Birds of a Feather (BoFs) During Conference Week

What, When, and How to Participate

The following BoF sessions are scheduled to take place during conference week in Puerto Rico. We will have an up-to-date-schedule and bulletin board near the registration desk all week. Attendees are welcome to add their own BoFs to the bulletin board by first checking with the registration desk in order to receive a room assignment.

BoF Title When Room
Crimeware Mailing List Meetup Monday, 12 June 17:00-18:00 Conference 10
Academic Networks Monday, 12 June 17:00-18:00 Salon Del Mar A
PSIRT Tracking Tool Monday, 12 June 17:00-18:00 Salon Del Mar B
osquery Monday, 12 June 17:00-18:00 Auditorium
FIRST Trainers BoF Tuesday, 13 June 08:30-09:30 Auditorium
FIRST Membership Information Tuesday, 13 June 12:45-13:45 Salon Del Mar A/B
Cyber Threat Alliance (CTA) Wednesday, 14 June 17:00-18:00 Auditorium
Big Data Wednesday, 14 June 17:00-18:00 Salon Del Mar A
DDoS Attacks Wednesday, 14 June 17:00-18:00 Salon Del Mar B

Academic Networks

Liliana Solha (CAIS/RNP) and Sigita Jurkynaite (GEANT)

Most academic networks face similar problems, challenges and difficulties on regards to information security. However, currently there is no worldwide platform created specifically for NRENs (National Research and Educational Networks) or for academic networks security collaboration. The proposal of this BoF (Proposed SIG) is to create a new space for discussion in order to reflect on our collective experiences, focus on current challenges and envision strategies on how we could work together to improve security in academic networks. We believe that FIRST is the right organizational context for this group to be established.

Target deliverables:

Monday, 12 June 17:00-18:00 (Salon Del Mar A)

Big Data

Gavin Reid and Steve Mckinney (Cisco)

The amount of security-relevant data on the networks we protect is growing beyond the capabilities of traditional incident detection and response tools.  Evaluating and operationalizing the “big data” technologies capable of storing and analyzing data at scale requires technical depth uncommon to IR teams and is non-trivial and time consuming.  Teams need both the ability to deploy and store data in these technologies, and to use them to enable “playbooks” for detection and response. This BoF will leverage the collective knowledge of teams who have deployed scaled IR capabilities to share reference architectures.  It will also create containerized environments based on those architectures for teams that would like to get started. As a community, FIRST is uniquely situated to provide non-denominational best practices, based on live deployments of these systems, to resource constrained IR teams. The mission of this SIG is to provide a mechanism for sharing and implementing best practices for incident detection and response at scale.

Wednesday, 14 June 17:00-18:00 (Salon Del Mar A)

Cyber Threat Alliance (CTA)

This BoF session will be an interactive workshop between the Cyber Threat Alliance (CTA) and attendees with Michael Daniel (the CTA's President & CEO) and Derek Manky (Fortinet's CTA Steering Committee representative) facilitating the discussion. Some context and our BoF objectives are outlined below.

CTA is an industry initiative started in 2014 to enable cyber threat intelligence sharing among four large cybersecurity vendors. That effort has now grown into an independent organization with 11 public members and a cloud-based platform that facilitates near-real time threat sharing among members. The platform incorporates an algorithm that scores the incoming intelligence, weighting context over simple observables. CTA plans to leverage this platform to:

CTA membership is currently limited to private sector entities that can share cyber threat intelligence. However, we realize that for CTA to be successful, we must engage stakeholders across the ecosystem, especially the CERT community. Furthermore, we've had several CERTs reach out and want to partner with the CTA. But, to date, we have not yet defined what CTA-CERT partnerships should look like.

Attendees can expect a short overview of what is the CTA and why we are different — followed by an interactive discussion on how CTA can best partner with CERTs. Input and feedback are critical to defining a CTA-CERT partnership program that is mutually beneficial for both communities.

Wednesday, 14 June 17:00-18:00 (Auditorium)

DDoS Attacks

Vijay Sarvepalli and Art Manion (CERT)

DDoS attacks: what’s actually happening out there?
As DDoS attacks continue to grow larger and more frequent each year, they have also drawn more attention from both the media and security researchers. Often the public discussion of DDoS attacks focuses on the largest, the most interesting, the most disruptive, or most relatable events. For instance, the attack on Dyn in October 2016 received possibly more mainstream news coverage than any previous DDoS attack. This is likely both because of the event’s impact on regular Internet users, and because of the “hook” to the story: “Your own IoT devices may be part of a DDoS attack right now!” Similarly, security researchers often focus on the attacks that are most interesting to them, which may be driven by media coverage, or by how technically complex the attacks are—but these may not be the attacks that are causing the most trouble in the real world. We propose a BoF in which people who manage, operate, and secure networks can talk about what they’re actually seeing, which may not be reflected in the media and research coverage of DDoS attacks.

Potential topics of discussion:

  1. Have you been attacked? How often, how recently? Have you observed any trends in how likely you are to experience a DDoS attack now, versus 1-5-10-20 years ago?
  2. How large are the attacks you’re seeing? Do you see any growth trends?
  3. What kind of attack traffic are you seeing? Simple volumetric attacks, more sophisticated layer 7 attacks, something else?
  4. Do you feel capable of defending against the attacks you’ve seen recently? How successful are your defenses? Do you defend against attacks yourself, with the assistance of an upstream ISP, with the assistance of a commercial scrubbing service?

Wednesday, 14 June 17:00-18:00 (Salon Del Mar B)

FIRST Membership Information

FIRST Membership Committee

CSIRT Teams interested in applying to FIRST can attend this information session which will highlight the benefits of the membership in FIRST and how to apply.

Tuesday, 13 June 12:45-13:45 (Salon Del Mar A/B)

FIRST Trainers BoF

Thomas Schreck and Serge Droz (FIRST)

There will be a BoF for current and interested FIRST Trainers. Serge Droz and Thomas Schreck will give an overview on the FIRST training materials and the trainer process. Further we would like to feedback from current trainers on their experiences and brainstorm ways to improve both the training experience and materials.

Tuesday, 13 June 08:30-09:30 (Auditorium)


Doug Wilson (uptycs)

osquery ( is an open source endpoint technology created by Facebook.

osquery allows for the rapid querying of endpoints using SQL, and runs on a variety of platforms (Most modern versions of Linux, Mac, and Windows). The insight the responses to these queries gives can be used for security, operations, compliance, and more.

Initially released in 2014, the osquery project has gained great momentum in the past few years, with over 9,000 stars and 1,000 forks on github. Today, osquery is used by prominent internet companies to run facets of both security and operations programs, and those companies are constantly contributing back to the core project as it continues to evolve.

The goal of this BoF will be:

PSIRT Tracking Tool

Beverly Finch (Lenovo)

This BoF session will include a demo of a custom-built Jira solution that resolves one of a PSIRTs greatest challenges.

Monday, 12 June 17:00-18:00 (Salon Del Mar B)