FIRST Technical Colloquia & Symposia provide a free discussion forum for FIRST member teams and invite guests to share information about vulnerabilities, incidents, tools and all other issues that affect the operation of incident response and security teams. This TC has always had a technical focus on incident response and responders. We have one day of training (available as a sponsorship opportunity), followed by the main conference with 2 days of talks.
The call for papers is now open! Note this will be an in-person event. There will be no virtual talks - only send an abstract if you can commit to being there in person.
The TC will be a plenary-style conference held on the 26th and 27th of March at the W hotel in downtown Amsterdam, Netherlands. In addition, we will host an optional, free training workshop on Monday, March 25th.
The idea behind the TC is to encourage security teams and talented researchers to share their technical work in a friendly environment. We encourage anyone who has not spoken at a conference before to submit a proposal. Local talent is welcome from anywhere (although travel and other expenses are not covered by FIRST, and we cannot sponsor visas or invitation letters). We are interested in new ideas and presenters. We can help new presenters review their materials in preparation for submission. Any novel ideas, techniques, case studies, or research related to incident and threat response are welcome. We are interested in how teams walk through actual security incidents. Some other suggested topics are:
- AI in incident detection/response
- Threat actor groups & techniques
- Creative incident response techniques
- Security in the cloud and container environments
- Real-world security incidents/events
- Automation of TI ingestion and alerting
- Criminal underground / State-backed actors
- Digital forensics
- Monetisation of cybercrime
- Threat Hunting
- Operationalizing Threat Intelligence
- Relevant geopolitical cybersecurity research
All talks must be 45 mins (including time for Q&A). For your submission to be reviewed, you must submit using the EasyChair form and provide ALL of the following information:
- Title
- Presenter's Name(s), Affiliation, and a short biography & picture
- Brief Summary (Abstract)
- Has this been presented before (if so, where)?
- Draft Presentation
Our goal is to have the program on the event website ASAP. To that end, please have all submissions completed by Jan 31st.
The conference has always been a 100% free event. Your support enables us to deliver a world-class event that is available to all free of charge. By sponsoring, you have access to industry practitioners, from executives to analysts from many business verticals across the globe. For more information on sponsorship opportunities, please email katie.lanza@humansecurity.com
This conference is 100% free to attend.
Oh no, your infrastructure is getting attacked and worsening by the day. The attacks seem highly coordinated, but where do you even begin when trying to hunt down the attackers? Roll up your sleeves and get ready to slip down the rabbit hole into the shadowy corners of the internet. In this 4 hour, one-of-a-kind OSINT and large-scale data-collection workshop, we'll show you how to become the cyber-sleuth you never knew you could be - minus the trench coat and fedora (unless that's your style). We'll demystify the Deep and Dark Web, debunk those spooky legends, and give you tips and tricks to keep a low profile. We'll arm you with cunning tactics for safe lurking in onion-land, navigating sneaky marketplaces, and scraping massive heaps of intel while also staying legal! Expect a healthy dose of humour and enough practical know-how to impress your pet goldfish—and give you something to talk about while you wait for the next season of Love Island. Get ready to dive deep, stay safe, and come out the other side a certified data-diving rockstar!
“Smart City” has been a trendy buzzphrase used by politicians, city planners, and tech companies for over a decade now — but their shiny promises gloss over dangerous realities.
Downtime and damages in municipalities due to cyberattacks regularly make the news, but we focus primarily on securing and recovering IT systems. Smart Cities by nature use a combination of IT and OT systems but have no established or holistic approach for managing overlapping risks to both. The consequences to security from varied stakeholders involved in Smart City planning and implementation go unexamined. Human hazards, vulnerable devices, and data management issues build on these to create diverse and creative attack paths for all sorts of threat actors.
Smart Cities present a ubiquitous and unique combination of risks which must be comprehensively assessed in order to improve procedural and operational security, reliability, and resilience. By reframing our understanding of what Smart Cities are, we can use and integrate pre-existing actionable strategies to prepare and defend against threats ranging from pandemics to nation-state attacks. As politically motivated cyberattacks expand in reach and collateral radius, we need to prepare our cities for when they become the next battlefield.
This talk aims to expand our definition of Smart Cities; discuss the data, human, and technological risks that they face; and share resources on how to deal with them.
Building on last year’s investigation into a massive Chinese package redelivery smishing syndicate, this presentation delves deeper into one of the key actors briefly touched on in the previous research.
PepsiDog is a threat actor that exemplifies a new level of professionalism, operating as a “developer-first” entity in the phishing ecosystem. By selling advanced phishing kits and offering phishing-as-a-service (PhaaS), they provide tools that enable global targeting of individuals and institutions, often through package redelivery scams.
This research highlights how this actor differs from others in scale, sophistication, and operational structure, demonstrating the ongoing evolution of threat actor capabilities. A day in the life of a threat researcher investigating this group will offer attendees a behind-the-scenes look at the challenges of unraveling their operations.
Additionally, we’ll explore their technical innovation, the expanded adoption of new cash-out mechanisms, and how their kits are being sold and deployed globally.
Key findings and updates for attendees include:
- Insights into how this actor designs and markets phishkits to other criminal groups, enabling widespread and efficient phishing campaigns.
- A peek inside the panel of the actor's sophisticated phishing kit, demonstrating its modular and customizable features designed for global targeting.
- Analysis of the steadily increasing number of compromised credentials and financial data linked to this actor's operations over the past year.
- Examination of the actor's growing influence and their collaboration with other Chinese groups exhibiting similar tactics, techniques, and procedures (TTPs).
This session, tailored for both technical and non-technical audiences, will provide actionable insights into the professionalization of cybercrime and offer strategies for detecting and defending against such advanced threats.
Silent patching—fixing security vulnerabilities without disclosure—presents a critical blind spot in software supply chain security. With 1 in 6 vulnerabilities patched silently, traditional security tools relying on public vulnerability databases like CVE or NVD fall short, leaving organizations exposed to unknown risks. This presentation introduces an entirely novel approach that harnesses the power of Large Language Models (LLMs) to detect these hidden vulnerabilities in open-source software.
We'll show how our novel dual-LLM architecture analyses public changelog data to identify and classify silently patched vulnerabilities. Through a live demo, we'll show how this AI-driven method has allowed us to uncover hundreds of previously unknown vulnerabilities in major open-source projects, with 20% classified as critical or high severity.
Key points:
- The threat landscape of silent patching and its impact on supply chain security
- Detailed breakdown of our dual-LLM model architecture and methodology
- Real-world findings and their implications for the security community
- The crucial role of Human-in-the-Loop (HITL) verification in the AI-driven process
- Benchmarking results against traditional security research methods
- Limitations of the current approach and future improvements
Starting a continuous security validation program in a complex enterprise environment requires thoughtful architecture, clear use cases, and systematic validation approaches. This talk shares SAP's journey in establishing our Breach and Attack Simulation foundation, focusing on how we approached detection validation, security control assessment, and advanced attack scenario testing. We'll explore our methodology for building a centralized Detection Lab, share our framework for staged validation, and discuss how we're preparing for Line of Business deployments. Through practical examples from our initial implementation phase, attendees will gain insights into building scalable security validation programs that can grow with enterprise needs. Learn how we approached infrastructure design, use case prioritization, and stakeholder alignment to create a strong foundation for enterprise-wide security validation.
Cybercrime has emerged as a major global concern, with increasing instances of online threats impacting various sectors. In Ghana, the forestry sector, which plays a pivotal role in the country’s economy, has not been immune to the effects of cybercrime. This study investigates the monetisation of cybercrime within Ghana's forestry sector, focusing on how illegal activities are financially sustained through digital platforms and their effects on the industry. Specifically, it explores the extent to which cybercriminals exploit forestry data, illegal timber trade, and logging activities through cyber means. The research addresses several key questions: How are cybercriminals monetising illegal activities in Ghana’s forestry sector? What are the prevalent cybercrime methods used in forestry-related crimes? How do these cybercrimes affect the sustainability of the forestry industry? What measures are being implemented to mitigate these crimes? To answer these questions, a mixed-method approach is employed, combining qualitative and quantitative techniques. Data is gathered through interviews with forestry experts, cybersecurity professionals, and law enforcement, alongside a survey of forestry businesses and government agencies. Additionally, the study uses secondary data from reports on cybercrime and forestry management in Ghana.
The results indicate that cybercriminals are exploiting gaps in the digital infrastructure of the forestry sector to facilitate illegal logging, timber trafficking, and the falsification of forestry-related documents. These crimes often involve phishing, hacking of logging permits, and the manipulation of satellite data used for forest monitoring. The financial benefits gained by criminals from such activities are significant, contributing to the growth of illegal timber trade and undermining legal and sustainable forestry practices. The monetisation of cybercrime within Ghana's forestry sector poses serious risks to both the economy and environmental sustainability. There is a critical need for enhanced cybersecurity measures, stricter law enforcement, and the integration of technology-driven solutions to curb these activities. Further research is needed to develop effective strategies to protect the sector from cyber threats while promoting sustainable practices in forestry management.
This presentation explores the analysis of a real-world Adversary-in-the-Middle (AiTM) attack, in which a threat actor successfully circumvented the Multi-Factor Authentication (MFA) of a Microsoft 365 account belonging to a global corporation. Following this breach, the attacker executed a Business Email Compromise (BEC) and escalated the attack by performing second-stage AiTM and BEC operations on additional targets from the initial victim's contact list.
In this talk, we will learn about:
- The recent shift in the focus of attacks
- Adversary-in-the-middle and how attackers use it
- Evasion & exfiltration mechanisms used by attackers
- Case study
- What can be done to defend, detect & investigate
- Q&A
This talk, "In-Depth Study of Linux Rootkits," will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today.
Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will have the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.
Beginning with an introduction to the fundamental capabilities of Linux rootkits, this talk traces the history of these malicious tools from their origins to their increasingly sophisticated techniques. It categorizes rootkits into kernel-level, user-mode, and hybrid types, explaining their respective methods for hooking kernel functions, intercepting user-space processes, and combining techniques from both realms. The discussion includes an analysis of rootkit persistence mechanisms and stealth techniques, which allow them to remain undetected.
Next, we shift to detection strategies, starting with signature-based detection, which identifies known rootkits through specific patterns, and we address the limitations of this approach. We then explore behavioral analysis, which monitors system anomalies, and present case studies demonstrating the effectiveness of this method. The importance of integrity checking is highlighted, emphasizing the challenges in maintaining accurate baselines for system files and binaries.
Furthermore, this talk reviews advanced detection tools and frameworks, providing an overview of popular rootkit detection tools and practical demonstrations of their use. This comprehensive analysis underscores the ongoing battle between rootkit developers and cybersecurity professionals, emphasizing the need for continuous advancements in detection and mitigation techniques.
In recent times, ransomware actors have been increasingly using the Bring Your Own Vulnerable Driver (BYOVD) technique, but what does it actually mean? What types of drivers are suitable for BYOVD? Which drivers are they bringing and why? Which vulnerabilities are exploited and what is the purpose of exploiting them? How is it all done and which threat actors have been using them?
This presentation introduces the BYOVD technique and digs deeper into driver vulnerabilities and their exploitation by ransomware threat actors. First, we investigate three primary classes of vulnerabilities in legacy Windows drivers abused by threat actors: arbitrary MSR writes, arbitrary kernel memory writes, and insufficient access controls. These vulnerabilities enable attackers to escalate privileges, load unsigned code, bypass EDR software and conduct other activities leading to the final payload.
We then shift our focus to ransomware groups leveraging BYOVD for their operations, including Kasseika, Akira, Qilin, BlackByte, and RansomHub. We discuss BYOVD-related TTPs of ransomware groups active in 2024.
Our session also briefly discusses Windows exploit mitigations designed to counter these threats. Features like Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), Kernel Control Flow Guard (kCFG), and kernel shadow stacks play crucial roles in enhancing system security.
We conclude with a section on detecting and preventing BYOVD from the point of view of blue team members, documenting sources of data and detection strategies.
By addressing both technical and operational aspects of BYOVD, this presentation emphasises insights for forensics experts, incident responders, and cyber threat researchers and provides knowledge for better research and detection of BYOVD based threats.
Kubernetes has become a critical component of modern production environments, valued for its scalability, flexibility, and ability to streamline container orchestration. However, its complexity and dynamic nature present unique challenges for security incident response. A compromised Kubernetes environment can provide attackers with substantial computational resources and access, enabling activities such as data exfiltration, intellectual property theft, or cryptocurrency mining.
Incident response in Kubernetes requires specialized knowledge, as traditional security practices often fall short in addressing the nuances of containerized systems. For example, the ephemeral nature of containers, combined with limited logging and monitoring practices and insufficient support from detection tools, makes it challenging to detect, contain and respond to incidents effectively. Many security teams are unfamiliar with Kubernetes-specific attack vectors and lack the expertise needed to respond to breaches in such environments.
This presentation will first provide examples of Kubernetes attack chains and highlight techniques—such as privilege escalation through "bad pods"—that are specific to this environment. It will then review critical logs that should be collected and explain how disk and memory forensics can aid in incident response. It will also discuss the challenges that a team might face during the analysis.
In today's cloud-centric business landscape, cyber threat actors are increasingly targeting cloud infrastructures to conduct high-impact ransomware attacks. This presentation delves into the tactics, techniques, and procedures (TTPs) of the threat actor known as Scattered Spider, with a focus on understanding their ransomware deployment life cycle within cloud environments.
Drawing from in-depth research and real-world case studies targeting the insurance and financial sectors, we will explore how Scattered Spider employs advanced social engineering methods—such as voice phishing (vishing) and SMS phishing (smishing)—to compromise high-privileged accounts like IT service desk administrators and identity administrators. The session will examine their use of SIM swapping to bypass multi-factor authentication (MFA) and gain unauthorized access to critical cloud services and Software as a Service (SaaS) platforms.
We will uncover how Scattered Spider leverages legitimate cloud features, including Cross-Tenant Synchronization in Microsoft Entra ID and federated identity providers, to establish persistent access and escalate privileges within compromised environments. The talk will highlight their use of open-source tools for cloud reconnaissance, their methods for impairing security tools, and their strategies for evading detection—such as utilizing remote monitoring and management (RMM) tools, protocol tunneling, and creating unmanaged virtual machines.
Furthermore, the presentation will dissect Scattered Spider's ransomware deployment strategies targeting cloud Infrastructure as a Service (IaaS) platforms like VMware ESXi. We will discuss their automated deployment tactics and their use of cloud-native tools to execute ransomware payloads efficiently, making recovery efforts more challenging for victims.
By mapping out Scattered Spider's comprehensive attack life cycle—from initial cloud account compromise to ransomware execution—we aim to equip cybersecurity professionals with actionable insights to bolster their cloud security posture. The session will conclude with prevention opportunities, offering best practices in authentication and account security, cloud environment hardening, and detection queries to identify and mitigate malicious activities.
Key Takeaways:
- Understand the new TTPs used by Scattered Spider in cloud environments.
- Gain insights into the ransomware deployment life cycle within cloud infrastructures.
- Learn how to detect and prevent similar attacks through practical security measures.
- Explore real-world incidents and case studies for a comprehensive understanding of the cloud threat landscape.
LLMs are Unreliable for Cyber Threat Intelligence: How LLMs Show Low Performance, Inconsistency and Low Calibration in CTI Tasks
Several recent works have argued that Large Language Models (LLMs) can be used to tame the data deluge in the cybersecurity field, by improving the automation of Cyber Threat Intelligence (CTI) tasks.
We present an evaluation methodology that, besides allowing LLMs to be tested on CTI tasks using zero-shot learning, few-shot learning and fine-tuning, also allows their consistency and their confidence level to be quantified. We run experiments with three state-of-the-art LLMs and a dataset of 350 threat intelligence reports and present new evidence of potential security risks in relying on LLMs for CTI.
We show how LLMs cannot guarantee sufficient performance on real-size reports while also being inconsistent and overconfident. Few-shot learning and fine-tuning only partially improve the results, thus raising doubts about the possibility of using LLMs for CTI scenarios, where labelled datasets are lacking and where precise model confidence estimates are necessary to rely on LLM predictions.
This is a story-telling presentation about an unknown group spreading Latrodectus, and all its modules, to operate an espionage attack, which concluded with a money theft. We are going to show how Threat Intelligence can speed up incident response procedures and assist in identifying other victims and active malicious infrastructure.