Krassimir Tzvetanov (Purdue University, US)
Over the past decade, the term "fake news" has become overused and divisive, prompting many to dismiss it outright. This raises questions about how this narrative benefits society—or even aids adversaries. Discussions around "active measures" often miss the mark, failing to grasp the broader implications of such tactics. In today’s information age, traditional cautionary warnings evolve into modern ones like “Beware of geeks bearing gifts,” underscoring the potential manipulation of seemingly benign messages.
This presentation will explore reflexive influence operations, techniques that exploit messaging to align segments of a target audience with adversary objectives. By examining second- and third-order effects, the discussion aims to reveal how such operations succeed in reshaping perceptions and achieving strategic goals. Examples illustrating these tactics will also be provided.
Beware of Geeks Bearing Gifts
January 2, 2025 09:00-10:00
Živilė Nečejauskaitė (NRD Cyber Security, LT)
The presentation will focus on engagement with other stakeholders within the organisation. Effective means of communicating and building relationships with specific stakeholders within an organisation can significantly improve response times and mobilisation in the event of a significant cyber incident and prevent the situation from escalating.
During the presentation we will look at how to map the stakeholders within an organisation, how to group them and how to determine the level of engagement with each group. We will also explore precise communication examples: potential messages to each stakeholder group that create greater engagement and relevance.
Živilė Nečejauskaitė is a communications professional, specializing in change and impact communication. She is a co-trainer of the ITU Academy course on Cyber Crisis Management. Živilė has co-organized and co-hosted several cybersecurity capacity building conferences in the East Africa region, called "Cyber Defense East Africa", one of which focused on national cyber crisis management. She holds a Master's degree in Communication for Development from Malmö University in Sweden. Živilė has worked in the public and private sectors in Lithuania and abroad, and has focused on cybersecurity capacity building for the past 7 years. Currently, she dedicates her time to building frameworks for communication during a cyber incident.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 15:30-16:00
Hosted by CERT Monaco
Incident-Response_How-to-get-others-in-the-organisation-to-care_Zivile-Necejauskaite.pdf
MD5: 4acf671a54de0fa2be6dbd8eb2053af5
Format: application/pdf
Last Update: January 21st, 2025
Size: 1.44 Mb
Zach Edwards (Silent Push, US)
This presentation will walk through how Silent Push analysts traced pig butchering scams to FUNNULL CDN-hosted money laundering networks, retail phishing campaigns targeting luxury brands, and more. Technical analysis of each step will be provided and explained in depth as we cover the threat we have dubbed “Triad Nexus.”
Zach Edwards is a Senior Threat Researcher at Silent Push, joining the team in 2024, with a focus on understanding and tracking how APT groups are evolving. His expertise includes a deep knowledge of global data supply chains and advertising systems.
Zach is passionate about data privacy, is active in numerous communities, and has been involved in high-profile GDPR complaints, including cases against online dating apps and Google auction systems. Zach has presented at high-profile events, including a 2023 Black Hat USA session titled “Kids in the Ad Fraud Crosshair: Why International Threat Actors are Targeting Children to Steal Money from Banks and Major Corporations.” In 2024, Zach presented at PIVOTcon, Virus Bulletin, and MWISE on various cyber threats.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 10:45-11:30
Hosted by CERT Monaco
Silent-Push-Triad-Nexus-Zach-Edwards.pdf
MD5: c255473a13dc0d52e2f8841e2672c027
Format: application/pdf
Last Update: January 10th, 2025
Size: 4.86 Mb
Logan Wilkins (Cisco, US)
In the rapidly evolving landscape of cybersecurity, organizations increasingly rely on effective Cybersecurity Incident Response Teams (CSIRTs) to detect, respond to, and mitigate security incidents. Key Performance Indicators (KPIs) play a crucial role in assessing the efficiency and effectiveness of CSIRT operations. This half-day training class is designed to empower CSIRT professionals with the knowledge and skills to develop, implement, and leverage KPIs for enhanced incident response. The training will cover essential topics, including:
Following this training, participants will have additional knowledge and tools to help establish a KPI framework tailored to their CSIRT's objectives. This class provides an opportunity for CSIRT professionals to enhance their skills, optimize their operations, and contribute to the overall security posture of their organizations.
Logan Wilkins currently leads a software engineering team in Cisco’s CSIRT, overseeing development programs related to incident detection and response, data management, and security metrics. Within FIRST he is the co-chair of the Metrics SIG and has served as a Candidate Sponsor for multiple groups. In addition to his experience in Cisco’s security organization, Logan has also worked in e-commerce, pharmaceutical drug discovery and was previously a high school teacher, giving countless students their first introduction to Computer Science.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 14, 2025 09:00-10:30, January 14, 2025 11:00-12:30
Hosted by CERT Monaco
MD5: 3710d4445526562f31cbe79ec14d3829
Format: application/pdf
Last Update: January 23rd, 2025
Size: 1.37 Mb
Marko Krstić (SRB-CERT (RATEL), RS), Vladimir Bobor (SIRT Officer Swedbank CDC, SE)
SRB-CERT has a tradition of organizing cybersecurity-related workshops and trainings for different stakeholders in the Republic of Serbia. To further educate existing CERTs and to motivate the establishment of new ones, the National CERT and the Cybersecurity Network Foundation, with the support of the EU project "Cyber Balkans", localized Transits I into the Serbian language and incorporated details about the legal framework of Serbia. In this talk we will present the results of our efforts, as well as the approach we took to successfully localize the Transits I course.
Marko Krstić completed his bachelor's, master's, and doctoral studies at the School of Electrical Engineering in Belgrade. He has been working in the field of information technology and security at the Regulatory Authority for Electronic Communications and Postal Services (RATEL) for almost ten years. He is currently serving as the Head of the Cyber Security Division and National CERT Affairs at RATEL. Marko was part of several projects related to the application of artificial intelligence for child protection on the Internet as well as for digital forensics at the European level.
Vladimir Bobor was born in 1971 in Belgrade, Serbia. He has lived in Stockholm, Sweden since 1994. He earned a B.Sc. in Computer Engineering in 2000 and, in 2006, his M.Sc. with a specialization in Information and Communication Systems Security from the Royal Institute of Technology (KTH), Stockholm. In 2024 he joined the Swedbank CDC team as an incident handler. He has long experience in the information security field, including network security and computer-network forensics. Vladimir was a member of the TF-CSIRT Steering Committee from 2014 to 2019 and from 2020 to 2023, and is one of the initiators of the Swedish CERT Forum.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 16:05-16:10
Hosted by CERT Monaco
Localization-of-Transits-I-Course-in-the-Republic-01.pdf
MD5: a8bdbaf1f89f92cb8eff4342d83d7b0a
Format: application/pdf
Last Update: January 21st, 2025
Size: 187.51 Kb
Michael Hamm (CIRCL, LU)
A use case where full disk encryption does not do what you expected, and you should be aware of it.
A live demo in which I show what happens to plaintext data that was stored on the disk before full disk encryption was activated.
Michael Hamm has worked for more than 10 years as Ingénieur-Sécurité in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center “CRP Henri Tudor” in Luxembourg. Since 2010, he has been working as an operator and analyst at CIRCL – Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 16:10-16:20
Hosted by CERT Monaco
MD5: b7a09d5d9dfe2147dcbd9f2183d9fdac
Format: application/pdf
Last Update: January 7th, 2025
Size: 177.47 Kb
MD5: 3afa308a3b9a7a3280b3919c3e1d5cff
Format: application/pdf
Last Update: January 7th, 2025
Size: 251.51 Kb
James McLaren (Jersey Cyber Security Centre, JE)
“We should be learning from the way emergency services operate, not reinventing the wheel”. Staff at JCSC who heard this at TRANSITS 1 last April had an almost immediate chance to do this after being invited to JESIP training. This session explains some of the principles behind JESIP, looks at how we might use it for alignment in our context, and seeks to open up a conversation about how it might go elsewhere.
James McLaren, the Senior Analyst at the Jersey Cyber Security Centre, still has no programming chops to speak of after spending 19 years with the UK Civil Service (where he designed and delivered an early Internet security training course in 2001) and eight with a managed security service provider in Jersey - but he is really quite good at acquiring and analysing information, and no slouch at writing about it either. He’s #ActuallyAutistic, makes a mean Hungarian gulyas, and still speaks Russian just about well enough to tell Putin where to stick it.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 14:00-14:30
Hosted by CERT Monaco
MD5: fdb582a4d19497aeb347d2f04282e2e5
Format: application/pdf
Last Update: January 28th, 2025
Size: 1.07 Mb
Christophe Renard (Agence Nationale de la Sécurité des Systèmes d'Information, FR)
As the French national cyber-security authority, ANSSI, and more specifically CERT-FR, has been handling major cyber-incidents since its inception in 2009. It has also faced the rise of destructive cybercriminal attacks when sensitive services were concerned. As such, we see post-incident impact often lasting years after the initial events. To mitigate this, we have launched a multipronged effort to formalize what post-incident remediation is, improve victim support, and encourage private-sector offerings. This presentation summarizes what we have been doing in the last 3 years on the subject and what we plan to do next.
Christophe Renard has been working in multiple roles in IT for 25+ years, in computer security for 13 years, in incident response for 8 years.
At CERT-FR he heads a team dedicated to assisting victims in regaining control of and restoring their information systems after cyber-incidents.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 16, 2025 09:30-10:15
Hosted by CERT Monaco
TLPWHITE-firsteu2025-anssi-remediation.pdf
MD5: 03c6892cda6fc2a81c50644bbf2db8f4
Format: application/pdf
Last Update: January 16th, 2025
Size: 40.56 Mb
Morton Swimmer (Trend Micro, Inc, DE)
The potential threat of quantum computers to computer security first emerged in the mid-1990s with Shor's discovery of an exponentially faster algorithm for integer factorization. This threat has become more tangible with the development of real quantum computers over the past decade. Although the immediate risk has not materialized, it continues to pose a significant challenge to forward secrecy. In this talk, I will explore the fundamental differences between quantum and classical computers and explain how Shor's algorithm undermines cryptographic systems. Additionally, I will provide an overview of the current state of quantum machine learning, which, despite significant advancements, remains limited in its practical applications. Although quantum computers are not yet ready for purposes beyond research, I will discuss the key challenges that need to be addressed to bring them into practical use and highlight important aspects to consider. This presentation aims to offer a balanced perspective on this complex and often misunderstood field, where expectations frequently surpass current achievements.
Dr. Morton Swimmer is a researcher in the Forward-Looking Threat Research (FTR) team in Trend Micro Research. His focus is on future threats, especially Web3, machine learning and quantum computing. His experience in computer security stretches back past 35 years with the founding of the first European malware research lab (VTC) at the University of Hamburg, Germany in 1988 and he has been involved in most of the innovations in security, first at university, later IBM Research and now Trend Micro. Early activities included malware analysis and computer forensics for which he built an early Malware sandbox system in 1992. This led to the development of the Digital Immune System at IBM Research, a fully automated virus analysis and signature generation system. More recently, he has been researching machine learning techniques, probabilistic reasoning and CTI ontologies to automate detection, hunting and mitigation of threats. New research topics also include the nascent Web3 technology stack and quantum computing’s effect on security issues, both positive and negative. He currently organizes the BSidesMunich and Elbsides security conferences.
Morton, a native of New York City, has a Computer Science PhD degree from the University of Hamburg, and currently resides in the Hamburg, Germany area.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 13:30-14:00
Hosted by CERT Monaco
Quantum-Computers-Should-we-worry-FIRST-EU25.pdf
MD5: 7a817a93d2880094931fdcd62d04d6eb
Format: application/pdf
Last Update: January 21st, 2025
Size: 11.46 Mb
Cristiana Brafman Kittner (Google Cloud, US)
Cybersecurity isn't just about technology; it’s fundamentally about people. Cybersecurity's human element is undeniable. Recognizing the link between psychology and psychological safety in cybersecurity frontlines, particularly within incident response, is crucial. Research emphasizes the importance of a blame-free culture where individuals can take risks, share ideas, and learn from mistakes, fostering consistent success.
Cultivating psychological safety can be challenging, especially in high-stakes environments like cybersecurity incident response. Strategies to address this include prioritizing people over technology, integrating psychological safety into onboarding, and fostering a culture of trust and transparency. By prioritizing psychological safety, organizations can unlock the full potential of their cybersecurity teams and bolster their defenses against cyber threats. This approach aligns with global perspectives on effective cybersecurity practices, ensuring a resilient and adaptive defense in the face of evolving cyber risks.
Cristiana Brafman Kittner has over two decades of experience in military strategy, weapons analysis, and strategic defense with a focus on cyber threat intelligence. Currently, Cris is the Chief Analyst at Google Cloud's Product Security Engineering and provides enterprise customers across various industries as well as senior executives and government officials with cutting-edge cyber threat intelligence and risk management solutions. She is a subject matter expert in cyber threat intelligence with a focus on Chinese military strategy, particularly on the development of the People's Republic of China's cyber threat landscape and ecosystem. Cris is a board member of The Diana Initiative and Torchlight. In her spare time, Cris is also engaged as a mentor and coach with Girl Security, The Women's Society for Cyberjutsu, and the Executive Women's Forum.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 09:30-10:00
Hosted by CERT Monaco
MD5: ce83e7a49714b9dc0194a99fbbec205d
Format: application/pdf
Last Update: January 15th, 2025
Size: 3.55 Mb