Follow on Twitter
Conference Registration









Registration for Training is now closed.

This year, the Australian Cyber Security Centre (ACSC) is proud to host training by some of Australia's top cyber experts. These training opportunities will take place prior to the conference, on 11 and 12 April at the National Convention and Exhibition Centre. Training is an additional cost to conference registration and all have limited positions available. The following training opportunities will be available:



Number of participants

1. Introduction to STIX, TAXII and CyBOX

11 April

$950 (inc GST)

Limited to 20 participants

2. Top 4 Mitigations Strategies:
Implementing & Auditing

1112 April

$2200 (inc GST)

Limited to 30 participants

3. Hack it and Track it

1112 April

$2200 (inc GST)

Limited to 30 participants

4. Enterprise Incident Response

1112 April

$3000 (inc GST)

Limited to 25 participants

Please note training providers may cancel course due to low numbers. If this is the case, full reimbursement of course registration will be received.

Introduction to STIX, TAXII and CybOX

Course Overview:

STIX, TAXII and CybOX are community-championed specifications for threat data sharing, promising to make sharing within and between organisations much easier. Chances are that if you arent receiving threat intel via STIX today, you will be in the near future.

The Introduction to STIX, TAXII and CybOX course will introduce you to the basics of how to share and consume threat data and threat intel using these standards. During this single day course, you will learn what STIX, TAXII and CybOX are, why they were developed, why there is such a buzz about them, and how to use them within your organisation.

The course will give you hands-on experience working with STIX , TAXII and CybOX, providing you with the fundamental knowledge required to use STIX, TAXII and CybOX in their threat intelligence programmes.


  • At the completion of the course, you will understand:
  • What is Threat Intelligence
  • Are you ready to use Threat Intel?
  • What is STIX, TAXII and CybOX and how do they work together
  • Why do we need these standards?
  • What is the STIX data model?
  • How to use CybOX
  • How to use STIX
  • How to use TAXII
  • Caveats and problems in the real world
  • How to consume a real STIX doc
  • How to create a real STIX doc
  • How to interact with a real TAXII Server

After this course, you will know when and why to use the STIX and TAXII standards, how to receive intelligence and how to package your own intelligence in a sharable way.


Terry MacDonald

Terry MacDonald has been involved in information security for over 14 years. He has worked in various roles during that time, spanning Security Operations, Policy, Planning, Business Development and Product Development. Terry founded the Spark NZ Security Operations Team, has worked in senior roles at the Cisco Managed Threat Defense centre and helped Microsoft develop their internal Threat Intelligence Management solution. In recent years Terry has focused on helping organisations integrate threat intelligence, incident response and policy planning together to gain the most benefit from their information security programmes. Terry has been a major contributor to the STIX, TAXII and CybOX threat intelligence sharing standards, and has provided advisory services to major vendors such as Microsoft, Soltra and EclecticIQ. Terry is also a NZITF board member in his spare time.

Kayne Naughton

Kayne Naughton is a technologist and security researcher with 15 years experience across the education, government and finance industries. He founded the Security Intelligence team at National Australia Banks nabCERT and contributed to the tasking, operations and strategy of the Security Operations team in addition to leading the banks response to many cybercrime related incidents. Since leaving the banking sector he has provided advice, consulting, solutions and training to most of the Australias leading banks. Kayne is also a volunteer with the Shadowserver Foundation, a US based non-profit dedicated to keeping the internet safe and is a regular speaker at security events, covering both the offensive and defensive perspectives.

Top 4 Mitigations Strategies: Implementing & Auditing

Over the past three years, there has been an ever-increasing focus on preventing targeted cyber intrusions around the world. The Australian Signals Directorate (ASD) responded to the sharp increase in observed intrusion activity with the 'Strategies to Mitigate Targeted Cyber Intrusions'. This is a list of 35 strategies ranked in order of effectiveness that organisations can implement to reduce the likelihood of a successful targeted cyber intrusion.

There has been a significant push for public and private sector organisations to implement the 'Top 4 Mitigation Strategies' which are:

  • Application Whitelisting;
  • Patch Applications;
  • Patch Operating System;
  • Minimise Administrative Privileges.

In this two-day version of the SANS SEC480 Top 4 Mitigations Strategies: Implementing & Auditing course, participants will:


  • Understand the techniques attackers use in targeted cyber intrusions
  • Learn the importance of the Top 4 mitigation strategies including their effectiveness
  • Gain a sound understanding of the strategies, their objectives and compliance requirements
  • Obtain practical experience installing, configuring and deploying technologies to implement the Top 4 Mitigation Strategies
  • Understand common implementation roadblocks and methods to overcome them
  • Learn implementation and business communication methods
  • Learn how to protect your systems from targeted cyber intrusions
  • Learn how to detect targeted cyber intrusions
  • Learn how to implement business processes which support the Top 4 mitigation strategies.


The Cyber Security Operations Centre in ASD has stated that at least 85% of the cyber intrusions it responds to would be mitigated had agencies implemented these Top 4 strategies.

This course closely aligns with the ASD Top 4 mitigation strategies which can be found here:


Mark Hofman

Mark Hofman is a director and founder of Shearwater Solutions and has over 15 years' experience in ICT Security. He has worked for both private industry and government and has provided a wide range of information security consulting services to numerous organizations, including the financial sector, private sector, and government organizations. Mark is currently a certified instructor for the SANS Institute. He has had a number of publications, has trained and lectured internationally, and is a handler for the Internet Storm Center. Mark holds professional certifications, including CISSP, GIAC GCFW, CompTIA Security+ and BSI lead auditor accreditations.

Hack it and Track it

Course Overview:

Nuix Hack It and Track It (HIATI) is a two-day course designed for penetration testers and forensic investigators. Experts from Nuixs Cyber Threat Analysis Team will cover cutting-edge techniques for compromising a target and then forensically investigating that breach.

Most penetration testers have limited knowledge regarding the residual trace data left behind by their activities. Similarly, most forensic investigators have only a rudimentary knowledge of how the attacks they investigate actually take place. What if you could see the attack as it happened and the indicators of compromise left behind by the breach?

Our expert trainers will lead you through real-world scenarios. You will use your skills to compromise a host and extract target data. Then, you will utilize the indicators of compromise and trace evidence left behind by your activities to tell the story of what took place and how.

During this two-day course, participants will:

  • Be introduced to penetration testing and forensics methodology
  • Learn how to use common penetration testing tools including Nmap, Metasploit, Ncrack, Medusa, sqlmap, web shells and custom exploits
  • Use common forensics tools including forensic imaging utilities, NetworkMiner, Wireshark, Volatility, The Sleuth Kit, Nuix and custom scripts. The class is hands-on, focusing on attacker techniques and understanding the motivations behind them.

This class is limited to 30 students to optimise the classroom training. Students will need to bring their own laptop (minimum 32GB of RAM) and VMware player installed prior to the workshop. Students will receive a training manual and a USB thumb drive with the manual, lab exercises, and virtual machines.


Chris Pogue

Senior Vice President, Cyber Threat Analysis Team, Nuix

Chris Pogue is the Senior Vice President of Nuixs Cyber Threat Analysis security consulting team, and a member of the US Secret Service Electronic Crimes Task Force.

Chris is responsible for the companys security services organisation; he oversees critical investigations and contracts, and key markets throughout the United States. His team focuses on incident response, breach preparedness, penetration testing and malware reverse engineering.

Over his career, Chris has led multiple professional security services organisations and corporate security initiatives to investigate thousands of security breaches worldwide. His extensive experience is drawn from careers as a cybercrimes investigator, ethical hacker, military officer and law enforcement and military instructor.

In 2010, Chris was named a SANS Thought Leader.

Chris served in the United States Army as a Signal Corps Warrant Officer and Field Artillery Sergeant. He distinguished himself as an Honour Graduate from a variety of Army Academies and Schools and received multiple awards and commendations for excellence.

Ryan Linn

Director Advanced Tactics and Countermeasures, Nuix

Ryan has more than 15 years of experience in information security. He has worked as a technical team leader, database administrator, Windows and UNIX systems administrator, network engineer, web application developer, systems programmer and information security engineer. Ryan has delivered his research about ATM security, network protocol attacks, and penetration testing tactics. He also contributes to open source projects such as Metasploit, Ettercap, and the Browser Exploitation Framework.

Enterprise Incident Response

Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to todays landscape of threat actors and intrusion scenarios. Completely redeveloped with all-new material in 2013, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.

The course is compromised of the following modules, with labs included throughout:

  • The Incident Response Process: An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation.
  • Acquiring Forensic Evidence: An overview of volatile and non-volatile evidence, live response acquisition versus forensic imaging, and related methods and tools.
  • Introduction to Windows Evidence: Analysis of the key sources of evidence that can be used to investigate a compromised Windows system, including NTFS artifacts, prefetch, web browser history, event logs, the registry, and more.
  • Memory Acquisition and Analysis: How memory is structured on a Windows system, the artifacts and evidence available in physical memory and the pagefile, and how memory analysis can identify advanced techniques used by malware.
  • Investigating Lateral Movement: An in-depth analysis of how attackers move from system-to-system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
  • Persistence: Analysis of advanced persistence mechanisms, such as DLL search order hijacking; introduction to user-land and kernel rootkits; alternative remote-access mechanisms exploited by attackers.


Chris DiGiamo

Chris DiGiamo is a Principal Consultant in Mandiants San Francisco office. Mr. DiGiamo has over ten years of experience performing incident response and network analysis for both private and public institutions. At Mandiant, he assists in forensic investigations and data analytics for cyber incidents. Mr. DiGiamo specializes in the programmatic identification of malicious network traffic and has written tools to assist in the identification of targeted malware variants. Prior to joining Mandiant, Mr. DiGiamo was the technical lead of the Federal Trade Commission (FTC) Computer Incident Response Team (CIRT).

Emmanuel Jean-Georges

Emmanuel Manny Jean-Georges is a Consultant at Mandiant working out of the New York, NY office. Mr. Jean-Georges works primarily in the Incident Response and Computer Forensics service lines for MANDIANT. Mr. Jean-Georges participated in a six month rotation within the Mandiants Managed Defense team. During this rotation, Manny was responsible for leading surge investigations in five client environments across the Aerospace and Defense, Manufacturing, and the Financial Services industries. Mr. Jean-Georges has since participated in dozens of targeted intrusion investigations for global organizations in varying industries, educational institutions, and state governments. In addition, he has led, helped teach and develop Mandiant education courses on Enterprise Incident Response and Advanced Network Investigation Techniques to Mandiant clients and federal law enforcement. Prior to working at Mandiant, Mr. Jean-Georges was a Server Technology Specialist at FM Global. In this position, he administered and maintained Microsoft Windows Servers, supported application deployment and assisted server and application troubleshooting.