FIRST Workshop Series

March 25th-April 22nd, 13:00 UTC

View the Recordings on YouTube!

Program

All session times are in UTC.

Thursday, March 25th
Building a Successful Abuse Desk
13:00 – 14:30 UTC
Severin Walker (M3AAWG, US)

Thursday, April 1st
AIL Framework: Practical and Efficient Data-Mining of Suspicious Websites, Forums and Tor Hidden-Services
13:00 – 16:00 UTC
Alexandre Dulaunoy, Aurélien Thirion, Jean-Louis Huynen (CIRCL, LU)

Thursday, April 8th
MISP General Usage Training - Day 1
13:00 – 17:00 UTC
Andras Iklody, Alexandre Dulaunoy (CIRCL, LU)

Friday, April 9th
MISP General Usage Training - Day 2
13:00 – 17:00 UTC
Andras Iklody, Alexandre Dulaunoy (CIRCL, LU)

Thursday, April 15th
Build Your Own Malware Analysis Pipeline Using New Open Source Tools (registration is limited to 30)
13:00 – 17:00 UTC
Paweł Srokosz (CERT.PL, PL); Jarosław Jedynak, Paweł Pawliński (CERT.PL / NASK, PL)

Thursday, April 22nd
Using Sysmon to Improve your Incident Response and Threat Hunting Capabilities
13:00 – 17:00 UTC
Peter Morin (Grant Thornton, CA)

About the Trainers

  • AIL Framework: Practical and Efficient Data-Mining of Suspicious Websites, Forums and Tor Hidden-Services (LU)

    Alexandre Dulaunoy: Alexandre Dulaunoy leads the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL in the research and operational fields. He enjoys working on projects that blend “free information,” innovation, and direct social improvement. When not gardening binary streams, he likes facing the reality of ecosystems while gardening plants or doing photography. He enjoys it when humans use machines in unexpected ways.

    Aurélien Thirion graduated from the University of Lorraine with a Master's degree in Computer Science and Security. Aurélien is a software engineer and security researcher at CIRCL. He leads the development of the AIL framework and is a core member of the D4 project.

    Jean-Louis Huynen is a security researcher at CIRCL. He works on threat detection and threat intelligence and on the development of tools to support incident response. Previously he collaborated with LIST (Luxembourg Institute of Science and Technology, LU) on the development of a Mixed Reality platform for the training of Security Critical Agents (mainly on firearms events and CBRN incidents). His previous research work (including his PhD) at SnT (Interdisciplinary Centre for Security, Reliability and Trust, LU) focused on the usability of security systems and on root cause analysis techniques for investigating security incidents.

    AIL [1] is an open source framework to analyse, correlate and crawl Tor hidden services, paste websites, forums or any other Internet-facing services. The framework is used by many CSIRTs to find information leaks, gather intelligence or track suspicious activity at large. The module will present the functionality of the software and will include analysis of real information discovered during the training session. The objective for the participants is to gain experience in using and extending the AIL open source software to cover their own use cases. The workshop is also an opportunity to meet the core developers of the platform and propose direct changes to the open source software in support of the CSIRT community.

    [1] https://github.com/ail-project/ail-framework

    April 1, 2021 13:00-16:00

    Slides: PDF, 2.7 MB, MD5 7fc688c3d4c1518fafa45802bf021955, last updated June 7th, 2024

  • Build Your Own Malware Analysis Pipeline Using New Open Source Tools (PL)

    Paweł Srokosz is a security researcher and malware analyst at CERT.PL, constantly digging for fire and reverse engineering ransomware and botnet malware. He spends his free time playing CTFs as a member of the p4 team and studying for a PhD in Computer Science at Warsaw University of Technology.

    Jarosław Jedynak is a programmer who changed his career path to become a security engineer at CERT.PL. His specialty areas include malware reverse engineering, analysis automation in Python and administration of the ever-growing Kubernetes cluster at CERT.PL. In his free time he plays security CTFs (with the p4 team he established 5 years ago) and browses cat memes on the internet.

    Paweł Pawliński is a principal specialist at CERT.PL. His past job experience includes data analysis, threat tracking and automation. In his current role, Paweł leads a team developing threat monitoring and data sharing systems.

    During almost a decade of malware analysis experience at CERT.PL, we have tried many different approaches. Most of them failed, but we have learned a lot about what works and what does not. Finally, after several years of development, we can publicly release a system that we are proud of: a complete open-source malware repository and analysis platform.

    The workshop will provide a practical, hands-on introduction to all aspects of the platform:

    • MWDB: Community-based online service for the analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully automated malware configuration extraction and botnet tracking.
    • Malwarecage: Repository of samples and all kinds of technical information related to malware, such as configurations.
    • Karton: Microservice framework for highly scalable and fault-resistant malware analysis workflows. We will cover installation and configuration quickly and spend the rest of the time on adapting workflows to the Karton framework.
    • Malduck: Our library for malware extraction and analysis. We'll explain how to use it effectively and how to create your own modules.

    All components are already available on our GitHub page: https://github.com/CERT-Polska

    Registration for this workshop is limited to 30.

    April 15, 2021 13:00-17:00

    Slides: PDF, 3.75 MB, MD5 1a9ca8fe24f4e3706328b2ca997fd937, last updated June 7th, 2024

  • Building a Successful Abuse Desk (US)

    Severin Walker has over 15 years of experience in the areas of messaging security and incident response at Comcast. Mr. Walker has worked on several initiatives to improve the customer experience and to contribute to a more secure internet. His current team of engineers develops and maintains platforms that enforce best practices and protect their customers from attacks. At M3AAWG, Mr. Walker has presented on topics such as delivery over IPv6 and mailbox provider policies. He went on to chair the M3AAWG Messaging and Technical committees, learning from the organization's founding members while facilitating contributions from newer attendees. Mr. Walker believes M3AAWG to be an integral part of the internet's security, as it provides a vetted and confidential space for hundreds of subject matter experts to collaborate.

    This training will focus on what the abuse desk team's role is, what to look for in team members, how incidents are generated and processed, and finally what the output of the abuse desk should look like.

    March 25, 2021 13:00-14:30

    Slides: PDF, 1.19 MB, MD5 729af37f3091ab88645c825b061fe20d, last updated June 7th, 2024

  • MISP General Usage Training (LU)

    Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.

    Alexandre Dulaunoy encountered his first computer in the eighties and disassembled it to find out how it worked. While pursuing his logical path towards information security and free software, he worked as a senior security network consultant at different companies (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg, the lead developer of various open source tools including cve-search, and a member of the MISP core team.

    MISP is an open source Threat Information Sharing Platform (TISP), aiming to provide a broad spectrum of sharing with machines and humans alike. CIRCL has been giving training courses on MISP and on threat intelligence sharing in general as part of a continuous effort since 2016.

    The training is meant as an introductory workshop, tackling the main functionalities of the platform from both an analyst's and an administrator's perspective: producing highly contextualized information, enriching it, collaborating on it and sharing it with partners and tools.

    This is day 1 of a 2-day workshop.

    April 8, 2021 13:00-17:00

  • Using Sysmon to Improve your Incident Response and Threat Hunting Capabilities (CA)

    Peter leads Grant Thornton's National Cybersecurity practice in Canada. He leverages over 25 years of experience to help clients develop robust cybersecurity program strategies. This includes advising organizations in areas ranging from industrial control system (ICS) security, network security architecture, threat hunting and red teaming to cloud security, incident response, computer forensics and beyond. Throughout his career, Peter has held senior positions with numerous organizations, including a global cybersecurity consulting firm, a national telecommunications and media company, a Fortune 500 cloud-computing company, a recognized cybersecurity software company and a major US defense contractor. Peter holds several industry designations, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), Certified Data Privacy Solutions Engineer (CDPSE) and GIAC Certified Forensics Analyst (GCFA). As a public speaker, Peter has presented at numerous events held by the FBI, US Department of Homeland Security, Conference Board of Canada, FIRST, BSides, SecTor, SANS, Black Hat, Public Safety Canada, IIA and ISACA. Peter is also a frequent guest lecturer at colleges and universities across North America, and has been featured in publications such as SC Magazine, National Post and Penetration Testing Magazine.

    We are all familiar with Microsoft Windows-style logging in the form of Event Logs (EV). How many of you have had to decipher an event log entry such as Event 4688, only to find that it lacks the valuable details that could assist you in your threat hunting, security monitoring or incident response activities? In many cases, event logs may be the backbone of your security logging capabilities if you are in a restrictive environment such as an industrial control system (ICS) setting. There is a valuable alternative to relying on event logs alone. This presentation will introduce attendees to the free Sysinternals tool Sysmon. Are you an incident responder? A SOC analyst? Does your job require you to work with Windows event logs? Do you need to reconstruct attacker timelines? Sysmon is an invaluable tool and a must-have in a Windows environment. During this workshop we will discuss implementation techniques, use cases, and integration with other security tools through demonstrations.

    April 22, 2021 13:00-17:00

Registration Has Ended