Program Overview

The FIRST Technical Colloquium (TC) event will be held in 2-3 April 2013 at the Cisco Campus, Amsterdam. April 1st is reserved for committee meetings attendance by invitation.

Please note: the program schedule is not final, please keep checking for updates.

Tuesday, April 2^nd
Technical Colloquium (Tuesday)
Wednesday, April 3^rd
Technical Colloquium (Wednesday)

Tuesday, April 2^nd

	Technical Colloquium (Tuesday)
08:00 – 09:00	Registration
09:00 – 09:15	US Welcome Gavin Reid (HUMAN Security, US)
09:15 – 10:15	Overview of Cuckoo Sandbox Claudio, ShadowServer
10:15 – 11:00	US CVSS v3 Preview Seth Hanford (Proofpoint, US)
11:00 – 11:15	Networking and Coffee Break
11:15 – 12:30	RPZ I
12:30 – 13:30	Lunch
13:30 – 14:30	RPZ II April Lorenzen (Dissect Cyber, Inc)
14:30 – 15:15	CA Pre-Recursor Passive DNS Logging Henry Stern (Cisco, CA)
15:15 – 16:15	Networking and Coffee Break
16:15 – 17:00	AT ProcDOT Visual Malware Analysis Christian Wojner (CERT.at, AT)
17:00 – 18:00	US Re-writing the CSIRT Playbook Jeff Bollinger (LinkedIn, US); Matthew Valites (SAP, US)
18:00 – 20:00	Social Reception

Wednesday, April 3^rd

	Technical Colloquium (Wednesday)
08:00 – 09:00	Registration
09:00 – 09:45	NL Info Sharing after bot-net takedowns Martijn van der Heide (KPN-CERT – Chairman KPN-CERT, NL)
09:45 – 10:15	NL Our Customer from the Underground Feike Hacquebord (Trend Micro, NL)
10:15 – 10:45	Networking and Coffee Break
10:45 – 11:30	Spamhaus Data for CERTs and ISPs Carel van Staten
11:30 – 12:30	SIE Security Information Exchange
12:30 – 13:30	Lunch
13:30 – 14:15	Understanding CSIRT Knowledge Management Needs Oscar Serrano (NATO Communications and Information Agency)
14:15 – 15:00	Expanding the Bitsquatting Attack Surface Jaeson Schultz, Cisco
15:00 – 15:30	Networking and Coffee Break
15:30 – 16:15	MY In-house Developed Tools to Enhance Incident Response - Sharing MyCERT's Experience Sharifah Roziah Mohd Kassim (MyCERT, CyberSecurity Malaysia, MY)
16:15 – 17:00	NL Inside Torpig/Sinowal - An in depth (malware) analysis Godert Jan van Manen (Northwave, NL)
17:00 – 17:45	What are Banks doing Against Malware? Jan Joris Vereijken (Chief Security Architect at ING)
17:45 – 18:00	Wrap up

US
CVSS v3 Preview
Seth HanfordSeth Hanford (Proofpoint, US)

Seth Hanford is a Principal Engineer at Proofpoint. In his role, he serves as security architect, and as an advisor to the enterprise CSIRT, PSIRT, and other Global Information Security functions responsible for designing secure architectures and protecting customer and enterprise data for the company. He has previously worked as Sr. Manager for Detection & Response for a Fortune 100 financial services firm, as well as various vulnerability & threat intelligence roles, and as a PSIRT incident manager for a Fortune 100 network technology company. He has been active in the FIRST community over the past decade, including service on the CVSS SIG during v2, and as SIG chair for the development of CVSS v3.

April 2, 2013 10:15-11:00
hanford-seth-slides.pdf
MD5: 82fb03b0a6482bba43cd2d0c6ee6793b
Format: application/pdf
Last Update: April 15th, 2013
Size: 966.55 Kb
NL
Info Sharing after bot-net takedowns
Martijn van der Heide (Chairman KPN-CERT, NL)

Security Officer

April 3, 2013 09:00-09:45
van-der-heide-martijn-slides.pdf
MD5: 804dacc43829d41b10dcc5833756944f
Format: application/pdf
Last Update: April 15th, 2013
Size: 278.84 Kb
NL
Our Customer from the Underground
Feike HacquebordFeike Hacquebord (Trend Micro, NL)

Feike Hacquebord has more than 18 years experience in doing threat research as a Senior Threat Researcher. Since 2005, he has been a regular advisor of international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog postings and papers on advanced cyberattacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.

April 3, 2013 09:45-10:15
Overview of Cuckoo Sandbox
Claudio, ShadowServer
April 2, 2013 09:15-10:15
guarnieri-claudio-slides.pdf
MD5: 19548d1bdec5aaf358b068e478ed8a4f
Format: application/pdf
Last Update: April 15th, 2013
Size: 1.23 Mb
CA
Pre-Recursor Passive DNS Logging
Henry Stern (Cisco, CA)
April 2, 2013 14:30-15:15
stern-henry-slides.pdf
MD5: 3cd10110dc88aaf0602b72955a3fe65c
Format: application/pdf
Last Update: April 15th, 2013
Size: 1.78 Mb
AT
ProcDOT Visual Malware Analysis
Christian Wojner (AT)
April 2, 2013 16:15-17:00
wojner-christian-slides.pdf
MD5: c14d6d6132aa9547e58200673a7d2377
Format: application/pdf
Last Update: April 8th, 2013
Size: 1.46 Mb
US
Re-writing the CSIRT Playbook
Jeff BollingerMatthew ValitesJeff Bollinger (LinkedIn, US), Matthew Valites (SAP, US)

With over twenty years of information security experience, Jeff Bollinger has worked as security architect, incident responder, and people manager for both academic and enterprise networks. Specializing in investigations, network security monitoring, detection engineering, log analysis, and intrusion detection, Jeff Bollinger is the Director of LinkedIn's incident response team (SEEK). Prior to LinkedIn, Jeff helped build and operate one of the world's largest corporate security monitoring infrastructures at Cisco Systems. Jeff regularly speaks at international FIRST conferences, blogs about security topics. He is also the co-author of "Crafting the InfoSec Playbook". Jeff's recent work includes log mining, search optimization, cloud threat research, and security investigations.

Matt has spent the past 15+ years in various security roles spanning leadership, operations, investigations, field sales, and research. Currently leading Threat Detection Operations and Operational Strategy at SAP's Global Security Operations, he's spent most of his career in the Enterprise Software-as-a-Service space. He's a co-author of O'Reilly's Crafting the Infosec Playbook and a longtime active member of the FIRST organization.

April 2, 2013 17:00-18:00
bollinger-jeff-slides.pdf
MD5: 0b9a8c628b67853568af469d931c167f
Format: application/pdf
Last Update: April 8th, 2013
Size: 3.7 Mb
RPZ II
April Lorenzen (Dissect Cyber, Inc)
April 2, 2013 13:30-14:30
lorenzen-april-slides.pdf
MD5: 1ea379b89663323739a337c21334e957
Format: application/pdf
Last Update: April 15th, 2013
Size: 54.22 Kb
SIE Security Information Exchange
April 3, 2013 11:30-12:30
vixie-paul-slides-1.pdf
MD5: 348e9c28931496189eb169ca7f93a5b6
Format: application/pdf
Last Update: April 8th, 2013
Size: 337.65 Kb
vixie-paul-slides-2.pdf
MD5: 3c035f278efabc03b97481a643b184ad
Format: application/pdf
Last Update: April 8th, 2013
Size: 426.3 Kb
vixie-paul-slides-3.pdf
MD5: ad17f01b18890411b52b94cc37dc5606
Format: application/pdf
Last Update: April 8th, 2013
Size: 428.67 Kb
Understanding CSIRT Knowledge Management Needs
Oscar Serrano (NATO Communications and Information Agency)
April 3, 2013 13:30-14:15
serrano-oscar-slides.pdf
MD5: 2cae9095d87e4f643aefb7add5e22284
Format: application/pdf
Last Update: April 15th, 2013
Size: 554.91 Kb
US
Welcome
Gavin ReidGavin Reid (HUMAN Security, US)

Gavin Reid is VP of Threat Intelligence for HUMAN, HUMAN is a cybersecurity company that protects enterprises from bot attacks to keep digital experiences human. Previous to this, he was the CSO for Recorded Future. Recorded Future delivers advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations. Reid had global responsibility for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. Gavin has 20 years of experience in managing all aspects of security for large enterprises. He was the creator of Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Gavin started doing information security at NASA's Johnson Space Centre.

April 2, 2013 09:00-09:15