, and, ultimately, the user's internet connection. Cybercriminals then use this to send out large volumes of spam from this IP address. Having tracked this activity for the past couple of years, our team can provide insight into it, its associated patterns, and the human pain it causes.
June 5, 2023 12:00-12:35
- FR TLP:CLEAR
You Are a Manager Harry
Emilien Le Jamtel (CERT-EU, FR)
Emilien Le Jamtel has been a cyber security expert for 15 years. After building his technical skills in offensive security, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to the Digital Forensics and Incident Response team. Since 2021, Emilien has been leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff. Emilien is a regular speaker at IT security conferences such as FIRST, hack.lu, Botconf or NorthSec.
In this talk, Emilien Le Jamtel will detail his journey from Senior Incident Responder to team leader of the DevSecOps team of CERT-EU. It will go through the issues he faced, the misconceptions he had, and the expertise he brought when transitioning from a deeply technical position to a management role in a slightly different area.
June 9, 2023 11:15-11:50