Program Overview

The FIRST Technical Colloquium (TC) event is restricted to FIRST members only and will be held in March 01-02, 2007.

Thursday, March 1^st
Plenary Session Day (March, 1st)
Friday, March 2^nd
Hands-On Class (March, 2nd)

Thursday, March 1^st

	Plenary Session Day (March, 1st)
09:00 – 09:30	US FIRST update Mike Caudill (Cisco PSIRT, FIRST Chairman, US)
09:30 – 10:30	CA MATH Lab - An essential for CIRT Disaster Recovery Gerard White (Aliant CSIRT, CA)
10:30 – 11:00	Coffee break
11:00 – 12:00	US Recent Experiences with Computer Forensics at OSU Steve Romig (OSU-IRT – Ohio State University, US)
13:00 – 14:00	US Means, Motivations and Mitigation of Insider Threats Fred Doyle ( iDefense Labs Director - Verisign, US); Roger Weiler (FSISAC Analyst - Verisign, US)
14:00 – 15:00	US Wicked Rose and the NCPH (Actor Attribution in China) Rick Howard (iDefense Intelligence Director - Verisign, US)
15:30 – 16:00	Coffee break
16:00 – 16:30	US NetExpect Eloy Paris (Cisco PSIRT, US)

Friday, March 2^nd

	Hands-On Class (March, 2nd)
09:00 – 10:30	US CVSS trainning Michael Scheck (Cisco CSIRT, US) US Malware analysis workshop Steve Romig (OSU-IRT – Ohio State University, US) CA MATH (Malware Analysis Treatment & Handling) LAB Gerard White (Aliant CSIRT, CA) Strategies for Executable Unpacking Joe Stewart (SWRX CERT) Tools and Methodologies for the Analysis of Windows Event Logs Dan Moor (EDS) US Windows Memory Analysis Harlan Carvey (IBM, US)
11:00 – 12:00	US CVSS trainning Michael Scheck (Cisco CSIRT, US) US Malware analysis workshop Steve Romig (OSU-IRT – Ohio State University, US) CA MATH (Malware Analysis Treatment & Handling) LAB Gerard White (Aliant CSIRT, CA) Strategies for Executable Unpacking Joe Stewart (SWRX CERT) Tools and Methodologies for the Analysis of Windows Event Logs Dan Moor (EDS) US Windows Memory Analysis Harlan Carvey (IBM, US)
13:30 – 15:30	US CVSS trainning Michael Scheck (Cisco CSIRT, US) US Malware analysis workshop Steve Romig (OSU-IRT – Ohio State University, US) CA MATH (Malware Analysis Treatment & Handling) LAB Gerard White (Aliant CSIRT, CA) Strategies for Executable Unpacking Joe Stewart (SWRX CERT) Tools and Methodologies for the Analysis of Windows Event Logs Dan Moor (EDS) US Windows Memory Analysis Harlan Carvey (IBM, US) Writing Good Security Advisories: A Hands-On Guide to Delivering Bad News in the Best Possible Way
16:00 – 17:00	US CVSS trainning Michael Scheck (Cisco CSIRT, US) US Malware analysis workshop Steve Romig (OSU-IRT – Ohio State University, US) CA MATH (Malware Analysis Treatment & Handling) LAB Gerard White (Aliant CSIRT, CA) Strategies for Executable Unpacking Joe Stewart (SWRX CERT) Tools and Methodologies for the Analysis of Windows Event Logs Dan Moor (EDS) US Windows Memory Analysis Harlan Carvey (IBM, US) Writing Good Security Advisories: A Hands-On Guide to Delivering Bad News in the Best Possible Way

US
CVSS trainning
Michael Scheck (Cisco CSIRT, US)
This class will first go over CVSS basics. Then have the participants score some test vulnerabilities and go over results. We will also cover the new version of CVSS and upcoming changes.

Estimated time: 2 hrs (morning and afternoon sessions)

Format: Students use their own laptops to run a .xls file to score vulnerabilities.
March 2, 2007 09:00-10:30, March 2, 2007 11:00-12:00, March 2, 2007 13:30-15:30, March 2, 2007 16:00-17:00
US
Malware analysis workshop
Steve Romig (Ohio State University, US)

We'll demonstrate and practice some techniques for dynamic analysis of malware by running it under vmware and creating a fake environment (DNS, WWW, FTP) for it to see what it does. We'll also discuss other aspects of incident response. We will be using an incident involving a backdoor program called Nethief as our case study.

Estimated time: 3 hrs (morning and afternoon sessions)

Format: Demonstration, though I'll be handing out CDs containing most of what would be needed to reproduce the analysis if people want to try it on their own.
March 2, 2007 09:00-10:30, March 2, 2007 11:00-12:00, March 2, 2007 13:30-15:30, March 2, 2007 16:00-17:00
CA
MATH (Malware Analysis Treatment & Handling) LAB
Gerard White (Aliant CSIRT, CA)
Are you responsible for the secure operation of many computing entities in a diverse network? Are you prepared with the proper tools and accessibility to handle security compromise incidents in a fast and efficient manner? In this class, we will cover how a basic Malware Analysis, Treatment & Handling (MATH) Lab could be your best ally in terms of analyzing, handling & treating a serious security incident.

Estimated time: 2 hrs (morning and afternoon sessions)

Format: Pure Lecture & Live Demo only... Because its live, there's always an element of uncertainty that can occur during the demo process.
March 2, 2007 09:00-10:30, March 2, 2007 11:00-12:00, March 2, 2007 13:30-15:30, March 2, 2007 16:00-17:00
Strategies for Executable Unpacking
Joe Stewart
Strategies for Executable Unpacking using OllyDbg. We will cover basics of how malware is packed, along with different approaches for manual unpacking of Windows executables using OllyDbg. Packed samples will be provided as a hands-on, but we won't be using live malware, only test executables. Students who wish to follow along need a laptop running Windows or at least running a Windows VM.

Estimated time: 3 hrs (only morning session)

Format: Demo but samples and tools will be provided for those who want to follow along on their laptop if they have Windows or a Windows VM.
March 2, 2007 09:00-10:30, March 2, 2007 11:00-12:00, March 2, 2007 13:30-15:30, March 2, 2007 16:00-17:00
Tools and Methodologies for the Analysis of Windows Event Logs
Dan Moor
This class will help develop an understanding of the Microsoft Windows Event Log and how to extract information from it. The presentation is hands-on, with an opening discussion of the basics of the Windows Event Log, its strengths and weaknesses, and a few cautions. Attendees then receive an in depth introduction to several tools for examining an event log; these include Log Parser, Windows Event Log Explorer and Event Comber. Following the introduction, attendees are encouraged to participate as the 'how' and 'when' to use each tool is discussed. Methodologies covered include multiple log analysis, dealing with corrupted logs, how to get a general idea of the entire situation and then to hone in on targeted events and users.

Estimated time: 3 hrs (morning and afternoon sessions)

Format: Mostly demonstrations with supplied tools and sample files for those who would like to follow along. Attendees are encouraged to participate and ask questions. Students will use their own laptops.
March 2, 2007 09:00-10:30, March 2, 2007 11:00-12:00, March 2, 2007 13:30-15:30, March 2, 2007 16:00-17:00
US
Windows Memory Analysis
Harlan Carvey (IBM, US)
This class will explore issues of Windows Memory Analysis and Registry Analysis.

Estimated time: 2 hrs (morning and afternoon sessions)

Format: The format of the class will be a presentation with demos and will cover topics on collecting and analyzing information.
March 2, 2007 09:00-10:30, March 2, 2007 11:00-12:00, March 2, 2007 13:30-15:30, March 2, 2007 16:00-17:00
Writing Good Security Advisories: A Hands-On Guide to Delivering Bad News in the Best Possible Way

Once a rare occurrence a decade ago, security advisories are now produced many times a day. For each one, there are multiple other companion advisories or commentaries produced in response, and each of those have slightly different information from different sources, are produced or collected at different times, and are written in different styles with different ultimate goals.

Is it any wonder that we are confused? And we are the experts!

The existing state of the art is complex and so are the products, but the goal of this hands-on class is simple: Find the common elements of advisory construction that are _good_, eliminate the _bad_, and develop a framework for producing better future advisories.

Estimated time: 3 hrs (afternoon session)

Format: The class will be consensus-led. The instructor will provide background and examples, propose one or more vulnerabilities to study, encourage discussion, and collate material contributed by the participants. Attendees are expected to contribute to discussion and commentary,
identify desirable and undesirable elements of advisories, compose (or help with composing) sections of text as a result of what has been
learned, and then develop rules for ensuring better content in future security advisories.

Laptops are recommended highly but are not required; pen and paper will be adequate. Attendees will compose some sections separately at the same time to compare with others, and at other times attendees will work in parallel on different sections of an advisory to be collated by the instructor.
Experience with more than one language will be valuable but is not required.

March 2, 2007 13:30-15:30, March 2, 2007 16:00-17:00

Program Overview

Thursday, March 1st

Friday, March 2nd

CVSS trainning

Malware analysis workshop

MATH (Malware Analysis Treatment & Handling) LAB

Strategies for Executable Unpacking

Tools and Methodologies for the Analysis of Windows Event Logs

Windows Memory Analysis

Writing Good Security Advisories: A Hands-On Guide to Delivering Bad News in the Best Possible Way

Thursday, March 1^st

Friday, March 2^nd