Papers & Presentations

FIRST organizes and participates in many events per year, and lots of papers and presentations are offered. Annual Conference presentations are available to the public 6 months later, while Technical Colloquia presentations and papers are restricted to members only.

FIRST Members may view all the Technical Colloquia presentations when connected to the Members website.

  • 2010 FIRST Symposium, Hamburg

    January 25–27, 2010 — Hamburg, Germany

    • Building a CSIRT in an ITIL Driven Organization
    • CZ.NIC presentation
    • Delivering services in a user-focused way
    • Detecting and Analyzing Malicious PDF Files
    • DNS community efforts to enable Security Stability and Resiliency
    • GN3 Security Activities
    • Grid Security developments
    • Incident Response in a Collegiate University
    • Mass Malware Analysis: A Do-It-Yourself Kit
    • Security made in Luxembourg
    • Tales From the War Room
    • TRANSITS update

  • 21st Annual FIRST Conference on Computer Security Incident Handling

    June 28–July 03, 2009 — Kyoto,

    • A Railway Operators Perspective on the Lessons of the Great Hanshin-Awaji Earthquake
    • Analysis of the DDoS Attacks on Georgia & Estonia
    • Anti-Phishing Working Group and the Internet Policy Committee
    • Anti-bot Countermeasures in Japan
    • Architecting Systems of Systems for Response
    • Attacks Against the Cloud: Combating Denial-of-Service
    • CSIRT Modeling Architecture
    • Closing the Gap Between Network Policy Creation and Enforcement
    • Comprehensive Response: A Bird's Eye View of Microsoft Critical Security Update MS08-067
    • Content: The Next Generation of Incident Response
    • Contradictions in Current European Security Policy
    • Creating an End-to-End Identity Management Architecture
    • Deriving information from raw data: making business decisions with logs
    • Effective Software Vulnerability Discovery within a Time Constraint
    • Emerging Threats and Attack Trends
    • Establishing Collaborative Response to Abuse of the Domain Name System
    • Front Line Report: Fighting Against Malware in China
    • Handling Incidents from Honeypot data
    • How to Handle Domain Hijacking Incidents (Prevention, Investigation and Recovery)
    • In the Cloud Security
    • Incident Response For VOICE Services
    • Information Management and Economic Crisis
    • Information Security Exchange Formats and Standards
    • Information Security of the Beijing 2008 Olympic Games
    • Information Security one Character at a Time
    • Information Security's Third Wave
    • Initiatives to enhance Cyber Security
    • Internet Analysis System (IAS) Module of the German IT Early Warning System
    • Malicious Webpage Detection
    • Mashup Security & Incident Response Considerations
    • Measuring the Root Cause of Incidents
    • Missing Clues - How to Prevent Critical Gaps in Your Security Monitoring
    • More of What Hackers Don't Want You to Know
    • New Developments on Brazilian Phishing Malware
    • Proactively blacklisting Fast-Flux domains and IP addresses
    • Proprietary Data leaks: Response and Recovery
    • Recapturing the Wheel - Media Perspectives on Crisis and Recovery
    • Reconceptualizing Security
    • Security and the Future Generation
    • Show Me The Evil - A Graphical Look at Online Crime
    • The Incident Response and the Law Enforcement
    • The State of Internet Fraud and Crime and Useful Attempts to Battle the Miscreants
    • The Threat of Banking Trojans: Detection, Forensics, and Response
    • The essential role of the CSIRT in secure software development
    • Threat Response - Doing the right thing first time
    • To Be or Not To Be - An Incident Recovery Case Study
    • Tracking the who and why behind targeted, semi-targeted and widespread attacks
    • Trouble Ahead: Cyber Security Policy Developments - or the lack thereof
    • Update on Carrier Infrastructure Security Attacks
    • Windows Memory Forensics with Volatility

  • 20th Annual FIRST Conference on Computer Security Incident Handling

    June 22–27, 2008 — Vancouver, Canada

    • A Collaborative Approach to Anti-Spam
    • About the Security Pros and Cons of Server Virtualization
    • Applied Security Visualization
    • Automating Vulnerability Management in a Heterogeneous Enterprise
    • Barriers to CSIRTS cooperation with other CSIRTS and The CLOSER Project
    • Beyond a sensor: Towards the Globalization of SURFids
    • Building a no frills malware lab: How to construct a relatively inexpensive, yet effective, malware analysis lab for CIRTs
    • CERTification: Assessing CSIRT Maturity
    • Computer Forensics for Managers and IT Administrators - What you need to know
    • Creating and Managing Computer Security Incident Response Teams (CSIRTs)
    • Cyber Fraud Trends
    • Detecting Intrusions - The latest forensics tools and techniques to identify Windows malware infections
    • Efforts to Secure Electronic Financial Transactions
    • Emerging Economies: The Vulnerability Market
    • Enabling End-to-End Trust
    • Event Correlation for Early Warning Systems
    • FMC (Fixed Mobile Convergence) - What About Security
    • GridCERT Services - Modification of traditional and additional new CERT Services for Grids
    • Has Pakistan stolen your traffic lately? Threats to Internet Routing and Global Connectivity
    • Identifying network scanning tools
    • Incident Handling around the world in 80 ms. (Well not really that fast)
    • Incident Management Mission Diagnostic (IMMD) Method
    • Insecurity
    • Inside a BBB Malware Scheme - Mapping and Dissecting Attacker Infrastructure
    • Intellectual Property Loss in the Global Marketplace
    • International Privacy & Security Compliance - Navigating the Maze
    • Internet Law Update 2008
    • Malcode Analysis Techniques for Incident Handlers
    • Malicious Websites on the Chinese Web: Overview and Case Study
    • Malware Without Borders - Multi-Party Response
    • Managing Security & Privacy Incidents in the Health Care Environment
    • Matrix, a Distributed Honeynet and its Applications
    • Models and Experiences for National and International Information Sharing
    • National spam monitoring network
    • Practical RFID hacking without soldering irons (or Patent Attorneys)
    • Public and Private Collaboration for Improved National Cyber Security
    • Push-Email in the Enterprise. Is it BlackBerry, WindowsMobile or Symbian?
    • Putting private and government CERTs to the test
    • Responding to Security Incidents: Are Security Tools Everything You Need?
    • SCADA Security - Who Is Really In Control of Our Control Systems?
    • Safely Sharing Data Between CSIRTs for Collaborative Security: The SCRUB* Anonymization Tool Infrastructure
    • Safety and Security of Networked LANs in Aircraft
    • Securing Wiki-Style Technology in the Global Enterprise: The Competing Tensions of Privacy Law and Distributed Collaboration
    • Security Breaches: To Disclose or not to Disclose
    • Security Testing: Moving Beyond the Penetration Test
    • Security and Education - Bringing it all Together
    • Semantic Potential of Existing Security Advisory Standards
    • Spotspam - Tackling Spam at New Frontiers
    • System, Network and Security Log Analysis for Incident Response
    • Tales from the dark. Diary of a compromised Windows Vista
    • Techies Can Communicate Too!
    • The Dark Future of Desktop Security and How to Stop It
    • The Easiest Score on the Internet - PII and corporate secrets for the taking on P2P file sharing networks.
    • The Enterprise's Role in Protecting Critical Infrastructures
    • The HoneySpider Network: Fighting client-side threats
    • The Most Important Thing: How Mozilla Does Security and What You Can Steal
    • The State of Internet Phishing and Fraud and Useful Means to Combat It
    • The future of hacking: Blended attacks using social engineering
    • The life cycle of infections and a botnet
    • Tracking and Detecting Trojan Command and Control Servers
    • Trends in the Internet Underground / Cyber Kadogos
    • Tunisia's experience in building an information sharing and analysis center
    • Virtualization Technology - A Manifold Arms Race
    • Who's watching the watch dogs? Security Audits for network infrastructure security enforcement devices

  • 19th Annual FIRST Conference on Computer Security Incident Handling

    June 17–22, 2007 — Seville, Spain

    • A European Approach to IT Security
    • A day in the life of a hacker... Things we get up to when nobody is looking, and that keep me awake at night.
    • An Internet Threat Evaluation Method based on Access Graph of Malicious Packets
    • Assessing Incident Severity in a Network and Automatic Defense Mechanisms
    • Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools
    • Botnet: Creation, usage, detection and eradication
    • Building a scalable, accurate, actionable Incident Response system
    • Common Vulnerability Scoring System (CVSS-SIG)
    • Creating and Managing CSIRTs
    • Creating, Managing and Using a Malware Lab
    • Cyber Fraud Trends and Mitigation
    • Data on Data Breaches: Past, Present, and Future
    • Dealing with Unreliable Software: Exile, Jail, and other Sentences
    • Developing a trusted partnership to prepare a framework for the collection of information security data
    • Do it yourself: The latest in forensic tools and techniques to examine Microsoft Windows
    • Electronic Forensics: a Case for First responders
    • Espionage - Reality or Myth? A Demonstration of Bugging Equipment
    • Experiences with Building, Deploying and Running remote-controlled easily installable Network Sensors
    • First Team Members Update Panel
    • Flaws and frauds in the evaluation of IDS/IPS technologies
    • Forensic Discovery
    • Forensics for Managers - Presenting and understanding forensics from the MBA point of view
    • Handling Less-Than-Zero-Day Attack - A Case Study
    • How many RAT's do you know out there?
    • I know what you (and your company) did last summer...
    • Identity Management Systems: the forensic dimension
    • Identity theft in the corporate environment - demonstration and hands-on
    • Information Security - No More the Cinderella?
    • Inside the Perimeter: 6 Steps to Improve Your Security Monitoring
    • Insider Threat - The Visual Conviction
    • Law Enforcement / CSIRT Cooperation SIG
    • Long term instability of high priority incident response - A system dynamics simulation approach
    • Malware distribution through software piracy: a case study
    • Managing Privacy in Network Operations: Learning from the Law
    • NUS IT Security Landscape
    • Our Own Worst Enemies
    • Privacy matters in directories
    • Provider Practicalities and Paranoia: Modern ISP incident response
    • Provider practicalities and paranoia: Modern ISP incident response - the tooling of incident response at a ISP
    • Reviewing the VoIP Threat Landscape
    • SafeSOA: Managing Privacy & Risk In The Global Service Oriented Environment
    • Security Policy & implementation: The European Commission Perspective
    • Security Risk Management: breaking through technology and market barriers - a real life story
    • Setting up a Grid-CERT - Experiences of an academic CSIRT
    • Setting up a governmental CERT: The CCN-CERT case study
    • Software Security: Integrating Security Tools Into a Secure Software Development Process
    • State of Security
    • System, Network and Security Log Analysis for Incident Response
    • Taming Packets: The Network Expect Framework for Building Network Tools
    • Targeted attacks (spear phishing): A demonstration and analysis of a former Office 0-day vulnerability
    • Technical Evolution of Cybercrime
    • The Art of RFID Exploitation
    • The Benefits of FIRST: How to sell FIRST to your Upper Management
    • The Evolution of Online Fraud
    • The Future of Security - The Security of the Future?
    • The Security needs of the State versus the rights of the individual
    • Tools and techniques to automate the discovery of zero day vulnerabilities
    • Tunisia's experience in establishing the first public CSIRT in Africa, as a case example for developing countries, and some guidelines and schemes for International cooperation
    • UNIX/C Programming traps and pitfalls
    • Understanding & Analyzing Botnets
    • Unique Challenges for Incident Response in a Grid Environment
    • Using Intelligence to Forecast Risk and Allocate Resources: It's Not Hocus-Pocus Anymore
    • Using instrumented browser instances for detecting 0-day exploits and filtering web traffic
    • Vulnerability Remediation Decision Assistance system
    • Web 2.0 - Securing the Brave New World
    • Why Protection against Viruses, Bots, and Worms is so hard - Malware seen as Mobile Agents
    • WiMAX: Security Analysis and Experience Return

  • 18th Annual FIRST Conference on Computer Security Incident Handling

    June 25–30, 2006 — Baltimore, Maryland, United States

    • A Distributed Intrusion Detection System Based on Passive Sensors
    • A Framework for Effective Alert Visualization
    • A Strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems
    • Automated Extraction of Threat Signatures from Network Flows
    • Behavioral Study of Bot Obedience using Causal Relationship Analysis
    • Botnets as Vehicle for Online Crime
    • Building and Deploying Billy Goat: a Worm-Detection System
    • CERT's Virtual Training Environment: A New Model for Security and Compliance Training
    • CarmentiS - a German Early Warning Information System - Challenges and Approaches
    • Counter-Forensic Tools: Analysis and Data Recovery
    • Design Your Network to Aid Forensic Investigation
    • Designing and Developing an Application for Incident Response Teams
    • Effectiveness of Proactive CSIRT Services
    • Evaluating CSIRT Operations
    • Honeypot Technology: Principles and Applications
    • If You Don't Know What You Don't Know
    • Maximizing the Benefits of Intrusion Prevention Systems: Effective Deployment Strategies
    • Netflow Tools NfSen and NFDUMP
    • Proposal of RSS Extension for Security Information Exchange
    • RAPIER - A 1st Responders Info Collection Tool
    • Reliably Determining the Outcome of Computer Network Attacks
    • Risk Analysis Methodology for New IT Service
    • Secure Coding in C and C++
    • The Impact of Honeynets for CSIRTs
    • The Network-Centric Incident Response and Forensics Imperative
    • The Survivability and Information Assurance (SIA) Curriculum
    • Threats of P2P File Sharing Software - a Japanese Situation About "Winny"
    • Threats of P2P file sharing software - a Japanese situation about "Winny"
    • Time Signatures to Detect Multi-headed Stealthy Attack Tools
    • VisFlowConnect-IP : A Link-Based Visualization of NetFlows for Security Monitoring
    • Worm Poisoning Technology and Application

  • 17th Annual FIRST Conference on Computer Security Incident Handling

    June 26–July 01, 2005 — Singapore, Singapore

    • A Common Vulnerability Scoring System
    • A Distributed Intrusion Alert System
    • A National Early Warning Capability Based on a Network of Distributed Honeypots
    • Artifact Analysis
    • Bridging the Gap Between Software Development and Incident Handling
    • Building a Logging Infrastructure
    • CVE, CME, ... CMSI? Standardizing System Information
    • Computer Forensics as Part of a Security Incident Response Plan
    • Creating and Managing CSIRTs
    • Crisis communication and Media management in Security Incidence Response
    • Defining the Rules of Trusted Computing: A Global Agenda
    • Dynamics of Incident Response
    • EWIS in a Box - or - How to build a National Early Warning Information System in 80 Days
    • European CSIRT Update
    • FIRST 2005 Welcome
    • Fighting Phishing site at the front line
    • Getting Ahead: Integrating Development and Response for Improved Security
    • How to Reduce Incidents by Employing Pro-Active Preventions
    • IEEE 802.16 WiMax Security
    • Key Strategies for defeating crime online
    • Mitigating Rogue Access Points in Corporate Environments
    • Network Monitoring on Large Networks
    • New Security Features in Solaris 10 and DTrace
    • Passive DNS Replication
    • Pondering and Patrolling Network Perimeters
    • Proposal for the experimental environment for Network Worm infection
    • Risk Triage and Prototyping in Information Security Engagements
    • SIRIOS, a Framework for CERTs
    • Security Bulletin Publication at AusCERT using "EzESB"
    • Security Challenges on the Road Ahead
    • Sharing Incident Data; History, Perspective, and a View for the Future
    • Strategies for Achieving Network Intelligence
    • TeamDefend - Organizational and Inter-Organizational Cyber Defense Training
    • The Looming Privacy Rights Debacle: How Data Protection Law Will Shape Response Team Activities
    • Trends in Malware Enabled Identity Theft
    • Vulnerabilities in Consumer Electronics -- DVD players, Cell phones attack : your system ??
    • Wireless Security

  • 16th Annual FIRST Conference on Computer Security Incident Handling

    June 13–18, 2004 — Budapest, Hungary

    • A Framework for Collection and Management of Intrusion Detection Data Sets
    • ARAKIS - An Early Warning and Attack Identification System
    • Creating a Process Map for Incident Management
    • Creating and Managing Computer Security Incident Response Teams (CSIRTs)
    • Critical Infrastructure Protection - a business view
    • Cyber Intelligence: Why a Business needs to set-up a Cyber Threat Analysis Unit
    • Defence in Depth: Protecting Against Zero-Day Attacks
    • Deploying new Wireless Standards in Corporate Environments
    • FIRST at WSIS: The Security in the emerging Information Society
    • Fighting Internet diseases: DDoS, worms and miscreants
    • From Incident response to Incident Response Management
    • Incident Response in the Research University
    • Inside Microsoft Security
    • Internet Threat Detection System Using Bayesian Estimation
    • Intrusion Prevention System for Databases: The Sandbox Approach
    • Network Monitoring and web portal site Project in AP region
    • Public Monitoring
    • Security Implications of IPv6
    • Seeing Vulnerability: The art, science, law, and politics of vulnerability discovery
    • TF-CSIRT Activity Update
    • The CSIRT and Wireless Security Breaches: Specialized Methods, Tools, and Techniques for Proactive and Reactive Wireless LAN Incident Response
    • The Common Announcement Interchange Format - CAIF
    • The Incident Response Team object in the RIPE database - the direct link from IP numbers to CSIRTs
    • UNIX and Linux based Rootkits Techniques and Countermeasures
    • Update the APCERT activities (Under the Regional Initiative Activities Update slot with TF-CSIRT)
    • What Went Wrong?
    • Workshop on Network Flow Analysis