Program Overview

Ransomlook is an advanced intelligence platform designed to monitor, analyze, and report on global ransomware activities. The tool consolidates data from multiple sources, including dark web forums, ransomware-as-a-service platforms, and victim reports, to offer real-time insights into the latest ransomware threats and tactics. By leveraging automated scraping, machine learning, and expert analysis, Ransomlook provides actionable intelligence to cybersecurity teams, enabling them to anticipate attacks.

Marc-Frédéric Gomez is an accomplished cybersecurity leader with over 30 years of experience. As Head of CERT at Crédit Agricole, he manages cybersecurity for over 140,000 users globally. A Certified SIM3 Auditor, Marc assesses and improves CSIRT capabilities. He is also a published author, contributing key works on PCI DSS compliance and cybersecurity for SMEs. His entrepreneurial ventures and passion for advancing IT security include founding MG Consultants and Linux Motor, alongside hosting the RadioCSIRT Podcast.

In a 2024 report, we learned that at least 45% of all data breaches now involve cloud infrastructure. As the cloud increases an organization's attack surface, it becomes paramount that incident detection and response become cloud-focused. This workshop will guide participants through detecting adversarial activities, such as lateral movement, privilege escalation, and data exfiltration, in hybrid environments. Students will learn how to automate detection workflows using free and/or open-source tools and intelligence-led incident response.

Hands-on labs will simulate real-world attack scenarios. Students will have a chance to get hands-on with realistic attack data to help them develop the skills to respond to malicious activity in hybrid environments. Furthermore, we will look at how to take the skills learned in class and bring them back to their own environments.

Matt Bromiley has over 13 years experience in incident response, managed detection and response, threat intelligence, and security operations. He has worked in environments of all shapes and sizes, battling everything from state-nexus adversaries to opportunistic, one-time hackers. Matt is also a certified SANS instructor, teaching classes in DFIR and Security Leadership. In his free team, he’s a dad to three girls - they keep him busy, oftentimes driving around the DFW metroplex.

Every Incident Response practitioner has already lived frustrating experiences of missing logs, unavailable artefact collection and response capabilities, and other operational restrictions, even in environments with developed and mature detection capabilities.

The main root cause of these situations is the way most SOC capabilities are built: the architecture, tooling and data management are designed to meet detection and qualification needs (which logs for which use case). IR teams' needs (such as retention for hunting, verbosity, capability to collect files or perform remediation at scale…) are not always considered (other team or external provider in charge, cost considered excessive…).

Is this inevitable? How could SOC design practices be improved to better meet IR-specific needs?

In this talk, we will propose ways and ideas to make SOC processes and tooling IR-ready. After reviewing common pitfalls based on real-life incidents feedback, we will try to address some of them by weighting costs, complexity and benefits. We will also demonstrate that some of these approaches can also benefit day-to-day SOC operations by shifting left forensic capabilities.

Stefan THIBAULT is an experienced advisor and technical auditor for companies ranging from SMEs to international groups and public entities based in France and Monaco. He has had the opportunity to take part in dozens of projects focused on SOC and CSIRT assessment, design and improvement. He co-constructed back in 2014 a unique SOC effectiveness testing methodology that was been used to assess entities from all sectors on the past ten years, helping identify areas of improvement on both technical and process matters. He also took part in the design of SOC strategies, processes and selection of technologies. Within Defenso, he continues to build his knowledge and thought leadership around detection improvement by staying ahead of new technologies and capabilities and by developing approaches to improve coverage and efficiency of detection and response capabilities.

Course attendee will gain practical skills on building powerful DNS Threat Intelligence system with active DNS protection using open source solutions. Name of the solution: OpenNameShield. To build OpenNameShield, the full day workshop will provide following basic knowledge on following topics:

• Docker - OpenNameShield is a docker-ized project. Advantages of using docker will be explained as well as key commands of docker.
• BIND9 - DNS server set-up and configuration. It is planned to set up operational DNS server during workshop.
• RPZ - aka DNS Firewall. Basics on zone creation to block certain domain will be provided.
• ELK - Elasticsearch and Kibana set-up.
• normalize – usage of rsyslog Log Message Normalization Module will be explained to ensure parsing of incoming log-file
• python3 – development of scripts that will enrich the incoming log-file. How to feed OpenNameShield with suspicious/ harmful domains.
• REDIS – this is important to ensure that external system limitations are not exceeded. It will be shown how to decrease outgoing requests using REDIS.

As a result OpenNameShield system will be developed where together with participants:

• The system will be enriched with suspicious/ harmful domains that are to be blocked.
• DNS blocking will be checked in real-life.
• DNS threat-hunting will be performed to identify suspicious domains.
• Identification of infected devices will take place based on the statistics of blocked DNS.

OpenNameShield system development includes usage of vast array of open-source solutions. Participants will attain excellent base level knowledge for own future project development as well as general creation of awareness on how such solutions operate.

• Type of the workshop: Technical
• Level: Beginner
• Personal equipment necessary: Please install docker on your computer.
• Be sure that command "docker run hello-world" will work for you. Optional, but strongly advised, install "Visual Studio Code" also.

  Armīns Palms, CERT.LV, is one of the key authors of the “National DNS Firewall” project in Latvia, which has been actively utilized and became mandatory for all ISPs in the country as of September 2024, following the National Cyber Security Law. He joined the CERT.LV team in 2016 and currently leads the Incident Response team. With five years of dedicated involvement in the DNS Firewall project, Armīns is passionate about sharing his knowledge and experience with the cybersecurity community and industry professionals.

  Dana Ludviga holds a MSc in Computer Science from the University of Latvia and works as the cybersecurity incident analyst at CERT.LV - Latvian national and governmental CSIRT. Dana is coordinating engagement with different stakeholders as well as representing CERT.LV at national and international events. Before her current role, Dana was as a project manager at the .LV registry NIC.LV where she contributed to the development of the domain industry with a keen eye on domain name security. As a computer science researcher at the University of Latvia her work extended to diverse IT research and network development projects funded under the 7th framework of the European Union.

This workshop will focus on building operational resilience in the face of escalating cyber threats. This session aims to equip participants with the tools and strategies necessary to effectively navigate and mitigate cyber crises. The trainers will cover key aspects of cyber crisis management, including the distinction between the incident and a crisis, the main stages of cyber crisis management, and key pillars of building a national cyber crisis management framework. Through a combination of theoretical knowledge, real-life case studies, and practical exercises, attendees will learn how to strengthen their organisation’s preparedness, ensure continuity, and reduce the impact of cyber incidents

Dr. Tadas Jakštas, a cybersecurity capacity building expert with a lot of experience in managing international security and defence projects within various NATO and EU organizations. Prior to joining NRD Cyber Security, Tadas worked at NATO Energy Security Centre of Excellence where he has been responsible for projects related to critical infrastructure protection, crisis management and industry systems cybersecurity. He has also worked at NATO Allied Command Transformation (ACT) as a coordinator of international defence capability building projects as well as on various EU cyber and energy security projects. At NRD Cyber Security Tadas is responsible for public and private sector cybersecurity strategy and policy building as well as CIIP. He is a regular lecturer at Baltic Defence College, Swedish Defence University and NATO school Oberammergau and is still an active member of defence industry – he is a NATO Civil Expert and is focusing his efforts on improving Alliance’s resilience against conventional and unconventional threats.

Živilė Nečejauskaitė is a seasoned communication specialist with 13 years of experience, half of which focuses on cybersecurity. She holds a degree in Communication for Development (C4D) and specializes in impact, change, and crisis communication. Živilė's expertise includes media engagements, public relations, and coordinating communication strategies. Her professional experience spans across Lithuania, the UK, and Sweden, in both public and private sectors. She is actively involved in international organizations, including TF CSIRT PR Group, GFCE Working Group D, FIRST AI SIG, and FIRST Metrics SIG.

Cybersecurity ecosystem in a country covers all stakeholders in the domain. Those who receive cybersecurity services, provide them, regulators and those who are regulated, research and academia, law enforcement, local and foreign companies. This lighting talk will raise a thought if National CSIRT should be accountable of creating and maintaining such ecosystem map, what value does it create?

Paulius Dauksas is a Cyber Security Consultant at NRD Cyber Security. At the company he is responsible for articulating and streamlining CSIRT/SOC establishment, modernization, assessment, Cybersecurity capacity building for nations, Natrix - solution for collective cyber defense in CII sectors for various countries, critical sectors, and private organizations. Paulius Dauksas participates in various capacity building projects both internationally and locally. Paulius has practical experience in cyber security capacity building and assessment, CII protection, CSIRT establishment and design, cyber crisis management. He has an experience of working with various international organisations, such as International Telecommunication Union, The World Bank, DCAF - Geneva Centre for Security Sector Governance, Gates Foundation, UK Home.

This interactive workshop guides participants through the comprehensive design and execution of cybersecurity tabletop exercises (TTX) tailored for both executive (C-level) and technical teams. Participants will learn how to develop realistic scenarios aligned with organizational goals, maturity levels, and business strategies, using advanced tools such as MITRE Attack Flow and the open-source T3SF platform. The workshop covers all critical stages, including defining the scope, designing the attack scenario, creating the participant experience, and running exercises. Participants will also engage in a live simulation, gaining hands-on experience by role-playing different organizational roles in incident response.

The workshop is grounded in research and methodologies derived from the papers "Cybersecurity Incident Response Tabletop Simulations for Learning in Classrooms and Organizations" and "Methodology for Cybersecurity Incident Response Simulation Exercises." These publications provide a structured approach to designing TTX, ensuring exercises are both practical and aligned with real-world challenges. In addition, the workshop emphasizes post-exercise evaluation. Participants will learn to create executive and technical reports based on exercise outcomes and assess the organization's incident response maturity using a peer-reviewed model. This model, derived from the paper "Model for Quantifying the Effects of Tabletop Simulation Exercises for Cybersecurity Incident Response," allows for a data-driven analysis of the impact of TTX on preparedness and response capabilities.

Federico Pacheco is a cybersecurity professional with a background in electronic engineering and several industry-recognized certifications. 20+ years of teaching experience at the most prestigious universities in Argentina. Four published books and +15 peer-reviewed research papers. Has worked in the public and private sectors, including regional roles in global companies. He is currently in charge of R&D+i at BASE4 Security.

Sliafertas Matias is a cybersecurity expert with over 15 years of experience leading information security, business continuity, and regulatory compliance initiatives in both multinational and governmental environments. He currently serves as the CISO at BASE4 Security, where he manages internal security and provides professional cybersecurity services across various industries. Previously, he was the Executive Director at JPMorgan Chase, where he led teams of CISOs across Latin America and Canada, implementing global security strategies tailored to regional needs. He holds a strong academic background and a broad set of certifications, including CISSP, CCSP, CRISC, CISM, and CDPSE. Additionally, he is a passionate educator, teaching Information Security courses at renowned universities.

Key achievements of the speakers working together, related to this Workshop, include pioneering the first and the latest systemic TTX in Argentina's banking sector, conducting open exercises at major cybersecurity conferences, and running exercises in large companies in different sectors, including OT/ICS related scenarios.

The cybersecurity landscape is characterized by a constant increase in malware sophistication, driven by access to financial resources, skilled actors, and the lucrative nature of cybercrime.

In this presentation, we will discuss the significant challenges posed by advanced malware, its ability to evade detection and bypass even well-structured security measures, and the importance of understanding malware behaviors to develop more effective countermeasures.

Key topics of our talk:

• Analysis of recent trends in malware development and the critical role of malware analysis in a sandbox environment as part of a proactive security strategy.
• Examples of malware evasion in sandbox environments, demonstrating why your sandbox might not be giving you the full picture.
• Practical guidelines for evaluating and benchmarking a sandbox to ensure its malware analysis accuracy and ability to identify critical threats.

This presentation aims to bridge the gap between theoretical understanding and practical application by providing actionable advice for cybersecurity professionals to enhance their organization’s threat detection and incident response capabilities.

Michael Bourton, Senior Security Solutions Engineer, VMRay

Michael Bourton has more than 20 years of broad-based expertise in the IT sector and cybersecurity industry, holding senior positions with large, international technology companies. Michael holds a Bachelor’s degree in Computer Science from the University of Greenwich, along with CISSP, CCSP and CISSP-ISSAP qualifications.

https://www.linkedin.com/in/michaelbourton/

Long gone are the days when the Internet was a playground for enthusiasts and nerds. Today, malicious cyber operations can disrupt critical infrastructure, desabilise political processes or cause millions of dollars of damage. All of this is well below the threshold of armed conflict.

But because attribution remains difficult, it's often unclear whether a given operation is state-sponsored or simply a criminal enterprise. This creates a high risk of misunderstandings that can lead to dangerous escalations.

Confidencebuilding measures (CBMs) and norms, part of the UN framework of responsible state behaviour in Cyber space are seen as tools to avoid such risks, but it is often not clear how to implement Norms and CBMs. We find that scenario-based discussions or table-top exercises are a valuable tool to help policy makers and national CSIRTs learn to communicate and de-escalate better.

In this presentation we will conduct a mini exercise, explain the rationale behind this work and give some examples of successful exercises, but also challenges.

Serge Droz is a senior advisor at the Swiss Federal Department of Foreign Affairs, in the Digitalisation Division, where he is responsible for cyber mediation and cyber security. Serge is also a board member of FIRST. Before joining the government, Serge worked for more than 20 years as an incident responder in various CSIRTs. Serge has a PhD in theoretical astrophysics.

Some years ago, mnemonic gave a presentation called The technical analyst and the half-year APT at different conferences, including the FIRST annual conference. At the time, we talked about the threat actor, but less about the victim organization. Now, as this has been a while, it is easier to also talk about the victim, and how this incident challenged both the technical incident response team, but also the management making decisions on how to deal with the incident.

This presentation will first do a quick summary of the threat actor activity, and then discuss the incident response.

Mona Østvang is a senior incident response manager working as a consultant in mnemonic IRT, a long-term member of FIRST. She has worked on a number of severe incidents the past 15 years, and does also work on preparing organizations for responding to such incidents through planning and exercising.

The talk will focus on engagement with other stakeholders within the organisation. Effective communication means and building rapport with certain stakeholders within an organisation can significantly improve reaction times and mobilisation in case of a significant cyber incident and can work as a prevention form escalating to a crisis.

During the presentation, we will review how to map stakeholders within an organisation, how to group them, and how to identify the engagement level with each group. We will also explore the exact communication examples - potential messages to each stakeholder group to create greater engagement and relevance.

Živilė Nečejauskaitė is a communications professional, specializing in change and impact communication. She is a co-trainer of the ITU Academy course on Cyber Crisis Management. Živilė has co-organized and co-hosted several cybersecurity capacity building conferences in East Africa Region, called "Cyber Defense East Africa", one of which has focused on national cyber crisis management. She holds a Master's degree in Communication for Development from Malma University in Sweden. Živilė has worked in the public and private sectors in Lithuania and abroad, and has focused on cybersecurity capacity building for the past 7 years. Currently, she dedicates her time to building frameworks for communication during a cyber incident.

This presentation will walkthrough how Silent Push analysts traced pig butchering scams to FUNNULL CDN-hosted money laundering networks, retail phishing campaigns targeting luxury brands, and more. Technical analysis of each step will be provided and explained in-depth as we cover the threat we have dubbed: “Triad Nexus."

Zach Edwards is a Senior Threat Researcher at SilentPush, joining the team in 2024, with a focus on understanding and tracking how APT groups are evolving. His expertise includes a deep knowledge of global data supply chains and advertising systems.

Zach is passionate about Data Privacy, is active in numerous communities, and has been involved in high-profile GDPR complaints, including cases against online dating apps and Google auction systems. Zach has presented at high profile events, including a 2023 Blackhat USA session titled, “Kids in the Ad Fraud Crosshair: Why International Threat Actors are Targeting Children to Steal Money from Banks and Major Corporations.” In 2024, Zach has presented at PIVOTcon, Virus Bulletin, and MWISE on various cyber threats."

This exercise is designed to emulate real-world scenarios that require seamless collaboration and joint efforts in incident response. Participants will engage in training focused on the application and execution of incident response using Standard Operating Procedures (SOPs) and cybersecurity playbooks.

The exercise will include an introduction to existing tools and frameworks, along with hands-on training for creating and exchanging executable playbooks and response strategies. The aim is to enhance the readiness and resilience of organisations by fostering collaboration, improving communication channels, and refining joint response protocols.

Manos Athanatos has more than 15 years of experience in cybersecurity and research and is a Senior Technical Project Manager at FORTH-ICS and TUC. He is also, acting as a external cybersecurity consultant and product manager. He is a member of the OASIS CACAO TC, TAC TC, CTI TC, FIRST.org and ENISA AHWG on SOC. He has been involved in more than thirty R&D projects in his career, both from the research and the product development scope. He has had the roles of the acting Project Coordinator, Scientific and Technical Coordinator, Technical Team lead, Integrator, Evaluation and Testing Leader, Risk and Quality Assurance Manager, in a number of them. He is also the head of the internal Project Management team and co-leader of the internal technical development team. His main research interests are in the areas of systems, network and system security, deception technologies, cybersecurity automation, network monitoring, CTI and SOC technologies.

A stream of bits could mean everything and nothing. Forensics analysts need to be able to structure the bits to understand the meaning.

Attendees will learn how to read bits, bytes and larger data structures. One exercise will be to read signed integer numbers and convert little endian/big numbers. Afterwards we will apply a data structure onto the bit stream and convert data into information.

With this knowledge the analyst will be able to read and understand other binary data structures. He will learn how the forensics tools work and also understand their limits.

Michael Hamm has worked for more than 10 years as Ingenieur-Sécurité in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research centre “CRP Henri Tudor” in Luxembourg. Since 2010, he has been working as an operator and analyst at CIRCL – Computer Incident Response Centre Luxembourg where he is working on forensic examinations and incident response.

In the rapidly evolving landscape of cybersecurity, organizations increasingly rely on effective Cybersecurity Incident Response Teams (CSIRTs) to detect, respond to, and mitigate security incidents. Key Performance Indicators (KPIs) play a crucial role in assessing the efficiency and effectiveness of CSIRT operations. This half-day training class is designed to empower CSIRT professionals with the knowledge and skills to develop, implement, and leverage KPIs for enhanced incident response. The training will cover essential topics, including:

• Understanding CSIRT Objectives: Participants will gain insights into the core objectives of a CSIRT and how KPIs align with these goals. A comprehensive overview will be provided to establish a foundation for KPI development.
• Identification and Selection of Relevant KPIs: Explore a range of KPIs applicable to CSIRTs, considering factors such as incident detection, response times, and containment effectiveness.
• Metrics and Measurement Techniques: Delve into the methodologies for measuring KPIs accurately. Participants will learn how to define and collect relevant metrics.
• Establishing Baselines and Targets: Understand the significance and pitfall of setting baselines and realistic targets for KPIs. Practical examples and case studies will be discussed to illustrate how organizations can benchmark their CSIRT performance.
• Visualization and Reporting: Learn effective ways to present KPI data through visualizations and reports.

Following this training, participants have additional knowledge and tools to help establish a KPI framework tailored to their CSIRT's objectives. This class provides a opportunity for CSIRT professionals to enhance their skills, optimize their operations, and contribute to the overall security posture of their organizations.

Logan Wilkins currently leads a software engineering team in Cisco’s CSIRT, overseeing development programs related to incident detection and response, data management, and security metrics. Within FIRST he is the co-chair of the Metrics SIG and has served as a Candidate Sponsor for multiple groups. In addition to his experience in Cisco’s security organization, Logan has also worked in e-commerce, pharmaceutical drug discovery and was previously a high school teacher, giving countless students their first introduction to Computer Science.

SRB-CERT has a tradition of organizing cybersecurity related workshops and trainings for different stakeholders in the Republic of Serbia. In order to further educate existing CERTs and to motivate establishment of new ones, National CERT and Cybersecurity Network Foundation with the support of EU project "Cyber Balkans" localized Transits I to Serbian language and incorporate details about legal framework of Serbia. In this talk we will present results of our efforts, as well as approach we took to successfully localize Transits I course.

Marko Krstić completed his bachelor, master, and doctoral studies at the School of Electrical Engineering in Belgrade. He has been working in the field of information technology and security at the Regulatory Authority for Electronic Communications and Postal Services (RATEL) for almost ten years. He is currently serving as the Head of the Cyber Security Division and National CERT Affairs in the RATEL. Marko was part of several projects related to the application of artificial intelligence for children protection on the Internet as well as for digital forensics at the European level.

Vladimir Bobor was born 1971 in Belgrade, Serbia. He has lived in Stockholm, Sweden since 1994. He achieved and B.Sc. in Computer Engineering in 2000 and 2006 his M.Sc. with a specialization in Information and Communication Systems Security from Royal Institute of Technology (KTH) Stockholm. In 2024 he joined Swedbank CDC team as incident handler. He has long experience in Information Security field; Network Security and Computer-Network Forensics. Vladimir was a member of TF-CSIRT Steering Committee from 2014 – 2019; 2020-2023, and is one of initiators of Swedish CERT Forum.

A use case where full disk encryption do not do what you expected, and you should be aware of it.

A live demo where I show, what happen with plaintext data, that was stored on the disk before full disk encryption got activated.

Michael Hamm has worked for more than 10 years as Ingénieur-Sécurité in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center “CRP Henri Tudor” in Luxembourg. Since 2010, he has been working as an operator and analyst at CIRCL – Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.

In early 2024, Ivanti’s Pulse Secure appliances suffered from widespread exploitation which led to the discovery of the SparkCockpit and SparkTar n-day backdoors. Insights obtained from these discoveries highlight the modern adversary capabilities deployed through initial access exploitation.

Tag along with our analysis to understand the lengths to which threat actors go to maintain a foothold within compromised networks. This session will discuss the different levels of attempted persistence, the techniques employed for defense evasion, as well as the command and control capabilities. We will also cover the detection strategies, rules, and tools that were developed to further scope these threats. By attending, participants will understand the importance of network segmentation, defense-in-depth strategies, and the role of Deep Packet Inspection in identifying similar future anomalies.

Maxime Thiebaut is an Incident Response & Threat Research expert at NVISO, where he dedicates his time to intrusion analysis and technical research. Outside of work, Maxime contributes to The DFIR Report. In addition to his coding skills, he has a keen interest in reverse engineering samples encountered in the wild.

“We should be learning from the way emergency services operate, not reinventing the wheel”. Staff at JCSC who heard this at TRANSITS 1 last April had an almost immediate chance to do this after being invited to JESIP training. This session explains some of the principles behind JESIP, looks at how we might use it for alignment in our context, and seeks to open up a conversation about how it might go elsewhere.

James McLaren, the Senior Analyst at the Jersey Cyber Security Centre, still has no programming chops to speak of after spending 19 years with the UK Civil Service (where he designed and delivered an early Internet security training course in 2001) and eight with a managed security service provider in Jersey - but he is really quite good at acquiring and analysing information, and no slouch at writing about it either. He’s #ActuallyAutistic, makes a mean Hungarian gulyas, and still speaks Russian just about well enough to tell Putin where to stick it.

As the French national cyber-security authority, ANSSI, and more specifically CERT-FR has been handling major cyber-incidents since its inception in 2009. It has also faced the rise of destructive cybercriminal attacks when sensitive services were concerned. As such, we see post-incident impact often lasting years after the initial events. To mitigate this, we have launched a multipronged effort to formalize what is post-incident remediation, improve victims support, and encourage private sector offer. This presentation summarize what we have been doing in the last 3 years on the subject and what we plan to do next.

Christophe Renard has been working in multiple roles in IT for 25+ years, in computer security for 13 years, in incident response for 8 years.

At CERT-FR he heads a team dedicated to assist in victims in regaining control and restoring their information systems after cyber-incidents.

The potential threat of quantum computers to computer security first emerged in the mid-1990s with Shor's discovery of an exponentially faster algorithm for integer factorization. This threat has become more tangible with the development of real quantum computers over the past decade. Although the immediate risk has not materialized, it continues to pose a significant challenge to forward secrecy. In this talk, I will explore the fundamental differences between quantum and classical computers and explain how Shor's algorithm undermines cryptographic systems. Additionally, I will provide an overview of the current state of quantum machine learning, which, despite significant advancements, remains limited in its practical applications. Although quantum computers are not yet ready for purposes beyond research, I will discuss the key challenges that need to be addressed to bring them into practical use and highlight important aspects to consider. This presentation aims to offer a balanced perspective on this complex and often misunderstood field, where expectations frequently surpass current achievements.

Dr. Morton Swimmer is a researcher in the Forward-Looking Threat Research (FTR) team in Trend Micro Research. His focus is on future threats, especially Web3, machine learning and quantum computing. His experience in computer security stretches back past 35 years with the founding of the first European malware research lab (VTC) at the University of Hamburg, Germany in 1988 and he has been involved in most of the innovations in security, first at university, later IBM Research and now Trend Micro. Early activities included malware analysis and computer forensics for which he built an early Malware sandbox system in 1992. This led to the development of the Digital Immune System at IBM Research, a fully automated virus analysis and signature generation system. More recently, he has been researching machine learning techniques, probabilistic reasoning and CTI ontologies to automate detection, hunting and mitigation of threats. New research topics also include the nascent Web3 technology stack and quantum computing’s effect on security issues, both positive and negative. He currently organizes the BSidesMunich and Elbsides security conferences.

Morton, a native of New York City, has a Computer Science PhD degree from the University of Hamburg, and currently resides in the Hamburg, Germany area.

This session is aimed at more experienced CSIRT team members or managers, who are curious to learn how the full SIM3 maturity model can help them assess the maturity of their or other teams - and then use it as monitoring tool as the team sets goals to increase their maturity, performance and quality. We will also explain how SIM3 works in the context of acquiring FIRST membership - which will benefit potential sponsors of membership candidates. Finally, the ongoing development of SIM3 to become a better fit also for SOCs, ISACs and PSIRTs will be shared.

Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security – specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.

After his MSc degree in Physics, he became Infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet since November 1989. He recognised “security” as a future concern in 1991, and was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992-8, and FIRST member since 1992. Today Don is a FIRST Liaison Member. Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the ""Handbook for Computer Security Incident Response Teams (CSIRTs)"" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.

In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 has is now under the wings of the “Open CSIRT Foundation” (OCF). Don was one of the founders in 2016 and now chairs its board.

Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, which portfolio is life & executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field. Don thrives as motivational and keynote speaker. He enjoys to share his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate – and how deeper understanding and a better ability to express ourselves, increase our ability to bring good change to self as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out-of-the-box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:

“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.

The most recent EU cybersecurity policy initiatives triggered changes that will strongly impact how vulnerabilities are going to be disclosed and vulnerabilities are managed in the Union. With this talk we present the latest state of the legislative implementations by ENISA. We start with an introduction to the freshly launched EU vulnerability database and ENISA's vulnerability registry service before describing the initial planning on the CRA Single Reporting Platform. Ultimately, listeners will be able to better understand the coordination and disclosure services organisationally implemented by both, national CSIRT coordinators and ENISA, and how they lay an important foundation for being able to jointly scale up our vulnerability response capacities.

Johannes Clos is a national expert seconded to the Operational Cooperation Unit of ENISA. His main responsibilities include leading the EU Vulnerability Database implementation, contributing to the CSIRTs Network Secretariat, and supporting the Operations and Situational Awareness team. Before joining ENISA he cultivated a passion for international CSIRT collaboration in BSI's CSIRT section CERT-Bund where he contributed to the creation of BSI's vulnerability disclosure policy and introduced IntelMQ for automating abuse communication in Germany.

In recent years, the number of national CSIRTs has significantly increased. For example, the ITU record of National CSIRTs shows that the number has increased from 102 in 2014 to 131 in 2020 (International Telecommunication Union 2021). The global CSIRT community has also grown. The latest FIRST.org data shows that 759 teams in 111 countries are registered as FIRST.org members.

While numerous publications delve into the challenges of establishing a national CSIRT, few focus on the unique context of small, even micro-states (islands). This presentation, drawing from the experience of NRD Cyber Security in working with small developing countries, focuses on the key challenges for establishing national CSIRTs in such states, offering a fresh and insightful perspective.

Dr. Tadas Jakštas, a cybersecurity capacity building expert with a lot of experience in managing international security and defence projects within various NATO and EU organizations. Prior to joining NRD Cyber Security, Tadas worked at NATO Energy Security Centre of Excellence where he has been responsible for projects related to critical infrastructure protection, crisis management and industry systems cybersecurity. He has also worked at NATO Allied Command Transformation (ACT) as a coordinator of international defence capability building projects as well as on various EU cyber and energy security projects. At NRD Cyber Security Tadas is responsible for public and private sector cybersecurity strategy and policy building as well as CIIP. He is a regular lecturer at Baltic Defence College, Swedish Defence University and NATO school Oberammergau and is still an active member of defence industry – he is a NATO Civil Expert and is focusing his efforts on improving Alliance’s resilience against conventional and unconventional threats.

Cybersecurity isn't just about technology; it’s fundamentally about people. Cybersecurity's human element is undeniable. Recognizing the link between psychology and psychological safety in cybersecurity frontlines, particularly within incident response, is crucial. Research emphasizes the importance of a blame-free culture where individuals can take risks, share ideas, and learn from mistakes, fostering consistent success.

Cultivating psychological safety can be challenging, especially in high-stakes environments like cybersecurity incident response. Strategies to address this include prioritizing people over technology, integrating psychological safety into onboarding, and fostering a culture of trust and transparency. By prioritizing psychological safety, organizations can unlock the full potential of their cybersecurity teams and bolster their defenses against cyber threats. This approach aligns with global perspectives on effective cybersecurity practices, ensuring a resilient and adaptive defense in the face of evolving cyber risks.

Cristiana Brafman Kittner has over two decades of experience in military strategy, weapons analysis, and strategic defense with a focus on cyber threat intelligence. Currently, Cris is the Chief Analyst at Google Cloud's Product Security Engineering and provides enterprise customers across various industries as well as senior executives and government officials with cutting-edge cyber threat intelligence and risk management solutions. She is a subject matter expert in cyber threat intelligence with a focus on Chinese military strategy, particularly on the development of the People's Republic of China's cyber threat landscape and ecosystem. Cris is a board member of The Diana Initiative and Torchlight. In her spare time, Cris is also engaged as a mentor and coach with Girl Security, The Women's Society for Cyberjutsu, and the Executive Women's Forum.

During the decades, the world has observed an increase of data breach incident eminently involving cases associated with intrusion, defacement, phishing, ransomware and malicious activities. Data breach is one of the serious threats that can be visualized as a form to cause damage to an enterprise’s organization such as corporations and governments. The objective of this presentation is to study the emerging of data breach incident by means of technical method associated with defacement, phishing, ransomware and other malicious activities that causes of data breach and review of current incident handling procedure. We analyzed incident that we received by CyberSecurity Malaysia pertaining to a data breach case that tremendously increased as of last year. As a result, we proposed a framework from the Cyber999 perspective in incident handling procedure with challenges and prevention that could have prevented target breach comprehensively in Malaysia. As a Cyber999 service for CyberSecurity Malaysia, we provide emergency response and technical assistance for internet users and organizations on cybersecurity related incidents. Cyber999 received data breach incident that requires an incident handler to investigate further with relevant or additional information such as from Threat Intelligence. For example, we analysed various threats actors regarding the breach, logs such as from web server, email server, firewall and email header. Based on the previous incident received, including of massive campaign on data breach we will highlight a few case studies on data breach that also involved server compromised, root cause, challenges, recommendations, and moving forward.

Kilausuria Abdullah works as a Specialist for Cyber999 Unit, in CyberSecurity Malaysia. A seasoned cybersecurity expert with over 10 years of experience in research & development(R&D) in research organisation and over 10 years of experience in incident handling. Adept at incident response, incident management, threats and trend analysis, and CSIRT consultancy for NCII sectors, government agencies and SMEs. Recognized for trainer in incident handling Training, with a strong focus on safeguarding against emerging cyber threats. Areas of expertise such as Security Operations Center (SOC) Management, log analysis, incident response, data and trends analysis. She also engaged in Security Advisories and Alerts, Threat Summary Report, Articles, Technical Guidelines, and Proceeding Paper related to computer security. She had also conducted talks, presentations, trainings(local) in the field of computer security particularly in Computer Security Incident Handling.