Agenda is subject to change. Times shown are in the host country's time zone, UTC+8.
Plenary | | | |
---|---|---|---|
08:30 – 09:00 | | Registration | |
09:00 – 09:15 | TW JP | | Herming Chiueh (Ministry of Digital Affairs, TW); Yukako Uchida (JPCERT/CC, JP) |
09:15 – 10:00 | TW | Keynote Address – AI Agent For Cybersecurity: No Copilot, No Rules, No Code | Benson Wu (CyCraft, TW) |
10:00 – 10:45 | US | Keynote Address – The National Vulnerability Database: What It is and Where It’s Going | Tanya Brewer (NIST, US) |
10:45 – 11:00 | | Coffee Break | |
11:00 – 11:30 | JP | Initiatives as a Coordinating Center for Smoother Vulnerability Coordination | Hiroki Kimura (JPCERT Coordination Center, JP) |
11:30 – 12:00 | KR | Essentials for Adopting CVD into Cybersecurity Frameworks | Tae Seung Lee (Korea Internet & Security Agency, KR) |
12:00 – 14:00 | | Lunch | |
14:00 – 14:30 | TW | TSMC Practice Sharing - Secure the Supply Chain | Leon Chang (TSMC, TW) |
14:30 – 15:15 | JP | Bridging the Gaps in Incident Management: Accelerating Collaboration with SIM3 | Seiichi Komura (Chair of SIM3 Promotion Committee, Nippon CSIRT Association, JP); Yoshiki Sugiura (NTT DATA Intellilink Corporation, JP) |
15:15 – 15:30 | | Coffee Break | |
15:30 – 16:00 | LT | Automate Hunting with Opensource | Marius Urkis (NRD CIRT, LT); Paulius Dauksas (NRD Cyber Security, LT) |
16:00 – 16:30 | TW | Earth Kurma Uncovered: Cyber Threats to Southeast Asian Governments | Nick Dai, Sunny Lu (Trend Micro, TW) |
Training | | | |
---|---|---|---|
08:30 – 09:00 | | Registration | |
09:00 – 10:30 | US | MITRE ATLAS: Mapping AI Threats and Navigating Incident Sharing | Shiri Bendelac, Tabitha Colter (The MITRE Corporation, US) |
10:30 – 10:45 | | Coffee Break | |
10:45 – 12:00 | US | MITRE ATLAS: Mapping AI Threats and Navigating Incident Sharing | Shiri Bendelac, Tabitha Colter (The MITRE Corporation, US) |
12:00 – 13:00 | | Lunch Break | |
13:00 – 14:30 | US | MITRE ATLAS: Mapping AI Threats and Navigating Incident Sharing | Shiri Bendelac, Tabitha Colter (The MITRE Corporation, US) |
14:30 – 14:45 | | Coffee Break | |
14:45 – 16:30 | US | MITRE ATLAS: Mapping AI Threats and Navigating Incident Sharing | Shiri Bendelac, Tabitha Colter (The MITRE Corporation, US) |
Marius Urkis (NRD CIRT, LT), Paulius Dauksas (NRD Cyber Security, LT)
In today's rapidly evolving cybersecurity landscape, manual threat detection processes struggle to keep pace with the growing sophistication and volume of cyberattacks. Threat hunting, the proactive approach to detecting and neutralizing advanced threats, can be a time-consuming and resource-intensive task. Automation, coupled with open-source tools, offers an efficient and cost-effective way to enhance threat hunting capabilities. This presentation explores the approach of threat hunting automation using widely available open-source tools, such as MISP, Shuffle, RTIR, IntelOwl. We will discuss how automation frameworks streamline data collection, false-positive management, and incident response, significantly reducing response times and enabling more efficient use of cybersecurity resources. The session will include real-world use cases, tool demonstrations, and best practices for implementing automated threat hunting in CSIRTs and SOCs of various sizes. Participants will gain insights into how to harness the power of open-source tools to improve their organization's security posture while maintaining flexibility and cost-efficiency.
Marius Urkis is a senior researcher and CSIRT/SOC architect, with more than 20 years of experience in Incident Management, CSIRT capability and capacity building. At NRD Cyber Security he specializes in security incident investigations, CSIRT architecture setup and process automation. He is leading CSIRT technology stack development, which provides an integrated toolset for national, regional or sectorial CSIRT teams. He also participates in CSIRT capability, maturity, and capacity building projects in different countries around the world.
Paulius Dauksas is a Cyber Security Consultant at NRD Cyber Security, specializing in CSIRT/SOC setup, modernization, and cybersecurity capacity building for nations and critical sectors. He works on Natrix, a collective cyber defence solution for key industries, and contributes to both local and international projects. Paulius has hands-on experience in CII protection, cyber crisis management, and has engaged with organizations like the ITU, World Bank, DCAF, Gates Foundation, and UK Home Office through conferences, workshops, proposals, etc.
November 7, 2024 15:30-16:00
Seiichi Komura (Chair of SIM3 Promotion Committee, Nippon CSIRT Association, JP), Yoshiki Sugiura (NTT DATA Intellilink Corporation, JP)
In CSIRT activities, cooperation with other teams is essential. To conduct appropriate activities quickly and efficiently, it is important not only to enhance the technical and incident response capabilities of your own team, but also to act appropriately as a CSIRT, for example by organizing the team charter, various ranges and the communication system with the constituency, and by communicating and collaborating with other teams appropriately. In this presentation, we will discuss the necessity of CSIRT maturity, focusing on the points where CSIRTs collaborate with other teams and communities. First, we will introduce the CSIRT maturity model SIM3 and describe what FIRST and other CSIRT communities are looking for in member CSIRTs. Next, we will introduce the three SIM3 maturity baselines required for national CSIRTs in the EU, and the baseline that the European CSIRT community TF-CSIRT uses for certifying mature CSIRTs. We will also introduce activities and training for CSIRT maturity in Japan, Pacific countries, and East Asia. Our presentation will include the simple exercises listed below to promote understanding of SIM3.
Exercise 1: We will ask attendees to order what is important in the four areas of SIM3 by Basic, Intermediate, and Advanced. There is no correct answer, but we will share the three ENISA baselines and the TF-CSIRT averages for each area as a reference. After that, we will compare the result with the baseline of the European communities.
Exercise 2: We will present some items from SIM3 and ask attendees to guess which field they are in. We will occasionally include among the options an item from RFC 2350 or the FIRST CSIRT Framework that is not in SIM3.
*We would like to have 60 min for our presentation, but we are able to arrange it in 45 min if needed.
Seiichi "Ichi" Komura, Certified SIM3 Trainer and Auditor, CISSP. He is a member of the steering committee, the chair of the SIM3 promotion committee and the leader of the CSIRT evaluation and maturity model WG of the Nippon CSIRT Association (NCA). He conducts CSIRT-related presentations, lectures and training in several communities and universities. He is a senior manager at NTT Advanced Technology Corporation, where he works as a POC of the internal CSIRT, a consultant on building and improving CSIRTs, and a trainer of information security.
Yoshiki yo!! Sugiura has been working in CSIRTs for 25 years. He used to be a member of JPCERT/CC from 1998 to 2002. He works for IL-CSIRT and NTT-CERT. He is also a board member of Nippon CSIRT Association. He is a certified trainer and auditor for SIM3. His current working area is management of CSIRT.
November 7, 2024 14:30-15:15
Nick Dai (Trend Micro, TW), Sunny Lu (Trend Micro, TW)
We uncovered a sophisticated APT campaign targeting multiple countries in Southeast Asia, including the Philippines, Vietnam, and Malaysia. We have named this campaign "Earth Kurma." Our analysis revealed that the attackers primarily focused on high-profile entities, such as government agencies and telecommunications companies. The threat actors employed a variety of malware tools, including TESDAT, DUNLOADER, and KRNRAT, to infiltrate their targets. One particular discovery was their use of public cloud services to exfiltrate confidential documents, a tactic that complicates detection and response efforts. Upon further research, we identified weak links between Earth Kurma and ToddyCat, a known APT group. Both shared some similarities between their TTPs and targets. Given the geopolitical landscape and the regions targeted, we hypothesize that Earth Kurma's operations may be motivated by the ongoing tensions in the South China Sea. In our ongoing investigation, we are also exploring ways to identify additional potential victims. By analyzing the artifacts left behind by Earth Kurma, we can trace their movements. This approach not only enhances our understanding of the group's operational methods but also aids in fortifying defenses against similar threats in the future.
Nick Dai is a threat researcher at Trend Micro with expertise in reverse engineering, malware analysis, APT investigation, and threat intelligence. He has spoken at multiple conferences such as JSAC, BotConf and CyberSec.
Sunny W Lu is a threat researcher at Trend Micro. She has been engaged in tracking and hunting APT malware and attacks in the APAC region.
November 7, 2024 16:00-16:30
Tae Seung Lee (Korea Internet & Security Agency, KR)
Recently, cybersecurity has been moving toward a proactive response focusing on vulnerabilities. As a result, vulnerability treatment is establishing itself as an important competitive factor for ICT product manufacturers and service providers. In particular, the US, EU, and OECD have been adopting and promoting Coordinated Vulnerability Disclosure (CVD) into their cybersecurity frameworks as part of measures to enhance the security of ICT products and services. CVD is a security vulnerability response process based on the cooperation among white-hat hackers (security researchers), ICT product manufacturers or service providers, and CVD coordinators (CERTs/CSIRTs). CVD covers the entire vulnerability disclosure lifecycle, including the discovery, reporting, remediation, and disclosure of security vulnerabilities in ICT products and services. Based on this vulnerability-centric cybersecurity trend, we will introduce what CVD is, why adopting CVD into cybersecurity frameworks is important, and what the essentials for adopting CVD are. First, to understand what CVD is and why adopting CVD into cybersecurity frameworks is important, we will examine the status of CVD adoption in the US, EU, and OECD, focusing on their cybersecurity laws, policies, and guidelines related to CVD. Then, we will identify three requirements for adopting CVD into cybersecurity frameworks: the establishment and publication of a Vulnerability Disclosure Policy (VDP), legal protection for white-hat hackers against laws such as cybercrime law, data protection law, and copyright law, and the designation and role assignments of CVD coordinators (CERTs/CSIRTs). Finally, to promote CVD adoption in APCERT economies within the Asia-Pacific region, we will introduce the need for a common publication method and template for the Vulnerability Disclosure Policy (VDP) as key considerations. 
Given that cybersecurity frameworks may differ across APCERT economies within the Asia-Pacific region, we hope this presentation will be helpful in promoting the adoption of CVD in these economies.
Dr. Tae-seung Lee is currently working as a chief researcher at KrCERT/CC of the Korea Internet & Security Agency (KISA), where he is involved in improving cybersecurity frameworks. He is also participating in the APCERT PPG and CVD Working Groups. He joined Samsung Electronics in 1996, where he worked as a project leader or researcher in the field of software development for six years. Since 2002, he has worked at KISA as a team director or researcher in cybersecurity areas such as Common Criteria for information security, personal information protection, and cybersecurity incident prevention and response. He received his bachelor's degree, master's degree, and Ph.D. in computer science. His current research interests are cybersecurity policy and legislation, cybersecurity incident prevention and response, and AI security.
November 7, 2024 11:30-12:00
Hiroki Kimura (JPCERT Coordination Center, JP)
JPCERT/CC developed a guideline outlining the tasks and considerations required for smooth vulnerability coordination, based on a survey of efforts taken by vendors. Recently, vulnerabilities that affect products used in various fields have been reported, and many vendors are struggling to deal with them. One of the reasons for this is that, although there are a variety of vulnerability coordination cases depending on the vendor's industry and the stakeholders affected, much of the work relies on the experience of those who have been involved. It can be assumed that vendors, especially those with less experience, take a lot of time to understand the tasks and considerations required in each case. Therefore, JPCERT/CC considered that it would be helpful to clearly state the know-how of vulnerability coordination. We collected case studies on experienced vendors’ knowledge and their PSIRT structures, and included information in the guidelines that other vendors may easily refer to. Compared to FIRST’s PSIRT Services Framework, which covers the whole range of PSIRT operations and necessary functions and is intended for a broad variety of readers, the main target of our guideline is the primary point of contact for vulnerability information and not necessarily security engineers. It outlines the basic minimum actions and communication that we recommend vendors perform. We now promote the guideline to vendors in Japan, hoping that it will reduce the workload of vulnerability coordination. This presentation will introduce our efforts within the country to ensure better and smoother coordination.
Hiroki Kimura has worked as a vulnerability coordinator at JPCERT/CC for 2 years, following his experience at Hitachi as a system engineer. His current main job is investigating and improving vendor vulnerability coordination within Japan.
November 7, 2024 11:00-11:30
Benson Wu (CyCraft, TW)
In an era defined by evolving cyber threats and growing attack surfaces, the need for proactive, autonomous defense mechanisms is more pressing than ever. The talk will introduce a cutting-edge AI Agent for cybersecurity that operates without traditional copilots, predefined rules, or extensive coding. This AI-driven agent autonomously scans and identifies exposed vulnerabilities, investigates compromised systems, and fortifies abused identities in real time. Notably, Taiwan’s unique threat landscape positions it as an early warning system, providing critical insights that strengthen global cyber defenses.
Benson Wu is the CEO and co-founder of CyCraft. He has lectured many times at well-known cybersecurity conferences in Taiwan and abroad, including Black Hat, DEFCON, and HITCON. He has worked at institutions such as the National Information & Communication Security Taskforce of the Executive Yuan and the Research Center for Information Technology Innovation of Academia Sinica, and has been co-founder of Xecure Lab, general manager for the Taiwan region of the Israeli company Verint, and technical director at the U.S. company Armorize. Benson was awarded the 2020 ICT Month Outstanding ICT Elite Award.
November 7, 2024 09:15-10:00
Tanya Brewer (NIST, US)
Many individuals and organizations are familiar with the US National Vulnerability Database (NVD), but few are aware of its origins, data sources, or future plans. This presentation will explore these aspects, provide insights into the vulnerability ecosystem in which the NVD functions, and share some intriguing facts about the NVD and its data.
Tanya Brewer is a Cybersecurity Program Manager at the US National Institute of Standards and Technology. She manages the National Vulnerability Database (NVD) Program, so folks around the world can know more about publicly disclosed vulnerabilities. She has worked on technical standards and program management in the areas of cybersecurity and privacy for smart grids, electric vehicles, identity management, biometrics, and industrial control systems; cybersecurity education; and workforce training. She has done so with experts from NIST, ITU-T, OECD, SAE, privacy watchdogs, power companies and co-ops, the Department of State, and the U.S. Senate. She blends her background in public policy and cybersecurity to scale complex, multi-stakeholder programs while keeping them approachable to people of all backgrounds. When not managing her team and thousands of vulnerabilities, she is crafting beautiful miniatures or using a stick to turn string into soft and warm beauty.
November 7, 2024 10:00-10:45
Shiri Bendelac (The MITRE Corporation, US), Tabitha Colter (The MITRE Corporation, US)
This session will provide an opportunity for attendees to learn more about the resources within MITRE ATLAS™ and explore the world of adversarial attacks and incident information sharing for AI-enabled systems. Attendees will spend time engaging with the ATLAS matrix of tactics, techniques, and procedures, leaving the session with a better understanding of the unique adversarial attacks that have been leveraged against AI systems in real-world incidents and realistic red-teaming demonstrations. Workshop attendees will also learn about the most recent updates to ATLAS’s living knowledge base that were released in collaboration with leading industry partners through the Secure AI project within MITRE Engenuity’s Center for Threat Informed Defense. Finally, workshop participants will have the opportunity to engage directly with the ATLAS team in a series of engaging conversations around improving voluntary information sharing practices during an AI incident.
Attendee Requirements: Please bring a laptop as well as something to write with.
Pre-reading to prepare for the Training:
Shiri Bendelac, Secure AI Technical Lead and ATLAS Deputy Project Lead, The MITRE Corporation
Since 2018, Shiri has been a Lead AI Researcher at the MITRE Corporation, where she specializes in AI Security. She has led multiple AI Security teams demonstrating vulnerabilities in various AI systems in support of a range of U.S. Government sponsors as well as IR&D. In addition to her role as an AI subject matter expert in MITRE's IR&D program, aligning MITRE's AI technical research portfolio with the broader mission strategy, she is the Deputy PL for MITRE ATLAS, a knowledgebase of adversary tactics and techniques against AI-enabled systems used by government and industry. A recipient of the Cybercorps Scholarship for Service, Shiri holds B.S. and M.S. degrees in Computer Engineering from Virginia Tech.
Tabitha Colter, Secure AI Project Lead and ATLAS Community Engagement Lead, The MITRE Corporation
Since joining MITRE’s AI and Autonomy Lab in April 2022, Tabitha has supported projects focused on assuring the security and reliability of AI systems. This includes serving as the Project Lead for the Center for Threat-Informed Defense’s Secure AI project to expand the MITRE ATLAS™ knowledge base, supporting government and industry partners to improve voluntary information sharing about AI incidents, and leading the strategic outreach and communication efforts for the U.S. Department of Defense’s Chief Digital and AI Office (DoD CDAO) JATIC program focused on providing open-source tools for AI test and evaluation. Before joining MITRE, Tabitha was Director of Operations at Partners for Automated Vehicle Education (PAVE) where she shared facts with the public about autonomous vehicles to empower them to participate in conversations about the future of transportation. Tabitha holds a Master’s in Bioethics and Science Policy from Duke University thanks to the National Science Foundation’s Graduate Research Fellowship Program (NSF GRFP) and a Bachelor of Science in Physics and Philosophy from Furman University.
November 8, 2024 09:00-10:30, November 8, 2024 10:45-12:00, November 8, 2024 13:00-14:30, November 8, 2024 14:45-16:30
Herming Chiueh (Ministry of Digital Affairs, TW), Yukako Uchida (JPCERT/CC, JP)
Herming Chiueh, Deputy Minister, Ministry of Digital Affairs
Yukako Uchida is the Manager of Global Coordination Division at Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). She is responsible for international collaboration activities with overseas Cyber Security Incident Response Teams (CSIRTs), mainly in the Asia Pacific region. She has participated in several international CSIRT communities including Asia Pacific Computer Emergency Response Team (APCERT) for about 10 years. She joined the FIRST Board of Directors in 2021.
Yukako has participated in the FIRST community through the following activities:
- Supported the organising team for Osaka TC in 2018
- Attended TCs and Regional Symposia held in Shanghai, Muscat, Málaga and Bilbao
- Organised a panel session at 2020 Annual Conference (virtual) on regional CSIRT communities
- Assisted in Japanese translation of several FIRST documents (TLP v2, EthicsfIRST etc.)
- Involved in multiple membership applications as a sponsor for teams in Japan and other countries
- Actively communicate with local FIRST members to keep them updated about the latest FIRST activities
Since being appointed as a board member in 2021, Yukako has been engaged in the following board activities:
- Organised the Incident Response Hall of Fame program for 2022 and 2023 Annual Conference
- Lead the training programs and engagements
- Organise FIRST-APCERT Symposium for Asia-Pacific Region
- Participate in the diversity and inclusion discussions
November 7, 2024 09:00-09:15
Leon Chang (TSMC, TW)
A business is only as secure as the weakest link in its supply chain. With an increasing risk of attacks on supply chains, supply chain security is becoming a pressing issue for companies. TSMC set the vision to elevate global supply chain security in 3 stages: 1) influence and help TSMC suppliers, 2) partner with SEMI, and 3) have suppliers and SEMI members influence their own suppliers. TSMC is committed to implementing the Information Security Declaration and promoting supply chain information security management in four major areas: establishing regulations, developing evaluation mechanisms, establishing diverse promotion and training mechanisms, and risk management. In order to further enhance its cybersecurity management practices, in June 2024 TSMC organized its first Supply Chain Security Workshop with the theme of Strengthening Supply Chain Information Security Management Practices. During the workshop, TSMC shared its experiences in implementing ten key information security control measures. Over 800 participants from 486 important suppliers attended the workshop. According to feedback from suppliers, the experience sharing helps to optimize cybersecurity management and build a more resilient semiconductor supply chain. TSMC further partners with SEMI to deliver the Semiconductor Equipment Security Standard, SEMI E187, and to come out with a security assessment methodology to help improve supply chain resilience.
Leon Chang is a deputy director of the TSMC IT Security Division. With 26 years of experience in the IT and cybersecurity domain, Leon is responsible for TSMC cybersecurity risk management, security policy, procedure development, security defense solution implementation, awareness promotion and supply chain security management. Leon led the SEMI taskforce and developed E187, the cybersecurity specification for fab equipment. He also joined the SEMI Taiwan Cybersecurity committee and, acting as sub-group leader, defined the security assessment methodology to help improve supply chain security resilience.
November 7, 2024 14:00-14:30