FIRST is offering training courses on Sunday, 24 June. They require an additional registration, free of charge for conference participants, via the link below:
Time | Johor 1+4 (Lower Lobby floor) | Johor 2+5 (Lower Lobby floor) | Johor 3+6 (Lower Lobby floor) | Perak
---|---|---|---|---
09:00 – 10:30 | Alex Harmon, Lucine Wang (Microsoft) | Stefan Sellmer (Microsoft) | Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive) |
10:30 – 10:45 | Break | | |
10:45 – 12:30 | | | |
11:00 – 12:30 | Alex Harmon, Lucine Wang (Microsoft) | Stefan Sellmer (Microsoft) | Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive) |
12:30 – 13:30 | Lunch | | |
13:30 – 15:30 | Alex Harmon, Lucine Wang (Microsoft) | Stefan Sellmer (Microsoft) | Krassimir Tzvetanov (Fastly) | Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)
15:30 – 15:45 | Break | | |
15:45 – 18:00 | Alex Harmon, Lucine Wang (Microsoft) | Stefan Sellmer (Microsoft) | Krassimir Tzvetanov (Fastly) | Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)
This course will take place from 10:45-12:30.
June 24, 2018 10:45-12:30
Alex Harmon, Lucine Wang (Microsoft)
Course Level: Intermediate
Intended Audience: Security/SOC analysts, CSIRT/CERT team members, Forensics investigators
Pre-requisites:
Download all course materials, follow documentation to prepare laptop for the labs (coming soon).
Hardware requirements:
Abstract:
Two of Microsoft Security Response Center’s digital forensics experts will lead you through a deeper understanding of Windows forensic artifacts, how to analyze them, and how to fit them into your greater understanding of an investigation. Examples include the master file table, the Windows registry, and Windows Event logs. You will use your newfound understanding of these artifacts to perform analysis of disk images and come to conclusions based on various real-world scenarios the instructors have encountered while working within the MSRC. You must bring your own laptop.
Lab materials will be provided ahead of the event.
Topics:
- Introduction
- Scenario Exploration
- Use of the tooling
- Analysis of artifacts:
  - Event logs
  - Application logs
  - Registry
  - NTFS File System (Master File Table)
  - Recycle Bin & Deleted Files
  - Other sources of file and application execution evidence
  - Services and Tasks
  - Remote control analysis
  - Volatile Data: Process and Network Artifacts
  - Windows 10-specific artifacts, including Cortana, Edge, and Notification Center
- Timelining the evidence and fitting it into a larger investigation
June 24, 2018 09:00-10:30, June 24, 2018 15:45-18:00, June 24, 2018 13:30-15:30, June 24, 2018 11:00-12:30
Stefan Sellmer (Microsoft)
Course Level: Beginner to Intermediate
Intended Audience: Malware analysts and researchers
Pre-requisites:
Download all course materials, follow documentation to prepare laptop for the labs (coming soon).
Hardware requirements:
- OS: Windows 7 or greater
- CPU: The faster the better, but the software will work OK with CPUs dating back to the first Intel Core i line.
- Memory: No less than 8 GB, but the more the better.
- HDD: At least 80 GB of free disk space is recommended. SSD recommended but not required.
- Hands-on exercises will involve operating with malicious code!
- The laptop needs to have VMware or Hyper-V virtualization installed, with Windows 7 or above installed as the guest OS.
- You need to be able to take snapshots of the guest OS and transfer files between the host and guest systems. The guest OS should have no antivirus software installed, and you need to have admin rights.
Abstract:
Learn the fundamentals of malware reverse engineering. While malware grows exponentially, the techniques malware exhibits are often similar. The class focuses on outlining these commonalities and on how to use IDA Pro and dynamic analysis to deal with them.
Topics:
June 24, 2018 09:00-10:30, June 24, 2018 15:45-18:00, June 24, 2018 13:30-15:30, June 24, 2018 11:00-12:30
Steve Clement and Raphaël Vinot (Circl.lu), Saâd Kadhi (TheHive)
Course Level: Beginner
Intended Audience: Security/SOC analysts, CSIRT/CERT team members
Pre-requisites: See attached document.
Abstract:
The goal of the tutorial is to familiarize participants with Incident Response and Cyber Threat Intelligence using TheHive, a Security Incident Response Platform; Cortex, a powerful observable analysis engine; and MISP, a popular threat sharing platform. All software is free and open source.
Topics:
June 24, 2018 09:00-10:30, June 24, 2018 15:45-18:00, June 24, 2018 13:30-15:30, June 24, 2018 11:00-12:30
FIRST-KL2018-MISP_TheHive_Cortex_Training_Instructions.pdf
MD5: 55bbc89ab7104e472bfd532decb77dc6
Format: application/pdf
Last Update: June 7th, 2024
Size: 373.97 Kb
Krassimir Tzvetanov (Fastly)
This course will take place after lunch from 13:45-15:30.
Course Level: Advanced
June 24, 2018 13:30-15:30, June 24, 2018 15:45-18:00
On Sunday, 24 June FIRST will host an all-day Hackathon. FIRST will provide a room where interested participants can work in smaller groups and have the ability to collaborate with other conference attendees toward a common goal. The event will be moderated and FIRST will provide the project topics and wireless internet access, in addition to refreshments, so participants can focus on the most important thing - finishing their project.
Please propose projects or ideas you want to work on by 25 May. We will announce the program at www.first.org/hackathon . Please submit your ideas to first-hackathon@first.org.
Join us for an afternoon of fun challenges with an IR twist. We will provide the beat and the incident response scenarios where you can learn new skills and practice current ones against a set of simulated security incidents. Can you identify what caused the blues? What would you do differently? How can you architect multiple AWS services to prevent it from happening again? How do you automate the incident response? Take part in our jam to find out!
As the challenges develop, you will take the initial infrastructure and, challenge by challenge, improve it into a resilient and secure deployment. Use your knowledge of AWS services and information security to perform incident response in the cloud and forensic analysis to find out whodunit! We will have a number of experienced AWS experts in the room who will be available to discuss ideas, provide guidance and in general help your team get through any roadblocks that pop up. New to AWS? New to security? Come and join us! Our activities are structured to accommodate AWS users of all levels. We have AWS experts, plus guided exercises, that will ramp up your security knowledge. We will form teams on the spot and provide 10 challenges to tackle. You score points by solving them; there is cool swag for all participants and a special prize for the winning team!
13th Annual Technical Meeting for CSIRTs with National Responsibility
Is your organization responsible for protecting the security of nations, economies, and critical infrastructures? If so, attend NatCSIRT 2018 to discuss with your peers the unique challenges you face every day. You will drive discussions that focus on current issues, tools, and methods relevant to the National CSIRT community. This year's meeting is co-located with the 30th Annual FIRST Conference in Kuala Lumpur. This meeting is by invitation only and more details can be found at http://www.cert.org/natcsirt/.
The GFCE Working Group - Cyber Incident Management and Critical Information Protection - will have a meeting (invitation-only) from 2-5pm on Sunday June 24th at the 30th Annual FIRST Conference. The GFCE Working Group meeting will focus on how to effectively respond to the needs and expertise available on the theme 'Cyber Incident Management and Critical Information Protection' in order to encourage the multistakeholder dialogue on the implementation of cyber capacity building in line with the Delhi Communiqué.
Participation at this meeting is by invitation only. Inquiries should be directed to contact@thegfce.com.
Birds of a Feather (BoF) sessions are primarily meetings that take place at the conference based on the interest of a number of members. They are not necessarily intended to lead to year-round work.
BoF sessions are scheduled to take place before conference sessions begin (8-9am) or following the final session of the day. We will have an up-to-date schedule and bulletin board near the registration desk onsite. Attendees are welcome to request a BoF in advance by emailing first-sec@first.org or by adding their own BoFs to the bulletin board onsite (rooms are assigned on a first come, first served basis, and room assignment space is limited). A schedule of BoFs will be posted once confirmed.
June 26, 2018

Time | Johor 3+6
---|---
13:00 – 13:45 | Membership Information Session for Applying Teams (Alexander Jäger and the FIRST Membership Committee)

June 27, 2018

Time | Melaka | Johor 3+6 | Johor 2+5
---|---|---|---
16:00 – 17:00 | Jonathan Matkowsky, RiskIQ | Levelling the playing field - Taking the opportunity away from the threat actor (Lari Huttunen, Deployment Specialist, Arctic Security) |
17:00 – 18:00 | Art Manion | Devising an Exploratory Cyber Exercise (Luc Dandurand) | National sectoral healthcare CERTs and cooperation with manufacturers (Jasper Hupkens)
18:00 – 19:00 | Taxonomies and Ontologies in Threat Intelligence and Incident Response (Morton Swimmer) | |

June 28, 2018

Time | Johor 2+5
---|---
18:00 – 19:00 | IHAP - Abuse Information Exchange at Country Level, starts after the AGM (Aaron Kaplan and Martijn van der Heide)
Richard Struse, Mitre
MITRE’s freely-available ATT&CK™ framework is being widely adopted by both producers and consumers of cyber threat intelligence as a common “language” to describe adversary behavior. Come get an update on new developments in ATT&CK, and discuss how you use ATT&CK and how you’d like to see it evolve in the future. Attendees should have basic familiarity with ATT&CK. For those who don’t, here is a very brief overview of ATT&CK: https://www.youtube.com/watch?v=0BEf6s1iu5g&t=1s
June 25, 2018 17:30-18:30
Johan Berggren, Google
Google has a long history of developing security technology that benefits not just our own users, but the online world as a whole. When we create technology to keep our services safer, we find opportunities to share it for everyone’s benefit. And as threats change over time, our adaptive, forward-looking measures pave the way for other companies to follow.
In order to further our commitment to help make the Internet a safer place, we would like to take this time to talk openly with CERT teams about how we can improve cooperation and information sharing in the future.
June 25, 2018 17:30-18:30
Luc Dandurand
Recent developments in the regulatory environment of some CIRTs (e.g. GDPR), the emergence of cyber insurance, and the need to collect more and better metrics about incidents continue to raise questions and concerns within the incident handling community. Emerging technologies can help address these issues, but first need to be properly assessed. This BoF session will propose a different way of approaching these issues to make progress: a slow-paced, long-running cyber exercise that generates realistic use cases for further analysis and discussion. Running remotely over several months but requiring only a few minutes of work per day or week, such an exercise could help assess the potential value of new technologies in the incident handling process and generate useful simulation data to support ongoing debates and discussions.
June 27, 2018 17:00-18:00
Jonathan Matkowsky, RiskIQ
Since 25 May, GDPR has been in force, and after one month we have already observed some effects on our community. Within this BoF we would like to discuss the impact of GDPR and evaluate what the community may need to address. The outcome might be a SIG that addresses the discussed topics.
Attendees should be people interested in the topic of privacy and especially GDPR. The BoF will not give an overview of the regulation, so people should already be familiar with it.
June 27, 2018 16:00-17:00
Aaron Kaplan and Martijn van der Heide
Please note this meeting will follow the AGM.
June 28, 2018 18:00-19:00
Lari Huttunen, Deployment Specialist Arctic Security
The main topics of the BoF will cover levelling the playing field and taking the opportunity away from the threat actor. Attendees should expect to discuss reaching a community agreement on what threat intelligence is today and working towards a taxonomy.
June 27, 2018 16:00-17:00
Alexander Jäger and the FIRST Membership Committee
Interested in FIRST membership and have questions about the application process or benefits of joining? Join us for this session to learn more about membership and ask your questions! Please note - we encourage you to enjoy a 30 min lunch from 12:30-13:00 before joining the meeting - or make a plate and bring it with you!
June 26, 2018 13:00-13:45
Morton Swimmer
Continuing from our inaugural BoF at FIRST 2017, we welcome everyone who is interested in developing taxonomies and ontologies in IR and TI for a discussion of how best to achieve interoperability through the use of taxonomies and ontologies of data and resources. There has been an uptick in the interest in making data more actionable by using such classification schemes in IR, but nothing has been widely accepted. The best ontologies are created as a group effort and not in a vacuum, so we wish to bring together everyone who is interested in the subject to discuss how we can reach our goals. If the participants request it, Morton Swimmer can demonstrate ontology design and editing using Protégé, a free tool available from Stanford University. Related events to this BoF at FIRST 2018:
- https://first.org/conference/2018/program#psemi-automated-cyber-threat-intelligence-act
- https://first.org/conference/2018/program#pmanaging-risks-through-taxonomies
- https://first.org/conference/2018/program#premoving-the-pain-from-the-repetitive-processing-of-vulnerability-reports-using-a-vulnerability-ontology
- https://first.org/conference/2018/program#pstix2-taxii2-workshop
- https://first.org/conference/2018/program#pwhy-is-cti-automation-harder-than-it-needs-to-be-and-what-can-security-teams-do-about-it
June 27, 2018 18:00-19:00
Art Manion
Out of 20K publicly disclosed vulnerabilities in a year, how many are used to attack you? How do you decide which vulnerabilities get your attention? Let scan and patch decide? How do they decide? Does the decision involve CVSS? Join this BoF to talk about what defenders and vendors really want in terms of prioritizing vulnerability response.
June 27, 2018 17:00-18:00
Get your PGP Key signed to increase trust!
Wednesday, June 27th from 10:45 to 11:15 (at Registration desk).
Thursday, June 28th (at the AGM).
Alexander Jaeger (FIRST)
Why?
PGP is one of the foundations of the security community, and to rely on PGP there needs to be trust in the PGP keys. The trust is made by signatures and validation of identity. FIRST facilitates this community effort by hosting PGP Key signing events.
We will have at least two PGP key signing events; listen to the opening remarks or check at the registration desk for changes to the time or date.
In the past we did not sign team keys and we do not plan to change that.
For those who haven’t participated in past years, it will go as follows:
Hint: Please do not upload your key an hour before the key signing, as I might be printing out the keyring a few hours earlier.
8 Sign the keys with your PGP key
There is good documentation about PGP key signing parties: http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
People who wish to participate should email an ASCII-armored extract of their PGP public key to keysigning@alexanderjaeger.de by noon on Monday, June 25, 2018. Please include a subject line of "FIRST PGP KEY", and please avoid MIME-encrypting your e-mail. (I will be running the entire mail folder file through PGP, and PGP keys that are base64-encoded will get ignored unless I take manual action to fix things. I will try to do the manual fixup, but I make no guarantees about catching all of them.)