36TH Annual FIRST Conference BRIDGING SECURITY RESPONSE GAPS

Training Program Agenda

The agenda is subject to change. The agenda times are reflected in local time Fukuoka

About TLP Designations

If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees at https://www.first.org/conference/2023/registration-terms.

Meetings notated with "invite-only" or "invitation only" are private meetings.

Registration & Fees

Training is a separate activity from the annual conference and requires a standalone registration. You do not need to attend the annual conference to register for training. Training registration includes:

  • Two coffee breaks
  • Buffet lunch
  • Entry to the Sunday evening Conference Welcome Reception
  • Applicable training materials

Training is not available as a virtual option.

Fees:

  • Member: US $300.00
  • Non-member and Liaison: US $500.00

Register for Training

Sunday, June 9th

Track 1Track 2Track 3Track 4Track 5Track 6Track 7
07:00 – 08:30

Registration

08:30 – 10:00
 CH

(Advanced) Purple Teaming - BlueTeam Edition

Stephan Berger (InfoGuard AG, CH)

TLP:CLEAR
 LT

CSIRT/SOC Manager Improvement Training

Vilius Benetis (NRD CIRT, LT)

TLP:GREEN
 SG

Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques

Ming LOH (CrowdStrike); Wei Chea ANG (SG)

TLP:GREEN
 US

KPIs for CSIRTs

Logan Wilkins (Cisco, US)

TLP:CLEAR
 PL

MWDB, Karton & more: Build your own malware analysis pipeline using open source tools

Jarosław Jedynak (CERT.PL / NASK, PL); Michał Praszmo , Paweł Srokosz (CERT POLSKA, PL)

TLP:CLEAR
 ES

From Threat Intelligence to Threat Hunting: A Practical Approach

Vicente Díaz (VirusTotal , ES)

TLP:CLEAR
 GB CH

Ransomware Empowerment

Éireann Leverett (Conconnity Risks, GB); Nadia Meichtry (CH)

TLP:CLEAR
10:00 – 10:15

Coffee Break

10:15 – 12:30
 CH

(Advanced) Purple Teaming - BlueTeam Edition

Stephan Berger (InfoGuard AG, CH)

TLP:CLEAR
 LT

CSIRT/SOC Manager Improvement Training

Vilius Benetis (NRD CIRT, LT)

TLP:GREEN
 SG

Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques

Ming LOH (CrowdStrike); Wei Chea ANG (SG)

TLP:GREEN
 US

KPIs for CSIRTs

Logan Wilkins (Cisco, US)

TLP:CLEAR
 PL

MWDB, Karton & more: Build your own malware analysis pipeline using open source tools

Jarosław Jedynak (CERT.PL / NASK, PL); Michał Praszmo , Paweł Srokosz (CERT POLSKA, PL)

TLP:CLEAR
 ES

From Threat Intelligence to Threat Hunting: A Practical Approach

Vicente Díaz (VirusTotal , ES)

TLP:CLEAR
 GB CH

Ransomware Empowerment

Éireann Leverett (Conconnity Risks, GB); Nadia Meichtry (CH)

TLP:CLEAR
12:30 – 13:30

Lunch Break

13:30 – 15:30
 CH

(Advanced) Purple Teaming - BlueTeam Edition

Stephan Berger (InfoGuard AG, CH)

TLP:CLEAR
 LT

CSIRT/SOC Manager Improvement Training

Vilius Benetis (NRD CIRT, LT)

TLP:GREEN
 SG

Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques

Ming LOH (CrowdStrike); Wei Chea ANG (SG)

TLP:GREEN
 NZ

What do I say? A framework for communicating during an incident

Hadyn Green (CERT NZ, NZ)

TLP:CLEAR
 AU

Cat and Mouse - Hunting for post compromise persistence in Linux server environments.

Jurjen De Jonge (Ericsson); Robert Byrne (Ericsson PSIRT, AU)

TLP:GREEN
 US

AI Security Bootcamp - A Practical Guide On Securing AI Systems

Vishal Thakur (TikTok USDS, US)

TLP:CLEAR
 GB CH

Ransomware Empowerment

Éireann Leverett (Conconnity Risks, GB); Nadia Meichtry (CH)

TLP:CLEAR
15:30 – 15:45

Coffee Break

15:45 – 17:30
 CH

(Advanced) Purple Teaming - BlueTeam Edition

Stephan Berger (InfoGuard AG, CH)

TLP:CLEAR
 LT

CSIRT/SOC Manager Improvement Training

Vilius Benetis (NRD CIRT, LT)

TLP:GREEN
 SG

Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques

Ming LOH (CrowdStrike); Wei Chea ANG (SG)

TLP:GREEN
 NZ

What do I say? A framework for communicating during an incident

Hadyn Green (CERT NZ, NZ)

TLP:CLEAR

15:45 – 18:00

 AU

Cat and Mouse - Hunting for post compromise persistence in Linux server environments.

Jurjen De Jonge (Ericsson); Robert Byrne (Ericsson PSIRT, AU)

TLP:GREEN

15:45 – 18:00

 US

AI Security Bootcamp - A Practical Guide On Securing AI Systems

Vishal Thakur (TikTok USDS, US)

TLP:CLEAR

15:45 – 18:00

 GB CH

Ransomware Empowerment

Éireann Leverett (Conconnity Risks, GB); Nadia Meichtry (CH)

TLP:CLEAR
  •  CHTLP:CLEAR

    (Advanced) Purple Teaming - BlueTeam Edition

    Stephan Berger has worked in security for over ten years, now for over three years at the Swiss security company InfoGuard, where he leads the Incident Response Team. He is an active twitterer (@malmoeb), owns a Bachelor's in Computer Science and a Master's in Engineering, as well as various SANS certifications and the OSCP. He spoke at multiple conferences, including last year's FIRST conference.

    How do the bad guys can breach our defenses so fast? In this training, we will touch on different advanced topics that will give you a better understanding of how attacks are carried out and how we can protect ourselves better against them.

    • Windows Credentials: The various forms of credentials and how they are used during authentication. We will learn how attackers can steal these credentials and move laterally with these credentials.
    • Active Directory: Advanced attacks like Abusing GenericALL / WriteDACL and Delegations
    • AV Evasion: It's easier than you might think
    • AMSI: Background and internals of the mighty Anti-Malware-Scan-Interface
    • Meet the Shellcode Runners: How to create malicious documents and files which will infect our lab machines
    • Process Injection: And how to stay under the radar once the infection occurred
    • Bypassing Applocker: If time permits, we will dig into the art of bypassing Applocker to learn how to protect it better.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  •  USTLP:CLEAR

    AI Security Bootcamp - A Practical Guide On Securing AI Systems

    Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specializing in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. He has presented his research at international conferences (BlackHat, DEFCON, FIRST, SANS DFIR Summit) and has also run training/workshops at BlackHat and FIRST Conference. Vishal is currently working as Senior Director, Cyber Fusion Center at TikTok USDS. In past roles, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Centre with advanced threat analysis and developing DFIR tools and has been a part of the Incident Response team at the Commonwealth Bank of Australia. For past few years, Vishal has been involved in ML and AI security and has been researching this subject.

    Join our immersive AI Cybersecurity Workshop where participants will learn to build and secure a virtual lab for hands-on practice in protecting AI systems. Delve into the creation of realistic datasets and AI models, essential for simulating cyber threats. Explore the intricacies of injecting anomalies, introducing adversarial attacks, and labeling data for supervised learning scenarios. Gain insights into leveraging pre-existing models, custom model creation, and developing adversarial models for comprehensive security testing. The workshop guides participants in crafting detailed security scenarios, defining use cases, and understanding data flow to simulate real-world AI cybersecurity challenges. Through practical exercises, attendees will master techniques to safeguard AI systems, evaluate defense measures, and hone incident response skills. Elevate your expertise in AI cybersecurity through this dynamic workshop, equipping you to tackle evolving threats in the rapidly advancing landscape of artificial intelligence.

    June 9, 2024 13:30-15:30, June 9, 2024 15:45-18:00

  •  AUTLP:GREEN

    Cat and Mouse - Hunting for post compromise persistence in Linux server environments.

    Robert Byrne is a principal security specialist hosted in a global competence center for security within the Ericsson CTO office. Bringing over 17 years of experience in telecommunication engineering and information security, Robert holds cross functional roles, spending his time performing vulnerability assessments and incident response activities that touch Ericsson's product and services portfolio. Robert holds a double degree in Engineering and Computer science and is Offensive Security OSCP and (ISC)2 CISSP certified.

    Jurjen De Jonge is a Senior Security Specialist within Ericsson's Security Assurance organization. With a focus on offensive security, Jurjen performs assurance activities such as vulnerability and penetration testing on Ericsson's products and cloud services.

    In this workshop, participants will learn how to identify post-compromise persistence techniques used by threat actors within Linux server environments. Attendees will gain hands on experience by exploring a diverse range of scenarios - from crypto-miner infections to state sponsored campaigns. Best in class opensource tooling (such as Osquery) will be used during hands on exercises where participants will investigate compromised Linux systems in a lab environment.

    June 9, 2024 13:30-15:30, June 9, 2024 15:45-18:00

  •  LTTLP:GREEN

    CSIRT/SOC Manager Improvement Training

    Dr. Vilius Benetis is a member of NRD CIRT (@NRD Cyber Security), where he leads a team of experts to consult, establish, and modernise CSIRT/SOCs for governments, organisations, and sectors in Africa, Asia, Europe, and Latin America. He is an active contributor to the development of CSIRT/SOC-related methodologies for ENISA, FIRST.org, and ITU.

    This training is for CSIRT or SOC managers, mid-managers and wanna-be managers.

    CSIRT/SOC Manager Improvement Training, covers 4 topics:

    1. Mandate and Strategy Clarification
    2. Manager's Time Allocation and priorities
    3. KPIs
    4. Annual Reporting

    Often CSIRT/SOC success depend a lot on how well they are managed by the management team. This training is one of very few trainings available specifically targeting CSIRT/SOC managers - to inspire, motivate, upskill, and foster friendships with other CSIRT/SOC managers. Training is for current and future senior and mid-managers of CSIRTs and SOCs. The objective of the training is to spend full day reflecting and collectively working on CSIRT/SOC manager's daily questions and concerns, including KPIs, Annual report writing, clarity improvement in mandate and strategy, manager's time planning and allocation. It will be dedicated time to build relations between managers, discussing and supporting each other.

    in 2023 it was run in 3 FIRST events (Bilbao, Kigali, Montreal), totaling more than 160 course participants, with very positive reviews.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  •  SGTLP:GREEN

    Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques

    Ming LOH is a principal consultant at CrowdStrike where he focuses on incident response and technical assessment engagements focusing on cloud. He has worked on several high profile investigation involving both nation state and eCrime threat actors for a wide range of industries.

    Wei Chea ANG currently works at a SaaS company, empowering enterprises to secure and manage their digital assets. With a focus on cloud security for the past 5 years, he has worked with various organizations, including large tech startups and Fortune 100 companies. Before venturing into cloud security, he served as a threat hunter at Countercept.

    As organizations migrate their critical workloads into the cloud, it is critical for the security teams to fortify their cloud environment against modern threat actors targeting it. This introductory program is crafted to empower security teams with the foundational skills needed to effectively build out the detection capabilities in AWS.

    You will learn:

    • Common AWS Attacks:
      Explore real-world attack scenarios in AWS, covering tactics commonly used by threat actors ranging from unauthorized access to data exfiltration. This helps to gain insights into attack vectors and form a foundation for effective detection strategies in the AWS Cloud.
    • What is CloudTrail:
      AWS CloudTrail is a cloud service that enables you to record and monitor activity within your AWS account. We will look into the essential fundamentals of AWS CloudTrail, gaining a comprehensive understanding of its role in enhancing security within AWS environments. We will cover the intricacies of configuring CloudTrail trails, allowing participants to tailor logging settings to capture specific events and activities.
    • CloudTrail Log Analysis with Athena:
      Master the interpretation of AWS CloudTrail logs, extracting valuable insights from user activities, API calls, and resource changes. Learn to identify indicators of compromise, enabling proactive detection and response to security threats. Harness the power of native AWS tools like Amazon Athena for SQL-based queries on CloudTrail logs. Develop skills to uncover patterns and anomalies, allowing for advanced analysis and actionable intelligence to enhance AWS security.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  •  ESTLP:CLEAR

    From Threat Intelligence to Threat Hunting: A Practical Approach

    Vicente Díaz is a specialist in Threat Intelligence and Threat Hunting. He works in the VirusTotal team in Google as Threat Intelligence Strategist. He holds a degree in Computer Science and an MsC in Artificial Intelligence. He was e-crime manager in S21sec for 5 years and deputy director for EU in Kaspersky's Global Research and Analysis team for almost 10 years, where he was co-creator and responsible for the APT Intelligence Reporting service.

    Threat hunting is one of the most powerful techniques to proactively uncover and neutralize threats. While it has traditionally been a blend of science and intuition, we witnessed a surge of innovative tools and techniques that can significantly enhance its effectiveness. In this hands-on workshop, we will explore how to effectively use new and traditional techniques including: Identify, monitor and get full context of malicious campaigns. Effective semi-automated YARA generation. Netloc hunting. Similarity analysis. Understanding and leveraging AI engines for code analysis. Tackling large datasets. Throughout the workshop, you will engage in practical exercises and real case studies, equipping both seasoned and new hunters with practical knowledge to find and monitor all kinds of real threats.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30

  •  USTLP:CLEAR

    KPIs for CSIRTs

    Logan Wilkins has over 25 years of software development and information security experience. He has worked in academic, research, and corporate settings, specializing in DevSecOps management, data science, and information security. In his current role, Logan manages Cisco's CSIRT Engineering Delivery team, which is responsible for Security Monitoring and Incident Response systems development, CI/CD processes, and Data Management. Logan is Co-chair of the FIRST Metrics Special Interest Group (SIG).

    In the rapidly evolving landscape of cybersecurity, organizations increasingly rely on effective Cybersecurity Incident Response Teams (CSIRTs) to detect, respond to, and mitigate security incidents. Key Performance Indicators (KPIs) play a crucial role in assessing the efficiency and effectiveness of CSIRT operations. This half-day training class is designed to empower CSIRT professionals with the knowledge and skills to develop, implement, and leverage KPIs for enhanced incident response. The training will cover essential topics, including:

    1. Understanding CSIRT Objectives: Participants will gain insights into the core objectives of a CSIRT and how KPIs align with these goals. A comprehensive overview will be provided to establish a foundation for KPI development.
    2. Identification and Selection of Relevant KPIs: Explore a range of KPIs applicable to CSIRTs, considering factors such as incident detection, response times, and containment effectiveness.
    3. Metrics and Measurement Techniques: Delve into the methodologies for measuring KPIs accurately. Participants will learn how to define and collect relevant metrics.
    4. Establishing Baselines and Targets: Understand the significance and pitfall of setting baselines and realistic targets for KPIs. Practical examples and case studies will be discussed to illustrate how organizations can benchmark their CSIRT performance.
    5. Visualization and Reporting: Learn effective ways to present KPI data through visualizations and reports.

    Following this training, participants have additional knowledge and tools to help establish a KPI framework tailored to their CSIRT's objectives. This class provides a opportunity for CSIRT professionals to enhance their skills, optimize their operations, and contribute to the overall security posture of their organizations.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30

  •  PLTLP:CLEAR

    MWDB, Karton & more: Build your own malware analysis pipeline using open source tools

    Paweł Srokosz is a security researcher and a malware analyst at CERT.PL, constantly digging for fire and doing reverse engineering of ransomware and botnet malware. Main developer of CERT.pl open-source projects for malware analysis automation: MWDB Core and Karton. Free-time spends on playing CTFs as a p4 team member.

    Michał Praszmo is a Jack of all trades, and master of none at cert.pl. Busy doing everything that needs to be done at a national CERT - ranging from software engineering to reverse engineering and APT tracking.

    Jarosław Jedynak likes sysadm, high-level, software engineering, low-level, reverse engineering, cryptography, algorithms, math, death metal and cats. He plays CTFs with p4.

    Throughout the many years of our malware analysis in CERT.PL, we have tried many different approaches to automating our workflows. Through trial and error we figured out which approaches work and which will never see the light of day.

    The result was the publication of a set of tools a few years ago that we still use and improve in our everyday malware endeavors. We are very proud of the outcome and would like to present the way that those tools can be linked together to form a mature malware analysis platform.

    The workshop will provide practical hands-on introduction to all aspects of the platform:

    • mwdb.cert.pl: Community-based online service for analysis and sharing of malware samples. The service is freely available to a white-hat researchers and provides fully-automated malware configuration extraction and botnet tracking.
    • MWDB Core: Self-hosted repository of samples and all kinds of technical information related to malware configurations.
    • karton: Microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of time on adapting workflows to the karton framework.
    • mquery: Our custom YARA query accelerator. We will show how it can be bundled together with MWDB to allow researchers to search across huge malware datasets in a blink of an eye.

    All components are open source and available on our GitHub: https://github.com/CERT-Polska/ Most of the practical tasks in the training will be based on the open access materials we maintain: https://training-mwdb.readthedocs.io/

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30

  •  GB CHTLP:CLEAR

    Ransomware Empowerment

    Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and long time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code, papers, and taking long walks in nature.

    While his bio is serious; he hates writing bios in the third person, and once placed second in an Eireann Leverett impersonation contest.

    Nadia Meichtry has been working as a DFIR specialist at Oneconsult for the last 3.5 years, where she regularly deals with cyber incidents, including ransomware. She holds a Masters in Digital Forensics and several SANS certifications. She joined the FIRST Multi-Stakeholder Ransomware SIG in 2022. She was a speaker at secIT digital by Heise in 2023 and has also written articles on malware analysis for iX (German magazine).

    How to prepare for and handle ransomware attacks, thereby increasing your cyber resilience? This is what our full-day introductory training is all about:

    • What is ransomware?
    • How bad is it?
    • What do current attacks look like?
    • What are the risks to keep an eye on?
    • Who should be involved?
    • How to prepare for & protect against ransomware attacks?
    • How to handle ransomware attacks?
    • Common mistakes compared to other kinds of attacks
    • Focus on the first hours of incident management & incident response
    • Key points on recovery
    • Takeaways on negotiating

    You will benefit from the experience of the FIRST Multi-Stakeholder Ransomware SIG members with real ransomware cases.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  •  NZTLP:CLEAR

    What do I say? A framework for communicating during an incident

    Hadyn Green is a Senior Communications Advisor for CERT New Zealand. His main role is media and public communications. Prior to this he was a technology and business journalist, covering many cyber attacks over the years. This gave Hadyn the perspective of knowing what journalists and the public are wanting from reports about cyber incidents.

    Anyone can be caught flatfooted and speechless in a cyber incident: from small organisations with little-to-no communications experience, to large ones with full comms teams.

    Do you put out a press release? What should you say to your staff? Who do you have to report to first? How much info do you want to give out?

    CERT New Zealand has developed a simple framework for running communications during a cyber incident and made it available as a resource on its website alongside templates and guides.

    This session will run attendees through the basics of the framework and giving concrete examples on how to communicate various stakeholder groups and, importantly, what to avoid.

    Following this, attendees will join to work through a collaborative tabletop scenario, putting their skills to work.

    June 9, 2024 13:30-15:30, June 9, 2024 15:45-18:00