Program Overview

During a recent incident response engagement, I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. When analysing the malware to unpack it, a suspicious string was found in the memory - https://ipnumber/list.txt. The list contained a not only a complete inventory that the threat actor had, but also a link to the full repository of all their tools, almost 5 GB / over 100 files and scripts of content covering every part for an intrusion -from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research on all the aspects of this tooling.

This presentation goes through many of the tools that have been reverse engineered and provides advice on how to detect and mitigate the effect from this threat actor. Further, it reveals techniques used to turn off anti-virus and clear out logs, including keys used for locking down computers and much more.

To conclude I will investigate the threat intelligence part of the intrusion, showing how threat actors copy and stockpile techniques from each other and finish off showing how malware analysis in combination with threat intelligence made it possible to find an undetected spare back door that was deployed in the environment.

In this talk I will also share several indicators of compromise as well as tools, tactics, and procedures from an active and aggressive ransomware operator that can serve as inspiration for how malware analysis and threat intelligence can be operationalized to stop an intrusion.

Nicklas Keijser works as a Threat Research Analyst at Truesec. That involves reverse engineer much malware found in our incident response, with a majority coming from ransomware cases, but also malicious code found by our SOC. Nicklas also serves as a subject matter expert in questions involving industrial control system, working many years in the field of OT security. Before joining Truesec Nicklas worked as CSIRT officer at the Swedish national CERT, CERT-SE.

Training is for current and future senior and mid-managers of CSIRTs and SOCs. The objective of the training is to spend full day reflecting and collectively working on CSIRT managers’ daily questions and concerns, including CSIRT KPIs, Annual report writing, clarity improvement in CSIRT mandate and strategy, CSIRT manager’s time planning and allocation. It will be dedicated time to build relations between managers, discussing and supporting each other.

Dr. Vilius Benetis is member of NRD CIRT (in NRD Cyber Security), where he leads a team of experts to consult, establish and modernize CSIRT/SOCs for sectors, governments and organizations in Africa, Asia, Europe, and Latin America. He is an active contributor and speaker for ISACA's cybersecurity research and contributes to development of CSIRT methodologies for ENISA, FIRST.org and ITU. He is an industry professor in Cybersecurity at Kaunas Technology University (ktu.edu).

Cyber fortress is online strategy TTX game in which players learn how to build and defend critical infrastructure of various organizations in their virtual countries. For this purpose there are scenarios prepared, based on real attacks. Scenarios, which consist of both - technical ana organizational aspects, simulate real cyber-attacks. The game can be played by individual players as well as teams. Especially team based version bring a significant value in terms of understanding and learn a cooperation during crisis situations. Building the most effective cybersecurity system is on the budget-based approach.Players and teams receive a virtual budget that limits the scope of their investments. The main idea and the task during the game is protection of teams/players critical infrastructure against the most likely threats and to effectively react during the attack phases. Competitors have available various cybersecurity measures, which represent real choices from organizational aspects, processes and technical cybersecurity solutions.

The game has the three years history and proved its practical value during many events and trainings.

Marcin Fronczak has worked for 12 years as Chief Information Security in the financial and insurance sectors, and performed IT/OT area security audits for a critical infrastructure operator. Prior to that, he spent 5 years as a consultant in the area of technology risk and security. During many audits and consulting projects in Europe, he gained extensive experience and thorough knowledge of risks and auditing of ICT systems, confirmed by obtaining international certifications including CISA, CIA, CRISC, Comptia Security +, ISO 27001 LA. He was the first Pole to earn the CCSK certification in the Cloud Security Area. He currently works at ComCERT as a leader of the R&D team and serves as President of the Polish branch of the Cloud Security Alliance.

Mirosław Maj (Open CSIRT Foundation, Cybersecurity Foundation, ComCERT.PL) Over 20 years of experience in ICT security. Co-founder of Open CSIRT Foundation - the stewardship organisation for SIM3 model and co-provider of Trusted Introducer service for CSIRTs, including processing of CSIRT formal certifications. Lecturer of cybersecurity courses on few universities.

Founder and president of the Cybersecurity Foundation, Vice-president of the ComCERT company, a former leader of CERT Polska team. The member of the Digital In 2017-2018 he was the adviser to the Minister of National Defence of Poland on planning cyberdefence capabilities and building organizational structures and establishing international cooperation in the field of cyberdefence. In March 2021 was appointed a member of the Digitalization Council at the Ministry of Digital Affairs.

European Network Information Security Agency expert and co-author of many ENISA publications including CERT exercises and papers on improvement CSIRT maturity. He organised 10 editions of cyber exercises (Cyber-EXE™) in several countries for most essential sectors (e.g energy, banking, telecommunication). Speaker on many international conferences including the FIRST conferences. He is also the originator and organiser Security Case Study conference, one of the largest cybersecurity event in Poland.

Piotr Kepski currently works as a Cybersecurity Systems Analyst at ComCERT S.A., where he works in the area of cyber threat modeling and TTP (techniques, tactics and procedures) in cyber attacks. He is an internal auditor of the Information Security Management System according to the ISO/IEC 27001 standard. As a member of the Cybersecurity Foundation, he actively works to strengthen awareness in the area of threats from cyberspace, including, among other things, conducting trainings, co-creating the Cyber, Cyber... podcast series and participating in the organization of the Cyber Fortress League.

When Russia launched its devastating war on Ukraine this year, it also sought to disrupt Ukraine’s business, government, and communications with an unrelenting barrage of cyberattacks. However, Cisco and its Talos threat intelligence group helped assist Ukraine by managing and monitoring the security of critical infrastructure customers in Ukraine. The session will cover lessons from the ongoing cyberwar which can be applied to improve corporate defense and critical infrastructure protection.

Artsiom Holub is a Senior Security Analyst on the Cisco Talos Web and DNS Threat Research team. Throughout the course of the day, he works on discovery of new threats and attacks by analyzing global data coming from Cisco telemetry, and designs tactics to track down and identify malicious actors and domains. He is a frequent presenter at major cybersecurity conferences including RSAC, Black Hat and THEFirst. Holub is currently focused on analysis and research of various cybercrime campaigns and building defensive mechanisms powered with ML

When a company has been hit by ransomware, and their backups have also been compromised, it is often assumed that the business is left with only 2 choices:

• Pay and pray
• Rebuild the business

However, ransomware authors and operators make mistakes too, and when they do, it can open a window for incident responders to fully restore business operations.

In this presentation, Improsec will talk about our experiences with ransomware, and how using a specific crypto analysis methodology helped identify a flawed ransomware implementation. By exploiting this flaw, the Improsec CSIRT was able to write a decrypter and fully recover ALL of the customer’s encrypted files.

Christoffer Bech is now a generalist in cyber defence, but he has previously worked with penetration testing, digital forensics, threat analytics, and incident response. He currently serves as the Director of Cyber Defence at Improsec. Prior to Improsec, Christoffer served as a security specialist with the Danish Military and Danish Cyber Defence where he worked bridging the gaps between operations, threat analytics, and management. Christoffer is well aware of the cyber threats facing Denmark, and he is eager to help companies push back, and make the hackers sweat. When not hunting for adversaries, he enjoys spending family time at his summer house where finetunes recipes for everything that can go in the BBQ Smoker.

Lasse Dessau is a security advisor on the Incident Response Team at Improsec. Lasse is an IT Civil Engineer who enjoys technical challenges and developing code. He has strong IR experience from The Danish Armed Forces where he worked on many cyber incidents and applied his skills in reverse engineering to combat malware threats and keep computer systems secure in Denmark. In his free time, Lasse loves spending time outdoors playing water sports and hiking.

ANSSI, as the French national cybersecurity agency, is committed in improving the global level of cybersecurity maturity, which includes providing relevant CTI information both to mitigate an adversarial situation as well as to better anticipate the occurence of malicious activities. However, using IoC is most of the time not straightforward and the need to take into account the level of knowledge that may leak to a malicious individual when handling CTI information had led the Agency to update its information sharing policy. As introduced during the last annual First conference, this policy relies on a combination of TLP and PAP to leverage on conventions that are widely understood and implemented by the CSIRT community. This approach has been positively received. If tooling has been updated, mainly to allow for further PAP support, a lot of energy has been spent in producing content aiming at supporting final users that will have to use such labelled information. Existing sharing agreements have been also updated. Enforcing this policy helped consumers to focus on CTI issues rather than associated terms of use, while in the same time producers have been offered a standard and easy to use mechanism to provide insight on the way information should, or not, be used.

Matthieu Bontrond joined ANSSI's IoC management unit in January 2020. There he had the opportunity to work on IoCs' normalisation, sharing and exploitation. Before joining ANSSI, Matthieu worked on governance and compliance issues for the French Superior Council of Notaries as CISO and for various companies as a consultant. Previously he was a cryptography analyst for the payment industry, focusing on keys management issues. Matthieu holds a Master in mathematics applied to cryptography.

Thomas Fontvielle joined the ANSSI in July 2021 as International Cooperation Officer, furthering data sharing and relationships with partners. Before that, he managed and helped develop Signal Spam, the French National Spam Reporting Center as General Secretary for 10 years.

Iron Tiger, also known as APT27 or Emissary Panda, is an advanced threat actor that has been doing espionage for more than a decade, targeting multiple sensitive industries worldwide.

In the past months, we noticed the threat actor enhancing its toolkit to target all three major platforms – Windows, MacOS and Linux. We found out that a previously unreported remote access tool named “rshell” was the final stage of the delivery chain targeting MacOS users. This campaign was very interesting as the threat actor obtained access to backend of a lesser-known chat application, whose installers were modified to deliver malicious payload, thus acting as a supply chain attack against chat application users.

Our presentation will start with the analysis of this interesting infection vector (modified MacOS installers, where and how they were modified and how we initially discovered it), followed by discussion of an earlier compromise of the same chat application to deliver HyperBro malware for the Windows platform. We will analyze the features of both rshell and HyperBro malware families utilized in this campaign, and later we will discuss connections to previous campaigns operated by the same threat actor.

As a conclusion, we will provide information on the targets of this campaign and explain our approach to attributing this campaign to Iron Tiger.

Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years. Now he focuses on long-term monitoring of advanced threat actors from all over the world, exploring new ways of tracking them, and enjoying their mistakes. The result of such investigations are shared through blogposts, whitepapers, and conference talks.

Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.

• Getting ready for NIS2 and Cyber Resilience Act (Francois Ambrosini)
• Software Vulnerabilities. Do You Handle Them? (Daniel Kouril)
• P3-CERT team of Perseus Cybersecurity Services & VulnAna (Donetz Errasti)
• Team Update on CERT-SE and the Weirdest Way We Could Think of for Transmitting Data (Karl Selin)
• eduGAIN Security Team Update (Sven Gabriel)
• VoidSOC status (Marek Madžo)

Francois Ambrosini is Responsible Disclosure and Vulnerability Management Evangelist at Huawei and represents Huawei PSIRT in Europe. He obtained his engineering degree in electronics and signal processing combined with a master's degree in computer networks and telecommunications from ENSEEIHT, Toulouse, France, in 2003. He was involved with radio technology development at Sagem Défence & Sécurité and later in the standardisation of mobile TV systems at Motorola, and consulted on security both independently and for umlaut communications. His activities have spanned several domains including IoT security, reconfigurable radio systems security, practical use of attribute-based cryptography and of language-theoretic security, and the development of several standards serving the private and public sectors as well as the EU legislation.

Daniel Kouril - Bio Pending.

Donetz Errasti - Bio Pending.

Karl Selin has been active in the IT-security field since the late 80s. Since then he has worked for several government agencies as well as being a consultant in the private sector. Now he works for the Swedish national CSIRT, CERT-SE, as a Senior Cyber Specialist.

Marek Madžo works as the Technical director of VoidSOC in Soitron company. In the past he was leading the Network & Security Operations Center of slovak governmental network. He is enthusiastic about security monitoring, Cyber Threat Intel and the building of SOC/CSIRT teams with focus on the improvement of the provided services.

Sven Gabriel - Sven Gabriel is a senior technical researcher at Nikhef, the Dutch National Institute for Subatomic Physics. He has a background in Computational Chemistry and Climate modelling and worked on a wide range of IT and IT security activities in various international projects. In his current position he is working on operational security in EGI.eu, a publicly-funded federation of over 300 data and computing data centres spread across Europe and worldwide, serving over 60000 users from a wide range of fields. In this function he successfully drove the process to make EGI-CSIRT a certified team within Trusted Introducer (TI). Here he ran Security Drills on a global scale, challenging the Incident Response capabilities of the various security teams active in EGI. In the same project, he also coordinated training addressing various technical and high level managerial problems in Incident Response for distributed infrastructures. Sven Gabriel received his Ph.D from RWTH Aachen University with a dissertation about Theoretical calculations of Circular Dichroism spectra of Bio-Organic compounds.

In this short course, we will go over a basic methodology for initial malware analysis and triage. We will introduce tools and approaches necessary for analysis of the most common malicious file types (Office documents, PDFs, scripts, LNKs and - to some level - even EXE/PE files) and discuss the appropriate use of static and dynamic malware analysis techniques.

The course will be practical in nature and will require each trainee to be able to at least "read" code and have a specially prepared VM.

Jan Kopřiva is an experienced cyber security professional, currently working as a consultant at Nettles Consulting and donating his time as one of the Handlers at the renowned SANS Internet Storm Center. Jan has an extensive professional experience – over his career, Jan worked on projects ranging from implementation of security monitoring and incident response processes and technologies to conducting penetration tests and red team exercises and from performing security audits to teaching different aspects of application security to developers. He has authored numerous research papers and articles focused on different aspects of cyber security and he regularly speaks at security conferences

Addressing the ever-growing momentum of cybersecurity threats, Polish cybercrime combating Law Enforcement Agency had commissioned the development of a system enabling the automation of a multidimensional malware analysis process. In response to this particular call, the MALWINA project was proposed. The presentation will demonstrate selected features of the MALWINA system possibly (but not limited to) describing the integration challenges as well as bespoke capabilities development process and its results.

Mikołaj Dobski joined Poznan Supercomputing and Networking Center in 2010 and for the last 6 years has been working with the PSNC ICT Security Department researching applied machine learning (data stream mining & anomaly detection) for cybersecurity and other fields. He participated in two EU-H2020 projects: PROTECTIVE (system co-designer and one of the technology consultants, MCDA developer) and symbIoTe (core services co-architect and the project’s security layer task leader). Since 2017 he has been engaged in numerous research activities concerning anomaly detection in SCADA networks (Scadvance project) which concluded with the release of the Scadvance XP product (offered by ICSec S.A.). For the last 3 years he has been acting as the technology coordinator for the presented integrated malware analysis environment project - MALwina.

In this presentation we explore the current state of ransomware in cybercrime and how ransomware business models will change in the near and far future. We will talk about the triggers that will cause ransomware actors to adapt. Some triggers will lead to a gradual evolution of ransomware. These triggers include the usage of more 0days in the initial access phase, better operational security, automation to optimize revenues, targeting Linux cloud servers more and targeting exotic platforms. Only when ransomware actors are pushed hard they will radically rethink their business models. Triggers include geopolitical events, regulations of cryptocurrency and the realization that other cybercrime is more profitable. We will discuss business models where the ransomware payload is changed to other, more profitable payloads, while still many of the core specialist skills of ransomware actors are leveraged. Finally we discuss how private industry, government and law enforcement can work together to fight against the crimes committed by the most prolific ransomware actors today and in the future.

Feike Hacquebord has more than 18 years experience in doing threat research as a Senior Threat Researcher. Since 2005, he has been a regular advisor of international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of more than a dozen blog postings and papers on advanced cyberattacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam.

“Attack him where he is unprepared, appear where you are unexpected” source: Sun Tzu, The Art of War.

The presentation analyses the role of Security Operation Center (SOC) and Incident Response Teams to secure Critical Infrastructures in the energy sector, including international compliance towards the regional legislation that applies to the Operators of Critical Infrastructures.

Carlos Sanchez Santos strives to secure a world that runs entirely on green energy. Business OT Security Manager in Ørsted. Business digital transformation leader specialized in Industrial Cybersecurity. Enabling changes in large organizations with a clear mission and vision towards a sustainable humankind development. Ex-addict to cybersecurity certifications, fortunately recovered and focused in communication capabilities and business support.

Previous experiences related to the event:

• Forensic investigator in court cases for criminal activities.
• Cybersecurity Director and Head of CERT/SOC at ITS-Security.
• Threat Intelligence instructor at INCIBE (Spanish National Cybersecurity Institute).
• Specialist in Unit71 Threat Intelligence department.

Local club football player and proud dad of twins in active-active setup, availability first :-)

This session is aimed at more experienced CSIRT team members or managers, who are curious to learn how the full SIM3 maturity model can help them assess the maturity of their or other teams - and then use it as monitoring tool as the team sets goals to increase their maturity, performance and quality. We will also explain how SIM3 works in the context of acquiring FIRST membership - which will benefit potential sponsors of membership candidates. The latest version of SIM3, v2 interim, will be used as basis for this training.

Don Stikvoort MSc., joined the Dutch national research network SURFnet, after studying physics and serving as army officer. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert between 1992-8, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership: he was program chair for the FIRST conference in Australia in 1999, initiated the FIRST Secretariat, is a longtime member of the Membership Committee and co-chair of the Traffic Light Protocol SIG. In 1998 he co-wrote the ‘Handbook for Computer Security Incident Response Teams (CSIRTs)’. Don continues to support the global cyber security community through S-CURE the company he founded in 1998. Don created the SIM3 maturity model for CSIRTs, is a sought-after keynote speaker and also finds the time to do executive coaching and psychotherapy with a limited set of clients.

More info: see https://www.first.org/hof/inductees

Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.

Dataplane.org, founded in 2016 and recently incorporated as a U.S. 501(c)(3) non-profit, has constructed one of the most unique and diverse distributed Internet activity sensor networks in the world.

Starting with SSH, we then developed a set of custom network listeners to monitor and measure unsolicited Internet communications. The network spans six continents, more than sixty countries, utilizes approximately 100 different commercial hosting providers, has IPv4 address assignments in over 100 /8’s, has no volunteers, and has no donated systems. How did we do it and how does this benefit the Internet community at-large? This talk will describe why this was needed, how the network is built, the costs involved, how systems are managed, and the data derived from our efforts. We highlight analytical insights of security threats and network trends from our real-time and longitudinal data. We describe the financial and operational challenges in working with so many commercial providers.

John Kristoff is a PhD candidate in Computer Science at the University of Illinois Chicago studying under the tutelage of Chris Kanich. He is a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT). John is also adjunct faculty in the College of Computing and Digital Media at DePaul University. He currently serves as a research fellow at ICANN, sits on the NANOG program committee, and operates Dataplane.org.

For a long time now CSIRTs in France have been working together through a group named InterCERT-FR with objectives similar to TF-CSIRT. In october 2021, this unofficial group became an official association called InterCERT France. During this presentation we want to show you from where we started as just operational teams meeting once a month to where we are now and where we hope to be in the next few years.

Étienne Baudin is the Head of CERT and SOC for Caisse des Dépôts et Consignations group (major public financial institution primarily aimed to develop France). He has about 10 years of experience in the CSIRTs communities and loves deep technical aspects of detection & investigation as well as community driven cooperation. Since October 2021, he is a Board Member of InterCERT France.

Frédéric Le Bastard is the head of CERT La Poste, the french postal, digital and banking company. He also is vice president of Botconf, the botnets fighting conference. He finally is the president of InterCERT France, gathering 80+ cyber detection & response teams among France.

Widespread use of open source software has motivated malicious actors to take advantage of the medium, spawning significant and widespread attacks.

To be able to identify these threats at scale we automated this process and would like to present and share some open source tools to detect those attacks.

RED LILI

This is the largest batch of malicious packages from a single threat actor (1500 packages and still counting ).

We will dive into the attack and discuss the infrastructure required for such attacks.

To keep track of RED-LILI as they continue to publish malicious packages, our research team has launched RED-LILI Tracker (https://red-lili.info)

UA-Parser (Good package gone BAD)

An attacker comprised a legitimate account of a popular open-source contributor.

We will dive into the attack and TTPs used (Account Takeover) and will discuss Chain alert Free service for the open-source community to alert on those attacks.

Protestware

A pro-Ukraine NPM user account riaevangelist released several new versions of its popular package “node-ipc” (over million weekly downloads ), which included a wiper functionally targeting Russian and Belarusian IP addresses and running a malicious payload, destroying all files on disk by overwriting their content with a heart emoji “❤️” .

Jossef Harush Kadouri is passionate about Linux and Windows, and has a strong interest in exploring the possibilities of Mac in the future. With his expertise in IoT and a knack for creating real-life automation solutions, he is able to control a variety of devices using his phone. Additionally, Jossef is a designer and digital asset creator, with a focus on pixel-perfect UI.

In his free time, Jossef enjoys growing hot peppers and organizing hot pepper events in Ramat Gan, the second best city in Israel. Jossef is also an active member of the open-source community, and is ranked in the top 1% on Stack Overflow.

In 2020, he co-founded Dustico, a software supply chain security company that was acquired by Checkmarx the following year. Since then, he has been working with his team to identify and prevent software supply chain attackers, ensuring the safety of the ecosystem.

The training on DNS: Prevention, Detection, Disruption and Defense offers a comprehensive introduction from a basic to an advanced level on how adversaries abuse and leverage the Domain Name System and domain registration services to carry out different types of attacks.

Looking at both the technical aspect of the domain resolution process to the lifecycle of domain names, with a focus on the vulnerabilities in the processes and systems, participants in the training will gain an understanding on how they can prevent the malicious activity, detect and disrupt it, as well as defend their specific constituencies.

The training consists of the following modules:

• DNS Basics and Ecosystem
• How do domains resolve?
• What are the components in the DNS?
• How does a domain get registered?
• Who is who in the domain ecosystem and why this matters?
• Phishing - Hands-on: Participants will learn which steps to take, with real-life examples, when addressing phishing cases against their constituencies:
• Detect the phishing
• Identify the relevant entities
• Gather the evidence
• Decide who to submit reports of abuse
• Decide on information sharing
• Advanced DNS
• Delegation
• Relevant Resource Records
• Authoritative vs. Recursive Resolvers
• Exercise
• Sophisticated DNS attacks
• Examples of sophisticated attacks
• Possible countermeasures for detection, disruption, and defense
• Techniques and good practices to prevent DNS threats
• Table-top exercise based on 4 scenarios:
• Hijacking
• DNS amplification
• Random subdomain attack
• DNS as a covert channel for exfiltration

Morning Session (09:00-12:30) Afternoon Repeat Session (13:30-17:00)

Carlos Alvarez del Pino leads ICANN's engagement with the trust and public safety communities (civil/criminal law enforcement, national cyber security centers, consumer protection, incident response teams, threat intelligence, operational security). His portfolio includes trust-groups, national/defense/police response teams, and organizations like the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), the Forum of Incident Response and Security Teams (FIRST), the National Cyber Forensics and Training Alliance (NCFTA), the Global Cyber Alliance or the Cyber Defence Alliance, among others.

Carlos is an attorney graduated from the Universidad de los Andes in Bogota. He holds a Master of Laws degree from the University of Southern California Gould School of Law, and has studies on networking with TCP/IP from UCLA.

David Rufenacht is senior threat intelligence analyst at InfoGuard. Previously, David worked for the Swiss National Cyber Security Center providing threat assessments to critical infrastructure. He holds a master degree in international relations as well as in social anthropology.

The cybersecurity industry already has standards for almost every domain, now it’s time for behaviour analytics to get in line. We will present an open body of knowledge for user behaviours associated with risks and threats, to better deploy mitigation and preventive activities, on focused groups with higher exposure to incidents, in order to maximise the security ROI.

During the session we will showcase the framework and demonstrate how it can be used by security teams to assess their visibility on the behaviour of their users and assess their capabilities against threats, furthermore we will also be demonstrating how the C-suite can use the framework to evaluate their return on security investment when performing preventive measures on the users which display behaviours associated to risks.

Albert Calvo is an AI Researcher at the i2cat foundation and PhD Candidate at Universitat Politècnica de Catalunya (UPC), where he focuses his research on empowering cybersecurity operations using Artificial Intelligence providing trustworthy solutions. Further Albert Calvo has extensive experience contributing to several Horizon 2020 R+D+i projects and competitive projects.

Nil Ortiz holds a Computer Science Engineering degree from the Autonomous University of Barcelona (UAB, 2017), and a Master’s degree in Cybersecurity from the Camilo José Cela University (UCJC,2020) with a thesis on the design, development and implementation of a Security Operations Centre. He has experience as a cybersecurity and threat intelligence analyst across Europe, focusing on the financial sector. Currently he works as senior research and development cybersecurity engineer, where his areas of research include cybersecurity incident response, threat intelligence, artificial intelligence applied to cybersecurity and 5G, with knowledge sharing and threat dissemination as core drives. He also acts as associate professor at the Open University of Catalonia.

Dr. Sherif Hashem is a Full Professor of Information Sciences and Technology at George Mason University (GMU). His professional and research interest includes cybersecurity, artificial intelligence, cyber policies and strategies, and management of information security. He has 5 published book chapters and over 60 refereed articles in international journals and conference proceedings, with more than 2600 citations.

Sherif is currently the Chair of the Board of Directors of FIRST. He is a member of the African Union’s Cybersecurity Expert Group (AUCSEG), a Senior IEEE member and an ISACA Certified Information Security Manager (CISM).

Over the last two decades, Sherif led several key cybersecurity efforts at the national level, and setting up the framework for developing the Egyptian Computer Emergency Readiness Team (EG-CERT). In 2016, he became the Chairman of the Executive Bureau of the Egypt’s Supreme Cybersecurity Council. He led the team that drafted Egypt’s first National Cybersecurity Strategy (2017-2021). Successful cybersecurity initiatives and activities led by Sherif have contributed to Egypt’s advanced cybersecurity rank: 14th among 193 countries, as reported by the International Telecommunications Union (ITU) Global Cybersecurity Index in July 2017.

At the international level, Sherif was an expert member of the United Nations Group of Government Experts (UN GGE) on the Developments In The Field Of Information And Telecommunications In The Context Of International Security (Aug 2012 - June 2013), a 15-members high-level group of experts that developed strategic cybersecurity reports to be endorsed by the UN General Assembly. Sherif was the Chairman of the ITU’s Council Working Group for Child online Protection from 2010-2017. He has been invited to give cybersecurity and ICT professional and strategic keynote speeches by numerous leading international organizations including: UN, ITU, Interpol, NATO, OSCE, OECD, African Union, the League of Arab States, as well as by the US Department of Defense and US Department of State.

Sherif received a Ph.D. in Industrial Engineering from Purdue University-USA, a M.Sc. in Engineering Mathematics and a B.Sc. in Communication & Electronic Engineering from Cairo University-Egypt. He completed the Senior Executive Program at Harvard Business School-USA. He received several awards and recognition including: The Global Bangemann Challenge Award from the King of Sweden (Stockholm – 1999).

Silvio Oertli is the Head of SWITCH-CERT (Universities & Registry). Before joining SWITCH-CERT, he has been working in IT investigation for law enforcement agencies since 2008. Started as an project manager, he went into the field of digital forensics and last as deputy head of the investigation service at the Cybercrime Competence Center of the Zürich cantonal police. Before his career as an IT investigator, he gained several years of IT industry experience as a project manager, software developer and systems engineer for 911-dispatch-software. Silvio is a trained IT forensics trainer and teaches digital Forensics at the University of Applied Sciences in Business Administration Zurich . In addition to his IT engineering degree, he holds a Bachelor of Law.

Silvio has been on the Steering Committee since September 2018 and the Chair of TF-CSIRT since September 2019.

After “Oops! It Happened Again” and “Fool Us! Or is it us Fools?”, the dynamic presentation duo sadly had to decide that once more they have to return.

Since last year so many ludicrously avoidable cybersecurity incidents have been experienced that one really must wonder if users will ever learn. How much education and awareness does one need. It becomes even more cynical if the incidents are caused by the politicians that made the cyber-regulations but don’t follow these (read: break) themselves “as they are inconvenient to work with”.

In their usual energetic and lively presentation style, this dynamic duo will present real-life examples of cyber-incidents, and explain what went wrong and how they could have been prevented. Eager to learn why we (the users) keep making these mistakes and causing incidents, they will also dive deeper into the reasons that history keeps repeating itself. And they will reveal the surprising common denominator that they have found.

To get in the mood, turn on your Walkman, insert that 70’s cassette, and play Bachman Turner Overdrive’s “You ain’t seen nothing yet” as loud as you can. Then, after watching our presentation, we hope everyone will stop making these errors so that we can genuinely say “Here's something that you're never gonna forget! B-b-b-baby”

Eddy Willems is a worldwide known cyber security expert from Belgium. He is a board member of 3 security industry organizations, EICAR, AVAR and LSEC, and is the resident Security Evangelist and Global Security Officer at G DATA Cyberdefense. He became a founding member of EICAR in 1991, one of the world’s first security IT organizations. Over the years he has served in many extra roles in different security industry organizations. Several CERTs, press agencies, print and online publications and broadcasting media, for example CNN, use his advice regularly. In October of 2013, he published his first book in Belgium and the Netherlands, entitled 'Cybergevaar' (Lannoo). A German translation followed afterwards and an English translation and update, Cyberdanger (Springer), was published in 2019. He is also co-author of the Dutch SF cyberthriller ‘Het Virus’ published in 2020. Eddy is a known inspiring speaker and is giving lectures and presentations (including TEDx) worldwide for a very diverse audience from children to experts.

Righard Zwienenberg started dealing with computer viruses in 1988 after encountering the first virus problems at the Technical University of Delft. His interest thus kindled and studied virus behavior and presented solutions and detection schemes ever since. Initially starting as an independent consultant, in 1991 he co-founded CSE Ltd. In November 1995 Zwienenberg joined the Research and Development department of ThunderBYTE. In 1998 he joined the Norman Development team to work on the scanner engine. In 2005 Zwienenberg took the role of Chief Research Officer. After AMTSO – Anti Malware Testing Standards Organization - was formed, Zwienenberg was elected as president. He is serving on the board of AVAR and on the Technical Overview Board of the WildList. In 2011 Zwienenberg was looking for new opportunities and started as a Senior Research Fellow at ESET. In April 2012 Zwienenberg stepped down as President of AMTSO to take the role as CTO and later as CEO. In 2016 he rejoined the AMTSO board for another two-year run. He also is the Vice Chair of the Executive Committee of IEEE ICSG. In 2018, Zwienenberg joined the Europol European Cyber Crime Center (EC3) Advisory Group as an ESET representative. Zwienenberg has been a member of CARO since late 1991. He is a frequent speaker at conferences – among these Virus Bulletin, EICAR, AVAR, FIRST, APWG, RSA, InfoSec, SANS, CFET, ISOI, SANS Security Summits, IP Expo, Government Symposia, SCADA seminars, etc. - and general security seminars. His interests are not limited to malicious code but have broadened to include general cybersecurity issues and encryption technologies over the past years.