36TH Annual FIRST Conference BRIDGING SECURITY RESPONSE GAPS

Training Program Agenda

The agenda is subject to change. Agenda times are shown in Fukuoka local time.

About TLP Designations

If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees at https://www.first.org/conference/2023/registration-terms.

Meetings notated with "invite-only" or "invitation only" are private meetings.

Registration & Fees

Training is a separate activity from the annual conference and requires a standalone registration. You do not need to attend the annual conference to register for training. Training registration includes:

  • Two coffee breaks
  • Buffet lunch
  • Entry to the Sunday evening Conference Welcome Reception
  • Applicable training materials

Training is not available as a virtual option.

Fees:

  • Member: US $300.00
  • Non-member and Liaison: US $500.00

Each training track is a FULL DAY (08:30-17:30) commitment.

Register for Training

Sunday, June 9th

07:00 – 08:30: Registration

08:30 – 10:00
  • Track 1: (Advanced) Purple Teaming - BlueTeam Edition. Stephan Berger (InfoGuard AG, CH). TLP:CLEAR
  • Track 2: CSIRT/SOC Manager Improvement Training. Vilius Benetis (NRD CIRT, LT). TLP:GREEN
  • Track 3: Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques. In Ming Loh (CrowdStrike, SG); Wei Chea Ang (Fireblocks, SG). TLP:GREEN
  • Track 4: KPIs for CSIRTs. Logan Wilkins (Cisco, US). TLP:CLEAR
  • Track 5: MWDB, Karton & more: Build your own malware analysis pipeline using open source tools. Jarosław Jedynak, Paweł Srokosz (CERT.PL, PL). TLP:CLEAR
  • Track 6: From Threat Intelligence to Threat Hunting: A Practical Approach. Fernando Diaz Urbano (VirusTotal, US). TLP:CLEAR
  • Track 7: Ransomware Empowerment. Éireann Leverett (Concinnity Risks, GB); Nadia Meichtry (Oneconsult, CH). TLP:CLEAR

10:00 – 10:15: Coffee Break

10:15 – 12:30
  • Track 1: (Advanced) Purple Teaming - BlueTeam Edition. Stephan Berger (InfoGuard AG, CH). TLP:CLEAR
  • Track 2: CSIRT/SOC Manager Improvement Training. Vilius Benetis (NRD CIRT, LT). TLP:GREEN
  • Track 3: Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques. In Ming Loh (CrowdStrike, SG); Wei Chea Ang (Fireblocks, SG). TLP:GREEN
  • Track 4: KPIs for CSIRTs. Logan Wilkins (Cisco, US). TLP:CLEAR
  • Track 5: MWDB, Karton & more: Build your own malware analysis pipeline using open source tools. Jarosław Jedynak, Paweł Srokosz (CERT.PL, PL). TLP:CLEAR
  • Track 6: From Threat Intelligence to Threat Hunting: A Practical Approach. Fernando Diaz Urbano (VirusTotal, US). TLP:CLEAR
  • Track 7: Ransomware Empowerment. Éireann Leverett (Concinnity Risks, GB); Nadia Meichtry (Oneconsult, CH). TLP:CLEAR

12:30 – 13:30: Lunch Break

13:30 – 15:30
  • Track 1: (Advanced) Purple Teaming - BlueTeam Edition. Stephan Berger (InfoGuard AG, CH). TLP:CLEAR
  • Track 2: CSIRT/SOC Manager Improvement Training. Vilius Benetis (NRD CIRT, LT). TLP:GREEN
  • Track 3: Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques. In Ming Loh (CrowdStrike, SG); Wei Chea Ang (Fireblocks, SG). TLP:GREEN
  • Track 4: What do I say? A framework for communicating during an incident. Hadyn Green (CERT NZ, NZ). TLP:CLEAR
  • Track 5: Cat and Mouse - Hunting for post compromise persistence in Linux server environments. Jurjen De Jonge (Ericsson, FI); Robert Byrne (Ericsson PSIRT, AU). TLP:GREEN
  • Track 6: AI Security Bootcamp - A Practical Guide On Securing AI Systems. Vishal Thakur (TikTok USDS, AU). TLP:CLEAR
  • Track 7: Ransomware Empowerment. Éireann Leverett (Concinnity Risks, GB); Nadia Meichtry (Oneconsult, CH). TLP:CLEAR

15:30 – 15:45: Coffee Break

15:45 – 17:30
  • Track 1: (Advanced) Purple Teaming - BlueTeam Edition. Stephan Berger (InfoGuard AG, CH). TLP:CLEAR
  • Track 2: CSIRT/SOC Manager Improvement Training. Vilius Benetis (NRD CIRT, LT). TLP:GREEN
  • Track 3: Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques. In Ming Loh (CrowdStrike, SG); Wei Chea Ang (Fireblocks, SG). TLP:GREEN
  • Track 4: What do I say? A framework for communicating during an incident. Hadyn Green (CERT NZ, NZ). TLP:CLEAR

15:45 – 18:00
  • Track 5: Cat and Mouse - Hunting for post compromise persistence in Linux server environments. Jurjen De Jonge (Ericsson, FI); Robert Byrne (Ericsson PSIRT, AU). TLP:GREEN
  • Track 6: AI Security Bootcamp - A Practical Guide On Securing AI Systems. Vishal Thakur (TikTok USDS, AU). TLP:CLEAR
  • Track 7: Ransomware Empowerment. Éireann Leverett (Concinnity Risks, GB); Nadia Meichtry (Oneconsult, CH). TLP:CLEAR

Session Details
  • (Advanced) Purple Teaming - BlueTeam Edition (TLP:CLEAR)

    Stephan Berger has worked in security for over ten years, now for over three years at the Swiss security company InfoGuard, where he leads the Incident Response Team. He is an active twitterer (@malmoeb), owns a Bachelor's in Computer Science and a Master's in Engineering, as well as various SANS certifications and the OSCP. He spoke at multiple conferences, including last year's FIRST conference.

    How can the bad guys breach our defenses so fast? In this training, we will touch on several advanced topics that will give you a better understanding of how attacks are carried out and how we can better protect ourselves against them.

    • Windows Credentials: The various forms of credentials and how they are used during authentication. We will learn how attackers can steal these credentials and move laterally with these credentials.
    • Active Directory: Advanced attacks like Abusing GenericALL / WriteDACL and Delegations
    • AV Evasion: It's easier than you might think
    • AMSI: Background and internals of the mighty Anti-Malware-Scan-Interface
    • Meet the Shellcode Runners: How to create malicious documents and files which will infect our lab machines
    • Process Injection: And how to stay under the radar once the infection occurred
    • Bypassing Applocker: If time permits, we will dig into the art of bypassing Applocker to learn how to protect it better.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  • AI Security Bootcamp - A Practical Guide On Securing AI Systems (TLP:CLEAR)

    Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specializing in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. He has presented his research at international conferences (BlackHat, DEFCON, FIRST, SANS DFIR Summit) and has also run training/workshops at BlackHat and the FIRST Conference. Vishal is currently working as Senior Director, Cyber Fusion Center at TikTok USDS. In past roles, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Centre with advanced threat analysis and developing DFIR tools, and was part of the Incident Response team at the Commonwealth Bank of Australia. For the past few years, Vishal has been involved in ML and AI security and has been researching this subject.

    Join our immersive AI Cybersecurity Workshop where participants will learn to build and secure a virtual lab for hands-on practice in protecting AI systems. Delve into the creation of realistic datasets and AI models, essential for simulating cyber threats. Explore the intricacies of injecting anomalies, introducing adversarial attacks, and labeling data for supervised learning scenarios. Gain insights into leveraging pre-existing models, custom model creation, and developing adversarial models for comprehensive security testing. The workshop guides participants in crafting detailed security scenarios, defining use cases, and understanding data flow to simulate real-world AI cybersecurity challenges. Through practical exercises, attendees will master techniques to safeguard AI systems, evaluate defense measures, and hone incident response skills. Elevate your expertise in AI cybersecurity through this dynamic workshop, equipping you to tackle evolving threats in the rapidly advancing landscape of artificial intelligence.

    June 9, 2024 13:30-15:30, June 9, 2024 15:45-18:00

  • Cat and Mouse - Hunting for post compromise persistence in Linux server environments (TLP:GREEN)

    Robert Byrne is a principal security specialist hosted in a global competence center for security within the Ericsson CTO office. Bringing over 17 years of experience in telecommunication engineering and information security, Robert holds cross-functional roles, spending his time performing vulnerability assessments and incident response activities that touch Ericsson's product and services portfolio. Robert holds a double degree in Engineering and Computer Science and is Offensive Security OSCP and (ISC)2 CISSP certified.

    Jurjen De Jonge is a Senior Security Specialist within Ericsson's Security Assurance organization. With a focus on offensive security, Jurjen performs assurance activities such as vulnerability and penetration testing on Ericsson's products and cloud services.

    In this workshop, participants will learn how to identify post-compromise persistence techniques used by threat actors within Linux server environments. Attendees will gain hands-on experience by exploring a diverse range of scenarios, from crypto-miner infections to state-sponsored campaigns.

    Best-in-class open-source tooling (such as osquery) will be used during hands-on exercises in which participants investigate compromised Linux systems in a lab environment.

    The content will be taught with a fundamentals-first approach, providing a foundation from which attendees can take away the concepts and apply them to their own detection tooling and incident response methodologies.

    June 9, 2024 13:30-15:30, June 9, 2024 15:45-18:00

  • CSIRT/SOC Manager Improvement Training (TLP:GREEN)

    Dr. Vilius Benetis is a member of NRD CIRT (@NRD Cyber Security), where he leads a team of experts to consult, establish, and modernise CSIRT/SOCs for governments, organisations, and sectors in Africa, Asia, Europe, and Latin America. He is an active contributor to the development of CSIRT/SOC-related methodologies for ENISA, FIRST.org, and ITU.

    This training is for CSIRT or SOC managers, mid-level managers and aspiring managers.

    The CSIRT/SOC Manager Improvement Training covers 4 topics:

    1. Mandate and Strategy Clarification
    2. Manager's Time Allocation and priorities
    3. KPIs
    4. Annual Reporting

    CSIRT/SOC success often depends heavily on how well the team is run by its management. This training is one of very few available that specifically targets CSIRT/SOC managers, aiming to inspire, motivate, upskill, and foster friendships with other CSIRT/SOC managers. The training is for current and future senior and mid-level managers of CSIRTs and SOCs. Its objective is to spend a full day reflecting on and collectively working through a CSIRT/SOC manager's daily questions and concerns, including KPIs, annual report writing, clarifying mandate and strategy, and the manager's time planning and allocation. Time will be dedicated to building relations between managers, discussing and supporting each other.

    In 2023 it was run at 3 FIRST events (Bilbao, Kigali, Montreal), totaling more than 160 course participants, with very positive reviews.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  • Demystifying Threat Actors TTPs in AWS: Introduction to Threat Detection Techniques (TLP:GREEN)

    In Ming Loh is a principal consultant at CrowdStrike, where he focuses on incident response and technical assessment engagements with a focus on cloud. He has worked on several high-profile investigations involving both nation-state and eCrime threat actors across a wide range of industries.

    Wei Chea Ang currently works at a SaaS company, empowering enterprises to secure and manage their digital assets. With a focus on cloud security for the past 5 years, he has worked with various organizations, including tech startups and Fortune 100 companies.

    As organizations migrate their critical workloads into the cloud, it is critical for security teams to fortify their cloud environment against the modern threat actors targeting it. This introductory program is crafted to equip security teams with the foundational skills needed to effectively build out detection capabilities in AWS.

    You will learn:

    Common AWS Attacks: Explore real-world attack scenarios in AWS, covering tactics commonly used by threat actors ranging from unauthorized access to data exfiltration. This helps to gain insights into attack vectors and form a foundation for effective detection strategies in the AWS Cloud.

    What is CloudTrail: AWS CloudTrail is a cloud service that enables you to record and monitor activity within your AWS account. We will look into the essential fundamentals of AWS CloudTrail, gaining a comprehensive understanding of its role in enhancing security within AWS environments. We will cover the intricacies of configuring CloudTrail trails, allowing participants to tailor logging settings to capture specific events and activities.

    CloudTrail Log Analysis with AWS OpenSearch: Master the interpretation of AWS CloudTrail logs, extracting valuable insights from user activities, API calls, and resource changes. Learn to identify indicators of compromise, enabling proactive detection and response to security threats. Harness the power of native AWS tools like AWS OpenSearch to query CloudTrail logs. Develop skills to uncover patterns and anomalies, allowing for advanced analysis and actionable intelligence to enhance AWS security.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  • From Threat Intelligence to Threat Hunting: A Practical Approach (TLP:CLEAR)

    Fernando Diaz Urbano is a software engineer at VirusTotal. His experience involves analysis of banking trojans and development of automated binary analysis solutions. He also teaches binary instrumentation for UMA’s Malware Intelligence M.Sc. course. Fernando is the author of learnfrida.info, a free web resource for learning about binary instrumentation and its applications using the Frida toolkit.

    Threat hunting is one of the most powerful techniques for proactively uncovering and neutralizing threats. While it has traditionally been a blend of science and intuition, we have witnessed a surge of innovative tools and techniques that can significantly enhance its effectiveness. In this hands-on workshop, we will explore how to effectively use new and traditional techniques, including:

    • Identifying, monitoring and getting the full context of malicious campaigns
    • Effective semi-automated YARA generation
    • Netloc hunting
    • Similarity analysis
    • Understanding and leveraging AI engines for code analysis
    • Tackling large datasets

    Throughout the workshop, you will engage in practical exercises and real case studies, equipping both seasoned and new hunters with practical knowledge to find and monitor all kinds of real threats.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30

  • KPIs for CSIRTs (TLP:CLEAR)

    Logan Wilkins has over 25 years of software development and information security experience. He has worked in academic, research, and corporate settings, specializing in DevSecOps management, data science, and information security. In his current role, Logan manages Cisco's CSIRT Engineering Delivery team, which is responsible for Security Monitoring and Incident Response systems development, CI/CD processes, and Data Management. Logan is Co-chair of the FIRST Metrics Special Interest Group (SIG).

    In the rapidly evolving landscape of cybersecurity, organizations increasingly rely on effective Cybersecurity Incident Response Teams (CSIRTs) to detect, respond to, and mitigate security incidents. Key Performance Indicators (KPIs) play a crucial role in assessing the efficiency and effectiveness of CSIRT operations. This half-day training class is designed to empower CSIRT professionals with the knowledge and skills to develop, implement, and leverage KPIs for enhanced incident response. The training will cover essential topics, including:

    1. Understanding CSIRT Objectives: Participants will gain insights into the core objectives of a CSIRT and how KPIs align with these goals. A comprehensive overview will be provided to establish a foundation for KPI development.
    2. Identification and Selection of Relevant KPIs: Explore a range of KPIs applicable to CSIRTs, considering factors such as incident detection, response times, and containment effectiveness.
    3. Metrics and Measurement Techniques: Delve into the methodologies for measuring KPIs accurately. Participants will learn how to define and collect relevant metrics.
    4. Establishing Baselines and Targets: Understand the significance and pitfalls of setting baselines and realistic targets for KPIs. Practical examples and case studies will be discussed to illustrate how organizations can benchmark their CSIRT performance.
    5. Visualization and Reporting: Learn effective ways to present KPI data through visualizations and reports.

    Following this training, participants will have additional knowledge and tools to help establish a KPI framework tailored to their CSIRT's objectives. This class provides an opportunity for CSIRT professionals to enhance their skills, optimize their operations, and contribute to the overall security posture of their organizations.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30

  • MWDB, Karton & more: Build your own malware analysis pipeline using open source tools (TLP:CLEAR)

    Paweł Srokosz is a security researcher and a malware analyst at CERT.PL, constantly digging for fire and doing reverse engineering of ransomware and botnet malware. He is the main developer of CERT.PL's open-source projects for malware analysis automation: MWDB Core and Karton. In his free time he plays CTFs as a member of the p4 team.

    Jarosław Jedynak likes sysadm, high-level, software engineering, low-level, reverse engineering, cryptography, algorithms, math, death metal and cats. He plays CTFs with p4.

    Throughout our many years of malware analysis at CERT.PL, we have tried many different approaches to automating our workflows. Through trial and error we figured out which approaches work and which will never see the light of day.

    The result was the publication of a set of tools a few years ago that we still use and improve in our everyday malware endeavors. We are very proud of the outcome and would like to present the way that those tools can be linked together to form a mature malware analysis platform.

    The workshop will provide a practical, hands-on introduction to all aspects of the platform:

    • mwdb.cert.pl: Community-based online service for analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully automated malware configuration extraction and botnet tracking.
    • MWDB Core: Self-hosted repository of samples and all kinds of technical information related to malware configurations.
    • karton: Microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of the time on adapting workflows to the karton framework.
    • mquery: Our custom YARA query accelerator. We will show how it can be bundled together with MWDB to allow researchers to search across huge malware datasets in the blink of an eye.

    All components are open source and available on our GitHub: https://github.com/CERT-Polska/. Most of the practical tasks in the training will be based on the open-access materials we maintain: https://training-mwdb.readthedocs.io/

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30

  • Ransomware Empowerment (TLP:CLEAR)

    Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and a long-time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code and papers, and taking long walks in nature.

    While his bio is serious, he hates writing bios in the third person, and once placed second in an Éireann Leverett impersonation contest.

    Nadia Meichtry has been working as a DFIR specialist at Oneconsult for the last 3.5 years, where she regularly deals with cyber incidents, including ransomware. She holds a Master's in Digital Forensics and several SANS certifications. She joined the FIRST Multi-Stakeholder Ransomware SIG in 2022. She was a speaker at secIT digital by Heise in 2023 and has also written articles on malware analysis for iX (a German magazine).

    How do you prepare for and handle ransomware attacks, thereby increasing your cyber resilience? This is what our full-day introductory training is all about:

    • What is ransomware?
    • How bad is it?
    • What do current attacks look like?
    • What are the risks to keep an eye on?
    • Who should be involved?
    • How to prepare for & protect against ransomware attacks?
    • How to handle ransomware attacks?
    • Common mistakes compared to other kinds of attacks
    • Focus on the first hours of incident management & incident response
    • Key points on recovery
    • Takeaways on negotiating

    You will benefit from the experience of the FIRST Multi-Stakeholder Ransomware SIG members with real ransomware cases.

    June 9, 2024 08:30-10:00, June 9, 2024 10:15-12:30, June 9, 2024 13:30-15:30, June 9, 2024 15:45-17:30

  • What do I say? A framework for communicating during an incident (TLP:CLEAR)

    Hadyn Green is a Senior Communications Advisor for CERT New Zealand. His main role is media and public communications. Prior to this he was a technology and business journalist, covering many cyber attacks over the years. This gave Hadyn the perspective of knowing what journalists and the public want from reports about cyber incidents.

    Anyone can be caught flat-footed and speechless in a cyber incident: from small organisations with little-to-no communications experience, to large ones with full comms teams.

    Do you put out a press release? What should you say to your staff? Who do you have to report to first? How much info do you want to give out?

    CERT New Zealand has developed a simple framework for running communications during a cyber incident and made it available as a resource on its website alongside templates and guides.

    This session will run attendees through the basics of the framework and give concrete examples of how to communicate with various stakeholder groups and, importantly, what to avoid.

    Following this, attendees will work through a collaborative tabletop scenario, putting their skills to work.

    June 9, 2024 13:30-15:30, June 9, 2024 15:45-18:00