Training Program Agenda

Dr. Tadas Jakštas, a cybersecurity capacity building expert with a lot of experience in managing international security and defence projects. Prior to joining NRD Cyber Security, Tadas worked at NATO Energy Security Centre of Excellence where he has been responsible for projects related to critical infrastructure protection, crisis management and industry systems cybersecurity. He has also worked at NATO Allied Command Transformation (ACT) as a coordinator of international defence capability building projects as well as on various EU cyber and energy security projects. Živilė Nečejauskaitė is a seasoned communication specialist with 13 years of experience, half of which focuses on cybersecurity. She specializes in impact, change, and crisis communication. Živilė's expertise includes media engagements, public relations, and coordinating communication strategies. Her professional experience spans across Lithuania, the UK, and Sweden, in both public and private sectors.

This one-day training course is designed for incident response professionals who want to strengthen their ability to adapt and respond effectively to evolving cyber threats. Balancing both national and organizational perspectives on cyber crisis management, the program emphasizes operational resilience. It focuses on building operational resilience by enhancing your capacity to detect, contain, and recover from cyber incidents with precision and confidence. The program covers advanced detection techniques, coordinated response planning, clear crisis communication, and adaptive recovery strategies – the core elements for maintaining stability in high-pressure situations. Through expert-led discussions, real-world case studies, and hands-on simulations, you’ll refine the technical and strategic skills needed to stay ahead of threats, ensure rapid recovery, and reinforce your organization’s overall cyber resilience. The training will not only provide practical examples, the participants will go through a real-case scenario practice at the end of the session.

Vishal Thakur is a cybersecurity leader, researcher, and educator with over 13 years of experience in global Security Operations and Incident Response. He currently serves as a Regional Manager of CSIRT at a major BigTech company, leading detection, response, and threat intelligence operations across the Asia–Pacific region.

Vishal is internationally recognized for his work in AI Security, specializing in adversarial machine learning, large language model (LLM) threats, and the defense of AI-driven systems in production environments. He has developed and delivered advanced trainings such as AI Security: Foundations and Practical Attacks, Fortifying AI, and AI Threat Simulation & Red-Teaming — presented at premier global conferences including DEF CON, Black Hat, FIRST, x33fcon, among others. His research spans adversarial attacks, prompt manipulation, and the intersection of AI, automation, and cybersecurity resilience.

In addition to his AI and research contributions, Vishal has

This hands-on training introduces participants to the fundamentals of AI Security through an interactive attack–defend structure, with a deliberate focus on threats that go beyond prompt injection. Attendees will explore the full attack surface for both classical ML and modern LLM-driven systems — from data poisoning, model evasion, and model extraction to instruction-tampering, adversarial prompt engineering, and supply-chain attacks that alter model behavior at training or RLHF stages.

Each offensive exercise is paired with a defensive lab so participants can immediately test mitigation strategies that move past simple input sanitization: provenance tracking, API-level controls, behavior shaping during RLHF, logging and detection for instruction tampering, and robust evaluation/red-teaming pipelines. Using hands-on labs and frameworks such as MITRE ATLAS, participants will learn to reproduce, detect, and defend against a broad spectrum of AI threats affecting both image/text models and LLMs in deployed services.

By the end of the course, participants will have built, attacked, and defended their own models and prompt stacks, and will leave with practical patterns to secure AI systems in operational environments.

Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).

Cloud Computing is not trendy anymore, now is part of our daily life as Security Professionals whether we want it or not. The challenge I see everywhere I go is that most cloud security training is a bunch of theory with little technical knowledge behind, which are good for an overview but lack the juice needed for an Engineer or Operational Standpoint. The objective of this training is to provide hands on knowledge, learning by doing.

So, how does it go?

Phase 1: Setting the Lab

Well, I’m going to start by explaining the very few fundamental knowledge they need to have to start their cloud journey, but from a need to know perspective:

• Share Responsibility Model;
• Cloud Segmentation and Regions;
• Fundamental AWS Services;
• Management Plane / Identity and Access Management;
• Cloud Networking Fundamentals;
• Cloud Compute Fundamentals;
• Cloud Storage Fundamentals;
• Infrastructure as Code.

The key part here is the last bullet, infrastructure as code. Why? Because infrastructure as code allows us to have granular control on what we build, what we change and force us to actually be aware of the dependencies that most of the time are handled automatically by the cloud provider when using the GUI. This is critical for a security perspective and to build a cost-effective home lab.

Then, I’m going to demonstrate the first hands on lab, that will consist on:

• Create an AWS Account
• Get AWS Credentials
• Set the AWS Credentials in a workstation
• Quick walkaround in the Console
• Install Terraform
• Set Terraform up in a workstation
• Build the first Terraform code block to build an IAM User.

Knowing this, the attendees will be more familiar with the challenge, and we can go through the second demonstration when we can build something more complex, a Server, using the AWS Free Tier. For us to complete the task, we will need to create with terraform:

• A complete network infrastructure, VPC, Subnets, Security Groups, Route Tables, etc.
• A SSH Key Pair
• The Server Components
• The Server

After these steps, I’ll show them how they can destroy the implementation when they are not using it, and how they can rebuild the lab whenever they need to.

Phase 2: Adding Security

After the creation of the lab, we are going to start doing cloud security with it. So I’m going to explain the theoretical concepts of:

• Cloud Security Fundamentals
• Hardening and Best Practices of AWS Services
• IAM Best Practices for Least Privilege
• Cloud Security Operations Fundamentals
• Logging API Calls in AWS - Cloudtrail
• Security Detection in AWS - Guardduty
• Other Log Sources - ALB / WAF / VPC Flow Logs / ETC
• Introduction to Cloud Forensics

Then we are going to replicate this in the lab, to create.

• An S3 Bucket, and harden it
• A Cloudtrail Trail
• A Guardduty Detector
• A Security Hub Collector
• VPC Flow Logs to the bucket

Then, as a closing demonstration I’ll show them basic attacks to AWS for them to understand how they can get Guardduty Security detections, Cloudtrail Logs and how you should proceed for an investigation in case of a Security Incident.

Requirements: Participants should have the following ready before the training:

• AWS Free Tier account ready
• AWS CLI installed
• Terraform installed
• GitHub account for cloning lab repos

An email with detailed setup instructions will be sent beforehand.

Provided Material:

• Github Repository with the solution to the workshops
• Extra exercises to extend your lab

Final Notes This training is designed for security engineers, SOC analysts, incident responders, and anyone who wants to truly understand AWS security through hands-on work. By the end of the session, you’ll have a fully functional personal AWS security lab you can extend and reuse for further learning. Full Agenda:

• Phase 1: Building the Lab

  • Title 1: Cloud Theory (30 Mins)

  • Share Responsibility Model;

  • Cloud Segmentation and Regions;

  • Fundamental AWS Services;

  • Management Plane / Identity and Access Management;

  • Cloud Networking Fundamentals;

  • Cloud Compute Fundamentals;

  • Cloud Storage Fundamentals;

  • Infrastructure as Code.

  • Title 2: AWS Hands On 101 (15 mins + 30 mins hands on)

  • Create an AWS Account

  • Get AWS Credentials

  • Set the AWS Credentials in a workstation

  • Quick walkaround in the Console

  • Install Terraform

  • Set Terraform up in a workstation

  • Build the first Terraform code block to build an IAM User.

  • Title 3: Lab Building (30 mins + 30 mins hands on)

  • A complete network infrastructure, VPC, Subnets, Security Groups, Route Tables, etc.

  • A SSH Key Pair

  • The Server Components

  • The Server

• Phase 2: AWS Security Fundamentals (30 mins)

  • Title 1: Theory

  • Cloud Security Fundamentals

  • Hardening and Best Practices of AWS Services

  • IAM Best Practices for Least Privilege

  • Cloud Security Operations Fundamentals

  • Logging API Calls in AWS - Cloudtrail

  • Security Detection in AWS - Guardduty

  • Other Log Sources - ALB / WAF / VPC Flow Logs / ETC

  • Introduction to Cloud Forensics

  • Title 2: Advanced Lab Building (15 min + 30 mins hands on)

  • An S3 Bucket, and harden it

  • A Cloudtrail Trail

  • A Guardduty Detector

  • A Security Hub Collector

  • VPC Flow Logs to the bucket

  • Title 3: Introduction to Attack and Defense (30 mins):

  • Basic AWS attack

  • AWS Security Detection with Guardduty

  • Incident Response

  • Forensics with Cloudtrail

Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).

Cloud platforms like Amazon Web Services (AWS) are foundational to many critical infrastructures and enterprise applications, making them prime targets for attackers. In this session, we will not only explore the most relevant attack vectors cybercriminals use to compromise AWS infrastructures but will also simulate these attacks using known threat actor techniques in an adversary emulation context. From initial access to hardcore persistence, this talk will provide a comprehensive look at how attackers operate in AWS environments.

We will take a technical journey through the tactics, techniques, and procedures (TTPs) employed by attackers at every stage of the threat lifecycle, aligned with the MITRE ATT&CK framework. We’ll start by reviewing common methods of initial access, such as exploiting exposed credentials or vulnerabilities in services like IAM, Lambda, and EC2. From there, we’ll detail how attackers escalate privileges, move laterally, and evade detection from tools like CloudTrail.

The session will conclude with an in-depth look at advanced persistence techniques in AWS, including the manipulation of IAM policies, backdooring Lambda functions or Docker containers, and tampering with logs. Along the way, we’ll demonstrate how security teams can implement defensive and detection strategies to mitigate these risks. By leveraging AWS-native services and third-party tools, attendees will learn how to enhance their incident response capabilities.

This hands-on workshop will give attendees practical, technical insights into AWS security, adversary behavior, and how to better defend against sophisticated, persistent attacks. With only two slides and full hands-on experience, this talk ensures deep technical immersion. Requirements:

• Participants should have the following ready before the training:
• AWS CLI installed
• Terraform installed
• GitHub account for cloning lab repos
• Knowledge of AWS Security Fundamentals

An email with detailed setup instructions will be sent beforehand.

Provided Material:

• Github Repository with the solution to the workshops

Final Notes This training is designed for security engineers, SOC analysts, incident responders, and anyone who wants to truly understand AWS security through hands-on work. By the end of the session, you’ll have a deep understanding on how real attack and defense techniques work in AWS, being able to understand the hardening requirements, replicate attacks, generate detection use cases, and execute forensic techniques.

Full Agenda:

• Phase 1: Attacking The Cloud

  • Title 1: From Initial Access to Privilege Escalation (30 Mins + 30 min hands on)

  • Understanding AWS IAM in full

  • Lateral Movement with IAM

  • Malware Analysis of Team TNT Infostealer

  • Getting Credentials from Missconfigurations

  • Privilege Escalation via IAM policies

  • Privilege Escalation via IAM Roles

  • Privilege Escalation via Exec to Instances and Containers

  • Title 2: From Defense Evasion to Persistence (30 mins + 30 mins hands on)

  • Getting Blindspots in the Share Responsibility Model

  • Bypassing Guardduty

  • Understanding how Cloudtrail logs work

  • Tampering Cloudtrail without getting caught

  • Living on the land Techniques

  • Persistence in AWS via SSH implant

  • Persistence in AWS via lotl

• Phase 2: The Blue Team Way

  • Title 1: Security Detection in AWS (30 min + 30 mins hands on)

  • Cloudtrail for API Call Logging

  • Understanding the complete supply chain

  • SIEM Integration and Detection Use Case Creation

  • Understanding the Delays in SIEM integration

  • Understanding Event Bridge for Automated Response

  • Hardening Best Practices

  • Title 2: Incident Response in AWS (30 min + 30 mins hands on)

  • Using the Cloudtrail Digest to detect tampers

  • Creating an Athena table for Cloudtrail Analysis when SIEM Fails

  • Using Event History as a last resource

  • Forensic Images of EC2 instances

  • Network Isolation of AWS instances

  • AWS Threat Hunting 101

  • How to detect persistence in AWS

Biographies for the presenters are in the attached file.

This workshop is designed to enhance the communication skills of incident response and security analysts, so they can confidently and competently relay key messages to business stakeholders during a cyber crisis. No prior experience of qualifications is needed, as it will provide attendees with advice and recommended best practice, as well as the opportunity to practice communications in a safe environment. Ultimately, the session will immediately enable and equip incident responders with the tools to proactively and consciously develop their own effective communication capability.

High Level Goals • Raise awareness of the value and direct benefit associated with effective communication • Understand key requirements for meaningful communication • Learn how to organise and tailor information based on the intended audience • Develop a clear message to convey; supporting that message with facts and ensuring expectations are managed • Determining the best method for communicating and making the most of existing tools • Learn to use AI effectively to help formulate the message and enhance presentation materials

This workshop is a combination of lecture, hands-on construction of a briefing using data from a sample incident and practiced delivery.

This workshop was presented at FIRST in Montreal in 2023 and the OCSC conference in 2024 with very positive feedback.

[more detail in the attached file]

Vilius Benetis is cybersecurity capacity building expert, who leads a team of experts to consult, establish, and modernise CSIRT/SOCs for governments, organisations, and sectors in Africa, Asia, Europe, and Latin America. He is an active contributor to the development of cybersecurity methodologies for ENISA, FIRST.org, GFCE and ITU. He is official global Ambassador of CIS Controls.

The success of CSIRT/SOCs often depends on how well the team is managed. This training is one of the few available that specifically targets CSIRT/SOC managers, inspiring, motivating, and upskilling them while fostering friendships with other CSIRT/SOC managers. The training is intended for current and future senior and mid-level managers of CSIRTs, SOCs, ISACs, and PSIRTs. The training's objective is to provide time for reflection and collective work on the daily questions and concerns of CSIRT/SOC managers, including KPIs, improving clarity in mandates and strategies, managing stakeholders ,developing processes, and achieving process maturity. There will be dedicated time to build relationships between managers and support each other through discussions. This training is an add-on edition of a similar, well-evaluated training delivered at previous FIRST events.

Cybersecurity professional with a background in electronic engineering and several industry-recognized certifications. 20+ years of teaching experience at the most prestigious universities in Argentina. 4 published books and +15 peer-reviewed research papers. Has worked in the public and private sectors, including regional roles in global companies.

Traditional defenses often fall short against sophisticated threats. This course teaches participants how to turn threat intelligence into action by combining proactive hunting with deception operations. Through a mix of theory, labs, and team exercises, students will learn how to analyze adversary TTPs, translate them into hunt opportunities, and design deception campaigns that disrupt and expose intruders. Participants will investigate APT activity and map deception opportunities from MITRE ENGAGE using a realistic scenario. They will also understand when and where to use deceptive tactics, such as tokens, honey services, and breadcrumbs. Students will conclude by designing and evaluating deception scenarios integrated into a cybersecurity strategy. By the end of the course, participants will have a repeatable methodology for blending CTI, hunting, and deception into their organization’s defenses.

Michael Hamm has been working professional in the fields of computer- and network security for more than 25 years. Since 2010, he has been working as an operator and analyst at CIRCL – Computer Incident Response Centre Luxembourg where he is working on forensic examinations and incident response.

Forensics Analysts heavily rely on there collection of forensics tools. But if the tools fail, like giving back mo or even wrong results, the analyst need to have the capability to understand what is going on. The analyst need the capability to read and understand the data on binary (hexadecimal) level.

This training will tech the attendees what they have learned at school and already forgotten. This training will tech the attendees what they have learned during their studies and already forgotten.

This training will start with a little demo. Different tools produce different output. Than we will:

1. Read a stream of Bit
2. Apply addressing to it
3. Learn to interpret values like integer, signed integer or ASCII
4. Be able to convert a little endian value into a big endian
5. Apply a data structure on the data
6. Recover data manually

At the end of the training the attendee will be able to read a MBR/BootSector and read the partition table manually.

Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Lindsay is an internationally-recognized cybersecurity speaker and author. She is the author of the book Dissecting the Dark Web, to be published by No Starch Press in February 2026. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

Gabriel Cirlig - Software developer turned rogue, went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye for everything shiny and new. For a couple of years I’ve shifted gears and started my career as a security researcher while speaking at various conferences (SAS, AVAR, PHDays) in my free time showcasing whatever random stuff I hacked. With a background in electronics engineering and various programming languages, I like to dismantle and hopefully put back whatever I get my hands on.

Oh no, your infrastructure is getting attacked and worsening by the day. The attacks seem highly coordinated, but where do you even begin when trying to hunt down the attackers? Roll up your sleeves and get ready to slip down the rabbit hole into the shadowy corners of the internet. In this 4 hour, one-of-a-kind OSINT and large-scale data-collection workshop, we'll show you how to become the cyber-sleuth you never knew you could be - minus the trench coat and fedora (unless that's your style). We'll demystify the Dark and Dark Web, debunk those spooky legends, and give you tips and tricks to keep a low profile. We'll arm you with cunning tactics for safe lurking in onion-land, navigating sneaky marketplaces, and scraping massive heaps of intel while also staying legal! Expect a healthy dose of humour and enough practical know-how to impress your pet goldfish—and give you something to talk about while you wait for the next season of Love Island. Get ready to dive deep, stay safe, and come out the other side a certified data-diving rockstar!

Armins Palms is the Incident Response Team Manager at CERT.LV, Latvia’s national and governmental CSIRT. He leads the national incident response efforts and is the author of several key cybersecurity projects, including the National DNS Firewall — a service actively used across Latvia — and an intelligence platform for monitoring activity on Telegram, among others.

Armins is also a developer and instructor for multiple hands-on technical workshops, such as “DNS Openshield”, where participants gain practical skills to build their own DNS Firewall services using open-source tools. He is the author of the “LearnDocker” tutorial, designed to teach the fundamental concepts of Docker and containerization.

His latest course, “Let’s Automate RTIR”, is developed for the cybersecurity community and professionals working with RTIR. The workshop helps participants extend RTIR’s capabilities through automation and integration, making daily inc

There are many ticketing systems available to help manage and oversee the daily work of an Incident Response (IR) team. Among them, RTIR (Request Tracker for Incident Response) is one of the most widely used systems by CERT and CSIRT teams. It offers extensive functionality, including support for manual scripting. However, to truly extend RTIR’s capabilities, it’s often necessary to go beyond the standard interface and leverage its API.

In this workshop, you will learn how to enhance RTIR through automation and integration. Using the RTIR API, you will explore how to:

• Prepare RTIR for automation
• Parse and process incoming events
• Automate routine tasks within RTIR
• Enrich tickets with data from external sources
• Integrate RTIR with external tools such as Mattermost

This hands-on course is designed for beginners and provides the foundational knowledge needed to automate and extend RTIR. By the end of the workshop, participants will be equipped with the skills to customize and automate their organization’s RTIR environment to better suit their needs.