Program Overview

The FIRST Symposium event is restricted to FIRST members only and will be held in Feb 1-3, 2011.

Nevertheless, since this will be a joint event with TF-CSIRT - the European CSIRT regional initiative- there will be some sessions restricted to TF-CSIRT members only and others open to both communities.

This year's event is hosted and co-sponsored by e-LaCaixa CSIRT.

Tuesday, February 1^st
TF-CSIRT Meeting
Wednesday, February 2^nd
TF-CSIRT/FIRST Symposium
Thursday, February 3^rd
FIRST Symposium Hands On Classes

Tuesday, February 1^st

	TF-CSIRT Meeting
09:00 – 12:30	Trusted Introducer Meeting *
13:30 – 13:35	BE Welcome, introductions and apologies Lionel Ferette (Belnet CERT, BE)
13:35 – 13:40	BE Approval of minutes and status of action items Lionel Ferette (Belnet CERT, BE)
13:40 – 14:00	LV CERT NIC.LV presentation Baiba Kaskina (CERT NIC.LV, LV)
14:00 – 14:20	NL GOVCERT.NL presentation André Oosterwijk (GOVCERT.NL, NL)
14:20 – 14:40	CESICAT-CERT presentation Carles Fragoso (CESICAT-CERT)
14:40 – 15:00	DE ENISA update Marco Thorbrügge (ENISA, DE)
15:00 – 15:30	Coffee Break
15:30 – 15:50	Malware Domain Notification Serge Droz (SWITCH-CERT)
15:50 – 16:10	AbuseHelper update Christian Van Heurck (BELNET CERT)
16:10 – 16:20	NL TRANSITS2 update Don Stikvoort (NL)
16:20 – 16:30	DE ICANN review of WHOIS policy (RT4) Wilfried Woeber (ACOnet-CERT, DE)
16:30 – 16:40	DE RIPE Database IRT and Abuse Task Force Wilfried Woeber (ACOnet-CERT, DE)
16:40 – 17:00	LU BGP Ranking Project Alexandre Dulaunoy (CIRCL, LU)
17:30 – 18:30	TI Review Board **
20:00 – 22:00	Social Event

Wednesday, February 2^nd

	TF-CSIRT/FIRST Symposium
09:00 – 09:15	Welcoming remarks Steve Adegbite (FIRST Steering Committee Chair)
09:15 – 09:30	Welcome from La Caixa
09:30 – 10:00	US A Day in the Life of an Incident Responder Gavin Reid (HUMAN Security, US)
10:00 – 10:30	DE X-ARF Tilmann Haak (DFN-CERT, DE)
10:30 – 11:00	US FluxTracker - The Fast-Flux Service Networks Tracker Marc Vilanova (Netflix, US)
11:00 – 11:15	Coffee Break
11:15 – 11:45	Smartphones and fraud: The good, the bad and the ugly Marc García Mateos (GMV Soluciones)
11:45 – 12:30	Team updates IT-ISAC, IBM, CESICAT-CERT, ECSC, NTT-CERT
12:30 – 13:30	Lunch
13:30 – 14:30	US Panel: International Coordination in a Borderless World Scott Algeier (IT-ISAC – Information Technology - Information Sharing and Analysis Center , US)
14:30 – 15:00	FR Evil Eating Evil Alex Kouzmine, Vincent Hinderer (CERT-LEXSI, FR)
15:00 – 15:15	Coffee Break
15:15 – 15:30	US DNS Security Survey Yurie Ito (ICANN, US)
15:30 – 16:00	Security of Cloud Computing Oscar Marquez (ISheriff)
16:00 – 16:30	Growing Risks and Collaborative Responses Greg Rattray (BITS/Financial Services Roundtable )
16:30 – 17:00	Closing Remarks

Thursday, February 3^rd

	FIRST Symposium Hands On Classes
09:00 – 12:00	NL Tracking, analyzing and describing threats and vulnerabilities with Taranis André Oosterwijk, Bart Roos (GOVCERT.NL, NL)
12:00 – 13:30	Lunch
13:30 – 17:00	DE Hands-on class on file system analysis Andreas Schuster (Deutsche Telekom AG, DE) 13:30 – 17:30 US Prioritizing Defensive Measures Robert Floodeen (CERT/CC, US) 13:30 – 17:30 NL Tracking, analyzing and describing threats and vulnerabilities with Taranis André Oosterwijk, Bart Roos (GOVCERT.NL, NL)

FIRST Symposium Hands On Classes

09:00 – 12:00

Tracking, analyzing and describing threats and vulnerabilities with Taranis

André Oosterwijk, Bart Roos (GOVCERT.NL, NL)

12:00 – 13:30

Lunch

13:30 – 17:00

Hands-on class on file system analysis

Andreas Schuster (Deutsche Telekom AG, DE)

13:30 – 17:30

Prioritizing Defensive Measures

Robert Floodeen (CERT/CC, US)

13:30 – 17:30

Tracking, analyzing and describing threats and vulnerabilities with Taranis

André Oosterwijk, Bart Roos (GOVCERT.NL, NL)

US
A Day in the Life of an Incident Responder
Gavin ReidGavin Reid (HUMAN Security, US)

Gavin Reid is VP of Threat Intelligence for HUMAN, HUMAN is a cybersecurity company that protects enterprises from bot attacks to keep digital experiences human. Previous to this, he was the CSO for Recorded Future. Recorded Future delivers advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations. Reid had global responsibility for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. Gavin has 20 years of experience in managing all aspects of security for large enterprises. He was the creator of Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Gavin started doing information security at NASA's Johnson Space Centre.

February 2, 2011 09:30-10:00
LU
BGP Ranking Project
Alexandre DulaunoyAlexandre Dulaunoy (CIRCL, LU)

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

February 1, 2011 16:40-17:00
Closing Remarks

February 2, 2011 16:30-17:00
DE
ENISA update
Marco Thorbrügge (ENISA, DE)

February 1, 2011 14:40-15:00
NL
GOVCERT.NL presentation
André Oosterwijk (NL)

Andre Oosterwijk is a Senior Security Specialist – Incident Response at KPN CERT. He has worked in the public sector from 1997-2015 in different roles related to Incident response and security analysis at the Ministry of Defence and the National Cyber Security Centre (NCSC-NL). His first TF-CSIRT meeting was in 2007 and he is an active participant in the community since then. The past years Andre worked for several multinational companies on Incident Response/Forensics and SOC/CSIRT deployment. Since 2017, he is working at the Dutch telco KPN as part of the KPN-CERT team.

February 1, 2011 14:00-14:20
DE
Hands-on class on file system analysis
Andreas Schuster (Deutsche Telekom AG, DE)
Summary: Many free and commercial tools are available to examine common file systems like ext3, HFS, NTFS, and the ubiquitous FAT. But how do you analyze a less common file system? During this hands-on class you will explore a number of sample disk images and learn how to:
- start with your analysis
- mount and dissect forensic disk images
- interpret partitioning schemes (MBR, GPT)
- break down a volume into functional units
- visualize your data using Gnuplot and GraphViz
- find repeating data structures
- make sense out of bit patterns
Students are required to bring their own computer with VMware installed. At least 1 GB of main memory and 30 GB of disk space should be free. A Linux VM with tools and sample data will be provided on DVD. Feel free to bring your own tools, too!
February 3, 2011 13:30-17:30
US
Panel: International Coordination in a Borderless World
Scott Algeier (Information Technology - Information Sharing and Analysis Center , US)

February 2, 2011 13:30-14:30
algeier-scott-slides.pdf
MD5: fa227a3f38a1b97227656435649d640b
Format: application/pdf
Last Update: June 7th, 2024
Size: 430.52 Kb
US
Prioritizing Defensive Measures
Robert Floodeen (US)
Summary: If you build it, they will hack it. Can your team survive 3 hours of attacks? With 30 virtual machines and 100's of vulnerabilities known to the attackers, teams are put through the paces in making realistic decisions as to which systems to harden and which to "leave till later". This exhausting challenge will prepare your team for large scale technical response as your resources are constrained and successful attacks keep occurring.

Equipment: Please bring a laptop.
- Web Browser that allows signed ActiveX (Microsoft Remote Desktop Connection) OR signed Java Applets
- Access to TCP 80, 443, 3389 on 192.88.209.160/28 and 128.2.243.128/25
- Screen resolution of 1280x1024 or greater
Instructions: We will provide detailed directions for a number of tasks so novice as well as senior technical staff will get a chance to contribute. On the other hand, there are challenges that very few will have the ability to figure out.

Teams: Build your own, or we will help you join one at the start of the exercise. It is more than reasonable to have remote members not in Barcelona (remote team members) assist in this exercise. The environment will be accessed via XNET, which does not have a physical limitation based on geographical location.

Scoring: We have an automated scoring script that will run the attacks as well as verify the required services are maintained.

Wrap-up: We will conclude with an instructor-lead walkthrough of a few of the scarier attacks.

Are you ready, what will be your first step? Restrict the internal compromised system, protect the E-Mail server, lock down the Web server, implement blocks on the router, start network monitoring, or enable enterprise logging? Oh, and don’t miss the number of internal documents being exfiltrated from an insider.
February 3, 2011 13:30-17:30
Team updates
IT-ISAC, IBM, CESICAT-CERT, ECSC, NTT-CERT

February 2, 2011 11:45-12:30
it-isac.pdf
MD5: 1d1ced8462d252368651a47d1008bb82
Format: application/pdf
Last Update: June 7th, 2024
Size: 615.09 Kb
NL
Tracking, analyzing and describing threats and vulnerabilities with Taranis
André Oosterwijk (NL), Bart Roos (NL)
Summary: In order to streamline her vulnerability management capabilities, GOVCERT.NL has developed a tool called Taranis. This tool is designed to help CERT's/CSIRT's to manage the constant flow of information from a variety of sources, and to inform relevant constituents of threats and new vulnerabilities. Taranis is developed in-house and is being shared among partners and other trusted parties.

This workshop is aimed at current and potential users of Taranis and at security specialists responsible for tracking, analyzing and describing threats and vulnerabilities.

There are no special pre-requisites for people willing to attend this course.

To be able to carry out the hands-on exercises, we will supply a VMware-based image of Taranis. To be able to use this image, you are required to bring your own laptop equipped with:
- VMware Player 2 or 3 (or any other virtual machine that can handle VMware-images like VMware Fusion for Mac OS X and Sun VirtualBox).
February 3, 2011 09:00-12:00, February 3, 2011 13:30-17:00
NL
TRANSITS2 update
Don StikvoortDon Stikvoort (NL)

Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security – specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.

After his MSc degree in Physics, he became Infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet since November 1989. He recognised “security” as a future concern in 1991, and was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992-8, and FIRST member since 1992. Today Don is a FIRST Liaison Member.

Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.

In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 has is now under the wings of the “Open CSIRT Foundation” (OCF). Don was one of the founders in 2016 and now chairs its board.

Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, which portfolio is life & executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field.

Don thrives as motivational and keynote speaker. He enjoys to share his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate – and how deeper understanding and a better ability to express ourselves, increase our ability to bring good change to self as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out-of-the-box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:

“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.

February 1, 2011 16:10-16:20
Trusted Introducer Meeting *

February 1, 2011 09:00-12:30