Agenda is subject to change.
Times are shown in UTC. Please check your local times. The event will be presented in English.
Symposium Plenary (March 2, 2022)

Time (UTC) | Session | Speakers
---|---|---
12:00 – 12:15 | Welcome and Update from the FIRST Board | Alexander Jaeger (FIRST.Org, DE); Chris Gibson (FIRST Executive Director – FIRST.Org, GB)
12:15 – 12:30 | Update from the TF-CSIRT Steering Committee | Silvio Oertli (SWITCH-CERT / TF-CSIRT Steering Committee, CH)
12:30 – 13:00 | Building Capacity in Critical Infrastructure Sectors | Justin Novak (CERT/CC, US)
13:00 – 13:30 | BLUE and RED for the Olympic Games | Aleksander Pawlicki, Maciej Zarski (Atos, PL)
13:30 – 13:45 | Break |
13:45 – 14:15 | | Prof. Hayretdin Bahsi (Tallinn University of Technology in Estonia, EE); Dr. Sherif Hashem (Information Sciences and Technology College of Engineering and Computing, George Mason University, US); Jean-Robert Hountomey (AfricaCERT, US); Dr. Unal Tatar (University at Albany, US); Dr. Kaleem Ahmed Usmani (CERT-MU, MU)
14:15 – 14:45 | Cybersecurity Emergency Action Plan for Local Entities in Comunitat Valenciana, Spain | Jose Vila (CSIRT-CV, ES)
14:45 – 15:15 | Traffic Light Protocol 2022: Updates for An Improved Sharing Experience | Don Stikvoort (Elsinore, NL); Tom Millar (DHS, US)
15:15 – 15:45 | Advanced Use of Bug Bounty Programs to Improve Vulnerability Response | François Ambrosini (Huawei Technologies Duesseldorf GmbH, DE)
Symposium Plenary (March 3, 2022)

Time (UTC) | Session | Speakers
---|---|---
12:00 – 12:05 | | Chris Gibson (FIRST Executive Director – FIRST.org, GB)
12:05 – 12:35 | | Henrich Slezak (IstroCSIRT, SK); Aleksander Pawlicki (Atos, PL); Shannon Sabens (Crowdstrike, US); Martin Laštovička (CSIRT-MU, Masaryk University, CZ); Jan Kopřiva (Nettles Consulting, CZ); Christos Arvanitis (CERN, CH)
12:35 – 12:55 | Ransomware Attack: Lessons Learned | Paolo Cravero, Francesco De Luca (CSI-RT, IT)
12:55 – 13:25 | Hunting for log4shell Compromises | José Ángel García Guijarro (SIA CERT, ES)
13:25 – 13:40 | Break |
13:40 – 14:10 | Fuzzing Windows Media Foundation in 2021 | Milan Kyselica (IstroCSIRT, SK)
14:10 – 14:40 | Data Driven APT Attribution and AI/ML Research | Patrick Mana, Bahtiar Mustafa (EUROCONTROL / EATM-CERT, EU)
14:40 – 15:10 | Flubot - Pandemic in Our Pockets | Juho Jauhiainen (Accenture, FI)
François Ambrosini (Huawei Technologies Duesseldorf GmbH, DE)
Huawei PSIRT handles vulnerabilities affecting Huawei products. In addition, Huawei runs a bug bounty program for its mobile phone business. Taking the examples of variant analysis and fuzzing as used at Huawei, this talk will present how a bug bounty program can be used to further improve the overall vulnerability response of an organization. Organizations running such a program are not limited to passively receiving and handling vulnerability disclosures. They can also take a more active role by leveraging the knowledge acquired from disclosures to proactively look for similar vulnerabilities and report these into the usual PSIRT processes. A short presentation of Huawei PSIRT and of the bug bounty program will serve as an introduction before moving on to the technical aspects.
François Ambrosini is Responsible Disclosure and Vulnerability Management Evangelist at Huawei and represents Huawei PSIRT in Europe. He obtained his engineering degree in electronics and signal processing combined with a master's degree in computer networks and telecommunications from ENSEEIHT, Toulouse, France, in 2003. He was involved with radio technology development at Sagem Défense Sécurité and later in the standardisation of mobile TV systems at Motorola, and consulted on security both independently and for umlaut communications. His activities have spanned several domains, including IoT security, reconfigurable radio systems security, the practical use of attribute-based cryptography and of language-theoretic security, and the development of several standards serving the private and public sectors as well as EU legislation.
March 2, 2022 15:15-15:45
Francois-20220302-Presentation-FIRST-Symposium-Europe.pdf
MD5: 02efc83ada45e71e3991dbf17e637b9c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.08 Mb
Prof. Hayretdin Bahsi (Tallinn University of Technology in Estonia, EE), Dr. Sherif Hashem (Information Sciences and Technology College of Engineering and Computing, George Mason University, US), Jean-Robert Hountomey (AfricaCERT, US), Dr. Unal Tatar (University at Albany, US), Dr. Kaleem Ahmed Usmani (CERT-MU, MU)
The research explores approaches and practices for providing low-income countries with practical, affordable, flexible, and achievable workforce training and development methods, including a menu of resources mapped to CSIRT organizational, technical, and operational service requirements.
Prof. Hayretdin Bahsi is a research professor at the Centre for Digital Forensics and Cyber Security at Tallinn University of Technology in Estonia. He received his PhD and MSc degrees in Computer Engineering from Sabanci University and Bilkent University respectively. He was involved in many R&D and consultancy projects on cyber security as a researcher, consultant, and program coordinator at the Information Security Research Centre of the Scientific and Technological Research Council of Turkey between 2000 and 2014. He acted as the founding director of the National Cyber Security Research Institute. His research interests include cyber-physical system security and the application of machine learning methods to cyber security problems.
Dr. Sherif Hashem is a Full Professor of Information Sciences and Technology at George Mason University-USA. Dr Hashem is a Senior IEEE member and an ISACA Certified Information Security Manager (CISM). Dr Hashem is currently a member of the Board of Directors of FIRST (Forum of Incident Response and Security Teams), and a member of the African Union’s Cybersecurity Expert Group (AUCSEG).
Over the last two decades, Dr. Hashem has led several key cybersecurity efforts at the national level, including setting up the framework for further developing the Egyptian Computer Emergency Readiness Team (EG-CERT). In 2015, Dr Hashem became a member of Egypt’s Supreme Cybersecurity Council (ESCC), which is affiliated with the Cabinet of Ministers. As the Chairman of the Executive Bureau of the ESCC, Dr Hashem led the team that drafted Egypt’s first National Cybersecurity Strategy (2017-2021). Successful cybersecurity initiatives and activities led by Dr Hashem have contributed to Egypt’s advanced cybersecurity rank: 14th among 193 countries, as reported by the International Telecommunications Union (ITU) Global Cybersecurity Index in July 2017.
At the international level, Dr Hashem was an expert member of the United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security (Aug 2012 - June 2013), a 15-member high-level group of experts that developed strategic cybersecurity reports to be endorsed by the UN General Assembly. He has been invited to give cybersecurity and ICT professional and strategic keynote speeches by numerous leading international organizations, including the UN, ITU, Interpol, NATO, OSCE, OECD, the African Union and the League of Arab States, as well as by the US Department of Defense and US Department of State.
Jean-Robert Hountomey works as a researcher for a global technology leader. His expertise includes product security, privacy engineering, secure software development life cycle, incident management, vulnerability research, maturity frameworks, and the drafting of policy, guidelines, and best practices.
Mr. Hountomey is a Founder and Director of the Africa Forum of Incident Response and Security Teams (AfricaCERT) and of the African Anti-Abuse Working Group. He is a SIM3 auditor and a member of the African Union Cybersecurity Expert Group, the FIRST Membership Committee, the PSIRT SIG, the Vulnerability Coordination SIG, the CVE Outreach and Communication Working Group (OCWG), ISACA (Gold), OWASP (Lifetime), and IAPP.
He has contributed to cybersecurity frameworks, articles, ICANN, ISOC, AfriNIC, AfNOG, AfrISPA, the GFCE, and the UN OEWG. His research includes issues and opportunities related to law, technology, and Internet governance.
Kaleem Ahmed Usmani: I have been heading the Computer Emergency Response Team of Mauritius (CERT-MU), a national CERT, since May 2010. It operates under the umbrella of the National Computer Board, an autonomous body under the Ministry of Information Technology, Communication and Innovation, Republic of Mauritius.
My 18 years of experience in the ICT industry span cybersecurity, network engineering, system administration, IT management and project implementation. Currently, I am involved in implementing national-level cybersecurity projects for Mauritius and in initiating regional cybersecurity projects for the IOC, SADC and COMESA regions. I am the Mauritian representative to the UN Group of Governmental Experts (UNGGE) on Cyber for the period 2019-2021.
Dr. Unal Tatar is an assistant professor of cybersecurity in the College of Emergency Preparedness, Homeland Security, and Cybersecurity at the University at Albany. Dr. Tatar has worked as a principal cybersecurity researcher in government, industry, and academia for over 17 years. He is the former coordinator of the National Computer Emergency Response Team of Turkey. Dr. Tatar’s research is funded by the National Science Foundation, National Security Agency, Department of Defense, Air Force Research Laboratory, NATO, and Society of Actuaries. His main topics of interest are cybersecurity risk management, economics of cybersecurity, cyber insurance, privacy, cybersecurity education and capacity building. Dr. Tatar holds a BS in Computer Engineering, an MS in Cryptography, and a Ph.D. in Engineering Management and Systems Engineering.
March 2, 2022 13:45-14:15
FIRST-EU-Meeting-AfricaCERT.pdf
MD5: b51943767e6fd797f600291f3b4343e3
Format: application/pdf
Last Update: June 7th, 2024
Size: 499.78 Kb
Aleksander Pawlicki (Atos, PL), Maciej Zarski (Atos, PL)
During the Olympic Games, the best athletes in the world compete for 3 weeks, but they prepare for this event for many years, using ever newer tools, techniques and tactics. The same applies to cybersecurity: we have cloud, big data, data science and AI, but are these technologies enough to win the cyber-race? What is worth considering when building cyber-readiness in order to make an organization stronger, faster and more cyber-resilient? Atos has been serving the Olympic Games for over 30 years, and we strive to improve cybersecurity management every year. During this presentation we will present our approach, based on the experience gained during the preparation and delivery of cyber operations for the Tokyo 2020 Olympic Games.
Ready, Steady, Go!
Aleksander Pawlicki is Global CERT Incident Response Lead, Senior Atos Expert and Security Enthusiast, in charge of the technical leadership of Atos Global CERT, which provides Digital Security and Incident Response (DFIR), Threat Intelligence (TI) and Threat Hunting (TH) services to Atos and its customers. He is responsible for leading incident response for large investigations or crises, and is a security enthusiast who strongly believes in the purple team philosophy.
Maciej Zarski is Global Head of Atos CERT, a Cyber Security Manager, Architect, Transformer and Enabler with over 15 years of experience in various global IT and security roles in operations, transitions, design, strategy and continual improvement. With DevOps principles at heart, he is constantly focused on creating value for clients. In his current role he is responsible for the end-to-end transformation of all cybersecurity services for a big global client, including on-prem systems, cloud and advanced security analytics based on big data technologies.
March 2, 2022 13:00-13:30
Chris Gibson (FIRST.org, GB)
Chris brings a wealth of relevant and up-to-date experience in setting up and managing CERTs at the very highest levels of the worldwide Information and Cyber Security community.
Chris spent over 12 years working in the Computer Emergency Response Team (CERT) whilst at Citigroup and, for 10 years, was part of the leadership of the Forum of Incident Response and Security Teams (FIRST); 2 as Chair. Within FIRST he implemented the Fellowship program. This was created to fund CERTs from UN-designated “Least Developed Nations” (LDCs) allowing them both to join FIRST and attend conferences and training.
Chris joined the UK Government's CERT-UK team in November 2013 to build and launch the UK’s first formally chartered national CERT, joined Close Brothers as Chief Information Security Officer in November 2016, moved to Orwell Group as CISO in July 2018 and joined FIRST as its Executive Director in May 2019.
Chris’ experience has allowed him to work with colleagues from both inside some of the world’s largest global financial institutions with the complexities that brings and also with colleagues from the incident response community, with members ranging from Microsoft and Oracle through to the national CERTs of Azerbaijan and Indonesia.
March 3, 2022 12:00-12:05
Justin Novak (CERT/CC, US)
An emerging specialization in incident response is the adoption of sector CSIRTs—CSIRTs responsible for facilitating incident response and management for a particular sector of a country or economy (e.g., financial, energy, or government). These specialized entities enable public and private sector stakeholders to come together to address the risks, threats, and other challenges that are unique to the organizations and individuals in a particular sector.
In order to realize the value of these specialized incident response teams, the SEI has developed a new framework to guide interested parties in developing the policies, processes, and procedures necessary to operationalize a sector CSIRT. The Sector CSIRT Framework provides guidance for (1) developing a sector-based computer security incident response and coordination capability and (2) integrating this capability into a larger national cybersecurity ecosystem as applicable. This presentation will review the Sector CSIRT Framework, along with some case studies examining its implementation.
Justin Novak is a Senior Security Operations Researcher at the CERT Division of the Software Engineering Institute, a Federally Funded Research and Development Center hosted at Carnegie Mellon University. At CERT, he is involved in research on the operation of CSIRTs, Sector CSIRTs, and Security Operations Centers, focusing on incident response and incident management. He is currently the SEI lead for engagements with Foreign Military partners through the DoD’s Foreign Military Sales program. Prior to that he led the International Cybersecurity Initiatives team. Before working at CERT, Justin was an Intrusion Detection Analyst and Network Analyst for the Department of Defense. He also worked in state government as an advisor to senior lawmakers. Justin holds a bachelor’s degree in Physics from the University of Pittsburgh, a Master’s degree in Security Studies from the University of Pittsburgh, and a PhD in Public Policy from George Mason University. Justin is an active member of the FIRST community and serves on the FIRST membership committee.
March 2, 2022 12:30-13:00
Jose Vila (CSIRT-CV, ES)
With the rise of ransomware attacks against municipalities in Comunitat Valenciana (Spain) in the first half of 2021, Generalitat Valenciana (the Regional Government) has put together an Emergency Action Plan focused on providing a solid cybersecurity foundation to all of its municipalities, so they can better face future threats and comply with the applicable legislation (ENS, Esquema Nacional de Seguridad, mandatory for all public sector organizations in Spain).
The plan, which was awarded to S2 Grupo and has the collaboration of CCN-CERT, started in July and has so far provided common tools to better prevent and fight ransomware attacks in every municipality; it is starting to provide more advanced sensors in some of them to enable better threat detection, and will help municipalities minimize the impact when a successful cyberattack occurs.
The early stages of the plan have been a real challenge in terms of expanding the current structures of CSIRT-CV and creating procedures for all of the new services being provided. It has also been a challenge in terms of tools, because microCLAUDIA, one of the main tools used, had to be given a new focus.
Jose Vila is a Senior Cybersecurity Analyst with more than 12 years of experience in the sector. He has been mainly focused on cyberdefense and incident management. He is part of the technical coordination team of CSIRT-CV.
March 2, 2022 14:15-14:45
Jose-Vila-CSIRT-CV-Cybersecurity-Emergency-Action-Plan-for-Local-Entities.pdf
MD5: 61179b473abb3c034c228070ae2d6112
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.53 Mb
Patrick Mana (EUROCONTROL / EATM-CERT, EU), Bahtiar Mustafa (EUROCONTROL / EATM-CERT, EU)
In this talk we will present a data-driven methodology for attributing TTPs to APT groups. To better analyse attacker behaviour, we developed a tool that uses the MITRE ATT&CK framework. The tool can be used to analyse TTPs and attribute them to particular APT groups based on data models. Future versions of the tool will use AI/ML to extract TTPs from unstructured data and feed them into the attribution models. The analysis tool and methodology will be shared with participants.
Patrick Mana is the EUROCONTROL Cyber Security Program Manager and EATM-CERT Manager (European Air Traffic Management Computer Emergency Response Team). He has spent his entire career working in air traffic management (ATM). He started 35 years ago working with Thales on aviation software development and project/product management. In 1999, he joined EUROCONTROL, where he led the safety assessment activities. In 2008, he moved to the Single European Sky Air Traffic Management Research Joint Undertaking (SESAR JU), where he was the Head of the development framework and SJU Programme Manager for all transverse activities including security for six years.
Bahtiar Mustafa is a cyber security expert at EATM-CERT. He has been working in cybersecurity for more than 20 years. Before EATM-CERT he worked for national CERTs, government/military organizations and the private sector. He holds several certifications, including CISSP, GXPN, CEH, GWEB and PMP, and has expertise in cybersecurity areas such as red teaming, penetration testing, cyber defence, secure system design, incident response, digital forensics and network security. He is also a part-time instructor delivering cybersecurity lectures at universities.
March 3, 2022 14:10-14:40
2022-TF-CSIRT-FIRST-Attribution-MITRE-ATTACK-by-EATM-CERT_PMana_BMustafa.pdf
MD5: 8c25bcbbd5e0561a1d04e5875ab89a96
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.88 Mb
Juho Jauhiainen (Accenture, FI)
The Flubot banking malware has been tormenting Android users' phones over the past year. In fall 2021, Flubot adopted DNS-over-HTTPS C2 infrastructure and hit Finland and some other countries very hard. This technical presentation will go through how Flubot works, what capabilities the current version of the malware has, and how we can fight it!
Juho Jauhiainen is currently working for Accenture as a Lead Security Incident Investigator. In addition to his current position, he has DFIR and malware analysis experience from various private and public sector organizations, such as the National Cyber Security Centre Finland (NCSC-FI). In his free time, he co-hosts the Finnish podcast Turvakäräjät, runs the Helsinki security meetup group HelSec, and teaches forensics at the National Defence Training Association of Finland. Juho is CISSP, GCFA, GMON, GREM and OSCP certified.
March 3, 2022 14:40-15:10
TLP_WHITE-FIRST-TF-CSIRT-Flubot.pdf
MD5: d9109fa59d7aa4c96c1a35974c038c8b
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.37 Mb
Milan Kyselica (IstroCSIRT, SK)
An in-depth look at how fuzzing research was carried out against one of Microsoft's products, why we were able to identify multiple critical-risk issues that other researchers had overlooked, and the takeaways and lessons learned.
Milan Kyselica works as a lead penetration tester and currently serves as Head of Offensive Security at IstroSec. He focuses on red teaming, social engineering and application testing. Previously he worked as a penetration tester at CSIRT.SK and then as head of the offensive department at a private company. He is also interested in bug bounty and responsible disclosure, where he has found multiple CVEs in web applications, mobile applications, IoT systems and automotive. Milan currently holds multiple certifications, including GIAC Cloud Penetration Tester (GCPN), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), Certified Red Team Professional (CRTP) and Certified Red Team Expert (CRTE).
March 3, 2022 13:40-14:10
Milan-Fuzzing-Windows-Media-Foundation-in-2021.pdf
MD5: c643287f6aeb517489f04ebf39c3f8ba
Format: application/pdf
Last Update: June 7th, 2024
Size: 504.14 Kb
José Ángel García Guijarro (SIA CERT, ES)
The revelation on December 9th of the CVE-2021-44228 Apache log4j vulnerability (log4shell) heavily impacted IT teams worldwide, due to how widespread the library is, how easy the vulnerability is to exploit, and the fact that public exploits were available. However, the main problem for some organizations is that the exploits may have been used as early as December 1st as a 0-day by state or criminal actors.
As a result of these concerns, the SIA IRT team conducted two compromise assessments in different organizations, each requiring a tailored approach. For this task we had to develop a custom approach involving close collaboration with the on-site security and networking staff in order to overcome the challenges of detecting a compromise across the entire organization.
This presentation intends to give an adequate representation of the issues encountered and the solutions adopted in order to scale up the retroactive detection of successful log4shell exploitation using the tools available in each organization, and of how to overcome previously undetected monitoring gaps.
José Ángel García Guijarro has been working in cybersecurity since 2013 as part of CERTs for entities in the financial, health and energy sectors, as a malware analyst and senior incident responder, and since 2021 as a certified forensic specialist. In his duties he has collaborated in efforts oriented towards protecting critical infrastructure, working with Incibe, CCN-CERT and EDA. He is currently working as part of a multidisciplinary incident response team within SIA CERT (ES), helping organizations to respond to and prepare for cybersecurity incidents. Our competencies range from forensic analysis and the creation of policies and procedures for incident response to compromise assessment and the design of training exercises to evaluate the readiness of our partners. During the last two years SIA CERT (ES) has acquired extensive experience responding to company-wide incidents involving ransomware and data breaches.
March 3, 2022 12:55-13:25
Jose-Hunting_log4shell_Final.pdf
MD5: ba19ea0a42047471bca6a25d014b767f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1001.6 Kb
Henrich Slezak (IstroCSIRT, SK), Aleksander Pawlicki (Atos, PL), Shannon Sabens (Crowdstrike, US), Martin Laštovička (CSIRT-MU, Masaryk University, CZ), Jan Kopřiva (Nettles Consulting, CZ), Christos Arvanitis (CERN, CH)
Christos Arvanitis is a Computer Security Fellow at the European Organization for Nuclear Research (CERN). Coming from a software engineering background, his main activities lie in supporting the CERN Computer Security Team and the Security Operations Centre by maintaining and developing tools and automated solutions. He is also actively supporting the incident response infrastructure as well as various monitoring and analysis solutions used at CERN.
Jan Kopřiva is a Security Manager at Accenture and one of the “Handlers” at the renowned SANS Internet Storm Center. He has extensive professional experience: over his career, Jan has worked on projects ranging from the implementation of security monitoring and incident response processes and technologies to conducting penetration tests and red team exercises, and from performing security audits to teaching different aspects of application security to developers. He has authored numerous research papers and articles on different aspects of cyber security and he regularly speaks at security conferences, both local and international.
Martin Laštovička is the head of the cybersecurity operations group in the CSIRT-MU team and also a Ph.D. candidate at the Faculty of Informatics, Masaryk University. His research topic lies in network traffic analysis and the practical application of machine learning to build cyber situational awareness. He focuses on applying research outputs to real-world data and enhancing the operations of the CSIRT-MU team.
Aleksander Pawlicki is Global CERT Incident Response Lead, Senior Atos Expert and Security Enthusiast, in charge of the technical leadership of Atos Global CERT, which provides Digital Security and Incident Response (DFIR), Threat Intelligence (TI) and Threat Hunting (TH) services to Atos and its customers. He is responsible for leading incident response for large investigations or crises, and is a security enthusiast who strongly believes in the purple team philosophy.
Shannon Sabens has 20+ years of program management experience in security, anti-malware and software vulnerability research and response coordination. Shannon is a board member on the CVE Program Board and the chair of the CVE Outreach Working Group. Currently, she is the Director for Threat Response at CrowdStrike.
Henrich Slezák, CISA, focuses on GRC, information security management, security auditing, training and awareness, and consultation on information security, with more than 10 years of experience in the governmental and private sectors. Henrich has also participated in various incident response engagements as a team member, incident response manager and incident response facilitator. He has also represented the Slovak governmental CSIRT in expert groups in Europe, including the CSIRTs Network, ENISA cyber exercise planners, and many working groups.
March 3, 2022 12:05-12:35
Atos_CERT_intro-Aleksander-Pawlicki.pdf
MD5: 8ef1b24777723018fc8db024f07048f3
Format: application/pdf
Last Update: June 7th, 2024
Size: 219.91 Kb
CVE-Lightning-Talk-2022-01March22_FIRST-Shannon.pdf
MD5: 6f07da3cc37749ba293a1ab3beaa4221
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.29 Mb
FIRST_TF-CSIRT-Europe22-JK-log4shell.pdf
MD5: 7deaa462b4630539b8ffef54da8fcc8b
Format: application/pdf
Last Update: June 7th, 2024
Size: 517.16 Kb
Introduction-of-a-New-Team-IstroCSIRT.pdf
MD5: d1bee628a3f1c844965944458495f395
Format: application/pdf
Last Update: June 7th, 2024
Size: 865.94 Kb
Martin-Lastovicka-SAPPAN-Malware-Analysis-Platform.pptx
MD5: 2c8dc714679abae77ddb7d85525d89b7
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 2.33 Mb
Paolo Cravero (CSI-RT, IT), Francesco De Luca (CSI-RT, IT)
We will talk about an attack we suffered recently, which we managed successfully and from which we learned a lot in several respects.
Paolo Cravero is an "all-around" Senior Cybersecurity Analyst and Blue Teamer with a strong background in networking and email systems. He has a special attitude towards specification adherence and enjoys extracting valuable information from machine-generated data. Paolo holds an M.Sc. degree in Telecommunications Engineering from the Politecnico di Torino and has been part of CSI-RT since its foundation.
Francesco De Luca is a Security Professional with more than 30 years of experience in IT, the services industry and security. As a Certified Information Systems Security Professional (CISSP) he contributed to the creation of the regional CSIRT. Security is not only an exciting job for him, but also a keen personal interest.
March 3, 2022 12:35-12:55
TF-CSIRT-Europe22_CSI-RT-Lessons-Learned.pdf
MD5: e890222dbcad3edd916636595e180654
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.29 Mb
Don Stikvoort (Elsinore, NL), Tom Millar (DHS, US)
Since 2018, the FIRST Traffic Light Protocol Special Interest Group (TLP-SIG) has been working on updating the FIRST TLP standard to comply with the current FIRST Standards Policy and to better reflect the needs of TLP's most frequent users. Some changes were also necessary to simply reflect the changes in the world we live in. The result is a new FIRST TLP for 2022 - an evolution, not a revolution, but a standard we hope the worldwide CSIRT and PSIRT community will embrace and find even more effective than its predecessor. This talk will present the latest version of the updated TLP, highlighting the significant changes and explaining why they were made.
Don Stikvoort joined the Dutch national research network SURFnet in 1988, after studying physics and 2 years in the army. Don was among the pioneers who created the European Internet starting in 1989. He recognized “security” as a concern in 1991, chaired SURFcert from 1992 to 1998, and was the founding father of NCSC-NL, the Dutch national team, and of the European TF-CSIRT community. Don became a member of FIRST in 1992 and has been very active during his membership, from chairing the FIRST conference in Australia in 1999 to co-chairing the Traffic Light Protocol working group and participating in the CSIRT, Metrics and Ethics working groups. In 1998 he co-wrote the ‘Handbook for Computer Security Incident Response Teams (CSIRTs)’. Don continues to support the global cyber security community through S-CURE, the company he founded in 1998. Don created the SIM3 maturity model for CSIRTs, is a sought-after keynote speaker and also finds the time to do executive coaching and psychotherapy with a limited set of clients.
Mr. Thomas R. Millar serves as the United States Computer Emergency Readiness Team’s (US-CERT) Chief of Communications, a role which finds him at the intersection of outreach, awareness, standards development, and technical interoperability initiatives. In this role, Mr. Millar is focused on modernizing US-CERT's approaches to information sharing, knowledge exchange and coordination. Since joining US-CERT in 2007, he has played a significant role in US-CERT's response activities during major cyber events such as the Distributed Denial of Service (DDoS) attacks on Estonia in 2007, the outbreak of the Conficker worm, and the DDoS attacks on major U.S. Government and commercial Web sites in 2009.
Mr. Millar has previously worked as a team lead for intrusion detection and analysis at the FBI’s Enterprise Security Operations Center. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force.
Mr. Millar has a Master’s of Science in Engineering Management from the George Washington University.
March 2, 2022 14:45-15:15
Alexander Jaeger (FIRST.Org, DE), Chris Gibson (FIRST.Org, GB)
March 2, 2022 12:00-12:15