Industry Trends

Annual FiRST Conference Wrap-up

By David Maciejak | June 23, 2016

The 28th FiRST security event was held in “the land of morning calm’s” capital, Seoul this past June 12-17, 2016. This is the yearly conference for all CERT and CSIRT teams to gather to share ideas and feedback of their work. 

This year the FiRST event again successfully brought together the best speakers to discuss such issues as threat actor hunting, threat intelligence sharing, and incident response.

While we can’t review all of the talks here, we will go over some that the Fortinet team in attendance found to be especially interesting.

On the threat actor hunting side, two talks stood out. “Correlating Threats Using Internet Snaphots” from PassiveTotal, and “Adversary Recon and Practical Defenses Using Domain and DNS OSINT” from DomainTools were both very interesting presentations, and demonstrated some new techniques on how to digitally hunt criminals. They said two things that I couldn’t agree with more when doing this job:

  • The first is that attribution is a proxy for risk - not only the risk to be wrong, but also risk for your own safety
  • And the second is, OSINT at scale is not that free, meaning the more you have to dig the more you have to structure and store the data

On the threat intelligence sharing side, the presentation “Beyond Sharing: Cyber Threat Intelligence Making a Difference” from the US Department of Homeland Security was quite informative. Richard Struse shared some feedback on the ongoing efforts around STIX 2.0, TAXII 2.0, and CYBOX 3.0. Everyone in the industry is waiting for the coming release of these new major versions of these tools. The goal is to deliver a refactoring of these solutions to reduce their complexity, and to also add some new features like JSON support instead of XML.

With the proliferation of threat intelligence feeds, CERT/CC and CERT Polska have developed a methodology to assess the quality and operational value of this data, which they presented in their session “Towards a Methodology for Evaluating Threat Intelligence Feeds.” They released a complete paper along with their code that can generate overlapping charts. Not surprisingly, a lot of data overlaps between multiple sources, especially those from commercial feeds versus OSINT. This new methodology addresses this challenge of overlap. Here at Fortinet we are well aware of this challenge, and are working to clean out duplicate entries from our commercial CTI feed.

On the incident response side, the folks from Adobe shared their experiences in their session entitled “Decade of Change: 10 years of Product Incident Response At Adobe.” They shared some numbers from the past when they only expected one critical zero-day attack per year, and stressed the importance of finding the right people and having a good triage reporting system.

Finally, the US-CERT team shared some interesting trends and general best practices in their talk, “Best Practices and Big Mistakes in Responding to Major Incidents.” For example, last year they were involved in 15 big cases, covering everything from general incident response to providing digital forensics directly on-site. They were, of course, not able to disclose the customer cases in detail, but it was interesting to see significant similarities from the observed breach details that they shared.

The presentation slides for the talks mentioned above – and much more – are available at

We also want to send a big thanks to the Fortinet Korea team for the invitation.

-= FortiGuard Lion Team =-