Additional Programming

Sunday, 24 June

FIRST Training

FIRST is offering training courses on Sunday, 24 June. They require an additional registration, free of charge for conference participants, via the link below:

Register to FIRST Training

Sunday, June 24th

Rooms: Johor 1+4, Johor 2+5 and Johor 3+6 (all Lower Lobby floor), and Perak

09:00 – 10:30

  • Forensics: Alex Harmon, Lucine Wang (Microsoft)
  • Malware Reverse Engineering: Stefan Sellmer (Microsoft)
  • MISP/TheHive: Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)

10:30 – 10:45

  • Break

10:45 – 12:30

  • DDoS Train the Trainer

11:00 – 12:30

  • Forensics: Alex Harmon, Lucine Wang (Microsoft)
  • Malware Reverse Engineering: Stefan Sellmer (Microsoft)
  • MISP/TheHive: Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)

12:30 – 13:30

  • Lunch

13:30 – 15:30

  • Forensics: Alex Harmon, Lucine Wang (Microsoft)
  • Malware Reverse Engineering: Stefan Sellmer (Microsoft)
  • Mitigating DDoS Attacks: Krassimir Tzvetanov (Fastly)
  • MISP/TheHive: Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)

15:30 – 15:45

  • Break

15:45 – 18:00

  • Forensics: Alex Harmon, Lucine Wang (Microsoft)
  • Malware Reverse Engineering: Stefan Sellmer (Microsoft)
  • Mitigating DDoS Attacks: Krassimir Tzvetanov (Fastly)
  • MISP/TheHive: Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)
  • DDoS Train the Trainer

    This course will take place from 10:45-12:30.

    June 24, 2018 10:45-12:30

  • Forensics

    Course Level: Intermediate

    Intended Audience: Security/SOC analysts, CSIRT/CERT team members, Forensics investigators

    Pre-requisites:
    Download all course materials, follow documentation to prepare laptop for the labs (coming soon).

    Hardware requirements:

    • OS: Windows 7 or greater
    • CPU: The faster the better, but the software will work OK with CPUs dating back to the first Intel Core-i line.
    • Memory: No less than 4GB, but the more the better.
    • HDD: recommend having at least 80GB free disk space. SSD recommended but not required.

    Abstract:
    Two of Microsoft Security Response Center’s digital forensics experts will lead you through a deeper understanding of Windows forensic artifacts, how to analyze them, and how to fit them into your greater understanding of an investigation. Examples include the master file table, the Windows registry, and Windows Event logs. You will use your newfound understanding of these artifacts to perform analysis of disk images and come to conclusions based on various real-world scenarios the instructors have encountered while working within the MSRC. You must bring your own laptop.
    Lab materials will be provided ahead of the event.

    Topics:

    • Introduction
    • Scenario Exploration
    • Use of the tooling
    • Analysis of artifacts
      • Event logs
      • Application logs
      • Registry
      • NTFS File System (Master File Table)
      • Recycle Bin & Deleted Files
      • Other sources of file and application execution evidence
      • Services and Tasks
      • Remote control analysis
      • Volatile Data: Process and Network Artifacts
      • Windows 10-specific artifacts, including Cortana, Edge, and Notification Center
    • Timelining the evidence and fitting it into a larger investigation

    June 24, 2018 09:00-10:30, June 24, 2018 11:00-12:30, June 24, 2018 13:30-15:30, June 24, 2018 15:45-18:00

  • Malware Reverse Engineering

    Course Level: Beginner to Intermediate

    Intended Audience: Malware analysts and researchers

    Pre-requisites:
    Download all course materials, follow documentation to prepare laptop for the labs (coming soon).

    Hardware requirements:

    • OS: Windows 7 or greater
    • CPU: The faster the better, but the software will work OK with CPUs dating back to the first Intel Core-i line.
    • Memory: No less than 8GB, but the more the better.
    • HDD: recommend having at least 80GB free disk space. SSD recommended but not required.
    • Hands-on exercises will involve operating with malicious code!
    • The laptop needs to have VMware or Hyper-V virtualization installed, with a Windows 7 or above operating system installed as the guest OS.
    • You need to be able to make snapshots of the guest OS and transfer files between host and guest system. Also, the guest OS should have no antivirus software installed and you need to have admin rights.

    Abstract:
    Learn the fundamentals of malware reverse engineering. While malware grows exponentially, the techniques malware exhibits are often similar. The class focuses on outlining these commonalities and on how to use IDA Pro and dynamic analysis to deal with them.

    Topics:

    • Introduction
    • Getting started with malware analysis
      • Triage
      • Common malware modularization & behaviors
      • Common anti-analysis & anti-AV tricks
    • Static Analysis With IDA Pro
      • IDA Pro basics
      • Recognizing programming constructs
      • Rebuild high level constructs (structs, enums)
    • Dynamic Analysis
      • Debugger basics
      • Manual unpacking & dumping position independent code
      • Patching to change the behavior in favor of the analyst

    June 24, 2018 09:00-10:30, June 24, 2018 11:00-12:30, June 24, 2018 13:30-15:30, June 24, 2018 15:45-18:00

  • MISP/TheHive

    Course Level: Beginner

    Intended Audience: Security/SOC analysts, CSIRT/CERT team members

    Pre-requisites: See attached document.

    Abstract:
    The goal of the tutorial is to familiarize participants with Incident Response and Cyber Threat Intelligence using TheHive, a Security Incident Response Platform; Cortex, a powerful observable analysis engine; and MISP, a popular threat sharing platform. All software is free and open source.

    Topics:

    • TheHive, Cortex & MISP Overview
    • Installing & configuring the product stack
    • Bringing it all together
    • An IR case study
    • Dealing with notifications
    • How CTI feeds IR
    • How IR feeds CTI
    • The CTI-IR cycle: case study

    June 24, 2018 09:00-10:30, June 24, 2018 11:00-12:30, June 24, 2018 13:30-15:30, June 24, 2018 15:45-18:00

  • Mitigating DDoS Attacks

    This course will take place after lunch from 13:45-15:30.

    Course Level: Advanced

    June 24, 2018 13:30-15:30, June 24, 2018 15:45-18:00

Hackathon

On Sunday, 24 June, FIRST will host an all-day Hackathon. FIRST will provide a room where interested participants can work in smaller groups and collaborate with other conference attendees toward a common goal. The event will be moderated, and FIRST will provide the project topics and wireless internet access, in addition to refreshments, so participants can focus on the most important thing: finishing their project.

Please propose projects or ideas you want to work on by 25 May. We will announce the program at www.first.org/hackathon. Please submit your ideas to first-hackathon@first.org.

FIRST & AWS 2018 Security Jam!

AWS Security Jam!

Join us for an afternoon of fun challenges with an IR twist. We will provide the beat and the incident response scenarios where you can learn new skills and practice current ones against a set of simulated security incidents. Can you identify what caused the blues? What would you do differently? How can you architect multiple AWS services to prevent it from happening again? How do you automate the incident response? Take part in our jam to find out!

As the challenges develop, you will take the initial infrastructure and, challenge by challenge, improve it into a resilient and secure deployment. Use your knowledge of AWS services and information security to perform incident response in the cloud and forensic analysis to find out whodunit! We will have a number of experienced AWS experts in the room who will be available to discuss ideas, provide guidance and in general help your team get through any roadblocks that pop up. New to AWS? New to security? Come and join us! Our activities are structured to accommodate AWS users of all levels. We have AWS experts, plus guided exercises, that will ramp up your security knowledge. We will form teams on the spot and provide 10 challenges to tackle. You score points by solving them; all participants get some cool swag, and there is a special prize for the winning team!

Register to Security Jam!

Friday-Saturday, June 29-30th

NatCSIRT Meeting 2018

13th Annual Technical Meeting for CSIRTs with National Responsibility

Is your organization responsible for protecting the security of nations, economies, and critical infrastructures? If so, attend NatCSIRT 2018 to discuss with your peers the unique challenges you face every day. You will drive discussions that focus on current issues, tools, and methods relevant to the National CSIRT community. This year's meeting is co-located with the 30th Annual FIRST Conference in Kuala Lumpur. This meeting is by invitation only and more details can be found at http://www.cert.org/natcsirt/.

GFCE Working Group - Cyber Incident Management and Critical Information Protection

The GFCE Working Group - Cyber Incident Management and Critical Information Protection - will have a meeting (invitation-only) from 2-5pm on Sunday June 24th at the 30th Annual FIRST Conference. The GFCE Working Group meeting will focus on how to effectively respond to the needs and expertise available on the theme 'Cyber Incident Management and Critical Information Protection' in order to encourage the multistakeholder dialogue on the implementation of cyber capacity building in line with the Delhi Communiqué.

Participation at this meeting is by invitation only. Inquiries should be directed to contact@thegfce.com.

Monday-Friday, June 25-29th

Birds of a Feather (BoFs)

Birds of a Feather (BoF) sessions are meetings that take place at the conference based on the interest of a number of members. They are not necessarily intended to lead to year-round work.

BoF sessions are scheduled to take place before conference sessions begin (8-9am) or following the final session of the day. We will have an up-to-date schedule and bulletin board near the registration desk onsite. Attendees are welcome to request a BoF in advance by emailing first-sec@first.org or by adding their own BoFs to the bulletin board onsite (rooms are assigned on a first come, first served basis, and room assignment space is limited). A schedule of BoFs will be posted once confirmed.

Monday, June 25th

Melaka / Johor 2+5
17:30 – 18:30

CERT Team Insights

Johan Berggren, Google

ATT&CK

Richard Struse, Mitre

Tuesday, June 26th

Johor 3+6
13:00 – 13:45

Membership Information Session for Applying Teams

Alexander Jäger and the FIRST Membership Committee

Wednesday, June 27th

Melaka / Johor 3+6 / Johor 2+5
16:00 – 17:00

GDPR

Jonathan Matkowsky, RiskIQ

Levelling the playing field - Taking the opportunity away from the Threat actor

Lari Huttunen, Deployment Specialist Arctic Security

17:00 – 18:00

Vulnerability Prioritization

Art Manion

Devising an Exploratory Cyber Exercise

Luc Dandurand

National sectoral healthcare CERTs and cooperation with manufacturers

Jasper Hupkens

18:00 – 19:00

Taxonomies and Ontologies in Threat Intelligence and Incident Response

Morton Swimmer

Thursday, June 28th

Johor 2+5
18:00 – 19:00

IHAP - Abuse Information Exchange at Country Level (starts after the AGM)

Aaron Kaplan and Martijn van der Heide

  • ATT&CK

    MITRE’s freely available ATT&CK™ framework is being widely adopted by both producers and consumers of cyber threat intelligence as a common “language” to describe adversary behavior. Come get an update on new developments in ATT&CK, and discuss how you use ATT&CK and how you’d like to see it evolve in the future. Attendees should have basic familiarity with ATT&CK. For those who don’t, here is a very brief overview of ATT&CK: https://www.youtube.com/watch?v=0BEf6s1iu5g&t=1s

    June 25, 2018 17:30-18:30

  • CERT Team Insights

    Google has a long history of developing security technology that benefits not just our own users, but the online world as a whole. When we create technology to keep our services safer, we find opportunities to share it for everyone’s benefit. And as threats change over time, our adaptive, forward-looking measures pave the way for other companies to follow.

    In order to further our commitment to help make the Internet a safer place, we would like to take this time to talk openly with CERT teams about how we can improve cooperation and information sharing in the future.

    June 25, 2018 17:30-18:30

  • Devising an Exploratory Cyber Exercise

    Recent developments in the regulatory environment of some CIRTs (i.e. GDPR), the emergence of cyber insurance, and the need to collect more and better metrics about incidents continue to raise questions and concerns within the incident handling community. Emerging technologies can help address these issues, but first need to be properly assessed. This BoF session will propose a different way of approaching these issues to make progress: a slow-pace, long-running cyber exercise that generates realistic use cases for further analysis and discussion. Running remotely over several months but requiring only a few minutes of work per day/week, it is hoped that such an exercise can help assess the potential value of new technologies in the incident handling process and generate useful simulation data to support ongoing debates and discussions.

    June 27, 2018 17:00-18:00

  • GDPR

    Since 25 May, GDPR has been in place, and after one month we have already observed some effects on our community. Within this BoF we would like to discuss the impact of GDPR and evaluate what the community may need to address. The outcome might be a SIG that addresses the discussed topics.

    Attendees should be people interested in the topic of privacy and especially GDPR. The BoF will not give an overview of the regulation, so people should already be familiar with it.

    June 27, 2018 16:00-17:00

  • IHAP - Abuse Information Exchange at Country Level (starts after the AGM)

    Please note this meeting will follow the AGM.

    June 28, 2018 18:00-19:00

  • Levelling the playing field - Taking the opportunity away from the Threat actor

    The main topics of the BoF will be levelling the playing field and taking the opportunity away from the threat actor. Attendees should expect to discuss searching for a community agreement on "What Threat Intelligence is today" and working towards a taxonomy.

    June 27, 2018 16:00-17:00

  • Membership Information Session for Applying Teams

    Interested in FIRST membership and have questions about the application process or benefits of joining? Join us for this session to learn more about membership and ask your questions! Please note - we encourage you to enjoy a 30 min lunch from 12:30-13:00 before joining the meeting - or make a plate and bring it with you!

    June 26, 2018 13:00-13:45

  • Taxonomies and Ontologies in Threat Intelligence and Incident Response

    Continuing from our inaugural BoF at FIRST 2017, we welcome everyone who is interested in developing taxonomies and ontologies in IR and TI for a discussion of how best to achieve interoperability through the use of taxonomies and ontologies of data and resources. There has been an uptick in interest in making data more actionable by using such classification schemes in IR, but nothing has been widely accepted. The best ontologies are created as a group effort and not in a vacuum, so we wish to bring together everyone who is interested in the subject to discuss how we can reach our goals. If the participants request it, Morton Swimmer can demonstrate ontology design and editing using Protégé, a free tool available from Stanford University.

    Related events to this BoF at FIRST 2018:

    • https://first.org/conference/2018/program#psemi-automated-cyber-threat-intelligence-act
    • https://first.org/conference/2018/program#pmanaging-risks-through-taxonomies
    • https://first.org/conference/2018/program#premoving-the-pain-from-the-repetitive-processing-of-vulnerability-reports-using-a-vulnerability-ontology
    • https://first.org/conference/2018/program#pstix2-taxii2-workshop
    • https://first.org/conference/2018/program#pwhy-is-cti-automation-harder-than-it-needs-to-be-and-what-can-security-teams-do-about-it

    June 27, 2018 18:00-19:00

  • Vulnerability Prioritization

    Out of 20K publicly disclosed vulnerabilities in a year, how many are used to attack you? How do you decide which vulnerabilities get your attention? Do you let scan-and-patch decide? How do they decide? Does the decision involve CVSS? Join this BoF to talk about what defenders and vendors really want in terms of prioritizing vulnerability response.

    June 27, 2018 17:00-18:00

Wednesday, 27 June

PGP Key Signing

Get your PGP Key signed to increase trust!

  • Wednesday, June 27th from 10:45 to 11:15 (at the Registration desk).
  • Thursday, June 28th (at the AGM).

Alexander Jaeger (FIRST)

Why?

PGP is one of the foundations of the security community, and to rely on PGP there needs to be trust in the PGP keys. That trust is established by signatures and validation of identity. FIRST facilitates this community effort by hosting PGP Key signing events.

We will have at least two PGP Key signing events; listen to the opening remarks or check at the registration desk for changes regarding time/date.

In the past we did not sign team keys and we do not plan to change that.

Preparation before the conference

For those who haven’t participated in past years, it will go like the following:

  1. Upload your Public PGP key via the link below
  2. Check that your key is really uploaded (if not, let me know early enough via mail; we will print the keys on the morning of the signing party)

Hint: Please do not upload your key an hour before the key signing, as I might be printing out the keyring a few hours earlier.

Upload your public key!

Preparation for the signing party at the conference

  1. Show up at the signing party as usual with a passport / ID (most people will not sign without you providing such an ID)
  2. Participate in the signing party
  3. Get a copy of the printed keyring (I will provide n+20 copies, where n is the number of keys on the keyring)
  4. Sign the keys of others after checking their identity
  5. Get your key signed by others by showing your ID / passport to them

After the signing party / conference

  1. Sign the keys with your PGP key
  2. Send each signed person their key with your signature
  3. Feel good — you increased the PGP web of trust

There is good documentation about PGP Key signing parties: http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Issues with biglumber?

People who wish to participate should email an ASCII extract of their PGP public key to keysigning@alexanderjaeger.de by noon on Monday, June 25, 2018. Please include a subject line of "FIRST PGP KEY", and please avoid MIME-encrypting your e-mail. (I will be running the entire mail folder file through PGP, and PGP keys that are base-64 encoded will get ignored unless I take manual action to fix things. I will try to do the manual fixup, but I make no guarantees about catching all of them.)