@sroberts advanced persistent incident responder

FIRST 2015

I’m lucky enough to get to go to FIRST 2015 in Berlin. I’ll be speaking on Tuesday afternoon, but one of the best things about conferences like this is being able to attend other sessions. I’ve never been to FIRST before, and this year looks jam packed. Here are the talks I’m most excited about and you’ll be likely to find me in.

Monday June 15:

| Time | Talk | Author | My Thoughts |
|---|---|---|---|
| 11:00 | Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP | Mr. Andras IKLODY (CIRCL) | MISP is one of the bigger open source threat intelligence platforms (along with CRITs). I’m pretty familiar with CRITs, but I’m curious to see what mature MISP can do. |
| 13:00 | 3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience | Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI) | I’m really interested in writing better table top exercises. This seems like a dramatically different approach. |
| 14:00 | So You Want a Threat Intelligence* Function (*But Were Afraid to Ask) | Mr. Gavin REID (Lancope) | So this sounds along the lines of a talk that Kyle Maxwell and I put together for BlackHat USA (but unfortunately didn’t get accepted). I’ve thought a lot about how to build useful directed Threat Intelligence, so this is super curious. |
| 16:00 | Incident Response Programming with R | Mr. Eric ZIELINSKI (Nationwide) | I don’t write R, not sure I ever would, but better data analysis is super important for better incident response. Also Nationwide is from my current hometown, so I’m happy to support the local guy. |

This is going to be a full day, which is a great thing for me. Lots of great talks, a wide variety of topics. Should be fun.

Tuesday June 16:

| Time | Talk | Author | My Thoughts |
|---|---|---|---|
| :no_entry_sign: 12:45 | When Business Process and Incident Response Collide: The Fine-Tuning of the IR Program | Ms. Reneaue RAILTON (Duke Medicine) | Far too often people forget that security is a business enabler and as such has to work to support the business, sometimes even at the expense of security. It’s great to see someone taking on this often overlooked topic. |
| :no_entry_sign: 12:45 | Overview of South Korea Target Malwares | Mrs. Dongeun LEE (KRCERT/CC, KISA) | South Korea ends up having a similar threat profile (that’s a big generalization) to the US. I’m curious to hear Mrs. Lee’s experience. |
| :no_entry_sign: 15:45 | DSMS: Automating Decision Support and Monitoring Workflow for Incident Response | Mr. Chris HORSLEY (CSIRT Foundry), Mr. SC LEUNG (HKCERT) | So this talk is a conflict with my own… but that doesn’t make me any less interested. Decision making systems are huge for many industries, and I like anything that brings a rigor to IR. |
| :no_entry_sign: 15:45 | Crisis Communication for Incident Response | Mr. Scott ROBERTS (GitHub) | Yeah… this is my talk, so I’m partial, but honestly couldn’t blame anyone going to hear the DSMS talk. That said I think it’ll be a fun discussion. |

Four talks and I can only make it to two of them… and one of them not by choice. Oh well, it’ll leave me time for one last run through of my talk.

Wednesday June 17:

| Time | Talk | Author | My Thoughts |
|---|---|---|---|
| 10:30 | Maximizing value of your Threat Intelligence for Security Incident Response | Mr. Allan THOMSON & Mr. Jonathan TOMEK (Lookingglass Cyber Solutions) | I hate vendor talks. That said anything about discussing how to apply Threat Intelligence to IR, instead of pretending they’re unrelated, is worth going to see, providing it isn’t just a glorified sales pitch. |
| 13:30 | Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators | Mr. Alexandre PINTO (Niddel) & Mr. Alexandre SIEIRA (Niddel) | I know the Niddel team personally, I’ve talked with them at length on their technologies and methodologies. They’re awesome. |
| 15:00 | How We Saved the Death Star and Impressed Darth Vader | Mr. Matthew VALITES & Mr. Jeff BOLLINGER (Cisco CSIRT) | I haven’t even read the description yet, but it’s Star Wars so I’m interested. Give me a second. Ok, could get vendory, but it sounds like a great topic and a fun tongue in cheek approach. |
| 16:00 | Validating and Improving Threat Intelligence Indicators | Mr. Douglas WILSON (FireEye) | I’ve never actually met him, but I know from reputation Doug Wilson is a smart smart dude. Super interested to hear what he has to say on this. |

A very Threat Intelligence centric day, but with a lot of variety.

Thursday June 18:

| Time | Talk | Author | My Thoughts |
|---|---|---|---|
| :no_entry_sign: 10:30 | Protecting Privacy through Incident Response | Mr. Andrew CORMACK (Jisc) | Doing incident response while respecting the privacy of those involved is hard. At GitHub it’s super important to us, both in terms of clients and our own employees. Anything to learn about this topic is interesting. |
| :no_entry_sign: 10:30 | Building Community Playbooks for Malware Eradication | Mr. Christian SEIFERT (Microsoft) | Microsoft has shown the industry that big botnet takedowns are a team sport. They have a unique perspective on this problem, I bet it’ll be fascinating. |
| 13:00 | Effective Team Leadership and Process Improvement For Network Security Operators | Mr. Jeremy SPARKS (United States Air Force) | While I’m tired of stunt hacking and 0days (especially at conferences that claim they want to focus more on defense) understanding how operators think is hugely relevant to defenses, so I’ll likely be at this talk. |
| 14:00 | Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study | Mrs. Sharifah Roziah MOHD KASSIM (MyCERT, CyberSecurity Malaysia) | While I’ve focused on looking at how to build small incident response team sized exercises it’s interesting to think about how that scales. Even more to think about how it scales to multiple governments. |

One conflict, but a great IR focused day (just like Wednesday will be very Threat Intelligence focused). I expect I’ll be hitting conference lag a bit, but these talks (and a lot of coffee) will get me through the day.

Friday, June 19:

| Time | Talk | Author | My Thoughts |
|---|---|---|---|
| 10:15 | Sector Based Cyber Security Drills - Lessons Learnt | Mr. Malagoda Pathiranage DILEEPA LATHSARA (TechCERT) | Is there an echo in here? More approaches to scenario based exercises. |
| 11:15 | Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale | Dr. Bronwyn WOODS (CERT Program, SEI, CMU), THOMAS MILLAR (US-CERT), Mr. Sam J. PERL (CERT CC) | Ok this one is fascinating. I have a ton of structured data around threats, and a ton of unstructured, but finding ways to tie that together is hard. |

A nice way to round out the conference before heading home.

One of the things I always pay attention to when reviewing conference proceedings is to look out for big trends. This year I saw these three:

  • Machine Learning
  • Threat Intelligence & Sharing
  • Exercises

All of these make sense, and definitely fit the current themes of IR.

That’s my take on FIRST. Catch me in one of those talks, or find me around Berlin if you’ll be there. While talks are great the chance to meet and discuss is just as interesting to me as talks. Bis nachher!